Score one for state oversight of decentralized finance. Last week, a London court ordered a DeFi developer to enable the transfer of $140 million worth of hacked crypto from one of its user’s wallets to a court-designated recipient, a lawyer for the company tells DFD. This, of course, runs counter to one of the foundational tenets of decentralized finance: that third parties like courts and service providers are not supposed to be able to control users’ funds. In practice, though, DeFi can’t always deliver on that promise. On Thursday, we looked at a couple of recent trends that showed the challenges regulators face in exerting control over decentralized finance networks. But DeFi firms and users face their own challenges in making the networks as decentralized and immutable as intended. Even when the core blockchains at the heart of DeFi function as advertised, DeFi activity often relies on centralized service providers to make it more efficient and accessible. Those service providers are more susceptible to government-mandated interventions than the blockchains they connect to. In some cases, the service providers have back doors that let them override users who falsely believed their transactions were irreversible. And that, in turn, gives governments an opening to exert control over DeFi. In this case, the long arm of the state was able to reach onto a blockchain and yank a bunch of digital loot away from someone that was not supposed to have it, with the help of some eagle-eyed hackers. This particular saga began last year when a hacker took advantage of a bug in the Wormhole Bridge — software that provides inter-connection between several different DeFi blockchains — to make off with 120,000 Ether (These software “bridges” between blockchains often contain weak links that allow hackers to steal funds). At the time, the haul was worth more than $300 million, making it one of the larger crypto heists of the year. Eventually the hacker deposited the funds in a crypto wallet provided by Oasis, a developer of front-end software that makes it easier for users to engage in DeFi (Oasis was in no way implicated in the hack). The wallet was billed as non-custodial, meaning the user controls the funds with cryptographic keys. But there were caveats. Like many DeFi developers, Oasis built a multi-signature override — basically a back door that requires multiple private keys to open — into its software. This would let the company intervene in case the software got hacked and it needed to undo the damage, according to the lawyer for Oasis, Ann Sofie Cloots. A group of white hat hackers discovered the back door, and that it could be used to take the hacker’s funds away, she said. The white hats alerted Oasis earlier this month, and the court ordered that the back door be exploited. In a series of transactions that began on Tuesday, it was. Crypto media company Blockworks took note of the unusual transactions and described their mechanics in a research note published on Friday. This was followed by a statement from Oasis revealing the court order. The episode illustrates the gap between the vision of DeFi purists and the messy reality of DeFi activity today, which often relies on centralized service providers whose software contains both bugs and intentional back doors. Even a hacker sophisticated enough to pull off one of the largest crypto heists on record was unable to steer clear of these traps. And even when back doors are built on purpose to thwart crime, they are controversial — the subject of long-running fights about digital governance that extend beyond crypto. For years, governments have sought to mandate back doors into encrypted digital communications tools — like WhatsApp — citing the need to gather intelligence and fight crime. Civil society groups like Human Rights Watch have pushed back, citing privacy concerns. Meanwhile, federal law enforcement officials in the U.S. have successfully clawed back stolen crypto funds on several occasions, though their exact methods are often unknown. In cases when a special back door is not available, participants in crypto networks can still band together to reverse illicit transactions. Most famously, a majority of the Ethereum network agreed to reverse a theft of stolen funds in 2016. But that decision prompted heated debate among its users and a schism in the network when a rump group of crypto purists refused to recognize the reversal. So, while a company might normally celebrate its role in helping to restore hundreds of millions of dollars in funds to their rightful owners, Oasis is instead emphasizing that it had no other choice. “There’s no way for a UK entity to just say we’re going to ignore a court order,” Cloots told DFD. “It wasn’t a pleasant situation for our team to be in.”
|
Comments
Post a Comment