By: Ria Bhutoria and Wilson Withiam
Know & go
- A closer look: We provide a closer look at the vulnerability discovered in a 0x smart contract and the quick response from the 0x team to patch it and prevent exploitation.
- Three things to know: (1) Facebook’s David Marcus sat in front of the U.S. Senate and House of Representatives to answer questions regarding Libra (2) Set Labs introduced a new Ethereum-based portfolio management strategy featuring automatic asset rebalancing (3) The NYDFS granted SeedCX subsidiaries a pair of licenses, paving the way for SeedCX to offer crypto derivatives.
- Market snapshot: Total crypto market capitalization is around $272.2 billion at press time (down 10.0% w/w). BTC is trading at $10,364 (up 3.5% w/w), ETH is at $218 (down 20.4% w/w). BVOL (the rolling 30-day annualized Bitcoin volatility as calculated by BitMEX) is 124.7%, up from 104.3% last week. (7/19 12:25PM ET)
Weekly market snapshot
A closer look: 0x addresses smart contract vulnerability
Last week, the 0x team was privately notified by third party security researcher, Sam Sun (samczsun) of a vulnerability in its 0x Exchange v2 contract stemming from a quirk in EVM. According to ConsenSys Diligence, one of the teams that audited 0x smart contracts in the past, the bug was present for a year but went undiscovered and was not exploited. The vulnerability was related to signatures from external, non-smart contract addresses needed to authorize trades and would have allowed an attacker to fill orders by faking signatures. Will Warren, co-founder of 0x, stated that the ZRX token contract was not exposed.
In 0x, a maker creates an order off chain. It is broadcast to an on chain smart contract when a taker fills the order. The contract checks traders’ signatures to confirm that the transaction is authorized. Because orders are created off chain, 0x calls the verification function on the maker address when a taker fills an order. For example, “in order for the Exchange to make sure that Alice really did make the offer that Bob claims she’s making, Bob needs to submit Alice’s signature with the order data.” With the vulnerability, if an attacker was trading with a user account (aka an externally owned account, or EOA), due to a subtlety in EVM’s assembly language, the verification method would always return “true”, which 0x would interpret as a valid signature.
More granularly, our cryptographer, Mira Belenkiy, highlights that the 0x smart contract interpreted the identifier “0x04” as an instruction to use an Ethereum contract as the signature verification method and Sam Sun noticed that signatures with just the value (0x04) were always accepted as valid if the maker was not actually a smart contract. For a more technical and in depth description of the vulnerability, see Sam Sun’s blog post.
The 0x team was quick to respond and put forth a patch within a few hours. They used the AssetProxyOwner contract to close the Exchange and AssetProxy contracts — as a result, projects plugged into 0x protocol (e.g. relayers like Radar Relay and Paradex) had to suspend trading and clear their orderbooks, deeming trades on v2.0 invalid. The 0x team deployed patched contracts within hours and advised projects leveraging the 0x protocol to point to the newly patched contracts (0x v2.1).
As ConsenSys Diligence described it, in 0x v2.0, the contract accepted any non-zero value as “true” or valid. With the patch, the contract 1) has a check to determine if the address is a smart contract or not and 2) requires the address to return a specific value (precisely 32 bytes long) — anything other than this value will be deemed “false” or invalid.
The response was two-fold. The community praised the speed and elegance with which the team responded and handled a tricky situation. The team was transparent throughout the process and updated the entire 0x pipeline with fixes within hours of discovery.
One concern had to do with the fact that a decentralized exchange was able to deploy an emergency shutdown switch that suspended trading and led to the invalidation of all orders. If this is the case and the community accepts the implications of emergency kill switches, one suggestion put forth was to stop referring to such exchanges and applications that exhibit this feature as “decentralized” to avoid confusion and establish branding best practices.
Another question that arises is what happens if/when bad actors are able to get access the central shutdown mechanism. This concern was brought to light when a single wallet used to upgrade smart contracts on Bancor was compromised, allowing the attacker to steal $12.5 million worth of ETH, $1 million worth of NXPS (the native token of Pundi X) and $10 million of BNT (Bancor’s native token). Bancor was able to freeze the BNT, but not the other tokens (which also brought up the question of whether Bancor is decentralized).
The event also spurred discussions around the fact that the vulnerability went undiscovered despite multiple audits. The consensus was that it’s near impossible to catch everything (note from our cryptographer, Mira: There are several poor design choices in the EVM language and certain functions have bad semantics that make bugs inevitable.) Steve Marx from ConsenSys Diligence said, “even formal verification, which provides stricter proofs around correctness, can only find bugs to the extent that the code is formally specified. A bug like this one can easily slip through such a process.” Thus, one of the benefits of open source and bug bounty programs is that benevolent hackers are incentivized to audit the code and report bugs. The more eyes on the code, the greater the chance of discovering and patching vulnerabilities (on the flipside, not everyone reviewing the code will always be good-natured enough to report it).
