• shrugal@lemm.ee
    link
    fedilink
    English
    arrow-up
    109
    ·
    6 months ago

    Here is a more detailed explanation of the exploit.

    The Pepaire-Bueno brothers exploited a bug in MEV-boost’s code that allowed them to preview the content of blocks before they were officially delivered to validators, according to the indictment.

    The brothers created 16 Ethereum validators and targeted three specific traders who operated MEV bots, the indictment said. They used bait transactions to figure out how those bots traded, lured the bots to one of their validators which was validating a new block and basically tricked these bots into proposing certain transactions. […]

    So hardly an attack on any core system of cryptocurrencies.

    • survirtual@lemmy.world
      link
      fedilink
      English
      arrow-up
      45
      arrow-down
      15
      ·
      6 months ago

      So they discovered faulty code and made some money?

      Can anyone explain to me how this is illegal?

      The code is a contract. If someone writes bad code and loses money, then write better code - just like if someone writes a bad legal contract and loses money.

      The justice system is awful.

      • shrugal@lemm.ee
        link
        fedilink
        English
        arrow-up
        36
        ·
        edit-2
        6 months ago

        IANAL and all, but bad/unfavorable contracts and literal deception/fraud are two different things, at least in the legal system. Not everything that’s technically possible is also allowed, obviously.

        Compare it to using a security flaw to hack into a system. Technically you’re only using the official API, maybe in unusual ways, but still. But you’re doing it in bad faith and causing harm, maybe pretending to be someone you’re not or injecting fake data into the system, and that can make a difference.

        • survirtual@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          12
          ·
          6 months ago

          Hacking a private corporate system, which is generally on closed nets and requires an internal actor / phishing, is significantly different from exploiting a code fault on a public network.

          Trustless systems rely on mathematics to secure their networks. This is both the revolution of them and the risk. If you build a system of value and it is on a public network, and you fail to properly secure it, that is supposed to be the risk. You lose money, hopefully go bankrupt / lose credibility, and a more efficient actor eats your lunch.

          Treating it like a traditional system with these unspoken legal safeguards when it uses a public blockchain and public network is absurd.

          • shrugal@lemm.ee
            link
            fedilink
            English
            arrow-up
            7
            ·
            6 months ago

            What’s absurd is this crypto maximalist take.

            You can’t just make up your own permission and punishment system, and then expect the legal system to just step aside and let it handle all disputes, especially when it comes to fraud. That’s like founding your own city in an existing country, and declaring all existing law obsolete. I know some people think this is a real possibility, but the real world doesn’t work like that.

            • survirtual@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              3
              ·
              6 months ago

              The “real” world works however the people want it to.

              As it stands, it works with laws that protect the rich and elite with superior rights.

              Someday, maybe the people will decide on a more equitable system. Nature and mathematics might be heavy contributors to that system.

      • yetAnotherUser@feddit.de
        link
        fedilink
        English
        arrow-up
        29
        ·
        6 months ago

        You withdraw cash at an ATM but the software has faulty code which causes your balance to remain the same after withdrawing any amount.

        You notice this and then empty the entire ATM this way, making $200,000. I’m sure once you explain to the jury that the ATM just gave you a bad contract, they will acquit you.

      • blargerer@kbin.social
        link
        fedilink
        arrow-up
        30
        arrow-down
        1
        ·
        6 months ago

        This is like saying they discovered how to pick a lock so deserve everything in whats locked by it.

        • survirtual@lemmy.world
          link
          fedilink
          English
          arrow-up
          10
          arrow-down
          21
          ·
          6 months ago

          No.

          It is more like finding a gold mine on public BLM land. It is over treacherous mountains only experienced climbers can access. There are no signs or doors saying it is licensed to anyone; indeed, it isn’t officially registered with BLM. So the climbers go in and take as many gold nuggets as they can carry.

          Unbeknownst to them, it was a mine discovered by rich and connected people who have cronies in BLM. Rangers go and arrest the climbers and say that you aren’t allowed to climb, climbing is illegal, and taking gold from that mine is illegal because someone else found it and dug it, even though they didn’t properly secure it nor did they put up any signs. They assumed the mountain was enough protection.

          This is closer to the situation.

            • survirtual@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              ·
              6 months ago

              Do you know how BLM land works?

              If you find a valuable resource on it, you can register it and you get exclusive access to mine it.

              Look it up.

      • Blackmist@feddit.uk
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        Doesn’t sound a huge deal different to High Frequency Trading, and Wall Street nobheads fall over themselves to exploit that.

        • pedroapero
          link
          fedilink
          English
          arrow-up
          1
          ·
          6 months ago

          Sounds to me that the difference is they exploited a bug to get private information in order to game the bots.

    • treadful@lemmy.zip
      link
      fedilink
      English
      arrow-up
      21
      ·
      6 months ago

      Frustratingly vague for a Slashdot write-up.

      “These brothers allegedly committed a first-of-its-kind manipulation of the Ethereum blockchain by fraudulently gaining access to pending transactions, altering the movement of the electronic currency, and ultimately stealing $25 million in cryptocurrency from their victims,” said Special Agent in Charge Thomas Fattorusso of the IRS Criminal Investigation (IRS-CI) New York Field Office.

