Defend Truth

GUEST ESSAY

Crypto — how to heist $47m in seconds and walk away, scot-free

Crypto — how to heist $47m in seconds and walk away, scot-free

The past couple of weeks have seen the greatest dollar volume of heists from various crypto-related projects in blockchain’s short history, including four major incidents in one day. In one startling case, a guy helped himself to north of $100m. Not only did he get to keep $47m of it without threat of legal action, but he also went public, doxxing himself and saying ‘yeah, it was me, have a nice day’.

At the core of this story lies the subtle difference between the definition of a hack and an exploit. For instance, a hacker who breaks into crypto and steals cryptocurrency using a purloined private key is a thief, a robber, a breaker-and-enterer and a criminal. There are legions of these crimes across the crypto space. The perp or perps are always anonymous — they do not want to get caught, because they will go to jail. Which sometimes happens, although not often enough.

Then there is another sort of play. I am not sure whether to call it a scam, a grift or a crime: it does not really fit neatly into any of those definitions.  What happened to Mango Markets on 12 October is a perfect example.

Mango Markets is a crypto project that facilitates lending and borrowing and margin trading in the crypto markets. There are a number of similar projects in this space; they deliver an important service to the crypto economy. Mango and similar projects all leverage a core advantage of blockchain — the ability of a piece of software, called a smart contract, to replace the function of the bank or exchange or other financial middlemen. 

Mango Markets is not a fly-by-night. The amount of value that it manages has reached as high as $200m, dropping to about $150m as world markets have crashed. 

And then one day, more than $100m disappeared from its coffers.

Bug in the code

What generally happens in these cases is that the developers, aided by an army of Good Samaritan developers out in the world, dive in to try to find out what went down. Smart contracts are open-source code — anyone can see them — internal project developers… and outsiders, both good and bad. In any event, they found a bug in the code. Or more accurately, an extremely subtle vulnerability in the way the application operates, which no one else had spotted since its release years before.

No one except a guy called Avraham Eisenberg.

Eisenberg is not a black-hat hacker wearing a dark hoodie — he has posted for years on various blogs like Substack, explaining how he and his team study Defi protocols and find ways to trade profitably. He has explained his techniques without hiding them. 

There is a 24 January post entitled, “How our team makes millions in crypto risk-free”. The article goes into transparent detail on how he does it — all above board, doing what armies of traders and hedge funds try to do in the real world.

All of this netted him a few percent per week in profits, sometimes more. An enormous amount if you look at the annual take. But nothing compared with his $100m haul at Mango.

The details of how he did this trade are less important than this — he did not hack Mango. He simply found a way to use its rules and process to leverage out the money. Nothing illegal at all. The Mango Market smart contract was not supposed to enable this sort of trade. But it did, and he saw it and simply played by its rules.

Visit Daily Maverick’s home page for more news, analysis and investigations

Here is what he said on a Twitter thread when he doxxed himself a few days after the hack on 14 October.

I was involved with a team that operated a highly profitable trading strategy last week.

“I believe all of our actions were legal open market actions, using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they are.

“Unfortunately, the exchange this took place on, Mango Markets, became insolvent as a result, with the insurance fund being insufficient to cover all liquidations. This led to other users being unable to access their funds.

“To remedy the situation, I helped negotiate a settlement agreement with the insurance fund with the goal of making all users whole as soon as possible as well as recapitalizing the exchange.

Bounty

“As a result of this agreement, once the Mango team finishes processing, all users will be able to access their deposits in full with no loss of funds.”

It was a little stranger than that. Because Mango Markets offers any of its token holders (kind of like stockholders) the opportunity to submit proposals for improvements in the system, Eisenberg, who obviously held many tokens, submitted a proposal that said, Hi everyone. I will return everything but $47-million. That way your insurance fund will cover everyone, and no one loses money. And oh, you must indemnify me from legal action.

The community voted 97% in favour. So he walked away with his money and indemnification. The $47m was called a “bug bounty” — a reward for finding a flaw in the system.

It may not be the end of this story. It is possible that prosecutors may see this as illegal market manipulation or something, and come after him.

But I suspect there is no recourse, and the blame lies squarely with the architects of the smart contract who let some smarter smartypants outsmart them. DM

Steven Boykey Sidley is a Professor at JBS, University of Johannesburg.

Gallery

Comments - Please in order to comment.

Please peer review 3 community comments before your comment can be posted

X

This article is free to read.

Sign up for free or sign in to continue reading.

Unlike our competitors, we don’t force you to pay to read the news but we do need your email address to make your experience better.


Nearly there! Create a password to finish signing up with us:

Please enter your password or get a sign in link if you’ve forgotten

Open Sesame! Thanks for signing up.

We would like our readers to start paying for Daily Maverick...

…but we are not going to force you to. Over 10 million users come to us each month for the news. We have not put it behind a paywall because the truth should not be a luxury.

Instead we ask our readers who can afford to contribute, even a small amount each month, to do so.

If you appreciate it and want to see us keep going then please consider contributing whatever you can.

Support Daily Maverick→
Payment options

It'Mine: How the Crypto Industry is Redefining Ownership

There must be more to blockchains than just Bitcoin.

There is. And it's coming to a future near you soon.

It's Mine is an entertaining and accessible look at how Bitcoin made its mark, how it all works and how it challenges our long-held beliefs, from renowned expert and frequent Daily Maverick contributor Steven Boykey Sidley.

Become a Maverick Insider

This could have been a paywall

On another site this would have been a paywall. Maverick Insider keeps our content free for all.

Become an Insider
Elections24 Newsletter Banner

On May 29 2024, South Africans will make their mark in another way.

Get your exclusive, in-depth Election 2024 newsletter curated by Ferial Haffajee delivered straight to your inbox.