News: Hester Peirce and Bruce Springsteen, the $350,000 DeFi hack, FCoin exchange collapse, Voatz still bad, IOTA still broken, merchants still nonexistent

  • Science Museum on Friday 21 February! Tickets are already sold out, but maybe you’ll get lucky … [Science Museum]
  • Off to Vancouver on Saturday! Don’t expect posts in the next week or so …


It has been [0] days since the last inexplicably rare loss of customer funds from a Bitcoin exchange

FCoin is a crypto exchange that launched in May 2018 with an exciting new shell game business model — “trans-fee mining.” Traders get back their transaction fees in FCoin Tokens (FT), which live on FCoin and can be traded.

So transactions are “free” — in the sense that you pay real coins for transaction fees, and get loyalty points entered into an on-exchange database. [FCoin white paper, PDF]

What does FCoin get out of it? Lots of trading volume! They make buckets of money in transaction fee income, and FCoin ranks higher on the exchange listing sites.

FCoin shut down for “two hours” maintenance on 10 February. [blog post] They then discovered “a system loophole that could cause risk control problems.” [blog post] Then this dire announcement: [blog post]

Due to the losing contact of key personnel in the team and severe damage to some systems and data, it was impossible to recover in a timely manner as planned. We are looking for ways to rebuild the system and restore data. The subsequent restoration progress and estimated time are subject to future announcements.

The FT token database — remember that this is an on-exchange token, not a token on any sort of public blockchain — had apparently been deleted. Initial rumours were that this had been sabotage by a disgruntled employee. [Twitter, archive]

There’s between 7,000 and 13,000 bitcoins of user funds missing too.

FCoin founder Jian Zhang has written a blog post explaining his view of events. [Blog post, official translation]

By mid-2018, FT’s price had crashed, upsetting the users. Jian Zhang started using company funds — and his own funds — to buy back FTs, and support the price. FCoin’s token economics had been flagged as obvious nonsense almost immediately — but it seems they really believed in the model, to the point of shoring it up themselves.

But some users had exploited bugs in FCoin’s back-end FT systems to get more dividends. FCoin was too busy making buckets of money on transaction fees to look into it — and didn’t set up proper accounting for another year.

So the buyback was draining company funds, and the FCoin team’s own funds. FCoin had also commingled company funds (their own money) and user funds (other people’s money).

Jian Zhang was the guy who burnt all the FT tokens — or, in normal parlance, just deleted the entries from his company’s loyalty token database. This doesn’t explain the missing bitcoins, you’ll note.

The exchange is still shut — and users wanting to withdraw their funds must apply by email. I’m still waiting for a verified report of anyone getting their funds back. [blog post]

Don’t count on getting your money back soon — it seems most of the contents of FCoin’s Bitcoin addresses was moved to … other exchanges. [Crypto Markets News]

Hester Peirce, rock critic

SEC commissioner Hester Peirce’s ICO “safe harbor” plan has not had a tremendously positive response. Peirce has posted to CoinDesk asking for suggestions on improvements. [Peirce]

Preston Byrne — who is now writing his “Not Legal Advice” column at CoinDesk — has responded. He thinks her plan does nothing useful, and is best scrapped. [Byrne]

Some crypto promoters are outraged that Byrne was so rude as to call Peirce’s proposal “hilarious.” I’d suggest the first action to remedy this is not to put up a proposal that’s hilarious.

Peirce’s original speech proposing her ICO safe harbour started with a pop culture reference, to a Bruce Springsteen song — “State Trooper,” from Nebraska: [SEC speech]

“I got a clear conscience ‘bout things I done. Mister state trooper, please don’t stop me.” A sensible regulatory framework would have not prevented my pumping the gas rather than being stranded in the rainy dark of night.