      Good to know the prosecutors have an understanding of what they’re prosecuting… Not even a single mention of MEV in the DoJ press release.

      • Kazumara@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        by fraudulently gaining access to pending transactions

        That makes no sense to me. The mempool is public, everyone can see pending transactions.

        • treadful@lemmy.zip
          link
          fedilink
          English
          arrow-up
          1
          ·
          6 months ago

          Because it’s not the public mempool. It’s a private MEV mempool that people pay to add their transactions to for special priority or conditional inclusion. For instance, asshole profiteers can use it to sandwich attack traders to siphon off “market inefficiencies” or some people just want immediate front of the line inclusion in the next block.

          Presumably they exploited something in this MEV system (completely unrelated to the Ethereum protocol) that allowed them to see the pool and they shouldn’t have. Wish I knew more but everything I read was incredibly vague and misleading.

          • Kazumara@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            1
            ·
            6 months ago

            It’s a private MEV mempool

            Are you sure there is such a thing? My understanding was that they just submit their sandwich transactions to the mempool with higher and lower gas respectively to achieve their desired priority ranking. Could be wrong though.

            • treadful@lemmy.zip
              link
              fedilink
              English
              arrow-up
              2
              ·
              6 months ago

              I’m sure, yes. If you submit to a public mempool, you have no guarantees that your two transactions will land on either side of the target transaction in the same block (They likely won’t). You need to leverage conditional transactions with MEV so you guarantee the miner will select and position your transactions where you need them. In this case, before and after the target transaction.

              Check out the Ethereum Foundation’s page on MEV for more info.

              • Kazumara@discuss.tchncs.de
                link
                fedilink
                English
                arrow-up
                1
                ·
                6 months ago

                Wow, thanks for the link. It seems things have gotten a lot more complicated with PoS. I didn’t even know about PBS. I haven’t been following along properly.

      • bartolomeo@suppo.fi
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        What’s funny is that that’s a description of MEV.

        gaining access to pending transactions, altering the movement of the electronic currency, and ultimately stealing $25 million in cryptocurrency from their victim

        I skipped “fraudulent” because neither MEV bots nor this attack can be called fraudulent imo, although MEV is definitely taking value one didn’t help create.

  • hark@lemmy.world
    link
    fedilink
    English
    arrow-up
    38
    arrow-down
    2
    ·
    6 months ago

    This is a prime example of why the “code is law” selling point for smart contracts is a disaster waiting to happen. Proponents claim you won’t need lawyers, arbitrators, courts, etc, but in reality you’ll need all those and on top of that programmers to write and verify smart contracts.

    • mPony@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      6 months ago

      “code is law” can become “might makes right” without oversight. Those who lobby against oversight are a problem.

  • ShittyBeatlesFCPres@lemmy.world
    link
    fedilink
    English
    arrow-up
    33
    arrow-down
    8
    ·
    6 months ago

    US Attorney Damian Williams said the scheme was so sophisticated that it “calls the very integrity of the blockchain into question.”

    If that’s actually true, they should be given a sentence of time served and a job writing useful software.

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    27
    arrow-down
    2
    ·
    edit-2
    6 months ago

    It is wrong to criminalize him. He found a bug and got a reward. Bring him in to fix the bug and to make it better. If you start scaring away people hunting for bugs and exploits for fun you will end up being exploited by a much nastier adversary

    Edit: I did more research and it seems like there was some questionable actions such as creating a bunch of fake shell companies and crypto exchanges. This wasn’t a “bug” as the title is clickbait.

    • A_Random_Idiot@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      6 months ago

      Its all imagination and pixie dust anyway.

      Like trying to arrest someone for theft cause they took a jar of sand home, and some delusional lunatic goes “OMG YOU CANT TAKE THAT, THATS MONEY, EACH GRAIN IS WORTH 80,000 DOLLARS!”

  • 0nekoneko7@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    12
    ·
    6 months ago

    “Each brother faces “a maximum penalty of 20 years in prison for each count,” the DOJ said.” 😬 They will be going in for a long time.

    Thomas Fattorusso of the IRS Criminal Investigation (IRS-CI) New York Field Office, said that investigators “simply followed the money.” 🔎💸

  • Imgonnatrythis@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    12
    ·
    6 months ago

    Whoa. A slashdot link? Remember when that wasn’t a cesspool, but it’s been awhile. For an ars technica summary this was extremely disappointing with regards to details.

    My only take away here is that we really should make H.E.B (highly educated brothers) a part of the vernacular.

  • General_Effort@lemmy.world
    link
    fedilink
    English
    arrow-up
    12
    ·
    edit-2
    6 months ago

    I’ll try a simple explanation of what this is about, cause this is hilarious. It’s the kind of understated humor, you get in a good british comedy.

    For a payment system you must store who owns how much and how the owners transfer the currency. Easy-peasy. A simple office PC can handle that faster and cheaper than a blockchain. But what if the owner of the PC decides to manipulate the records? No problem, you just go to the police with your own records and receipts and they go to jail for fraud. Their belongings are sold off to pay you damages. That’s how these things have worked since forever. It’s how businesses keep track of their debts.

