As a new technological frontier, crypto is often compared to the Wild West. And just as America’s westward expansion was fraught with danger, crypto’s rapid growth to a $2 trillion ecosystem is littered with its equivalent of stagecoach robberies. Hacks have become so commonplace that many no longer even merit a headline, but it is worth highlighting those that have had a lasting impact beyond the monetary value of the loss. Some raise ethical questions, others capture the public’s imagination, but what all these crypto hacks have in common is that they’ve changed crypto.
Quadriga - The most notorious exit scam
Though the disappearance of $190 million can hardly be described as chicken feed, the exit scam pulled by Canadian crypto exchange Quadriga in late 2018 is, in purely monetary terms, sadly quite unremarkable among crypto crimes.
There is no doubt what caused Quadriga to collapse. With God-mode power over customer funds, founder Gerald Cotten created an elaborate scheme to siphon them off to other exchanges, where he leverage-traded them with disastrous consequences.
He eventually got rekt, leaving the treasury of Canada’s biggest crypto exchange empty. If you needed a reminder, this highlights the inherent dangers of trusting centralised exchanges with your funds, especially when one person effectively holds all the Private Keys.
As distasteful as that is, that isn’t what makes Quadriga one of the most talked about crypto scams ever. It is unrivalled in terms of intrigue, given its perpetrator died in mysterious circumstances before the victims were even aware that the rug had been pulled.
What really set the conspiracy theorists’ tin hats tingling is the fact that, prior to his untimely demise, Cotten had taken several steps that could easily be construed as preparations for a calculated exit scam.
He took flying lessons and created a will just two weeks before he died in a hospital in India, due to complications from Crohn’s Disease.
Once news filtered through of his passing, customers decided to pull funds, and as the truth behind his fraud emerged, the questions mounted up. Did Cotten really die in India? Was he in that coffin flown back to Canada? And how much did his widow know about the missing Quadriga funds?
Though the scale of financial loss from crypto scams draws attention, the fact that they often come down to faulty code and anonymous rogue hackers means the stories lack a key personal angle.
By contrast, the Quadriga case has a name, a face and all the elements of a juicy conspiracy that is now on Netflix with the title "Trust No One: The Hunt For The Crypto King". With that kind of publicity Cotten’s disappearance could become as notorious as that of Carole Baskin’s husband, reinforcing the unhelpful trope of crypto’s association with crime, which could do long-term damage to the ecosystem’s credibility.
Mt.Gox - The biggest hack
The dubious accolade for crypto’s biggest ever hack belongs to the infamous Mt.Gox exchange. When the Japan-based exchange went offline in February 2014 it accounted for 70% of all Bitcoin trading worldwide, and took with it 850,000 BTC (750k from customers & 100k belonging to the exchange), roughly 7% of the entire supply at the time.
When measured using Bitcoin’s All Time High, that amounts to close to $58bn, which is higher than the GDP of all but 74 countries, based on the 2020 figures from the World Bank.
Hard to believe that a fraud the size of Croatia’s GDP would have such humble origins. Mt.Gox started life as a trading exchange for cards from the popular card game, Magic the Gathering, hence the name Magic the Gathering Online eXchange.
Mt.Gox seems like a lifetime ago, with a huge increase in the diversity and professionalism of exchanges since, yet its ripples are still being felt: the long-running effort to establish what happened has yet to reimburse defrauded customers with the 200,000 coins that have been recovered.
A rehabilitation plan was approved in November 2021, which should finally see a portion of funds returned. This in itself is subject to theories around the impact that such a significant increase in the circulating supply of Bitcoin might have on price.
Ethereum DAO hack - The most controversial response
Less than a year after Ethereum’s mainnet was launched back in 2015, it faced an existential threat that questioned one of the fundamental ideals on which crypto is based - code is law.
A DAO - decentralised autonomous organisation - had been created with a Smart Contract flaw, a ‘reentrancy bug’, which meant a user’s balance was only updated after the funds had already been sent out.
A hacker spotted that the flaw could be repeated to potentially drain 14% of all Ether in existence at the time, then worth $250 million (350 times more at today’s value), potentially causing 11,000 investors in the blockchain-based cooperative to lose out.
After various failed attempts to solve the issue, the only viable option was to fork the Ethereum network, creating two versions of Ethereum’s blockchain history: one bearing the badge of the Ethereum Foundation, which restored the funds, and one that did not, which would become Ethereum Classic.
Reddit exploded into furious debate. One side argued that the Smart Contract simply did what it was programmed to do, and changing that fact would set a dangerous precedent that undermined the idea of decentralisation, and the immutability of blockchains.
The flip side saw it as a matter of principle to return the funds and protect the integrity of Ethereum going forward.
In the end, the community decided - via the Carbon Vote - and on July 20th, 2016 an irregular state change was made to the Ethereum network, splitting it in two in order to erase the impact of a compromised third-party DAO. The rest is history.
What the DAO hack showed the crypto community was that the tremendous potential Smart Contracts promised in automating agreements came with a complexity that still rested on human input. Humans are both fallible and opportunistic, so the inevitability of coding errors would be matched by the ingenuity of those exploiting those errors for profit.
