The Wolf Of All Streets - Massive Ongoing Ledger Crypto Hack | Powell Rate Cuts? | Crypto Town Hall
Episode Date: December 14, 2023
Crypto Town Hall is a daily X Spaces hosted by Scott Melker, Ran Neuner & Mario Nawfal. Every day we discuss the latest news in crypto and bring the biggest names in the space to share their insight. ... ►►TRADING ALPHA READY TO TRADE LIKE THE PROS? THE BEST TRADERS IN CRYPTO ARE RELYING ON THESE INDICATORS TO MAKE TRADES. USE CODE ‘2MONTHSOFF’ WHEN VISITING MY LINK. 👉 https://tradingalpha.io/?via=scottmelker ►► JOIN THE FREE WOLF DEN NEWSLETTER, DELIVERED EVERY WEEK DAY! 👉https://thewolfden.substack.com/ ►► OKX Sign up for an OKX Trading Account then deposit & trade to unlock mystery box rewards of up to $10,000! 👉 https://www.okx.com/join/SCOTTMELKER ►►NGRAVE This is the coldest hardware wallet in the world and the only one that I personally use. 👉https://www.ngrave.io/?sca_ref=4531319.pgXuTYJlYd ►►THE DAILY CLOSE BRAND NEW NEWSLETTER! INSTITUTIONAL GRADE INDICATORS AND DATA DELIVERED DIRECTLY TO YOUR INBOX, EVERY DAY AT THE DAILY CLOSE. TRADE LIKE THE BIG BOYS. 👉 https://www.thedailyclose.io/ ►►NORD VPN GET EXCLUSIVE NORDVPN DEAL - 40% DISCOUNT! IT’S RISK-FREE WITH NORD’S 30-DAY MONEY-BACK GUARANTEE. PROTECT YOUR PRIVACY! 👉 https://nordvpn.com/WolfOfAllStreets Follow Scott Melker: Twitter: https://twitter.com/scottmelker Web: https://www.thewolfofallstreets.io Spotify: https://spoti.fi/30N5FDe Apple podcast: https://apple.co/3FASB2c #Bitcoin #Crypto #Trading The views and opinions expressed here are solely my own and should in no way be interpreted as financial advice. This video was created for entertainment. Every investment and trading move involves risk. You should conduct your own research when making a decision. I am not a financial advisor. Nothing contained in this video constitutes or shall be construed as an offering of financial instruments or as investment advice or recommendations of an investment strategy or whether or not to "Buy," "Sell," or "Hold" an investment.
Transcript
I made co-hosts, I can't believe it. On a day like this, I can't believe it.
I rejected my invite.
I rejected the invite because I didn't want to have that conversation.
On the important days, we have to make sure the co-hosts are people that are responsible and know what they're talking about.
So Ryan, good to have you.
So what are you doing here, bro?
What am I doing? Is that what you said?
Yeah, he wants to put me up there.
Yeah.
Okay.
Okay.
To be honest, it's a joke, but it's also true.
I barely knew about the hack.
So you and Fred were kind of disagreeing on how serious this is, Ryan.
Maybe give us an overview.
Yeah, I think maybe let's wait for people to log on.
It's not a big hack, and people need to listen to what is affected.
And it seems that the cause of the problem was maybe patched,
but that doesn't mean that the hack is finished, so to speak.
So it could mean that the hack is not finished.
Would you agree with the title, biggest hack in crypto history or too far?
I don't know.
Let me explain to you what happened.
And then I think that people can jump to their own conclusion.
I think that because it was picked up so quickly,
and I'm not sure who picked it up,
but because it was picked up so quickly,
we probably averted a hack that could have destroyed us for a long, long, long, long, long, long, long, long time.
Like it was, it was, uh, if, if, if this hadn't been picked up as quickly as it got picked up,
I would say hundreds of thousands, if not millions, of crypto users could have had their entire wallets drained.
Uh,
I think a lot of people,
well, not, we don't know of a lot of people that did,
and we don't know, I certainly don't know,
but maybe some expert speakers will come up and tell us whether it's patched to the extent that it cannot be downloaded.
Because from what I understand, so let's maybe just go through what I understand.
And again, please forgive me because I'm technical to a point, but not to this level.
But anyone that uses a Ledger wallet, a Ledger wallet is probably the most common crypto hardware wallet out there.
And it's supposed to be like the safest solution you can get
because it's a hardware wallet.
It's not a software wallet,
which effectively lives on your phone or lives on your computer.
You actually have to plug it in every time that you want to use the wallet.
The Ledger Connect source repository was attacked
and essentially what this means is that
every time that you connected, anyone that connected their Ledger and interacted with any Ethereum app or any app out there effectively exposed their wallet to, if you approve the transaction, you effectively exposed your wallet to a draining function. And a draining function effectively gives the hacker the opportunity, or the privilege or the rights, to drain your wallet. Now, they don't have to drain your wallet immediately. They could live on the thing; they can decide to drain your wallet whenever there is money in your wallet. And so a lot of people who interacted any time after
9:45 or 9:44 UTC this morning,
a lot of people interacted with DeFi
apps and there's a whole, I mean, I can't even
begin to tell you what the list is. The list is so long
that it doesn't even fit onto
tweets. It's so, so, so, so, so long.
If anybody interacted
with any of those apps, they were
affected by this.
Now, there's a lot of things that I don't know,
and I don't know if anyone knows yet.
It seems that it was inserted by an employee of Ledger.
So it seems an ex-employee uploaded a malicious version
of the connector kit.
This UI front-end library, which would run on the client side,
it has since been removed.
So Ledger, it did take quite a while to come out with some kind
of public statement.
I'll quickly read you the public statement.
We have identified and removed a malicious version
of the Ledger connect kit.
A genuine version is being pushed to replace the malicious file now. Do not
interact with any dApps for the moment. We will keep you informed as the situation evolves. Your Ledger
devices and your Ledger were not compromised. So the device is uncompromised, but if you're
interacting with apps, you effectively, from what I understand,
gave signing power. You almost gave
the attacker a proof of your signature
and then they could empty your wallet. That's my, my non-technical understanding of exactly what happened. It seems to have been patched, but what I don't know is, if any users interacted during the three or four hours that this hack was actually underway, or that malicious code did actually live in the Ledger Connect, um, uh, interface, then I don't know if those wallets can still be drained or not. And that's, I guess, I'm hoping that people will be able to come on and tell us.
Quick, quickly, I just spoke, uh, back channel with, uh, Seth from Ledger, and right now
we obviously invited them on the show so they
could give the perspective. Their comms
team is not allowing that at this
exact moment and they're all hands on deck
resolving this but he said that it is
his understanding is that it is resolved and
that they'll be putting more out there
about it but we are trying to get them on.
They're just not doing it the second.
Maybe Jameson, maybe after hearing Ran's rundown, obviously, uh, pretty much the foremost security expert, you can give a much better explanation.
Yes. Yeah, um, what's going on here?
Yeah, I can give you my perspective, and, you know, it is still, uh, I guess you could say, a fog of war. We're still trying to get all of the details.
And the Ledger team, I'm sure, is digging directly into exactly what the malicious code was doing
because there are open questions around exactly how it was being executed
and how they were trying to trick users.
So the short version of why this is a potentially catastrophic type of attack is because what we really see is this single point of failure that is getting injected into basically every DeFi Web3 app out there.
And that's just because of the prevalence of ledger devices and all of these apps want to allow people to use their
Ledger devices with them. Now, one thing which we're not entirely sure of yet, I'm sure we'll
figure this out eventually. I'm not sure that it's necessarily true that this would only affect
Ledger users. I think we should be clear that Ledger was the entry point of this attack,
which allowed them to get into hundreds, if not more, crypto apps. But just because that code
came in through the Ledger library doesn't necessarily mean that only Ledger users would
be affected. What we don't really know yet is exactly what prompts this malicious code was injecting into the app to try to get people to sign a message that would effectively hand over control of your wallet funds.
