How Crypto Gets Hacked: Issue #2
A Wanted DeFi Hacker, NFT Fraud, and SushiSwap Governance
Disclaimer: I’ll be talking about individual crypto projects in this series but this is for informational purposes only and not a solicitation to buy or sell any cryptoassets.
Do your own due diligence.
Wanted: DeFi Hackers
A Canadian 19-year-old was charged with stealing $16 million in an exploit of Indexed Finance and didn’t show up for his court hearing. Now there is a warrant out for his arrest.
I’ve written about flash loans before, and this teenager was able to use a flash loan to distort prices within the DeFi protocol and take advantage of how it worked, making off with $16 million in various cryptocurrencies. Rekt News goes deeper into how this was carried out.
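The mechanism behind this class of incident is worth seeing in numbers. The simulation below is an added illustration, not code from the original post and not a reconstruction of the Indexed Finance exploit (Rekt News covers that); it models a generic constant-product pool and assumes a 0.3% swap fee. It shows why a protocol that prices assets from a pool’s instantaneous reserves can be misled inside a single transaction, and why the standard mitigation is to consume a time-weighted average recorded once per block: a flash loan has to be repaid within the same transaction, so the distorted reserves never survive to a block boundary.

```python
FEE = 0.003  # 0.3% swap fee, a common constant-product pool default (assumption)


def swap(reserves, amount_in, token_in):
    """Constant-product swap (x * y = k) on a two-token pool.

    `reserves` is {"A": x, "B": y}; returns the new reserves and the amount
    of the other token paid out."""
    token_out = "B" if token_in == "A" else "A"
    r_in, r_out = reserves[token_in], reserves[token_out]
    eff_in = amount_in * (1 - FEE)
    amount_out = r_out * eff_in / (r_in + eff_in)
    new = dict(reserves)
    new[token_in] = r_in + amount_in
    new[token_out] = r_out - amount_out
    return new, amount_out


def spot_price_a(reserves):
    """Price of one A in units of B, read straight from the current reserves.
    This is the value a naive on-chain consumer would use."""
    return reserves["B"] / reserves["A"]


class TwapOracle:
    """Toy time-weighted average price oracle: one sample per block, taken
    from the reserves as they stand at the end of the block."""

    def __init__(self):
        self.samples = []  # (block, price)

    def record(self, block, reserves):
        self.samples.append((block, spot_price_a(reserves)))

    def consult(self, window):
        last = self.samples[-window:]
        return sum(price for _, price in last) / len(last)


def simulate_single_tx_distortion(reserves, borrowed_b):
    """Everything here happens inside ONE transaction: push borrowed B into
    the pool, read the spot price a naive consumer would see at that moment,
    then swap back so the loan can be repaid.

    Returns (spot_price_mid_transaction, spot_price_after_transaction)."""
    mid, a_received = swap(reserves, borrowed_b, "B")
    distorted = spot_price_a(mid)
    after, _b_back = swap(mid, a_received, "A")
    return distorted, spot_price_a(after)


if __name__ == "__main__":
    # Constructed pool: 1000 A against 1000 B, so A trades at 1 B.
    pool = {"A": 1000.0, "B": 1000.0}
    oracle = TwapOracle()
    for block in range(1, 11):
        oracle.record(block, pool)  # ten quiet blocks

    mid_tx, after_tx = simulate_single_tx_distortion(pool, borrowed_b=5000.0)
    print(f"spot price read mid-transaction : {mid_tx:.2f} B per A")
    print(f"spot price after the transaction: {after_tx:.4f} B per A")
    print(f"10-block TWAP at the same moment : {oracle.consult(10):.4f} B per A")
```

The mid-transaction spot price moves by more than an order of magnitude even though the pool is back to (almost) its starting state by the time the transaction ends; the only lasting change is the fee the pool collected. The TWAP, which never saw the intermediate reserves, still reads 1.0. A protocol that settles, liquidates, or mints against that mid-transaction reading is the one that loses money.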
The hacker Medjedovic’s argument for why he did nothing wrong is one that is thrown around a lot in the crypto space but has no legal backing to date: “code is law.” By that he means that if the code was written in a way that allowed him to distort prices and take advantage of the protocol, then he was within his rights to distort prices on purpose and take advantage of the protocol. It’s their fault; he was just using the protocol as it was written. It was allowed, so why should he be penalized?
On the other side, the developers of Indexed Finance are arguing that this was not just something wrong with the code, but an action that involved malicious intent to manipulate the protocol’s internal markets.
“The attack was not some simple accounting error waiting to misprice tokens – it had to be deliberately manipulated through a complex series of actions in order to create the circumstances under which assets could be taken at a below-market price,” said Kellar.
I think they have a pretty good argument here. There are a few defenses for theft, but none of them would apply to “code is law” as far as I can tell, unless he felt the property was already his when he took out a flash loan, distorted prices, and took it all.
I don’t think a judge and/or jury is going to believe that.
But this is technically a civil case at the moment, and the lawyers seem to be trying to accuse him of “unjust enrichment,” which I could also see going in the developers’ favor. But CoinDesk disagrees with me:
This is the first time the “code is law” argument will come under legal scrutiny, and it will be interesting to see what happens from here. This could be the beginning of a precedent for more civil suits and law enforcement to start taking action against DeFi hackers (if they can find them).
NFTs Used for Wash Trading and Money Laundering
Wash trading has become a great way for NFT buyers to make it look like their assets are trending “to the moon.”
Wash trading, meaning executing a transaction in which the seller is on both sides of the trade in order to paint a misleading picture of an asset’s value and liquidity, is another area of concern for NFTs. Wash trading has historically been a concern with cryptocurrency exchanges attempting to make their trading volumes appear greater than they are. In the case of NFT wash trading, the goal would be to make one’s NFT appear more valuable than it really is by “selling it” to a new wallet the original owner also controls. In theory, this would be relatively easy with NFTs, as many NFT trading platforms allow users to trade by simply connecting their wallet to the platform, with no need to identify themselves.
This makes sense, as many NFT collectors have said they tend to look at the trend of the floor price of an NFT project (the lowest-priced item) to help determine the value of the project as a whole. So wash trading to make it look like their NFTs are rising in value is one strategy NFT holders could take, as long as it isn’t illegal:
NFT wash trading exists in a murky legal area. While wash trading is prohibited in conventional securities and futures, wash trading involving NFTs has yet to be the subject of an enforcement action. However, that could change as regulators shift focus and apply existing anti-fraud authorities to new NFT markets.
But thanks to the transparency of the blockchain, the worst perpetrators are easy to catch:
We encourage NFT marketplaces to discourage this activity as much as possible. Blockchain data and analysis makes it easy to spot users who sell NFTs to addresses they’ve self-financed, so marketplaces may want to consider bans or other penalties for the worst offenders.
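The check Chainalysis describes, spotting sellers who financed the buyer’s wallet, is straightforward to implement against exported chain data. The script below is an added example, not code from the original post or from Chainalysis; it runs over a small constructed set of funding transfers and NFT sales (the addresses and amounts are invented) and flags any sale whose buyer was funded by the seller, directly or through a chain of intermediary wallets, before the sale was confirmed. Funding that arrives only after the sale does not count, which keeps a later, unrelated payment from the seller from producing a false positive.

```python
from collections import defaultdict, deque

# Constructed sample data, not real chain records. Amounts are in ETH.
# A funding record is (sender, recipient, amount, block).
FUNDING = [
    ("0xSELLER", "0xMULE1", 5.0, 100),   # seller tops up a fresh wallet...
    ("0xMULE1",  "0xMULE2", 4.9, 101),   # ...which forwards to a second one
    ("0xWHALE",  "0xLEGIT", 10.0, 90),   # unrelated funding of a genuine buyer
    ("0xSELLER", "0xLATE",  2.0, 130),   # seller pays this wallet AFTER the sale
]
# A sale record is (seller, buyer, token_id, price, block).
SALES = [
    ("0xSELLER", "0xMULE2", 1, 4.5, 105),  # buyer funded by seller two hops back
    ("0xSELLER", "0xLEGIT", 2, 1.0, 110),  # independent buyer
    ("0xSELLER", "0xLATE",  3, 1.5, 120),  # funding came later: not self-financed at sale time
]


def upstream_funders(funding, addr, before_block, max_hops):
    """Return {funder: hops} for every address whose ETH reached `addr`
    through at most `max_hops` transfers, all confirmed before `before_block`."""
    inflows = defaultdict(list)
    for sender, recipient, _amount, block in funding:
        if block < before_block:
            inflows[recipient].append(sender)
    found = {}
    queue = deque([(addr, 0)])
    while queue:
        current, hops = queue.popleft()
        if hops == max_hops:
            continue
        for sender in inflows[current]:
            if sender != addr and sender not in found:
                found[sender] = hops + 1
                queue.append((sender, hops + 1))
    return found


def flag_self_financed_sales(sales, funding, max_hops=3):
    """Flag sales whose buyer was funded by the seller (directly or via
    intermediaries) before the sale block. Returns one dict per flagged sale."""
    flagged = []
    for seller, buyer, token_id, price, block in sales:
        funders = upstream_funders(funding, buyer, block, max_hops)
        if seller in funders:
            flagged.append({
                "token_id": token_id, "seller": seller, "buyer": buyer,
                "price": price, "block": block, "hops": funders[seller],
            })
    return flagged


def suspicious_volume_share(sales, flagged):
    """Fraction of total sale volume that sits in flagged (self-financed) sales."""
    total = sum(price for _, _, _, price, _ in sales)
    suspect = sum(entry["price"] for entry in flagged)
    return suspect / total if total else 0.0


if __name__ == "__main__":
    hits = flag_self_financed_sales(SALES, FUNDING)
    for hit in hits:
        print(f"token {hit['token_id']}: {hit['seller']} -> {hit['buyer']} "
              f"at block {hit['block']}, seller funded buyer {hit['hops']} hop(s) back")
    print(f"share of volume in self-financed sales: {suspicious_volume_share(SALES, hits):.1%}")
```

The hop limit matters: with `max_hops=1` only direct seller-to-buyer funding is caught, and a seller who routes through one fresh wallet slips past. Raising it widens the net at the cost of more false positives from genuinely shared funding sources such as exchanges, so a marketplace running this would typically exclude known exchange hot wallets from the funding graph before tracing.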
As for money laundering, it appears that addresses with stolen funds and owned by scammers have been the biggest beneficiaries of trying to hide their money through buying NFTs:
All of this activity represents a drop in the bucket compared to the $8.6 billion worth of cryptocurrency-based money laundering we tracked in all of 2021. Nevertheless, money laundering, and in particular transfers from sanctioned cryptocurrency businesses, represents a large risk to building trust in NFTs, and should be monitored more closely by marketplaces, regulators, and law enforcement.
What Happens to DeFi Without Developers?
SushiSwap is in the middle of an existential crisis, and it will be interesting to see how it pans out. The leadership of the DAO and core developers have all left to work on other projects, and no one has administrator access to their Discord server, opening the door for scammers:
The SushiSwap community has lost admin access to its server, which means scammers can openly run social engineering campaigns against the less sophisticated SushiSwap users right out in the open. No one has the power to ban these people right now.
The SushiSwap project is not known for stable governance. The Defiant writes:
SushiSwap has been chaotic from the start. Its original leader and creator, Chef Nomi, was ousted before the project ever took off. SushiSwap’s assets have still been taken care of by the multisig, but some workers haven’t been paid in months. Sorting out compensation is not possible with no one in charge. Teams have departed because they didn’t agree with the overall direction, and social engineers are ploughing through its internal channels. Nevertheless, SushiSwap has been crucial infrastructure for launching some of the weirdest, most interesting projects on Ethereum, so there appears to be broad agreement SushiSwap needs more organization. Where’s that going to come from?
DAOs and other governing bodies in the crypto space will have to deal with situations like this in the future, so what’s the answer? They could get acquired (like Polygon acquired Hermez in the summer of 2021), merge with other protocols (like Rari and Fei did in December), or become an “on-chain DAO,” fully autonomous and administered by code (which is the current proposal brought forth to the SushiSwap community).
The proposal, called Poke Bowl, would formalize Sushi as an on-chain DAO, which means voting will trigger smart contracts to execute and establish a legal entity for the project. The move would take assets like the protocol’s Twitter and Discord accounts off-chain. Both entities would be governed by SUSHI holders, according to the forum post, which preceded the Snapshot proposal.
The details of Poke Bowl involve making changes to the voting process. “In the puritan definition, Sushi isn’t really a DAO because all of the governance happens off-chain,” Bram said. “So all the votes they do are Snapshot signaling votes but no code actually gets executed from those Snapshot votes.” Only two people can currently approve the Snapshot votes, according to Bram, who would like to further decentralize the process.
How will SushiSwap and others deal with governance issues? How will they continue to exist long after the founders and developers are gone? I think this will become a bigger story in the months and years ahead. Without proper governance, it will only open the door for more scammers and hackers to compromise crypto protocols in the future.
Thanks for reading!