The Breakdown - Hacks and Doxxing Raise Questions About CeFi Masquerading As DeFi

Episode Date: October 8, 2022

This episode is sponsored by Nexo.io, Circle and FTX US.

On this crypto recap episode, NLW looks at the latest news, including:

- Binance Smart Chain exploit
- Celsius user data leak
- MiCA regulation text finalization

Nexo Pro allows you to trade on the spot and futures markets with a 50% discount on fees. You always get the best possible prices from all the available liquidity sources and can earn interest or borrow funds as you wait for your next trade. Get started today on pro.nexo.io.

FTX US is the safe, regulated way to buy Bitcoin, ETH, SOL and other digital assets. Trade crypto with up to 85% lower fees than top competitors and trade ETH and SOL NFTs with no gas fees and subsidized gas on withdrawals. Sign up at FTX.US today.

I.D.E.A.S. 2022 by CoinDesk facilitates capital flow and market growth by connecting the digital economy with traditional finance through the presenter’s mainstage, capital allocation meeting rooms and sponsor expo floor. Use code BREAKDOWN20 for 20% off the General Pass. Learn more and register at coindesk.com/ideas.

“The Breakdown” is written, produced by and features Nathaniel Whittemore aka NLW, with editing by Rob Mitchell and research by Scott Hill. Jared Schwartz is our executive producer and our theme music is “Countdown” by Neon Beach. Music behind our sponsors today is “The Now” by Aaron Sprinkle and “The Life We Had” by Moments. Image credit: Boris Zhitkov/Getty Images, modified by CoinDesk. Join the discussion at discord.gg/VrKRrfKCz8.