And, you know, drainer apps are not new.
This has been going on for years. It's kind of like a phishing attack in the sense that your funds are safe unless you approve
some malicious smart contract to have access to them. And so what these malicious actors are
trying to do is to trick you into approving that, making you think that you're approving something
else. So we're seeing some people like Zach tracing some funds that are being drained and sent, and it seems like this particular threat actor has likely been operating in the space for several months.
They just found a new way to inject their malicious code into many different apps. It's not necessarily over, in the sense that while it's a very good thing that this code was caught and
patched within three or four hours, but due to the nature of how code gets distributed across
the internet, it's still possible that there are people out there who may still be loading this
older malicious version of the code because it's probably cached in many,
many different places all over the internet.
I mean, it sounds like you can't interact with DeFi right now safely.
I mean, are we talking about you shouldn't be connecting to Uniswap or other decentralized
exchanges?
Should we be using any of this right now until we get more clarity?
I mean, I'm pretty sure that a lot of people here obviously utilize a Ledger with MetaMask for trading or investing because they have been told that it's the safer way than just leaving the
tokens inside your MetaMask and sounds like now you might have injected this malicious code all
over the place. True. It's obviously safer to keep your private keys on an air-gapped device,
but just due to the nature of how these more complex smart contract networks work
is that it's possible for you to hand over control of your funds
without actually losing the key itself.
So, yeah, the safest thing to do right now is nothing.
The experts are digging into it and will come out, I'm sure, with more specific advice and assurances once it's clear that it's unlikely for people to still be accidentally loading this code.
Mario, Ran, you guys are co-hosts.
Obviously, I'm not.
Ran, do we have a tweet or the list of compromised apps?
I know how long it was, but I think it would be useful to pin that in the nest.
So we don't have a list of compromised apps.
You have a list of effective protocols.
The list is very, very, very long.
One place that you can access it is in Banter Bubbles, under the newsroom.
It's dropped under the newsroom as, as one of the guys tweeted it.
Yeah.
Let me drop it. Let me drop it to you, and just tell me what, what do you, what do you think is the best way to drop something?
Just post. If it's just a, if it's a URL, just post it.
Just check that out.
I'll check it out. Do you send it on WhatsApp, I guess, or Twitter?
Yeah, on WhatsApp.
I'll check it out. Okay, I'll check it.
But just before I check it out, so James, let me ask a quick question to James.
So how long would something like this take to patch up if there's such a long list?
And how does it compare to other similar attacks in terms of scale?
Well, it's kind of the double-sided nature of the beast is that the attack was so
effective and able to get into so many apps because it was basically hot loading this
client library without doing any integrity checks. So that means the fix is also similarly easy.
And hopefully, going forward, the Ledger library code is going to be more careful and is
going to add in version pinning and integrity checks to make sure that it's not loading
arbitrarily changed malicious code. This was an unfortunate oversight, but this happens a lot in the JavaScript development ecosystem.
There are a lot of potential supply chain attacks due to the complexity of all of the dependencies that JavaScript-based apps tend to be built on top of.
Really quick, Mario, MetaMask just tweeted: Update: the recent hack affects all users, not just Ledger users.
We've deployed a fix for MetaMask portfolio users on the latest version V2.121.0.
We'll be able to transact again and we'll be updated automatically.
If you're not on this version, please refresh your site data.
So this is saying that even just using MetaMask right now,
you're affected to my understanding. That basically confirms what I had just said is that
Ledger was the entry point, but it was not the only target. You know, that's just how they got
the malicious code in. But it looks like the attacker was smart enough not to constrain it
only to, like, Ledger device signing functionality.
What does this mean? Does this mean that anybody who used MetaMask, anybody who used any of the affected, uh, applications, and it's, I mean, you're talking about pretty much every single DeFi application, if I'm not mistaken, does that mean that, does that mean that your wallet could still be drained, or do you need to be interacting?
Uh, it's obviously, it requires you to hand over control of your wallet,
which means you have to cryptographically sign a message.
So yes, interacting with your wallet is when things start to get dangerous.
And the problem that really arises is that nobody is going to know
exactly what code their wallet is running.
So that's why it's best for everyone to sit tight and get an all clear from
the.
Don't use DeFi.
Or don't even use MetaMask. Like don't use a wallet.
It's not even don't use DeFi.
Like you don't even want to send tokens from yourself to yourself. Correct?
You shouldn't touch your MetaMask.
You should not touch your wallet.
I don't know how much more clearly to say it.
Just step away from the wallet.
Do not touch the wallet.
Touch a lot of grass.
Do not touch your wallet.
Get the hell out of here.
This is pretty crazy, though, because, you know, this is my knee-jerk reaction,
but I'm not going to trust the minute that they say everything
is all clear when they had no idea it was there and it was this pervasive in the first place. I, this is like, it's just...
No one said, who said it's all clear? It's only Ledger, and they're referring to...
No, but I'm saying we're going to, you know, everybody's saying, like, uh, we're all saying, you know, step away, wait until we get clear messaging. Who believes any of it?
Like clear messaging.
They didn't know it was there.
Jameson, I need to ask you.
So you would need to approve the front end, right?
You would need to approve the wallet.
You would need to approve the wallet.
So only once you've approved the wallet does this get access to allow the
drain function, right?
Correct.
Okay.
And if you did approve a wallet and your wallet is not drained yet, where do you stand?
Yeah, if you had done an approval action in the past six hours or so, I would look in and go to revoke that as quickly as
possible.
But the problem is that I heard that if you go to revoke that, that is interacting with...
What I heard is that the more people that went to revoke that, the more people were
actually enabling because apparently the revoke that function uses the interface or something
like that.
Well, I mean, that's a good question of, you know,
would it be possible that they were also extremely smart and somehow have
compromised the standard revocation action? You know,
this is once again why we need to wait and see. Yeah.
Hopefully not many people have made large scale approvals today.
You know,
like the window is so short
that I think that it's going to be fairly minimized.
And the real question is,
how long does it take to get all of this malicious code purged
from all across the internet?
And how will we know to trust them?
That's my bigger question.
So when you're talking about the revocation,
you're talking about if you go and metamask
and click to disconnect from anything that you're connected to.
Right?
Like disconnecting from a Uniswap, something like that.
No, no, no.
You have to revoke.
Because remember, once you've given a dApp permission to access your wallet, you need to then revoke the access that you've given the dApp.
And so right now, what you have to be careful of is when you go to revoke the access, you're using the same thing.
You're signing a transaction
with the same thing that is infected.
So what they said is don't go there.
Like don't go there.
Literally do nothing.
Literally do nothing.
I saw that tweet too, when they said that you basically, revoke is also, like, it's dangerous because it's also infected. By, it's not infected, but it's also connected, just like MetaMask, just like everything else. So just, the best course of action is to do nothing, not even revoke, not anything, because when you go to revoke you're also confirming, uh, uh, uh, yeah, the confirmation, the permission. You're giving the permission. So, like, don't even touch the revoke websites. I think there's two of them for Ethereum. Like, don't touch them. Don't touch them at all. Don't do anything. Touch grass.
I mean, it's winter so I guess touch snow, but yeah
Yeah, be very very very very careful today
Do we know, do we know, do we know how much has already been drained, James?
We're following, I've been following some of it.
I don't know if we're following all the wallets.
So about 610,000 is what ZachXBT said.
