Last week, $186M worth of cryptocurrency was stolen on Nomad, a system of smart contracts that connects Ethereum and other networks (a so-called “bridge”). The exploitation was based on faulty code that, once discovered, incited numerous copycats. Some of these people sought to steal funds for personal gain (so-called black hats), and some sought to race ahead of the black hats to “steal” funds and return them to Nomad later (so-called white hats). With $2.0B stolen from DeFi bridges this year alone, according to blockchain analytics provider Chainalysis, this incident highlights a major issue in the crypto community that, as we also discuss later, is morphing into a major geopolitical issue. These hacks have not gone unnoticed by governments internationally, as they have become a way for state-backed actors to enrich rogue nations even amidst the harshest of sanctions. It is worth noting that the vulnerabilities we discuss here are based on decentralized applications that do not exist on the Bitcoin blockchain.
Nomad is a particular type of application that has been ripe for the picking by nefarious actors — a “bridge.” Bridges connect one blockchain to another, allowing both the movement of assets between the blockchains and inter-blockchain communication. Since assets cannot natively move from one chain to another, bridges frequently hold balances of tokens that are sent from one chain and then re-issued natively on another chain. As a result, bridges can hold large balances and, because of their complex codebases, have frequently contained vulnerabilities. Thus they have been prime targets for hackers in their short existence. Chainalysis estimates that 69% of all crypto stolen in 2022 has been from bridges, with more than $624M coming from a single hack, that of the Ronin Network on Axie Infinity.
The sheer amount of capital at risk in DeFi protocols has attracted pariah states to use hacking as a source of funding. Most notably, North Korea is purported to have stolen $1B of cryptocurrency this year through state-sponsored hacking organizations such as Lazarus Group. In that vein, earlier this year, Reuters reported that crypto hacks were a key source of funds for North Korea’s missile program. DeFi’s vulnerabilities have had an impact outside of the crypto community. While, from the perspective of developers and investors, these protocols represent a new and growing technology that, like many new technologies, can come with flaws, the geopolitical risks are making the status quo increasingly untenable. As a result, the U.S. Treasury has become keenly concerned about blockchain networks as a source of funding for illicit and nefarious activities.
As it is impractical for the U.S. to directly defend DeFi protocols, the government has focused instead on the laundering of illicit gains. The public nature of most blockchains makes it inherently difficult for criminals to obscure the sources of their funds. Because of this, hacked entities like the Nomad bridge mentioned earlier have generally made hackers an offer: return most of the stolen cryptocurrency and keep the remaining portion, say 10%, as a “bounty”. Thus, the U.S. Treasury has attempted to crack down on cryptocurrency exchanges and service providers that have accepted funds from sanctioned entities as well as so-called cryptocurrency “mixers.” Mixers are entities, centralized or decentralized, that attempt to obscure the flow of funds through blockchains. Given the added pseudonymity afforded by blockchains, criminals have used mixers to obscure illicit funds, which has driven the U.S. government’s attempt to shut them down. At the same time, however, mixers can also be used for entirely benign reasons. Ethereum creator Vitalik Buterin, for example, revealed this week that he used mixers to donate cryptocurrency to the Ukrainian government and avoid the prying eyes of the Russian government. Thus, while increased scrutiny and regulation may clean up some bad activity, there may also be some collateral damage.
Centralized mixers — whereby entities have personal control over operations — are easier to shut down than decentralized ones. The Department of Justice charged the operator of one such centralized mixer last year. But decentralized mixers, which exist solely as smart contracts on a blockchain, are harder to pin down. This week, the Treasury made its first effort to shut one down, placing the smart contract addresses belonging to the Tornado Cash application on its Specially Designated Nationals (SDN) list, meaning that it is now illegal to transact with any of these addresses. Most recently, this morning, officials in Amsterdam arrested a suspected developer of Tornado Cash, though details are still sparse.
