Billion-Dollar Crypto Loan Is Easy to Get, but Gone in a Flash (wsj.com)
96 points by jkuria on May 17, 2022 | 116 comments



I write MEV bots for a living. I can tell you that the Beanstalk "hack" was evidence of extremely poor design. One of the key security aspects of designing a DAO is that you are not supposed to let the results of a vote take effect in the same transaction or even the same block. This was entirely on the designers of that protocol. It's so negligent and downright stupid that I would be quite surprised if it weren't an inside job. The fact that it took more than a day for anyone to notice this is truly shocking.


I’m not remotely in DeFi, but your comment suggests there’s a world of design rules & patterns within it, which are always somewhat interesting to learn about. Where would you go to learn this stuff (other than as a practitioner, e.g. with access to mentors)?


At this point, a lot of this stuff floats around Twitter and Substack. It's still a bit of a dark art. If you'd like to read some stuff about MEV, start here:

https://twitter.com/bertcmiller/status/1402665992422047747?s...

and here

https://twitter.com/0xmisaka/status/1525964196181057537?s=20...

You can go pretty far down the rabbit hole on crypto twitter.

This was also a cool event; there are 7 hours of video and slides, which have more of the kind of info I think you're looking for...discussions about protocol flaws and design etc.

https://flashbots.notion.site/flashbots/mev-day-836f88806995...


How can something both be a dark art with no actual organized space for best practices and also have it be extreme negligence and stupidity for somebody to fail to follow these best practices? I'm not aware of any other area of software engineering where best practices are only just floating around on twitter.


Fair point. I probably should have directed him to:

https://www.openzeppelin.com/contracts

That’s the closest thing to a collection of standard contracts for protocol builders to use that I am aware of. I’m more on the MEV side - I try to profit from protocols rather than build them. So it wasn’t my first thought.


Thank you for the pointers!


Would you be interested in interviewing somebody on this? I run an interview platform called Taaalk (https://taaalk.co), and I'd be happy to organise an interview with somebody relevant


one way would be to review https://rekt.news on how NOT to do things?


Reentrancy attacks are also well known. Yet many DeFi projects continually get hacked by them.


Is there a list of common attacks with names? This is the first time I've heard the term "reentrancy attack", there's probably a dozen other terms I've never heard of, but would like to read about.


Search for ethernaut for a good overview of exploitable solidity bugs.


Was this a reentrancy attack though?

I don’t think it counts as one, I was thinking that needs the governance contract to either recursively call itself or call an external unrelated contract


Correct, the Beanstalk thing was not a reentrancy attack. That was a governance attack on the world's most insecure DAO. The Rari Capital exploit was a reentrancy attack.

https://twitter.com/BTCTN/status/1520425720631156736?s=20&t=...


what are the best designed DAOs from your experience as MEV'er?


How do people make money with MEV bots these days? I found it hardly possible even a year back.


On the ETH chain, Flashbots [1] has decimated profits, by turning MEV into a race to the bottom, where miners wind up with most of the profits that bots ("searchers") create. On other chains there is much more profit to be had. People are making large amounts of money, as you can see here [2] (check out BSC on there, most of those profits go to the actual bot owners).

It's gotten incredibly competitive, and there has been quite a bit of consolidation. You used to be able to make a bot that could just make a few thousand dollars per day. Now you're either making 6 figures per day as part of a team, or a few hundred dollars per day on your own. One of the reasons you need a team and financing is that much of it is infrastructure based - being right next to miners/validators in the same server rack, etc. It takes significant resources to have nodes exactly where you need to have them, in various parts of the world.

It's also feast or famine. Sometimes, you'll wake up with hundreds of thousands of dollars from thin air. Here [3] is a loan liquidation using a flash loan from last week that netted the person that submitted it $366K (that was the value at the time) - in a few milliseconds. The only money they had to have to do this tx was the $1.50 transaction fee. The ~$8 million necessary for the liquidation was flash borrowed from a Pancakeswap pair.

[1] https://docs.flashbots.net/

[2] https://eigenphi.io/

[3] https://bscscan.com/tx/0x73d37b728ebd55088d0d7ccd3f82a485ac3...


I don't know much about this at all so apologies if this is a stupid question, but presumably the owner of that $8m was compensated out of the profit of the deal and the $366k is what is left over for the person who set this deal up.

If so that was a great deal and worked out, but if the deal hadn't worked out for whatever reason, a bug in the code for the bot etc what would the downside be and how would it be enforced?


The owner of the $8 million was a smart contract, in this case a DEX (decentralized exchange) pair on Pancakeswap. Yes, the contract is designed to do this. I believe the fee on that pair is 0.25%. Technically this was a “flash swap,” not a flash loan, but they are functionally equivalent for purposes of this discussion.

If the contract loans the tokens and isn’t paid back by the end of the transaction, it reverts as if nothing ever happened. Ethereum transactions are “atomic” - either all parts of the tx succeed, or they all fail. So there is no risk to the lender, they always get paid back.
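The two mechanics discussed above, a flash loan that reverts unless it is repaid inside the transaction and (from the top comment) a governance vote that must not take effect in the block it was cast in, as an added Python model that is not Beanstalk's or any project's code: the `Chain`, `Governor`, the pool, the proposer and the 600-of-1000 token amounts at a 25 bps fee are all constructed for the example. Running the same check with `delay_blocks=0` and `delay_blocks=1` shows a same-block executor passing a vote cast with borrowed tokens, while a one-block delay makes the execute step revert and unwinds the whole transaction, loan included.

```python
# Toy block-level model (constructed for this example, not any project's code).
import copy
from dataclasses import dataclass


class Revert(Exception):
    """A failed transaction; every state change made inside it is discarded."""


class Chain:
    def __init__(self, balances, token_supply):
        self.block = 1
        self.token_supply = token_supply  # total governance tokens in existence
        self.state = {"balances": dict(balances), "proposals": []}

    def balance(self, who):
        return self.state["balances"].get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balance(src) < amount:
            raise Revert(f"{src} cannot pay {amount}")
        self.state["balances"][src] -= amount
        self.state["balances"][dst] = self.balance(dst) + amount

    def run_tx(self, body):
        """Run body() atomically: on Revert, roll back to the pre-tx ledger."""
        snapshot = copy.deepcopy(self.state)
        try:
            body()
            return True
        except Revert:
            self.state = snapshot
            return False


def flash_loan(chain, lender, borrower, amount, fee_bps, body):
    """Hand `amount` to the borrower, run body(), then demand amount + fee back.
    A borrower that cannot repay raises Revert, which undoes the whole tx, so
    the lender never ends a transaction poorer."""
    chain.transfer(lender, borrower, amount)
    body()
    chain.transfer(borrower, lender, amount + amount * fee_bps // 10_000)


@dataclass
class Proposal:
    created_block: int
    votes_for: int = 0
    executed: bool = False


class Governor:
    """Majority-of-supply governance. delay_blocks=0 lets a vote take effect in
    the block it was cast; a positive delay pushes execution into a later
    block, i.e. outside any single atomic transaction."""

    def __init__(self, chain, delay_blocks):
        self.chain, self.delay = chain, delay_blocks

    def propose(self):
        self.chain.state["proposals"].append(Proposal(self.chain.block))
        return len(self.chain.state["proposals"]) - 1

    def vote(self, pid, voter):
        # Voting power is the voter's balance right now (no snapshot at proposal
        # time), so tokens held only for the duration of one tx still count.
        self.chain.state["proposals"][pid].votes_for += self.chain.balance(voter)

    def execute(self, pid):
        p = self.chain.state["proposals"][pid]
        if p.executed:
            raise Revert("already executed")
        if p.votes_for * 2 <= self.chain.token_supply:
            raise Revert("proposal has not passed")
        if self.chain.block < p.created_block + self.delay:
            raise Revert("execution delay has not elapsed")
        p.executed = True


def same_block_governance_check(delay_blocks):
    """Audit check: can one transaction create a proposal, vote it through with
    600 of the 1000 tokens borrowed from a pool at 25 bps, and execute it?
    Returns (proposal executed, pool balance after the tx)."""
    chain = Chain({"pool": 600, "proposer": 10}, token_supply=1000)
    gov = Governor(chain, delay_blocks)

    def body():
        pid = gov.propose()

        def vote_then_execute():
            gov.vote(pid, "proposer")
            gov.execute(pid)

        flash_loan(chain, "pool", "proposer", 600, 25, vote_then_execute)

    chain.run_tx(body)
    executed = any(p.executed for p in chain.state["proposals"])
    return executed, chain.balance("pool")


if __name__ == "__main__":
    # Same-block execution: (True, 601), the pool is repaid plus its 1-token fee.
    print(same_block_governance_check(delay_blocks=0))
    # One-block delay: (False, 600), execute() reverts and the loan unwinds.
    print(same_block_governance_check(delay_blocks=1))
```

A real governor would additionally snapshot voting power at proposal creation so balances acquired later in the same block carry no weight; the delay alone is what this model demonstrates.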


Ah OK that makes sense, thanks for taking the time to explain!


Every time I read these it seems too good to be true. $1.50 -> $366K? Who doesn't want that.


It is and it isn't. Getting to the point where you were the one bot fast enough to get into the right position to snag that liquidation involves writing the bot itself, writing the smart contract, understanding the lending protocol and how their liquidations work, understanding how oracle transactions work, working out the math such that every input and output is precisely correct to 18 decimal places, having your server in the right rack in the right datacenter to beat the others, and on and on; these are not easy tasks.

But yes, once you do all of that...it actually is a money printing machine that will never end as long as markets have volatility. It's a bit like living in the movie Ready Player One...once you are clever enough to run the gauntlet, riches are yours.


Lol that's like saying anyone could be a movie star if they had the looks and talents of a movie star.


Yes, but it’s a meritocracy. I don’t control whether or not I look like Brad Pitt. I do control whether or not I am educated enough in this space to carry out a strategy like this.

If you can show that you have the knowledge to do it, getting the money to do it is absurdly easy these days. Crypto VCs are far different and much more accessible than traditional Silicon Valley VCs that only talk to connected startup bros from Stanford or MIT. They’ll all listen to what you have to say if you know what you’re doing. They also move with lightning speed relative to their SV counterparts, and they seem genuinely interested in helping those they invest in. My experiences with them have been off-the-charts amazing, compared to 100% disappointment I have had with SV VCs/angels.


> precisely correct to 18 decimal places

Yeah this is tough. Even just dealing with CBP (8 decimals) I was losing fractions of cents here and there; not sure how they get it right, sometimes it seems like they randomly round to come out even (cases like emptying a balance).


> But yes, once you do all of that...it actually is a money printing machine that will never end as long as markets have volatility.

And despite this being inherent in the DeFi world, people still believe that such systems are better than fiat money?


They are in the sense that they level the playing field. People wouldn't give me millions of dollars to do arbitrage in real life, but I can borrow $200 million from a smart contract without issues if I find a profitable opportunity with it. That is game changing.

That said, there are still challenges. Last week, for 6 hours, there was $1 billion up for grabs [1]. Nobody noticed it except for one person, who only took $13.5 million. But bots are coming that will spot these things instantly....I have one under development that would have caught it.

[1] https://twitter.com/0xngmi/status/1524891992429318144?s=20&t...


On a tangent, what distinguishes a successful bot from a poor bot? For many of the arbs, the logic is simple to imitate. I understand there is some infrastructure engineering (having servers close to some node) involved, but besides that, it seems a level field in terms of money and tech.


So, seeing yet another story involving flash loans, I have to ask this question: what is the actual utility of a flash loan? The first use that occurred to me was to use it to pretend you were sufficiently rich for the purposes of exploiting an insufficiently secure smart contract, and judging from the number of stories involving them, I'm not the only person to think along these lines. But I'm not seeing any other uses than some variation on that fraudulent idea of making people think you have money you don't really have.

Surely the people who came up with this financial innovation had some other use for it in mind, one that would outweigh the inherent externality of this-is-a-perfect-vehicle-for-fraud, right? ... right?


Many financial positions (in DeFi or the real world) require you to have additional funds in order to move between different positions.

An example in the real world...say you're an employee at a large tech company with a bunch of stock options. You want to exercise those options and sell them. In order to exercise those options, you need money that you do not have. Luckily, your brokerage offers a service where they'll exercise the options for you and sell them. You're essentially borrowing their money very quickly to get out of your position.

In DeFi, you could use a flash loan in order to deleverage in a position. So instead of selling a small increment of your position and paying back your loan multiple times, you can instead take a flash loan and pay everything back at once to deleverage.


FTA?

> Such flash loans have beneficial uses, including help for traders trying to capitalize on price differences between cryptocurrencies on different exchanges. In that sense, they are much like the financing that an investment bank might provide to an investment fund to make bets on different stocks or currencies.

This is their predominant use as well.

If you bid up the price of something on Sushiswap, that also trades on Uniswap, a flash loan will be deployed pretty much in the same block, pull all available capital necessary, and fix that price imbalance to its maximum potential.

Just a form of arbitrage.

Projects have to do system design that accounts for this. Beanstalk did not seem to account for the idea that the liquidity pool would have more than 50% of the BEAN supply eventually. But aside from that, having proposals passable in one block of deposit is the primary vector. Teams and communities like this model though because it basically comes down to "imagine how rich we would be if an attacker actually tried to buy all the tokens, I hope state actors get involved to really test that theory", because then it wouldn't matter if one block or many blocks was used if an actual organization was determined to pass something; this mentality is just not compatible with flash loans when all the liquidity is purchasable already.


Flash loans are useful for both arbitrage and loan liquidations. Every swap on Uniswap and its many forks on many chains is actually a "flash swap" under the hood - you can take the coins out and use them before the code checks that you have sent the tokens for the swap in to the contract. You don't even need a dedicated flash loan provider on a given chain to be able to use very large amounts of capital sitting in DEX pair contracts.

There are other case-specific uses for them, but loan liquidations and arbs are the big ones.


yes, are those swap forks cheaper than using AAVE?


Depends on your use case. First, AAVE is on ETH, and most arbitrage profits are on other chains. For example, there aren't a lot of flash loan providers on BSC (Binance Smart Chain) with deep liquidity, so everyone just uses flash swaps. The most profitable chain for arbs is BSC (binance smart chain). If you're using the loan for DEX arbitrage, then there is no point in using a third party loan provider like AAVE. You have to pay swap fees regardless, and a flash swap is "free" in the sense that you only pay the swap fees for the coins involved, and you must pay them whether you send the coins to the contract first, or if you borrow them and pay them back at the end.

So if you bring in outside money from a place like AAVE for a DEX arb, then whatever fees you are paying to AAVE are an extra, optional expense, since the swap fees must be paid regardless.


You can borrow from a DEX pool for a DEX arb in a different pool or for the rest of the complex transaction.

I’m asking if borrowing from the DEX pools itself is cheaper than borrowing from AAVE.


The answer is yes, for DEX arbs, since you have to trade in the pools anyway and must pay the resulting fees.


Somewhat strange take on it. Applying the exact same reasoning, any loan is a fraud that lets you pretend you have money that you don't have. Compared to flash loans, a mortgage is a far more serious scheme, because you could end up defaulting on it, something that is impossible with flash loans by design (the transaction would revert). Mortgages also drive up house prices for everyone.

Fyi, their intended use case is to remove arbitrage opportunities, something that improves the UX for ordinary users because you don't have to worry about buying/selling at a suboptimal price.


[0] identifies four use cases for flash loans: (1) arbitrage, (2) wash trading, (3) collateral swapping, and (4) flash minting.

[0] Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit. https://arxiv.org/abs/2003.03810


The main use is arbitrage.

Arbitrage is not unethical. I don’t know why you paint it that way.


The main use is exploiting smart contracts. Not just in the "bug" sense, but if e.g. there's a decentralized exchange and many people unwisely set a resting stop order to sell to "reduce risk", you can clear out the order book popping everyone's stops to trigger a cascade and then buyback at firesale prices.

Another common use for cryptocurrency loans is speculating on other cryptocurrencies or borrowing a lot for a short-term pump & dump. There are smart contracts that will let you borrow at 20% interest leaving the balances of both known, and they'll margin-call you if the trade goes too far against you.

There's no use for these loans outside of cryptocurrency-land: If you buy e.g. an apartment complex, that asset cannot be used as collateral for a cryptocurrency loan and you can't get millions of dollars for cheap like you can a conventional or government loan.


If the hacker had not said the bit about donating to Ukraine, but instead just made the proposal "send me all the money" would he have committed any crime? It's not clear to me that, apart from lying, he really did anything you're not supposed to do.

If, analogously, my bank had a program where people could propose actions to the bank and vote on them by putting dollars in a "yes" or "No" jar - and I started a "give me the bank" proposal, took out a massive loan and won the vote... What have I done wrong?


Yes, it would be theft because the usage was clearly outside of the intended use of the system. This sort of thing has been tested in the courts before and likely falls under the realm of any bug exploit.

For another example, let’s say you were an employee of a retailer with the power to set a discount on certain items. You suddenly set a 100% discount on every item in the store and then buy all the inventory for $0. Try explaining to the police that you were actually fully within your legal right to do that.


> For another example, let’s say you were an employee of a retailer with the power to set a discount on certain items. You suddenly set a 100% discount on every item in the store and then buy all the inventory for $0. Try explaining to the police that you were actually fully within your legal right to do that.

But if you were the board, or the majority shareholder, it would be fine. Which is what happened here.

They borrowed money, bought a majority of the BEAN, used that BEAN to vote on their proposal to take all the money, and it passed. They kept the money, sold the BEAN, and returned the borrowed money.


> But if you were the board, or the majority shareholder, it would be fine. Which is what happened here.

I am fairly sure a majority shareholder could not just vote to give themselves all of a company's assets.


You wouldn’t want to be an investor in one that did or looked like it was doing that

But yes, there are other deterrents like not optimizing share price or returns for the other shareholders, bylaws, state laws, rules from the exchange you trade on and mayyybe a regulator.


When I heard Beanstalk was exploited, I was thinking this was something like an instant leveraged buyout, like in tradfi where an investment fund borrows a bunch of money (with the other company's assets as collateral), buys a company and sells their most profitable assets while the company lingers on death's door for years (with some kind of inflated asset valuation with the rest of their collateral leftover) before bankruptcy.

Just much faster in crypto because they allowed for their governance to be vulnerable to flashloans.


Yes like that


Which analogous cases are you talking about specifically?

And as much as your example would likely result in some kind of conversation with the police, it also highly depends on whether you discounted items fraudulently or if you did it because you specifically were in the position to do so. Your example describes it as though you had full legitimate power to discount certain items up to 100% off. At that point, at worst you would have violated company policy and not the law. You might get fired for it but when a retailer you work for offers a discount you are eligible to participate in it.


Code is law in crypto. You can’t hate the law/regulation then call it in when you need it.

Also I don’t think your retailer comparison works, in this case the power to give the user the rights and ability to create 100% discounts was designed into the system and although the outcome is unintended, it is not a flaw because the system allowed it and everyone using the system was allowed to audit it before putting value in.


> Code is law in crypto. You can’t hate the law/regulation then call it in when you need it.

"Code is law" is the mantra of people who are either ignorant of how the law works or attempting to run from the law [1]. You don't get to choose whether or not the law applies to you [2].

[1] Or both. These aren't mutually exclusive categories.

[2] Source: see every sovereign citizen case ever. I was originally going to write "ask any sovereign citizen," but then I remembered that the failure of their legal theories to ever find purchase in a courtroom does surprisingly little to make them realize that they are wrong.


We don't get to choose whether the law applies to us, but we do get to choose whether the code applies to us. The idea being that code is far more powerful than law.

Edit: see Tor/I2P vs censorship law, or BitTorrent vs copyright law


That seems odd. People get fined when trying to circumvent copyright (or more). Censorship laws don't disappear just cuz you have a trick around the implementation of some firewall.

I would also counter the idea that we choose whether code applies to us! Loads of daily interactions with different companies or the government go through automated systems that make their own decisions.

We don't have line item vetos on what affects us in life, in a lot of scenarios. There are a whole lot of package deals, and big bureaucracy is a part of that.


> That seems odd. People get fined when trying to circumvent copyright (or more).

If they get caught. If you were opposed to copyright law, why go toe-to-toe against IP lobbyists when you can make a computer program that makes their tyrannical laws irrelevant?

> Censorship laws don't disappear just cuz you have a trick around the implementation of some firewall.

Censorship laws don't need to disappear so long as they are rendered unenforceable.

> I would also counter the idea that we choose whether code applies to us! Loads of daily interactions with different companies or the government go through automated systems that make their own decisions.

You can make code apply to you, but you cannot make code not apply to you. Once someone starts using a technology, that changes the game in an irreversible way.

> We don't have line item vetos on what affects us in life, in a lot of scenarios. There are a whole lot of package deals, and big bureaucracy is a part of that.

No, you merely accept bureaucracy because you are old and complacent.


Bureaucracy and legal systems pose some sort of physical threat to you and can use violence (or the threat of violence) to enforce their rules.

In most western societies this happens only if absolutely necessary, after many warnings, and the reactions are quite measured (e.g. you won't get shot for a parking ticket). The existence of assholes makes people ask for rules to rein them in.

Whoever can send armed people to your door makes the rules. If you are lucky you have some degree of say in who that is (elections) and what those rules might be (e.g. ballot measures, public discussion). If you are unlucky the militia just shows up and takes you to a dark alley.

Crypto (or any other technology for that matter) doesn't change the fundamental fact that your physical body is located somewhere on this world and is accessible to someone. It takes some time for the bureaucracy and the laws to adjust, but it always happens. If need be (e.g. you created a smart contract that does something illegal) you can be punished so other people won't do the same.

In conclusion:

> No, you merely accept bureaucracy because you are old and complacent

Is not how these things work at all.


In this case I was just using it as a figure of speech, commonly used in the crypto community.

It would be interesting to see how different courts would settle the matter. I imagine it will be an interesting legal future for various crypto projects.


You can choose to give your consent to activities like exploiting code though. You can consent to being in a fight (e.g. boxing or mutual combat states). You can consent to do whatever with your code (e.g. CTF style sites). To me, it seems like saying "Code is law" or allowing people to create arbitrary proposals and voting on them with loaned money is kind of consenting to whatever happens.


There are things you can't legally consent to. You may be able to consent to being in a fight, but you generally can't consent to a fight to the death (e.g., a duel). Nor can you generally enter into an agreement to commit fraud, or other illegal activities.


> Code is law in crypto

The courts have not really tested that, have they? I figure HN would alert me if they had.

A wounded party will claim an exploit. Most bugs / security flaws are, in fact, code that is working perfectly as written, but not as intended.


This is like saying a word doesn't exist because it's not in a dictionary.

Dictionaries reflect the public's usage of words, not the other way around.

Similarly, courts are supposed to reflect the values of people, people's values aren't informed by the courts.


Fine, but my values say that fraud is fraud whether you do it on a blockchain or not. I expect most of the public to agree and the laws of most countries to eventually reflect that even if some crypto maximalists don't like it.


I don't follow the analogy, but here's one that works for me: it's like leaving your door unlocked by accident, b/c you didn't understand the lock properly or were in a hurry. Negligence, sure, but it takes a person exploiting that negligence to get to the point of theft.


>You can’t hate the law/regulation then call it in when you need it.

Why not?


When you use or own a cryptocurrency, some of your wealth is transferred to miners in exchange for securing the network (block reward, fees -> mining, development). When you use or own a fiat currency, some of your wealth is transferred to governments in exchange for securing the economy (inflation, fees -> regulation, protection).

I think it is generally unfair to make the taxpayer to front the bill of the government protecting cryptocurrency institutions (via the justice system), especially when the cryptocurrency networks are supposed to be trustless and self-securing. That's basically a net transfer of wealth from the public to a special interest group of cryptocurrency users, and furthermore a rival financial system.


No real reason why not, aside from hypocrisy. It’s just “the code” of lawlessness, if you live outside the law you gotta stay that way.


Law is law.


Math is law, everything else is a human opinion


This is true in a philosophical sense.

In a more practical sense (some) human opinion is influential enough to make that distinction useless

(Feel free to discuss the fundamental nature of laws with your cell mate)


Well, if your bicycle is stolen in a big city, feel free to discuss how important the law is with an officer at your local station; you aren't going to see it again.

The "law is law" response to "code is law" is terribly uninteresting. It's just semantic shuffling.


I don't think it is, because "law is law" has physical enforcement behind it (in many cases) while "code is law" doesn't (unless through the regular legal system, which won't enforce "illegal" smart contracts).


>let’s say you were an employee of a retailer with the power to set a discount on certain items ...

No, not the employee, but the owner. Isn't that a more accurate metaphor for this situation?


The intended usage in my opinion is up to the governance to decide. They can vote on things related to how things should work. The project can be taken any way the governance decides, and if the governance decides that it wants to send all of the funds to a single person I don't see how that is outside the intended usage. The exact same action could benefit all the users in case the smart contract had a vulnerability and he wanted to save everyone else's funds from being stolen.

In regard to your example, if the employee truly does have the power to do that and the intention for that power is not stated, I think it's fine for them to take actions which cause the store to lose money.

Edit: As a sibling comment mentioned, it's more like if an owner of the business decided to add these discounts.


A majority shareholder in a company isn't allowed to take all the assets even though they have the votes. The minority does have rights. Like, this is what the eternally misunderstood fiduciary duty is about: the company isn't your personal piggy bank just because you're at the wheel.


I think that's where the metaphor breaks down. A company is intended to make profit where a protocol's purpose is whatever the owners want it to be.


But isn’t code law? I thought the intended usage was to faithfully execute the contract.


The same could be said about other vulnerabilities like SQL injections. The difference in this case is that there was a governance proposal that was legitimately passed, but it was unpopular with the community, as votes are not 1 per person but rather based off how much you have financially invested into buying voting rights.

In real life this would be the equivalent of buying enough shares of a company to make unpopular changes. Hostile takeovers aren't illegal AFAIK.


If someone had a website that said "My server's code is law. You can do whatever it lets you do." and you found an SQL injection vulnerability, I would think you'd be allowed to mess with it.


Banks, and other companies, can indeed have shareholder votes to make decisions. You can't vote with dollars directly but you can buy more shares.

So shares are similar to governance tokens in DeFi projects. And in the real world, people also borrow money to get more than 50% of the shares. This is called a leveraged buyout.

However, the difference to DeFi is that shareholders have certain rights (like the right to share in the profits and assets) that are protected by laws. That means a majority shareholder cannot take actions that amount to stealing the company's profits or assets from other shareholders, or they'll be sued. They may do things that the other shareholders don't like, like dismantling the company by selling off parts for cash, but they'll have to fairly share the proceeds.


Is all that is going on in DeFi just self-referential?

I mean, there is money moved around all the time, there are more and more clever and complex systems.

But are they connected to the real world in some way?

For example, the stock market is. It lets people with savings invest those savings in companies that produce real world goods and services.

Another example is a bank. A bank can loan money to people who want to spend now what they will earn later.

But DeFi? Is anything happening there that has value to mankind? Or is it all a zero-sum game between crypto traders?


> It lets people with savings invest those savings in companies that produce real world goods and services.

You can invest in cryptos that you think will perform some sort of electronic service, like Ether, in expectation that the value will go up if it grows in usage.

It's admittedly pretty hard to make a connection to the physical world. So staying within the virtual world, ownership is an interesting application outside of finance. NFTs are the most prominent but (as art) least interesting examples of blockchain ownership. More interesting is the intersection with gaming, like what you see with Crypto Kitties and Gods Unchained (deck building game where card ownership and scarcity is blockchain driven). Another example is ENS: decentralized domain names.

> A bank can loan money to people who want to spend now what they will earn later.

This topic is much easier. Finance is the first application of blockchain, and there are tons of traditional financial instruments which exist in cryptospace already.

CDPs[1] offer a decentralized way to borrow money.

Compound[2] offers a way to both lend and borrow.

[1] https://coinmarketcap.com/alexandria/glossary/collateralized...

[2] https://compound.finance/


Many invest in private companies through DAOs and crypto tokens. So I don't get your stock market difference.


This is the first time I hear about something like this.

Can you give an example?


All governance tokens are essentially common stock with voting rights. $GRT for The Graph, for example.

All DAOs are essentially corporations. But not all are legally registered corporations. "LAO" (Legal Autonomous Organization) is the moniker for legally registered DAOs.

There's a few thousand Ethereum based LAOs listed on this site: https://aragon.org/aragon-govern


https://aragon.org/aragon-govern seems to be a landing page. There is no list of thousands of LAOs. Is it hidden behind some link perhaps?

Also you explicitly say LAO instead of DAO. Under which country's jurisdiction does the LAO fall?


Not OP, but Telegram has its own token and there are also tokenized stocks on FTX. I actually use the latter one, since my income isn’t large enough to take a margin loan at e.g. InteractiveBrokers (they require 75k€ annual income) to participate in moves of Tesla.

Please don’t tell me about European derivatives like KnockOuts and Warrants. These are more expensive than a margin loan on FTX.


Flash loans are actually extremely democratic and socialize the ability to conduct billions of $ worth of transactions (as long as the debt is paid for in a single block).

This is in contrast to the current stock market in which only a handful of players have the liquidity and the regulatory ability to market make.


Maybe not having that ability be available to "anyone" is actually a good thing.


Agree. Only fine men like George Soros and companies willing to pay enough to lawyers should be able to do so.

Also open source software should be banned, as everyone can search for security exploits. I see it the same with flash loans, etc. It forces DeFi protocols to safeguard against all attack vectors, resulting in a much more secure environment.


"Hardening against all attack vectors" seems to be working out as well in DeFi as it is in the rest of the technology world.


Anyone includes George Soros


Well, they’re kind of limited in what they can do with it because of the requirement to make a profit in an atomic transaction.

But I think the conversation we should be having is, do we want to move towards more resilient markets, given that the additional security will carry a heavy cost in terms of productivity?

I’m sure there are arguments both ways but it seems like we don’t have the full picture yet.


They might be limited but people seem to be figuring out how to cause all kinds of havoc with them.


What benefit is there in restricting the use of large amounts of capital to actors who control that capital free and clear?


Like Reddit, HN and Lemmy.ml - different selection of investors leads to different preferences.

The various economies in the world show that not all investors create the same results. Restricting big investments to investors who were successful in the past seems to be not the worst idea.


My question is, how was there enough liquidity in Beanstalk to be able to buy half of it in an instant? The article doesn't explain this.


I analyzed this transaction when it happened back in April.

There was enough liquidity in Uniswap V2. A lot of projects incentivize community organized trading liquidity these days. Larger and larger traders are more willing to buy into projects when the liquidity is large enough to support them, but in the past (and simultaneously now in the present, for projects that bother), providing liquidity had a major challenge of both expense and regulatory issues (promising liquidity to potential buyers and actively courting exchanges has been a prong in being designated as a security, but communities expected funds to be used this way anyway; exchanges know this and extort project founders). So now with AMM technology like Uniswap, this has all been solved. Nobody ever has to deal with crypto exchanges again, and communities don't have to worry about liquidity. This has allowed rapid flourishing of some kinds of projects.

Anyway, there are 71,000,000 BEAN tokens in existence. And if you look at the Uniswap liquidity pool, it has risen to around 30,000,000 BEAN slowly over time.[0] And the day the amount got high enough, the person did a flash loan of $1,000,000,000 in stablecoins and bought everything from the liquidity pool, they got 6,000,000 additional BEAN from another source, deposited 36,000,000 BEAN into Beanstalk to get an immediate majority vote on their proposal, which gave them all the funds locked up in Beanstalk (the $80,000,000 or so), withdrew the BEAN, sold it back into the liquidity pool (resetting the price to what it was before), returned the $1,000,000,000 and kept the $80,000,000 to themselves. ($250,000 to Ukraine Relief to fulfill the promise of their proposal, but they deposited it all into Tornado Cash to never have to figure out if that was good enough, like in a court.) [1]

[0] https://etherscan.io/token/0xdc59ac4fefa32293a95889dc3966828...

[1] https://etherscan.io/tx/0xcd314668aaa9bbfebaf1a0bd2b6553d01d...
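As an added illustration of the design point in the comment above (this is example code written for this thread, not Beanstalk's contract or anyone's code from the discussion): a small Python model of DAO governance with two switchable policies. With `hardened=False` it reproduces the flawed pattern, where the live token balance is the voting weight and a passed proposal executes in the same block it passed, so tokens bought in that block can pass and execute a proposal before the block ends. With `hardened=True` voting weight is read from a balance checkpoint taken before the proposal's block (the idea behind OpenZeppelin's `ERC20Votes.getPastVotes`) and execution is refused until a delay has elapsed. The holder names, token amounts, the strict-majority quorum rule and the 2-block `EXECUTION_DELAY_BLOCKS` are constructed for the illustration; real timelocks are measured in hours or days.

```python
"""Toy DAO governance model, added as an example for this thread; it is not
Beanstalk's code or any real protocol's, and names, amounts and the 2-block
delay are constructed. It models the two checks that stop a same-block
"borrow, vote, execute, repay" sequence: voting power read from a past-block
checkpoint, and a timelock between a vote passing and its execution."""
from dataclasses import dataclass

EXECUTION_DELAY_BLOCKS = 2  # constructed; real DAOs use hours or days


class Token:
    """Ledger keeping (block, balance) checkpoints per holder, so a past
    balance can be queried (the idea behind ERC20Votes.getPastVotes)."""

    def __init__(self):
        self.block, self.supply, self.checkpoints = 0, 0, {}

    def balance_of(self, who):
        cps = self.checkpoints.get(who)
        return cps[-1][1] if cps else 0

    def balance_at(self, who, block):
        # Balance at the end of `block` (0 if the holder had none yet).
        bal = 0
        for b, v in self.checkpoints.get(who, []):
            if b > block:
                break
            bal = v
        return bal

    def _set(self, who, new_bal):
        self.checkpoints.setdefault(who, []).append((self.block, new_bal))

    def mint(self, who, amount):
        self.supply += amount
        self._set(who, self.balance_of(who) + amount)

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self._set(src, self.balance_of(src) - amount)
        self._set(dst, self.balance_of(dst) + amount)


@dataclass
class Proposal:
    snapshot_block: int
    votes_for: int = 0
    passed_block: int = None


class Governance:
    """hardened=False reproduces the flawed design: live balances count as
    votes and a passed proposal executes at once, in the same block."""

    def __init__(self, token, hardened):
        self.token, self.hardened, self.proposals = token, hardened, {}

    def propose(self, pid):
        # Hardened: use balances as they stood before this block began, so
        # tokens acquired in the proposal's own block carry no weight.
        snap = self.token.block - 1 if self.hardened else self.token.block
        self.proposals[pid] = Proposal(snapshot_block=snap)

    def vote(self, pid, who):
        p = self.proposals[pid]
        power = (self.token.balance_at(who, p.snapshot_block) if self.hardened
                 else self.token.balance_of(who))
        p.votes_for += power
        if p.passed_block is None and 2 * p.votes_for > self.token.supply:
            p.passed_block = self.token.block  # strict majority reached
        return power

    def execute(self, pid):
        p = self.proposals[pid]
        if p.passed_block is None:
            raise PermissionError("quorum not reached")
        if self.hardened and self.token.block < p.passed_block + EXECUTION_DELAY_BLOCKS:
            raise PermissionError("timelock: execution not yet allowed")
        return True


def same_block_takeover(hardened):
    """Constructed scenario: an actor buys the pool's whole holding and tries
    to propose, vote and execute within one block. Returns 'executed' or the
    reason governance refused."""
    token = Token()
    token.mint("pool", 60)   # liquidity pool holds most of the supply
    token.mint("alice", 25)
    token.mint("bob", 15)
    token.block = 5          # ordinary history before the incident block
    gov = Governance(token, hardened)
    token.transfer("pool", "attacker", 60)  # bought with borrowed funds
    gov.propose(1)
    gov.vote(1, "attacker")
    try:
        gov.execute(1)
        return "executed"
    except PermissionError as exc:
        return str(exc)
```

Running `same_block_takeover(False)` returns `"executed"`, while `same_block_takeover(True)` returns `"quorum not reached"`: at the checkpoint block the buyer held nothing, so the freshly bought tokens carry no weight. A genuine majority under the hardened policy still has to wait out the delay before `execute` succeeds, which is the window in which holders can notice and react to a proposal that reached quorum.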


The attacker used the AAVE lending platform to facilitate the flash loan. rekt.news has a better writeup: https://rekt.news/beanstalk-rekt/


Archived Link - https://archive.ph/OumQb


Sometimes I fantasize about becoming a modern day Robin Hood type figure and using these flash loan scams to liberate millions in crypto and then disburse them to people stuck with crippling student loan or medical debts. Not like I'm really doing much else with my life.


Don't forget to wear modern tights.


Tight, tights!


Steal from the poor/middle class to give to the poor. Ridiculous


Well it’s the thought that counts.


Poor people don’t have money to throw in crypto.

If you think they do, you seriously haven’t met genuinely poor people.


I've met quite a few less-than-well-off folks with significant portions of their net worth in cryptocurrencies. Like work 60 hours a week across multiple jobs but still qualify for food stamps poor. For a lot of them they see it as their only way to get out of poverty and the skill/knowledge level necessary to interact with those markets has dropped enough they're able to access them with their small amount of available capital. Depending on your perspective this is either because crypto projects are grassroots projects bringing financial freedom to everyone or because the scam has reached a size where it needs to bring those people in in order to continue running without collapsing.


I don't think it's mathematically possible to work 60 hours a week and still qualify for food stamps.


If you're the sole wage earner in a family of 4 and you make federal minimum wage or close to it, you'd still be within the qualifying income range at 60 hours a week: https://www.fns.usda.gov/snap/recipient/eligibility


I wonder why anyone would work for $7.25 when McDonalds, Amazon, Target, Starbucks, and basically everyone else these days pay double that at least.

Looking at the data it looks like almost no one earns minimum wage aside from waitstaff who get tips on top of it.


Got curious and did the math. Minimum federal wage is 7.25 in the US. 60 hours a week over 50 weeks is 3000 hours. Pretax that’s 21,750 a year.

Food stamps qualification depends on household size. I got different numbers when I googled but 21.75k a year qualified in all of them if there’s at least two people in your home.


I generally agree with this sentiment, then I saw a gas station in the middle-of-nowhere-Wisconsin was selling Bitcoin.

It was essentially a $5 lottery ticket


You'll see a lot of get rich quick crypto schemes around Wisconsin. It's a little depressing. I hate to see people who I know are not so well off risking what little they have on something so precarious.


$5 of Bitcoin, if purchased five years ago, is worth like $80 now. Hardly a lotto ticket.


$5 of Bitcoin, if purchased a year ago, is worth like $3.50 now.


That's enough to buy some lottery tickets!


This was definitely not 5 years ago. This was 12 months ago.

And yes you can definitely win $80 from a $5 lotto ticket I promise you.


Which will never win.


I'm a working class guy in North Dakota. I'm just telling you what I see in my community. Sorry you're out of touch with a chunk of America


This is very similar to how Voltaire got his fortune exploiting a national lottery.