This incident sheds light on the fact that many decentralized applications may have centralized components that could be detrimental if the wrong person or entity is made aware and able to take control. Further, most applications and protocols in the crypto ecosystem are very new and haven’t been battle tested (note from Mira: Ethereum smart contracts, specifically, are very hard to implement securely and using the EVM assembly language directly instead of Solidity adds an extra layer of complexity. This makes it difficult for even an experienced team of developers and auditors to detect unexpected side-effects). Teams can take the necessary precautions and diligence but still fail to identify each and every vulnerability. As a result, it’s important to have a plan of action on how to best respond when a vulnerability is discovered and, from our perspective, the 0x team handled the situation well.
Thank you to Mira Belenkiy for her contributions and corrections.
In other news
- Set Labs — the company building the TokenSets platform — introduced a new portfolio management strategy that will automatically rebalance users’ crypto holdings based on technical indicators. The offering will rebalance based on crossovers between ETH price and its 20 Day Simple Moving Average — if ETH price is higher, the portfolio with switch to 100% ETH, but if ETH price drops below the 20-day MA, Set’s Trend Trading Strategy will exchange all ETH holdings for stablecoin USDC. The Set platform leverages ETH daily price and moving average oracles as well as Kyber Network to facilitate rebalances. Source.
- Node infrastructure provider Infura released its premium Ethereum API gateway service, dubbed Infura+. The new service features three subscription tiers that provides increased daily request volumes and enhanced customer support for larger-scale dapps. Infura will continue to offer its freemium service (now as part of its Core tier) to help on-board new developers onto Ethereum. Source. For more on Infura and node infrastructure providers, read our latest Insights piece.
- Compound community members voted overwhelmingly in favor for adding wrapped Bitcoin (WBTC) to the protocol’s latest version. Source. The amount of WBTC — an ERC-20 token backed by an equivalent amount of bitcoin reserves, held in a cold storage vault — on Ethereum has grown by 614% over the last three months, according to DeFi Pulse.
- Forbes selected blockchain intelligence firm Chainalysis as one of the 25 companies for its Next-Billion Dollar Startups list. Chainalysis brought in an estimated $8 million in revenue last year and has raised ~$53 million in venture funding from Accel and Benchmark, among others. Source. Credit is due to Token Daily’s Mohamed Fouda, who earlier this year predicted blockchain analytics companies like Chainalysis would be the next crypto unicorns.
- Ethereum creator Vitalik Buterin suggested that existing blockchains featuring relatively low transaction fees per byte, such as Bitcoin Cash or Ethereum Classic, could help solve short-term scalability challenges with Ethereum 1.0. Despite the controversial proposal, Vitalik emphasized the long-term solution to Ethereum’s current scalability constraints is its planned upgrade to the proof-of-stake ETH 2.0 network featuring sharding. Source.
- Huobi-backed startup Stable Universal is planning to launch a stablecoin, HUSD, in partnership with stablecoin issuer and custodian Paxos. The new effort will replace Huobi Global’s first attempt at issuing a stablecoin, also dubbed HUSD, last October. Per a statement from Huobi, the crypto exchange is hoping to develop the new HUSD into “an alternative to Tether.” Source.
- The Web3 Foundation is planning to release an early version of Polkadot, dubbed the Kusama network, later this summer. The highly experimental “canary network” (similar to a testnet) will not be centralized nor have a kill switch. One percent of all DOT tokens — Polkadot’s native coin — are intended to be allocated to Kusama developers, stakeholders and community members to incentivize participation. Source.
- BITPoint Japan confirmed it suffered a hack on July 12 and estimated losses from the breach around 2.06 billion yen (~$28 million). 63% of these stolen funds directly affected over 50k BITPoint customers, but the exchange said all users that lost funds in the hack would be reimbursed in crypto on a 1:1 basis. Source.
- Gotbit, a two-man operation based in Moscow, was unveiled as a firm that fakes trading volumes for obscure cryptocurrencies via trading bots so these crypto projects can get listed on small exchanges as well as CoinMarketCap. Prices for its services run from $6k for a month of faked trading volume to $15k to get CoinMarketCap’s approval. Operations such as Gotbit reinforce the multiple reports released earlier this year that concluded 75-95% of reported trading volume is artificial and that some of the top crypto exchanges by volume engaged in suspicious practices to attract listing fees and user activity. Source. (h/t Nic Carter)
- trueDigital is planning to launch bitcoin derivatives for users. Its physically deliverable bitcoin swaps have been self-certified with the CFTC and it is awaiting the CFTC’s approval of DCO (derivatives clearing organization) and SEF (swap execution facility) licenses. Source.
