Nice work, but honestly I'm not sure why they bother.

The article states that the purpose of these smart contracts is:

"Stake your tokens with us and you could be the next cryptocurrency millionaire"

That's an obvious scam. Anyone who gave real money to such a cause has already lost it. So why is the author giving away his time to help the scammers?
I still don't understand what's happening at the core of this and the other dark forest post from a few weeks ago. How exactly are these bots front-running/stealing the ethereums?

My understanding:

    - these bots scan the smart contracts that are waiting to be executed by the miners
    - the bots find vulnerabilities (another grey area in my mind) in the contract
    - the bots adjust the destination address of where the contract is supposed to send the ethereums
    - then the bots continually execute the vulnerable smart contract code
I love that they're continuing the Dark Forest analogy! Makes me also realize I never want to dip my toe in crypto like that. It's like an amateur going up to an entirely unregulated wall street and expecting to earn some quick cash.
Interesting read - seems like the solution to the dark forest is equivalent to a dark pool in traditional finance?

The logical conclusion is that within a few months we'll have dark pools run by miners who will process your transactions without broadcasting to mempool, in exchange for an increased gas fee. And, within a year, we'll find out that some dark pools sold order flow to those HFTs anyway, a la UBS <a href="https://sites.law.berkeley.edu/thenetwork/2015/01/29/ubs-dark-pool-leads-to-14-5-million-in-settlement-paid-to-sec/" rel="nofollow">https://sites.law.berkeley.edu/thenetwork/2015/01/29/ubs-dar...</a>
All this research into smart contracts and cryptocurrency may seem pointless and a waste of time. It is very risky to dabble in, and I don't think assigning value to these "bitcoins," or whatever they may be called, will be the lasting effect of all this research. Perhaps some new programming language, or something we haven't even thought of, could be the result of these people working on the outer edges of current knowledge.
Love whitehat crypto postmortems like this. They always read like heist movies.

Curious about the use of SparkPool to bypass the mempool and get the transactions minted directly into a block. It looks like anyone can sign up and contribute their hashrate to SparkPool. Is there a risk of malicious miners running workers in their competitors' pools and then frontrunning?
Makes me think of salvage operations, and then raises the question of how do people get paid? They're providing a valuable service. I think in shipping there are both conventions and an ability to quickly negotiate that allows contracting for a salvage ship to rush to the aid of a grounded or sinking container vessel.
"Smart contracts" have always seemed incredibly dumb to me. Code that controls how money is transferred and that cannot be updated or changed even if a bug is found.

Awesome design. It is like the opposite of what I would want to control my money in any transaction.
Very interesting story, it really does sound like a sci-fi thriller to me.

It also makes me wonder what type of legal battle would ensue if a blackhat were to have taken all of these funds instead, I'm not sure I've seen any public high-profile cases like that yet.
I offer that anyone who did the work that these researchers did would have also been “rightful owners” of that money.

This is the consequence of programmable money; there’s no getting around it, and, in my opinion, people shouldn’t want to. Rescuing people and brands who don’t put the effort into security from the consequences of their own mistakes isn’t a net benefit.

I'm all for anonymous teams, but look at the hoops this person had to jump through just to get in touch with them to report the bug.

When you're anonymous, all you have is your brand, and theirs should have burned to the ground for this entirely preventable error.
I tried writing some toy Ethereum smart contracts circa 2016. At that time it was immensely difficult to write them in a secure way -- even a simple "hello world" level Solidity contract could easily have exploitable bugs if you didn't code in an extremely defensive style.

I'm told things have improved since then -- can anyone who's used Solidity more recently comment on this? Is it true?

This, plus the fact that putting information from the real world onto the blockchain unavoidably requires some trust, seemed like the two big problems then, and it seems like they haven't really been fixed.
One of my good friends has a saying, "Humans are really good at optimizing the hell out of the wrong thing." I can't help but think that when reading about any sort of heroics involving blockchain.
This is all very interesting to read about, but in the same way epic battles in Eve Online are interesting to read about but not participate in. I hope the author doesn't think this article is functioning as an enticement to use ETH myself, because it's only confirming for me that I never, ever want any of my money near that shambling wreck.
I quickly want to point out that we've recently seen a surge in uniswap/bancor based "liquidity pools" (all projects copying each other). The main idea here is that you can lock up your crypto in a smart contract - which is considered "secure" in that no one can steal it (audited code by reputable companies and such). If true, the risk is very small with things like impermanent loss, which doesn't apply to all pools.

The idea here is that your money is providing liquidity and you'll get paid a portion of the fees as well as some new token which can have a very high value (for a fleeting moment).

This is important to realize when looking at the crazy marketing around these projects: if it's based on uniswap you can be reasonably sure your principal won't get stolen - regardless of the scammy and weird marketing.
Nice read! That’s why I respect whitehat hackers, to be tempted by ~10million and then proceed doing the right thing. I wonder if they got a reward/bounty for managing to save all this ETH.
cryptocurrency != investment scam.
It's just another way to transfer and store value.

Interacting with automated contracts is an interesting extension to that system which can make things a lot more complex.

The 'dark forest' comes from a kind of man-in-the-middle attack where anyone can see the order book and exploit it, by putting their own slightly better orders in. Hence the need for co-operation with a closed order book (miner) to get the transaction in safely.
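To make the mechanism in the comment above (and the question a few comments up about how the bots actually win) concrete, here is a toy model I added; it is not code from the article or from any project mentioned in the thread. It assumes a vulnerable contract that pays its whole balance to the first caller, a watcher that copies every visible pending call with a higher gas price, and miners that order a block purely by gas price; the names `vault`, `whitehat` and `bot` are made up.

```python
"""Toy model: why a broadcast rescue is outbid, and why a private route to a miner is not."""
from dataclasses import dataclass, field


@dataclass
class Tx:
    sender: str
    gas_price: int      # what the sender bids for inclusion
    target: str         # contract being called
    recipient: str      # where the contract's payout goes


@dataclass
class Chain:
    balances: dict = field(default_factory=dict)
    drained: set = field(default_factory=set)

    def apply(self, tx: Tx) -> bool:
        """The (hypothetical) bug: the contract pays its whole balance to whoever calls first."""
        if tx.target in self.drained:
            return False                      # nothing left; later callers get nothing
        payout = self.balances.pop(tx.target, 0)
        self.balances[tx.recipient] = self.balances.get(tx.recipient, 0) + payout
        self.drained.add(tx.target)
        return True


def watcher_copies(pending: list, bot: str = "bot") -> list:
    """Model of the 'slightly better order': copy each visible call, redirect payout, bid +1."""
    return [Tx(bot, tx.gas_price + 1, tx.target, bot) for tx in pending]


def build_block(pending: list) -> list:
    """Miners (in this model) order purely by gas price, highest first."""
    return sorted(pending, key=lambda t: -t.gas_price)


def run(route: str) -> dict:
    """route='public': rescue tx is broadcast to the mempool and seen by the watcher.
    route='private': rescue tx goes straight to a cooperating miner (closed order book)."""
    chain = Chain({"vault": 10})                     # constructed: 10 units stuck in the contract
    rescue = Tx("whitehat", 50, "vault", "whitehat")
    pending = [rescue] + (watcher_copies([rescue]) if route == "public" else [])
    for tx in build_block(pending):
        chain.apply(tx)
    return chain.balances
```

With the public route the copied call lands first and the bot gets the 10 units; with the private route the same rescue call is the only one in the block and the funds reach the whitehat.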
If anybody would like more intense blockchain story-telling check out this longish write-up about Justin Sun's takeover of Steem.it from a few weeks back.
<a href="https://decrypt.co/38050/steem-steemit-tron-justin-sun-cryptocurrency-war" rel="nofollow">https://decrypt.co/38050/steem-steemit-tron-justin-sun-crypt...</a>