I've got a wallet in front of me that currently has $252,000 in it, which is a separate wallet,
which is also labeled by ZachXBT as the, as the malicious wallet. Um, I mean, maybe one of the ideas is to try and get ZachXBT up here. I'm actually going to ping him and see if he wants to join us.
Ran, Ran just tweeted the whole list for anyone that wants to see it. Ran, you want to pin it at the top for the types of work? I'll do it.
I just saw in our newsroom only 500,000
so far. That aligns pretty close with what you said,
Ran. How is it so little if this
is so widespread?
My concern is that once you put a drain function in, I think as Jameson mentioned, once you've put a drain function in, you don't have to drain immediately. You, I mean, some drain functions work that you can, that you can, you can sit there, you can leave them for hours and hours and hours, uh, days and days and days, and one day when there's money in the wallet you can decide to drain it whenever you want. So I mean, we need to get, I don't know enough, I don't have enough technical details, and I haven't yet found anyone that knows enough technical details to tell us exactly what this thing is.
But, but we, I think we need to be careful.
Yeah, I mean, we did see revoke.cash has said that they've fixed their particular website, so the bad code in it,
but they're still recommending not touching anything, at least for the rest of the day. And, you know, I think one interesting aspect of all of this, which obviously I've been banging the drum on for many years, is that this is not going to affect people who are using multi-sig wallets, because you can't approve a dApp to a multi-sig wallet without, you know, meeting that threshold of signatures. So a single signature approval is not going to compromise people.
So let's, let's just be clear, because a lot of people don't understand what multi-sig... it's a very technical term. A lot of people that are listening here, they hear the word multi-sig, they immediately believe that they can't access a multisig; they don't know what it is.
Maybe just walk us through how a multisig works
in day-to-day practice.
Yeah, I mean, I think the easiest way to explain it
is to think of physical lock boxes or safety deposit boxes.
Instead of just having one key that you have to insert into that box,
you're going to need multiple keys that have to be turned at the same time,
almost like nuclear launch code type of approval.
And this is what gives you a lot more robustness against all types of attacks,
including these software supply chain attacks.
Because even if you're keeping your keys offline on a device like Ledger, Trezor, or whatever,
as we've seen, it's possible for you with a single click of a button to unknowingly approve a malicious action. But what these malicious scripters are not really doing is trying to
attack people who have multi-sig setups. It's a lot more complex to do so, in part because
it would require multiple supply chain attacks at the same time. People would have to go
get multiple keys and sign them to
approve that malicious action.
So let's just bring that back to practicality. So I'm a trader. And every day, I'm trading meme shit coins on Uniswap. That's what I do. The question that I'm asking is, what, I need to now have two Ledgers every time I want to sign a transaction? How do I get the second signature? That's the part that people don't understand.
Right. Well, it could be two Ledgers, though I would recommend against that, because using the same manufacturer means that both of those devices are potentially compromised by a single supply chain attack.
So this is why at Casa we recommend people use a Ledger and a Trezor, or really any two different devices from different companies that use different code, different hardware, so on and so forth.
Jameson and Ran, Ran, Ran, really quickly to add to that.
Obviously, I've been a longtime Casa customer.
That's how I use multisig for my Bitcoin.
I've been pretty outspoken about that. But Ran, when you're talking about interacting with DeFi,
the process of doing that with safe multi-sig is prohibited, right?
I mean, Jay, I don't even know how this would work, Jameson,
if that's even a thing.
But I would literally have to run around like to three states and yeah.
I'll tell you what, I'll tell you what.
I mean, I know what the answer is.
I just wanted to hear from Jason.
But so if you're really serious about security, what you need to do is you need to separate your holdings from your tradings, and the idea would be to use a multi-sig to get money onto a wallet that is, like, a place where you want to be trading all day, and then use that...
That transaction from one to the other could be a victim of the exploit.
Yeah, but you probably wouldn't be a victim of the exploit
if you used Ledger and Trezor as your two multi-sigs
because you hope that the attack doesn't target both.
If the attack doesn't target both.
You know the part that worries me here?
The part that worries me here is this has picked up in a couple of hours.
And if this had gone on for 24 or 48 hours and people would have carried on,
and this hacker was smart and, you know, he didn't actually –
we don't know what we don't know.
We don't know if he is as smart as we think or not as smart or whatever.
What we do know, though, is that if he had waited 24 hours to drain any wallets whilst infecting more and more and more DeFi users, and then you would have pressed the button at once and automatically drained all the wallets, you pretty much would have seen 50% of crypto wiped out.
Absolutely possible. And yes, speaking to your point, I think that people should realize that you don't need to
have just one wallet, especially if you have a substantial portion of your net worth in crypto,
then it makes sense to have different levels of security. Because what you're always doing is
you're making trade-offs between security and convenience. So, you know, it's good to have a super duper secure distributed
cold storage setup. And then your trading setup is hopefully going to be a smaller portion of
your stash that's easier for you to access, but of course, also easier for you to lose.
Yeah, let me ask you a question, Ran. I want to ask you a question. In light of this, and as many exploits as we've seen, and I'm not talking about your investment portfolio, I just said I'm a Casa multi-sig, I'm just putting this out there not as a question for me but because I know a lot of people are thinking this: for trading, would you right now feel more comfortable with your coins on a centralized exchange, or dealing with all this?
Exactly, I was gonna ask the same question. Like, the whole concept of not your keys, not your coins is just getting questioned now.
Yeah, well, someone said there was a meme that was posted.
There was a meme that was posted,
I'm trying to find the meme,
but it says something like,
your keys are still not your crypto.
Even though you've got the keys,
it's still not your crypto because you can get drained
Um, yeah, hold on. The, the difference between this is that this is being remedied right now, and if it was on a centralized exchange you couldn't do crap with your coins. So, no, no, no, this though, well, it's not your keys, not your coins, that's the way to go.
Is it remedied? We don't know. We hope that the source is remedied, but we don't know if the implications are remedied yet. No one knows that yet, even. And that's why MetaMask is saying step away from your computer today.
And Toby, you're saying, with this text...
But Toby, Toby, with a CEX, with a centralized exchange, wouldn't they remedy the situation as well? In some cases, insure the money as well?
He's going to insure the money? By that time they could have been completely hacked. I mean, you're talking about, this is a sophisticated, sophisticated, sophisticated attack.
I mean, they believe it was an inside job.
There is, I don't know if this is the root of why people believe that it was an inside job, but they found a piece of code saying that it was published, and they published an email address in this code, which is, it, like, literally published. It's on Twitter. It's a jun.sugira.jp at gmail.com, because it looks like when the code was, was, was published, it was published by this person, and he left an email address. Like, is that true? Is it not true? Was...
I haven't, compromised, no, I haven't, no one knows. I haven't found that.
That's supposedly the ex-Ledger employee.
Let's
speak about two facts here. First of all,
if he did that, do you really think
he would leave his personal and business email
there?
That's not going to happen.
Yes, I think you're right, but
also people make mistakes.
I have another point.
I have another point.
Someone else in the same tweet, in the subtweet,
pointed out that people were targeting via phishing emails 24 hours ago.
So like yesterday, they were targeting GitHub.
So like specifically GitHub.
So my conclusion here with a little bit of cybersecurity history that I have
is that the guy,
the ex-employee got phished.
So he fell for the phishing attack
and his GitHub got compromised,
obviously.
And in my opinion,
I think the ledger
probably did not revoke his access
as they like fired him
or he was let go or whatever.
And that is my thesis.
I don't think that's the guy that actually, like, did the exploit. Like, if this is a sophisticated hack, this is a sophisticated exploit, so if this is a sophisticated actor, do you really think he would leave his public email into the... I just don't think it is. I think he got phished, and he's an ex-employee, and the Ledger did a mistake not revoking the access from his GitHub.