This unprecedented action has raised many issues. First, commentators have raised the issue that sanctioning code itself may, in some instances, raise First Amendment “free speech” concerns. Second, given that only addresses are sanctioned, the Tornado Cash code could simply be reused to create identical mixers with new addresses. GitHub did, however, remove the Tornado Cash code from its platform as well as the developer accounts associated with its creation. Third, because it is impossible for a user to reject an incoming transaction, some provocateurs have been sending small amounts of cryptocurrency from the Tornado mixer to prominent individuals (such as Shaquille O’Neal and Jimmy Fallon), potentially foisting an uncomfortable and unintentional legal situation onto them.
The wide-ranging geopolitical implication of crypto hacks has forced the U.S. to take action against largely anonymous crypto criminals, many of whom do not fall within any U.S. government body’s jurisdiction. The novelty, growth rate, and borderless nature of the DeFi space have made it more difficult for the government to keep up and have dragged it into uncharted legal territory, which may result in sweeping responses and, therefore, collateral damage. We will continue to watch as the government evolves its stance on these areas involving national security and consumer protection.
Bitcoin saw significant gains on the week, adding 7.9%. Risk assets saw more muted gains, as the S&P 500 gained 1.4%, and the Nasdaq appreciated 0.5%. Bonds fell on the week: Investment Grade Corporate Bonds were down 1.4%, High Yield Corporate Bonds decreased by 0.3%, and Long-Term Treasuries depreciated by 4.1%. Gold increased by 0.8% on the week as real yields and inflation expectations increased.
Regulation and Taxation
U.S. Sanctions Tornado Cash – U.S. Treasury
Iran Places First Crypto-Funded Import Order – CoinDesk
Singapore Regulator Reiterates Crypto Dangers — Bloomberg
Interactive Brokers Expands Cryptocurrency Trading – Interactive Brokers
Hodlnaut Halts Withdrawal — Hodlnaut
Messari to Raise $35M — CoinDesk
August 26th – CME bitcoin futures and options expiry
September 2nd – United States Non-Farm Payrolls
September 13th – July CPI data is released
September 21st – Next FOMC interest rate decision
Thanks for joining us again this week. Please reach out with any questions or comments.
The NYDIG Team
This report has been prepared solely for informational purposes and does not represent investment advice or provide an opinion regarding the fairness of any transaction to any and all parties nor does it constitute an offer, solicitation or a recommendation to buy or sell any particular security or instrument or to adopt any investment strategy. Charts and graphs provided herein are for illustrative purposes only. This report does not represent valuation judgments with respect to any financial instrument, issuer, security or sector that may be described or referenced herein and does not represent a formal or official view of New York Digital Investment Group or its affiliates (collectively NYDIG).
It should not be assumed that NYDIG will make investment recommendations in the future that are consistent with the views expressed herein, or use any or all of the techniques or methods of analysis described herein. NYDIG may have positions (long or short) or engage in securities transactions that are not consistent with the information and views expressed in this report.
The information provided herein is valid only for the purpose stated herein and as of the date hereof (or such other date as may be indicated herein) and no undertaking has been made to update the information, which may be superseded by subsequent market events or for other reasons. The information in this report may contain forward-looking statements regarding future events, targets or expectations. NYDIG neither assumes any duty to nor undertakes to update any forward-looking statements. There is no assurance that any forward-looking events or targets will be achieved, and actual outcomes may be significantly different from those shown herein. The information in this report, including statements concerning financial market trends, is based on current market conditions, which will fluctuate and may be superseded by subsequent market events or for other reasons.
Information furnished by others, upon which all or portions of this report are based, are from sources believed to be reliable. However, NYDIG makes no representation as to the accuracy, adequacy or completeness of such information and has accepted the information without further verification. No warranty is given as to the accuracy, adequacy or completeness of such information. No responsibility is taken for changes in market conditions or laws or regulations and no obligation is assumed to revise this report to reflect changes, events or conditions that occur subsequent to the date hereof.
Nothing contained herein constitutes investment, legal, tax or other advice nor is it to be relied on in making an investment or other decision. Legal advice can only be provided by legal counsel. NYDIG shall have no liability to any third party in respect of this report or any actions taken or decisions made as a consequence of the information set forth herein. By accessing this report, the recipient acknowledges its understanding and acceptance of the foregoing terms.