Conversation

Notices

1. mathew ✅ (mathew@mastodon.social)'s status on Saturday, 23-Apr-2022 20:51:40 UTC mathew ✅

   This is great: "stable" coin project relies on community governance, so a hacker borrows $1b, uses it to get a 67% voting stake, votes that the project should wire them $182m, then pays back the huge loan and exits -- all in the space of 13 seconds. The "stable" coin immediately crashes.
   https://www.theverge.com/2022/4/18/23030754/beanstalk-cryptocurrency-hack-182-million-dao-voting

   • Santa Claes 🇸🇪🇭🇰🎅 likes this.
   • Coyote of the Snows (gedvondur@hulvr.com)'s status on Saturday, 23-Apr-2022 20:51:39 UTC Coyote of the Snows

     in reply to

     @mathew There is going to be UNENDING shenanigans with consensus voting and so-called smart contracts.

     Its like a whole generation of people have to learn the hard way why financial regulations exist and are so complicated.

     These motherfuckers should learn to play D&D. Then they will figure out what rules lawyering, unintended consequences, min-maxing, and system loopholes are.

     Santa Claes 🇸🇪🇭🇰🎅 likes this.
   • Chrisshy Keygen (rgegriff@hackers.town)'s status on Saturday, 23-Apr-2022 23:12:13 UTC Chrisshy Keygen

     in reply to

     @mathew Nowhere in the rules does it say a dog can't play basketball.

     I see no crime committed here

     Santa Claes 🇸🇪🇭🇰🎅 likes this.
   • Leonardo Di Ottio (leonardodiottio@mastodon.social)'s status on Saturday, 23-Apr-2022 23:12:32 UTC Leonardo Di Ottio

     in reply to

     @mathew Yes, but https://web3isgoinggreat.com

     Santa Claes 🇸🇪🇭🇰🎅 likes this.
   • mathew ✅ (mathew@mastodon.social)'s status on Saturday, 23-Apr-2022 23:12:37 UTC mathew ✅

     in reply to

     • Rysiekúr Memesson
     • Ryuno-Ki

     @rysiek @RyunoKi To me this is classic hacker work: making use of unintended consequences of a software system.

     I also don't really see it as a scam — the entire system worked exactly as it was designed to, and nobody was lied to.

     Santa Claes 🇸🇪🇭🇰🎅 likes this.
   • Ryuno-Ki (ryunoki@layer8.space)'s status on Saturday, 23-Apr-2022 23:12:38 UTC Ryuno-Ki

     in reply to

     • Rysiekúr Memesson

     @mathew
     Web3 is going great!

     CC @rysiek

   • Rysiekúr Memesson (rysiek@mastodon.technology)'s status on Saturday, 23-Apr-2022 23:12:38 UTC Rysiekúr Memesson

     in reply to

     • Ryuno-Ki

     @RyunoKi @mathew not a "hacker" but a scammer. Please, let's not mix hackers into this.

   • Rysiekúr Memesson (rysiek@mastodon.technology)'s status on Saturday, 23-Apr-2022 23:13:04 UTC Rysiekúr Memesson

     in reply to

     • Ryuno-Ki

     @mathew @RyunoKi the question is: how the tools and skills were employed?

     You wouldn't write "drivers robbed a bank", you would say "robbers" -- even if driving was a crucial skill in that particular robbery.

   • mathew ✅ (mathew@mastodon.social)'s status on Saturday, 23-Apr-2022 23:13:04 UTC mathew ✅

     in reply to

     • Rysiekúr Memesson
     • Ryuno-Ki

     @rysiek @RyunoKi As someone on Twitter just pointed out to me, this was really a leveraged hostile takeover followed by asset stripping — all of which is standard capitalism and perfectly legal when corporations do it.