It does make sense.
As I said, it does make sense. It does, yeah.
Theory.
Yeah, theoretical.
In theory, yeah, of course.
It's not 100%, but that's common sense.
Yeah, Ran, quickly.
Just, Toby, just to go back to what you said once again, I want to be clear. I am not questioning the keys, coins ethos for your investment stuff.
I'm asking if you are a trader who's aggressively trading a bunch of garbage that you don't care about, that could be worth quite a bit of money, at this point I'd be pretty 50/50 on using a MetaMask or a Ledger and interacting with Unislop as I would by putting it on Coinbase, where it's secure and needs a YubiKey to do anything. You know, I would be pretty close there.
what happened. I was at my son's
birthday party when this all went down.
One of the things that I feel really,
really guilty about is that I do work too
hard. Because of crypto, I'll end up
working 24 hours. I'll end up working weekends.
I'll end up always looking at my phone.
The last thing that I wanted to do was be at my son's birthday party and be looking at my phone.
But when the news hit, obviously, we've been interacting with a lot of our wallets because that's what we do.
We're in crypto, right?
And there were no details about what actually was happening.
And so I was at my son's birthday trying my hardest not to look at the phone, but living with the thought that maybe, maybe, maybe every single one of our wallets today is going to be drained, and we're talking about millions. Okay, like, I don't even want to, you know, I don't want to put it out there, but a lot, a lot of money. Now the first thought that went through my head is, fuck this crypto shit, I'm going back to traditional banking. I mean, you know, I lost a lot of money in Luna
that nearly destroyed my life. And I just thought, if this is happening to me again,
after I've just rebuilt, and I've just started to rebuild, and this is happening to me again,
then my first thought was, I hate crypto. Like, you know, that's where I was. For a few minutes
at my son's birthday, I was at the point where I was like, I fucking hate this
industry. If they have just drained
every single one of the wallets that I've interacted with today,
I mean, I hate this place.
Even if they have this...
Hold on. What percentage of your
wealth is in wallets versus
centralized exchanges, if any?
Mario, you're robotic. I don't have anything
in centralized exchanges. I mean,
it's... I mean, we have custodians.
Obviously, we use custodians
for most of it.
But still, it's substantial
what's not with custodians
and stuff.
The problem is that
when you're with a custodian,
you can't trade,
you can't DeFi,
you can't stake,
you can't unstake,
you can't deploy strategies.
You want to get your money out. It's a lot
more complicated. So the majority
of our money obviously is with custodians, but
still a substantial amount is
with traders. We've got a
team of traders. They all have wallets. All the
wallets are loaded with money.
I'll give you an example.
We have a team of people that sit
in our office and airdrop fund. That's all
they do. So we give them each X amount of money.
Let me give you an example.
We could give you, if you're a sophisticated airdrop farmer,
we would give you a wallet with $100,000 in it,
and we would ask you to do and repeat multiple actions from wallets
to try and get us airdropped.
We have a team that does that, right?
Now, to be honest,
probably every single one of those wallets is actually compromised
because one of the airdrops we were farming
is a ZK Sync one,
and we know that ZK Sync was compromised.
Okay, now I'm too scared to plug the wallets in
to do anything with them.
I'm sitting here thinking,
well, you know what?
Maybe those wallets are gone.
Who knows?
Like, who knows?
It can be very difficult to compare and contrast different security architectures and all the tradeoffs between self-custody, third-party custody.
Obviously, as you said, you get a lot more functionality in DeFi in self-custody. The way I try to sum up the entire security model available to us in this space is that everything
that can go wrong in a self-custody setup can also go wrong in third-party custody.
Because if you think about it, they are just doing self-custody, but for a lot of other
people's money.
So you're actually, you're exposing yourself to a wider variety of threats
when someone else has the money or someone else has the keys, because they can screw up in all of
the possible ways that you could screw up. Yeah, but most of which we just saw. We just saw that
with Prime Trust and Fortress, who are two regulated, trusted custodians in the United...
Most smart custodians today use what's called multi-party
computation. What multi-party computation, I'm going to break it down quite simply, is,
in its most basic form, it shards your private key into three parts, and you need any two parts
to sign the transaction, and usually only one of the three parts is held by the custodian.
One is usually held by you.
And the second one is held by some third party.
And you need three signatures to access.
You need two of the three signatures to access the wallet.
And, you know, a lot of custodians are traditional custodians
which don't use that kind of technology.
But I think these days most of them are using MPC or multi-party computation.
I mean, Jameson, I assume that applies to literally everyone, what you're saying, correct? I mean, you know, because we know that, like, you know,
eventually BlackRock's going to be custodying their Bitcoin for the, uh, spot ETF, right? There's
got to be somewhere that, uh, at least large institutions or players are going to have to trust as custodians, in theory.
Yeah. So the short version is behind the scenes.
Any, quote unquote, good custodian is going to have a robust internal architecture that splits up the sort of command and control of the actual keys
internally. But from your perspective, that's a black box. You don't actually know what's
going on, you can't confirm what's going on. And it's still possible for them to have
vulnerabilities. The problem is, you just, you can't possibly know. So you know you are, of course, trusting that they
know what they're doing, and there's a lot of good custodians out there that do know what they're
doing. Yeah, just for the audience, and then Ran, maybe give a quick overview, because we've got a
lot more people today because of the hack, obviously. Just another quick overview for anyone that missed
it in the beginning, because there's still people messaging me, and I was replying to a few
of them saying, um, you know, is this just about Ledger? And they don't know that there's a lot more dApps, and
MetaMask is compromised. And I've also pinned the list of dApps that you tweeted for everyone else to see.
The full list is just pinned above. Go ahead, Ran. Yeah, so we're in the midst, we're in the middle
of a potential massive, massive, massive DeFi hack. We don't know a lot. What we do know is that the entry point to this attack
was malicious software inputted into what they call
the Ledger Connector app or the Ledger Connector.
Connect kit.
Connect kit.
And essentially anyone that's interacted and signed transactions
with this malicious, without knowing, with this malicious kit,
can have their wallet drained,
or some people have already had their wallets drained.
So the things that we don't know for sure is
whether the hacker can still drain wallets
that interacted earlier.
We don't know that.
We think we know some of the apps that are affected.
Metamask has come out
and Metamask has basically said,
I don't know, Scott, if you want to read that tweet,
but they pretty much said,
it's not only Ledger users that are affected.
Ledger was the entry point,
but now a whole lot of other dApps
are pretty much affected.
And the best advice
that we can give anyone today is step away from the computer and don't touch DeFi until experts
tell us that this is completely, completely safe. But for now, best advice I can give you,
stay away from anything to do with DeFi today. And when we say DeFi, we're talking about anything
where you approve a transaction on your
wallet, whether it's a hot wallet or a cold wallet. So anytime that it says, would you like
to approve this transaction? Would you like to connect your wallet? Don't do it today. Forget
about it. I just don't like, yeah, I think that's a 100% perfect summary. I just, to a degree, and
this is nothing against any of these specific parties or whatever,
like, how do we trust that they cleaned it up when they tell us they did? I'm sorry, don't, I don't want
to touch any of it for a month. It's completely pointless. You could not pay me to trade right now,
even if I saw... You picture it as a field full of landmines, and they assured you that they've cleared all the landmines.
My feeling is don't run into the field in the beginning.
It's exactly right.
Let others run in.
Let them blow up.
And since we're giving the recap,
Jameson, could you also just repeat what could happen next?
What's the best case scenario?
It's all been patched.
Not many dApps were compromised.