    Just one little problem: What if the government wants your money. Maybe you don’t want to pay your taxes, or some fine. Or maybe you have debts you don’t want to pay, like your alimony. Perhaps the government wants to seize the proceeds from a drug deal. They can just go to the record keeper and force them to transfer currency.

    This is where cryptocurrencies come to the rescue (as it were). There are different schemes. ETH (Ethereum) uses validators. The validators are paid to take care of the record-keeping. The trick is, that you have to put down ETH as a collateral (called staking) to run a validator. If you manipulate the record/blockchain, then the other validators will notice and raise the alarm. That results in you losing your collateral.

    This means the validators can remain anonymous. You don’t need to know their identities to punish them for fraud. You just take their crypto-money. They need to remain anonymous so that the government (or the mob) can’t get to them.

    This is where it gets hilarious. These 2 brothers operated fraudulent validators. The stake/the collateral didn’t matter at all. The whole scheme didn’t matter. It was a horrible waste of money and effort. The indictment even details how they tried to launder the crypto. That is, how they tried to transfer it, so that it couldn’t be traced on the blockchain. The indictment even has the search queries they used to look up the info on how to do that.

    The whole point of it all is that you supposedly do not need the government to prosecute anyone. If validators are kept honest by the threat of criminal prosecution, then you do not need the whole Proof of Stake scheme. You do not need the whole expensive overhead.

    The only rational reason for crypto to exist, is to avoid laws; buying drugs and what not. I’m not judging. The hilarious fact is that the law knew everything about these guys.

    It’s all a sham. The one thing that crypto is supposed to do: Foil the government. And it doesn’t work.


    When people want to buy crypto on the blockchain, they put out a request so that a validator will execute that transaction and record it on the blockchain. So, while the request is waiting, a bot comes along and scans it. It may be that a purchase changes the exchange value of a currency. In that case, the bot adds 2 more transactions. First, to buy that currency before the original request, and to sell it afterward. The original request drives up the price in between the buy and sell, so that the bot makes a profit for its operator. The original request has to pay a little extra. That’s where the profit comes from.

    Sound shady? I hope not, because that’s what the victims did.

    The accused operated their own validators. At the right time, they put out their own buy request to lure in a bot. When the bot proposed the bundled transactions, their validators feigned acceptance. But then switched out the lure transaction of buying for selling.

    The indictment makes a fairly good argument. It’s like there is a “contract” between these automatic systems. The trading bot wants the bundled transactions to be carried out exactly so. The validator feigns agreement, but does not follow through.

    • Wrench@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      6 months ago

      That sounds a lot like what I understood how etrade platforms like Robinhood work when I was reading up on the GME shorts fiasco.

      I definitely only have a surface level understanding of it, but it sounded like the stock brokers have a buffer in-between the transaction request to buy/sell, and they first try to handle that locally within their portfolio, before expanding to external trades. And if there’s a favorable internal trade, brokers like Robinhood siphon out a little something something for themselves.

      Sounds like people are getting busted for doing essentially the same thing Wallstreet has been doing for decades. Again.

      • General_Effort@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        It reminded me of high-frequency trading.


        Mind, the people who do that are the victims here!

        I didn’t explain how exactly they were harmed. It’s actually kinda funny, too.

        It costs virtually nothing to create crypto-tokens. So that’s what people do. Do some wash trades, slip some money to influencers to hype their new token as the next big thing, then offload the whole supply and run with the money. The “investors” quickly discover that these tokens are only good for one thing: To sell to a greater fool. At that point, there are no more buyers.

        The accused obtained such useless tokens. The indictment doesn’t say how. I guess they simply bought it for next to nothing.

        Effectively, they tricked the victims’ bots into buying these tokens at face value. The victims were left with crypto supposedly worth $25 million but in reality unsellable. If this was stealing $25 million, then I wonder about the legality of selling these crypto tokens in the first place.

        Eventually, all crypto is like that. Some cryptocurrencies are used as payment systems, but eventually something better must come along. Then that currency becomes unsellable. Someone must always be left holding the bag, as it is said in crypto circles.

        I think they are guilty of fraud. But I do wonder: If we are to accept that leaving someone with worthless crypto is equal to stealing money, what does that mean for the legality of crypto as a whole?

    • podperson@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      6 months ago

      Man - that comma in the second sentence murdered my brain. Excellent synopsis though.

  • Shurimal@kbin.social
    link
    fedilink
    arrow-up
    16
    arrow-down
    5
    ·
    6 months ago

    Nice! Too bad they got caught, though.

    No sympathy for cryptobros and trading bots.

  • vrighter@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    3
    ·
    6 months ago

    not stole. Were given.

    If code is law, then they just found the right way to ask. And the code gave the money to them, because they asked nicely.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      6 months ago

      The article leaves out information. Basically they set up fake crypto exchanges and committed fraud

    • bbuez@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      6 months ago

      charged with conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering

      It seems that they went to great depth to make this happen