Flash-loan attacks, also LegalEagle on crypto

If you type “flash” into the search box on good ol’ Web3 Is Going Just Great, it’s very likely that you’ll get a lot of hits; at the moment there are nearly a dozen just in the last two months.

I haven’t studied these all in detail, but I think I can outline a representative flash-loan attack in enough detail and generality to be instructive and/or amusing.

Consider this small recipe, embodied as a piece of code:

1. For a small fee, borrow a jillion FooCoins for a very small period of time, like the time that this program will take to run.
2. Use those FooCoins to purchase 51% of the FooAdmin coins that determine who gets to vote on actions of the FooDAO (Distributed Autonomous Organization).
3. Having control of the FooDAO, transfer all of the five-jillion FooCoins owned by the DAO to yourself.
4. Sell the FooAdmin coins purchased in (2), for some amount of FooCoins, probably less than a jillion, maybe zero, I’m not clear on this part, see below.
5. Pay back the jillion FooCoins borrowed in (1).
6. Make off with a net profit of four-jillion FooCoins, minus the small fee in (1), plus the possible proceeds from selling the empty husk in (4).

One interesting fact about this is that every step appears to be using some feature of the overall system exactly as it was intended to be used: there are no stolen passwords, no impersonation, no stack overflows. Prosecutions or lawsuits seem relatively unlikely; it would be interesting to see how one goes!

Another interesting fact about this is that it’s basically the way that Mitt Romney and other “Vulture Capitalists” got rich: find a company whose assets are worth more than it would take to buy the company, get a loan, buy the company, sell off the assets, pay off the loan, and profit, leaving an empty husk of a company behind.

Only it’s much, much faster.

People have talked about various ways to keep these things from working:

Flash loans seem bizarre; I don’t know what non-nefarious uses they have. On the other hand, since they are really just programs, it’s unclear how (especially in the Free and Decentralized Web3 World) one would prevent people from creating them, in order to profit by supplying services to even nefarious uses.

It’s also not clear to me that the DAO administrative coins should just be sitting around for sale to anyone with enough money; given what they do, perhaps one would like actual human judgment involved. On the other hand, that also goes against the basic Code Is Law And Everything Is For Sale principles of Web3.

Perhaps, even if flash loans have to be allowed and buying DAO administrative coins has to be allowed, maybe they shouldn’t be allowed to intersect. In the traditional market, you aren’t supposed to buy big things like cars and houses (and down-payments on loans) using borrowed money, to prevent this sort of privilege-amplification via cash. That seems like it would be hard to enforce without significant additions to the relevant protocols; like, a FooCoin would have to remember that it’s borrowed and will need to be paid back, and who wants to clutter up the free simple Web3 world with stuff like that?

Perhaps someone should have to have owned a DAO administrative coin for more than a millisecond before they can vote the share that it represents. A few days maybe even. I think this is being seriously considered by some DAOists. (Haha “DAOists”; have you read “The Confessions of a Taoist on Wall Street”? Good book, long predating cryptocurrencies.)

Perhaps in general FooDAO shouldn’t own more FooCoins than the value of 51% of the FooAdmin coins that exist. But, as with the traditional companies, it’s not all that unusual for a company to own more assets than the company (or just a controlling interest in it) would cost, it just means that they’ve been accumulating stuff to use to make money by doing whatever the company is in business to do, but haven’t made that money yet. And in the area of DAOs, it’s not clear to me whether it’s perhaps possible to get enough by reselling the husk in step (4) that this isn’t actually necessary anyway. Also there are “liquidity pools” that I should read about sometime.

This here above is a specific type of flash loan attack; the most impressive and amusing kind that I know of. More generally, there are various kinds of flash loans where someone pays a small fee to acquire a jillion FooCoins, uses those FooCoins to play fun lucrative tricks in the market (all the more feasible where liquidity is low, things are generally unstable, unregulated, etc), and then pays back the loan with a fraction of the resulting booty.

So that’s that Fun Idea o’ the Day! :)

Relatedly, the very interesting Legal Eagle YouTube channel / person / lawyer recently had a (what do you call them?) thing called “NFTs are legally problematic“, all about how NFTs are legally problematic, for reasons including the contract and copyright things that we wondered about back in previous posts here in the weblog, and benefiting from actual real legal concepts like “privity of contract”, which says that a contract can’t confer rights or impose obligations on anyone who hasn’t signed it (and which leads us to wonder for instance how someone who uses Opensea to buy some NFT that I’ve put up for sale, can acquire any rights in that, since I’ve never heard of them, let alone signed a contract with them; I dunno).

Anyone interested in the vaguely-legal NFT stuff that I’ve talked about here will probably be interested in that Legal Eagle video. There’s another one, also by Legal Eagle, about the usefulness (or otherwise) of NFTs for creators, and it’s over on Nebula and/or CuriosityStream; here is a link that probably requires some kind of membership in something.

I don’t entirely understand Nebula and/or CuriosityStream (including, clearly, being able to tell them apart), but there seem to be various interesting videos (that’s the word: videos!) on it/them, and various people that I like to listen to (including Legal Eagle and Jordan Herrod I think it is) talk about it/them and seem to be somehow involved, so that’s cool.

I wanted to write about something else, what was it? Oh, right, the objectivity or otherwise of God-based moral systems. That sounds like a different post :) so maybe later.

Trying to be fair to web3

I have, obviously, said a number of skeptical (or sceptical, what’s up with that?) things about NFTs and blockchains and The Metaverse, and cryptocurrency and “web3” in general. Including pointing out with some evil glee the extent to which web3 is going just great.