And what's the other alternative that got Ran to say that could become
the biggest hack in crypto history? Right. So the good news, this was caught very quickly. Why was it caught? Well, at least partially because the code is open. We can see what the code is. So I think once the
security experts have said they have fully audited and reviewed
the latest version of the code, it's generally going to be good
to go. I would imagine that will happen sometime today. It's
also interesting and almost ironic that we've created this incredibly decentralized,
like large ecosystem. And yet it still has these incredibly concentrated single points of failure.
If you think about it, what seems to have happened here, one account of one former employee of one company got compromised,
it appears. And that led to a vulnerability that affected hundreds of different apps used by who
knows how many millions of different people. It's an amazing level of fragility in an otherwise
robust ecosystem. So the openness of the ecosystem was one of the saving graces here
that allowed this malicious code to be detected quickly,
patched quickly, and now we're just sort of in the wait and see mode
of making sure that any places where that code might have gotten cached
and still could be getting served to people needs to get purged.
And in order for people to be able to go forward and be able to use these apps with some peace of mind.
I think one of the reasons, I mean, one of the things that people forget is that this is,
we're still in the Wild West phase of this space, you know, so things like this are
going to happen. We're only 14 years into this. And yeah, just as Jameson said, you know, it's
open source. So we can actually see what's going on. This is unlike any time in history that we
can actually do that. So yeah, it got caught is it's going code is fixable. And you know, I mean,
all this doom and gloom, yes, there's going to be some collateral damage, but the space is going to be even stronger after this.
Do we know who spotted the hack initially?
Anyone? We still don't know.
I haven't seen it.
The first one, the first thing that I saw, and I don't know if it was the first one, I saw some communication coming out from Sushi.
Sushi Swap.
They came out with some communication.
Bear in mind
that they believe that the first
wallet was drained at about 9.44
UTC. That was when they believe that
the first wallet was drained.
Again, please don't quote me. I'm only going
on the information that I have, so I don't know
if it was the real first or
whatever else. That was the first
time that we heard something. That was six hours ago.
And when did Ledger say it was patched?
I think about four hours later or something.
So I think it was about four hours later.
And has there been any – and we would expect more models to be trained,
most likely.
The question is how many more because it hasn't –
Mario, you're robotic.
Yeah.
We don't know.
That's the problem.
So Ledger came out
at two hours ago.
So they came out
at 3.31.
It's now...
They came out
two and a half hours ago
and they said
we've identified
and removed malicious version
of the Ledger Connect kit.
That was at 3.31.
Underneath they said malicious
version of the file was replaced
at 2.35 CET.
The SushiSwap
communication,
I'm just trying to find out when did that
actually come out?
That came out
at, no,
that was late.
I like,
I like,
I like whenever
softly,
I'm not roboting
again,
Scott,
but I like
whenever there's
bad news in
crypto,
Danish requests
to speak.
Whenever there's
good news,
he's not even
in the audience.
Maybe peaks in
and out.
Yes,
Danish.
Yeah.
What is it, Danish? Please. This is the future of money, guys. This is the future. I, I keep hearing this is the
future, but apparently the future can be hacked.
This is not much we could say back. You're not, not... Was it not your keys, not your coins? I think it's a good thing. I think, I think it's have fun staying poor, Danish. Have fun staying poor, buddy.
Is that
that's on your shift.
Well, I was gonna say today I made a proclamation on the morning show,
which for Scott is super scary, which is I am officially, it is the top.
And the reason why I'm saying that is because
I'm buying Bitcoin today
I'm just letting people
Who do you think convinced him
that it was an uncorrelated asset?
Wait, wait, wait. Guys, sell everything.
Guys, sell everything. It's time.
I don't think so.
I don't think so.
Maybe.
I convinced Danish, said even if he, well, I don't know if I convinced him, but we had the conversation that I said, even if you literally hate it, it's idiosyncratic and
uncorrelated.
And so you should have it in your portfolio.
So Scott going with the really soft, soft sell.
Yeah, Scott got it started.
And then Powell yesterday convinced me
that the whole game is now rigged.
I literally cannot believe
how incredibly incompetent our Fed is now.
Why?
Why only yesterday?
What happened yesterday?
What happened yesterday was the final straw that broke
the camel's back. We literally saw in the last, well, pretty much the last week, the CPI numbers
were doctored. They literally changed the numbers to fit a narrative. I've posted about that. I can
put it up in the nest. Specifically, they said that health insurance premiums in these United States
went down by 30%. That is a, obviously, they talked about how there was a change in methodology.
If you corrected that to the actual numbers, we actually saw that part of the basket go up by 0.2%.
So it only represents 0.53% of the total weighting. But just that alone would have made us have a CPI that was higher than expected.
If that would have occurred, there's no way they would be talking about rate cuts.
They're saying yesterday on the dot plots that we're expecting three, not one, not two,
but three rate cuts next year.
On what premise?
GDP is at 5.2%.
Unemployment data came in today.
Jobless claims are hot.
We're actually running at a hot economy.
So what are they seeing?
They're telling them that we should get three rate cuts next year?
Okay, one rate cut at the end of the year, we can talk about it.
One of them said six.
Danish, one of them said six.
One of the state officials voted for six.
It's a fucking Ponzi.
This is made up.
I'm sitting here.
Oh my God.
One of us.
One of us.
One of us. One of us.
I mean, yeah, you don't like CPI.
We just changed the
rules for how we calculate it.
And they've been doing that for, what, several decades
now? It just gets to be a bigger and bigger
joke until you see, what was it,
Krugman a few months
ago posting something about, like, we've defeated inflation, all you have to do is not include food,
housing, electricity, energy, uh, transportation, and inflation's really low. But, but this is like one
of those where it's, you know, obviously they're doing things differently. But this specific one is such an egregious change that it even got me sitting here.
And I've been one of those people saying, look, look, you don't want to fight the Fed.
The Fed is going to tell you what they're going to do, then they're going to do it.
Today, yesterday was the correlate, the opposite correlate to what Powell did with the Jackson Hole speech. Yesterday was the opposite
of that. He came in, you could tell he wasn't sweating as much. He wasn't touching his face
as much. He seemed very confident. You could tell that he essentially called victory in his own
special way. And it's incredibly dangerous. So the reason why I would be going into any sort of thing,
and I am buying gold also,
is because I'm sitting here asking myself
if this looks exactly like 76-77,
which by the way, if you go back and read
what people were saying at that time in 76-77,
it was the same thing.
Powell is no Volcker.
He does not have the spine or the cojones.
He is clearly-
Or 25% debt to GDP.
Exactly.
And so we're literally sitting here
in a day where the market is ripping,
people are celebrating,
and what we should be doing is calling for his head. This is incredibly dangerous. What
he's doing. Just want to be very honest. I just am shocked. Okay,
I'll let you finish. Go ahead. Unless he's seeing deflation,
expanding from China to the rest of the world, which is what I
think is happening. That could be the only reason why they're
getting ahead
of this, because this is incredibly irresponsible. Like, I have to I'm calling like, I'm calling I'm
putting the red flag up. This is this is nearly as irresponsible as causing calling inflation
transitory. This is incredibly dangerous, in my opinion. That's what he does. That's what he does.
I just need to just briefly say so I made a false assumption because I've been missing the finance spaces in
the morning, unfortunately, because driving kids to school. But I made the assumption that you were
doing it simply as an investment. And you just literally gave the Bitcoin pitch in a billion
years. I would have never thought that that was the reason that you bought it. I mean, I know
you're laughing, but I, I'm actually quite impressed. We talked, literally, didn't we just talk about it
yesterday? Was it, Mario? We were talking about strong opinions loosely held, and when, uh, intelligent
people who can even be, like, yeah, very strong in one direction are presented with new information,
they change. Yeah, Danish contradicts it, because that usually correlates with intelligence.
