Stupid “smart contract” bug let hackers steal $31M in digital coin(arstechnica.com)
arstechnica.com
Stupid “smart contract” bug let hackers steal $31M in digital coin
https://arstechnica.com/information-technology/2021/12/hackers-drain-31-million-from-cryptocurrency-service-monox-finance/
6 comments
You are right. So he played by the rules and got $31M.
The point is, the "good" exchanges with worth of billions $ weren't not hacked yet. So that puts a lot of trust in them.
You basically have the same scam in clasical finance. There are a lot of examples, even one that caused a financial crisis. So let's say it can be a good thing that "bad code" or "bad asset management" is discovered early.
You basically have the same scam in clasical finance. There are a lot of examples, even one that caused a financial crisis. So let's say it can be a good thing that "bad code" or "bad asset management" is discovered early.
I mean at this point with the amount of people who have messed up smart contracts, it seems like basically the perfect way to setup a situation to take money from people.. create a digital money that is hard to recover, allow people to basically write code to describe how it can be used, and expose it all out to the internet.. previously you had to hack a company, then figure out how to use that access to initiate funds transfers from the company or ransom them.. now you don't even need to do that.. find coding flaw, literally profit.
I'd love for some combination of Armitage/Metasploit/Ghidra/Gyoithon/Shodan but aimed at exploring blockchain smart contracts for vulnerabilities. Put a nice little GUI list of contract addresses and associated wallets, with USD-equivalent valuations to help you prioritize your targets.
From the article:
Earlier this month, blockchain-analysis company Elliptic said
so-called DeFi protocols have lost $12 billion to date due to
theft and fraud. Losses in the first roughly 10 months of this
year reached $10.5 billion, up from $1.5 billion in 2020.The second part is also interesting:
“The relative immaturity of the underlying technology has allowed hackers to steal users’ funds, while the deep pools of liquidity have allowed criminals to launder proceeds of crime such as ransomware and fraud,” the Elliptic report stated. “This is part of a broader trend in the exploitation of decentralised technologies for illicit purposes, which Elliptic refers to as DeCrime.”
“The relative immaturity of the underlying technology has allowed hackers to steal users’ funds, while the deep pools of liquidity have allowed criminals to launder proceeds of crime such as ransomware and fraud,” the Elliptic report stated. “This is part of a broader trend in the exploitation of decentralised technologies for illicit purposes, which Elliptic refers to as DeCrime.”
The whole point of the “smart contract” nonsense is that the code is the exact legal contract. What is “meant” is not meant to be relevant and the ability to argue about such things in court is considered a flaw that these contracts are meant to be fixing.
So someone obeyed the terms of the contract and earned coins in it exchange.
By all the definitions that crypto folk have been throwing around this is the correct result, and if people didn’t like the terms of the contract they didn’t have to accept it.