
The math prodigy whose hack upended DeFi won’t return funds

293 points| atlacatl_sv | 3 years ago |bloomberg.com

397 comments

[+] SamBam|3 years ago|reply
> But in our email exchanges, he argued that he'd executed a perfectly legal series of trades.

In real finance, there is an understanding that technical loopholes can exist, since not every outcome can be foreseen when writing laws, but the legal system can frequently prosecute against a series of actions which are, individually, legal, but which together are taken in order to achieve something illegal.

That is, modern finance and the law also attempt to deal with intent.

But in the Ethereum smart contracts world isn't the whole premise that the code is the law? That we don't need any of these pesky courts or banks or auditors or anything: the code is the law, and the decentralized blockchain will enforce it.

With this worldview, if the attacker simply exploited poorly-written code to find a loophole, how do the owners of Index have a leg to stand on?

[+] godelski|3 years ago|reply
This is a thing that confused me about smart contracts. I don't see how they can exist without a judicial system. They do seem to have some uses under that framework. Like the system is auditable so you can prove if someone cheated and changed a contract out from under you (and you lost your copy), but that's only a minor improvement on the current system. The US has a lot of legal policy that is based on spirit of the law because it is well recognized that humans are imperfect and never will be. It then seems silly that people who are fully aware of failure analysis/engineering would design a system where the mode of failure is easily exploitable.
[+] Ajedi32|3 years ago|reply
I've seen this argument regarding smart contracts several times now, and I don't think it makes any sense. It's like robbing someone in real life, then claiming you did nothing wrong because you didn't violate the "laws" of physics. Those are two entirely separate things.

In the world of smart contracts code is indeed law, but that doesn't change the fact that in the real world law is law, and the fact that you used a smart contract to commit a crime doesn't make it any less a crime.

[+] glerk|3 years ago|reply
They really don't have any leg to stand on.

A smart contract is a piece of code running on a public permissionless blockchain. The developers who deployed that code do not own it. Medjedovic had as much the right to take money out of the smart contract using the contract's logic as Kellar and Day.

Being blockchain developers, Kellar and Day know these facts very well, but they persist in their hypocrisy because it is in their financial interest to do so. They are betting on a non-technical jury being convinced by a good lawyer that Medjedovic "hacked them" or "stole their funds" (which is not at all what happened here).

[+] SkyMarshal|3 years ago|reply
> With this worldview, if the attacker simply exploited poorly-written code to find a loophole, how do the owners of Index have a leg to stand on?

They don’t. They simply have to accept it as a bug bounty successfully collected and paid out, and treat it as a learning experience and evolutionary process. Do better next time, if there is a next time.

[+] fnordpiglet|3 years ago|reply
The courts have found that a written description of the contract is legally binding even if the smart contract has a bug that allows things that were intended to be disallowed. Further the courts held the right to decide whether something was allowed or not allowed on their own judgement regardless of the smart contract, asserting the primacy of the law and jurisprudence over cryptonerd utopian fantasy.
[+] twox2|3 years ago|reply
"Code is law" is a dream that is not actualized. It's not actually law, it's just code. I'm pretty sure law enforcement will gladly prosecute for a lot of these "hacks".
[+] c3534l|3 years ago|reply
Yes, but I believe similar cases have appeared where the courts have found against the objectivity of smart contracts. I think, ultimately, the point of regulating the financial markets is not to protect investors, but to protect the economy. And if a smart contract undermines the security of our financial system, then that smart contract may simply be illegal.
[+] tomaha|3 years ago|reply
Like high frequency trading players front-running trades, faking liquidity, manipulating prices, and changing infrastructure to benefit them to really screw people that want to buy or sell stocks? Never heard of anyone getting prosecuted by the legal system for that (besides for taking HFT code with them, but never for screwing a normal buyer or seller).

Edit: It would be great if there was more moral in finance, but I think that's wishful thinking and doesn't really distinguish traditional finance or Defi. The only nice thing about Defi is that everyone can see what's going on in contrast to what happens when you do something in traditional finance.

[+] prvc|3 years ago|reply
He contravened their "intent" to make more (fiat) money through speculation, simply put. If they actually wanted to promote decentralization and openness, they would not be undermining trust in it and impeding its adoption by invoking the legal system at this stage. All they gain from suing over this is making things hard for the kid who did the trade, and a remote possibility of "recovering" some of their previous valuations in fiat.
[+] renewiltord|3 years ago|reply
Contracts are contracts and law is law. Law can overrule contracts. Smart contracts just let you have executable terms which allows greater composition and commoditization.
[+] roastedpeacock|3 years ago|reply
Am I missing something or did Medjedovic simply use unforeseen actions in the implementation of the contract as arbitrage and did not have an agreement to not attempt such actions?