But yeah, Danish did demonstrate exactly that
when I was really enjoying the pitch that he gave us.
I'm incredibly impressed.
I'll be clipping Danish.
I'll be clipping just him
and streaming it in the finance space.
Are you going for my...
It's via CryptoPump tomorrow.
It's via CryptoPump.
Yeah, imagine.
Danish, if you want a promotion from the finance space to the crypto
space, please send me your, your, uh, your CV. I'll take a look at it and we'll let you know if we
would consider you. Uh, yeah, Dave, and also, also got Waheed. So Waheed also hasn't jumped in for
months. Waheed, just before Dave jumps in, Waheed, I think you got triggered by Danish's comments. Do you agree? Absolutely. I guess, you know, there's something
that was very, very different, but it actually started this week, early this week. For the first
time, Biden actually gave advice to the Fed. He was caught literally saying, you know what,
they ought to start lowering rates. He had never done that. In fact, he actually
was bragging that unlike Donald Trump, he was leaving the Fed alone,
etc. So he kind of broadcasted. Elections!
Exactly, exactly. And then Janet Yellen, literally
two days ago, the day before the Fed,
she literally spoke like a Fed chair. I mean,
it was insane. Giving statistics, inflation, and X-ing this and X-ing that out, and then
we ought to do this and all that. And then he basically comes and layers it in. So, you
know, basically the idea that he wants to front load the cuts so that he doesn't have to cut,
uh, June, July, August, September, uh, October, just right in front of the election. Front load everything.
Maybe, sorry, June probably included in the cuts. I think that's very valid. He was extremely political.
And, uh, yeah, I mean, if anyone here... Well, he... This is extortion. They're extorting and they're extracting from the American people.
No, I get that.
I get that.
We have never done this before.
They're extorting and extracting on all levels.
Like it's becoming a banana republic.
I mean, let's not kid ourselves.
It's becoming one.
I think it is, right?
Every day we tune in, it's like, Jesus Christ.
I mean, I don't know if you guys have.
I've been busy with Mario behind the scenes on all the other shows, right?
The political ones, the ones on Sunday.
I mean, it literally, you know, for people who sort of grew up in the establishment, you know, I was on Wall Street, et cetera.
I drank Kool-Aid like no tomorrow.
Used to make fun of conspiracy theorists.
And then in the last year, it's like you start to hear these stories and you just pinch yourself saying, you know, you got to hope that actually a lot of this is overblown, etc.
Now it's just blatant.
It is so it's surreal.
OK, just look what they're doing to Elon Musk.
Look what the FCC whistleblower this morning attested to.
Like, yes, absolutely.
The FCC was ordered to open up as many investigations on Elon Musk as possible. It's like there's no longer that now it's blatant, right?
And it's no longer
it's just blatant.
I mean,
it's been blatant for a long time. It was the reason
why I left the United States.
But we live
something special.
You can't say,
I always get annoyed when Grant says he can't go to South
Africa and say, yes, I left the U.S.
It's still far ahead most other countries in the world, but it is flawed.
And also, there's something very special happening, Rand, which is hard to explain.
I have to say, I know people have been talking shit about the Fed and all that.
It's a fiat, the fiat system, Ponzi crypto, whatever you guys talk about.
That's fine.
But this is a little bit different because they're actually
doctoring the underlying data
that they're then using
to rationalize decision-making.
That is new.
They did not change methodologies, man.
That's not a thing that they did.
This is new.
I'm telling you.
And to do this right before
an election year
at a time where...
I'll give you a really simple example.
It's a question I asked
at 5.2% GDP with unemployment being near, near all time, uh, all time lows. Today's jobs data
came in hotter than expected and, and, uh, American retail sales are higher than expected.
And we're talking about three cuts next year?
How?
To be fair,
the dot plot's never been right in history. But even to
hear the narrative is, yes, it's astounding.
Would you say that Fed pivoted
yesterday? They pivoted yesterday.
Beyond
reasonable doubt. I mean, it
was unreal.
Yesterday was the, was the bizarro Jackson Hole speech. It was the complete opposite. This time he literally said the words, you know,
we might be in a recession. Danish, listen, I was having a bad day today, bro. I woke up this morning,
you know, we've had this, we had this, the hack, the hack, you know. We still don't know who's affected.
I was a bit
disillusioned by crypto again.
I thought to myself, what the hell am I doing in this industry?
But I can tell you that
watching you turn like
this, bro,
I mean, this is not a good turn, man.
This is making me sad.
I'm sad about this. This is sad about the
American future. Yeah, we've been sad.
We've been sad, Danish.
We turned like this.
We're very sad.
We're very sad when crypto pumps, Danish, as well.
We share your sadness.
And it is very sad.
I hope Danish literally, like, buys a Lambo and retires on an island
because of his involvement in this.
Truly.
Because of his crypto pumps.
And Danish, I mean, you know, I do think,
in case you think I wasn't being genuine,
we are looking for another co-host on Crypto Town Hall
because, you know, Mario is so busy with politics
that we want to replace him.
We want to replace him.
So we're thinking of replacing him.
So, I mean, I really think you should apply.
We'll get you into shit coins.
Next thing you'll be buying bombs. We have, we have... No, no, right, right, we have the Degen show, the other one
that we do. We get down this on that one with all the shit coins. In all seriousness, is it all
seriousness, though, that when you, uh, you know, this is really fun. It has been the last few days.
But in all seriousness, when you listen to this, the entirety of this conversation,
doesn't it just make you a little bit more of a Bitcoin maximalist than maybe you were before?
That you should just buy Bitcoin and get the hell out of all of this?
We just talked about the hack as well.
So just take it easy.
It's a good day and a bad day.
Yeah.
I'm just saying that because of the hack and because of the Fed and all of the main topics we're talking about, all roads lead directly to Bitcoin and nowhere else.
The rest of it is, I mean, have fun and figure it out.
And listen, I love to speculate, but the rest of it's a trade.
To be completely clear about something, because I'm getting a bunch of DMs on the back end.
There was a question that was asked from one of our listeners.
Do I believe that the ETF will be approved?
The answer is no, but I still think that we're doing such a bad job as a government that
I have to put my money somewhere else.
Well, hold on.
You don't believe the ETF is going to be approved?
Not by January 15th.
Sorry, to be clear. I don't expect it to be approved by January 15th.
I expect it to be approved in 2025.
I am not convinced that in an election year.
Because of Gensler.
Because of Gensler.
Because in an election year, look at what Biden is doing.
Look at what these guys are doing.
You don't think they can push off an ETF approval until after the election? Of course
they can. They do whatever they want. That's how much support they want from Larry Fink.
The cash create narrative changes that in a big way. That is a massive, massive pipeline to TradFi.
So the cash create versus in-kind is a massive, massive difference in the Bitcoin ETF narrative.
It's the reason why I think it will be approved in January.
And we should probably change the whole fight the Fed conversation, change it to, you know, don't fight Larry.
Right. So the Fed basically works for Larry.
Just follow what Larry's doing. What's Larry been doing?
Larry's been grabbing a big bag of Bitcoin and a small bag of ether. So this entire conversation about Banana Republic and who's doing what, what's Larry doing? Right? So cash create again is a massive, massive, massive pipe to TradFi. And that hasn't gotten enough conversation over the last two days.
But the last, you know, six to 12 meetings that have that has happened between the ETF companies
and the SEC has basically been conversations about in-kind versus cash create. And the SEC
has drawn a fairly, fairly hard line in the sand about Cash Create.
So that's what it's going to be.
