In real finance, there is an understanding that technical loopholes can exist, since not every outcome can be foreseen when writing laws, but the legal system can frequently prosecute against a series of actions which are, individually, legal, but which together are taken in order to achieve something illegal.
That is, modern finance and the law also attempt to deal with intent.
But in the Ethereum smart contracts world isn't the whole premise that the code is the law? That we don't need any of these pesky courts or banks or auditors or anything: the code is the law, and the decentralized blockchain will enforce it.
With this worldview, if the attacker simply exploited poorly-written code to find a loophole, how do the owners of Index have a leg to stand on?
The problem with smart contracts isn't that there are bugs, but that buggy results are final with little to no recourse, by design, unless you get everyone to agree to hard fork the chain (rolling the "bad" transactions back and replacing the buggy contract) and/or the implementation (if the bug was in the platform rather than the contract).
The legal system has a similar principle of not being liable for conduct that predates a ruling or law that forbids it, but it also has the principle of agreements being interpreted according to common sense understanding by a person with ordinary skill, and where skill differences exist between them the non-expert's interpretation is the one given precedence.
These meta rules don't have equivalents in smart contract systems, which makes them brittle. The only way smart contracts end up being used for non-trivial purposes is if they are made explicitly subordinate to the existing legal infrastructure in ways that will gum up the works, or if smart contracts are subject to mandatory formal verification possibly including game theoretic 2nd order effects.
Smart contracts don't have to exist outside the judicial system. Smart contracts are simply a way to automate transactions in a way that's efficient, transparent, and credibly neutral. Yes, we may still have to invoke courts for the 0.01% of transactions that are clear exploits. But the other 99.99% of the time, it's a much more efficient system than using written contracts to handle normal, everyday outcomes.
Even without blockchains or smart contracts, we already have automated systems that execute transactions based on algorithmic rules. If you blatantly exploit a vulnerability in those systems, then courts will generally punish you. That doesn't mean that automated systems are pointless, because 99.9% of the transactions aren't exploits. That's still a huge win, because it means we don't have to have our lawyers email redlines back and forth every time we want to trade an S&P index futures contract. (Near) fully automated transactions are 1) orders of magnitude more efficient, 2) expose general purpose composability where one automated system can be predictably inter-connected with another.
When you put an automated transaction system on-chain, you drastically increase the advantages of both, because you're embedded in an open application network with credible neutrality. A smart contract exchange like Uniswap can process about the same amount of volume as a centralized exchange like Coinbase, but the difference is that Uniswap only needs about 50 employees, whereas Coinbase needs 5000. That's primarily because Coinbase runs inside a silo'd network. That entails replicating many functions like user account management, that aren't necessary for an application like Uniswap that piggybacks off the credible neutrality of a decentralized consensus layer like Ethereum.
Yes, but that's a wrong and unfair way to define and apply laws.
> humans are imperfect
Smart contracts and "code is the law" mantra don't contradict this. You're imperfect and you commit a mistake, you lose. You find a mistake in someone else's code, you win.
This is much better than the current legal system where we are all collectively forced to adapt to, or even pay for, someone else's mistakes.
In the world of smart contracts code is indeed law, but that doesn't change the fact that in the real world law is law, and the fact that you used a smart contract to commit a crime doesn't make it any less a crime.
Plenty of crypto hypers say the same. E.g. from a quick search of "Smart Contract advantages," the very first article, by a law firm:
> Guaranteed Outcomes: Potentially the most attractive feature, smart contracts could offer a way to substantially reduce or completely eliminate the need for litigation and courts. This is because when parties commit to using self-executing contracts, they bind themselves to the rules and determinations of the underlying code, rather than exposing themselves to interpretations made by parties outside of the contractual relationship.
I think some confusion arises because "smart contracts" only make sense if code really is law, in the sense that any transaction executed by the contract -- even unexpected, surprising transactions -- is considered to be fully consented to by all parties interacting with the contract.
I agree that that's a terrible idea - bugs can always exist, and having no recourse when millions of dollars are lost due to a coding error is a huge and unreasonable risk.
But otherwise -- if, ultimately, courts can force "smart contract" transactions to be unwound if they are found to be exploitative, unintended or otherwise invalid -- then what's the point of having smart contracts in the first place? What's the value proposition? Why not just use regular contracts?
For example, robbery is when, with intent to commit theft, you take property by force.
Anything else is not robbery.
Theft by taking is: when a person unlawfully takes or, being in lawful possession thereof, unlawfully appropriates any property of another with the intention of depriving him of the property, regardless of the manner in which property is taken or appropriated.
(The above is Georgia; robbery/theft/etc. are state crimes, so definitions vary a bit)
Again, it requires doing so unlawfully (or converting unlawfully).
If doing what this person did isn't unlawful in the real world, it's not theft, it's not robbery, it's not anything.
So you have to find a crime that actually matches what happened.
It's not wire fraud - that would require "false statement, promise, or misrepresentation in order to obtain money or something of value from someone else."
etc
So what crime do you believe this actually is?
(So far I've only seen a civil lawsuit, and while there is a warrant for his arrest, that's for refusing to move the tokens to a neutral third party, or show up to court :P )
The "laws of physics" analogy doesn't match up. I feel like it would be more appropriate in an anarchist society (physics are the only laws, thus everything that obeys physics is game).
This feels more like discovering an exploit in a video game. It's up to the devs to patch it, or tournaments to outlaw, but if you find something out, you can use it. We agree to play by the rules, but if someone comes up with something last minute, they can win.
(Well, maybe you can still complain, IANAL, but it gets a lot murkier.)
If this smart contract is considered a legally binding contract, then, yes, this would likely be illegal despite the proverbial "letter" of the smart contract not being broken. If it isn't, then it may not necessarily be illegal (but possibly still could be).
A smart contract is a piece of code running on a public permissionless blockchain. The developers who deployed that code do not own it. Medjedovic had as much the right to take money out of the smart contract using the contract's logic as Kellar and Day.
Being blockchain developers, Kellar and Day know these facts very well, but they persist in their hypocrisy because it is in their financial interest to do so. They are betting on a non-technical jury being convinced by a good lawyer that Medjedovic "hacked them" or "stole their funds" (which is not at all what happened here).
They don’t. They simply have to accept it as a bug bounty successfully collected and paid out, and treat it as a learning experience and evolutionary process. Do better next time, if there is a next time.
This is why things like "land registry on the blockchain" will never happen. When a court decides that a sale of a house was unlawful, then the blockchain is wrong and irrelevant.
Code isn't law. Law is a system that ultimately sends people to your house and puts you in a locked house that you're not allowed to leave, and lets other people live in "your" house now.
Math can't enforce who lives in your house.
Edit: It would be great if there was more moral in finance, but I think that's wishful thinking and doesn't really distinguish traditional finance or Defi. The only nice thing about Defi is that everyone can see what's going on in contrast to what happens when you do something in traditional finance.
Do not see any 'unauthorised access' in that case, i.e. not the classic definition of 'computer hacking'. However, if the case does end up progressing I do wonder what form a defense will take.
It's like the people who invented smart contracts never heard of the incompleteness theorem.
https://www.cnn.com/2021/02/16/business/citibank-revlon-laws...
And they're a gigantic bank, it's the original digital business, every banker knows a single arithmetic error is dangerous.
Just bankers being inept.
It does? Maybe for the poor, but certainly not for the rich/corporations.[1]
[1] - https://www.imf.org/external/pubs/ft/fandd/2019/09/tackling-...
but on your main point regarding “modern finance and law”:
2021: https://member.fintech.global/2022/01/05/the-top-five-compli...
https://www.kyckr.com/aml-fines-2021/
tldr fines amount to billions in total and sometimes criminal proceedings are brought forward.
Examples of code NOT being the law: Some defi protocols have made those affected by a hack/loophole whole again with their own funds. Some defi protocols explicitly exclude certain jurisdictions like the US from accessing their protocol. Surely if they all believed "code is law" they wouldn't give a fuck, right?
That's a terrible example. If the code really weren't law, they'd reverse the transaction, or force the hacker to give back the money, like a court could.
Since the code is law they're stuck, and so just hand the victim some money out of their own pockets, to try and eliminate bad press and keep people's trust.
“I did not steal anyone's private keys. I interacted with the smart contract according to its very own publicly available rules. The people who lost internet tokens in this trade were other people seeking to use the smart contract to their own advantage and taking on risky trading positions that they, apparently, did not fully understand.”
Yes, it's a little disingenuous to claim "code is law" until it doesn't suit you anymore.
This is misleading, either intentionally or due to Medjedovic's incompetence.
You can fork the current head of the mainnet blockchain to localhost and try infinite permutations for free to see what the next state of the blockchain will be. And then if you like that state, you can then pay to send the working transaction to the mainnet to make that same state occur, in a sure bet. (nearly sure fire bet as in some cases, someone could replace the mainnet transaction en route, but they wouldn't necessarily know what to look for or change if it's a distinct kind of transaction)
Medjedovic either didn't know this, because his skills didn't translate as well as he thinks, or Medjedovic knows this and hasn't come up with a stronger argument to support his actions yet (of which there are plenty) and actually is relying on public sympathy to support his actions.
Either way, there is an opportunity for broader education on how these exploits can be cooked in something akin to a "hyperbolic time chamber" or quantum reality without anyone's knowledge, ready to hop back into our dimension fine tuned and ready to cause maximum effect, all within the ~15 seconds between blocks if necessary, as the state changes per block.
An exploiter conducting a big heist and disappearing never has to prove that they can't do it again, because they're rich immediately.
You don't even need to perfectly predict the next state to make risk-free attempts; you merely need to submit your transactions using flashbots (which operates a gateway directly to the miners). You pay a portion of your profit to the miners as an incentive to include your transaction, and if your transaction fails for any reason it fails atomically and is not included in the block, meaning you have paid no gas and your attempt is thus risk-free. One caveat is that this only works if the transactions can be assembled into a bundle within the same block.
They'd at least risk losing the transaction fees...
That often isn't true anymore, see https://ethereum.org/en/developers/docs/mev/
which means non-trading transactions would look so different that someone playing with higher gas wouldn't know what to replace in the bytecode within the 15 seconds between blocks
and the user also has the choice of sending directly to a miner just like the MEV people do, to skip the mempool
which it looks like he did (but not sure, just noticed his contract mentions MEV)
https://etherscan.io/tx/0x1710f8c91f03d43a51b94fb5db00305cdd...
You have described mining.
Nobody is suggesting grandmas code their own smart contracts.
This is not the reason to keep grandma's savings away.
But yield farmers and high value targets should open insurance policies
And the insurance pool participants should also be wary ha
This is of course entirely untrue, and anyone who has done even the smallest amount of onchain trading would know this.
This is how crypto operates. Buyer beware.
> This is how crypto operates. Buyer beware.
This statement rings very true for me, and perhaps is the bit we agree on. With crypto there is no "oversight" that blocks you from depositing your funds into unsafe contracts, etc. It's up to you as the user to do your own research before depositing funds.
There are many projects within crypto that ARE well built, and have been carefully tested, analyzed, slowly released to the public, etc. I like having the ability to make this choice myself instead of relying on some gatekeeper to decide what I can do with my money (cough "accredited investor rules").
We already do exactly that, e.g. Accredited Investor.
It's this very attitude, that only the anointed elite should be allowed to do anything, that draws people to crypto. Now personally I would avoid this scheme like the plague for other reasons. Smart contracts are hard to get right, and especially the ones that rely on very complicated game theoretical considerations for correct operation. And further an index fund of tokens whether manually or automatically managed sounds like a bad idea since I don't believe in the underlying tokens.
In a smart contract, I'd make a legal distinction between syntactic parsing and calculation, which has to do with the purity of functions and data. An arbitrage would be fair game if it levered an unanticipated calculation, whereas a recent example where the contract was only checking the last several bytes of a destination address key would be a parsing exploit. Medjedovic's arbitrage as described appears to be a pure calculation advantage, and not exploiting a parsing error, and so this is very reasonably fair game.
He used logic endogenous to the contracts, with no exogenous control of the systems running the contracts. When you exploit a buffer overflow, you are breaking through (sabotaging) a parser as a means to manipulate the raw memory and machine - whereas this arbitrage is closer to something that lies somewhere between clicking on a link someone provided but had some unspoken intention about you not using it, and a SQL injection or other evaluation error that yields an index. (edit: Actually, it's more like saying something really funny and unexpected on a platform that hasn't banned that kind of humor yet, and they're just mad about the consequences. we could even see a future where the distinction between a hack and arbitrage will be the complexity class of the algorithm and whether it represented a scheme that was Turing complete)
Unfortunately, in Canada they'll go after him just as a fugitive now, and there is no shortage of political actors who will want to make him the perfect example villain for their hysterical policy objectives. This is one of those increasingly classic situations where a really smart kid gets system-involved and can't comprehend how insane it is because the legal system and politics are not subject to mere reason. If he has the money, fleeing before charges were laid was probably even rational, as there is no reason to expect the legal system is equipped to deliver justice in something so new.
Except what's next? Live in hiding in a foreign country? Craft a new identity and find new chains to exploit? I suppose 18 years old is a good time to learn that you can have all the money in the world, but it won't do shit for you if you can't spend time with the people you want to.
I'd wager this individual could get much more satisfaction out of developing novel, interesting mathematics that do actual good for humanity, surrounded by a group of like minded high performing individuals. But he seems to have thrown hopes of that out the window. It's sad, really.
But I'm perhaps projecting.
Yeah, but tradfi has this problem too: sometimes it's hard to tell the difference between straight up trading, and spoofing/otherwise manipulating the market. Maybe the moral of the story is this, that free markets are a myth, and crypto is just making this even more clear.
This idea of the Turing completeness, or maybe complexity class of your transaction logic determining whether it is an endogenous logical arbitrage trade, or an exogenous manipulation scheme may have some really appealing features.
Hypothetically, if the steps of your transaction logic operate on or recurse over feedback into and from the market, you are in fact, "manipulating," it. I'd wonder how describing manipulation in terms of recursion limits and feedback would impact the definition. Whereas, if you are precalculating or front running some periodic market function, you are arbitraging it with endogenous market information and that makes it "legit."
Where this guy might be vulnerable in that model is the question of how far upstream of his actual transaction did he get before the feedback loop he was operating over is not considered a part of that market - and whether his arbitrage was legit because it was between markets.
TFA claims he was originally offered to keep 10% (over a million dollars) from this hack, free and clear. Not agreeing to that deal meant willingly putting himself at the mercy of said legal system. Talking about a single decision as rational in isolation is disingenuous.
I will go back to this idea of an endogenous logic calculation vs. exogenous parsing errors description, where so long as he did not misrepresent the identities or sabotage the functions of any of the sources or destinations of the funds he used in his system, he should be in the clear.
It would be interesting to verify whether his technique had this "functional purity," that I've named and am balancing my argument on tho.
The same description can be said for using XSS to steal someone's cookies. XSS doesn't escape the JavaScript virtual machine similar to how you aren't escaping Ethereum's virtual machine. Technically the code allows you to inject arbitrary JavaScript, but that behaviour wasn't intended to be possible by the designers of the site.
The argument I'm using is that the casino didn't shuffle their deck and a player calculated an advantage. He didn't have hidden cards, a secret view of anyone else's. I'd like to verify that aspect of the strategy though as it's potentially a powerful heuristic.
So much of this reminds me of Chesterton's Fence, where "innovative" solutions are deployed by people who never put forth the time and effort to fully understand how the existing system came to be the way that it was - and the problems that it had to deal with and solve along the way.
I'm not trying to sing the praises of finance and banking; there's much there that is broken. (I'm also not a fan of crypto or NFTs.) But I am saying that many of the "old" ways came about in response to a litany of problems that are neither obvious nor intuitive, and you need to understand why it works the way it does before putting out a new solution.
To steal from Frank Zappa: Legal isn't the same as allowed, allowed isn't the same as fair, fair isn't the same as just, and just isn't music.
I don’t get why purchasing a stolen NFT is different than purchasing a stolen guitar from a pawn shop. Shouldn’t the previous owner be able to use the courts to demand the return of the item that was stolen from them?
Or is this just something that hasn’t been tested yet?
--
For the downvotes, I'll add some further explanation: you have access to the keys in order to perform a sale of "your" NFT, but no US court (I am unsure of other countries) has yet ruled in a case that clarifies whether a person actually owns an NFT. For example, they have not ever ruled against someone who has "stolen" an NFT. Therefore, there is no case law that says whether a person legally "owns" an NFT.
Don't just take my word for it:
> Ultimately, an NFT owner has access to the underlying asset, but they may lack exclusive access to or control of the asset, let alone ownership of the asset or any intellectual property (IP).
https://www.lawyer-monthly.com/2021/05/nfts-and-ip-law-who-o...
The specific danger here legally is trying to apply general laws into an unregulated market. It's a bit like borrowing money from your mate and then trying to take him to court because he's asking for too much interest.
They are, or at least purport to be, fair at some level or through some mechanism most people may not immediately perceive.
When something really isn't fair, even by some indirect means or when accounting for some other imperative like general societal necessity, then they are at least understood to be failures not successes.
This story though... it actually provides a good example of indirect fairness. Well yes and no, there's a point and also a counter to that point, net result throw up my hands glad I'm not in crypto:
Point, it's fair: You got robbed and think it's unfair that there's no recourse. That downside is just the fair price of being in that game at all, which you pay in trade for not having to deal with the traditional system and "the man". You have to absorb the occasional loss from a mistake as just a feature of the environment like the risk of your shipping boat sinking because the ocean is not a safe place. The only protection possible is pay an insurer or maintain your own emergency escrow or something, not any kind of police or rule-daddy.
Point, it's not fair: They are not in fact free of the man, and so they are not really getting the true freedom they are paying for by assuming all responsibility for their own risk.
(Rabbit hole because I sense this is a debate lawyers have all through law school, and there are various schools of thoughts about the nature of the law etc)
Yeah, that's by design. If your "notions of fair are often at odds" with someone else's notions of fair, and a judge needs to intervene to resolve the dispute, then things may not break your way.
Hey! He’s just like me.
> But did Medjedovic do this, or did the algorithm? Barry Sookman, a lawyer in Toronto specializing in information technology, says it's a distinction without a difference: “Individuals are responsible for the activities of technologies they control.”
This of course goes both ways — aren’t the index fund creators responsible for their technologies too?
So the question becomes "Whose law?"
This sounds very much like the same thing, and since digital currency is not heavily regulated, some might say at all, I think the outcome, while unfortunate, is not illegal.
Sadly Day & Kellar and others will likely haunt this poor kid with lawsuits and frivolous attacks, but in my book he did not break the law.
Importantly they had automated the creation/redemption mechanism poorly. Here's the operative passage:
> By eliminating human managers, Indexed could forgo management fees like the 0.95% its bigger rival, Index Coop, charged for simply holding its most popular index token. (Indexed would charge a fee for burning tokens and swapping assets within a pool, but those only applied to a small fraction of users.)
> It also saved on costs by limiting the number of interactions between the platform and outside entities. For example, when Indexed needed to calculate the total value held within a pool, instead of checking token prices on an exchange such as Uniswap, it sometimes extrapolated from the value and weight of the largest token within the pool, called the “benchmark” token.
> This way, it reduced the fees it paid for transactions on the Ethereum blockchain. Kellar saw full passivity as a “natural extension of the way index funds already operate.”
Kellar was wrong.
In bringing down the costs, they eliminated the very thing that might have prevented the transactions that cost them all the money. The trades were legitimate, just unfortunate for the holders and to ask the courts to reward the incompetence of the management of indexed is to ask the courts too much.
> In their complaint, lawyers for Kellar and Day argued that two particular steps of the attack violated statutes against market manipulation and computer hacking. One was swapping almost all the UNI tokens out of the DEFI5 pool, the otherwise irrational trade that distorted the pricing such that Medjedovic could buy tokens out from under Indexed users, who were forced by the algorithm to sell. “The only purpose of that trade was to mislead token holders to part with tokens on terms they never would have agreed to,” says Stephen Aylward, a lawyer representing Kellar and Day. “We say that's a form of market manipulation.” The same argument applied to Medjedovic's interaction with the CC10 pool.
> The second illegal transaction, they argued, was when Medjedovic overwhelmed the pool with free Sushi, thereby tricking the algorithm into letting him bypass the size limit on certain trades. Aylward calls this “an intentional act by Andean to disable a security measure, like disabling the security system at a bank.” He argues that this falls under Canada's “extremely broad” legal definition of a hack, which can be interpreted as “subverting the intended purpose of a computer system.”
Enforcing a contract through a written contract & traditional finance vs a smart contract becomes a mere implementation detail since in either case somebody can come crying to the courts when they lose money. Smart contracts are only interesting if they’re a form of binding arbitration. If smart contracts are not binding, they just become poorly written contracts.
Smart contracts being binding honestly might need to be legislated.
It seems like it's working as designed, even if it's not the outcome its operators wanted.
Shame you can't manipulate an unregulated market. It's not illegal to do irrational things. Hell, even the regulated markets say, "The market can remain irrational longer than you can remain solvent."
The second argument is an analogy, "disable a security measure, like disabling the security system at a bank," and the limit expressed in the code was definitely an expressed preference by the contract author, but if they wanted it to be a legal contract subject to human interpretation, they would have specified this in English. Instead, they created a software tool, and they did not take into account how that tool might be used by the public.
The argument about this is whether code written for the express purpose of participating in risky transactions can be imbued with any other coherent intention. The closest analogy would be that Medjedovic was at their gambling table and was counting cards, except there was no policy keeping him out of there, or against card counting.
Didn't they agree when they bought the token though?
So now they want crypto to be treated as regulated securities, but let me guess, only when it benefits them...
If that's what it takes to live the "code is law" dream, count me out.
This is another example of make risks public and reward private. They are arbitraging the financial system and trying to have the freedom of cryptocurrency, but when things go bad, want law enforcement to come fix it.
Opsec really isn't that difficult, you just have to give it some thought.
Yes, getting a proper audit for a Defi Protocol is expensive (probably 8 person weeks at $20-30k/week or ~$200k), and every good audit firm has a 3-6 month waiting period. But when you’ve got 100x that to lose, it’s a drop in the bucket.
My brokerage sends me plenty of prospectuses and other documentation that I don't read that describes exactly that. I depend on the regulators and the lawyers of other clients that have a lot more to lose than I do to make sure they stick to the rules.
It looks like if you fall foul of big merchant banks and stock traders you can have the full force of the DOJ land on you, but crypto is not important enough.
He also thinks Tesla Wall Batteries will mine crypto soon and “broke into” a private event Elon was at and made a TikTok of it.
I want him to have a successful future is all.
If it weren't those, it would be whatever else existed to fixate on.
I have a friend or two like that and I know that if I could fix Bitcoin it would not clear up their life or make them safe.
This is a nasty position to take. You should never take joy at others' losses.
I'm cheering to see the grift coming apart. Yes, some people are losing. But the earlier the grift falls apart, the fewer future people get destroyed by it.
I'd rather cheer seeing crypto fail, than stand by and watch it suck in vulnerable person after vulnerable person in perpetuity.
Also, I absolutely do cheer the losses of bad people. If a scammer or ethnonationalist loses their hard earned winnings.... Good.
If you really hate crypto projects so much, rather than complain all day long about the crypto-bros getting rich off of their tokens, just hack the smart contracts themselves and the project should offer a bounty if not beg for a negotiation for that and once the project creators fix the bug, you keep the rest.
Job done, until the regulators come.
People aren't that black and white (sorry).
If a despicable bigot is facing the death penalty for stealing a bag of chips, would it be ‘tone deaf’ to say that’s an unfair punishment?
A key factor in an offence is the location of the offence, which usually determines jurisdiction and the relevant laws.
In the classic example of hacking an American bank from Canada, the offence occurs on the American bank's servers in the United States. That's relatively clean and simple, legally.
With an Ethereum smart contract ... I'm not even sure where to begin. Where does the offence even occur, legally speaking? What aspect of fraud by a non-American, against an American resident by executing an adverse smart contract, occurs under the jurisdiction of the United States, if any?
Q: is the programming language these things are written in powerful enough and have sufficient data access for the developers to include sanity checks that would halt trading automatically if something is happening too far out of the norm such as an unusually high volume of attempted night discount sales? Or maybe that would just block extreme discount sales if there have been too many of those recently?
More to your point, you can always have more logging, slow things down to make them safer and allow communities to react in a timely manner, but it's far from trivial. The real problem is that any mistake can be fatal from the defender's point of view.
> It also saved on costs by limiting the number of interactions between the platform and outside entities. For example, when Indexed needed to calculate the total value held within a pool, instead of checking token prices on an exchange such as Uniswap, it sometimes extrapolated from the value and weight of the largest token within the pool, called the “benchmark” token.
> This way, it reduced the fees it paid for transactions on the Ethereum blockchain.
This cost-saving mechanism ultimately allowed the hack to take place.
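A simplified model of the valuation shortcut quoted above, together with the kind of sanity check asked about earlier in the thread. This is an added example, not Indexed Finance's code: the token names, prices, weights and the 10% threshold are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Holding:
    balance: float  # token units held by the pool
    weight: float   # target share of pool value (weights sum to 1)
    price: float    # independently sourced price per unit (constructed)

def extrapolated_value(pool, benchmark):
    """Cheap estimate: value of the benchmark holding divided by its weight."""
    h = pool[benchmark]
    return h.balance * h.price / h.weight

def summed_value(pool):
    """Expensive estimate: price every token in the pool and add them up."""
    return sum(h.balance * h.price for h in pool.values())

def check_valuation(pool, benchmark, max_deviation=0.10):
    """Return (ok, deviation); ok is False when the shortcut and the
    full sum disagree by more than max_deviation (a hypothetical threshold)."""
    cheap = extrapolated_value(pool, benchmark)
    full = summed_value(pool)
    deviation = abs(cheap - full) / full
    return deviation <= max_deviation, deviation

def balanced_pool():
    # Constructed sample: every holding's value matches its weight.
    return {
        "AAA": Holding(500.0, 0.5, 10.0),  # worth 5000
        "BBB": Holding(3000.0, 0.3, 1.0),  # worth 3000
        "CCC": Holding(400.0, 0.2, 5.0),   # worth 2000
    }

def skewed_pool():
    # Same pool after the benchmark balance has moved far from its weight.
    pool = balanced_pool()
    pool["AAA"].balance = 1500.0           # now worth 15000
    return pool

if __name__ == "__main__":
    for name, pool in (("balanced", balanced_pool()), ("skewed", skewed_pool())):
        ok, dev = check_valuation(pool, "AAA")
        print(name, "ok" if ok else "HALT", f"deviation={dev:.0%}")
```

The shortcut is only as good as the assumption that the benchmark holding still sits at its weight; the check costs the extra price lookups the shortcut was meant to avoid.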
I found the address and I take everything back and declare the opposite, that address is not random at all.
-- original post --
> The Ethereum address used for the attack included the number ... shorthand for ...
So Bloomberg thinks people choose the numbers in their wallet addresses and are responsible for any perceived numerological meaning. Are they for real?
Sure the guy could have sat there recreating addresses until one includes this number, but I consider it more likely this is the result of searching randomness for patterns they want to find.
Someone noticed the pattern in the randomness and Bloomberg includes it, as it makes the antagonist more evil and the story more interesting.
> The Ethereum address Medjedovic used for the attack included the number “1488”—shorthand for a neo-Nazi slogan—and he’d written the N-word into the code itself, 16 times. A Twitter user called him the “Dylan [sic] Roof of Balancer Pools,” a reference to the mass shooter who killed nine Black people at a church in Charleston, S.C., in 2015. Medjedovic liked the tweet.
Here’s another:
> Medjedovic apparently flirted with extremist ideas: The classmate says he heard him speak favorably about White supremacy and eugenics.
He is clearly a white supremacist, how is this “searching randomness for patterns they want to find”? This is speculation, but it wouldn’t surprise me if this guy generated lots of addresses until he got one that did have 1488 in it.
With a flash loan, the funds must be returned by the end of the transaction, or the transaction fails. This makes the completion of the transaction the collateral, as if it fails at any point, all transactions (including the loan) get reverted.
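The atomicity described above, as a toy ledger model. This is an added example, not code from any lending protocol: the account names, amounts and fee are constructed, and `Chain`, `Revert` and `flash_loan` are hypothetical names.

```python
class Revert(Exception):
    """Raised to abort a transaction; every state change is discarded."""

class Chain:
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} has insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def execute(self, tx):
        """Run tx(chain) atomically: commit on success, roll back on Revert."""
        snapshot = dict(self.balances)
        try:
            tx(self)
            return True
        except Revert:
            self.balances = snapshot  # the loan itself is undone too
            return False

def flash_loan(chain, lender, borrower, amount, fee, use_funds):
    """Lend, let the borrower act, then require principal plus fee back
    before the transaction ends; otherwise revert everything."""
    before = chain.balances[lender]
    chain.transfer(lender, borrower, amount)
    use_funds(chain)
    if chain.balances[lender] < before + fee:
        raise Revert("loan not repaid")

def repaying_borrower(chain):
    chain.transfer("market", "borrower", 30)  # stands in for any gain made
    chain.transfer("borrower", "lender", 1001)

def defaulting_borrower(chain):
    chain.transfer("borrower", "elsewhere", 1000)  # nothing is repaid

def run(use_funds):
    chain = Chain({"lender": 1000, "borrower": 5, "market": 100})
    ok = chain.execute(
        lambda c: flash_loan(c, "lender", "borrower", 1000, 1, use_funds))
    return ok, chain.balances

if __name__ == "__main__":
    print(run(repaying_borrower))
    print(run(defaulting_borrower))
```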
What if someone wishes for full protection of the law and publicly asks for it beforehand, but then gets involved in crypto/DeFi — would they then "deserve" the law's protections while others involved in crypto/DeFi do not?
> The Ethereum address Medjedovic used for the attack included the number “1488”—shorthand for a neo-Nazi slogan—and he'd written the N-word into the code itself, 16 times. A Twitter user called him the “Dylan [sic] Roof of Balancer Pools,” a reference to the mass shooter who killed nine Black people at a church in Charleston, S.C., in 2015. Medjedovic liked the tweet.
Completely counter to every experience I’ve had working with Waterloo people. My sample group always seemed smart, interesting, kind.
Jesus, this whole cryptocurrency racket is a joke.
When you deploy a smart contract on a permissionless blockchain, you don't own the smart contract or the funds that it controls.
These developers are hypocrites who don't believe in the basic premises of this technology. It is easy to preach the virtues of decentralization when it makes you money and run back in the arms of daddy government when things don't play out in your favor.
The judiciary could write the latter any time they got the right technical input. The question really is - what’s worth putting in the effort right now?
And those answers are coming soon.
But we shouldn’t conflate smart contracts with legal contracts in discussions.
They had to sue or they would be sued themselves (which they might regardless), but there is no law restricting you actually from inflating the market value of an item (or a security). Their advantage is that he doesn't have a lawyer (or claims to) -- which is a stupid move; and that they froze his gains (another stupid move). If a hack is actually involved under Canadian law we shall see but a civil lawsuit is not unlikely to dictate that.
He misled their market maker, not the holders. Of course without reading the case one can not say anything and has an incomplete view, but they are trying to shift blame here.
There is precedent of course, when Oil futures went negative and in the end brokers paid the difference -- as their software wouldn't allow people to trade non-negative ranges.
tl;dr: I think they are still on the hook for the lost funds back in the E.U./U.K.
I agree, but with the caveat that code is the letter of the law only. As it currently stands, there is no way to resolve a dispute, ambiguity, or unintended consequence with smart contracts in the same way that a court of law would handle such issues with a conventional contract. There is no room for interpretation and all smart contracts must be understood as such.
The only thing interesting about this case is how incompetent he was, while having his entire brand and identity be based on intellectual superiority. He should have used a virgin address and Tornado cash. He should have not needed to risk any funds for failure, as he should have tested the transaction in a localhost staging environment for free. Him getting doxxed is the only thing that allows this theory to be tested, whether he, or we, believe it was legal, it is now unnecessary liability. Instead, everyone knows who he is, that he's spiraling mentally, a judge in his hometown jurisdiction froze his addresses and the funds within it (which is a legal abstraction that does not freeze the funds but makes it illegal to move them until the order is lifted, in his favor or not). Just piling on the liability.
I think “code is law” is a decent crux of a more fleshed out defense, I think the Canadian attorney for the project founders is grasping but I’m not as familiar with the direction courts go there, I would prefer to see something similar play out in US federal appeals court (which is sadly after the drama of trial court and how opinions calcify throughout). It would be great and beneficial to see a transcript of how the “Sushi flooding” is argued in the context of a broad computer access abuse law.
I'm astonished at how poor his OPSEC was. He could have taken any number of precautions to shield his identity -- did he really think that deleting the messages on Discord would be sufficient?
e: missed at the end of the article:
> (Except for the headline, this story has not been edited by NDTV staff and is published from a syndicated feed.)
So perhaps this is reproduced under a legit syndication deal?