51 / The Heist

A thrilling episode on the OlympusDAO hack and the two options for hacking in web3. Discover the pros and cons of white hat hacking and the new responsible disclosure in the world of cryptocurrencies.

Timeline

00:00 Intro

00:42 OlympusDAO hack

01:37 Two options for hacking

02:29 If you hack then you decide whether to return

03:07 Should you "responsibly disclose"?

15:25 Etherscan needs better source code view

16:02 I support Tor

17:03 Tracing shell games of stolen tokens

Participants

@fulldecent

William Entriken

@dtedesco1

Daniel Tedesco

@t012n4d0

???

@Rito_Rhymes

Ritorhymes

@cryptonerdylady

???

@merwyx

???

@yodude38

???

Episode notes

• On October 21, 2022 OlympusDAO lost and later recovered $292K due to an insufficient function parameter validation flaw.
  • Hack review
    • Set up another contract first
    • Exploit only used the transfer function
    • Looked up the transfer in Etherscan
    • Attack breakdown – bondexpiry contract has permission against
      • First call robot
      • Robot Look up balance
      • Redeem something against bondexpirycontract
      • Bondexpiry calls back to expire()
      • burn() (which seems to be ignored)
        • Function requires caller to be ‘teller’ – we ran out of time and didn’t figure out how robot got teller status
      • Bondexpiry called underlying(), asked robot
      • Robot lies about underlying
      • Bond contract then performs transfer for the balance amount
    • Should not have trusted bond contract
    • Should not let underlying() be updated–it should be set at the beginning
  • = “function is broken bad, anything can happen”
  • Options: don’t hack, hack and get ALL the money; non-option: hack and get some of the money
    • If you don’t, someone else will finish the job right away (everything you do on-chain is public)
    • White hat – take the money and then you have the option to give it all back
      • What difference does intentionality make? How do governments address it when someone claims they are white hats?
      • It might not be obvious where to return the money
    • No hat – If you just tell the org, maybe they will just use the exploit for their own gain
    • “Taking all the money is the only way to prevent anyone (else) from taking all the money”
    • “Taking the money is the new responsible disclosure in web3”
  • Epic heist tips (even for white hats)
    • Don’t use home computer or wifi
    • Can’t go unTOR-ed or un-VPNed even once
    • Worry about MTG-like “fizzles”
    • Upleveled OpSec is required (i.e. always using yarn in docker)
    • “This isn’t being paranoid [pause] that’s what a paranoid person would say.”
    • Anonymity buys time
• https://bitcoinmagazine.com/culture/if-you-love-bitcoin-you-should-help-tor
  • Support Tor: https://donate.torproject.org/
  • Wikipedia entry