Transcript
Starting point is 00:00:00 Welcome back to The Breakdown with me, NLW. It's a daily podcast on macro, Bitcoin, and the big picture power shifts remaking our world. The Breakdown is sponsored by Nexo.io, Circle, and FTX, and produced and distributed by CoinDesk. What's going on, guys? It is Friday, October 7th, and today we are talking about finance, hacks, Celsius leaks, and so much more. Before we get into that, however, if you are enjoying The Breakdown, please go subscribe to it, give it a rating, give it a review, or if you want to dive deeper into the conversation, come join us on the Breakers Discord. You can find a link in the show notes or go to bit.ly slash breakdown pod. Also a disclosure, as always. In addition to them being a sponsor of the show,
Starting point is 00:00:48 I also work with FTX. All right, folks, well, today, as I mentioned up top, we are catching up on crypto, and it has been a fiery little end to the week here, with the big theme being about the problems of centralization. Before we dive in there, though, let's discuss for just a moment the U.S. jobs numbers that came out this morning. As we know, the Federal Reserve is laser focused on jobs. They've made it clear that they believe that the tight labor market is a major barrier to fighting inflation, effectively saying that until they see either inflation itself come down or the labor market really start to show signs of softness, they're going to keep tightening. Now, of course, there is a ton of debate around this. I've described in a past
Starting point is 00:01:30 episode why I wish the Fed would spend more time exploring or articulating if and how they think things have changed in the jobs market structurally since the end of COVID. Whatever their reasoning, they've made it clear that they need to see a softening in that market before they think differently about tightening. Today, we got official payroll numbers for last month. And in the world of bad news is good news, investors were hoping to see unemployment up and new jobs down. What we got was the opposite. Now, it wasn't a major shock in either direction, but payrolls climbed 263,000, which was a little higher than the 255,000 that economists anticipated. Economists had also anticipated the unemployment rate to hold at 3.7%, but it
Starting point is 00:02:12 actually fell to 3.5%, which matches a five-decade low. This, of course, gives more justification for the Fed to stay tightening, and so stocks opened lower. Really, honestly, kind of a round-trip week from excitement and October discussions at the beginning to the return of reality to send us off into the weekend. But let's move now into CryptoLand, where on Thursday night, Twitter started noticing huge amounts of BNB moving around.
Starting point is 00:02:40 Someone said, and I apologize, I couldn't find the exact tweet, that it's only in crypto that you can see $500 million on the move and wonder whether it's a hacker or a whale. Turns out, hacker it was. So, TLDR, BSC is the smart contract-enabled blockchain launched by Binance.
Starting point is 00:02:56 In this particular case, the bridge which allows BNB tokens to be transferred onto the BSC network was exploited, allowing the hacker to withdraw 2 million BNB tokens out of the bridge and into their control worth around 560 million. The attack vector was similar to other bridge exploits we've seen in the past year. The hacker forged a withdrawal request, which the bridge incorrectly processed. The hacker then bridged the stolen tokens out, using the stolen BNB tokens as collateral to borrow Ethereum, Avalanche, Fantom, and Polygon tokens before bridging the assets
Starting point is 00:03:24 back to their native chains. BSC validators halted the blockchain after a few hours, keeping most of the stolen tokens trapped on BSC, with around 100 million worth of tokens successfully bridged out onto other chains. Effectively, the hacker was just trying to get things out of there as fast as humanly possible across a variety of protocols. Some tokens have been frozen with Tether blacklisting the hacker's wallet swiftly. In total, Binance claims around 7 million has been frozen on other chains. Early on Friday morning, the chain was brought back online with a validator software update that blocked the hacker's address and disabled the BSC bridge, which was exploited. This means that the smart contract platform is functioning again, but there will be a delay in re-enabling the ability to
Starting point is 00:04:03 move assets on and off the chain from centralized exchanges. Now, something interesting about this particular hack was that, as I mentioned, the hacker went straight into DeFi lenders and pledged the tokens as collateral to try and get liquidity as fast as possible. This spiked interest rates across various lenders. It looks like the hacker is unlikely to return to pay back the loan, so they'll get liquidated after a while, but it sort of begs the question of who buys the liquidated collateral? And are they handling stolen goods at that point? There are a bunch of people trying to explain this whole thing in layman's terms. 0xfoobar wrote, somebody on BNB just got hacked for around 2 million BNB or 600 million USD. The attacker is spewing funds across liquidity pools and
Starting point is 00:04:43 utilizing every bridge they can to get to safer chains. Complete chaos on the chain. Is this diversification? Now the entire chain has been paused as clear confirmation as you can get. Something's gone horribly wrong. With BSC paused, looks like the hacker has 400 million of assets stuck on CZ Chain, and low 9 figures out on more censorship-resistant blockchains. Given infiltration into various DEXes, lending protocols, and bridges will be tough to unravel. Now, as with any hack, there was confusion at the beginning, with the official communications from Binance only giving away so much. BNB Chain first tweeted due to irregular activity, we're temporarily pausing BSC. We apologize for the inconvenience and we'll provide further updates here. Then, to confirm, we have