Just explain the difference for people who don't understand the difference.
So Cash Create essentially makes the Bitcoin ETFs,
the spot Bitcoin ETFs, much like a mutual fund.
So a mutual fund, you put your money in there, it stays in there,
but you're going to get a tax bill every year based on what happens inside the mutual fund. It's the reason why ETFs gobbled up enormous market share from mutual funds because ETFs effectively are in-kind mechanisms where whatever happens inside of the ETF, you're not getting hit with a tax bill on an annualized basis. You're effectively
tax protected. That's the difference between in-kind and Cash Create. Cash Create creates
a taxable event. I put out a tweet maybe an hour ago. Cash Create is a massive kick to the balls for Grayscale. Well, why? Grayscale's Bitcoin cost basis is really, really, really low versus
Larry Fink's Bitcoin product. Everybody else's Bitcoin product, right, which has been created
and beginning to fill the coffers over the last six to 12, maybe even 18 months. Grayscale's
Bitcoin product has been around for a long time. So cash create with redemptions of any kind or movement of any kind inside of the ETF is going to create a taxable event.
Well, that tax will be easier access,
easier to get it approved inside of their mechanisms and boards and all that stuff.
But it creates a real problem, for example, for a place like Grayscale. But point being is,
you know, what's Larry doing? You know, Larry knows what's coming.
Larry is, you know, he agrees with, I don't want to say his name wrong, but Donish here.
You know, he agrees that he knows what's going on.
He knows what's happening.
He sees it.
He hears it.
He hears it before anybody else does, right?
So he's loading up.
Cash create is a big deal. Everybody
needs to take a real look at it, have an understanding of what's going on, have an
understanding that that is everybody argued all the all the Bitcoin spot Bitcoin ETF applicants
argued against cash create and lost. So their bet is we're going to bend the knee on Cash Create. We're going to launch these products,
hopefully grab a ton of assets under management
and deal with the consequences
of Cash Create. But Cash Create is going to happen.
To me, it's one of the reasons why it's going to get approved in January.
Don, if you going to give advice?
Yeah, I mean, there's a bunch of stuff to unpack there.
The tax implications I'm not an expert on,
but it really has a lot to do with where you buy it, where you sell it,
how much of it is churning flow versus lots of creates followed by redeems later.
But the big difference in cash create means that the funds all are now going to have to,
part of their marketing is how much slippage they're going to have in performance because
of how badly they trade. So funds that have the ability and have scale to trade using modern tools. Now,
I don't want to show my own company, so I'll just leave it at that. We'll have better performance
than ones that just trade in other ways and use their custodians to trade before them. So trading,
all of a sudden, where if it was not cash create, then you could use, uh, the best market makers, the
best ways to actually acquire your Bitcoin, however you did it, the miners, whatever. But you won't be
able to do that except for seeding. And so it means that when you want to create, you're going to be
publishing a price all day long, and if you can't buy Bitcoin at that price, your fund performance
will be lower. And if you buy it at a better price, your fund performance will be better.
And so it puts trading into the equation, which some people have vested interest in that being good or bad.
So that is important.
It is why, by the way, they didn't want that because funds didn't want to have to worry about that.
They wanted to be able to outsource that, and now they can't.
So that matters. But I want to go back to the Fed because Scott knows this for about a year and a half. Almost every Monday, I have said
that in 2024, the Fed is going to go dovish. There is no effing way they were going to be tightening
or not have stopped going into an election cycle. I'll have to admit, even I was surprised at how
absurd yesterday's
speech was. And of course, the FX markets, which are generally not terribly volatile.
Has anyone looked at the euro, the pound, the yen? I mean, you're talking 1% moves, boom,
you know, in 24 hours. Those are big moves that the whole world is basically saying, wait a minute,
what the hell is going on in the U.S.? And that is the Bitcoin narrative.
Actually, Bitcoin.
Dave, treasury is less than 4%.
10-year less than 4%.
Yeah, that's right.
Like, what is going on?
I understand.
Yeah, exactly.
That was going to be the next thing I was going to say.
Thank you.
It was going to be, how the hell did we go?
We've lost.
Just think about it.
The treasury yield, what has it been, a month since when it tapped 5%?
Those are just extraordinary moves. I mean, people talk about Bitcoin's not investable
because it's volatile. When the 10-year bond yield moves by 20% of its yield, I mean, 5% to 4%
in about a month, that is a big move. And so the use case for Bitcoin, I'm not surprised Dr.
Danish and other smart people aren't saying, OK, wait a minute, this really needs to be part of your portfolio.
I mean, we could talk about this at length and will, but it is kind of a big deal.
Just to be clear, you're not categorizing Danish as one of the smart people.
I just want to make sure that we all are.
And then someone else, I noticed this.
Someone apparently asked Danish about his source about the ETF.
Either Danish is making shit up or Danish is part of the crypto crew now.
But I do want to echo one thing I think it was Andrew was saying.
But the fact is you have to understand the SEC does not get into the weeds on the mechanisms of how an ETF and that stuff is going to work without approving it.
That virtually never happens.
So the fact that they have done this, what you have to understand is,
the ball is at the one-yard line, and we're talking maybe the one-inch line,
and we have the Philadelphia Eagles.
Hold on.
Ran, you've got a hot mic again, man.
I was just going to say that the fact that BlackRock and others have all amended their filings to go to cash
in-kind, cash versus in-kind create. And by the
way, obviously, redeem too. It doesn't have to go that way. There will be two prices,
the redeem price and the cash price, but you create price. But
maybe later in later spaces, we can talk about ETFs
so people can understand.
Dave, sorry, I need to interrupt because Ledger just tweeted a full update. I know that people are waiting for this.
Go right back.
It's their final timeline and update to customers.
You can find this at Ledger.
Ledger Connect Kit Genuine Version 1.1.8 is being propagated now automatically.
We recommend waiting 24 hours until using the Ledger Connect kit again.
The investigation continues.
Here's the timeline of what we know.
By the way, Smiley, you were correct.
This morning, CET, a former Ledger employee,
fell victim to a phishing attack.
It gained access to their NPMJS account.
The attacker published a malicious version of the Ledger Connect kit,
affecting versions 1.1.5, 6, and 7. The malicious
code used a rogue Wallet Connect
project to reroute funds to
a hacker wallet. Ledger's technology
and security teams were alerted and a fix
was deployed within 40 minutes of
Ledger becoming aware the malicious file
was live for around five hours. However, we
believe the window where funds were drained was limited
to a period of less than two hours.
Ledger coordinated with WalletConnect, which quickly disabled the rogue project. The genuine
and verified Ledger Connect Kit version 1.1.8 is now propagating and is safe to use. For builders
who are developing and interacting with the Ledger Connect Kit code, the Connect Kit development team on
the NPM project are now read-only and can't directly push the npm package. For safety reasons, we have internally rotated the secrets to publish on Ledger's GitHub. A whole lot about, uh, yeah, I mean,
it goes much deeper, but, uh, it says that Chainalysis... uh, thank you to WalletConnect, Tether,
Chainalysis, ZachXBT, and the whole community that helped us, the community that helped
us identify and solve this attack. It seems that the Tether is frozen.
Ledger, along with WalletConnect and our partners,
have reported the bad actor's wallet address.
The address is now visible on Chainalysis.
Tether has frozen the bad actor's USDT.
That's good news.
Reminding you to always clear sign with your Ledger.
You guys can read it.
That's the gist of it, but it seems they fixed it within 40 minutes.
It was live for a couple hours, and maybe they got the worst of it here.
But, man, this could be really, really ugly.
Crisis averted.
I asked Jameson.
I don't know.
Jameson, what do you think?
Melt-up continues.