The narrator of “State Trooper” — who Peirce is identifying with — is an unhinged killer on the run. He’s asking the trooper not to stop him, so he doesn’t have to kill the trooper too. It’s possible that letting the killer pass freely, so he can keep doing his thing, isn’t the right course of action. [“State Trooper”; lyrics]

“State Trooper” is also a tribute to Springsteen’s friends Suicide, a New York electronic punk band of some renown. “State Trooper” lifts from Suicide’s song “Frankie Teardrop” — about a factory worker who kills his family and himself, and goes to Hell. The last six minutes of the song, Frankie’s just lying in the crypto winter Hell, with occasional screams. [“Frankie Teardrop”; lyrics]

In her CoinDesk piece, Pierce has shifted her pop culture reference to Huey Lewis and the News — quoting “If This Is It,” a song about harassing a love interest who has already told the narrator to go away and who he knows is refusing his calls. He was just after regulatory clarity, you understand. [“If This Is It”; lyrics]

The lesson here is to keep quoting pop culture you didn’t check, because then at least there’ll be something to say about your bad proposals.


How to make $350,000 on DeFi in one convoluted transaction

Decentralised Finance — or DeFi — is a street corner shell game with thousands of shells, and you have to guess which shells the thousands of fractions of a pea are under. It lures in suckers by being so complicated they figure there must be something to it, to justify the double-digit interest rates.

bZx Fulcrum just got taken for $350,000 in ether — which they claimed was a “hack.” It wasn’t, quite. [Twitter]

The trick was to rig the price on one exchange, to win a margin bet on another exchange. It’s very like the manipulations that account for pretty much all Bitcoin price movements in the past year or so — but doing it at the speed of DeFi.

The trader chained a string of actions together in a particular way so as to squeeze money from the DeFi ecosystem. The exploit used a flash loan — which lets a trader borrow and then return funds in a very short window.

  • Flash-borrow 10,000 ETH from DeFi provider dYdX.
  • Send 5,000 ETH to Compound (another DeFi protocol), and 5,000 ETH to bZx.
  • Short-sell WBTC — Ethereum ERC-20 tokens, each representing a bitcoin — on bZx, and also quickly borrow 112 WBTC on Compound.
  • Sell the borrowed WBTC on Uniswap.
  • bZx was taking its price for WBTC from Uniswap — bZx has denied this, but everyone else says they were doing this — and this one sale dropped the price enough to make short-selling the WBTC extremely profitable.

This was all done in a single Ethereum transaction, costing $8.71. [Korantin Auguste, Twitter]

This was a rerun of a similar attack on DAI last year — which also hit bZx. Someone also tried a transaction of this sort again just today. [blog post; Twitter]

In any regulated market, trades of this sort would likely be legally problematic — certainly the blatant price manipulation — but if DeFi were a regulated market, none of this laughably rickety nonsense would be allowed to exist.

Voting on the blockchain is bad, Voatz is worse

Voting is about the worst possible use case for a blockchain. It solves no problems that are actual problems — most of the problems in voting are registration shenanigans, not vote counting — and proponents never seem to have heard of a country that isn’t the US.

The one problem blockchain voting solves is the problem of grifting governments for snake oil. Voatz had a good old go at the grift angle in West Virginia and Utah, as I’ve written up previously — and were only slightly hampered by the minor issue that the Voatz system didn’t scale, and was a security disaster.

Michael Specter, James Koppel and Daniel Weitzner from MIT got hold of the Voatz system — and have written an excoriating analysis of its numerous security issues. It’s near-trivial to work out how a user voted, corrupt the audit trail, change what appears on the ballot — or even change a vote in mid-air. Also, the blockchain bit doesn’t do anything. [MIT, PDF; Vice]

The Department of Homeland Security has also analysed Voatz. Their report isn’t as strong as the MIT report, but the DHS researchers found multiple holes in Voatz’ infrastructure.

Election officials who used Voatz don’t give a hoot, of course. [CoinDesk]

The Internet of Things that isn’t switched on right now

IOTA is closed for business — after user problems with their Trinity wallet software turned out to be hacks, and $1,650,000 in IOTA had been stolen from 11 users. The central coordinator node was turned off on 12 February, and has yet to be re-enabled — though they say they found the Trinity bug on 14 February. [IOTA status archive; Reddit]

(Remember that IOTA is a completely 100% centralised coin, and all the promises and aspirations in the white paper are nonsense.)