Starting point is 00:05:23 suspended BSC after having determined a potential exploit. All systems are now contained, and we are immediately investigating the potential vulnerability. We know the community will assist and help freeze any transfers. All funds are safe. We want to thank all node service providers for their quick and attentive response. A little later, CZ tweeted, an exploit on a cross-chain bridge BSC token hub resulted in extra BNB. We've asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. The current impact estimate is around 100 million USD equivalent around a quarter of the last BNB burn. Now, there were a variety of reactions from the community. One was to ask if there were implications for Ethereum. Nick H. at Hashbender, the CEO
Starting point is 00:06:04 of Luxor Mining, wrote, about 50 million made it onto Ethereum, so a bunch of people are wondering about how Ethereum validators will deal with it. First big hack that touches Ethereum post-merge. They can stop BSC, that's fine, but the coins already swapped to ETH. Now we'll find out how decentralized Ethereum really is after the merge. This could be quite the Rubicon moment for post-merge ETH 2.0. Still, most Ethereum commenters just use this as a chance to point out how centralized Binance is. Ryan Sean Adams wrote, pause the chain, freeze the funds, roll it back. This is a bank with extra steps. Eric Conner wrote, Two years ago, there was a couple months stretch where people actually thought Binance chain
Starting point is 00:06:41 was an Ethereum competitor. I thought so many dumb reply guys about how the chain was run by one entity and was not decentralized whatsoever. Two years later, the chain is completely paused. The great thing about bear markets is everyone gets time to understand what was a LARP and what wasn't. Now, to some extent, I think these takes are, while legitimate, also a little silly. The value proposition of Binance Chain was never about it being as decentralized or censorship-resistant as something like Ethereum. It was about making a trade-off against that for speed. So this is sort of just part and parcel of, I think, what people expected. Now, to the extent that people thought Binance Chain was actually as decentralized as Ethereum, well, then I completely understand
Starting point is 00:07:19 these takes. I just don't get the impression that that's most market participants. Another take on Twitter was that it was notable that the price of BNB didn't actually tank. Jeff the Dunker writes, so BNB just suffered a massive exploit that would have crippled 99% of projects, and it only dropped 5% while currently hovering at down 2.5%. I don't think betting against CZ and Binance is a good idea. There were also a number of still so early type of tweets. Mike Dudas from Sixth Man Ventures wrote, feels like we're still experimenting in the lab, but instead of losing mice, we're losing money. Finally, there was a lot of questions around CeFi masquerading as DeFi, which has been a pretty common discussion for the last couple months.
Starting point is 00:07:58 Ryan Selkis of Messari writes, The Celsius rug and dox and the BNB exploit and coordinated shutdown are two examples on the same day of how hard it is to separate CeFi and DeFi. True open protocols should be protected, but we can't die on the hill for centralized companies. The issue as policymakers look at massive hacks and losses and see CeFi masquerading as DeFi makes them want to capture the whole ecosystem without exception because they think DeFi is bullshit. Not because the protocols aren't powerful, but because they're not actually decentralized. Want to keep more profits when trading? Get the best possible prices and trade with 50% lower fees on Nexo Pro. The new Spot and Futures trading platform uses aggregated
Starting point is 00:08:41 liquidity of over 3,000 order books collected from multiple sources. Utilizing the complete Nexo suite allows you to earn interest and borrow funds as you wait for the next trade setup. Visit pro.nexo.io. That's p-r-o dot nexo.io and sign up today. The Breakdown is sponsored by FTX US. FTX US is the safe, regulated way to buy and sell Bitcoin and other digital assets with up to 85% lower fees than competitors. There are no fixed minimum fees, no ACH transaction fees, and no withdrawal fees. One of the largest exchanges in the U.S., FTX US is also the only leading exchange that supports both Ethereum and Solana NFTs. When you trade NFTs on FTX, you pay no gas fees. Download the FTX app today and use referral code breakdown to support
Starting point is 00:09:34 the show. So let's shift now and talk about the Celsius thing that Ryan mentioned in that tweet. As part of its court filing, Celsius submitted a 14,500 page long document that contained a ton of highly sensitive information, such as customer names, transaction types, and amounts, which services customers had used, crypto wallet IDs, types and quantities of tokens held, basically, in other words, everything. Yesterday, that data was leaked and Twitter was incredulous. Henry DeVolence wrote, seems like among other things, anyone can now dox all the on-chain activity and addresses of any named Celsius user by matching the dates and exact amounts to transaction data. Lawrence, a trader at San Capital writes,
Starting point is 00:10:18 If you ever use Celsius, even once, you are now name and address doxed. Very cool and normal behavior from an utterly psychotic platform that deserves to be absolutely burned to the ground. End quote. And to be fair, at this point, there has been no explanation given to why this level of detail was required by the courts or if it actually was. Nick H. Hashbender again says this Celsius leak may go down as one of the greatest breaches of customer information ever.
Starting point is 00:10:44 Names, balances, and transaction IDs, any wallet that's ever touched Celsius is now exposed and linked to an ID, a perfect demonstration of why KYC only hurts honest customers. Selkis again writes, this is what I would present to every single sitting member of Congress as evidence for why private Web3 transactions are not just a nice to have, but a fundamental and constitutionally protected right. This is exactly the point, by the way, that people who are focused on changing the KYC and BSA regime discuss. Capturing this data means this data is available for capture. We need a new version of Murphy's Law but for the Internet and for private personally identifiable information. Basically, at some point, on a long enough time scale, if data can be leaked, it will be leaked.