     Santa Claes 🇸🇪🇭🇰🎅 likes this.
   • Santa Claes 🇸🇪🇭🇰🎅 (clacke@libranet.de)'s status on Saturday, 23-Apr-2022 23:15:46 UTC Santa Claes 🇸🇪🇭🇰🎅

     in reply to

     • Lunch (--)
     @lunch @mathew Did they borrow and repay within the same block?
   • Lunch (--) (lunch@cybre.space)'s status on Saturday, 23-Apr-2022 23:15:47 UTC Lunch (--)

     in reply to

     @mathew >in the span of 13 seconds

     a block executes atomically, it doesn't "take time" to execute a transaction so really it all happened instantly

     the journalists are kinda crappy here since it's hard to articulate how transactions are included, but it's pointless to say "how long" it took to happen since any flash loan arbitrage like this always happens in the span of a single tx

   • Santa Claes 🇸🇪🇭🇰🎅 (clacke@libranet.de)'s status on Saturday, 23-Apr-2022 23:17:42 UTC Santa Claes 🇸🇪🇭🇰🎅

     in reply to

     • Lunch (--)
     @mathew @lunch "Flash Loans allow you to borrow any available amount of assets without putting up any collateral, as long as the liquidity is returned to the protocol within one block transaction."
     
     Wow, that's a pretty cool hack actually. And in hindsight predictably leads to exactly this.
     
     docs.aave.com/faq/flash-loans
     
     /via mastodon.social/@mathew/108183… @mathew
   • mathew ✅ (mathew@mastodon.social)'s status on Sunday, 24-Apr-2022 02:43:02 UTC mathew ✅

     in reply to

     • Rysiekúr Memesson
     • Xerz! :blobcathearttrans:

     @xerz @rysiek Taking out a flash loan, buying votes, using them to transfer cash, and returning the loan all in a few seconds using software *is the hack*.

     Santa Claes 🇸🇪🇭🇰🎅 likes this.
   • Xerz! :blobcathearttrans: (xerz@fedi.xerz.one)'s status on Sunday, 24-Apr-2022 02:43:03 UTC Xerz! :blobcathearttrans:

     in reply to

     • Rysiekúr Memesson

     @mathew ngl I’m surprised they were able to turn a profit out of it, guess they found a trade where this one obscure currency was able to be sold out within a few seconds – what a mess lol

     also I concur with @rysiek – nothing was hacked, all that was done is quickly buying votes and using them to transfer cash

   • ewhac (ewhac@mastodon.social)'s status on Sunday, 24-Apr-2022 02:46:57 UTC ewhac

     in reply to

     @mathew
     The raider borrowed $1Bn, paid it back 13 seconds later, and paid about $100M for the privilege. So that's 10% interest over 13 seconds, which works out to an annualized percentage rate of 24,275,077%.

     Santa Claes 🇸🇪🇭🇰🎅 likes this.
   • Santa Claes 🇸🇪🇭🇰🎅 (clacke@libranet.de)'s status on Monday, 25-Apr-2022 11:21:14 UTC Santa Claes 🇸🇪🇭🇰🎅

     in reply to

     • ewhac
     @ewhac @mathew They paid back in the same block, so the annual interest is unbounded.
   • Santa Claes 🇸🇪🇭🇰🎅 (clacke@libranet.de)'s status on Monday, 25-Apr-2022 12:51:08 UTC Santa Claes 🇸🇪🇭🇰🎅

     in reply to

     • gudenau
     • L. Rhodes
     @lrhodes It has nothing to do with PoS, it was a DAO governance issue.
     
     PoS currencies are not structured around voting, they're more like having passive ownership in a fund and receiving dividends.
     
     @mathew @gudenau
   • gudenau (gudenau@mastodon.technology)'s status on Monday, 25-Apr-2022 12:51:14 UTC gudenau

     in reply to

     @mathew Isn't that how they all work, more or less?

   • L. Rhodes (lrhodes@merveilles.town)'s status on Monday, 25-Apr-2022 12:51:14 UTC L. Rhodes

     in reply to

     • gudenau

     @gudenau @mathew AFAIK, this is a vulnerability particular to proof-of-stake currencies. They're meant to replace computation intensive proof-of-work schemes by giving verification powers to the largest stakeholders. That's how this transaction happened: The trader in question borrowed enough to become the largest single stakeholder in the system, which gave them unilateral powers to verify their own transaction. It's a known vulnerability that PoS schemes struggle to defend against.