When courts control DeFi – POLITICO


With help from Derek Robertson

Score one for state oversight of decentralized finance.

Last week, a London court ordered a DeFi developer to enable the transfer of $140 million worth of hacked crypto from one of its users’ wallets to a court-designated recipient, a lawyer for the company tells DFD.

This, of course, runs counter to one of the foundational tenets of decentralized finance: that third parties like courts and service providers are not supposed to be able to control users’ funds.

In practice, though, DeFi can’t always deliver on that promise.

On Thursday, we looked at a couple of recent trends that showed the challenges regulators face in exerting control over decentralized finance networks. But DeFi firms and users face their own challenges in making the networks as decentralized and immutable as intended.

Even when the core blockchains at the heart of DeFi function as advertised, DeFi activity often relies on centralized service providers to make it more efficient and accessible. Those service providers are more susceptible to government-mandated interventions than the blockchains they connect to. In some cases, the service providers have back doors that let them override users who falsely believed their transactions were irreversible.

And that, in turn, gives governments an opening to exert control over DeFi.

In this case, the long arm of the state was able to reach onto a blockchain and yank a bunch of digital loot away from someone who was not supposed to have it, with the help of some eagle-eyed hackers.

This particular saga began last year when a hacker took advantage of a bug in the Wormhole Bridge — software that provides inter-connection between several different DeFi blockchains — to make off with 120,000 Ether. (These software “bridges” between blockchains often contain weak links that allow hackers to steal funds.) At the time, the haul was worth more than $300 million, making it one of the larger crypto heists of the year.

Eventually the hacker deposited the funds in a crypto wallet provided by Oasis, a developer of front-end software that makes it easier for users to engage in DeFi. (Oasis was in no way implicated in the hack.) The wallet was billed as non-custodial, meaning the user controls the funds with cryptographic keys.

But there were caveats. Like many DeFi developers, Oasis built a multi-signature override — basically a back door that requires multiple private keys to open — into its software.

This would let the company intervene in case the software got hacked and it needed to undo the damage, according to the lawyer for Oasis, Ann Sofie Cloots.

A group of white hat hackers discovered the back door, and that it could be used to take the hacker’s funds away, she said. The white hats alerted Oasis earlier this month, and the court ordered that the back door be exploited.

In a series of transactions that began on Tuesday, it was.

Crypto media company Blockworks took note of the unusual transactions and described their mechanics in a research note published on Friday. This was followed by a statement from Oasis revealing the court order.

The episode illustrates the gap between the vision of DeFi purists and the messy reality of DeFi activity today, which often relies on centralized service providers whose software contains both bugs and intentional back doors.

Even a hacker sophisticated enough to pull off one of the largest crypto heists on record was unable to steer clear of these traps.

And even when back doors are built on purpose to thwart crime, they are controversial — the subject of long-running fights about digital governance that extend beyond crypto.

For years, governments have sought to mandate back doors into encrypted digital communications tools — like WhatsApp — citing the need to gather intelligence and fight crime. Civil society groups like Human Rights Watch have pushed back, citing privacy concerns.

Meanwhile, federal law enforcement officials in the U.S. have successfully clawed back stolen crypto funds on several occasions, though their exact methods are often unknown.

In cases when a special back door is not available, participants in crypto networks can still band together to reverse illicit transactions. Most famously, a majority of the Ethereum network agreed to reverse a theft of stolen funds in 2016. But that decision prompted heated debate among its users and a schism in the network when a rump group of crypto purists refused to recognize the reversal.

So, while a company might normally celebrate its role in helping to restore hundreds of millions of dollars in funds to their rightful owners, Oasis is instead emphasizing that it had no other choice.

“There’s no way for a UK entity to just say we’re going to ignore a court order,” Cloots told DFD. “It wasn’t a pleasant situation for our team to be in.”

Over the weekend the European Union kicked off its “citizens’ council” meant to solicit feedback on the metaverse, with its recommendations to be sent to the European Commission for consideration as it tackles regulation in the virtual world.

Patrick Grady, a policy analyst at the Center for Data Innovation, was there and recapped the experience in a blog published this morning, providing a few key takeaways from a weekend that featured a virtual Bruegel Room, some airing of digital grievances, and, for some reason, an improv comedy troupe.

Despite Grady’s praise that the session was “A leading experiment in democratic policymaking and invigorating to hear citizens input and experience on a pressing initiative,” the post features plenty of negative feedback for the Commission. Grady argues that the Commission “stack[ed] the deck” by loading the panels and programming with its own staffers, giving the EU citizens in attendance a relatively one-dimensional view of the nascent VR industry, among other things.

He added in an email to DFD that “The Commission should pay for and observe the process but remain impartial to it because it is for the citizens, not them, to decide what the topics and priorities should be,” and the next council “must not make the same mistakes.” — Derek Robertson

Some very smart people are kind of freaking out about AI.

And not about its capacity to disrupt the service industry, or “end homework” — rather, they’re worried about the possibility it could kill us all.

But not everyone is so chagrined. Rohit Krishnan, the VC and tech blogger I spoke to about the subject in DFD last month, has published a new essay that throws some additional cold water on the panic.

“If you are going to be the type of person so invested in empirical truth that you would like a meta-study of plenty of peer-reviewed studies to understand the efficacy of Ivermectin on Covid-19, then perhaps you should apply similar epistemic standards to predicting the future before jumping ahead to updating on our impending doomsday and prescribe courses of action,” Krishnan writes. (Ouch.)

Krishnan makes at length a case similar to the one he made when we spoke, saying that while the AI apocalypse some envision isn’t impossible, it’s improbable on the order of various other sci-fi catastrophes, and humanity would do much better for itself to think harder about how we develop and govern it in the here-and-now. — Derek Robertson

Stay in touch with the whole team: Ben Schreckinger; Derek Robertson; Mohar Chatterjee; Steve Heuser; and Benton Ives. Follow us @DigitalFuture on Twitter.

Ben Schreckinger covers tech, finance and politics for POLITICO; he is an investor in cryptocurrency.