Recently Daniel Ritchie, who is apparently a friend of Grady Booch, wrote a piece decrying how negative people have been about web3, and basically imploring such people to give it a chance: Web3 has an Identity Problem. It’s short; I urge you to read it and reflect upon what it says.

I replied to the Twitter post that announced it, and this led to a little tree of discussion with the author, in which I expressed a desire for examples of web3 things that are actually good / interesting / exciting, and the author urged me to look at the ones listed in their piece (and not be so negative about them).

I also wrote a brief answer to my own question (of whether anything in the web3 space is new or useful), viz:

To answer my own question: if web3 means that a neglected content creator can get more eyes on their work by pointing NFTs at it while NFTs are still hot, that's great. (Although a way that's less expensive in gas fees and energy waste would be better!)

— Dale Innis 🙏 (@DaleInnis) March 23, 2022

Just wanted to get that down, so as not to seem like a total old grump. :)

I thought it might be interesting to go through the dozen or so things that are listed in the article; as the underlying claim is that critics of web3 are ignoring things like those on this list, consciously not ignoring them can only make our ideas about web3 more accurate. But as I started to do that, it became apparent that talking about all dozen of them would make a long and likely tedious post.

So I’ll urge you again to look at them all yourself, but for now I’ll talk about just one that specifically caught my eye: “proof of humanity”, which is a link to proofofhumanity.id. I looked it over and found the idea both unworkable, and terrifyingly dystopian. The idea is that there would be a distributed blockchain-based system that would maintain a list of (blockchain addresses associated with) actual living humans, with mechanisms for people to challenge each other’s humanity or livingness, ways to prove that you are (still) human/alive, and so on.

If this were to be actually used for something that matters, the Black Mirror episode is obvious: in some sort of straits, the protagonist attempts to obtain help, only to find that someone has challenged their humanity, and they have to find a video camera and a recent blockchain hash, so that they can satisfy the network that they are still human and alive. Meanwhile, bad guys have bribed a few registered humans to vouch for the humanity of a few bots, which have vouched for more bots, and the percentage of actual humans in the official list of humans is slowly sinking, and all the big state-level actors can basically put the humanity of any dissenter into perpetual limbo, while running a network of certified-human bots and minions for their own ends.

When I expressed these worries, Daniel Ritchie linked me to an episode of the Green Pill podcast, which is an interview with the person behind Proof of Humanity. (“greenpilling” is another term on his list, referring to this podcast, and it looks like this same podcast person coined at least one more term on the list, “regenerative cryptoeconomics”; small world!)

Despite my personal dislike of podcasts (can’t I get a transcript?), I listened to the episode, and it did not address my dystopian worries at all. It also added a bunch of new worries about the “$UBI token” which is automatically given (one per hour) to everyone currently officially recognized as a human.

It seems obvious to me that a small private group isn’t going to provide the world’s humans with a Universal Basic Income by just minting electronic coins with no backing (talk about “fiat currency”), and sending them out to everyone; indeed the current value of $UBI is about $US0.04, so that’s four cents an hour, which I would imagine is completely dominated by transaction costs in any realistic scenario.

Now of course this is just me being negative again! Giving every human on the planet a regular income is a great idea, and maybe they will figure out a way to in fact make it work! Why should I assume that they won’t? The intent is good, even if the impact is not-yet.

(The “that’s a nice thing to want to do” feeling points to something that shows up a lot in the listed projects: web3 projects that want to do nice things, that have salutary intent, but that so far have not actually produced good results, or in many cases even suggested plausible mechanisms through which good results might eventually be obtained.)

My best answer to that, I think, is that the probability of this working seems really, really low, and the time and effort being put into it could be instead put into things with a higher success chance. Of course, what do I know?

The currency of the United States used to be based on gold, which is pretty and useful and limited in supply, and so in some sense has inherent value; even if people stopped caring about dollars, you could get gold from the government for them, and make gold things. Now it’s based on the US government promising that it has and will continue to have value, paying people in it and accepting only it for tax and other payments, and so on. That is a kind of value that is perhaps less inherent; US persons, at least, will not stop caring about dollars at least a bit, because they will need some to pay their taxes (and get government payments in it, and etc).

What would it take to get $UBI to work as a currency, without its value going to zero in the obvious way? Some institution or billionaire could promise to honor it at some minimum exchange rate with US$ or gold or something, but that’s not very scalable. (This is what “stablecoins” do for say Bitcoin, but that works only due to massive fraud.) What if everyone, for some large value of “everyone”, just liked it, as an idea, and the minter behaved and continued to mint and distribute only an amount per person-hour that roughly reflected the amount of actual value produced per person-hour? Could it continue to be accepted by everyone, just because it’s accepted by everyone?

This sounds like a risky thing to base a universal currency on :) but I should read more advanced theory of currency before I decide that it’s infeasible.

It does bother me that the website and podcast and so on don’t at all address the obvious potential problems of using a big complex distributed system to decide whether people are human, how the system could be abused, and so on. This does not in general give me big faith that they’ve thought through everything else thoroughly.

Arguably the world just needs a balance between “it’s a good idea and maybe it can be made to work somehow” optimists, and “it may be a good idea, but I see no way it can work” skeptics, and Daniel is the former and I am the latter, and that’s fine, all is working as designed. I worry, though, about the number of people who get hooked on the optimistic statements, and end up losing tons of money to bad actors, the amounts of energy that crypto is wasting, etc. If there were no downsides to web3-optimism, I might well not bother being a vocal skeptic. But as it is… well, there are definitely downsides!