Revisit Trusting trustlessness? exploits in curve and polynetwork [pdf]

42 points by noneoftheaboveu 1 year ago | 7 comments
  • felixans 1 year ago
    FYI already made it here:

    https://news.ycombinator.com/item?id=29145946

    But this type of trust is kinda timeless.

  • noneoftheaboveu 1 year ago
    Recent vulnerabilities and exploits found in DeFi bring back a quote found in this short essay by Georgiadis: “Additionally, even though the codebase might be open source, and thus inspectable, validating integrity of a million-loc-long codebase isn’t something that the average user is capable of.”

    I might add, it’s not even feasible for the average expert. The essay touches on some very nice points.

    • tired_bot 1 year ago
      [dead]
      • scrapemenow 1 year ago
        This is a nicely written spin of Turing Award winner Ken Thompson's speech "Reflections of Trusting Trust(lessness)!". Thanks for this, and thanks for posting.
        • nftsnotforme 1 year ago
          The bug in Curve was in Vyper's compiler, not Curve itself.

          I agree with this essay, and your point. No average user, nor average expert can spot this type of exploit. My own background is in compiler work. Hence the author, Evangelos Georgiadis, advocates for formal verification methods, but even these methods are not perfect. The most intriguing point for me was the author's concept of conceptual corruption, referencing work by Markus G Kuhn. It leaves off with an easter egg quote of former compiler expert Donald Knuth. This 3-pager is quite fitting for current events.

          • 10n10n 1 year ago
            I'm a victim to the bug. Man, someone out here help. DeFi is fraud, I don't trust anyone.
            • migrane3 1 year ago
              DeFi is not fraud, people are fraud. This essay makes a point in case for this argument. I'm sorry to hear that you were a victim of the bug!
        • ninachan 1 year ago
          [dead]