The Breakdown - So Now They’re Hacking DeFi Protocols Before They’ve Even Launched?
Episode Date: September 30, 2020
DeFi is one of the breakout crypto categories of 2020. Indeed, yield farming and the grand game of "money legos" has been so profitable that many are following every new protocol with rapt attention. This is all the more true for projects graced by YFI creator Andre Cronje. So when word got out about a new, pre-release game economy engine called "Eminence," the DeFi degens took advantage of the permissionless nature of DeFi to pump $16 million or so into EMN. What happened next was arguably the first pre-release hack in DeFi's history. This episode breaks down what happened and what it means for the fledgling field.
Transcript
every opportunity that can be exploited, whether there are actual hacks that we call exploits,
or whether they're just social hacks, like trying to follow the breadcrumbs to discover a new
protocol, they're going to be exploited. That's what markets do. Markets create incentives
for people to find every edge they can. We deny that and we forget that at our own peril.
Welcome back to The Breakdown with me, NLW. It's a daily podcast on macro, Bitcoin, and the big picture power shifts remaking our world.
The Breakdown is sponsored by crypto.com, BitStamp, and nexo.io, and produced and distributed by CoinDesk.
What's going on, guys? It is Tuesday, September 29th, and this is the second of two episodes for today.
I explained this at the beginning of the previous episode on the new Coinbase No Politics at Work policy.
But basically, I discovered when I recorded this morning that I actually was doing two full shows
that were smashed uncomfortably together.
So if you want to hear about Brian Armstrong and his letter and the response to it, go check
out that episode.
This one is focused on the Eminence hack, a hack of a DeFi protocol that hadn't even yet been
launched.
So let's try to bring you up to speed about what happened with Eminence, which you may see
on Twitter, abbreviated as EMN. I'm actually going to kick this off with a thread from Sam over
at FTX because I think he did a good job of summarizing it. He writes, all right, so here's
what I gather happened with EMN. Andre Cronje was working on a new protocol. It was still in the testing
phase not ready to be released in case, e.g. it had bugs. He hadn't yet vetted it. It did, in fact,
have an exploit. People were digging around Andre's code, found what he was working on, and started to
talk about it. To be clear, Andre hadn't promoted it and wasn't intending it to be used yet.
It obviously wasn't finished with testing. But people found it anyway. The people who found it
started talking about it and spreading it, probably not maliciously, probably just excited.
Everyone wants to get in on the next big Andre project so people started FOMOing into it when they
got wind of it. So a bunch of people started buying. But remember, it wasn't tested and had an exploit
involving flash loans. So someone exploited it, taking all the funds, 16 million, I think. The hacker then sent
half to Andre as a quote, I'm sorry note, and kept half for themselves. Andre wakes up and is like
WTF happened. News spreads, people are confused and hurt and angry and impressed and lots of other things
at once. So, TLDR, A, Andre didn't intend any of this to happen. B, people dug around and found
his incomplete projects. C, people bought his incomplete projects and D, flash loans. So maybe just to
flesh out a little bit more of that, like Sam said, Eminence was an unfinished DeFi protocol by
Andre Cronje. Now, Cronje is the dude behind YFI, which popularized yield aggregation,
i.e. farming yield from different protocols to optimize the max yield. It has one of the most hyped
tokens in the space with a current market cap of $787 million. And as Sam put it, Andre has
something of a cult following. Now, what we've learned about eminence from Andre subsequently is that
it is a card gaming protocol, or, as he put it, a quote, new economy for a gaming multiverse.
And as Sam said, it seems like it got revealed in some tweets.
The DeFi degens piled in, depositing 15 or 16 million into this unfinished protocol.
Twitter user ChainLinkGod summed it up in a lot of ways with this tweet where he said,
Just aped into EMN.
I still have no idea what it is or what its purpose actually is, but hey, if Andre Cronje is involved,
I'll degen in any day of the week.
Then, as Sam said, the attacker found an exploit and drained the entire supply.
So here's how Andre himself wrote it up. He wrote, first, the data.
One, yesterday we finished the concept behind our new economy for a gaming multiverse, Eminence. As per my usual methodology, I deployed our staging contracts on ETH so we can continue developing on it.
Two, Eminence is at least three plus weeks away.
Three, neither these contracts nor the ecosystem are final. Yesterday alone, you will notice I deployed two separate batches of the contract. This is my usual, quote, test in prod process.
Four, we started releasing some of the art teasers to showcase all the different clans in the game on Twitter.
Five, we posted the first clan, Spartans, and I went to bed.
Six, around 3 a.m., I was messaged awake to find out, A, almost 15 million was deposited into the contracts. B, the contracts were exploited for the full 15 million. And C, 8 million was sent to my Yearn deployer account.
Seven, the exploit itself was a very simple one. Mint a lot of EMN at the tight curve, burn the EMN for one of the other currencies, sell the currency for EMN.
What's going on, guys? I'm excited to share that one of this month's breakdown sponsors is Crypto.com.