The threat of Smart Contract hacks is, therefore, an inevitable part of crypto’s evolution, but the solution the Ethereum Foundation took wasn’t a get-out-of-jail card that could be repeated going forward without the credibility of decentralisation being called into question.
Compound - The Self-Inflicted Hack
“This has been, without a doubt, the worst day in the history of the Compound protocol.” Those were the words of the DEFI application’s founder, Robert Leshner, as on September 29th, 2021 he watched in slow motion as $80 million worth of COMP tokens drained out of its treasury, thanks to a bug in the code for rewarding long-term liquidity miners.
“What makes it way worse is that I and most folks are completely powerless to do anything besides sit back and watch this moral dilemma play out.”
Though Leshner and his team created Compound, they are just another member of the DAO that governs the tokenomics of COMP, which features a rigid change process requiring seven days to approve any amendments to the code.
This meant that during those seven painful days they were mere bystanders in what was a strange self-inflicted hack, a kind of crypto own goal that didn’t even threaten users’ funds - the 280,000 COMP came from a Comptroller Contract - but meant those that benefited faced a strange moral dilemma.
Should they return the unearned funds for the wider benefit of the community, or take the ‘no harm, no foul’ approach and gladly accept their massive windfall?
Though Leshner briefly threatened to doxx users, he quickly changed his tone and eventually some funds began to be voluntarily returned. A similar situation in the centralised world of banking would leave little doubt as to what users should do, but once again, the ‘code is law’ argument reared its head.
The Compound incident highlights that agreements with Smart Contracts can have all sorts of unintended consequences. On this occasion users received a windfall, but more often than not they will be on the wrong side of a Smart Contract exploit. Should both outcomes be accepted in the spirit of governance rules, or is a different approach needed?
The Bitfinex Bail-In
Though the consensus response to the 2008 financial crisis was for governments to bail out banks, with the implicit backing of taxpayers, Cyprus took a different approach, operating a bail-in policy that, for example, saw Laiki Bank wipe 3.4 billion euros from customers’ accounts to save its banking system - no governance vote required.
That bail-in, echoing Roosevelt’s gold confiscation in 1933, has often been used to highlight the dangers of centralised money, yet that is exactly how crypto exchange Bitfinex responded to a hack of close to 120,000 BTC in 2016 - $8bn when valued at Bitcoin’s peak.
Facing a Mt.Gox style bankruptcy, and with Bitcoin’s price plunging 20% once the hack was confirmed, Bitfinex decided to spread the losses across all customers in order to stay afloat. Users took, on average, a hit of 36% on their balances, compensated with tradeable BFX tokens.
It's hard to know whether this turned out to be a good deal for customers; what is more important is the manner in which Bitfinex acted. With their backs to the wall and holding custody of customer funds, they acted like Cyprus. You may argue that this was done with good intention but might feel differently if you took a 36% haircut on your hard-earned crypto.
Though the bail-in has not become a standard response to hacks, the Bitfinex incident provides a different spin on the golden rule of crypto ownership - not your keys, not your coins.
Badger DAO Hack - A new approach to restitution
In December 2021 Badger DAO was drained of 10% of the total funds users had locked up earning yield with the youthful DEFI protocol. A front-end exploit had managed to change the permissions that users approve when connecting wallets to the service, allowing the thieves to make off with $150 million in coins.
As sobering as the scale of loss and simplicity of the exploit are, such events have become an occupational hazard of the $250bn DEFI ecosystem. The interesting aspect of the Badger DAO hack is the complex approach to restitution that is being proposed, which may help form a blueprint for others to follow.
As Badger is a DAO, proposals need majority consent from its 32,000 users and 25 core contributors, and there is scant evidence of historical success in aligning views.
SushiSwap is a case in point. It is one of the largest DEFI protocols by Total Value Locked (TVL) and supposedly governed by a DAO, but recent events suggest that democracy isn’t being served. Two of its largest token holders recently sought a change to its rules amid lurid accusations of unauthorised spending and developers bypassing the community, which eventually saw the CTO forced to quit in December 2021…
The conundrum facing the Badger community requires balancing multiple perspectives and interests. The hack was stopped with only 50% of the potentially exploitable funds drained. Though it might seem straightforward to simply recoup $9.2million in stolen funds held in contract limbo, this will set a precedent for asset seizure that may not be so clear cut in future.
The distribution of losses presents arguably the thorniest dilemma. The majority of the $120million loss was felt by just ten users, as the hackers pulled funds in a top-down approach.
Should the 31,990 other, more modest users all pitch in to help make good the super users, some of whom have been identified as significant crypto businesses in their own right with billion-dollar balance sheets? And if so, how will that work? The Badger treasury cannot make good right now, so everyone may end up earning a little less over time to make good for the few.
Only time will tell as to whether DAOs can find consensus on dealing with hacks. Given the inevitability of further DEFI exploits it seems that finding ways to handle loss in an equitable manner may end up being baked into governance rules.