Quarterly Outlook
Fixed Income Outlook: Bonds Hit Reset. A New Equilibrium Emerges
Althea Spinozzi
Head of Fixed Income Strategy
Cryptocurrency Analyst
Summary: Decentralization is the key value proposition of crypto. It enables trust and services without intermediaries. However, there is no such thing as a free lunch, as decentralization comes with severe risks, stressed last week by the $320mn Wormhole exploit. This may reduce trust in decentralized applications and give incentive to further regulation.
In August, Certus One owned by leading market maker Jump Crypto, a subsidiary of Jump Trading, launched Wormhole, an interoperability protocol allowing users to transfer tokens and use applications across various cryptocurrencies such as Ethereum, Solana, and Terra. Such an application is also known as a bridge. The most used Wormhole bridge is from Ethereum to Solana. This particular bride was targeted last week in what evolved into one of the largest decentralized finance protocol exploits in crypto.
Wormhole exploited for 120,000 Ether
On Wednesday, a hacker managed to exploit the Wormhole bridge between Ethereum and Solana for 120,000 Ether, worth around $320mn at the time. In brief, the hacker was able to mislead the protocol into assuming that the person in question deposited Ether into the contract to issue an equal amount in wETH, which is tokenized Ether on Solana collateralized with actual Ether through Wormhole. With the wETH at hand on Solana, the hacker returned to Wormhole to redeem the majority to actual Ether on Ethereum. The problem, though, as the hackers wETH was not collateralized, it was Ether collateralizing others wETH. The hacker traded the remaining wETH into other assets on decentralized exchanges on Solana to quickly get rid of the undercollateralized wETH.
Wormhole quickly offered the hacker a $10mn bug bounty if returning the funds. However, the hacker did not seem interested since Jump Crypto promptly funded Wormhole with an equivalent 120,000 Ether from their own book, saying on Twitter: “Jump Crypto believes in a multichain future and that Wormhole is essential infrastructure. That’s why we replaced 120k ETH to make community members whole and support Wormhole now as it continues to develop.” The hacker has not moved the stolen Ether yet, and to cash out such an amount will be severely challenging, as the few exchanges, brokers, and OTC desks able to liquidate such an amount will freeze it instantly if it suddenly hits their Ethereum wallet, as they know the source of the funds.
The Wormhole exploit stresses the risk of decentralization
In 2021, $1.3bn was lost in decentralized application exploits, which was more than double the amount of 2020 upon an increasing value locked in decentralized applications. Hence, the Wormhole exploit is surely not the first and most critically, it is presumably not the last exploit. The latter stresses that decentralized applications are fragile and that they will likely continue to be that for years to come. This is further enhanced upon the fact that Wormhole was not developed by a teenager living in his or her parents’ basement. It was virtually developed by Jump Trading, one of the largest market makers within equities, options, futures, and cryptocurrencies. If a protocol developed by a corporation of that size can be exploited, imagine how challenging it is for a minor start-up to develop safeguarded decentralized applications. Moreover, imagine if an exploit in fact happens for a minor start-up, it is immediately game over as they cannot in this case fund the protocol with over $300mn worth in Ether in under 24 hours. This ultimately limits innovation within crypto as fewer want to risk their start-up and reputation in the space.Here, decentralization enters the equation. While decentralization is the key value proposition of crypto because it empowers services normally facilitated by various intermediaries such as international transfers and decentralized trading of non-fungible tokens (NFTs), it is also a notable shortcoming of crypto. This is the case with decentralized exploits, as developers and users cannot recover funds when exploits occur, compared to a centralized system where the company behind can often reverse the transaction. This means that exploits and cyberattacks can have proportionally much worse consequences when dealing decentralized.
Does crypto learn from it?
Whenever an exploit takes place, the community often makes a u-turn and presents it as somewhat positive with the main argument being that the protocol in question alongside other protocols learn from the particular exploit to develop future-proof protocols. The learning view is likely true, however, imagine in how many ways various decentralized applications can be exploited, so to potentially develop safeguarded decentralized applications through a learning phase will not be a quick fix.
One might argue that decentralized applications will experience the same learning phase and development as e.g., crypto wallets. In the early days of Bitcoin, there were no great wallets, which meant that many Bitcoins were lost forever in the first years of its lifetime. At the time, it was likely hard to imagine that institutions would ever trust crypto companies to custody billions worth of value. This is not unimaginable anymore. Quite the contrary, it is the case today. As Søren Kierkegaard said: “Life can only be understood backwards, but it must be lived forwards”.
It is important to remember that the first decentralized applications launched in 2018, so it is somewhat of a new phenomenon. This means the industry is still quite early in its learning phase. Furthermore, over the past years, several consultancies have launched making audits in the code of decentralized applications, such as OpenZeppelin, which further enhances security. Besides doing audits, OpenZeppelin has released a framework of battle-tested smart contracts intended to be used by new decentralized applications. This effectively means that as the industry matures there will perchance be various frameworks and infrastructure to be leveraged in making applications more secure.
On the other hand, even if the industry can present a near-zero exploit risk in the future, the question is whether everyday people will trust decentralized applications with their history of exploits. Not to mention that the potential consequences of exploits are rapidly intensified upon increasing usage and value locked in decentralized applications. This may enforce tough regulation by regulators before the industry proves that it is safe to interact with.