- Horizon Games, a creation studio for blockchain-based games, raised $3.75 million seed round led by Initialized Capital, with participation from Coinbase Ventures, Polychain Capital and Inovia Capital, among others. The funds are being used to scale production on a new Ethereum-powered game called Skyweaver and a gaming platform called Arcadeum. Source.
- HDR Global, the parent company of BitMEX, provided a $60,000 grant to Bitcoin core contributor, Michael Ford, to support Bitcoin growth and engineering. This follows the firm’s donation to MIT’s Digital Currency Initiative in May. Source.
Global regulatory roundup
- The NYDFS granted two subsidiaries of SeedCX (Seed Digital Commodities Market LLC (SCXM) and Zero Hash LLC) virtual currency licenses (i.e. the Bitlicense) and a money transmitter license to one (Zero Hash). SeedCX is a regulated exchange that is planning on providing crypto derivatives. Source.
- Facebook’s David Marcus sat in front of the U.S. Senate and House of Representatives on back-to-back days to field questions and concerns regarding the tech giant’s proposed payments platform, Libra, and consortium of network partners. Congressional concerns ranged from a distrust in Facebook handling user information to Libra’s potential threat to the U.S. dollar. However, the hearings highlighted an increased awareness in Bitcoin and other crypto networks (as well as some colloquial crypto terms) among certain Congress members. You can view the both sessions here (h/t/ hasufl), and for a summary on some of the important topics covered in the Senate hearing, check out this thread from Dmitriy Berenzon.
- France’s financial regulator, AMF, is looking to approve the first group of crypto firms, including a few projects targeting an ICO, under its new cryptocurrency regulations. The French government adopted new policies in April regarding legal certification and tax requirements for cryptocurrency firms, which will come into effect towards the end of July. Source.
- Crypto custodian Anchorage received a trust charter from the state of South Dakota for its new subsidiary, Anchorage Trust Company, which will be headquartered in Sioux Falls, SD. Anchorage joins BitGo as the crypto entities with approved facilities operating in the state. Source.
- A group of congressional leaders have reportedly drafted a bill titled “Keep Big Tech Out of Finance Act.” The bill would aim to prohibit large tech companies (those with over $25 billion in annual revenue) from establishing or maintaining a digital asset intended to assume the attributes of money. This bill surfaced a few days before Facebook’s congressional hearings regarding its proposed payments network and associated digital currency, Libra. Source.
- Japan’s government is pushing to create a global network for cryptocurrency payments that rivals the SWIFT network in an effort to fight money laundering. Japan hopes to launch the network within the next few years. An FAFT-related team will reportedly be monitoring its development. Source.
What we’re reading
- Polkadot: Promise and Problems by Tom Shaughnessy
- The Separation of Time and State by Ryan Gentry (Multicoin Capital)
- Debt & the Failure of Monetary Policy to Stimulate Growth
- Paradigm shifts by Ray Dalio
- A Close Look at Libra’s Source Code by Raul Jordan (Token Daily)
- Facebook’s Cryptocurrency, Libra: Senate Banking Testimony by Caitlin Long
- Facebook’s Crypto Annoys Everyone
- Libra: A Governance Perspective by Dmitriy Berenzon
- Bitcoin Is a Human Right by Nik Bhatia
- BetterHash: Decentralizing Bitcoin Mining With New Hashing Protocols by StopAndDecrypt
- Trade Execution Coordinator (TEC) Primer by Timur Badretdinov
What we’re listening to
- What Bitcoin Did: Bitcoin Security and Ethics with Neha Narula
- Epicenter: Jerry Brito (Coin Center): The Case for Electronic Cash in an Open and Free Society
- Into the Ether: Set Protocol: Automating Asset Management with DeFi
- Unchained: How to Keep Your Crypto From Being Stolen VIa Your Phone
- Chain Reaction: Delphi Digital’s Kevin Kelly: The Perfect Storm for Bitcoin
- Base Layer: Hugh Karp (Nexus Mutual)
- Blockchain Insider: Donald Trump hates Libra……and Bitcoin
- Noded: Stephan Livera and Ketan
- Tales from the Crypt: Paranoid Bull
Circle in the news
- Circle CEO Jeremy Allaire will be joining Justin Sun and Warren Buffet at lunch next week to discuss crypto with the billionaire investor. Last month, Justin submitted the winning bid to have lunch with Buffet as part of an annual charity event.
Where we’ll be in July
- 2019 Mid-Atlantic Anti-Money Laundering Conference, 7/23-7/25, Arlington, VA