Category Archives: Blockchain

Phishing for Green Apes

On May 17, 2022, actor Seth Green announced to the world that he got “phished and had 4NFT stolen”. Apparently, he clicked on a link that led him to a website that requested and obtained access to his wallet – a wallet containing four high-profile collectible NFTs. After he provided the necessary consent, a scammer promptly emptied his wallet of these four expensive collectible NFTs.

Green purportedly knows how to navigate Web 3.0 but does a really bad job of justifying his lack of security hygiene:  “Scam GutterCats clone site. I’m crazy careful with separate wallets and security but still got got. Luckily it’s art not crypto so they can be traced. For anyone that bought them, we can work something out.”

Setting aside whether what was lost was actually “art” in the sense of fine art – these are more properly described as innovative collectible NFTs whose significant speculative value rests on community growth, utility, endorphins, and numerous other intangible measures – Green’s loss presents a valuable security lesson for all NFT collectors and raises issues that will not go away anytime soon. All of this is now ripe for discussion.

Green asked OpenSea not to allow trades in his four missing collectibles.  It is doubtful any marketplace will affirmatively identify, tag, and refuse to trade in Green’s four NFTs. As it stands, there are huge numbers of fake collectible NFTs sold on marketplaces – especially on OpenSea. Despite recent OpenSea changes aimed at addressing “copymints” – fake listings using copies of actual collectibles, the collectible fraud problem will not subside any time soon given this sort of fakery does not require much effort and can be very lucrative for scammers – as well as the marketplaces that thrive on trading fees.  More to the point, even the upgraded OpenSea controls do little to address the core issue of compliance.

To its credit, there are no current OpenSea listings tied to Green’s collectible NFTs but that might change at any time given at least one marketplace has them listed.  As of May 19, 2022, Rarible has MAYC # 19182 listed by public wallet address # 0xae7f30d77b367afe64f04dfd94e95f71f8e4ae66.

And, Rarible apparently also has BAYC # 8398 listed by public wallet address # 0xaf20e2e1dca5dffd0efa1a8055099a947beec8be.

These are not necessarily Green’s collectible NFTs simply because they reference the correct collections, point to the right image files, describe the correct rarity properties, and use the right numbering scheme.  On the other hand, both have sold – perhaps in wash trades, perhaps not – for significant amounts: 106.5 ETH ($268,912) on May 8, 2022 for BAYC # 8398, right around the time it was purportedly removed from Green’s wallet, and 31.5 ETH ($87,129) on March 17, 2022 for MAYC # 19182.  Without a universal and easily accepted means of verifying the authenticity of these collectibles, collectors will need to be part detective and part forensic investigator and use ETH explorers to track the relevant wallet addresses.

Assuming someone did the legwork to confirm these are the actual pilfered collectibles, Mr. Green has several options.  He can continue pressuring marketplaces to refrain from listing them.  That would not get them back, but it might prevent further monetization and may cause the current owners to cut a deal with Green for their return given this lack of monetization.

As with many film actors, Seth Green lives in California, where knowingly receiving stolen property is a criminal offense punishable by up to a year in prison.  See Cal. Penal Code § 496(a) (“Every person who buys or receives any property that has been stolen or that has been obtained in any manner constituting theft or extortion, knowing the property to be so stolen or obtained, or who conceals, sells, withholds, or aids in concealing, selling, or withholding any property from the owner, knowing the property to be so stolen or obtained, shall be punished by imprisonment in a county jail for not more than one year, or imprisonment pursuant to subdivision (h) of Section 1170.”).  Almost all NFT marketplaces are non-custodial – which means this statute would not really apply to them under any reading of the law.

Given this lack of custody, a marketplace would also not likely be liable for conversion. “The tort of conversion is established when one who owns and has the right to possession of personal property proves that the property is in the unauthorized possession of another who has acted to exclude the rights of the owner.” Angiolillo v. Christie’s, Inc., 103 N.Y.S.3d 244, 260-61 (N.Y. Sup. Ct. 2019).  Similarly, a cause of action of replevin requires that the defendant actually possess the property in question before its return can be obtained in court.  All of this assumes ownership of the constituent parts of an NFT, namely private keys, smart contract software code, IPFS content, etc., constitutes personal property in the first place.

Green’s likely best avenue for redress would be going after the current holders of his lost NFTs, who might be considered bona fide purchasers, i.e., good faith purchasers for value without knowledge of the tainted title. Mr. Green lives in California and the “stolen” property could be in wallets belonging to persons anywhere in the world.  Even assuming he knows the public wallet addresses of the current owners, Green would still not know their country of origin, let alone their names and addresses.  If a purchaser is identified, however, negotiating a deal or filing suit will be viable options.

Knowing the applicable law for a claim is significant given in some jurisdictions such as New York the law favors rightful owners seeking their stolen personal property.  See e.g., Solomon R. Guggenheim Found. v. Lubell, 77 N.Y.2d 311, 320, 567 N.Y.S.2d 623 (1991) (“To place the burden of locating stolen artwork on the true owner and to foreclose the rights of that owner to recover its property if the burden is not met would, we believe, encourage illicit trafficking in stolen art.”); Barnard v Campbell, 55 N.Y. 456, 461 (1874) (“The general rule of law is undoubted that no one can transfer a better title than he himself possesses.”); DeWeerth v Baldinger, 38 F3d 1266, 1278 (2d Cir. 1994) (“New York case law has long protected the right of the owner whose property has been stolen to recover that property, even if it is in the possession of a good-faith purchaser for value.”).

In some states and countries, however, it is quite different.  For example, under Swiss law, a bona fide purchaser becomes the owner even if the chattel was stolen or otherwise transferred without the authorization of its owner.

On the other hand, even New York law distinguishes between fraud and theft because the owner who is defrauded acted affirmatively and could have protected herself by due diligence, “whereas the owner from whom property is stolen has not acted affirmatively, and, in many instances, could not have protected herself. The [bona fide purchaser] may be equally innocent in both cases, but the original owner from whom property is obtained by fraud is more blameworthy than the original owner from whom property is stolen, and the former is entitled to less legal protection than the latter.”  Shubert Org., Inc. v. Partridge, 2020 NY Slip Op 32748 (N.Y. Sup. Ct. 2020).

This legal distinction raises an interesting point regarding Green’s “stolen” NFTs.  After all, Mr. Green was led to a website by way of a fraudulent email in the hope of minting himself some Gutter Cat Gang NFTs but instead connected his wallet to an imposter website.  All the while, he would have consented to everything done, including his wallet connection and any subsequent activity.  In other words, he was defrauded.  No one went to his home or computer, stole his private key, went into his wallet, and transferred his collectibles to another wallet.  If Green could bring to court a bona fide purchaser of his quartet of valuable NFT collectibles such a buyer could certainly raise all of this as a defense.

Beyond the security hygiene lessons and potential difficulties in retrieving lost collectibles, Green’s mishap also shines a light on the need for due diligence when using a marketplace.  In sharp contrast to collectible NFTs such as BAYC NFTs, purchasing fine art NFTs from a reliable source such as an established art gallery provides justifiable trading confidence.

UPDATE: June 7, 2022

On May 30, 2022, Seth Green announced he had struck a deal with the buyer of his Bored Ape #8398.

He also mentioned he was “working together to prosecute the original thieves” so presumably law enforcement is involved. The following day, Green made a somewhat cryptic statement: “Had to track the NFT to the current holders & make a deal between us to get them back- although we get to prove the friendship & community we all are building around these artists & collections. Plus now we work together to prosecute the original thief who scammed us both”.

In other words, Green was able to convince the buyer to send Green’s Ape back home for an unknown price. For all we know, it may be what the buyer paid or even a premium on that price. What will be of most interest to the ending of this story is what sort of prosecution takes place against Green’s scammers.

UK Royal Mint Wants to Mint an NFT

On April 4, 2022, the UK Royal Mint was asked to mint an NFT.  As with many announcements today, the Royal Mint’s announcement came in a tweet.

Either the above announcement demonstrates supreme ignorance or utter brilliance.  Offering for sale non-fungible representations of currency – the most fungible of assets, certainly seems on its face nonsensical.  Disregarding the typo, however, it may have been a brilliant marketing gambit – with the Chancellor’s goal of placing the UK on the crypto map furthered.  What happens this summer might be a major step in that direction.  Who knows?  There may even be a Royal Mint NFT drop at NFT.NYC in June.

Axie Infinity’s Sidechain Suffers Massive DeFi Exploit

On March 29, 2022, the developers behind the Ronin Network – an Ethereum sidechain used to support the decentralized game Axie Infinity, announced a major exploit.  The developers revealed that an attacker used hacked private keys from four Ronin Validators and a third-party validator run by Axie DAO – out of a total of nine, to forge withdrawals of 173,600 ETH and 25.5M USDC – valued at over $625 million. 

This sort of 51% consensus attack plagued the proof of work crypto community since its early days but largely fizzled out as a threat as the major blockchains grew more complex and the number of mining nodes grew into the thousands.  The fact that the Ronin sidechain only had nine validators for its exit bridge – with a majority being a mere five of the nine, was a security failing by most vantage points.  Not surprisingly, to “prevent further short term damage”, the Ronin Network immediately “increased the validator threshold from five to eight.” And, more importantly, the network “will be expanding the validator set over time, on an expedited timeline.” 
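To make the arithmetic of that five-of-nine threshold concrete, here is an added Python model of a bridge’s withdrawal check; it is a constructed example, not Ronin or Sky Mavis code, and HMAC-SHA256 over constructed validator secrets stands in for the validators’ real signatures so that it runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Constructed validator set: nine ids with per-validator secret keys.  Real bridge
# validators sign with ECDSA; HMAC-SHA256 stands in here so the block runs offline.
VALIDATOR_KEYS: Dict[str, bytes] = {
    f"validator-{i}": f"fake-secret-{i}".encode() for i in range(1, 10)
}


@dataclass(frozen=True)
class Withdrawal:
    recipient: str
    token: str
    amount: int
    nonce: int  # replay protection: each withdrawal id is released at most once

    def digest(self) -> bytes:
        msg = f"{self.recipient}|{self.token}|{self.amount}|{self.nonce}".encode()
        return hashlib.sha256(msg).digest()


def sign(validator_id: str, key: bytes, w: Withdrawal) -> Tuple[str, str]:
    """Produce (validator_id, signature) over the withdrawal digest."""
    return validator_id, hmac.new(key, w.digest(), hashlib.sha256).hexdigest()


def count_distinct_valid_signers(w: Withdrawal,
                                 signatures: Iterable[Tuple[str, str]],
                                 keys: Dict[str, bytes]) -> int:
    """Count validators whose signature verifies; the same id never counts twice."""
    seen = set()
    for vid, sig in signatures:
        key = keys.get(vid)
        if key is None:
            continue  # unknown signer: ignored, never counted
        expected = hmac.new(key, w.digest(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):
            seen.add(vid)
    return len(seen)


def bridge_accepts(w: Withdrawal, signatures: Iterable[Tuple[str, str]],
                   threshold: int, keys: Dict[str, bytes] = VALIDATOR_KEYS) -> bool:
    """Exit-bridge rule: release funds only with >= threshold distinct valid signers."""
    return count_distinct_valid_signers(w, signatures, keys) >= threshold


def withdrawal_with_compromised_keys(compromised: Iterable[str], threshold: int) -> bool:
    """Would a withdrawal signed only by the listed (compromised) validators be released?

    Used here to compare the old threshold of five with the raised threshold of eight
    for the same five leaked keys.  The recipient address is a placeholder.
    """
    w = Withdrawal("0xPLACEHOLDER-recipient", "ETH", 173_600, nonce=1)
    sigs = [sign(vid, VALIDATOR_KEYS[vid], w) for vid in compromised]
    return bridge_accepts(w, sigs, threshold)


if __name__ == "__main__":
    five = [f"validator-{i}" for i in range(1, 6)]
    print("threshold 5, five keys leaked:", withdrawal_with_compromised_keys(five, 5))
    print("threshold 8, five keys leaked:", withdrawal_with_compromised_keys(five, 8))
```

The same five leaked keys release funds at threshold five and are refused at threshold eight, and repeated or mis-attributed signatures never inflate the count, which is the property a multisig bridge depends on.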

The race to mass adoption of new networks has caused many DeFi platforms to forgo a security-first design.  Rather than viewing such an approach as time-consuming or as stifling growth, new networks competing with Bitcoin and Ethereum and underlying many new DeFi platforms must recognize that only with trust will this community ever grow beyond its current early adopters.

UPDATE: March 30, 2022

According to a text message sent to Bloomberg by Aleksander Leonard Larsen, chief operating officer of the developer behind the Ronin Network, Sky Mavis: “We are fully committed to reimbursing our players as soon as possible. . . We’re still working on a solution, that is an ongoing discussion.”

Another OpenSea Vulnerability Is Exploited

The world’s largest NFT marketplace – OpenSea, just got hit with another design flaw – this time allowing buyers in an ongoing auction to buy rare NFTs for earlier auction prices.  One analyst ripped the $13.3 billion OpenSea for its security failing:

It’s worth noting that this problem arose as a result of the intended design of OpenSea, a centralized service that uses decentralized coins. It’s difficult to classify this as a hack or even a bug. OpenSea informs consumers that this is how its service works, which has resulted in numerous scams. The OpenSea bug shows that it is a sloppy marketplace, and if users aren’t cautious to follow proper practices, they may be exploited by more savvy users.  Whether the OpenSea bug is being treated as an open security flaw or a result of user error is currently unclear.

The CTO of Ledger had even more harsh words for OpenSea in a now-deleted tweet – suggesting that it is currently not safe for NFT holders to have their assets listed on OpenSea: “It’s very difficult to use this platform securely right now.”  

Despite being an exploit that has existed for well over a month, the actual mechanism for this switch remains unknown – with rumors pointing to a flaw in the API used by OpenSea and Rarible.  One analyst speculated “that an API exploit between Rarible and OpenSea was involved, allowing it to buy these #NFTs at a much lower price.” 

While the exact cause of the vulnerability is not yet known, it may ultimately derive from the fact that OpenSea requires a gas fee to remove a listing.  As a gas fee workaround, certain users transferred their NFTs to another wallet without cancelling the original listing.  This avoided paying any gas fees but left the original listing technically still open. 

After some time elapsed, owners would transfer the NFT back to the original wallet and list again.  That’s when the exploit comes into play.  If there is another auction using the original wallet’s address someone could possibly obtain the NFT using a bid that is based on an earlier offer – in essence, buying the NFT for a fraction of its true current value. 

Potentially feeling some pangs of guilt, the latest “exploiter” of this vulnerability took profits and “sent 20Ξ to @T_BALLER6  and 13Ξ to VirtualToast, two of the people he originally took #NFTs from.”  The public name tag of this person is “OpenSea Opportunistic Buyer” – just in case anyone had any doubts as to their good intentions. 

To date, neither Rarible nor OpenSea have publicly stated anything regarding this “exploit”.   

UPDATE:  January 25, 2022

An OpenSea spokesperson said in a private statement provided to a friendly crypto news outlet that the company has been “actively reaching and reimbursing affected users,” and is taking the matter “incredibly seriously.” The spokesperson apparently did not inform the news outlet exactly how much users have been reimbursed.

OpenSea said it’s been quiet on the issue to avoid notifying “bad actors who could abuse it at scale” before patching the problem. It’s apparently working on product improvements, including a new dashboard that shows all active listings, to address the issue.

Moreover, OpenSea suggested that this loss was caused by a “loophole” and was not an exploit or a bug – “it was an UI issue caused when a user creates a listing, then transfers the NFT to a different wallet to avoid the gas fee that comes with nixing a listing.”  In other words, it was as presumed by those looking at what originally took place.

OpenSea also said in its private statement that it is changing the default listing duration for NFTs from six months to one month, so that if an NFT is transferred back into a wallet after the new time frame the listing will have expired.
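To make the stale-listing sequence described above concrete, and to show why shortening the default listing duration closes the window, here is an added Python model of an off-chain order book sitting over an on-chain ownership registry. It is a constructed example, not OpenSea or Rarible code; the Marketplace and Listing types, the wallet names and the two duration constants are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DAY = 24 * 3600
SIX_MONTHS = 180 * DAY   # the old default listing duration described in the post
ONE_MONTH = 30 * DAY     # the new default described in the update


@dataclass
class Listing:
    maker: str         # wallet that signed the sell order
    token_id: int
    price_eth: float
    expires_at: int    # unix time after which the order can no longer be filled
    cancelled: bool = False


class Marketplace:
    """Minimal model: signed orders live off-chain, ownership lives on-chain."""

    def __init__(self, default_duration: int):
        self.default_duration = default_duration
        self.owner_of: Dict[int, str] = {}   # stands in for ERC-721 ownerOf()
        self.listings: List[Listing] = []

    def mint(self, token_id: int, wallet: str) -> None:
        self.owner_of[token_id] = wallet

    def list_for_sale(self, maker: str, token_id: int, price_eth: float, now: int) -> Listing:
        if self.owner_of[token_id] != maker:
            raise ValueError("only the current owner can list")
        listing = Listing(maker, token_id, price_eth, now + self.default_duration)
        self.listings.append(listing)
        return listing

    def cancel(self, listing: Listing) -> None:
        # On-chain cancellation: the step that costs gas and therefore gets skipped.
        listing.cancelled = True

    def transfer(self, token_id: int, sender: str, receiver: str) -> None:
        # A plain NFT transfer; previously signed orders are left untouched.
        if self.owner_of[token_id] != sender:
            raise ValueError("sender does not own the token")
        self.owner_of[token_id] = receiver

    def is_fillable(self, listing: Listing, now: int) -> bool:
        # An order is live while it is not cancelled, not expired, and the signer
        # still owns the token.  Nothing here looks at how the token came back.
        return (not listing.cancelled
                and now < listing.expires_at
                and self.owner_of[listing.token_id] == listing.maker)

    def active_listings(self, wallet: str, now: int) -> List[Listing]:
        """The 'dashboard of all active listings' view for one wallet."""
        return [x for x in self.listings if x.maker == wallet and self.is_fillable(x, now)]

    def fill(self, buyer: str, listing: Listing, now: int) -> Optional[float]:
        """Settle a live order; returns the price paid, or None if the order is dead."""
        if not self.is_fillable(listing, now):
            return None
        self.owner_of[listing.token_id] = buyer
        listing.cancelled = True
        return listing.price_eth


def stale_listing_scenario(default_duration: int) -> dict:
    """Owner lists, moves the NFT out without cancelling, brings it back on day 60."""
    m = Marketplace(default_duration)
    m.mint(1, "owner")
    old = m.list_for_sale("owner", 1, 1.0, now=0)       # listed at 1 ETH on day 0
    m.transfer(1, "owner", "cold-wallet")                # skips the cancel gas fee
    away = m.is_fillable(old, 1 * DAY)                   # dormant while the token is away
    m.transfer(1, "cold-wallet", "owner")                # returns on day 60, market up
    m.list_for_sale("owner", 1, 10.0, now=60 * DAY)      # relisted at 10 ETH
    return {
        "fillable_while_away": away,
        "old_listing_fillable": m.is_fillable(old, 60 * DAY),
        "active_count": len(m.active_listings("owner", 60 * DAY)),
        "paid_for_stale": m.fill("buyer", old, 60 * DAY),
    }


if __name__ == "__main__":
    print("six-month default:", stale_listing_scenario(SIX_MONTHS))
    print("one-month default:", stale_listing_scenario(ONE_MONTH))
```

With the six-month default the dormant 1 ETH order revives the moment the token returns and is settled at that price; with the one-month default it has already expired by day 60, and an explicit cancel (the gas-costing step) kills it regardless of duration.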

It goes without saying that a $13.3 billion company having such a large share of a nascent market should not disclose on a piecemeal basis its security and design failings – either wait until the coast is clear or open the spigots to everyone who can ask meaningful questions.

Frosties Rug Pull Demonstrates Community is Key to NFT Projects

On January 9, 2022, creators of the Frosties NFT Collection abandoned their project after investors spent over $1.2 million buying the entire inventory of digital “cartoon ice cream” characters. The money received by the creators was transferred the same day.

Relying on the Chinese lucky number 8 four times over, the collection of 8,888 Frosties was described as “Cool, Delectable, and Unique” and quickly sold out based on claims made by the creators.  Their project website – which has since been taken down, promises the following:

Frostie NFTs are made up of over a hundred exciting traits of backgrounds, body, clothing, eyes, mouths, eyewear, hats, toppings, and items. Each Frostie is a unique, non-fungible token (NFT) on the Ethereum blockchain.

Frosties will have staking, metaverse, breeding functions, and so much more!

Holding a Frostie allows you to become eligible for holder rewards such as giveaways, airdrops, early access to the metaverse game, and exclusive mint passes to the upcoming seasons.

The Frosties presale will take place on January 7th and the main sale will take place on January 8th.

Join the Frosties community on Twitter and Discord!

After the January 8, 2022 public drop of Frosties at a floor of 0.04 ETH, the project’s Twitter and Discord server accounts were taken down and in a “rug pull” the floor price was removed.  It was also a cash grab given the NFTs stayed with their new owners whereas the creators stopped all further efforts to build or benefit the community.

What happened next is instructive.  First, the underlying NFTs have been selling at prices both very low and very high.  In other words, the market is now dictating the pricing and life goes on with how these assets are going to be priced.

As for moving forward with the project, the Frosties Rug Pull demonstrates that projects can go forward with or without the original creators.  The key is to have a passionate community and at least a few folks who can help lead the charge from a technical perspective. 

In the case of Frosties, someone named EsahcHslaw took charge and posted on reddit:  “We are wrapping Frosties under a new contract for those who want to continue to hold while the project kicks off again. Old dev won’t gain royalties this way. The community will own the funds. Community ran, doxxed multisig, roadmap, website, new Twitter. DM for DC server invite.” 

By removing the possibility of creators obtaining future royalties, Frosties owners effectively removed the creators from the project going forward.  And, if the Frosties community continues growing organically – with new social media channels and active community involvement, the Frosties Rug Pull will demonstrate that an active community is the primary engine for driving NFT value.

UPDATE: March 25, 2022

Federal prosecutors in New York charged two individuals in a criminal complaint with conspiracy to commit wire fraud and conspiracy to commit money laundering, in connection with the Frosties rug pull.

As set forth in the March 24, 2022 DOJ press release, “Mr. Nguyen and Mr. Llacuna promised investors the benefits of the Frosties NFTs, but when it sold out, they pulled the rug out from under the victims, almost immediately shutting down the website and transferring the money. Our job as prosecutors and law enforcement is to protect investors from swindlers looking for a payday.”

Defi Security Growing Pains Continue with BitMart Breach

On December 6, 2021, crypto exchange BitMart – which bills itself as “The Most Trusted Crypto Trading Platform”, announced a security breach “mainly caused by a stolen private key that had two of our hot wallets compromised.”   A tweet from security analysis firm PeckShield first called attention to this hack days earlier.  According to PeckShield, the loss is around $196 million.  Interestingly, BitMart at first denied there was any hack – claiming it was “fake news”.

According to the BitMart Twitter release:  “At this moment we are temporarily suspending withdrawals until further notice.”  A Telegram “ask me anything” is scheduled for 8:00 p.m. EST this evening.

Similar to what was done by other centralized crypto exchanges after a security incident, BitMart will use its own funds to compensate users impacted by the theft.   

The BitMart theft comes on the heels of a report by London-based consulting firm Elliptic revealing billions of dollars stolen from DeFi platforms.  According to Elliptic’s recently released report, the overall losses caused by DeFi exploits total $12 billion and of that amount, fraud and theft accounted for $10.5 billion, seven times the amount from last year.

Thefts hitting crypto exchanges such as BitMart and DeFi protocols such as Poly Network shine a light on the fact that DeFi is largely driven by startups lacking cybersecurity maturity.   In contrast, the financial institutions that literally spend billions on cybersecurity want no part in helping DeFi projects; more likely, they welcome cyber incidents that tarnish DeFi’s reputation.  Until they reach a higher level of security and such incidents become less commonplace, DeFi projects will continue making platform users whole after a security incident – or risk a total collapse in the market for non-money-laundering usage.

Depending on their popularity, open-source products can be highly secure and DeFi should be no different. At some point in time – after decentralized protocols are adequately security tested and implemented and DeFi projects become fully independent and organic and not reliant on any centralized cloud solution or centralized servers, breaches such as the one that hit BitMart will be rare.  In other words, as the market and business opportunities for DeFi increase in scale and scope DeFi’s security profile will naturally evolve.

DeFi May Overtake Traditional Finance If Crypto Changes to 26 U.S.C. § 6050I Becomes Law

The day after the world’s largest NFT event concluded – a truly spectacular event, a bill criminalizing unreported digital asset transactions over $10,000 was sent for presidential signature.  Prior to passage, one blogger warned:  “The amendment to section 6050I is an affront to the rule of law and to the norms of democratic lawmaking. It was slipped quietly into a 2,700 page spending bill, allegedly as a tax measure to defray the bill’s trillion-dollar price tag even though section 6050I is in fact a costly criminal enforcement provision.”

While US bankers and financial institutions thought this provision would level the playing field or even knock DeFi off the playing field, it may eventually have the exact opposite impact.  By way of background, the 1980s-era 26 U.S.C. § 6050I requires persons who engage in “a trade or business” and receive “more than $10,000 in cash in 1 transaction (or 2 or more related transactions)” to file a Form 8300 report containing the “name, address, and TIN of the person from whom the cash was received, the amount of cash received, [and] the date and nature of the transaction”.

In the proposed amendment to this law, however, there is a new additional definition of “cash”, namely “any digital asset (as defined in section 6045(g)(3)(D))”.  “Digital asset” is in turn broadly defined as “any digital representation of value which is recorded on a cryptographically secured distributed ledger or any similar technology as specified by the Secretary.”  Not surprisingly, existing exemptions for “cash received by financial institutions” and reporting organizations, or for those transactions “occurring outside the United States”, all remain intact.

If this law is signed “as is” – which is apparently likely, it will push a knife deep into the virtual heart of DeFi, NFTs and any other burgeoning alternative investment solutions targeting US customers.  The KYC and reporting requirements would presumably create insurmountable disadvantages.

Some bitcoin whales rejoiced given that hodlers don’t really care much about DeFi or NFTs – they just want to buy more bitcoin and anything that gives rise to anti-governmental sentiment is bullish for hodlers.  In fact, BTC rose to new heights on the news.

While in the short term DeFi and NFT platforms may have significant new hurdles if this bill is signed into law, in the long term it may have the opposite impact intended by the bankers who likely pushed for this financial reporting provision in an “Infrastructure Bill”. 

For one thing, no one country can kill something that is truly decentralized – whether it is China, India or the United States.  The whole point of decentralization is that it is not tethered to any country.  Mandating governmental centralized reporting is no different than pushing a child into a pool – the reality quickly becomes “sink or swim”.  If this bill gets signed, platforms may very well expedite their decentralization plans and US banks will be flanked by truly decentralized platforms they cannot control or influence and participants who would rather take more control over their financial future.  After a decade or two, traditional financial institutions may very well go the way of Sears.

UPDATE: November 16, 2021

On November 15, 2021, the Infrastructure Bill was signed into law. None of the major news outlets discussed the change to 26 U.S.C. § 6050I – with only a few discussing the changes impacting digital asset broker disclosures. One senator, however, introduced on November 16, 2021 a bill to repeal all of the Section 80603 digital asset provisions – including that one involving 6050I. With any luck, it will quickly be enacted into law. And, if not, there is still the potential that down the road this change will forever alter the financial institution landscape by accelerating implementation of DeFi.

UPDATE: June 12, 2022

On June 10, 2022, a federal action funded by Coin Center was filed in the US District Court of the Eastern District of Kentucky against the Treasury Department in the first constitutional challenge to the amendment of Section 6050I of the IRS Code. One of the lawyers bringing suit first sounded the alarm on this amendment last year at NFT.NYC.

Seeking to block enactment of the amendment, the federal suit makes two major claims: “(1) forcing ordinary people to collect highly intrusive information about other ordinary people, and report it to the government without a warrant, is unconstitutional under the Fourth Amendment; and (2) demanding that politically active organizations create and report lists of their donors’ names and identifying information to the government is unconstitutional under the First Amendment. The first claim is about privacy and our Fourth Amendment right to be secure from unreasonable searches and seizures. The Fourth Amendment already has some huge carve-outs that leave people with precious little space for privacy. For example, under the “third-party doctrine” once you hand private information over to a bank or social media company, you lose your right to prevent warrantless searches of that information.”

It remains to be seen whether the suit will successfully block enactment of the new regulation but what is undeniable is that DeFi specifically and Web 3.0 generally is under attack by centralized institutions and constitutional challenges such as this one are an absolute necessity.

$600 Million Loss Shines a Light on DeFi Security

On August 10, 2021, Chinese cross-chain DeFi platform, Poly Network, was apparently hit with the exploit of a smart contract vulnerability in its “EthCrossChainManager” contract impacting three separate chains, including two leading DeFi blockchains – Ethereum and Binance Smart Chain, and numerous cryptocurrencies.   This latest exploit is part of a major trend in security incidents involving DeFi platforms.

Poly Network developers quickly asked for help on Telegram to block transfer of the stolen assets:   “We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses.”  

In another August 10, 2021 post on Telegram, Poly Network also posted:  “If you are experiencing any difficulty due to the hack that just happened theres [sic] a compensation plan , connect your wallet and get your refund in minutes , our dev only lose but this did not affect any of our users.”  

It is not clear how this protocol platform would make all users whole.  

As a start, the ESL Poly Network team also posted the following open letter asking for the return of the stolen assets:

Not surprisingly, this plea was immediately derided:  “Imagine successfully stealing over $600m and have the people you stole from think there’s a chance you might be willing to return it with what amounts to a passive-aggressive post-it note on the fridge.”  

Notwithstanding the obvious desperation found in its letter, the Poly Network team may be on to something given this was apparently never really a “hack” – it was likely yet another person who exploited a vulnerability in a deployed smart contract.  As of August 11, 2021, $119 million in Binance-pegged BUSD was returned by the hacker’s associated address to the 947,598 owners impacted by the exploit.  BUSD is a stablecoin used to trade crypto assets on the Binance chain.  Another $134 million was also returned soon thereafter to other impacted owners.  According to Chainalysis, a total of $261 million in cryptocurrencies has been returned to date.

A review of the micro transactions found on Etherscan and BscScan indicates that the “hacker” has been testing literally thousands of ways to move the stolen assets.  In other words, the exploiter does not know what to do with the stolen booty.  A few posts back that up – including one where the “hacker” is allegedly asking for someone to instruct on how to circumvent miner scrutiny.

The “hacker” purportedly also posted:  “WHAT IF I MAKE A NEW TOKEN AND LET THE DAO DECIDE WHERE THE TOKENS GO.”  

As things continued going downhill, the claimed sole perpetrator of the exploit – again claiming such identity solely by virtue of using the perpetrator’s wallet address, allegedly came out as an innocent interloper:

Information posted in the form of a Q&A on an ETH transaction Private Note section goes into further detail:

It’s looking like these posts are all from the same exploiter.  A spreadsheet tracking the exploit – including related communications, can be found on Google docs.  Even if these posts are not genuine, chances are still high the exploit was performed by one or more persons who decided to offload some coin and ultimately decided to give back – as apparently already done to the tune of $261 million, whatever could not safely be absconded with using his/her/their current knowledge.  There were certainly many out there willing to provide the necessary crypto laundering assistance, but apparently the advice was not taken – the clearest signal this was committed by an “ethical” hacker.

Poly Network is at its essence an interoperability protocol used by and integrated with many DeFi projects so this exploit will have direct ripple effects well beyond the Poly Network.  The more indirect impact of this exploit is the slight chance it might be replicated elsewhere by others having the necessary domain knowledge to move stolen assets.  

The best way for investors to minimize the likelihood that such failings will impact them in the future is to seek out and only use DeFi platforms that rely on a holistic “security by design” architecture – something not easily found in a decentralized world. Not surprisingly, in a recent survey nearly 75% of institutional investors and wealth managers stated that the security of virtual currencies is a “significant” hurdle stopping many individuals from entering the crypto asset space – let alone the more exotic DeFi domain, where software vulnerabilities can still cause the exfiltration of $600 million in digital assets.  Beaches will always have little appeal to swimmers when there are known sharks in the water.

UPDATE: August 12, 2021

Except for $33 million in Tether stablecoins previously frozen by Tether, the entire amount taken was apparently returned. Reuters is reporting that this was done in return for an after-the-fact $500,000 “bug bounty”.

The DeFi End Game

A skilled chess player will tell you the best way to study chess at a high level is to first study endgames and truly learn the power of each piece.  Memorizing book openings generally comes last.  If one wants to learn about the insurance industry, first take a job in the claims department.  In a similar way, students of disruptive technologies benefit from first learning their “end game”.  

Blockchain is one disruptive technology that still has not fully discovered its business sea legs.  The purported proxy for blockchain – Bitcoin, recently hit all-time highs so naturally on January 3, 2021 a forecaster placed a ten-year target of $1 million on this speculative asset.   Every good bubble requires inflating and the very speculative Bitcoin bubble currently being massively inflated by hedge fund money is no different.   

Bitcoin’s bubble ascension does not mean, however, the seismic blockchain and distributed ledger technology (DLT) shifts taking place over the past five years in the financial industry have been illusory or should be ignored.  As previously recognized, “acceptance of blockchain technology by the financial industry will be indelible proof those mistakes of 1995 made by retail sales and marketing companies will not be repeated by the financial industry.” 

Over the past several years, financial titans have reluctantly come out swinging in favor of convertible virtual currency (CVC) transactions.  For example, most US PayPal customers now have the ability to buy, sell and hold four different cryptocurrencies – BTC, ETH, LTC, and BCH – and use them as a funding source with the company’s 26 million merchants.  Presently, PayPal’s maximum dollar amount for weekly CVC purchases is $20,000, but even that relatively high consumer amount will likely move upwards as PayPal moves up the financial transaction food chain – with PayPal’s Venmo next in line.

The largest bank in the United States – J.P. Morgan Chase, launched its JPM Coin in 2019, and in October 2020 set up an entirely new business, Onyx, as an umbrella for its blockchain and CVC initiatives – including JPM Coin.  According to Jamie Dimon, Chairman and CEO of J.P. Morgan:  “Onyx is at the forefront of a major shift in the financial services industry. This new business unit reflects J.P. Morgan’s commitment to innovation as we continue to build cutting-edge technology that delivers a better, faster and more inclusive financial system.” On December 10, 2020, J.P. Morgan announced it completed a live, blockchain-based intraday repo transaction using JPM Coin.  And, Visa has filed a patent application for what may seem perfunctory, namely recording digital currencies on a blockchain.

Apart from these blockchain-based efforts, there is a whole category of blockchain initiatives that will forever fundamentally alter the broader financial sector – to the likely chagrin of PayPal, J.P. Morgan, and Visa. The banner name for these new blockchain and DLT initiatives is “DeFi”, or decentralized finance.

In December 2019, the entire Total Value Locked (TVL) in the DeFi market was worth less than $700 million; by the end of December 2020 it had grown to $14 billion; and as of January 5, 2021 TVL in DeFi was at over $19 billion and growing – a staggering growth trajectory.  The TVL in the DeFi market represents all DeFi projects but is largely driven by the lending platform MakerDAO – a decentralized credit platform supporting Dai, a stablecoin pegged to the US dollar.  Decentralized exchanges (DEXes) such as Uniswap largely make up the remaining bulk of projects.  DEXes enforce trading rules and execute trades without charging the high fees normally associated with alternative investment trades.

A commitment of $19 billion to DeFi initiatives may seem minuscule compared to, for example, the over $6 trillion in foreign exchange trades conducted each day.  On the other hand, each DeFi transaction potentially empowers individuals while at the same time weakening the grip over the monetary system currently held by central banks and finance intermediaries – a true game changer by any measure.

Generally relying on the public Ethereum blockchain platform, most DeFi projects deploy smart contracts to automate what previously required human intervention – obviating the need for central authorities such as banks or intermediaries.  DeFi Pulse nicely showcases the benefits of DeFi by describing it as “money Legos” and giving the following example:

Compound is a money market or, in other words, a lending service on Ethereum. When you supply DAI to Compound, you receive cDAI tokens which represent both your DAI in Compound and any interest you’ve earned from lending. Since cDAI is a token, you can send, receive, or even use cDAI in other smart contracts. Money Legos in action: ETH into MakerDAO to mint DAI tokens, DAI being supplied to Compound, cDAI tokens can be used in other DApps.  For example, you can swap ETH for cDAI on a DEX and instantly start earning interest for just holding cDAI. And because you choose how you interact with smart contracts on the blockchain, you can use a DEX aggregator like DEX.AG to compare and trade at the best prices across all the popular DEXes, all within seconds.
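The “money Legos” description above rests on one accounting mechanism: the claim token (cDAI) is priced by an exchange rate against the pool’s underlying cash, so interest shows up as a rising rate rather than a changing token balance, and the token can be moved around like any other.  The following Python model is added here as an illustration; it is not code from DeFi Pulse, Compound, or this blog, and the pool, the starting rate of 0.02 underlying per claim token, the 18-decimal fixed-point scale and the amounts are all constructed assumptions.  It walks through supply, interest accrual, transfer of the claim token to a second holder, and redemption, and it carries the invariant a reviewer of such a contract wants checked: the sum of every holder’s claim must never exceed the underlying the pool actually holds, which is why the arithmetic rounds in the pool’s favor.

```python
"""Simplified interest-bearing claim-token ("cToken") accounting.

Added illustration in the spirit of the cDAI description; not Compound's or
DeFi Pulse's code.  Everything below (pool, rate, amounts) is constructed.
Integers with 18 decimals are used, as on-chain code does, so rounding is explicit.
"""
from dataclasses import dataclass, field

SCALE = 10**18  # fixed-point scale for the exchange rate (assumption)


@dataclass
class Pool:
    cash: int = 0                      # underlying held by the pool, 18-decimal units
    total_supply: int = 0              # claim tokens outstanding
    balances: dict = field(default_factory=dict)
    initial_rate: int = SCALE // 50    # 1 claim token = 0.02 underlying at genesis (assumption)

    def exchange_rate(self) -> int:
        """Underlying per claim token, scaled by SCALE; grows as interest is added to cash."""
        if self.total_supply == 0:
            return self.initial_rate
        return self.cash * SCALE // self.total_supply

    def mint(self, who: str, amount: int) -> int:
        """Supply `amount` underlying and receive claim tokens at the current rate (rounds down)."""
        minted = amount * SCALE // self.exchange_rate()
        self.cash += amount
        self.total_supply += minted
        self.balances[who] = self.balances.get(who, 0) + minted
        return minted

    def accrue(self, interest: int) -> None:
        """Interest paid by borrowers lands in the pool; every claim token is now worth more."""
        self.cash += interest

    def transfer(self, src: str, dst: str, ctokens: int) -> None:
        """The claim token is an ordinary token: the claim (and its interest) moves with it."""
        if self.balances.get(src, 0) < ctokens:
            raise ValueError("insufficient claim-token balance")
        self.balances[src] -= ctokens
        self.balances[dst] = self.balances.get(dst, 0) + ctokens

    def redeem(self, who: str, ctokens: int) -> int:
        """Burn claim tokens and receive underlying at the current rate (rounds down)."""
        if self.balances.get(who, 0) < ctokens:
            raise ValueError("insufficient claim-token balance")
        out = ctokens * self.exchange_rate() // SCALE
        if out > self.cash:
            raise ValueError("pool lacks liquidity")
        self.balances[who] -= ctokens
        self.total_supply -= ctokens
        self.cash -= out
        return out

    def underlying_of(self, who: str) -> int:
        """What a holder could redeem right now."""
        return self.balances.get(who, 0) * self.exchange_rate() // SCALE

    def solvent(self) -> bool:
        """Invariant: the claims of all holders together never exceed the underlying held."""
        claims = sum(self.underlying_of(h) for h in self.balances)
        return claims <= self.cash


def money_legos_demo() -> dict:
    """Supply, earn, pass the claim token on, redeem; returns the figures for inspection."""
    pool = Pool()
    alice_ctokens = pool.mint("alice", 1_000 * 10**18)   # Alice supplies 1,000 DAI
    pool.accrue(50 * 10**18)                             # 50 DAI of interest flows into the pool
    rate_after_interest = pool.exchange_rate()           # 0.021 underlying per claim token
    pool.transfer("alice", "bob", 10_000 * 10**18)       # Bob obtains claim tokens (e.g. via a DEX swap)
    bob_out = pool.redeem("bob", 10_000 * 10**18)        # Bob redeems principal plus accrued interest
    carol_ctokens = pool.mint("carol", 100 * 10**18)     # Carol enters after interest has accrued
    carol_out = pool.redeem("carol", carol_ctokens)      # rounding costs Carol 1 unit, never the pool
    return {
        "alice_ctokens": alice_ctokens,
        "rate_after_interest": rate_after_interest,
        "bob_out": bob_out,
        "carol_ctokens": carol_ctokens,
        "carol_out": carol_out,
        "alice_underlying": pool.underlying_of("alice"),
        "solvent": pool.solvent(),
    }


if __name__ == "__main__":
    for k, v in money_legos_demo().items():
        print(f"{k}: {v}")
```

Bob redeems 10,000 claim tokens for 210 DAI even though Alice paid 200 DAI for them, because the 50 DAI of interest raised the rate from 0.02 to 0.021; Carol, who supplies 100 DAI after that, gets back 100 DAI minus one base unit, the rounding the pool keeps so that `solvent()` stays true.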

In 2021, crowdfunding will help fund some of the DeFi startups looking to eventually disintermediate the more traditional financial firms these startups would otherwise approach for financing.  As of November 2020, online platforms can raise up to $5 million in seed capital in a State-preempted manner – with previous platforms raising hundreds of millions of dollars using the prior SEC Regulation Crowdfunding cap of $1.07 million.  Even though a typical crowdfunding online platform itself breaks away from traditional centralized banking platforms, its success is not relevant for purposes of the DeFi initiatives potentially opened up by Regulation Crowdfunding.  What may be more relevant are the new ideas coming to market without the latent influence of legacy financing.

Before widespread adoption of any DeFi product is even feasible, however, regulatory scrutiny will be needed to protect consumers onboarding these new DeFi applications.  Given that a CVC wallet is the exit ramp for many DeFi initiatives, it is no surprise that wallets have been an area of regulatory interest.  For example, the US Treasury’s Financial Crimes Enforcement Network (“FinCEN”) recently proposed a rule that would require banks and money service businesses to file a report with FinCEN containing information related to a customer, their CVC transaction, and counterparty (including name and physical address) “if a counterparty to the transaction is using an unhosted or otherwise covered wallet and the transaction is greater than $10,000.”  FinCEN is issuing regulations on transactions using digital currency wallets because the growth of individual CVC transactions will continue unabated.

While providing a suggested Token Safe Harbor Proposal, SEC Commissioner Hester M. Peirce offered an excellent analysis of the “regulatory Catch 22” faced by decentralized networks looking to comport with SEC regulatory law. In addition to Commissioner Peirce’s forward thinking, the SEC also recently set free its FinHub as a separate office to assist blockchain and DLT innovators.  

Despite these technology-forward initiatives, the SEC continues placing an exclamation point on its regulatory reach.  For example, the SEC last month shook the Ripple world by claiming in a lawsuit that Ripple’s XRP token – used by financial institutions around the globe – was an unregistered security.  It also ended the year by filing a Cease and Desist Order against ShipChain on similar grounds.  These sorts of efforts show US regulators still corralling the blockchain stallion – albeit primarily through the Howey door.  Disruptive DeFi initiatives should remain undeterred.

More urgent concerns for the DeFi community are coding bugs, double-spend exploits, traditional hacks, and any number of faultily implemented software functions that result when smart contracts fail to undergo adequate audits.  Despite DeFi losing only $50 million to such incidents in 2020, malicious actors will certainly begin seeing a larger target over DeFi’s head as its growth continues.  Moreover, given that most DeFi projects run on Ethereum, there are future threats not even widely discussed – such as those potentially arising from miners who order and record transactions on a blockchain for a fee and who are no longer satisfied with just receiving their fees.

All of these potential risks – whether regulatory, technological, malicious, or competitive – remain dwarfed, however, by the potential upside found in a successful, widely-adopted DeFi application or protocol.  One likely key to success is to replicate what companies such as PayPal chose to do – take a widely used existing tool and deploy into it a profitable new capability that allows for flexibility along with actual autonomy and consumer self-determination.  DeFi will ultimately go nowhere if it only brings into the fold insiders stuck in Moore’s early adopter phase.

Moreover, no open-source project can ascend until a large enough market believes the tradeoffs between ease of use, financial benefits, and utility ring strongly in its favor.  For example, despite having a strong web server market position, a Linux desktop will never really threaten Microsoft’s foothold until the relevant commercial and consumer markets believe a Linux desktop truly meets all of their needs. 

Similarly, DeFi will never gain a foothold reaching above the “PayPalJPMVisa” mountain peak until at least one DeFi application checks all the relevant boxes for a sizable enough market.  It may be a decade before a DeFi project reaches that vantage point – with the classic Amazon vs. Sears endgame likely being studied along the way. 

Is 2020 The Year Big Business goes all in on Blockchain and DLT?

In December 2017, it was recognized that in “the same way that the World Wide Web was never defined solely by Pets.com, the benefits of blockchain technology should never be defined solely by the latest price of Bitcoin.”  Now that the mid-2018 crypto bloodbath is well in everyone’s rearview mirror, it is clear that blockchain and DLT technologies have firmly taken corporate root and may actually someday bear some real fruit.

No one can deny 2019 has seen great strides in the implementation and corporate adoption of enterprise DLT solutions as well as proactive growth in the regulatory oversight of blockchain technologies:

As exemplified by current projects emanating from the likes of J.P. Morgan and Fidelity Digital Assets, financial institutions will continue in 2020 taking calculated risks deploying blockchain and DLT technologies. 

Even though it may still be another year or two before any consumer products hatched from these new technologies ever reach mass markets, 2020 may eventually be known as the year blockchain and DLT went mainstream in corporate America.