Is that what you're saying?
Well, I think for price, yes.
Pretty much what I think we were speculating was the likely cause, but I'll say this is a fairly amateur mistake on Ledger's end.
And by that, I mean, this is a standard software-as-a-service security architecture issue: you should have what we call two-man rules around the review and deployment of all
code. And so whatever architecture Ledger had internally around deploying those NPM packages,
it allowed a single employee to write and deploy code. And that's a single point of failure.
That's really what I harped on an hour
or so ago: the fact that despite how distributed and decentralized this system is, we still have
these insane single points of failure. So it sounds like, you know, Ledger has figured out
that they need to make the deploy process more robust there. And going forward, it seems unlikely
that this specific type of attack will
happen again. But this is the nature of security is that bad things happen, you learn lessons from
them, and you harden your security processes as a result. And did they say, by the way, Scott,
did they say it's a former employee? Does that mean they fired him after this incident?
I think it's, I don't know if the implication is that he got fired for this or that they were already a former employee who got exploited.
I can't.
It sounds like they were already a former employee,
and that would just indicate another ball that they dropped,
where this is another failure.
There's a standard security practice that former employees, you know, authentication mechanisms as soon as they are determined...
This is the second or third Ledger issue in the last 18 to 24 months. I remember the last one.
I just... third, when they had the, uh...
Well, I don't know if it was 18 months, but they obviously had the data
breach that had nothing to do with any of this. And then they had the controversy over their new program, you know, for recovering keys. And that sort of showed that maybe someone else... I don't remember the exact details, but yes, they've been in a controversial situation about three times at least.
Yeah. I mean, at some point,
shouldn't you kind of bring folks like Jameson in and have a couple of
conversations about how to avoid his own company.
I know, but still, I mean, point being,
people like it, it's, you know,
this should feel fairly elementary, to avoid stuff like this.
But, you know, who am I to say?
I guess what you guys can do is, I mean, if you're worried about this stuff,
then, you know, have multiple different hardware wallets that you put your coins on.
At least you're, you know, as anti-fragile as you can be.
Yeah.
Yeah, I figured that. Am I, am I robotic? No. Um, so with this update, so you guys said the worst has been averted. So does that mean, because I spotted it
too early, that it is not going to be that many dApps affected, it's not going to be that many wallets?
This is Ledger, right? This is coming from Ledger and talking about...
Yeah, but if Ledger...
I wouldn't, I wouldn't start jumping into anything else that could have, like...
No, but if Ledger patched it, but Ledger was the entry point, if the entry
point was closed up that quickly, it just means that not that many wallets would have been affected.
I'm sure there's a bunch of them, I mean, but it just... MetaMask, MetaMask also deleted their tweet,
the one that said it doesn't matter whether you use a Ledger or not. That tweet's also...
Wow, okay, that's important. He deleted it?
Yeah, that's very important.
Yeah, I like how he mentions it casually. But so what would you make of this, Jameson?
I, I think it's showing that it's fairly minimized.
We'll know over the next day or two.
Like you said, the drainer doesn't necessarily need to take all the funds, though.
I would suspect at this point, since they've been found out, that they're going to be draining as quickly as possible and that they have likely already drained everything that they could drain. Sounds like Tether has frozen the funds, but apparently the USDC funds that they had drained
were not frozen in time and they already converted that to something else.
So I think at this point, it's probably mostly going to be on the Chainalysis folks to try
to follow their movements.
And this is a perfect example of the advantages and disadvantages of
centralization. So with the, obviously the hack itself,
it shows a disadvantage, but then with Tether being able to freeze,
some of the funds that were, that were drained,
just shows an advantage, David.
Yeah. I mean, it seems like they're going to get away with nothing.
That's what it sounds like.
Yeah. How much did they get away with, with, with USDC?
It was only a few hundred.
It was only,
well,
yeah,
I don't know.
It was only a few hundred thousand,
but I'm assuming that is being watched very closely now.
I don't know what it was for USDC.
Jameson was the one who quoted that.
I didn't see that in the ledger part.
David.
Oh yeah.
I just wanted to bring the conversation back to,
to macro Powell, back to macro.
Powell, Bitcoin ETF approval.
I'm sorry that Danish prominence El Salvador and the experiment in Argentina going on under Milei right now could possibly get, and
contrast that with what's going on here in the United States, right? So we've got, I think,
you know, general consensus on this call that, you know, the Fed is not doing the prudent thing
in terms of if it does, in fact, go ahead and cut rates next year.
And we are not being, you know, managed. The U.S. economy is not being managed properly.
You have Milei in Argentina who, you know, whether he'll get to dollarization and whether
he'll get to Bitcoin being legal tender, you know, very quickly.
We'll have to wait and see. But clearly, based on his acts on the first day of his presidency,
you know, is really serving it up straight as a real libertarian. And, you know, he is going to
go ahead and, he's going to radically change, try at least, to radically change the society there in terms of being fully transparent and having very little, having the smallest government footprint, frankly, out of any government that's out there.
And then El Salvador, you know, clearly in the black on its investment in Bitcoin and only going bigger on that investment.
Those two countries are not particularly notable in the worldwide scheme of things,
but in terms of the experiments that they're undergoing,
I think they're really good.
Let me jump in, David.
I want to bring the conversation back to the hack.
Is he okay with us mentioning his name?
Did he give you an okay?
Yeah, the CTO of SushiSwap DMed me, Matthew Lilley,
and he said, hey, I'm listening to the spaces
and I'm the one who broke the news.
So we'd like to get him up on stage, of course.
And we did mention, obviously, without his name, that it was from SushiSwap CTO that we'd heard it.
So if he can answer where we're at.
Yeah, I just saw a message as well.
He sent it to me 16 minutes ago.
I apologize, Matthew, for missing it.
I've just sent you an invite request to speak as well.
If you're listening, let me just reply.
Oh, there you go. Is that him?
Oh, no, that's not him.
Let me just reply to him quickly.
Uh,
a request.
All right,
we'll get him up.
Uh,
be good to get his thoughts on this.
And if you are the one that broke it,
Matthew,
I'm assuming you did consider you saying you did.
Uh,
congratulations.
I appreciate it.
Yeah,
I agree.
I've just sent you an invite,
man.
You can actually see in the audience.
Scott, did you ask him?
Okay, he said yeah.
He brought it up.
Hold on.
Did he come up or leave?
He's on stage.
I don't see it.
I don't see anything.
No, no.
Yeah, it would be good to bring him up, Matthew,
get your good thoughts on this.
But otherwise, appreciate you spotting the vulnerability, so, uh, credits to you. Um, but
I think that's pretty much it, Scott. I think we've covered the story well. If he's not coming up, I
feel like we have to end it at, seemingly, things are improving. I think we got good insight
there. But we should have literally just crashed the rug, the Spaces, the minute that Danish said
that he bought Bitcoin.
Should have just ended it.
Yeah.
Because that was such a revelation that we could,
we could only go down from there.
Yeah.
I'm just checking the news if there's anything else,
by the way,
are we doing Spaces on,
on New Year's,
uh,
New Year's Day and Christmas Day,
or just taking those days off?
I don't know.
How much trouble do you want us to be in with our family and
children and wives? That you don't...
Yeah.
I don't want my wife and kids to miss me on those days.
You're right.
Anyway,
I think,
I think we've covered it well.
Yeah,
I think we did.
All right.
Well,
thank you,
Matthew.
If you didn't get up,
appreciate you.
Thank you.
Yeah.
Everyone give him,
give him a follow.
It's at Matthew, double T, Lilley, L-I-double-L-E-Y.
So give him a follow and a thank you.
Cool. Thanks, everyone.
Awesome. Bye.