If you’ve been wary of cryptocurrencies, you’re in good company – mine. Crypto, regardless of the “brand,” is a mathematical construct implemented in a rule-based system. And a certainty upon which you, I, and everyone can rely is that it will have a vulnerability in it somewhere. Porretto’s Pessimistic Principle of Engineering applies here:
There Is An Equal But Opposite Engineer.
Cryptocurrencies and the trading schemes founded on them have been lauded to the world as “unhackable.” In truth, they’re nothing of the sort. You should put no more trust in these digital artifacts than you do in princes. (In other words, the avoidance of crypto is “Porretto-optimal.” 😁) So I was amused if unsurprised when I read this article:
On Oct. 14, in a house near Leeds, England, Laurence Day was sitting down to a dinner of fish and chips on his couch when his phone buzzed. The text was from a colleague who worked with him on Indexed Finance, a cryptocurrency platform that creates tokens representing baskets of other tokens—like an index fund, but on the blockchain. The colleague had sent over a screenshot showing a recent trade, followed by a question mark. “If you didn’t know what you were looking at, you might say, ‘Nice-looking trade,’ ” Day says. But he knew enough to be alarmed: A user had bought up certain tokens at drastically deflated values, which shouldn’t have been possible. Something was very wrong.
The subscriber who’d pulled off the fantastic trade was one Andean Medjedovic, a mathematics prodigy in Ontario, Canada. He’d risked about $11,000 and had gained crypto nominally valued at about $16 million. The owners of Indexed Finance treated it as an illegal hack:
Day had already contacted UmbralUpsilon [Medjedovic’s subscriber alias] to offer a 10% reward for the tokens’ safe return, striking a note of grudging praise—“well played,” he wrote—but hadn’t heard back. So [Indexed Finance co-founder Dillon] Kellar tried a different tactic, messaging Medjedovic and addressing him as “Andean.” This time Medjedovic reacted, taunting Indexed users publicly on Twitter: “You were out-traded. There is nothing you can do about that. … Such is crypto.” When a team member emailed him independently, saying that if he returned the tokens they’d pay him $50,000, Medjedovic responded with a link to an Ethereum address. “Send the money over,” he wrote. They didn’t take the bait from their tormentor—who they’d learned, to their astonishment, was only 18 years old.
Finally Kellar texted Medjedovic to make one last plea before, he said, they would be forced to bring in lawyers and police. “I implore you to give up now and make this easy on yourself,” he wrote. The teenager responded with “Xdxdxd,” an emoticon that evokes dying of laughter, and added, “Best of luck.”
Medjedovic’s trade combination wasn’t a “hack” by the usual standard. He had spotted a way in which the published rules of the system permitted a complex combination of operations that could be used to make giant gobs of essentially free cryptocurrency. (The article delves deeply into the exploit, but I shan’t quote all that here. Suffice it to say that it would be of interest principally to other mathematically inclined Gentle Readers. Any who can’t access the article but would like a copy of it can email me for it.)
Perhaps Medjedovic isn’t a very nice person. (I wasn’t either, at 18 years of age.) But what he did was entirely within the published rules of the Indexed Finance platform. When they sued him, he said exactly that:
Medjedovic hasn’t officially responded to either suit; he told me [article author Christopher Beam] he doesn’t even have a lawyer in Ontario. But in our email exchanges, he argued that he’d executed a perfectly legal series of trades. Nothing he did “involves getting access to a system I was not allowed access into,” he said. “I did not steal anyone’s private keys. I interacted with the smart contract according to its very own publicly available rules. The people who lost internet tokens in this trade were other people seeking to use the smart contract to their own advantage and taking on risky trading positions that they, apparently, did not fully understand.” Medjedovic added that he’d taken on “substantial risk” in pursuing this strategy. If he’d failed he would have lost “a pretty large chunk of my portfolio.” (The 3 ETH he stood to lose in fees was worth about $11,000 at the time.)
From my understanding of the platform’s rules, he is entirely correct and within the law. I’d be greatly surprised to learn otherwise.
I know a number of people who see cryptocurrencies as a viable alternative to (and escape from) government-controlled fiat currencies. I disagree with them, for reasons such as the exploit Medjedovic pulled off. As clever as it was, it merely revealed the fundamental limitation of all unbacked currencies, governmental or private:
A currency may be accepted as a medium of exchange, but that’s the extent of its utility. A digital currency is as insubstantial as any printed piece of paper. Its greater manipulability makes it even more vulnerable than the Federal Reserve Notes you have in your wallet.
Verbum sat sapienti.