🗡️ Sneak Attack — Issue No. 27

🗞 News

Last week, it was revealed that hackers used a sophisticated attack vector to sneak malicious code into open source Bitcoin wallets developed by the company Copay. The multi-step attack involved first updating a package used by the wallet to include a new dependency, then taking control of that newly added dependency by simply asking its creator if they could become its maintainer. Once in control, they snuck obfuscated code into the module, specifically aimed at stealing private keys from Copay users. The tainted code did eventually make it into a production release, but as of now, it's unclear if any user funds were stolen. Link.
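A check that follows from this attack pattern, added here as an example and not code from the newsletter or from Copay: diffing two npm lockfiles so that a routine dependency bump which quietly pulls in a brand-new transitive package gets flagged for review before release. The lockfiles and the package names "wallet-lib" and "new-helper" are constructed, not the packages from the real incident.

```javascript
// Added example: surface new transitive dependencies introduced by an upgrade
// by diffing two package-lock.json (lockfileVersion 1) dependency trees.

// Flatten the nested "dependencies" tree into "parent > child" paths.
function flattenDeps(deps, prefix = '', out = new Map()) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    out.set(path, { version: meta.version, resolved: meta.resolved });
    flattenDeps(meta.dependencies, path, out);
  }
  return out;
}

// Compare two lockfiles and report what appeared, changed, or vanished.
function diffLockfiles(before, after) {
  const a = flattenDeps(before.dependencies);
  const b = flattenDeps(after.dependencies);
  const added = [], changed = [];
  for (const [path, meta] of b) {
    const prev = a.get(path);
    if (!prev) added.push({ path, ...meta });
    else if (prev.version !== meta.version) changed.push({ path, from: prev.version, to: meta.version });
  }
  const removed = [...a.keys()].filter((p) => !b.has(p));
  return { added, changed, removed };
}

// Constructed sample lockfiles; "wallet-lib" and "new-helper" are hypothetical.
const registry = 'https://registry.npmjs.org';
const beforeLock = { dependencies: {
  'wallet-lib': { version: '3.3.4', resolved: `${registry}/wallet-lib/-/wallet-lib-3.3.4.tgz` },
} };
const afterLock = { dependencies: {
  'wallet-lib': { version: '3.3.6', resolved: `${registry}/wallet-lib/-/wallet-lib-3.3.6.tgz`,
    dependencies: {
      'new-helper': { version: '0.1.1', resolved: `${registry}/new-helper/-/new-helper-0.1.1.tgz` },
    } },
} };

const report = diffLockfiles(beforeLock, afterLock);
// A patch-level bump should not normally add packages; anything in "added"
// deserves a human look at the new package's code and its maintainers.
for (const dep of report.added) console.log(`NEW TRANSITIVE DEP: ${dep.path}@${dep.version}`);
```

In a real pipeline the two objects would be the committed and the post-`npm install` lockfile, and a non-empty `added` list would fail the build until someone reviews the new package.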

The issue was reported on the GitHub repo of the developer behind the compromised module. In the course of the conversation, it became clear that the developer, who singlehandedly created and released the package for free, had relinquished control of the module because he no longer had the time to maintain it himself and was no longer using it. In other words, because he was not funded or incentivized to maintain the package, it became an attack vector for a malicious third party to exploit. The revelation set off a heated debate on the level of responsibility open source creators have towards third parties who use their code without contributing. Link.

I first learned about this incident before it had been discovered that the malicious code was targeting Bitcoin wallets. Regardless, my initial reaction was that the crypto community should pay attention to it for multiple reasons.

First, it demonstrates that funding and incentivizing the sustainable development of open source software is far from a solved problem. Some in the crypto community broadly, and the Bitcoin community in particular, have asserted that the open source model is sufficient for incentivizing development in the ecosystem. In other words, they believe the community can rely on intrinsically motivated developers, willing to work for less than their market value, to advance protocol and project development. Not only will this not work for the crypto ecosystem, it isn't even working for the open source ecosystem in general right now.

Secondly, the incident demonstrates some specific problems with the JavaScript ecosystem, and with the web as a platform more generally. I've covered this topic before on multiple occasions, and this attack highlights some of the concerns I've previously brought up. In issue No. 7, for example, I wrote:

"All these issues bring up a deeper question: Is the web the right platform for blockchain apps? Part of why web apps are great is because they allow code injection and reloading across the network. But when priceless private keys are on the line, is that a feature or a bug?"

After this attack, the answer to that question becomes even murkier.

📺 Webinar Recap

Last week, I was joined by Andrew Bull, Esq. to discuss the regulation of decentralized systems in light of the legal action against EtherDelta. Andrew is founder & CEO of Bull Blockchain Law, Philadelphia's premier crypto-centric law firm. I learned a lot from Andrew in this discussion. If you're a developer or entrepreneur with any interest in building in this space, you should check this conversation out. Link.

📊 Statistics

1.4 million ETH is now locked in MakerDAO as collateral for the DAI dollar stablecoin. That's 1.4% of total supply, and it's been growing at 12% weekly as the price of Ether has collapsed. That means the rate at which Ether is being locked as collateral is now slightly outpacing the issuance of new Ether created via mining, which should help stabilize the price of ETH. The interplay between the contracts/assets on the chain, and the chain itself, is a fascinating and largely unstudied phenomenon. Link.