The “DogByte” attack would have allowed attackers to cheat the Ethereum 2.0 random beacon chain by gaming smart contracts and block validator selection.
A new report by Codefi, a subsidiary of the Ethereum software development firm ConsenSys, shines a light on how many unique users are leveraging these and other DeFi services. Even as the value locked in DeFi applications has nearly tripled from April of this year, the report concludes, most of the DeFi activity isn’t coming from new users. (Disclosure: ConsenSys funds an editorially independent Decrypt.)
One of the report’s central questions asks if “DeFi users [are] actually taking advantage of the interoperability of Ethereum-based DeFi protocols.” In an effort to answer this question, the report analyzes the 79,648 addresses that interacted with a DeFi smart contract in Q2 of 2020 (Ethereum surpassed 100 million unique addresses in June of 2020, and active address usage is up 118% since the beginning of the year).
According to the report, out of all the users who have deposited some $1.2 billion worth of ETH and Ethereum-based tokens into DeFi applications, only 1,884 had sent 100 transactions or more over the course of the quarter. Further measuring user activity, the report states that the majority of DeFi users (those who transacted at least once but no more than 99 times over the course of Q2 2020) remain loyal to one platform in particular and rarely use other DeFi apps.
Compared with average users, a higher proportion of “super users” had interacted with at least two or three different DeFi protocols. Uniswap captured the majority of these overlapping users with 1,625 super users active on the platform over the quarter; Kyber Network came in second with 916 super users, followed by Compound’s 367.
The report did not indicate how large the account balances were for these user groups. Ultimately, though, it concludes that Compound’s explosive rise did little to attract new users who aren’t already using DeFi applications.
Instead, much of the ramped-up activity came from users who are already in the ecosystem. The solution then, the report’s authors suggested, is to focus on design, user experience, and education, lest DeFi run the risk of growing in a bubble, instead of expanding beyond it.
“The data suggests, however, that the frenzy stayed within the walls of the existing community. The likely conclusion is that many DeFi innovations run the ‘risk’ of increasing adoption only within the community of knowledgeable DeFi users,” the authors of the Codefi report stated.
Of course, that assumes the ultimate goal is to actually “grow the size of the DeFi community,” the report concluded.
Funds from the alleged PlusToken ponzi scheme are on the move again.
789,534 ETH was transferred today from a wallet containing Plus Token funds. The amount, worth some $185 million at today’s prices, hadn’t moved since December 2019, a few months after the ponzi scheme exit scammed following the arrests of some of its operators.
PlusToken, which operated largely out of China and South Korea, was accused of running a cryptocurrency ponzi scheme in July of last year. In its heyday, it attracted nearly $3 billion worth of various cryptocurrencies, principally Bitcoin, Ethereum, and EOS. Some figures even estimate that the scam allocated nearly 1% of Bitcoin’s total supply.
Since moving earlier today, the funds have been split between 52 addresses. The addresses are unmarked on the Etherscan block explorer, and it’s unclear whether they belong to an exchange or another venue (such as an OTC desk) through which the PlusToken team could cash out, assuming the funds are still under their control.
This movement comes a week after $67 million worth of EOS coins associated with the scheme were moved after a period of dormancy.
As in the past, the news has been followed by downward price action, as Ethereum is down nearly 4% on the day.
Analysts have long speculated about the impact of cashing out of these ill-gotten gains. Blockchain analytics firm Chainalysis found last December that the transfer of over $180 million in Bitcoin from PlusToken addresses likely crashed the price of Bitcoin at the time.
A wallet with 1 BTC was just brute-forced, but don’t worry: its owner wanted it this way.
Alistair Milne, the CIO of the Altana Digital Currency Fund, tweeted this morning that he woke up to the “bad news” that 1 BTC (currently worth north of $9,300) had been taken from an address he controlled. Incidentally, Milne actually wanted this Bitcoin stolen. It was part of a giveaway/puzzle that he orchestrated via Twitter.
Woke up to some ‘bad’ news this morning. The 1BTC wallet has been brute forced, which is pretty impressive. They must have rented several GPUs to do it so quickly!
I knew I was against the clock but most people thought it would take a few weeks to brute force 4 seed words pic.twitter.com/uAoLyQkhRJ
— Alistair Milne (@alistairmilne) June 17, 2020
Milne posted about the giveaway at the end of May, stating that he would periodically release a hint to a 12-word seed phrase for a wallet address containing a little over 1 BTC. In an effort to prevent brute-forcing (or running programs to guess the seed phrase), Milne intended to “give the last 3 or 4 words all at once.”
But he never got the chance, because one community member was able to brute-force the wallet’s seed after the eighth hint was published. It took the attacker 44 hours to find the full seed phrase.
Milne mentioned on Twitter that he was hoping to make the giveaway more inclusive to the “not-so-tech-savvy.” More than a clever giveaway, this puzzle is also a technical experiment in how quickly an attacker can derive a 12-word seed if they have over half of its words.
A seed phrase for a cryptocurrency wallet is a 12- or 24-word phrase. This acts as a backup phrase for a Bitcoin wallet’s private keys. It would take, according to some estimates, billions of years to crack these phrases without knowing any of the words (or letters) in the mnemonic. But with every hint and word that Milne published in this scenario, the seed became easier to crack.
Still, Milne was impressed by the rate at which the hacker brute-forced the seed. He was also intrigued by the high miner fee of 0.01 BTC they paid, saying that this likely means the hacker felt pressure to move the funds quickly lest another participant crack the code first.
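To make concrete how quickly a 12-word seed collapses as words are revealed, here is an added example (not from the original article or from Milne) that applies the BIP-39 encoding rules: every word carries 11 bits, and a 12-word mnemonic encodes 128 bits of entropy plus a 4-bit checksum (a 24-word one encodes 256 + 8). Because the checksum is fixed by the entropy, only about one in sixteen 12-word candidates is even a valid mnemonic, so the remaining search space is 2^(11·unknown − 4), not 2048^unknown. The 44-hour figure from the article is used only to back out the throughput the searcher would have needed under the assumption (mine, not the page’s) that the search began after the eighth hint and had to exhaust the space.

```python
import math

BITS_PER_WORD = 11  # the BIP-39 wordlist has 2048 = 2**11 entries


def checksum_bits(word_count: int) -> int:
    """Checksum bits in a BIP-39 mnemonic of `word_count` words.

    BIP-39: total bits = ENT + ENT/32, so ENT = total * 32 / 33.
    12 words -> 128 entropy + 4 checksum; 24 words -> 256 + 8.
    """
    total = word_count * BITS_PER_WORD
    if total % 33:
        raise ValueError(f"{word_count} words is not a valid BIP-39 length")
    entropy = total * 32 // 33
    return total - entropy


def candidates(word_count: int, known_words: int) -> int:
    """Number of valid mnemonics consistent with `known_words` revealed words.

    Each unknown word contributes 11 free bits; the checksum removes
    `checksum_bits` of freedom no matter which positions are unknown.
    """
    if not 0 <= known_words <= word_count:
        raise ValueError("known_words out of range")
    unknown = word_count - known_words
    free_bits = unknown * BITS_PER_WORD - checksum_bits(word_count)
    return 2 ** max(free_bits, 0)


def years_to_exhaust(n_candidates: int, guesses_per_second: float) -> float:
    """Worst-case wall-clock years to try every candidate at a given rate."""
    return n_candidates / guesses_per_second / (365.25 * 24 * 3600)


def required_rate(n_candidates: int, seconds: float) -> float:
    """Guesses/second needed to exhaust `n_candidates` in `seconds`.

    Upper bound: assumes the searcher had to try every candidate.
    """
    return n_candidates / seconds


if __name__ == "__main__":
    # Illustrative throughput (assumed, not measured): one million
    # seed -> key -> address derivations per second.
    rate = 1e6
    print(f"{'known':>5} {'unknown':>7} {'log2(candidates)':>16} {'years @1e6/s':>14}")
    for known in range(0, 13):
        n = candidates(12, known)
        print(f"{known:>5} {12 - known:>7} {math.log2(n):>16.0f} "
              f"{years_to_exhaust(n, rate):>14.3g}")
    # Article: 4 words unknown, solved in 44 hours (upper-bound rate).
    print("rate needed for 4 unknown words in 44h:",
          f"{required_rate(candidates(12, 8), 44 * 3600):,.0f}/s")
```

The table makes the article’s point visible: with no words known the space is 2^128 and effectively uncrackable, but after eight of twelve words are public only 2^40 valid candidates remain, which is within reach of rented GPU time in the timeframe the article describes.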
Did a group of hackers really breach a cryptocurrency exchange’s hot wallets only to burn millions of dollars of Ethereum as ransom? If that scheme sounds far-fetched, well, that’s because it just might be, according to analysis by researchers at the ZenGo cryptocurrency wallet.
According to a blog post authored by ZenGo researcher Alex Manuskin, a spate of transactions that included millions of dollars in Ethereum fees were not an attack at all but, as many initially suspected, a bug.
Following our discussion with @VitalikButerin, we updated our blog post to discuss the blackmail theory.
TL;DR – we don’t buy it.
— ZenGo (@ZenGo) June 16, 2020
The blackmail theory put forth recently by China-based blockchain analytics firm PeckShield made the case that these fees were orchestrated via a complex “gas price ransomware attack.” The researchers claimed that the hackers gained access to an unnamed crypto exchange’s key management system for its wallets, but the hackers could only spend the wallet balances on transfers to so-called whitelisted addresses that only require a single authorization when sending a transaction to them.
The idea here is that the attackers will keep sending exorbitant fees in these transactions as a type of blackmailing technique; they don’t control the wallets they’re sending to, but it doesn’t matter because they’ll just keep sending Ethereum unless their demands are met.
This scenario is “improbable,” according to Manuskin, not least because whoever owned the funds did nothing to halt the series of outflows. If this were a blackmail attempt, then we can assume that the victims tried to do everything they could to stop it and retrieve their funds, but for whatever reason were unable to do so, the researcher argued.
“For this to happen, the process controlling the address could not be operated from the victim’s environment, because if this were the case, they could have just shut it down, even if it meant shutting down all operations,” Manuskin wrote.
The address sending the transactions was not a smart contract either, so it could not function without someone controlling it with the private key. So if the attacker took control of these keys outside of the victim’s environment, then they would have had full control over funds and not have to burn ETH as ransom bait in the first place.
Manuskin also pointed out that the two mining pools that received the transaction fees said they would return the funds to the owners if they stepped forward—but so far, none have.
All of this evidence paints a dubious picture for the blackmail theory, Manuskin argued in the post. “Our assumption is that the transactions result from some sort of bug in an automated script that operates this account,” he wrote.
What’s more, we shouldn’t be surprised if this happens again, according to Manuskin: “The most important conclusion we can draw is that due to the automated characteristics of these transactions, the sender’s large remaining balance, and the continued operation of the sender, we may see a third transaction with $2.5M fees.”
As the crypto world awaits the TBD launch of Ethereum 2.0, ETH bulls are loading up on tokens in anticipation of the update—in an apparent attempt to claim the so-called staking nodes that will be critical to Ethereum’s revamped design.
According to a report teased by analytics firm Arcane Research, the number of Ethereum network balances that include or exceed 32 ETH is nearing 120,000. Under the proposed ETH 2.0 update, 32 ETH is the number of tokens you need to run an ETH 2.0 staking node—the validating nodes that will come to replace the miners to validate transactions and maintain the Ethereum blockchain.
Another sneak peek into our weekly market report
Are investors getting ready for Ethereum staking? Data from @nansen_ai shows that almost 120,000 @ethereum wallets are ready for staking. This number has grown by 13% over the past year.
Read more here: https://t.co/UKFQKI2jze pic.twitter.com/G3nXhylels
— Arcane Research (@ArcaneResearch) June 8, 2020
“Are investors preparing for the Ethereum 2.0 upgrade and staking?” the Arcane post queries, noting the rise over the past year since the major upgrade was announced.
According to the data, which was provided by Ethereum blockchain analytics company Nansen AI, the number of wallets holding at least 32 ETH has risen roughly 13% over the year. Ethereans are apparently stacking ETH in anticipation of the ETH 2.0 update, even though the proposed switch to proof of stake has suffered various delays. In an interview last month, however, Ben Edgington of Teku—an Eth 2.0 client operator—told Decrypt that the upgrade could be deployed as soon as July.
As with other staking blockchains, crypto exchanges are expected to offer staking services for their users, meaning Ethereum holders will likely be able to deposit ETH with an exchange, which in turn will stake the tokens for them (whether it’s the full 32 ETH or just a few).
This potential future has some critics worried that ETH 2.0 will bring about centralization of Ethereum staking on exchanges. Proponents, however, say this concern is overblown and presents a situation which is no more centralized than Bitcoin mining.
Nevertheless, according to Nansen co-founder and data scientist Alex Svanevik, the vast majority of these new addresses holding 32 ETH or more do not belong to exchanges. “In fact, it’s less than 1,000 addresses,” he told Decrypt.
“However, a large proportion of the total ETH are, as you’d expect, held by exchange wallets,” he said. “Specifically, out of the 105M ETH held by the ‘32 ETH Club’ addresses, at least 32M ETH are held by exchange wallets—in other words, [greater than] 30%.”
Business is booming for one of Wall Street’s go-to’s for Bitcoin exposure.
Hedge funds and other financial institutions have poured $1.7 billion into Grayscale Investment’s Bitcoin and cryptocurrency funds, according to an interview with Ray Sharif-Askary, director of investor relations at Grayscale.
Sharif-Askary went on the Coinscrum markets podcast to discuss Grayscale’s soaring volumes. According to host Nisa Amolis, the crypto broker and custodian has $3.8 billion in assets under management as of June, a significant jump from the $2.1 billion in AUM in May of 2019 and even the $2.2 billion in AUM in March of 2020.
Additionally, average weekly investment across Grayscale’s cryptocurrency trusts has increased over 800% over the year, from $3.2 million per week in 2019 to nearly $30 million per week in 2020.
Why the sudden surge in interest?
According to Sharif-Askary, 2020 has so far been the year of macro instability and unprecedented monetary stimulus, and institutions are looking to alternative hedges to weather the incipient crisis.
“This has been a record year—a record quarter for us. Candidly, we’ve never seen demand like this before for our products,” Sharif-Askary said in the interview. And many of the buyers have been traditional hedge funds, she said.
Out of the 90% or so of clients that come from institutions, 44% are multi-strategy hedge funds, while another sizeable portion come from long/short hedge funds, said the Grayscale executive.
Coinscrum markets host Nisa Amolis asked if the exposure came in the form of “401k plans,” as has been the trend since Grayscale started in 2013.
Sharif-Askary responded that “tax-advantaged accounts have always been one of and will continue to be one of” the primary vehicles for high-calibre investors because Bitcoin is “not set up to fit within the operational and legal frameworks of investors.”
“At the end of the day, our investors are looking to gain exposure to digital assets in a form that doesn’t make them have to buy and store to custody these assets on themselves,” she said.
Over the past year, $390 million from these investors went into Bitcoin while $110 million went into Ethereum. Sharif-Askary added that Grayscale’s clients are diversifying into altcoins more; 38% of their clients hold more than just Bitcoin, up 9% from this time last year.
She attributes the growth to the “policy implications of COVID-19.” After all, institutional investors are as interested as anyone in securing scarce assets that “could be used as an inflation hedge in a world where we’re faced with unprecedented monetary stimulus,” she said.
And with no end to the economic downturn in sight at the moment, we may be in for more of the same.
A new options trading protocol built on Ethereum just entered mainnet, but it has already run into significant problems with its own code.
Just hours after Hegic launched its smart contracts on April 23, a bug in its code locked up $28,000 worth of user funds in the platform’s smart contracts. The majority of these funds were in the DAI stablecoin, while the rest were in ETH.
The Hegic team has pledged to reimburse all affected users with their own money, though the funds will be forever locked up in the smart contracts.
But what’s got the community riled up is that the team originally said that the vulnerability was the result of a typo. It backpedaled two days later after the community, as well as the independent team that reviewed its code, said that the vulnerability was caused by a bug that could have easily been avoided.
It’s a bug, not a “typo”. You’re downplaying the severity of the bug.
— Hudson Jameson (@hudsonjameson) April 25, 2020
Trail of Bits, the software auditing firm that reviewed Hegic’s code, told Decrypt that the exchange ignored warnings about the bug, as well as other critical flaws; instead, Hegic slapped a bandaid on the problems and rushed to ship its infant code.
“It’s clearly an error, and one that would have been easily caught had they written any unit tests,” Dan Guido, CEO of Trail of Bits, told Decrypt.
When Decrypt reached out to Hegic for comment, it replied with the company’s official post-mortem which, two days after the incident, “apologize[s] to each Hegic user (holders and writers) for calling this a typo, but not a bug or a security issue.”
Team cried bug, people called foul
In an older tweet explaining the issue, Hegic claimed that a “typo” in the code prevented traders from unlocking funds from an expired options contract.
ALERT A typo has been found in the code. Because of that, liquidity in expired options contracts can’t be unlocked for new options. Please EXERCISE ALL OF YOUR ACTIVE OPTIONS CONTRACTS NOW. Everyone will be 100% REFUNDED with the amount of premium that you paid for options.
— Hegic (@HegicOptions) April 25, 2020
In options trading, traders purchase a contract that gives them the option to buy or sell an asset for a specific price at a certain maturity date; Hegic’s “typo” kept users from accessing the funds locked in these contracts after they expired.
But Trail of Bits, the security auditing firm that reviewed Hegic’s code, called it a bug—not a typo, as originally claimed by Hegic. Trail of Bits’ CEO claims that Hegic misrepresented how secure the exchange was when it presented a security assessment—a brief review of code—as an audit—a more comprehensive review of the code.
Guido said in a Twitter thread after the incident that Hegic had ignored many of Trail of Bits’ suggestions and was too cavalier with its launch. He said that his company found “10 critical flaws” in Hegic’s code when they reviewed it earlier in April.
Trail of Bits recommended that Hegic delay the launch of its mainnet. But Guido said the DeFi fledgling refused and “patched the few bugs we found, made no further changes, misrepresented our 3-day code review as an ‘audit’, then immediately deployed.”
This gave users the false impression that Hegic was safe, Guido said, even though the project has no public documentation, nor a single published or verifiable test of the software.
Danger to DeFi
Guido said that the misrepresentation of security audits by malicious or ill-informed teams is pernicious for the whole of Ethereum and DeFi.
And Ethereum’s been here before. As blockchain platform MyCrypto pointed out on Twitter, the 2017 Parity wallet debacle, where a library of wallets worth $280 million in the Parity DAO was deleted by an anonymous developer, was also ostensibly an accident. But the bug was still exploited, by accident or not, and Parity ended in a controversial hard fork that split Ethereum into two chains to recover the lost ether.
Hey guys just a quick update…the Nov ’17 Parity incident that resulted in the loss of ~$280M was NOT a security issue. It was just an unprotected function. If the function was called in an unexpected manner, the funds are just forever locked. Nbd. https://t.co/3lC3CT3opI
— beta.mycrypto.com (@MyCrypto) April 25, 2020
You won’t get a fork here, but a snafu’s a snafu—no matter how many times you try to call it a typo.
One of Ethereum’s most popular block explorers is launching a monitoring feature that scans for illegal activity.
Etherscan will now blacklist “tainted” wallets. The Every Transaction Hash Protect feature (that’s ETHProtect, for short) will allow Etherscan users to examine incoming funds to see if they originate from illicit gains such as hacks, phishing schemes, or other scams.
Once funds are flagged, users can trace them to the source of contamination. When users interface with one of these contaminated wallets on Etherscan, they are greeted with a red banner, warning them that the funds in the wallet are associated with some sketchy activity (like, for example, ETH filched from the November UpBit hack).
These marked addresses are pinned with a red shield, which will give users access to the funds’ transaction history and origin. When broken down, you can view the address and transaction hash that originally tainted the coins, where they were before they were tainted, and how many hops they’ve made since they were tainted.
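The three facts the red shield exposes (the transaction that originally tainted the coins, where they sat before that, and how many hops they have made since) fall out of a forward walk over the transfer graph in block order. The following is an added example of that walk, written for this article and not Etherscan’s own engine; the transfers, address labels and transaction hashes are constructed, and the treatment of whitelisted addresses (flagged neither as tainted nor used to propagate taint further, since an exchange deposit address commingles funds) is my assumption about how such a whitelist would be applied.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Transfer:
    block: int        # block number, used to order transfers in time
    index: int        # position within the block
    tx_hash: str
    sender: str
    receiver: str
    value_eth: float


@dataclass
class TaintRecord:
    origin_tx: str       # the transaction that introduced the taint (e.g. the hack)
    tainted_by_tx: str   # the transaction that delivered tainted funds here
    previous_holder: str  # where the coins were immediately before this address
    hops: int            # 0 for the address that received the hack proceeds


def trace_taint(transfers: Iterable[Transfer], origin_tx: str,
                whitelist: Set[str]) -> Dict[str, TaintRecord]:
    """Mark every address reachable from `origin_tx` by later transfers.

    Transfers are replayed in chain order so that funds an address sent out
    *before* it became tainted do not spread the mark. Whitelisted
    recipients (assumed: exchanges and other custodians) are neither
    flagged nor walked through. An address keeps its first (shortest) record.
    """
    tainted: Dict[str, TaintRecord] = {}
    for t in sorted(transfers, key=lambda x: (x.block, x.index)):
        if t.tx_hash == origin_tx:
            tainted.setdefault(
                t.receiver, TaintRecord(origin_tx, t.tx_hash, t.sender, 0))
            continue
        src = tainted.get(t.sender)
        if src is None or t.receiver in whitelist or t.receiver in tainted:
            continue
        tainted[t.receiver] = TaintRecord(
            origin_tx, t.tx_hash, t.sender, src.hops + 1)
    return tainted


def banner(address: str, tainted: Dict[str, TaintRecord]) -> str:
    """Text a block explorer could show for a flagged address (or '' if clean)."""
    rec = tainted.get(address)
    if rec is None:
        return ""
    return (f"WARNING: funds trace to {rec.origin_tx} "
            f"({rec.hops} hop(s) away, received via {rec.tainted_by_tx} "
            f"from {rec.previous_holder})")


# Constructed sample ledger; labels and hashes are illustrative only.
WHITELIST = {"exchange_deposit"}
SAMPLE_TRANSFERS: List[Transfer] = [
    Transfer(90, 0, "0xearly", "attacker1", "friend", 1.0),        # before the hack
    Transfer(100, 0, "0xhack", "exchange_hot", "attacker1", 500.0),  # taint origin
    Transfer(101, 0, "0xsplit1", "attacker1", "mixer_a", 250.0),
    Transfer(101, 1, "0xsplit2", "attacker1", "mixer_b", 250.0),
    Transfer(105, 0, "0xhop2", "mixer_a", "buyer", 100.0),
    Transfer(110, 0, "0xcashout", "mixer_b", "exchange_deposit", 250.0),
    Transfer(120, 0, "0xclean", "clean_user", "merchant", 2.0),      # unrelated
]


if __name__ == "__main__":
    result = trace_taint(SAMPLE_TRANSFERS, "0xhack", WHITELIST)
    for addr, rec in sorted(result.items(), key=lambda kv: kv[1].hops):
        print(f"{addr:<12} hops={rec.hops} via={rec.tainted_by_tx} prev={rec.previous_holder}")
    print(banner("buyer", result))
    print("friend flagged?", "friend" in result)
```

Two details carry most of the value: replaying in block order is what keeps the pre-hack transfer from `attacker1` to `friend` clean, and keeping the first record per address is what gives a stable “hops” figure when funds reach the same place by several routes.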
Etherscan has become one of the most widely used and integrated Ethereum block explorers since it launched in 2015. And widespread use has bestowed Etherscan with a trove of user data. This data, coupled with the crypto community’s penchant for chronicling exchange hacks and other dastardly acts, has allowed it to keep tabs on tainted funds.
“Etherscan receives daily user reports on suspicious fraudulent activities which are reviewed and verified by our security research analysts,” an Etherscan blog post reads. “Once identified, these tainted addresses are then added into our database.”
Decrypt asked Etherscan what other methods of data collection it uses, the potential for false positives, and how wallets are informed that allegedly tainted funds are on hold, but the team did not immediately respond.
Etherscan said in its announcement, however, that users who suspect their addresses have been wrongly flagged will be able to appeal to the team. It also clarified that it has a database of whitelisted addresses (likely exchanges and other custodians) who may have received tainted coins but were not implicated in their tainting.
According to the announcement, Etherscan has “worked with countless affected parties” since its inception (presumably exchanges, users and blockchain analysts). From this experience, and the data it provided, Etherscan built an engine to surveil the Ethereum blockchain for dirty coins.
“We began exploring on how to effectively trace tainted addresses in real-time and assist affected users and projects. What we’ve learnt is that there is no one stop solution; it is an ever evolving cat-and-mouse game with bad actors and their need to ‘wash’ tainted funds into fiat,” the announcement reads.
Etherscan claims that users will be able to use the feature to trace funds in real-time. The team, however, emphasized that the ultimate goal is to cut illicit funds out of circulation, which it claims justifies the added surveillance:
“We hope to bring greater awareness to the situation and encourage users to act as community watchdog for tainted funds within the space,” Etherscan said.