FINTECH
Breaches of Security
The text does not discuss theft of digital assets by hackers. This issue requires knowledge to understand the vulnerability of distributed ledger technology, wallets, imperfection of code, and regulation.
Parity Multi-Signature Wallet
On 19 July 2021, a hacker stole $31 million of ETH, the second largest heist in the history of digital currencies. In his article "A hacker stole $31M of Ether - how it happened, and what it means to Ethereum", Mr. Qureshi explains how a hacker exploited a weakness in the Parity multi-signature wallet on the Ethereum network to steal assets held in three wallets.
The hacker or hackers found a flaw in the code contained in the smart contract running the Ethereum multi-signature wallets [wallets that require more than one private key to unlock]. Programmers reduce costs by relying upon shared libraries of code. Transactions in smart contracts are executed through "calls". The multi-signature wallet" itself contained all of the right permission checks ... to enforce authorisation on all sensitive actions related to the wallet's state".
But the programmers made one critical mistake. Solidity, the language of smart contracts run on Ethereum, allows a "fallback method". This is the method that "gets called when there's no method that matches a given method name". In this case, the "fall method" calls a method in the shared wallet library, which allowed the hacker to reinitialise the smart contract and overwrite the owners' keys.
The author states: " The exploit was almost laughably simple: they found a programmer-introduced bug in the code that let them re-initialise the wallet, almost like restoring it to factory settings. Once they did that, they were free to set themselves as the new owners, and then walk out with everything".
Ethereum developers, aware of the breach, immediately hacked all other existing wallets exploiting the same flaw to protect an additional $150 million of assets. The "white hats" then began the process of returning the assets to their actual owners. Unfortunately, the funds stolen could not be recovered as they were spent and put into circulation.
Drawing attention to lessons learned, Mr. Qureshi observes that the theft was not due to a flaw in Ethereum or smart contracts but was caused by developer error. In this case, the developers were experts and adhered "to the highest standard of programming that exists in the Ethereum ecosystem". The developers also were fallible as were the auditors who had reviewed the code. In other words, there is no point blaming the developers of this particular code as it could have happened to any developer using a language as complex as Solidity.
Rather, blockchain programming is different from web development, less forgiving, and a work in progress. Programmers will improve their skills and tighten security. More importantly, the developer community in Ethereum "is what makes Ethereum so powerful". I quote: "Ethereum will not live or die because of the money in it. It will live or die based on the developers who are fighting for it". The "white hats" who defended the vulnerable wallets did not do it for money but because they believe in the ecosystem. "They are fundamentally why Ethereum will win in the long run - or if they abandon Ethereum, their abandonment will be why it loses".
Mt. Gox
In 2014, Mt. Gox, the largest bitcoin exchange at that time, filed for bankruptcy after hackers stole $460 million in Bitcoin. The company was headquartered in Tokyo and Mark Karpeles was the CEO. Based on several reports, Karpeles was an ineffective manager and the company lacked effective controls over the quality and security of its software code thereby making it a target for hackers.
Mt. Gox was first hacked in 2011. At the time of the hack, hardware wallets were practically non-existent. Mt. Gox held the private keys of Bitcoin owners in a file named wallet.dat file. The hackers got access to this wallet and began draining BTC from the exchange for a period of years. The company realised the total amount of the theft in 2014.
The DAO Hack
In June 2016, the DAO was hacked for 12.7 million Ether [in 2016 value about $60 million]. The acronym "DAO" refers to Distributed Autonomous Organisation, a blockchain based firm owned by its members. DAOs replace the common corporate structure with a decentralised organisation operated by technology and protocols. The DAO "intended to act as an investor-directed venture capital firm". [Cryptopedia 2021] It was built on the Ethereum blockchain. The founders used an Initial Coin Offering [ICO] to raise $150 million.
The entire amount of the funds raised in the ICO were held in a single wallet. Computer scientists found a bug in the DAOs wallet smart contract. Hackers exploited this vulnerability to commit the theft. The hackers parked the funds in another DAO subject to a 28 day lock-up period. Hence, when Ethereum learned of the hack, they were able to take control of the funds and return the Ether to their owners. In addition, Ethereum elected to make a hard fork in the blockchain.
The hard fork was not accepted by the entire Ethereum community resulting in two competing Ethereum blockchains. The hard fork resulted in rolling back blockchain's history to before the DAO attack. The pre-forked version is now known as Ethereum classic. The decision to take a hard fork was controversial as blockchains claim to be tamper-resistant.
Regulation
Regulation of cryptocurrency markets, ICOs, and blockchain networks is likely to be enacted in the very near future. However, regulation may be either a blessing or a curse. For example, if regulation is predicated upon cyber attacks, the legislation is misplaced. Legal systems already have civil and criminal penalties for theft. Regulation also cannot itself make code error free. Hence if legislation is based upon cyber theft, then it is completely misplaced.
In addition, regulatory systems deal with the registration of securities. Let us assume, all crypto is a security. The question arises: who is the issuer, since it is the issuer who files the registration documents with the appropriate authority. In BTC, coins are brought into existence by miners solving mathematical puzzles. Are miners then issuers of coins, or is the underlying protocol the issuer of the coin?
A major question is why regulate? The canonical response is to protect consumers and to make certain that markets are orderly, fair, and transparent. The canonical reply is contradicted by the track-record of legislation. The latter has not been able to achieve its goals in traditional regulated markets.
Hence, it must be asked: what is the aim of legislation? Legislation appears unrelated to the cyber theft of the three examples provided above, though admittedly these do not constitute a valid sample. Proponents of legislation state that it is necessary to bring the "crypto markets" under the auspices of regulatory frameworks established for other assets, in order to "normalise" them. As for cyber-theft, virtually every jurisdiction has laws against theft, both civil and criminal. Therefore, for this problem, new legislation is not needed.
Regulation raises many questions for students of this genre to contemplate.
Exercise
Research the historical record of cyber attacks involving crypto, identify how hackers attacked the system, and propose solutions to strengthen security.