Starting point is 00:11:32 And so, if we require institutions to collect this type of data, it's really only a matter of time. Anyway, a couple more quick stories and then we're out. The text for the EU Markets in Crypto-Assets, or MiCA, regulation has been finalized. The bill will go to a vote on October 10th. The key provisions of the regulations deal with registration of crypto firms that serve as EU customers, mandatory white paper disclosures for newly issued tokens, and granting the power to make rules and govern markets to the European Securities and Markets Authority. The treatment of DAOs has been cleaned up with them being excluded from the regulations. Quote, where crypto asset services as defined in this regulation
Starting point is 00:12:08 are provided in a fully decentralized manner without any intermediary, they do not fall within the scope of this regulation. One thing that many people have been watching is what the treatment of NFTs would be, and right now there is still no clear line drawn between tokens and NFTs. That means that NFTs could fall under this regulation depending on how the regulator interprets their power. A restriction on stablecoin circulation to 200 million euro or 1 million transactions remains, which could present an issue for major stablecoins that already exceed these limits. Interestingly, a lot of the commentary on Twitter is sort of positive around this. Gabriel Shapiro, the GC at Delphi, said,
Starting point is 00:12:42 Based on latest convos about the final MiCA draft, I definitely think the EU has stolen the U.S.'s regulatory thunder on crypto for now. Want to offer a token? Just publish and file a white paper. There's no permissioned registration regime, no transfer restrictions, etc. Beautiful. There are some ambiguities around what tokens still constitute financial instruments, a.k.a. securities, but I expect it will come out in the wash. The big remaining question mark is DeFi, as that is carved out from MiCA. How will the EU handle it? Will it respect its purposes?
Starting point is 00:13:09 All the more reason for crypto projects and people whose life and career revolves around crypto to avoid the U.S., where I suspect many of us lawyers are wasting our time intricately debating U.S. law, while the rest of the world races past our backwaters. Brandon Isaacson, a G.C. at Cartesey had a similar thought. Bottom line, he writes, when compared to the current U.S. regulatory tone, MiCA affords crypto projects a presumption of innovation potential rather than a presumption of fraudulent behavior. All of this seems very positive, but until I get to see the text myself, I'm going to keep a little bit of skepticism. Last up today, I want to talk about the latest indication of post-narrative institutionalization. Now, for the uninitiated post-narrative institutionalization is something that I've been describing for a while in which, as opposed to the institutions coming into crypto
Starting point is 00:13:59 during the bull market, which tended to carry with it a strong narrative component, both from the industry side, as we were actively involved in pushing the narrative of institutions coming, and that being a reason for people to get excited, as well as from the institution side who wanted to get the headlines that came with them starting to experiment with Bitcoin and crypto. Anyways, if that was what characterized institutions coming to the space in late 2020 and throughout 2021, post-narrative institutionalization is the process that has been happening throughout this year, where companies continue to build out their infrastructure for the crypto space, where big Wall Street giants start to launch new crypto products without much fanfare, and where very
Starting point is 00:14:42 traditional types of financial providers, such as retirement accounts, start to add this capacity all during a bear market. It's quite clearly all positioning for the future, and it continues to happen, basically regardless of what's happening day to day from a price perspective. In a research report released yesterday, Morgan Stanley said that the market for crypto exchange products is growing despite this crypto bear market. Morgan Stanley notes that despite total assets in crypto-related products dropping 70% from $84 billion to $24 billion, of the more than 180 active crypto-exchange traded products and trusts, half have been launched since the beginning of the Bitcoin bear market. The report says, quote, the crypto exchange products market will continue to grow.
Starting point is 00:15:27 The bear market hasn't deterred asset managers and financial companies from launching ways for their clients to get access to digital assets. End quote. In fact, fund launches accelerated this year despite the decline in crypto prices. Over the last year, eight new exchange traded products have been launched each month on average. I share this not to try to dig too deep into some sort of hopium, but just to point out, once again, that when the world's biggest financial institutions continue to plow into the space, perhaps in different ways than they did before, but clearly positioning for the future, it's hard not to be kind of optimistic about what the future holds. For now, I want to say thanks again to my sponsors, Nexo, Circle and FTX, and thanks to you guys for listening. Until tomorrow, be safe
Starting point is 00:16:12 and take care of each other. Peace. I want to tell you about CoinDesk's new event, the Investing in Digital Enterprises and Asset Summit, or I.D.E.A.S. The event facilitates capital flow and market growth by connecting the digital economy with traditional finance. Join CoinDesk October 18th and 19th in New York City for a 360-degree investment experience, where you can source, invest, and secure the next big deal in digital assets. Use code BREAKDOWN20 for 20% off a general pass. You can register today at coindesk.com slash ideas.
