It's Spy vs. Spy in DeFi
Crypto's radical transparency can look like radical opacity to anyone not fluent in the language of smart contracts and block explorers.
And even for the select few who are, figuring out who did what, when, and why is a laborious process: Crypto Twitter is full of breathless reports of on-chain goings-on, most of which are either incorrect, misleading, or meaningless.
The sleuths do sometimes hit gold, though, as in the case of FTX.
But you have to think that for all the skullduggery that gets exposed, multiples more go undetected.
If, for example, Dan Smith was not in the habit of spending his spare time scrolling through blockchain transactions, we may never have learned that one of 2022's biggest crypto exploits had been counter-exploited.
What's a counter-exploit? Just over a year ago, a black-hat hacker exploited (i.e., stole) $320 million worth of ETH from the Wormhole bridge, which Jump Crypto subsequently reimbursed.
Last week, Jump Crypto stole it back.
The smart-contract machinations of the counter-exploit are mostly Greek to me, although Dan does a great job of translating them to English in this Blockworks Research report.
A glance at the report is all it takes to know that the details are complicated. But the big-picture takeaway is not: A court of law ordered something to happen on chain and it did.
That (I believe) is a first.
Invoking God Mode
It's telling that no one volunteered the information that a major counter-exploit had occurred — I imagine that none involved wanted to be associated with the precedent being set.
Of the four parties (Oasis, Jump Crypto, the black-hat exploiters, and the white-hat counter-exploiters) only Oasis has commented, and only reluctantly.
The exact chain of events therefore remains a matter of speculation.
(Which makes it perfectly suited to the minimal journalistic standards required of newsletter writers.)
My speculative guess is that the white-hat group had been following the funds exploited from Wormhole as they moved around on-chain over the past year.
(The fact the exploiters were unable to move them off chain is a testament to how ill-suited crypto is for criminal activity.)
When the funds found their way to the Oasis protocol, the white-hat group spotted an opportunity: The protocol's builders had retained the ability to change their smart contracts without notice, which gave them the power to seize the funds the Wormhole exploiter had deposited.
They appear to have given themselves that power inadvertently: In a statement acknowledging the Blockworks Research report, Oasis said the counter-exploit "was only possible due to a previously unknown vulnerability in the design of the admin multisig access."
("Multisig" in this context is a wallet that grants a select group of people some degree of control over a protocol.)
Once the builders were informed of the power they held, they were reluctant to exercise it: While Oasis was "thankful to the Whitehat group for their intervention," they seem to have initially denied the request to counter-exploit the stolen funds.
The white-hat group made that request to Oasis only because they couldn't execute the counter-exploit on their own: They required access to the multisig — in video game parlance, they needed God Mode.
When Oasis declined, the white-hat group, I'm guessing, went to Jump, and Jump in turn went to the UK court system.
With a court order in hand, Jump and the white-hat group re-stated their request, and Oasis complied by adding the white hat group (or Jump?) to the multisig — which allowed them to invoke God Mode and execute the counter-exploit.
"This was carried out in accordance with the requirements of the court order, as required by law, using the Oasis Multisig and a court authorised third party."
Translation: "We really didn't want to, but we wanted to go to jail even less."
Coder Beware
That statement from Oasis, in acknowledging the jurisdiction of a UK court over a DeFi protocol, is uncomfortable reading for the DeFi industry: Code is meant to be law in crypto!
But I'd argue that, in this case, it was: The code allowed for the signers of the Oasis multisig to do what they want (God Mode) — and what the signers wanted to do was comply with a court order.
That's perfectly understandable: There's a crypto developer still confined to a Dutch prison for no evident reason other than to make sure coders everywhere understand their real-world legal liabilities.
The fact that the coders in this case appear to have taken that warning to heart is not an indictment of DeFi.
A lot of things had to go right (or, depending on your point of view, wrong) for this counter-exploit to have been pulled off: It was an unusual set of circumstances that is not likely to recur and the big-picture takeaways for DeFi are therefore limited.
It should still, however, be a wake-up call for DeFi's users and builders both.
Courts have leverage over people. So, to the degree that people (rather than code) have leverage over the protocols that comprise DeFi, DeFi will be compromised.
It's not news that DeFi has yet to achieve full decentralization: At this early stage of DeFi's development, decentralization remains a north-star destination to be sought after.
The spy vs. spy counter-exploit discovered by Blockworks Research is a signpost for the direction the industry needs to go.
No comments:
Post a Comment