What the Poly Hack Tells Us About Ethereum's Future
"cross chain hacking is hot," they said (warning: wonky crypto post)
DeFi got hit with its biggest hack yet this month as the crypto-burglar made off with a headline-stealing $610 million from Poly Network...until they returned most of it.
So why bother?
“cross chain hacking is hot,” they replied simply.
As cavalier as the response seems, the vulnerability in Poly Network tells us two challenges for Ethereum’s future: its plans around scalability, and its reliance on smart contracts.
One Chain to Rule Them All
One of the biggest challenges with blockchains is that there are so many of them. As I wrote before, this constant stream of new projects creates myriad trading opportunities for those paying attention. It also creates a logistical nightmare: users and apps are split among dozens of different networks.
This created the need for “cross-chain” tools that can “bridge” from say, Ethereum to another network like Solana.
Unfortunately, that isn’t as simple as it sounds. After all, cryptocurrencies use very complicated systems to validate every transaction. How can one chain validate another?
The short answer is that it can’t, and most rely on a semi-centralized system of notaries, as Poly Network did:
These systems of checks always introduce weak points, and hacks have been happening over and over and over.
Cross-blockchain communication, interestingly, is actually also pretty important to Ethereum - or was, rather. For years, it was a massive part of the roadmap for how Ethereum would go from 15 transactions per second - too slow and unstable for real use - to thousands, by splitting the network into 64 “shards.” Vitalik once predicted a sharded chain by late 2017.
But aside from the delays, the hacks have been scary enough that last year Vitalik essentially booted that plan from the roadmap, instead focusing almost entirely on Proof of Stake. The Ethereum community has basically been spooked out of full sharding, instead moving to “data availability sharding” where fraud is prevented by a new tool called “rollups.” After the near-death experience of the DAO, Vitalik has reason to be extra cautious with every upgrade.
Rollups, though, have their own issues: they generally lock your money up on the sidechain for a week, and there isn’t just one implementation - at least a half dozen are out there already. This pushes Ethereum towards leaning more on “layer 2” solutions as Bitcoin does.
This debate isn’t settled, and it’s possible the Ethereum community will “unsettle” the debate if the upcoming releases don’t solve developer’s problems.
And that brings us to Ethereum’s other big challenge: its reliance on smart contract devs.
Dumb Contracts
Ethereum’s shift towards dependence on a “layer 2” may make Ethereum itself safer, but it also puts the onus on the developer and startup to choose the correct layer 2 solution and then configure it to avoid potential hacks.
This actually sounds a lot like the existing cross-chain ecosystem, where developers and startups choose from a long list of options of varying quality.
The Poly hack came about because of a gap in a smart contract for who could move assets back and forth, and many other hacks exploit similar weaknesses in contracts that identify who is an “owner” or “controller” of a contract.
Many of the issues with cross-chain approaches have to do with similar problems from Solidity, Ethereum’s smart contract language. Smart contracts, despite being an incredibly sexy term, are far from smart. Solidity was once considered an advantage, as it is incredibly flexible, but unfortunately that flexibility opens up many opportunities to mess up.
If these issues with smart contracts and cross-chain teach us anything, it’s that blockchain startups will take shortcuts, skipping audits and pushing insecure code out to users. Decisions on speed and security of layer 2 will be left to individual startups to make, and many will make mistakes. And in many cases, the developers haven’t done it intentionally - as is the caveat for everything in crypto, it’ll be “use at your own risk.”
Who You Gonna Call?
That caveat emptor approach brings us to my final point. When big hacks happen in crypto, people notice, and headlines are published.
As DeFi hacks have made the headlines, regulators like Gary Gensler of the SEC has signaled that intends he take a proactive approach with DeFi and may consider them securities. Proponents argue that DeFi apps shouldn’t be considered securities because the returns are not generated from the “efforts of others,” as the Howey test outlines, but from the actions of an automated contract..
Matt Levine of Bloomberg expounds on the classic “you can’t regulate code” defense:
[T]here is not really an issuer of the security to sue in the same sense that there would be for a stock offering by a company. The point here is that there is some genuine novelty in DeFi; it is really unlike the sorts of securities offerings that were on Congress’s mind when it passed the core U.S. securities laws in the 1930s. But it is mostly analogous to those offerings, so there is going to be trouble.
If smart contracts were code that really could run autonomously without any interference, that might be defensible. But Uniswap, once the most popular decentralized exchange in crypto, shows the perils of that approach: the founding team had to unilaterally delist 100 tokens in order to avoid illegal securities listing. DeFi apps rely on many other controls as well, from whitelists to blacklists to ways to upgrade the software or permissions only for contract owners.
When something goes bad in Ethereum (or any smart contract chain), ultimately some human has to pick up the phone and figure it out. And that punches a hole in the “it’s just code” argument.
That said, the SEC is still unclear on what to do with DeFi. After all, their actions on ICOs are still somewhat unclear...four years after the massive ICO bubble.
But ICOs are a good precedent for what might happen. The SEC didn’t have enough resources to prosecute every illegal token, but by releasing unclear guidance and enforcing a small number of cases, they were able to cool off the market enough and create a “perpetual gray zone” that made VCs think twice about what they were funding. The issues at Poly network show us that the experiment-deploy-hack-headline crypto cycle likely isn’t going to stop anytime soon, even as Ethereum pushes forward towards its ultimate upgrades.