On August 10, the Poly Network was hacked in a record $600 million theft. While the hack itself was substantial, the events and remedial efforts that followed had a far greater impact than the financial damage. The cryptocurrency community's reaction to the theft should alert regulators to the centralized reality of this ecosystem. Despite the claims of decentralization, there are a few entities that can (and should) be brought under control, including "decentralized" exchanges, those that fund decentralized exchanges, cryptocurrency miners, and leading stablecoins like Tether. In particular, these entities should be required to put in place effective anti-money laundering controls.
And since the current ransomware outbreak depends on the larger cryptocurrency ecosystem, anything that can disrupt that ecosystem by forcing it to obey the law should be considered.
The number of cryptocurrency “assets” is proliferating dramatically. In the old days, to create a new asset like Dogecoin, you had to create a significant software infrastructure to run a new blockchain, a ledger that tracks balances. Once done, people could effectively bet on whether Dogecoin would rise or fall in value by trading the tokens on a centralized cryptocurrency exchange such as Coinbase.
Now, to create an asset like Shiba Inu tokens (SHIB), you just deploy a piece of code on top of an existing cryptocurrency like Ethereum. Ethereum acts as the shared ledger and the SHIB tokens run on top of it. Ethereum also includes "decentralized" exchanges so that you can exchange SHIB tokens for other cryptocurrencies without the need for a third-party exchange service.
As many such cryptocurrencies can support these exchangeable tokens, it is common for someone who creates a token to create a version on top of multiple cryptocurrencies, thus creating a world in which there are both Ethereum SHIB and Huobi Eco SHIB tokens. Players may want to move their SHIB from the Ethereum blockchain (ETH) to the Huobi Eco blockchain (HECO) as part of a particular gaming program.
Nowadays, almost all newly created cryptocurrencies are in fact tokens on top of another blockchain, so a mechanism was needed for information and value to be transmitted between different blockchain networks.
This is where the Poly Network comes in as a "cross-chain" tool. Poly is implemented as a series of "smart contracts" that run across multiple blockchains. The Poly Network maintains a pool of assets across different blockchains, allowing someone to move from one chain to another by effectively substituting assets.
So, to transfer some SHIB from ETH to HECO, a player transfers the Ethereum version of SHIB and additional charges in ETH to the Ethereum version of Poly. The Huobi Eco version of Poly then transfers the Huobi Eco version of an equal amount of SHIB to the player. To do this, the Poly Network smart contract needs to control many assets, both the underlying cryptocurrencies and the top-level tokens, which means that anyone who can compromise Poly can take those substantial assets.
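Because the bridge pays out from a pool it holds on the destination chain, every release should be backed by exactly one deposit on the source chain. The following sketch is an added example, not Poly Network code: it reconciles a constructed event log, and the event fields (`type`, `chain`, `dest`, `token`, `amount`, `id`) are hypothetical names chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events, not real chain data. Field names are hypothetical.
# Events are assumed to arrive in order (a lock is seen before its release).
EVENTS = [
    {"type": "lock", "chain": "ETH", "dest": "HECO", "token": "SHIB", "amount": 1000, "id": "t1"},
    {"type": "release", "chain": "HECO", "token": "SHIB", "amount": 1000, "id": "t1"},
    {"type": "lock", "chain": "ETH", "dest": "HECO", "token": "SHIB", "amount": 500, "id": "t2"},
    {"type": "release", "chain": "HECO", "token": "SHIB", "amount": 5000, "id": "t2"},
    {"type": "release", "chain": "HECO", "token": "SHIB", "amount": 200, "id": "t3"},
    {"type": "release", "chain": "HECO", "token": "SHIB", "amount": 1000, "id": "t1"},
]

def reconcile(events):
    """Return (alerts, net change in bridge custody per (chain, token))."""
    locks, released, alerts = {}, set(), []
    net = defaultdict(int)
    for e in events:
        pool = (e["chain"], e["token"])
        if e["type"] == "lock":
            # Deposit into the bridge pool on the source chain.
            locks[e["id"]] = e
            net[pool] += e["amount"]
            continue
        # Payout from the bridge pool on the destination chain.
        net[pool] -= e["amount"]
        lock = locks.get(e["id"])
        if lock is None:
            alerts.append((e["id"], "release without matching lock"))
        elif e["id"] in released:
            alerts.append((e["id"], "duplicate release"))
        else:
            released.add(e["id"])
            expected = (lock["dest"], lock["token"], lock["amount"])
            if expected != (e["chain"], e["token"], e["amount"]):
                alerts.append((e["id"], "release differs from lock"))
    return alerts, dict(net)

if __name__ == "__main__":
    alerts, net = reconcile(EVENTS)
    for xfer_id, reason in alerts:
        print(xfer_id, reason)
    print(net)
```

The net figures show how far the destination pool has been drawn down relative to what was deposited, which is the exposure the paragraph above describes.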
Now a smart contract means one of two things. In the eyes of the cryptocurrency community, it is the encapsulation of the notion that “the code rules”: the program represents a contract between the parties and executes it on behalf of the parties. Of course, if you can tell a smart contract to ‘give me all your money’ and it does, is that even theft? After all, it is clearly in the “text” of the contract since the contract did nothing that it was not specified as being authorized to do.
The reality is more prosaic. A smart contract is simply a program that works with money, just a public program rather than a private one. So unlike the programs that manage your bank account, the smart contract is public and anyone can interact with it by sending it processing requests. Also, since the underlying cryptocurrencies are irreversible, any problem with the code will be catastrophic as there is no way to say "oops, cancel" when something goes wrong. This is very different from traditional contracts, where, in case of ambiguity or error, the court system exists to resolve issues.
The natural consequence of this rigidity is that smart contracts are inevitable targets for exploitation. In 2016, the DAO, or Decentralized Autonomous Organization, attempted to create the first large smart contract entity where code would run a decentralized organization. The DAO was able to collect around 10% of all Ethereum during its funding period, but this success was limited, as the DAO was hacked for large amounts of cryptocurrency. Subsequently, the Ethereum developers (who turned out to be heavily invested in the DAO) violated the "code is the law" principle by reversing the transaction to effectively steal Ethereum from the hacker. The litany of subsequent smart contract hacks is long and amusing.
And, in an event that shouldn't have surprised anyone, someone successfully exploited the smart contract behind Poly, convincing the contract that they were the operator allowed to transfer all underlying funds, and stole some $600 million in various cryptocurrencies that Poly needed to keep on hand to implement its on-chain exchange. At this point, it's fun, but why should regulators care? Because of what happened next.
The people behind Poly began by asking all exchanges and miners to block the hacker's wallet, before begging the hacker to return what is legally stolen property. Then the CTO behind the Tether stablecoin blocked the transfer of some $33 million in Tether acquired by the hacker, freezing those assets. Finally, the hacker started returning assets to Poly, probably because of the difficulties of laundering the considerable sums involved.
Regulators should take note, as this series of events shows specific characteristics of "decentralized" finance projects like Poly and stablecoins like Tether that deserve close scrutiny.
The first observation is that despite all its claims to decentralization, Poly is a centralized money transmitter that boasts of having transferred more than $10 billion in value between different blockchains in less than a year. The only claim to decentralization is that the code itself runs on its own on various computers not controlled by Poly Network, but the code itself was developed and is controlled and maintained by Poly, and the code provides financial income to the Poly Network project. The number of KYC and anti-money laundering checks is effectively zero. Just connect your cryptocurrency wallet and start trading.
In fact, most decentralized finance projects are decentralized in name only. Whatever entity or entities can update the code are the central authorities and the points of regulation. These entities also tend not to attempt to implement geographic control, making services available to people in every state and nation.
Even the truly decentralized Uniswap, a project that allows trading between different tokens on the same underlying blockchain, is not as decentralized where it matters. Although the underlying code is now fully distributed by the community, requiring an explicit vote from Uniswap token owners to update, it is made up of a large number of individual "liquidity providers" who provide the funds as market makers in individual trading pools.
It is worth asking whether these providers themselves have a responsibility to ensure that the pool for which they provide liquidity correctly applies the legal requirements imposed on brokers and fund transmitters. Because it's a safe bet that of the $300 billion in value transferred through Uniswap, including $1 billion in fees paid to liquidity providers, almost none of it was properly reported for tax purposes or tracked for money laundering issues.
The second observation is a reminder that cryptocurrency miners are money transmitters because they can and do enforce rules on the transactions they actually accept. This was, in fact, a cryptocurrency organization calling on these "decentralized" miners to act in concert to block known bad transactions. If miners can do it for theft, they can do it for any wallet that doesn't pass anti-money laundering checks.
The last observation concerns the nature of Tether. Tether promises a dollar-backed "stablecoin" and is a key component of many unregulated cryptocurrency exchanges. I have previously described Tether as bearing a striking resemblance to Liberty Reserve, a money-laundering money transfer center that was shut down and prosecuted in 2013.
One could argue that Tether, by hosting its tokens on a blockchain, was somehow less to blame than Liberty Reserve, which maintained a central database. After all, Tether the company claims to have anti-money laundering policies, but for some reason a large number of Tether tokens are circulating entirely between the digital equivalent of Swiss numbered accounts.
By clearly demonstrating that Tether the company can control arbitrary instances of Tether the token, Tether the company has shown that any such blockchain claim can be ignored. If individual addresses can be blocked or limited, Tether could block or limit every address that has not provided appropriate know-your-customer information.
Tether the company can claim that its clients are just exchanges and other direct buyers of the Tether token, but the ability to block Tether's movement at such fine granularity clearly shows that to be wrong. Tether could implement anti-money laundering and know-your-customer controls; it has shown that its current system could, but it has chosen not to. The same behavior led to the founder of Liberty Reserve being sentenced to 20 years in prison.
So, aside from comedy gold, the Poly hack serves as a useful reminder to regulators. There are groups, like Poly and Tether, and individuals, like Uniswap's liquidity providers or cryptocurrency miners, who have shirked their legal obligations under cries of "decentralization", cries that turned out to be false when the money of these entities was at stake.