$35 Million Refund? Developer Appeals to Ethereum for Hack Reversal
On November 24, 2015, James Levy received 40,000 ether from the Ethereum Foundation.
Worth roughly $35,000 at the time (and nearly $35 million today), the grant was an award for Levy's efforts to create an early smart contracting tool, and one of many meant to encourage work on what was then another nascent cryptocurrency in a sea of alternatives.
But three weeks later, the grant was gone, drained from his wallet in what might be the largest hack of a single wallet in the history of the ethereum platform.
The theft was the result of a weak passphrase, and Levy has been silent on the matter ever since. But now, in order to fund a new venture called TapTrust, Levy is appealing to the hacker to return the funds, and failing that, he's turning to the community to implement what would entail a system-wide software upgrade, or hard fork, to do so.
Such an upgrade would rely on EIP 867, a proposal to standardize the process of recovering funds on the platform, one that has been a point of conflict for ethereum developers.
At times heated, the discussion around the proposal is tilting toward blocking all attempts for the EIP to proceed. Former EIP editor Yoichi Hirai even stepped down from his post as a result, citing legal concerns that could ensue from allowing the proposal to develop. And with the developer community in an uproar, the proposal has been frozen in place as the process for accepting code changes gets considered more intently.
As a co-author of EIP 867, Levy has found himself in the eye of the storm as developers raise concerns about the proposal - everything from lamenting ethereum's governance structure as it relates to system-wide catastrophes to predicting that stakeholders could collude if such proposals were ratified.
Levy's move is indeed controversial, but he feels that going public with his story might sway the current debate.
"Particularly in light of something like a hack, it's a very important issue for the community, and it's one that, I think, the network and the platform of ethereum and the community, we need to figure out," Levy told CoinDesk in an exclusive interview.
As adoption continues to rise, and ethereum is increasingly adapted for use in enterprise organizations, Levy continued:
"Ultimately, I think it comes down to, are we an economic system that lives outside the rest of society and the legal system? Are we totally separate from that? Or, are we somehow going to interface with these things?"
To step back, the hack happened because of a weak passphrase, which could lead some to put the blame on Levy himself. Yet Levy defends his security efforts, saying he believed his private key would still be needed to access the wallet.
But the wallet generation tool Levy used, developed by ethereum creator Vitalik Buterin, had a critical flaw in that others could access the wallet just with the passphrase.
"I assumed that the passphrase was going to be used in addition to some other criteria," Levy explained.
Later, when the wallet was drained, Levy found his private keys were still secure, and initially, he didn't believe he had been the victim of a hack.
"At first I thought it was due to an upgrade or something," he said.
Shortly before the wallet had been emptied, new software such as Brainflayer (a tool for brute-forcing passphrases) was released, and so Levy tested the software on his own wallet, cracked the passphrase and learned the bitter truth about his grant money - it was gone.
Yet he traced the funds to another wallet, and in watching that wallet ever since, hasn't noticed any movement.
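The flaw described above is the brain-wallet pattern: the private key is a pure function of the passphrase, so the passphrase is the only secret and a guessing tool like Brainflayer needs nothing else. The added example below (my illustration, not the original tool's code; the exact hash the tool used is not stated in the article, so SHA-256 is an assumption) contrasts that pattern with a simplified keystore in which the key is random and the passphrase only unlocks a file.

```python
import hashlib
import secrets

# Weak pattern (assumed SHA-256): the private key is derived from the
# passphrase alone, so anyone who guesses the passphrase recomputes the key.
def brainwallet_private_key(passphrase: str) -> bytes:
    return hashlib.sha256(passphrase.encode("utf-8")).digest()

# scrypt parameters for the keystore below (memory cost ~16 MiB)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# Safer pattern (simplified, not the real keystore JSON format): the private
# key is 32 random bytes; the passphrase only unlocks the file that wraps it.
# Without the file, knowing the passphrase reveals nothing.
def create_keystore(passphrase: str) -> dict:
    private_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    dk = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    # first 32 derived bytes wrap the key (fresh salt per file keeps the pad
    # unique); last 32 bytes key the MAC that detects a wrong passphrase
    ciphertext = bytes(a ^ b for a, b in zip(private_key, dk[:32]))
    mac = hashlib.sha256(dk[32:] + ciphertext).digest()
    return {"salt": salt, "ciphertext": ciphertext, "mac": mac}

def unlock_keystore(keystore: dict, passphrase: str):
    """Return the private key, or None if the passphrase is wrong or the file was altered."""
    dk = hashlib.scrypt(passphrase.encode("utf-8"), salt=keystore["salt"],
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    mac = hashlib.sha256(dk[32:] + keystore["ciphertext"]).digest()
    if not secrets.compare_digest(mac, keystore["mac"]):
        return None
    return bytes(a ^ b for a, b in zip(keystore["ciphertext"], dk[:32]))

def same_key_from_passphrase_alone(passphrase: str) -> bool:
    """True: two people using the same passphrase get the same brain-wallet key."""
    return brainwallet_private_key(passphrase) == brainwallet_private_key(passphrase)

def keystores_share_key(passphrase: str) -> bool:
    """False: two keystores made with the same passphrase hold different keys."""
    a = unlock_keystore(create_keystore(passphrase), passphrase)
    b = unlock_keystore(create_keystore(passphrase), passphrase)
    return a == b
```

The keystore still needs a strong passphrase against an attacker who steals the file; the difference is that the passphrase alone, as in Levy's case, is no longer sufficient.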
They've stayed at the same address, without "a single outgoing transaction in the entire history of the blockchain," Levy said.
And while Levy first accepted the funds as permanently lost, it was the eerie silence of the hacker's address (typically you would expect a hacker to try to cash out or use the funds) that made him think a fund recovery might be possible.
Initially, Levy will just try some friendly communication.
"One of the things I am eager to do is to try to get in touch with whoever may have access to that new wallet, and to try to come up with something that we can agree to in terms of how to remedy the situation," Levy explained.
But should that not work, Levy will submit another fund recovery proposal that builds on his former efforts with EIP 867.
According to Levy, the new proposal requires "a very, very limited and well-defined and well-structured support for undoing finality," such as the format offered by EIP 876.
With that, Levy could recover his funds and use a significant portion to build something that would benefit the blockchain's community, including his new venture TapTrust, a Wikipedia-style forum for displaying objective information about tokens launched on ethereum.
"We're trying to improve the quality of information available and improve the ability for average people to participate in this new crypto economy without compromising their safety," Levy said.
It's perhaps an especially notable statement since much of the controversy surrounding the fund recovery proposal was stoked because of poor communication, Buterin said during a recent developer meeting.
Levy knows his appeals might not do any good, but still believes they will start a broader conversation about a pain point the community needs to tease out.
While the latest discussion around fund recovery stemmed from a code vulnerability that allowed a newbie coder to freeze, at the time, $160 million worth of ether in Parity Technologies' ethereum client, Levy said hacks should be looked at as a categorically different case.
"I think that if we want to encourage organizations and businesses and financial institutions to adopt ethereum, that this is, I think for a lot of them, going to be a requirement, that in the event of a catastrophic situation, there is at least something that they can try to do," he said.
And it's a question that touches on a deeper, more philosophical rift in the ethereum community - the concept of blockchain finality.
The concept first ignited debate in the community after The DAO hack, when the ethereum community voted in favor of hard forking the code to return funds to their original holders. Valuing immutability under the adage "code is law," a dissenting group forked off the main ethereum chain, creating ethereum classic.
Such tensions remain so active in the community today, as witnessed in the more recent fund recovery debates, that Levy wouldn't be surprised if there were another split down the line.
Levy told CoinDesk:
"I wouldn't be surprised if the network splits at some point over, not necessarily the issue of ETH recovery, but more generally, the issue of are we going to have a network that is technically pure, or are we going to have a network that we're making some accommodations so that we can integrate with society."