When the Ethereum network split into two (ETC and ETH, July 2016) the networks didn't have replay protection so you would send thru these contracts that were super simple and would ensure that ONLY your ETH or ETC was sent on the intended chain.
It was especially important exchanges did this as in the first days of the network split, users who were "in the know" could send only ETH to, say, Coinbase and then withdraw that ETH but actually receive ETH & ETC and then send that ETH and separately ETC to Poloniex to profit.
It doesn't matter if the forkchain doesn't have value but the moment Polo listed ETC (about 3 days after the hard fork) ETC had value and eventually anyone who had ETH listed at the time of the fork had to credit their customers w ETC. That they may have inadvertantly given away.
(Shout-out to @ShapeShift_io who not only foresaw this as a real possibility while most were of us had the "longest chain will win" mindset BUT ALSO RELEASED A TOOL FOR USERS WITHIN DAYS SO USERS COULD SAFELY "SPLIT" THEIR ETH & ETC!!! 👏👏👏👏)
Okay but this is NOT THE CODING ERROR rekt Quadriga. Lol. #QCX
Usually exchanges handle funds like this:
1. User sends to their user deposit address (onchain) 2. Exchange sweeps to hot wallet (onchain) 3. Exchange credits users exchange acct balance (DB)
Once the fork happened, you need to split all new funds or funds you held at time of fork. For some, it's a massive undertaking.
An OG infamous account known as "The accumulator" generated a lot of interest and speculation when they split their holdings. reddit.com/r/ethereum/com…
But QCX. Oh sweet #QCX. For the next year, even after network-level replay protection was added, they just did this:
1. User sends to use deposit addy 2. Exchange sends thru "safe split" contract to their hot wallet 3. Exchange credits user acct balance (DB)
Everything was fine until one day the TXs that were sent via this safe split contract just....didn't make it to their final destination (the #QCX hot wallet)
This is partly bc the contract was so simple it didn't account for unhappy paths. But neither did their sweeper code.
So for 3 days in June 2017 all user deposits were sent to the contract, the contract didn't pass them along, but users were still credited.
Until @BokkyPooBah was like "uh hey guys you know all your money is getting stuck, right?"
And QuadrigaCX was like "oh shit oops. Don't worry though, we are #1 exchange and we are Canadian therefore you can trust us when we say we'll cover the loss with our profits."
And so until Feb 2019, everyone trusted them and no one was like "yo where are your cold wallets?" until it was revealed that QCX top dog Gerald Gotten had died ("died") and "no one knows where the keys are" which is code for "there are no cold wallets."
And everyone was like "but Canadians are the trustworthy and nice!"
And Gerald was like "lol canadians are really good at running schemes and laundering money too and man the weather in Thailand/hell is super hot compared to Canada! 😎"
Then any remaining $ was spent trying to find the $ and creating a report (June 2020).
And no one was like "BITCOIN FIXES THIS" even tho AN IMMUTABLE TRANSPARENT LEDGER THAT ENSURES ACCOUNTABILITY LITERALLY FIXES THIS but #digitalgold > #DeFi, amiright?
Crypto folks (hopefully) already know that Lazarus is one of the most prevalent threat actors targeting this industry.
They rekt more people, companies, protocols than anyone else.
But it's good to know exactly how they get in. Bc another smart contract audit won't save you.
For example, one long-time fave method:
- Contact employee via social/messaging app
- Direct them to a Github for a job offer, "skills test," or to help with a bug
- Rekt individual's device
- Gain entry to company's AWS
- Rekt company (and their users)
When it comes to financial crime, money laundering, etc. everyone goes thru a phase of thinking that the solution is knowing the identity of the account holder.
"if only we knew who moved these assets! then we would be able to catch them and stop crime!"
N O .
Literally NO.
It doesn't work at any scale. It's never worked at any scale. It never will work at any scale.
AML laws and all the related shit don't stop crime or money laundering. And it never has.
And it's really important to note that the implementation is NOT the issue.
The laws are *designed* to detect and block people from accessing the financial system.
And they do exactly that. Really well. So well in fact that like 1/4th of the world's population doesn't have a basic ass bank account.
On Fri June 2nd, thousands of Atomic Wallet users had their wallets drained across basically every chain.
Each theft involved 1-3 new addies. Initially we were only able to link thefts on-chain if they sent gas to multiple addresses.
(green guys are what we put alerts on first)
The lack of consolidation means the majority of addresses collected so far came direct from users sharing their info w/ folks like @zachxbt or w/ Atomic, @elliptic, @SlowMist, etc.
We have no idea how complete our lists are currently, or how long the long tail will be.