By now, most of you will probably have heard of the biggest cryptocurrency hack of all time: The Poly Network Hack. $610-million-worth of cryptocurrency just whisked away by some hacker. I’m sure you’ve also heard that the hacker has given almost all of the money back. (He hasn’t.) What’s not being talked about much though, probably because of the sheer size of the hack and its surrounding drama, is: Does this mean cryptocurrencies and blockchains are insecure? The short answer is no. The long answer is… the rest of this article.
How to lose $610 million
Poly Network isn’t a blockchain or a cryptocurrency. It’s an inter-blockchain protocol that facilitates transactions between multiple blockchains. And that’s exactly what the hacker exploited: not the blockchains or any of the cryptocurrencies involved, but the inter-blockchain protocol. So if, say, Bitcoin and Ethereum were supported by the Poly Network protocol, then the hacker stole Bitcoin and Ethereum not by hacking Bitcoin or Ethereum, but by hacking Poly Network. It’s the difference between stealing your wallet out of your own pocket, and stealing your wallet out of your friend’s pocket after you trusted him to hold onto it for you. The problem isn’t Bitcoin or Ethereum, or even blockchain technology. The problem is trusting your Bitcoins and Ether to some inter-blockchain protocol that just might get hacked.
Most of the top blockchains and cryptocurrencies are well designed technologies tried-and-tested over many years. Bitcoin has been around for 12 years and 7 months. The one and only time it ever got hacked (and fully recovered without any financial losses) was 11 years ago. Meanwhile, Poly Network turned 1 year old just yesterday, got hacked for $610 million last week, and the most they could do was hope the hacker would give the money back.
But that’s not even what’s really wrong with Poly Network and inter-blockchain protocols. The real problem is: there is no single source of truth.
Everybody’s telling the truth (really)
When you’ve got inter-blockchain transactions between, say, Bitcoin and Ethereum, then you’ve got two halves of the transaction recorded on two different blockchains. It’s exactly the same as one transaction being split into two halves recorded on two ledgers.
So let’s say you’ve got some Bitcoins you want to sell in exchange for Ether. Let’s say the value of 10 Bitcoins is equivalent to 50 Ether. You send your 10 Bitcoins off to some inter-blockchain protocol like Poly Network to handle the transaction, and Poly Network writes in the Bitcoin blockchain (Bitcoin’s ledger) that: Kuma loses 10 Bitcoins. Over on the Ethereum blockchain (ledger), Poly Network writes the following: Kuma gains 50 Ether. Everything is fine and dandy, you’ve got your 50 Ether, and we’ve got two sources of truth now. Hurray!
ฅ^•ᴥ•^ฅ: Hurraaayyy!
But what happens when what gets written on the Bitcoin blockchain is Kuma loses 10 Bitcoins and what gets written on the Ethereum blockchain is Lambert gains 50 Ether?
ʕ ಠ ᴥಠ ʔ: Not hurray.
Exactly.
ʕ·ᴥ·ʔ: And there’s nothing I can do about it, huh?
Nope, nothing at all! Because both blockchains are the sources of truth! As far as the truth is concerned, you just spent 10 Bitcoins to give me 50 Ether.
ʕ·ᴥ·ʔ: …Fudge.
You mean: “no fudge”.
See, when all of your transactions are recorded on just one blockchain, there is no way to fudge the numbers. Everything is recorded and verified on the one blockchain, the single source of truth. Once you try to make a transaction outside of that blockchain, then you’re on your own, without the blockchain’s security measures in place. For example (or rather several examples), our simple transaction of 10 Bitcoins for 50 Ether could easily be recorded these other ways:
| On the Bitcoin blockchain | On the Ethereum blockchain |
|---|---|
| Kuma loses 10 Bitcoins | Kuma gains 100 Ether |
| Kuma loses 10 Bitcoins | Kuma gains 1 Ether |
| Kuma loses 10 Bitcoins | Kuma gains 1 Dogecoin |
| Kuma loses 10 Bitcoins | Lambert gains 100 Ether and 1 million Dogecoin |
| Kuma loses 10 Bitcoins |
ʕ·ᴥ·ʔ: Hey, that last one is empty.