Not to worry, day traders — this coin whose blockchain literally doesn’t work right now is alive and well on the exchanges, with $19 million in reported daily volume! [CoinMarketCap]

If you build it, they will come [citation needed]

There has never been a non-negligible merchant use case for crypto. Inside Pundi X’s troubled plan to take Bitcoin mainstream — “It works magnificently, it’s a great machine, it has amazing potential … But if the customers are not willing to actually use crypto to pay for stuff, what’s the point?”  [Decrypt]

The Lightning Network is not just centralised — it’s so centralised, that major hub nodes going down will leave it susceptible to split-network attacks. [arXiv, PDF]

Genuine Bitcoin use case found! Wall Street Journal: Cryptocurrency Scams Took in More Than $4 Billion in 2019. [WSJ, paywall]

Bitcoin mixers were invented for the purpose of keeping transactions private, even as they’re happening on a public blockchain. It turns out that this is fabulously useful for money laundering — Larry Harmon, operator of the Helix mixer from 2014 to 2017, just got busted. Harmon also operated darknet search engine Grams, and marketed Helix as a way to obscure illegal darknet transactions. I am shocked and outraged to discover that doing crimes on a permanent immutable ledger of all transactions is still dumb as hell. [US Department of Justice]

But on the Blockchain

The Ethereum Name Service is a bit like DNS on the Internet — much as DNS translates “” into the IP address, the ENS translates a humanly-memorable name into an Ethereum address.

It turns out this is a bit too open on a public blockchain — particularly because the address that bought an ENS name is public. Decrypt goes through 133,000 ENS addresses and discovers all sorts of details about people — “It’s the difference between sending someone an email and them being able to look at your entire inbox.” [Decrypt]

JPMorgan is trying to fob off its Quorum blockchain — a fork of Ethereum — onto Consensys. It’s not clear if the people who develop Quorum are even part of the deal. This appears to be face-saving as an alternative to abandoning it. [Reuters]

About 99% of what’s interesting about Telegram’s planned blockchain is the financial shenanigans that have the SEC upset — the hearing starts tomorrow. But if you’re interested in the other 1%, Telegram’s released a paper from Nikolai Durov on the Telegram Open Network’s Catchain consensus protocol. [Telegram, PDF]

Oh no — Australia’s Department of Industry is taking blockchain nonsense seriously. “Blockchain technology opens up new opportunities for improving processes and achieving efficiencies across the economy!” (They didn’t write that with an exclamation mark, but you know they’re thinking it with one.) Apparently it’s some other grifters as well as IBM. [Department of Industry]

Moneygram announces a new real-time international remittances system! Using Visa, and not using Moneygram’s valued partner Ripple. [CoinTelegraph]

How applicable is blockchain to energy distribution? Let’s ask Christian Kern of FSIGHT — “We have run several POCs integrating blockchain technology but we so far decided to run our core services without blockchain technology. Meaning, the solutions that we are already providing are working fine without DLT.” [Digital Asset Live]



Things happen (if not on IOTA)

Jacob or Jakub Kostecki — of the abandoned Massive Adoption crypto conference — has a new gig, as principal of Off Market Today, LLC. Here’s a screenshot I grabbed from LinkedIn. [Twitter]

The lawyer for users of the defunct Quadriga crypto exchange has found evidence that Crypto Capital Corp was one of its payment processors, and is asking for any information. [blog post]

Aleksi Grym outlines what a Central Bank Digital Currency is, and means. Commercial banks’ accounts with central banks are already CBDCs — so to mean anything, “CBDC” has to mean ordinary consumers using the CBDC. Money transmitters who are required to deposit the float — the stored customer funds — with a central bank, such as the ones in China, effectively serve a CBDC to customers. So we’re already most of the way there — and it doesn’t make any difference to anything, as long as CBDC currency is not the only legal form of the currency. [LinkedIn]

Economic Limits Of Proof-of-Stake Blockchains — David Rosenthal goes through the recent paper showing that Proof-of-Stake will end up costing the same as Proof-of-Work. Hopefully in dollars in bank computers, rather than in burning a country’s worth of carbon. [Blog post]

If you ever thought you’d never feel sorry for a billionaire — consider poor Warren Buffett, who finally had to sit through lunch with Justin Sun from TRON and a gaggle of crypto bros on 23 January. The lunch was going to happen in July last year, but was delayed — maybe because of kidney stones, or maybe because Sun was under Chinese border controls. [Twitter]



Become a Patron!

Your subscriptions keep this site going. Sign up today!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.