Curve Finance

Curve Finance has suffered an exploit in which its front end was compromised, so that anyone interacting with the site unintentionally had their funds drained to the attacker's wallet.

Attacks against front ends

Attacks like this have been growing in popularity recently, and they require a different skill set from other types of hack. Whilst many hackers in the blockchain space aim to familiarise themselves as thoroughly as they can with the nuances of Solidity and smart contracts, this form of attack focuses on interfering with a protocol's front end, so that users unknowingly interact with different contracts from the ones they expected; the protocol's own contracts need not be touched at all.

This type of attack rests on the premise that a lot of people will interact with whatever contract the site points them to without verifying its address, and that this makes it possible to extract a lot of funds from unsuspecting users. In the case of Curve Finance last night, the attacker made off with $570k in ETH before the front end was fixed (and some of that ETH was subsequently frozen).
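The check that defeats this premise is one the user or wallet makes independently of the website: record the protocol's contract addresses out of band (its documentation, a block explorer, a previously verified session) and compare every signing request against them. The following is an added example, not Curve's code and not part of the original post; it is written in JavaScript because the decision happens on the web-client side. All addresses in it are placeholders, the sample requests are constructed, and only the three ERC-20/ERC-721 function selectors are real.

```javascript
// Added example, not Curve's code: a wallet-side guard that checks what a
// dApp front end is actually asking the user to sign against a set of
// contract addresses pinned in advance, independent of the website.
// All addresses here are placeholders; the three selectors are the real
// ones for approve(address,uint256), transfer(address,uint256) and
// setApprovalForAll(address,bool).

const PINNED = new Set(
  [
    "0x1111111111111111111111111111111111111111", // placeholder: pool contract
    "0x2222222222222222222222222222222222222222", // placeholder: router contract
    "0x3333333333333333333333333333333333333333", // placeholder: token contract
  ].map((a) => a.toLowerCase())
);

// Function selectors: first 4 bytes of keccak256 of the canonical signature.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0xa9059cbb": "transfer(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
};

const MAX_UINT256 = (1n << 256n) - 1n;

// Read the i-th 32-byte ABI word after the selector as a BigInt.
function word(data, i) {
  const start = 10 + i * 64; // "0x" + 8 hex chars of selector
  const hex = data.slice(start, start + 64);
  if (hex.length !== 64) throw new Error(`calldata too short for argument ${i}`);
  return BigInt("0x" + hex);
}

// ABI-encoded addresses are right-aligned in their 32-byte word.
function addressArg(data, i) {
  return "0x" + word(data, i).toString(16).padStart(40, "0");
}

// Inspect a transaction request {to, value, data} the way a wallet sees it.
// Returns {ok, fn, reasons}; any reason means the request should not be
// signed without manually confirming the address involved.
function inspectTransaction(tx, pinned = PINNED) {
  const reasons = [];
  const to = (tx.to || "").toLowerCase();
  const data = (tx.data || "0x").toLowerCase();
  const value = BigInt(tx.value || 0);

  if (!pinned.has(to)) reasons.push(`target ${to} is not a pinned contract`);
  if (value > 0n && !pinned.has(to)) reasons.push(`sends ${value} wei to an unpinned address`);

  const fn = SELECTORS[data.slice(0, 10)] || "unknown";
  if (fn === "approve(address,uint256)") {
    const spender = addressArg(data, 0);
    const amount = word(data, 1);
    if (!pinned.has(spender)) reasons.push(`approves unpinned spender ${spender}`);
    if (amount === MAX_UINT256) reasons.push("approval amount is unlimited");
  } else if (fn === "transfer(address,uint256)") {
    const recipient = addressArg(data, 0);
    if (!pinned.has(recipient)) reasons.push(`transfers tokens to unpinned ${recipient}`);
  } else if (fn === "setApprovalForAll(address,bool)") {
    const operator = addressArg(data, 0);
    if (word(data, 1) !== 0n && !pinned.has(operator)) {
      reasons.push(`grants operator rights to unpinned ${operator}`);
    }
  }
  return { ok: reasons.length === 0, fn, reasons };
}

// Helper to build approve() calldata for the constructed samples below.
function encodeApprove(spender, amount) {
  return (
    "0x095ea7b3" +
    spender.slice(2).toLowerCase().padStart(64, "0") +
    amount.toString(16).padStart(64, "0")
  );
}

// Constructed sample requests (not captured from any real incident).
const ATTACKER = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"; // placeholder
const SAMPLE_LEGIT = {
  to: "0x3333333333333333333333333333333333333333",
  value: "0",
  data: encodeApprove("0x2222222222222222222222222222222222222222", 1000n * 10n ** 18n),
};
// What a tampered front end would ask for: unlimited approval to a stranger.
const SAMPLE_TAMPERED_APPROVE = {
  to: "0x3333333333333333333333333333333333333333",
  value: "0",
  data: encodeApprove(ATTACKER, MAX_UINT256),
};
// Or simply a plain ETH transfer to the attacker dressed up as a "deposit".
const SAMPLE_TAMPERED_SEND = { to: ATTACKER, value: "1500000000000000000", data: "0x" };

for (const tx of [SAMPLE_LEGIT, SAMPLE_TAMPERED_APPROVE, SAMPLE_TAMPERED_SEND]) {
  console.log(inspectTransaction(tx));
}
```

The point of the design is that a compromised front end can change everything on the page but not the addresses the user recorded elsewhere; the guard therefore never trusts the site's own address list, and treats an unlimited approval or a grant to an unknown spender as a reason to stop even when the target contract itself is pinned.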

Curve addressed the issue almost immediately and tweeted that people ought not to use the front end whilst it was investigating.

@Zachxbt soon highlighted that the funds were being sent to the exchange Fixed Float, and this is where the hacker lost some of his spoils: Fixed Float froze some of the ETH that he tried to move through the exchange.

How are hackers dealing with sanctions?

The rate of hacks and exploits over the last few days doesn't seem to have slowed in the slightest, but the lack of anonymity has certainly made it easy for on-chain sleuths to follow what the attackers are up to.

Some are reluctant to use Tornado Cash because they fear that doing so will be worse than not anonymising the funds at all, given that Tornado Cash is now sanctioned.

Perhaps more concerning, however, is the fact that DeFi is becoming an increasingly difficult place in which to move funds freely. This should concern not only those engaged in hacks, but also those who promulgate the idea that DeFi is permissionless, since it demonstrates a complete lack of decentralisation.

Core parts of Ethereum and Web3 infrastructure have willingly collaborated with the authorities to wield their influence and clamp down on freedom. Firstly, there was the announcement that both Infura and Alchemy, the key RPC providers for Web3 wallets like Metamask, had begun blocking requests involving Tornado Cash addresses, so that those wallets no longer work with them. The Tornado Cash website was also taken down, alongside the GitHub repositories of contributors to the project.

This is not symptomatic of a war on money laundering. There are already due processes for these measures, and it is no secret that they are totally ineffective: according to Ronald F. Pol of La Trobe University, only about 0.1% of criminal proceeds are recovered thanks to anti-money-laundering measures; 99.9% are not. Such measures are not only a waste of time and a completely ineffective use of resources, but they also damage the experience for everyone else.

Experienced hackers are competent developers, and are familiar enough with decentralised exchanges and atomic swaps to be able to anonymise their ill-gotten gains comfortably. These measures will not significantly harm them (Tornado Cash has already been forked several times across several different chains), but they will harm the hoi polloi who simply want more privacy.

Chainalysis' oracle for sanctions screening – OpenSea as Judge, Jury and Executioner

Most insidious of all in this debacle is the new Chainalysis oracle that reports whether or not a wallet address has been designated as sanctioned. Developers are being invited to integrate this oracle into their smart contracts in order to cooperate with law enforcement and to flag any potential wrongdoing.

It is safe to say that, although there has been some uptake amongst the developer community, this is not a widely supported implementation: the overwhelming majority of developers (particularly those working on smaller protocols) are declining the opportunity to integrate the oracle.

OpenSea, the largest NFT marketplace, is notoriously censorious. Whenever an NFT collection listed on its platform offers a yield, it is deemed a security and taken down. This has happened to a variety of projects, but the best-known example is Cyber Kongz.

OpenSea's enforcement procedures have been interesting to behold, not only because of its bizarre interpretation of the law and the uneven way in which it applies that interpretation to users on its platform, but also because of how keen it is to do the bidding of its overlords. LooksRare and other NFT marketplaces have managed to capitalise on this weakness: not because LooksRare is necessarily a better exchange, but mainly because it is less centralised and less judicially onerous.

In light of the US’s sanctioning of Tornado Cash, wallets are now being removed and de-listed from OpenSea, despite the fact that no laws were broken.

The US's handling of this debacle hasn't been particularly surprising, since the last few years of US policy have been consistently inept, with little consideration for second-order effects and zero lateral thinking. Nevertheless, some of these measures ought to be redressed: even though hackers are a problem, the protocols themselves are already incentivised to defend themselves with the best contributors in the world, and are quite capable of doing so; as a percentage of Curve's TVL, $570k isn't noticeable.

There is no need for legislators to intervene in a heavy-handed manner against the rights (code being speech protected under the First Amendment) and freedoms of their citizens, and those of citizens globally. Despite the litany of hacks and exploits in DeFi over the last few years, regulating it out of existence is the worst thing a government could possibly do.
