EthCC Stole Our 200 tickets
TL;DR: We MEV’d 200 valid tickets to EthCC. The organizers invalidated them and stole half of our USDC
What did we do?
We’re a small group of crypto enthusiasts who really wanted to ensure we got EthCC tickets to attend the event this year. On February 28th, we missed the initial early bird tickets that were dropped out of the blue, with all 100 gone within the hour. With the tickets being sold on-chain, we immediately decided to look at the code to try and guarantee that we secure some in the next batch, whilst also securing some extra to help friends attend and to sell.
The EthCC website stated that, provided we could each generate a signature proving that we owned the wallet holding the NFT, we would be guaranteed entry to EthCC:
This gave us the idea for a simple way to make the non-transferable NFTs transferable and, on March 23rd, we successfully bought 200 tickets with the plan to sell the surplus tickets for profit (and hoped our purchase would push EthCC to use a better mechanism design next time).
What did they do?
With their pride hurt, EthCC decided to do what we honestly thought was unthinkable for a crypto-native organization. They went against the on-chain sale mechanism they designed and unilaterally invalidated our tickets:
Jerome de Tychey (President of EthCC) bragged about why they stole our funds in this article, promising 200 additional tickets in the next batch:
Because they knew we had valid tickets, they had to find a mechanism to ‘invalidate’ them — they did this through the refund mechanism. They interacted with the contract function “expireAndRefundFor” with the method[1] input as 0 for each of our NFTs. This means EthCC used the pre-implemented function meant for refunding users but with the refund input as, erm… ZERO:
We consider this theft, plain and simple. They did not return our funds, even though we have paid for what all available documentation states to be tickets.
Our Conversations with Jerome
Following the EthCC article and the invalidation of our tickets, we contacted Jerome through our anonymous Twitter account — @0x84003239. We felt we had proved our point about the poor mechanism design and thought we would be able to get refunded. Then EthCC could sell the tickets again, with an improved mechanism.
As mentioned here on EthCC’s website, our tickets are the NFTs themselves:
Jerome agreed that the NFT sales are “technically final” (duh!) and made some nonsensical arguments about how they were unable to refund the tickets due to “VAT and taxes” (despite having used the expireAndRefundFor function previously for its intended use, to refund an address):
They then told us they would refund us half(!) to discourage “blackhat pentesting” (translation: buying tickets at full price, using their smart contract):
How a customer paying full price for a product on-chain is “blackhat pentesting” is beyond us. EthCC received our funds, while we received nothing of value in return. EthCC are thieves, and they seem to enjoy unnecessarily threatening us too:
Code is Law
Many people have strong opinions about “code is law”. Does on-chain code rule all? Regardless of where you lean in this argument, EthCC wrote about what constitutes a ticket in their FAQ:
“Your ticket is an NFT”. Sure — it has metadata (that lives off-chain). But an NFT is an NFT — it’s an on-chain non-fungible token. By allowing tickets in NFT form, you bypass the requirement for the user to plug in their details (email address etc.) to your form. So, users can turn up with the wallet that owns the NFT and generate a signature — this makes sense.
According to all the existing information, our actions should have resulted in valid tickets. Various pieces of information assumed the existence of “metadata”, but there is no mention of this metadata being a prerequisite of ticket validity.
We wouldn’t expect on-chain code to be treated as law by a centralized conference organisation, but EthCC not adhering to their own T&Cs (“FAQs”) is hypocritical, disingenuous, and ultimately, theft.
Summary
We understand that buying more tickets than one needs to attend an event oneself is frowned upon. We stand guilty as charged.
As on-chain sleuths, we admire the challenge of looking for opportunities knowing that what settles on-chain is final. It’s unthinkable for a crypto-native organization like EthCC to publicly commit itself to using an on-chain mechanism to sell tickets and then refuse to honour the validity of the tickets because they dislike the incentives they created in their mechanism design.
It’s repulsive to see that a non-profit behind a successful Ethereum conference would go as far as to steal the assets of people who participate in the ticket sale to try to save face over the poor design of their sale protocol. We expect them to do better and validate or refund all of our tickets.
UPDATE: Since writing this article, EthCC has refunded us HALF of the funds thus far. They have no intention of giving us back the rest. We believe this was done in an attempt to keep us quiet, which we refuse to do.
Appendix 1
On-Chain Walkthrough; How we did it
We deployed an ERC721 NFT contract (Wrapped EthCC Tickets) with a few custom tweaks:
- On every mint: it creates a Gnosis Safe, buys an EthCC ticket from Unlock Protocol and sends it to the Gnosis Safe. Then it mints an NFT with the tokenId equal to the tokenId of the EthCC ticket NFT.
- On burn: the contract transfers ownership of the Gnosis Safe to the owner of the burnt wrapped NFT.
Effectively, our NFT wrappers are transferable contracts for underlying non-transferable NFTs, and they are redeemable for the underlying whenever the owner wishes.
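As an added illustration (not Unlock Protocol's or EthCC's code, and not the wrapper contract described above), a hypothetical minimal ticket contract showing the two design points this post turns on: a purchase path that lets a contract account hold a “non-transferable” ticket, which is what the wrapper in Appendix 1 relies on, and an organizer refund path whose amount is bound to the price paid rather than chosen at call time (the `expireAndRefundFor`-with-zero situation described earlier). The check-in verifier requires a raw ECDSA signature from the holding address, so a ticket held by a contract (a Gnosis Safe signs via EIP-1271) cannot be redeemed; `SoulboundTicket`, `buy`, `expireAndRefund` and `checkIn` are assumed names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal ticket contract; names and structure are assumptions.
contract SoulboundTicket {
    uint256 public immutable price;
    address public immutable organizer;
    uint256 public nextId = 1;
    mapping(uint256 => address) public ownerOf; // no transfer function exists
    mapping(uint256 => uint256) public paid;

    constructor(uint256 price_) {
        price = price_;
        organizer = msg.sender;
    }

    // Weak point: any caller can buy, including a contract such as a freshly
    // deployed safe, which is what lets a transferable wrapper own a
    // "non-transferable" ticket. The check-in rule below removes the wrapper's value.
    function buy() external payable returns (uint256 id) {
        require(msg.value == price, "wrong price");
        id = nextId++;
        ownerOf[id] = msg.sender;
        paid[id] = msg.value;
    }

    // Refund path: the amount is what the holder paid, not an argument chosen by
    // the organizer; an admin-supplied 0 would invalidate a ticket uncompensated.
    function expireAndRefund(uint256 id) external {
        require(msg.sender == organizer, "not organizer");
        address holder = ownerOf[id];
        require(holder != address(0), "no such ticket");
        uint256 amount = paid[id];
        delete ownerOf[id];
        delete paid[id];
        (bool ok, ) = holder.call{value: amount}("");
        require(ok, "refund failed");
    }

    // Check-in: the holder signs a per-event challenge with the key controlling the
    // holding address. ecrecover only yields key-controlled (EOA) signers, so a
    // contract holder (a Gnosis Safe signs via EIP-1271) cannot check in.
    function checkIn(uint256 id, bytes32 challenge, uint8 v, bytes32 r, bytes32 s)
        external view returns (bool)
    {
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", challenge));
        address signer = ecrecover(digest, v, r, s);
        return signer != address(0) && signer == ownerOf[id];
    }
}
```

Residual risk is then limited to sharing the holder's private key, which cannot be transferred trustlessly on-chain; a verifier that accepts EIP-1271 contract signatures at check-in would reopen the wrapper path.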
Appendix 2; Questionable Treasury Management
EthCC’s treasury “management” reminds us of this.
History doesn’t repeat itself, but it often rhymes
Let’s look into what EthCC are doing with their y̶i̶e̶l̶d̶ ̶f̶a̶r̶m̶s̶ treasury:
0x04a8a22e5ef364c5237df13317c4f083f32c2cc4 is their address, with the ENS “ass.eth” (Ethereum France, the “non-profit” behind EthCC. Formerly known as ASSETH). ass.eth is registered and controlled by jdetychey.eth.
ass.eth took in 28k USDC from the first 100 tickets ($280 each) on February 28th, and $101,320 from our batch ($340 per ticket) on March 25th. The funds from our batch were bridged to Ethereum within 10 minutes, where Jerome wasted no time putting ours and others’ funds to work; see the Ethereum transactions here.
What is the reason for not returning our funds? Did your accountant also advise you to bridge our funds to Ethereum and start yield farming on APWine? Or did you just hope you could profiteer off some overly keen “scalpers”?
Management of the Funds
Assets held by the treasury are so sporadic that it’s difficult to even assess the total treasury value, with popular wallet dashboards such as Zapper/Zerion only picking up some of the spurious, non-descript pools being farmed.
With their treasury, EthCC have $470k in the Curve sUSD 4-pool in Convex. They were previously one of the largest holders of the APWine fixed rate lock of 90D-StakeDAO-sdFRAX3CRV-f. They LPed this 90D locked token and the standard FRAX3CRV-f ($212k) before exiting this 12 days ago.
EthCC also have $413K in Curve’s 3EURpool on Convex; agEUR/EURS/EURt vault (yes, a pool with 3 Euro synths, you read that correctly, we’re surprised they got this past the accountant). Before this, they were farming €390k of mooJarvis4EUR on Polygon (jEUR, PAR, EURS, EURt).
The residual assets are $67K (61 ETH) in Convex through the rETH+wstETHCRV pool. This position was worth $160k when it was put on at the start of March. Let’s hope the liquid staking derivatives don’t trade at a further discount. Let’s also hope that Convex Finance doesn’t have any issues, since all of the treasury assets are in Convex.
We as degens love alphabet soup pools, but taking on this amount of smart contract and depeg risk for their treasury is nuts. Poor treasury management.
Let’s hope all the compounded risk they’re taking here does not backfire. We wonder how Jerome would break down EthCC’s 2022 balance sheet if they took sizable losses in a rug/exploit/stablecoin depeg during event planning.
What happens with these yield farming profits? Who takes the blame and eats the loss when EthCC inevitably get caught in a protocol rug in the coming years? Don’t worry attendees, we’re sure some of the premium sponsors will bail you out!
Or maybe you’re stealing from us in the hopes of plugging a hole in your finances.
It is also highly likely the treasury is managed by a single EOA (Externally Owned Account). There is no Gnosis Safe, and the manual contract interactions are too fast for an MPC wallet. This is abysmal OpSec.
