Bounty and Monkey Business: The Truth About the Crypto Bug Epidemic

In February, Twitter user Brodan, an engineer at Giphy, noticed something strange about Bored Ape Yacht Club (BAYC), the premier ape-based non-fungible token collection. A record intended to cryptographically prove the credibility of Bored Apes contained 31 identical entries, which was supposed to be impossible. “There is something very suspicious about some of your apes,” Brodan wrote.

Six months later, Brodan’s question still went unanswered when the Garbage Day newsletter drew attention to the issue. Situations like this are all too common in the cryptocurrency industry and the wider open source community, and they raise the question of whether there is a fundamental problem with the idea that large numbers of amateurs can effectively scrutinise large projects.

The problem lies in an obscure record called the “provenance hash”. This is a record published by Yuga Labs, the creator of BAYC, intended to prove that the initial allocation of apes involved no monkey business (sorry). The problem the team had to solve is that some apes are rarer and more valuable than others, and in the initial “mint” the 10,000 apes were assigned at random. To show that it had not handed the valuable ones to insiders, the company published a provenance hash to prove the apes had been randomly distributed: a list of cryptographically generated signatures, one for each of the 10,000 apes, demonstrating that the apes were pre-generated and pre-assigned without revealing what their characteristics were.

So far so good, except that 31 of these signatures were identical. The 31 apes they were assigned to were different, which means those apes’ provenance records were broken.

Earlier this summer, I asked Yuga Labs about the duplicates, and they pointed to circumstantial evidence that the company wasn’t pulling a fast one at the outset. That is reassuring, but unsatisfying. If you find out that the company that installed your burglar alarm never wired it up, then “nothing was stolen, right?” is only a partial answer.

When pushed, the company investigated the issue further and found the cause of the problem. While the provenance hash was being prepared, the server storing the ape images returned a rate-limiting error. Thirty-one times, that error meant the company unknowingly generated a cryptographic signature for the error message “429 Too Many Requests” instead of for a picture of a monkey. Oops.
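The failure described above, as an added example (not Yuga Labs’ code): the provenance entry is modelled as a SHA-256 over the fetched image bytes, the image host is a constructed stand-in that throttles some requests, and the naive pipeline hashes the 429 error page just like an image, which is exactly what a duplicate check on the finished list reveals.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    content_type: str
    body: bytes


class FakeImageServer:
    """Constructed stand-in for the image host: the first request for every
    token whose id is divisible by 5 is rate-limited, a retry succeeds."""
    def __init__(self):
        self.attempts = defaultdict(int)

    def fetch(self, token_id):
        self.attempts[token_id] += 1
        if token_id % 5 == 0 and self.attempts[token_id] == 1:
            return Response(429, "text/plain", b"429 Too Many Requests")
        return Response(200, "image/png", b"PNG-bytes-for-ape-%d" % token_id)


def naive_provenance(fetch, n):
    # Hashes whatever comes back; a 429 error page is hashed like an image.
    return [hashlib.sha256(fetch(i).body).hexdigest() for i in range(n)]


def checked_provenance(fetch, n, retries=3):
    # Only hashes a successful image response; throttled requests are retried.
    hashes = []
    for i in range(n):
        for _ in range(retries):
            r = fetch(i)
            if r.status == 200 and r.content_type.startswith("image/"):
                hashes.append(hashlib.sha256(r.body).hexdigest())
                break
        else:
            raise RuntimeError(f"token {i}: no valid image after {retries} tries")
    return hashes


def duplicate_entries(hashes):
    # The audit that exposed the problem: identical entries for different tokens.
    seen = defaultdict(list)
    for token_id, h in enumerate(hashes):
        seen[h].append(token_id)
    return {h: ids for h, ids in seen.items() if len(ids) > 1}


ERROR_HASH = hashlib.sha256(b"429 Too Many Requests").hexdigest()

if __name__ == "__main__":
    print(duplicate_entries(naive_provenance(FakeImageServer().fetch, 20)))
    print(duplicate_entries(checked_provenance(FakeImageServer().fetch, 20)))
```

Anyone can run the duplicate check against a published provenance list; it needs no knowledge of the images themselves.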

The Bored Ape Yacht Club NFT sign in Times Square in June. Photo: Noam Garay/Getty Images

I asked Kerem Atalay, co-founder of Yuga Labs, who works under the handle Emperor Tomato Ketchup, whether he felt the years-long gap between the problem and its solution had weakened the validity of provenance hashes. If no one checks these things, what’s the point? “The provenance hash ceased to be an important feature of this entire project the moment it exploded,” Atalay said. “If one pixel in the entire collection had been changed after that point, it would have been very obvious.”

That said, while provenance hashes are useful in refuting accusations of favouritism, it’s no surprise that nobody checks them in the absence of accusations. Yuga Labs made a similar defence of a year-long oversight discovered months ago: despite promising to give up the ability to create new apes, the company retained that ability and could have minted more whenever it wanted. Unlike the provenance hashes, this capability drew rapid attention, and in June 2021 Yuga Labs said it would fix the oversight “in the next day or two”.

In fact, it took over a year. “We’ve been meaning to do this for a long time, but we weren’t paying enough attention,” Atalay tweeted. “Now I feel comfortable doing it. All done.”

Such issues are not limited to Yuga Labs or the crypto sector as a whole. Last week, Google’s cybersecurity team, Project Zero, announced a new security vulnerability in Android. It was a first for them: the exploit had already been used by hackers “since at least November 2020”. The root cause of the bug is even older, having been reported to the open source development team in August 2016, with the proposed fix rejected a month later.

This means that almost every Android smartphone on the market has carried a significant security weakness for years.

It’s unclear how long the vulnerability has existed in the code, but in other cases that gap can be enormous: bugs have been discovered that had existed for 20 years.

And last December, a vulnerability was discovered in a logging tool called Log4j. It “may be the most serious computer vulnerability in years”, said the National Cyber Security Centre. The bug was hardly complicated, and an attacker needed little effort to take control of “millions of computers around the world”, yet it had sat undiscovered in the open source software for eight years. This oversight was both embarrassing and devastating for those who believed in the security model of open source software. It meant that the affected versions of the software were ubiquitous and that the ongoing clean-up process might never be complete.

Small bug, big problem

Open source software like Log4j underpins much of the modern world. Over time, however, the underlying assumptions of the model have begun to show weaknesses. A small piece of software that is used and reused by thousands of programs, and eventually installed on millions of computers, ought to have every eye in the world scanning it for problems. Instead, it seems that the more ubiquitous and functional the software, the more people rely on it without checking it. (As always, there is a related cartoon from the webcomic XKCD.)

In a twisted way, cryptocurrencies have solved some of these problems by providing a measurable economic return for bug discovery. The idea of “bug bounties” is not new: large software developers such as Apple and Microsoft pay people who report security vulnerabilities. The idea is to provide an incentive to report flaws rather than to create malware that exploits them, and to fund the kind of crowdsourced research that open source software is supposed to encourage.

A crypto project effectively has a built-in bug bounty that runs 24/7 from the moment it’s switched on. If you’re a smart person who finds a bug in a decent crypto project, the bug bounty could be… all the money that project holds. So when North Korean hackers found a hole in the video game Axie Infinity, they made off with over $500 million. The downside of such an approach, of course, is that while bugs are discovered quickly, projects tend not to survive the experience.

The saving grace for Yuga Labs is that the only people who could have exploited the oversight are Yuga Labs employees themselves, who are increasingly seen as trustworthy enough not to worry about. Investors in the broader crypto ecosystem, however, would do well to be cautious. Experience shows that even when someone says they have published verifiable evidence, there is no reason to believe that anyone has actually checked it.