EXACTLY!
ʕ • ᴥ • ʔ: …Oh.
Hold on, I’m not done!
| On the Bitcoin blockchain | On the Ethereum blockchain |
|---|---|
| Kuma loses 1 Bitcoin | Kuma gains 50 Ether |
| Kuma gains 50 Ether | |
| Kuma loses 10 Bitcoins, then gains 10 Bitcoins | Kuma gains 50 Ether |
| Kuma loses 10 Bitcoins, then gains 100 Bitcoins | Kuma gains 50 Ether |
| Kuma loses 10 Bitcoins, then gains 10 Bitcoins | Kuma gains 50 Ether, then loses 50 Ether |
And so many other possibilities and combinations, all because there is no single source of truth.
Use it the way it was designed
Reading Satoshi Nakamoto’s Bitcoin whitepaper, I think it’s safe to say that blockchains weren’t designed to intermingle. Heck, I’d go so far as to say there weren’t even supposed to be multiple blockchains for the same purpose, like storing and transferring money. The way I see it, Bitcoin was designed to be the blockchain for money. Whether there should have been or should be other blockchains for other purposes, that’s debatable. But it’s pretty clear to me that “the blockchain” was designed to be “the one and only blockchain for money”. Now we’ve gone and expanded that into thousands of different blockchains for money. It’s like trying to keep track of the world’s finances with thousands of different ledgers using thousands of different sets of accounting rules, instead of one single ledger using one single set of rules that everybody adheres to.
Bitcoin’s transaction rules, for example, are very simple:
- The sender must cryptographically sign a transaction to the receiver
- The sender must have enough Bitcoins for the transaction
That’s it. Zero trust involved because only the sender has the cryptographic keys to sign the transaction. No keys or not enough funds, no transaction. No transaction, nothing for the sender.
Ethereum’s transaction rules are exactly the same, just as simple as above. But if you have Bitcoin and Ethereum intermignling with each other for a transaction, the rules get complicated real fast:
- The Bitcoin sender must cryptographically sign a Bitcoin transaction to the inter-blockchain intermediary
- The Bitcoin sender must have enough Bitcoins for the transaction
- The inter-blockchain intermediary must receive the Bitcoins from the Bitcoin sender
- The inter-blockchain intermediary must cryptographically sign an Ethereum transaction to the Ethereum receiver
- The inter-blockchain intermediary must have enough Ether for the transaction
- The signed Ethereum transaction must correspond to the signed Bitcoin transaction
So now, all of a sudden, both the Bitcoin sender and the Ethereum receiver have to trust an intermediary to not run off with their money.
Not only that, but there are three different sets of rules involved in the transaction: the rules of the Bitcoin blockchain, the rules of the Ethereum blockchain, and the rules of the inter-blockchain intermediary. What if the rules of the inter-blockchain intermediary are flawed? Well, that’s how you get the Poly Network hack. The Poly Network was the inter-blockchain intermediary with a flawed ruleset that allowed a hacker to take $610 million of other people’s money.
And all of this is assuming the two blockchains involved in the transaction are as functionally sound and widely supported as Bitcoin and Ethereum. What if the inter-blockchain transaction is between the Bitcoin blockchain and… Dogecoin? What’s stopping the guys who developed Dogecoin as a joke from printing billions and billions of newly minted Dogecoins, sending all of them to an inter-blockchain intermediary, and receiving very scarce and highly valuable Bitcoins in exchange?
ʕ·ᴥ·ʔ: I’ll take a guess: Uh, nothing!
Right, not a thing.
So the sender and the receiver not only have to play by the rules of the intermediary, but they also have to play by the rules of each other’s blockchains. And, let me tell ya’: not all blockchains play fair.
From decentralized finance to… centralized finance?
