by flooow 1060 days ago
Every time I hear about another massive hack on Ethereum, I feel a little bit sad that I didn't specialize in software security. For many years there were huge amounts of free cash just sitting on a table waiting to be taken, a victimless crime (VCs and cryptobros are not victims, everyone is playing the same game).

I expect the low-hanging fruit has gone now. And setting up spearphishing attacks to scam teenagers out of their NFTs doesn't seem as noble (or as profitable).


As a dark-hat in the space you'd have a pretty good chance of being caught by Chainalysis eventually.

Meanwhile there are still hundreds of millions of dollars of bounties available for white-hats who responsibly disclose.

The dark-hat hackers who aren't held responsible are likely in either Russia or North Korea.

It's amazing how quickly "code is law" becomes "regular law is law" when the code allows all your money to be stolen. And that is the nail in the coffin of this ideology. Proponents of blockchain claim one day your house deed will be on the blockchain. What happens when people hack your house away from you then?
Code is law. The issuer of tokens backing RWAs should be able to figure this out and reissue.
So, the issuer of tokens is law
If the code allowed the issuer such flexible control, then yes. But many tokens have immutable implementations that can no longer be altered after deployment.
The only people that think code is law are hardcore libertarians / anarchists, which was the majority of crypto in 2011 but obviously isn't now.

The most likely way houses and other real world assets will exist is via a 2/3 multisig on the tokens. The 3 participants being: Government, Management Company, User.

If you lose your keys or get hacked you can go to the government + company responsible for the assets and get them back. If the company screws up the users can work with the government to get their assets back.

The advantage of this over a traditional government database is transfers can be made much more efficient because the government doesn't have to be involved in every transfer, they only step in if things go wrong.

At most you are going to make a few thousand, maybe if you're super lucky and skilled, a few tens of thousands of dollars on bug bounties. Compared to the amount of poorly-secured money that was/is in crypto, it is a pittance.

Add to that the fact that many of the hacks are largely legal consequence free due to crypto's famous lack of regulation (by design, lol), the economics are far more skewed towards the black hats over the white hats.

I don’t work in crypto but I read a ton of tech blogs and this guy:

https://cmichel.io/

Seems legit and claims to have made one million in 14 months in bug bounties, although he was #1 on some leaderboard. Based on his blog I think he’s probably one of the best in the world at smart contract security so it’s probably not a realistic goal for most people, but assuming the blogger is honest I think you underestimate the potential for top white hats. Certainly the big black hat hacks are far bigger money but a million is nothing to sneeze at, especially for no legal or moral risk.

Doing crime on a system with a perfect immutable record doesn’t seem like a smart play to me.

As noted above, firms like Chainalysis will continue to uncover and attribute all of the nodes in the graph. If you are taking 100s of thousands or more through fraud the incentives are aligned to see your crimes prosecuted.

Is it a crime if the smart contract acts as coded, but not necessarily as intended?
Yes. There are those who claimed they just performed a "highly profitable trading strategy", and are now sitting in jail.
I think the main takeaway here is that in many cases wrt crypto, it is highly ambiguous on whether the actions you take are criminal or not.
Agreed, especially given that frontrunning and similar techniques are almost inextricable from the technology’s default behavior.

However, actors other than law enforcement can also perform chain analysis, and you’d probably prefer to stay anonymous if you engage in such practices…

It can't be a crime. The contract is always executed exactly as written.
There are loads of bounty payouts in the hundreds of thousands. Probably 1000 payouts per year at that size. Most protocols would rather pay out $1 million than lose $100M to an exploit.