Crypto.com offers one of the most cost-efficient ways to purchase crypto out there, as they've just waived the 3.5% credit card fee for all crypto purchases.
What's more? With Crypto.com's MCO Visa card, you can get up to 10% back on things like food and grocery shopping.
When you buy gift cards with the crypto.com app, you can get up to 20% back.
Download the crypto.com app today and enjoy these offers until the end of September.
BitStamp is the original global cryptocurrency exchange.
Since 2011, BitStamp has been the preferred exchange for serious traders and investors,
trusted by over 4 million customers, including top financial institutions.
BitStamp is built on professional grade trading technology.
Their platform is powered by a NASDAQ matching engine,
and their APIs are recognized as the best in the industry. Download the BitStamp app from the App Store or Google Play or visit bitstamp.net
slash pro to learn more and start trading today. That's bitstamp.net slash pro. In this crisis,
many investors aim to keep and grow their digital assets. Others seek to maximize the yield on their
cash. Nexo allows you to achieve exactly these two goals. The company offers instant crypto credit
lines against all major cryptocurrencies, with interest rates starting from only 5.9% APR. Nexo also lets you
earn up to 10% annually on your fiat and digital assets. What's more, interest is paid out daily,
and you can add or withdraw funds at any time. Get started at nexo.io. So just a couple quick
takeaways on this one. The first is part of this whole opportunity has to do with the philosophy
or the reality of what is Andre Cronje's Twitter bio, where he writes, I test in prod. The idea here is
that in traditional software development environments, you test things in a staging environment that's not
accessible to the public. It's a lot harder to do that in DeFi because so much of any new
DeFi protocol relies on composability with other platforms, other money Legos. From a pure development
standpoint, it makes more sense to then test in production. This is a reminder, however, of why that
isn't the norm in other contexts. Second, cults of personality are incredibly dangerous.
Alex Kruger summed up the EMN story like this. One, build up hype. Two, finish concept.
Three, deploy contract day after using Yearn's account, allowing people to identify it, invest in it,
product unfinished. Four, hype it via Twitter, feed a buying frenzy. Five, token hacked, 16
million stolen. So as you can tell, Alex clearly isn't buying the idea that Andre has no culpability
in this. In his estimation, there was a specific strategy to build up hype, which happened to
poorly interact in this case with the testing and production model. Mick Hagen, who is the founder of
Genesis Block, had a similar argument. He threaded on Twitter this. I'm a card-carrying member of
the cult of Andre Cronje like most of you. And yes, degens who ape into unreleased,
unaudited, unknown contracts are ultimately responsible for any loss of funds.
But let's be real.
Andre's actions did not help the situation.
Andre deployed these contracts from the main Yearn deployer address,
which people watch for every move, every transaction.
Why didn't he use an alternative non-followed address to deploy slash test
if these were indeed just staging contracts?
Last week, Andre tweeted about surprise launching new stuff.
This week, he tweeted about a Bancor bonding curve.
Is eminence the surprise launch?
Is this a new system?
We see it as the bonding curve. FOMO. Just after he deploys the contracts, he starts retweeting
mysterious FOMO-inducing teasers. The domain is theirs. It all checks out. The hype is building.
This train is leaving the station. No turning back. Anything Andre touches turns to gold. Degen mode
activated. The rest is history. Yes, degens are going to degen. No one forced them to put
funds in. But this could have been mitigated. It's not hard to see how it happened.
Again, I love Yearn Finance and Andre Cronje, but having a platform and influence comes with
responsibility. Basically, Mick's point can be summed up as, yo, you knew exactly what you were doing
in terms of hyping people up. And the fact is that because this thing was out in the wild,
testing or not, you had to understand, or if you didn't, you certainly do now, that the crew of
people who are watching every move in this space are going to pile in to get any advantage.
Which gets me to my third point.
Anyone who tells you that DeFi is ready for a mainstream audience is absolutely out of their mind.
This is a sophisticated speculators' paradise.
It is a place for people to try to front-run new protocols from people with proven track records
because they know everyone else is going to do the same thing.
And by the way, people don't give a crap about culpability-denying general statements
about don't interact with unaudited contracts.
It's just naive to think that they do,
and it's not saving anyone's butts.
Crypto Messiah responded to that thread I read before saying,
Bro, we thought you retweeting obscure images was some sort of announcement.
I've never seen chat rooms and Twitter buzzing harder about anything for hours on end.
I get it.
Totally our fault for FOMOing in, but we all share blame here.
As I've said before,
the only thing that limits the downside in this crazy game
is the people who are playing, or rather the barriers to entry that means it's such a small
number of people playing. We are watching in real time a totally different type of unfettered,
pure play, digital capitalism take place and play out. But in that context, you have to expect
that every opportunity that can be exploited, whether there are actual hacks that we call
exploits, or whether they're just social hacks, like trying to follow the breadcrumbs to discover a new
protocol, they're going to be exploited. That's what markets do. Markets create incentives for people
to find every edge they can. We deny that and we forget that at our own peril.
