A large part of the blog post is about recovering NFTs, with multiple images, links and updates about individual items. It almost feels like product placement or some form of content marketing.
What a great read. I really enjoyed the author's writing style and candor.
As someone who lost 8 figures in crypto in 2017 - and someone who is still a huge advocate for defi in general - I can deeply empathize with the narrative. This quote stands out to me in particular:
"... in many ways the sense of violation and helplessness I felt on Thursday was matched by the excitement and empowerment I felt at being able to recover my remaining assets."
Reminds me of the first time I had a corrupted header on an encrypted drive back in 2012. I spent dozens of hours learning things I would have never learned, and while I wasn't able to recover that drive, I've kept header backups for every encrypted device I've had since.
Mistakes in crypto are mercilessly punished, sure. But in an era where every major company database (Facebook, Equifax are front of mind) has been leaked and government organizations are frequently compromised (SolarWinds most notable) I can't help but find some solace that hardened blockchains and clients, and developers who follow stringent procedures, will lead us to more widespread technological stability.
Maybe you haven't committed a cryptocurrency wallet private key to a repo, but I suspect many may have included vulnerable environmental variables like an API key before. An attacker using that could quickly rack up cloud bills that far exceed losses from the average hot wallet balance.
FWIW I consider 80%+ of NFT transactions to be wash trading / 'creative accounting' and most of this recent growth in crypto prices to be a byproduct of hyperinflation. A major correction is coming within 18 months (if not much sooner).
Nonetheless I'm still quite optimistic about the future :)
> As someone who lost 8 figures in crypto in 2017 ...
You could afford to lose 10+ million without your life being detrimentally impacted (at least I would assume, based on how calm you are about it). Most people can't. Most people can't imagine that amount of money.
I'm not a crypto fan. While the technology is interesting and has some intriguing use cases, it feels like all the big coins are far away from actually becoming a legitimate currency, and most of the optimistic posts I read miss that.
Crypto is not stable. I think that's why so much money is flying into it. If the price of bread or milk goes up 10%, people get scared. In crypto, going up or down 10% is called "Wednesday". I'm aware of stablecoins, but the biggest ones (Tether, etc) all seem to A: be centralized, and B: be run by shady groups with whispers they could disappear at any moment. A breaks the promise that crypto is supposed to provide, and B only provides stability at a glance, until the whole house of cards tumbles apart (as it has).
The bigger problem is that crypto is unforgiving. OP's story is all about this. Sure, that's fine for techies who can afford mistakes, and banks or others who might have extreme security procedures, but Mom and Pop on a farm in Iowa are neither of those. When they get a phone call from the "IRS", they are happy to go buy Walmart gift cards and read off the codes, or set up a money transfer. Sometimes that money can be reclaimed, sometimes it can't. With crypto, there is no chance. The financial institutions that exist now are certainly rigged towards the bigger players, but Mom and Pop have a (slim) shot of seeing the money again.
Crypto is a fine gamble for those who can afford it, but I honestly doubt it will ever be an every day currency, because I can't see any concerted effort focused on solving those two problems. People can't afford to not know what everything costs at the grocery store, or that they could lose their entire savings by making a mistake when buying a Christmas gift. I don't think it's a great store of value either long term, because at least traditional stores of value (land, precious metals, commodities, etc) have uses to the entire population - blockchains provide no value to 73 year old grandma.
I appreciate your thoughts and, perhaps to your surprise, entirely agree.
I'm calm about it now because I've had years to reflect and learn. I began in 2013 buying small sums of bitcoin around ~$50. I amassed ~$500k by 2017, the most I had ever seen in my life, and throughout the year I made some profitable trades on btc-e.com. I had a competitive advantage on that platform because my orders would be filled prior to the blocks those transactions would be in. btc-e was seized by US authorities in July, but much of their funds were already gone.
This was entirely my failure. What did I learn?
* diversify crypto holdings (such as OP's hot and cold wallets)
* diversify outside of crypto
* use regulated platforms (traditionally these are banks)
* understand fundamentals (I was so painfully naive)
* help others avoid these pitfalls (if I had a single friend I trusted to disclose my holdings, I'd almost certainly have made better choices)
I just responded to another comment below, which you might find helpful https://news.ycombinator.com/item?id=28910361. The foundational elements a blockchain provides - namely transparency and ownership of digital assets - are absolutely critical to our future as a society.
Crypto in its current forms is mostly noise, but there are also really pivotal things being built by people I choose to trust far more than the World Economic Forum.
> The foundational elements a blockchain provides - namely transparency and ownership of digital assets - are absolutely critical to our future as a society.
I'm not 100% sold, but I'm leaning that way, hence my phrasing of "While the technology is interesting and has some intriguing use cases".
I feel like the "good" use cases aren't particularly sexy however, and thus are in danger of getting lost. Additionally, there's a ton of people that want to throw "the blockchain" at a problem, and end up overcomplicating spaces that have no need for it.
We feel similar. Real progress isn't glamorous, and for years there's been unnecessary hype around the buzzwords. SEO and attention economies have cultivated these behavioral trends because it's profitable.
My first question for any blockchain-related project is, why do you need a blockchain? Most struggle to answer.
What's clear, from my perspective, is that humanity has an abundance of passion that's being funneled into profits. I firmly believe there will be operators in the coming years that will offer a strikingly unique set of value propositions that cannot be contested by the current majority controllers.
> But in an era where every major company database (Facebook, Equifax are front of mind) has been leaked and government organizations are frequently compromised (SolarWinds most notable) I can't help but find some solace that hardened blockchains and clients, and developers who follow stringent procedures, will lead us to more widespread technological stability.
Can you elaborate a bit on this? It reads to me like blockchain will reduce problems of big tech data leaks, but I'm not following how. Or did you mean something else?
Sure, thanks for asking. My reasoning follows a few paths in parallel:
* Distributed data storage like IPFS, built on open source software, should reduce (not eliminate) the number of vulnerabilities to large datasets. Code can be openly audited by many contributors in a way that commercial organizations can't quite support. Minor mistakes are more likely to be caught upstream, reducing the number of possible exploit chains.
* Data ownership, sovereignty, and portability are much more possible in web3 than they have been historically. By reducing friction for no-code users to own, store locally, and selectively grant access to their data, we increase the collective resilience and integrity of data at scale.
* Evolving the incentive layer, whether for open source contributors, or for end users allowing access to data, increases adoption, which encourages a virtuous cycle. Network effects should eventually compound.
* Immediate financial penalties for failure increase the likelihood that application developers and platform operators will prioritize security; historically, security budgets are subject to organizational politics (source: former pentester / digital forensics for 5+ years, many colleagues in the space, much public commentary).
TL;DR transparency decreases vulnerabilities, distributed user data ownership decreases attack surface, incentives increase adoption of these patterns, penalties increase operator diligence.
For instance... I've never again made a mistake like I did in 2017.
But you really shouldn't store anything in them that you wouldn't mind losing. Storing tens of thousands of dollars in your web browser is not a good idea. I'll at least pat myself on the back for keeping big ticket NFTs and the majority of my funds in my hardware wallet.
So I guess this confirms that these NFT purchases are legit and not just laundering. People are actually buying them in the hope of turning a profit or to just collect them.
But wait until the crypto market crashes again, which it certainly will and sooner than many expect, and those NFTs take a haircut. That would concern me.
So many people have their livelihoods staked on the dream/delusions of getting rich with crypto. Not gonna happen, I am sorry to say (unless you get in early on a big project, are an early adopter).
When I got to the part about 'irreplaceable NFTs' I had a little internal chuckle, aren't they all irreplaceable? Tough story though even though I don't do crypto at all, I understand tech errors, I've committed a personal token that had to be rotated before.
> 5. This is probably the most impactful, but also the most understandable bit of stupidity: I copied files into my new repo by doing cp -r ./old-repo/* ./new-repo, which ignores hidden files (like .gitignore). Oops.
I now do the sequence: (1) cp the .git subdir to the new project dir, (2) git reset in the new project, (3) rm the .git in the new folder for fresh committing into a new repo.
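The copy described in the quoted step 5, reproduced in a scratch directory as an added example (not part of the thread or the original post): it shows which dotfiles the `*` glob leaves behind and which files lose their ignore rule as a result. The tree, file names and contents are constructed, and `.gitignore` entries are treated as literal file names for simplicity.

```bash
#!/usr/bin/env bash
# Constructed demonstration: how `cp -r old/* new` drops .gitignore.

# Build a small source tree (all names and values are made up).
make_old_repo() {
    local d=$1
    mkdir -p "$d/src"
    printf 'secrets.json\n.env\n' > "$d/.gitignore"
    printf 'PRIVATE_KEY=constructed-placeholder\n' > "$d/.env"
    printf '{"key": "constructed-placeholder"}\n' > "$d/secrets.json"
    printf 'console.log("hello");\n' > "$d/src/index.js"
}

# The command from the post: the shell expands * without hidden entries.
copy_with_glob() { mkdir -p "$2" && cp -r "$1"/* "$2"/; }

# Copying "dir/." hands cp the directory itself, so hidden entries come along.
copy_with_dot() { mkdir -p "$2" && cp -R "$1"/. "$2"/; }

# Print top-level dotfiles present in $1 but absent from $2 (.git is skipped).
missing_dotfiles() {
    local src=$1 dst=$2 f name
    for f in "$src"/.[!.]*; do
        [ -e "$f" ] || continue              # glob matched nothing
        name=${f##*/}
        [ "$name" = .git ] && continue
        [ -e "$dst/$name" ] || printf '%s\n' "$name"
    done
    return 0
}

# Print files that the old .gitignore protected but that now sit in the new
# tree with no .gitignore at all, i.e. what `git add .` would pick up.
exposed_by_missing_ignore() {
    local old=$1 new=$2 name
    [ -f "$new/.gitignore" ] && return 0     # ignore rules survived the copy
    [ -f "$old/.gitignore" ] || return 0
    while IFS= read -r name; do
        case $name in ''|'#'*) continue ;; esac
        [ -e "$new/$name" ] && printf '%s\n' "$name"
    done < "$old/.gitignore"
    return 0
}

demo() {
    local tmp
    tmp=$(mktemp -d)
    make_old_repo "$tmp/old"
    copy_with_glob "$tmp/old" "$tmp/new-glob"
    copy_with_dot  "$tmp/old" "$tmp/new-dot"
    echo "glob copy lost:      $(missing_dotfiles "$tmp/old" "$tmp/new-glob" | tr '\n' ' ')"
    echo "glob copy exposes:   $(exposed_by_missing_ignore "$tmp/old" "$tmp/new-glob" | tr '\n' ' ')"
    echo "dir/. copy lost:     $(missing_dotfiles "$tmp/old" "$tmp/new-dot" | tr '\n' ' ')"
    rm -rf "$tmp"
}
demo
```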
They are all irreplaceable, but some are more irreplaceable than others. It's like how I can always buy a new car, but I can't buy a new family heirloom.
Have bad actors set up automation to watch all commits to all Github repositories to detect mistakes like this? Otherwise, how can the mistake be exploited in 5 minutes?
And if so, maybe Github should deploy some countermeasures? Like, block the uploading of private keys unless they are explicitly whitelisted by the repository owner?
I think there is a similar argument to be made for commits that contain e.g. database credentials or private data.
In legal ownership, when mistakes happen or illegal actions take place, humans can override and reverse these decisions. Laws, courts, police, etc.
In crypto, this is not true. Your money, your assets, your everything can be taken from you by one mistake, by one false step, and nobody can reverse it except the people who have benefitted.
This is why I don't believe in crypto. My fear of government is less than my fear of a world without an override.
I don't get crypto either. I say that as someone who bought a new computer in March 2021 for $1,900 and have used that same computer to mine enough Ethereum in that time to pay for it. Man some days I was making $70 per day when that Shiba Inu coin came out and gas prices skyrocketed.
I used to mine BTC when you could still use GPUs, even thought about buying ASICs for a time. I've bought and sold at least a dozen kinds of coins on exchanges, off exchanges, meeting people in Starbucks, etc.
I've made money off it, but I just don't get it. There's no legitimate purpose to it. DOGE, SHIBA, BTC, BCH, BSV, it's all a big joke to me. Maybe I'm stupid?
You've stated it yourself, you made money off it and that is why cryptos are so popular, people speculate and some people make lifechanging money while others lose. The greater fool theory is not even a thing in crypto markets. I'm not sure how far this will go till the bubble pops and there's no question the market is in a bubble. However, cryptos could become the currency of the future after n iterations.
I guess you have never been the victim of theft before? Sure, the government might, possibly be able to restore your property, but it is unlikely to actually happen.
The legal system has seized bitcoin private keys in the past, so it isn't impossible. The legal system could also order compensation. It isn't much different than most other cases the legal system deals with.
However, it is unlikely that this will ever happen again. The coordination costs behind pulling off this kind of fork are massive. It's difficult to imagine today's more decentralized community could ever agree to do such a thing.
If the bug is bad enough (for example, breaking the VM in a way where even a bug-free smart contract becomes vulnerable) Ethereum will fork again. I agree on how hard it would be to coordinate it, so the issue would need to be existential for Ethereum for everyone to agree.
If it's a bug and everybody agrees it's a bug then pushing a fix is very easy and uncontroversial.
e.g. two months ago the Geth team (and other community members) were able to change EVM behavior without even telling people what the change was. They simply said the EVM does something very unexpected ("there's an EVM vulnerability") and if we all hard fork (immediately update your Geth node) then the EVM will not do anything unexpected.
Yes. Satoshi did it in 2010 [0], core devs did it in 2013 [1]. Most of the "community" are just sheep. They will turn on a dime and follow the shepherds wherever they go. So you don't have to convince so many individuals to really convince the whole flock.
"This was possible because the code used for checking transactions before including them in a block didn't account for the case of outputs so large that they overflowed when summed"
Provable bugs in the system are not the same as accidentally exposing one's keys. Let's say I bought a used motorcycle from someone with BTC. Then I spam the community claiming the individual I bought from had in fact used malware to access my machine and stole the coin that way. The community to my knowledge has never reversed such a loss, nor should they be responsible for doing so.
Which is why we never hear these horror stories about phishing attacks trying to get people to send things to the wrong account.
The fact is that in many, perhaps most cases of theft the Government isn't able to do much more than punish someone they think did the crime, maybe they can recover the assets, just as often those assets are evidence and you don't get them back for years.
One should note how useful mobile device location data was in identifying insurrectionists who were masked when trespassing at the US capitol ("geofence warrants").
The crypto equivalent appears to be chainalysis and similar products.
My advice to anybody who wants to use Git without making such stupid mistakes as this guy: do a 'git diff' before you commit. It's as simple as that. It's astounding how many people don't know what exactly they commit. I've seen people commit secrets, binary files, random artifacts, code that doesn't even compile/run just because they have no idea what they commit. With Git there is no excuse to not know what you commit.
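One way to automate the "look at what you are committing" advice above, and the key-blocking idea raised earlier in the thread, is a local pre-commit hook; this is an added example, not code from the thread or from GitHub. The three patterns and the sample diff are assumptions made here, and the 64-hex rule will also flag things like SHA-256 digests.

```bash
#!/usr/bin/env bash
# Added example: scan only the lines a commit would add for secret-looking text.

# Read unified-diff text on stdin; print added lines that look like secrets.
# Heuristics chosen for this example:
#   1. PEM private key headers
#   2. a bare 64-hex-digit string (raw wallet key format), optional 0x prefix
#   3. assignments to names containing KEY / SECRET / TOKEN / PASSWORD
find_secrets_in_diff() {
    grep -E '^\+' \
    | grep -Ev '^\+\+\+ ' \
    | grep -E \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e '(^|[^0-9A-Fa-f])(0x)?[0-9A-Fa-f]{64}([^0-9A-Fa-f]|$)' \
        -e '(KEY|SECRET|TOKEN|PASSWORD)[A-Z_]*[[:space:]]*[=:][[:space:]]*[^[:space:]]+' \
    || true
}

# Pre-commit entry point: inspect what is staged, not the whole working tree.
check_staged() {
    local hits
    hits=$(git diff --cached --unified=0 --no-color | find_secrets_in_diff)
    if [ -n "$hits" ]; then
        printf 'Refusing to commit, possible secrets in staged changes:\n%s\n' "$hits" >&2
        return 1
    fi
}

# Constructed diff used to exercise the scanner offline. The "key" is the
# pattern "ab" repeated 32 times, not a real key.
sample_diff() {
    local k=abababab
    k=$k$k$k$k          # 32 hex digits
    k=$k$k              # 64 hex digits
    cat <<EOF
diff --git a/config.js b/config.js
--- a/config.js
+++ b/config.js
@@ -2,1 +2,3 @@
-API_TOKEN=old-constructed-value
+const PRIVATE = "0x${k}";
+const rpcUrl = "https://rpc.example.invalid";
+API_TOKEN=constructed-not-a-real-token
EOF
}

# Runs the check when this file is installed as .git/hooks/pre-commit.
case ${0##*/} in
    pre-commit) check_staged ;;
esac
```

A hook like this only protects the clone it is installed in and can be bypassed with `git commit --no-verify`, so it complements rather than replaces server-side scanning and key rotation.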
It sucks that this happened but in all honesty this is why I can't take anything "crypto currency" seriously yet, because the field absolutely refuses to accept that mistakes happen.
Every developer will push some private key to a repo at some point in their career. It's not fun, and in every other case, you roll the keys, ensure nothing got compromised or moved (and almost everything is reversible), and move on.
But in the crypto-currency world, you make *one mistake* and you are done. There's no recourse, no getting your money and/or assets back.
And until this gaping hole is fixed, "crypto currencies" will never go mainstream.
The problem here is not the instantaneous and irreversible financial consequences of badly written code. That's a feature, it makes crypto work like cash, a coin is a coin and won't magically evaporate from my wallet because PayPal or Youtube doesn't like my face.
The problem is the lack of minimal KYC information and any link to real world identity. It's what enables hackers to get close to 100% of the stolen sums with close to 0 risk.
Most major crypto networks are essentially giant money laundry machines: cash goes in, anonymous transactions are made over the internet, cash goes out. Of course, when you combine the two, irreversibility and anonymity, you get the giant cluster-crap of scams, embezzlement, Ponzi schemes, narcotics trafficking and cyber-blackmail that the crypto space has become.
If you want to fix crypto, the problem is not a tweak to the algorithm, it's the social rules that allow it to interface with the real world. We need to establish a minimal standard of how, when, and by whom can the real identity of a user be unblinded (think Chaum e-cash) and revealed for law enforcement - without compromising the privacy of all, like in the current banking system.
> But in the crypto-currency world, you make one mistake and you are done. There's no recourse, no getting your money and/or assets back.
What recourse do you suggest? There are already multi-sig, time locked wallets that can get around many of these issues, if users want to opt in to using them.
But making transactions somehow reversible by default would kind of defeat the purpose. Reversible transactions are good for the sender but bad for the receiver. I don't see any way around that, a tradeoff must be made.
This is the primary barrier to adoption and one that is, IMO, insurmountable.
The ways in which traditional currency is safeguarded are far more important to most of the population. I completely understand some people's hesitancy around government regulation and it's totally sane given what some folks have lived through. But the consolidation of banking institutions in the real world is pretty clearly mirrored in the cryptoworld and that side of banking is already far less reliable than real world banking. Mt. Gox was a while ago, sure, but a lot of people lost a lot of money doing something that shouldn't have been dangerous.
Most of the population trusts the government more than enough to protect themselves against this sort of blatant fraud and, at this point, I think most crypto currency is legitimately held by speculators which can create liquidity to drive transactions but which, on its own, does not a market make.
>But the consolidation of banking institutions in the real world is pretty clearly mirrored in the cryptoworld and that side of banking is already far less reliable than real world banking.
Crypto doesn't have "banking". Exchanges are fairly centralized, but it's a misuse of the technology to use an exchange for custody. There are some crypto lending platforms, but they are not banks.
>...most crypto currency is legitimately held by speculators which can create liquidity to drive transactions but which, on its own, does not a market make.
Liquidity is provided by market makers, who (by definition) are not holding or speculating.
Cryptocurrency transactions are reversible through the legal system. If you violate a contract or commit fraud then I can sue you in civil court and get a judgment, which you'll have to satisfy by repaying the cryptocurrency (or fiat equivalent). Of course enforcing that judgment against a defendant in another country might be difficult.
> There's no recourse, no getting your money and/or assets back.
That's not true. You'll go to a court of law and you'll revert the transaction. Just like this guy did, where he went to the contract owners:
> Thankfully I was also able to contact art blocks and OpenSea, who were able to transfer ownership of my projects to my hardware wallet. As much as I'd like my royalties and project ownership to be ironclad and locked into the smart contracts, centralization and individual discretion has its perks sometimes.
It's important to understand that there's no group-think. There's no organization company or group that speaks with single voice. I recognize that there are as many thoughts and motivations and intents as there are people.
But it still gets frustrating when in one discussion on cryptocurrencies, it's all about absolute freedom from government/law/court/companies/Authority/TheMan, and in another argument it's "just use courts/laws/government the way you always do".
I understand different people have different approaches and points of view. It just feels like with crypto currencies, they cancel each other.
(I also recognize I'm an ignorant outsider looking in)
Edit: Indeed, as I wrote this, already a sibling comment made a completely opposite "Of course; too bad, so sad, irreversibility is the point" argument.
That's great for him but it kinda defeats the point of the blockchain being censorship resistant. And there have been tons of these like the DAO rollback. If a handful of people can just change the rules anytime they want, what's the point?
Curious to hear your perspective on this thought experiment.
From TFA, the analogy seems to be a developer publishing an api key for a read/write access to a bank account (say, Plaid). If someone was to use this key to withdraw money from a checking account that has no two factor, and somehow use an atm to convert it to cash, what legal recourse would the owner of that account have?
This seems to be less about crypto going mainstream and more about security mechanisms? Or am I misunderstanding the premise here?
In the "real world", the recourse you have against e.g. pickpocketing is similarly non-existent (in theory, you have recourse in both the pickpocket and the crypto theft case, in practice, you're getting recourse in neither).
I'd argue that getting a software-only hotwallet stolen is comparable to getting pickpocketed or robbed of the cash you carry on you.
The crypto world is special because this often involves much bigger amounts than people usually carry around in cash, and most importantly, people negligently leave huge amounts laying around with minimal security, often because a) it wasn't worth anything when they put it in the wallet but appreciated rapidly, or b) because it's a lot of money, but it's not a lot of money for them because they are now multi-millionaires.
With a hardware wallet, it's much harder (not impossible) to make a mistake or get compromised.
>>With a hardware wallet, it's much harder (not impossible) to make a mistake or get compromised.
Of course, with a HW wallet, there are other footguns. I've read multiple sagas of attempted recovery from things like lost PWs, backups, etc., some successful, some not. And still the risk of HW itself being lost/stolen/destroyed/failed/etc. (&ya I understand that there are some recovery processes, which also must be balanced by how many recovery keys to create & leave around in 'safe' locations for such situations...)
Plenty of existing precedent is out there for the network cooperating with peers to handle reversals. True - when that pattern occurs it is not particularly decentralized.
I think what you'll see is the more privacy/anon you value in your transactions, the more you'll rely on no-givebacks network decisions.
There is also plenty of precedent that companies can handle incredibly high SLAs, but "no fail" is not something that's targeted. Bitcoin has a 100% uptime record in this regard, but to your point I wonder what an acceptable/achievable SLA is for a p2p network like bitcoin.
Can you please stop posting flamebait and unsubstantive comments to HN? You've done it repeatedly, unfortunately, and we're trying for a different sort of site here.
> This led to an immediate loss of thousands of dollars in liquid assets and the eventual loss of some awesome NFTs. In addition, several irreplaceable NFTs (like the steviep.eth ENS entry and my avatar NFT) became locked on that wallet.
Right there at the beginning it's clear they lost a great deal.
just a dude who committed his private key to a public github repo
oopsie