In February 2022, Bored Ape Yacht Club (BAYC), the leading collection of non-fungible ape-based tokens, caught the attention of Twitter user Brodan, an engineer at Giphy. There were 31 identical entries in a record intended to cryptographically demonstrate the reliability of the bored monkeys, which was supposed to be impossible. “Some of your apes are super-suspicious,” wrote Brodan.
Brodan’s question remained unanswered, even after the newsletter Garbage Day brought it to people’s attention. The issue begs the question of whether there is anything fundamentally flawed with the notion that a group of amateurs can successfully hold massive projects to account. Unfortunately, the situation is widespread in the crypto business and the larger open-source community.
The “provenance hash” is a mysterious record cited as the root of the problem. Yuga Labs, the company that created BAYC, created the document to demonstrate that there was no irregularity in the original distribution of the NFTs. Some apes are rare and more precious than others, which presented a challenge for the team to overcome. However, they were distributed randomly among the first 10,000 applicants in the “mint” phase. They published a provenance hash, a list of cryptographically generated signatures for each of the 10,000 apes, to show that the apes had been pre-generated and pre-assigned without disclosing their characteristics. It was proof of the random distribution instead of allocating a few valuable ones to insiders.
So far, so good, but 31 signatures were the same and proved that the provenance hash record was faulty. It could have also meant that Yuga Labs could have theoretically altered them to suit the buyer’s preferences.
When questioned about the duplicates earlier 2022, Yuga Labs at first cited circumstantial evidence that it hadn’t been a scam: neither of the 31 apes had particularly desirable qualities, nor had they gone to someone with insider connections. However, the response, though accurate, was also inadequate. “Nothing’s gone missing, has it?” would only be a partial response if you discovered that the firm that installed your burglar alarm had never connected it.
When pushed, the business looked into the issue more thoroughly and discovered the root of it: while creating the provenance hashes, it caused a server hosting the photos of the gorillas to experience a rate-limiting error. Due to this oversight, the company unintentionally created cryptographic signatures of the error message “429 Too Many Requests” 31 times instead of the cryptographic signature of a monkey’s picture. Oops.
The instant this project exploded, the provenance hash lost some importance. After then, it would have been blatantly clear if even one pixel in the entire collection had changed.
Provenance hashes can be used to disprove claims of favouritism, but if no claims are made, it is understandable why no one would examine the hashes. However, a few months ago, the market discovered that Yuga Labs had committed another long-standing error. Despite vowing to forgo it, the business maintained control over the power to generate new apes anytime it pleased. Unlike the provenance hash, the community quickly discovered that capability, and Yuga Labs announced in June 2021 that the error would be corrected “in the next day or two.”
It took more than a year before Atlay said, “Even though we had planned to do this for a while, we held off out of great caution. I feel at ease doing it now. I’m done.”
These problems are not exclusive to Yuga Labs or the crypto industry as a whole. For example, Google’s Project Zero cybersecurity group discovered a new Android security flaw in 2022. The exploit had been manipulated by hackers “since at least November 2020,” so it wasn’t new to them. Google notified the open-source development team of the bug’s underlying cause; however, in August 2016, the team turned down a proposed repair a month later.
For practically every Android phone on the market, that translates into years of significant security flaws, even though the issue is readily apparent in the public record.
Uncertainty regarding the time the vulnerability existed in the code can lead to severe issues in other circumstances. For example, a bug that has been present in the command-line program Curl for 20 years was found in April.
And in 2021 December, vulnerability in the logging program Log4j was found, which the National Cyber Security Centre described as “possibly the most serious computer vulnerability in years.” The weakness was scarcely complicated, and an attacker would not have needed to make many attempts until they could have potentially taken over “millions of computers worldwide.” However, it had lain dormant in the source code for eight years. That omission was embarrassing for those who supported the open-source software security approach and also disastrous because it meant that affected software versions were widely distributed. The ongoing cleanup procedure might never be finished.
Little bugs, big issues
Open-source software supports many aspects of the modern world, including Log4j. But with time, the model’s fundamental presumptions have begun to reveal their shortcomings. The world should look for issues with a small piece of software that is utilized and reused by hundreds of other programs and ends up on millions of computers. Instead, it appears that people are more willing to rely on software without double-checking how widely used and valuable it is (As usual, a pertinent cartoon from the website XKCD comes to mind).
Perversely, crypto has addressed some of these issues by making finding flaws economically beneficial. For example, a prominent software developer like Apple or Microsoft will compensate users who identify security problems. This practice is known as a “bug bounty.” The goal is to encourage bug reporting rather than malware abuse and support the crowdsourced research that open-source software promotes.
When a crypto project begins, it has a built-in bug bounty that runs around the clock. If you are the cunning person who discovers a bug in the right crypto project, your bug bounty could be all the money the project has. Therefore, when North Korean hackers found a flaw in the video game Axie Infinity, they made off with more than $500,000,000. Of course, the drawback of such a strategy is that while flaws are promptly found, the project typically fails.
The USD 162 million at risk at Compound Labs
It turns out that millions more than we initially believed are at risk after the popular decentralized finance, or Defi, staking platform Compound through a bloodbath. According to Robert Leshner, the founder of Compound Labs, a very bad upgrade has left about $162 million up for grabs.
The cost of comp, the native token of Compound, has decreased by around 4.8%.
The CEO of Compound first noted in a tweet that there was a limit on the number of comp tokens that could be unintentionally issued, adding that “the impact is bounded, at most, 280,000 comp tokens” or $92.6 million.
However, Leshner disclosed that the cash pool that had previously been depleted had been refilled, leaving additional 202,472.5 comp tokens, or around $66.9 million at the current price, vulnerable to attack.
According to some, the biggest-ever fund loss in a smart contract issue, including a core developer at Defi platform Yearn, although investors don’t appear to be very concerned.
The largest-ever money loss was ignored by the cryptocurrency market, according to Mudit Gupta, a core developer at the decentralized cryptocurrency exchange SushiSwap. As a result, Defi’s future is promising, but there is still much to learn because this is unknown ground.
Conclusion
The excellent news for Yuga Labs is that the only people who could take advantage of the oversights were Yuga Labs personnel, who quickly gained a reputation for being reliable enough not to be concerned. However, investors in the larger crypto ecosystem would do well to exercise caution: even if a person claims to have released proof of their reliability, experience suggests there is no reason to believe anyone has verified it.
The biggest problem with crypto is that it can’t seem to exterminate its bugs. Every time a new bug is found, the community rallies around and fixes it, but there always seems to be another one waiting in the wings. It’s a never-ending battle, taking its toll on the people trying to make crypto a success.