Not every blockchain is decentralized like Bitcoin, Ethereum, or even Dogecoin (yes, Dogecoin is surprisingly decentralized). Some blockchains and cryptocurrencies are highly centralized, controlled by a small group of people, like a single company. What if you successfully performed an inter-blockchain transaction spending a decentralized cryptocurrency in order to buy a centralized cryptocurrency? The danger’s over and nothing bad could possibly happen, right? Well, the Poly Network hacker knows the answer to that.
As we all know, the Poly Network hacker stole $610-million-worth of cryptocurrency. It turns out that $33 million of that was in the form of the centralized US-dollar-pegged cryptocurrency, Tether (Ticker: USDT). The Tether cryptocurrency is centrally developed, backed, and managed by the private company Tether Limited. They key word there is “managed”. They manage the Tether cryptocurrency. They have all the power over it. And wielding that power, what do you think they did with it when they found out that the biggest cryptocurrency hack of all time included $33 million of Tether?
ʕ·ᴥ·ʔ: They exercised that power?
Indeed, they did. They froze that $33 million. To this day, it remains frozen, with Poly Network waiting for Tether Limited to find some way to give it back to them, and the hacker essentially begging them to unfreeze it.
ʕ⚆ᴥ⚆ʔ: Haha! Noob!
Yep, he’s real professional, alright.
Going back to Tether, it’s a cryptocurrency that a small group of people have total control over. They can freeze anyone’s assets in that cryptocurrency whenever they like. Yet, somehow, we’re exchanging a decentralized, trustless, peer-to-peer cryptocurrency like Bitcoin for that. Letting Bitcoins be exchanged for Tethers, and therefore tying Bitcoin’s value to Tether’s, can’t be healthy for Bitcoin. And that brings us to the ultimate problem with how we’re using blockchain and cryptocurrency wrong.
Buying gold with manure
With the growing trend of inter-blockchain transactions, with one blockchain exchanging value with another blockchain, we are tainting good assets with bad assets. We are letting centralized cryptocurrencies influence the market value of decentralized ones. We are treating joke coins like Dogecoin as serious commodities that can buy Bitcoin.
Bitcoin can replace fiat currency; it can replace even the US dollar. I used to be of the opinion that it will one day replace all government-backed money in the future. Now, I’m not so sure, because we’re increasingly tying its market value to cryptocurrencies that aren’t meant to be digital money.
Ethereum was meant to be a decentralized computer. Dogecoin was meant to be a joke poking fun at the ridiculously inflated prices of cryptocurrencies way back in 2013. (Even back then, prices were crazy.) And Tether, well, Tether claims to be a non-volatile, dollar-backed cryptocurrency (a claim I don’t buy one bit, for many reasons). And then there are the over-6,000 other “altcoins” that can be exchanged for Bitcoin. Some of these are good cryptocurrencies, however many of them aren’t meant to be mediums of exchange, and most of them are downright crap.
ʕ·ᴥ·ʔ: I think the word you’re looking for is: “shitcoins”.
Yes, most of them are shitcoins. They are not “digital gold” or “digital cash”. They are not “mediums of exchange”, “valuable goods”, or “global computers”. Most of them are lesser copies of Bitcoin or Ethereum. Very, very few of them are of any use or bring value to the world. And yet, somehow, they have a combined market cap of $600 billion, three times New Zealand’s GDP. With Bitcoin’s market cap at $830 billion, and Ethereum’s at $350 billion, that is a lot of shit that can influence the value of digital gold and global computing.
We need to set some boundaries in decentralized finance.
Well, it’s certainly been an interesting week. What with the biggest cryptocurrency hack ever, Poly Network trying to sweet talk the hacker, the hacker probably getting identified and frantically trying to pretend like he’s a white hat, but still trying to hold onto several million dollars he stole. Oh, there was also something about the US pulling out of Afghanistan. Yes, we live in interesting times. And, if you’d like a helping hand to guide you through this perilous technological age, consider subscribing. I write an article a month, and subscribers get notified of those and nothing else. Just drop your email address down below or subscribe to my RSS feed linked to in the menu. I won’t sell your data, sell you ads, or even sell my crypto.