Nomad Bridge Hack – Decentralized Currency Is Not Always Safer Than Plain Money

Elizabeth Technology September 29, 2022

The Base Of Cryptocurrency

Cryptocurrencies generally work off a blockchain, which records their movements. This has both pros and cons, but the biggest pro and con is that there’s no centralized agency that monitors the coins. They monitor themselves instead! Provided the base coin technology was made correctly, you can kind of just set it and forget it, and transactions using secure, well-made cryptocurrencies will work out as they should so long as both parties are being honest and not trying to scam each other. That’s not always the case, but in a perfect world, the flaws belong to the people and not to the tech. You can’t hack a Bitcoin, for example; it has to be deliberately sent. Almost all Bitcoin scams involving theft are social engineering attacks for this reason – if a scammer can get into a Bitcoin wallet, either by brute-forcing the password or tricking the owner into giving it to them, they can still steal the coin by sending it elsewhere, and it can’t be called back.

However, this really applies best to Bitcoin and older cryptocurrencies that have had a minute to mature and improve the tech. New technologies built on blockchain are riddled with flaws. Take NFTs, for example – on some of the platforms hosting them, a security flaw allowed ‘smart contracts’ to be planted in someone’s wallet, which would then move the real NFTs out of the wallet once the owner clicked them. NFT chains can’t show if something was paid for, they only show if it was moved, and so those NFTs would be sold along as though they’d never been stolen because nobody would be able to tell. It’s sort of ridiculous.

The coins are impenetrable – everything else is not.

The Nomad Bridge Hack

Bridges, in cryptocurrency speak, are like currency exchanges. They allow people holding one type of crypto to spend it as another by depositing what they have as collateral for the type they want. Blockchain technology is difficult to break when it’s one continuous piece, but when it’s not, it’s just like any other kind of banking technology, meaning it also needs layers and layers of security so a failure on one layer doesn’t mean total system failure.

The problem is that typical banks have had a ton of time to work out security, but crypto is new, and it always wants to build itself something special, just for crypto, because that makes it more special than all the other modes people have used for payment. As a result, they’re rediscovering issues that banks have already worked out, like the exploit that drained Nomad of all of its money. Or the different exploit that drained Wormhole. Or the other different exploit that drained the Ronin bridge.

In Nomad’s case, a bad update allowed any tokens with the default value for transactions to go through as though they were valid. Once one person figured it out, others began copy-pasting his transaction info and replacing the destination address with their own. This allowed them to transfer currency to their own wallet without having to put up any collateral, like they normally would. A handful of people tried to altruistically take money so it’d be safe in a wallet and they could give it back later, but the vast majority was snatched before the platform could react.
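
A simplified model of the kind of flaw described above, added here as an illustration; it is not Nomad’s code, and the class, method names and sample values are all assumptions. It shows how trusting a lookup’s default value lets never-proven messages through, and an explicit “was this ever proven?” check that closes the gap.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # what a lookup returns for a message nobody has proven


class Bridge:
    """Toy receiving side of a bridge. All names are hypothetical."""

    def __init__(self, trusted_root: bytes, hardened: bool = False):
        if hardened and trusted_root == ZERO_ROOT:
            raise ValueError("refusing to trust the default (all-zero) root")
        self.hardened = hardened
        self.confirmed_roots = {trusted_root}  # roots the bridge accepts
        self.proven_under = {}                 # message hash -> root it was proven against
        self.payouts = []                      # (recipient, amount) released so far

    def prove(self, msg_hash: bytes, root: bytes) -> None:
        """Record that msg_hash was proven against root (proof check omitted)."""
        self.proven_under[msg_hash] = root

    def process(self, msg_hash: bytes, recipient: str, amount: int) -> bool:
        if self.hardened and msg_hash not in self.proven_under:
            return False  # explicit membership check, no sentinel value involved
        # Vulnerable path: an unproven message silently maps to ZERO_ROOT.
        root = self.proven_under.get(msg_hash, ZERO_ROOT)
        if root not in self.confirmed_roots:
            return False
        self.payouts.append((recipient, amount))
        return True


def msg(recipient: str, amount: int) -> bytes:
    return hashlib.sha256(f"{recipient}:{amount}".encode()).digest()


def demo() -> dict:
    real_root = hashlib.sha256(b"constructed root").digest()  # constructed sample value
    buggy = Bridge(ZERO_ROOT)  # the bad update: the default value itself is trusted
    sane = Bridge(real_root)   # same code, correct initial root
    fixed = Bridge(real_root, hardened=True)
    fixed.prove(msg("alice", 5), real_root)
    return {
        # Never proven, yet released; swapping in another recipient works just as well.
        "buggy_unproven": buggy.process(msg("mallory", 100), "mallory", 100),
        "buggy_copy": buggy.process(msg("copycat", 100), "copycat", 100),
        "sane_unproven": sane.process(msg("mallory", 100), "mallory", 100),
        "fixed_unproven": fixed.process(msg("mallory", 100), "mallory", 100),
        "fixed_proven": fixed.process(msg("alice", 5), "alice", 5),
    }
```

The unhardened code is only exploitable once the default value ends up in the trusted set, which is why the hardened constructor rejects it outright instead of relying on configuration being right.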

Currently, Nomad is attempting to trace the coins and get them back, but this is the major disadvantage of cryptocurrency – they can’t just reverse the transaction, and the coins don’t record whether a movement was legal or not. There’s also no central body to make the thieves give the coins back, because the currency was made specifically so it wouldn’t need that. It’s unclear if Nomad is actually going to be able to get those coins back. Right now, 9 million dollars’ worth of the stolen coins have been returned (probably due to the 10% bounty that Nomad set trying to encourage people to give the money back) but the rest is still up in the air.

Sources: https://blockworks.co/nomad-token-bridge-raided-for-190m-in-frenzied-free-for-all/

Seth Green Lost His Bored Apes NFT

Elizabeth Technology June 16, 2022

And it’s kind of funny.

What is an NFT? And Why Do So Many People Hate Them?

An NFT is a non-fungible token. Essentially, it’s a unit of blockchain attached to something unique, like an image, as opposed to a blockchain coin, which is just a coin and can be exchanged with any other coin (fungibility). There are dozens upon dozens of people making really good arguments for why NFTs shouldn’t exist and how their energy demands are ridiculous, but just know that every single layer of what an NFT is has some kind of tomfoolery going on within it.

Starting at the top: the art.

Art NFTs, which are non-fungible, can be any kind of art at all so long as it’s digital. Literally anything. Since the image isn’t actually stored on the blockchain (because there isn’t enough space for something hi-res), the blockchain generally just points to a link to the image on the server where it’s actually stored (which is a whole other thing). That means you can link to huge, impressive projects that someone may genuinely want to own an NFT of even though other people can see it, just because the project is that impressive. Like funding an art gallery IRL – the art inside is beautiful, and everyone who walks up knows you own it and you shared it with them.

Instead, we get bored apes and all sorts of other cookie-cutter Picrew dress-up dolls with swappable details for easier selling, used mainly in Twitter avatars for clout. There’s also quite a bit of art theft going on, where people who published art online find their art later on NFT brokering websites and have to tell the staff that their picture was put up there illegitimately. It’s very annoying and difficult to combat, so much so that DeviantArt created a tool for users to cross-check their art.

But Wait, There’s More

But the same doesn’t apply in reverse. Left-click-save people aren’t violating the rights of the purchaser or the creator unless they use that unedited image commercially. However, if someone does use it commercially, the creator has the right to legal action – not the buyer. Turns out, NFTs don’t confer copyright unless explicitly stated by the seller, so if you don’t clarify that you want to own that art and make stuff with it, you just don’t! The original creator of the NFT could double-sell the picture, and now there’s two Diamond Blunt-Smoking Bored Apes out there, and there’s nothing you can do except tweet about it. Generally speaking, an NFT is like a baseball card, in that you don’t own the art on the card or NFT just because you purchased it, and the original owner can pump out so many cards that the card you have is worthless. All of that blockchain does not prevent this from happening. A 2 where a 1 was earlier in the chain means those two diamond apes are technically different entities.

The blockchain is the whole point, too. Can you imagine someone buying a Bored Ape for an avatar and spending more than $20 at most on it if it wasn’t blockchain? Much less thousands? They wouldn’t; that guy would have been laughed out of the room. Because he and other people like him successfully convinced people that the blockchain has inherent value, a bunch of people bought these blockchain collectibles for significantly more than anyone would have had it not been on the blockchain. To be clear, the blockchain is not inherently valuable no matter what product it’s representing. It’s a technology, not an investment in and of itself. Cryptocurrencies crash and burn all the time because investors lose their faith in the product’s value.

All this to say that the blockchain creates this illusion of exclusivity over an image when you don’t have exclusivity by default, and the images used by the most popular NFTs are stock images with stock details that look like they’ve been run through an RNG. It’s a common joke that you can just left-click and save these images, and it’s funny because there’s really no rebuttal. If you don’t care about the blockchain, if the other person doesn’t have copyright ownership, and if you’re not using it for commercial reasons, why can’t you left-click and make the Bored Ape that guy owns your profile pic? Literally nothing is stopping you at that point except for respect. The image is not actually on the blockchain, most of the time – usually it’s a link.

I’m going to skip all of the stuff about electricity consumption and money laundering, but know that those are issues too.

Seth Green’s Bored Ape

There’s a lot of fraud in the industry. You can steal digital art and use it illegitimately, but most of the time you have some way to stop that from happening so long as you notice it’s happening – you can copyright strike on most websites that do art, for instance, and that will put the brakes on the art being used illegitimately. Unfortunately, the same is not necessarily true for NFTs. Not only do you not have the copyright by default (which is a huge, confusing mess to navigate when someone is using your lion on a T-shirt but you have to contact the Lazy Lions guy to actually get something done) but when you have a penumbra of the copyright, you still don’t have all of it!

Bored Ape owns the copyright to their apes, but they’re fairly generous with what users can do with said apes as long as they’re apes the user has bought, and not someone else’s apes or an ape that doesn’t exist yet. They seem to know that tightening the collar too much on copyright issues would make some of their buyers question why they had the ape at all, and as such give users a wide berth to do their own thing with it. It also acts as great free advertising. However, the issue with that system is that once you lose your ape, you can’t make things with your ape. That makes sense for legit sales but is a total nightmare for theft, which is what happened to Seth Green. Many NFT sites (and the NFTs themselves) don’t have any way of distinguishing a sale from a theft – they can only record that the token moved from one wallet to another on their chain. The non-famous and famous alike who bought these things and then clicked a scam link have no recourse but to publicly ask for the NFT back from the thief, or whoever bought it off the thief, which has mixed results and sometimes ends in a ransom to get the thing back. In Seth Green’s case, the new owner who bought it from the thief doesn’t want to give it back at all!

But wallets are secure, you may say. How could this have happened? Besides the whole Smart Contract issue (which is an entire article by itself, but is also discussed here: https://elixistechnology.com/?p=7187 ), humans are still humans, and can commit human errors.

Phishing scams are a huge issue in the industry, for example. None of the websites being used have been around for longer than NFTs themselves have been, and the side of the industry that wants to get these tokens out there to begin accumulating worth is not on the same page as website developers, so they end up with these huge, ungainly URLs that are indistinguishable from phishing scam pages. Some of the projects aren’t even made by a team – one guy is generating the pictures, making the advertising happen, running events, etc. and also making the website. Those projects are as legit as any of them are, and some blow up because of one big buyer – if you can score a $10 NFT that turns into a $400 one, it’s worth buying from those janky sites. Unfortunately, this means that the fake sites and the real sites that haven’t gotten their feet under them look too similar for comfort, but big risk, big reward, right? Even if the site looks good, that doesn’t stop someone from abusing the URL thing from before to make an identical page that steals data. This is regulated by an outside force – but you have to get into contact with the website hosting service to keep people from domain squatting on similar names, which most don’t. This exact thing happened to the Neopets NFTs, which were run by a big, well-known company called Solana. If Solana couldn’t keep it from happening, what shot do the small guys have?

Anyway, Seth was trying to mint an NFT from GutterCats, and he clicked a phishing link instead. He’s probably going to get his NFT back (even though the person who has it says they don’t plan to return it – I suspect that’s a bluff to get a ransom out of him), but until it happened to him, the possibility of this bizarre penumbra-of-copyright thing happening hadn’t been considered. Because he’s famous and his show will act as free advertising, I doubt the Bored Apes guys would throw a fit even if he didn’t get his token back. However, the other Twitter nobodies? Who knows what would have happened if one of them was tackling a project as ambitious as an animated show only for the rug to be pulled out from under them? There’s no safety rails! If this hadn’t happened to Seth, the issues this creates wouldn’t have been discussed at all. Theft of the image is not supposed to be theft of the copyright too! In a digital world, that’s completely nuts – even real, physical art doesn’t work that way!

Sources:

https://decrypt.co/101283/seth-green-nft-show-bored-ape-stolen

https://www.buzzfeednews.com/article/sarahemerson/seth-green-bored-ape-owner