Do not see any 'unauthorised access' in that case, i.e. not the classic definition of 'computer hacking'. However if the case does end up progressing I do wonder what form a defense will take.

[+] xenophonf|3 years ago|reply
> But in the Ethereum smart contracts world isn't the whole premise that the code is the law? That we don't need any of these pesky courts or banks or auditors or anything: the code is the law, and the decentralized blockchain will enforce it.

It's like the people who invented smart contracts never heard of the incompleteness theorem.

[+] ummonk|3 years ago|reply
As the article mentions, there is a difference between the utilitarian and the libertarian view of DeFi / smart contracts. In the utilitarian worldview, the legal system still exists to handle disputes / exploits, but in the absence of such legal disputes, smart contracts allow you to automatically execute contracts without needing human overhead to manually execute them.
[+] sushid|3 years ago|reply
I never hear "code is law" from defi protocols, their ToS, or really from anyone. It's only the detractors of Web3 who tout this false logic of "code is law" so I guess you're screwed.

Examples of code NOT being the law: Some defi protocols have made those affected by a hack/loophole whole again with their own funds. Some defi protocols explicitly exclude certain jurisdictions like the US from accessing their protocol. Surely if they all believed "code is law" they wouldn't give a fuck, right?

[+] blakesterz|3 years ago|reply
This was an interesting read. The case is now in limbo until authorities can locate Medjedovic or he decides to appear.

“I did not steal anyone's private keys. I interacted with the smart contract according to its very own publicly available rules. The people who lost internet tokens in this trade were other people seeking to use the smart contract to their own advantage and taking on risky trading positions that they, apparently, did not fully understand.”

[+] dehrmann|3 years ago|reply
Reminds me of the standard advice of "don't roll your own cryptography." There are a lot of subtle nuances that make it hard to get right. When you have well-funded teams of absolute novices writing rules for complex games with money on the line, this is what happens. Rather than just having user accounts taken over and having to do a mea culpa, the reward isn't lolz or dark web money, it's actual money, and a lot of it.
[+] hartator|3 years ago|reply
> I did not steal anyone's private keys. I interacted with the smart contract according to its very own publicly available rules.

Yes, it's a little disingenuous to claim "code is law" until it doesn't suit you anymore.

[+] vmception|3 years ago|reply
> Medjedovic added that he'd taken on “substantial risk” in pursuing this strategy. If he'd failed he would have lost “a pretty large chunk of my portfolio.” (The 3 ETH he stood to lose in fees was worth about $11,000 at the time.)

This is misleading, either intentionally or due to Medjedovic's incompetence.

You can fork the current head of the mainnet blockchain to localhost and try infinite permutations for free to see what the next state of the blockchain will be. And then if you like that state, you can then pay to send the working transaction to the mainnet to make that same state occur, in a sure bet. (nearly sure fire bet as in some cases, someone could replace the mainnet transaction en route, but they wouldn't necessarily know what to look for or change if it's a distinct kind of transaction)

Medjedovic either didn't know this, because his skills didn't translate as well as he thinks, or Medjedovic knows this and hasn't come up with a stronger argument to support his actions yet (of which there are plenty) and actually is relying on public sympathy to support his actions.

Either way, there is an opportunity for broader education on how these exploits can be cooked in something akin to a "hyperbolic time chamber" or quantum reality without anyone's knowledge, ready to hop back into our dimension fine tuned and ready to cause maximum effect, all within the ~15 seconds between blocks if necessary, as the state changes per block.

[+] SamBam|3 years ago|reply
If anyone could perfectly predict what was going to happen in the next state then those with this ability would only ever make money and never lose it. Yet this can't happen. In the real world there are sniper bots and all sorts of other things that another agent could do in parallel with your own script, which would lead the outcome to be uncertain.
[+] drcode|3 years ago|reply
> And then if you like that state, you can then pay to send the working transaction to the mainnet to make that same state occur, in a sure bet.

That often isn't true anymore, see https://ethereum.org/en/developers/docs/mev/

[+] jallen_dot_dev|3 years ago|reply
I took "fail" to mean someone seeing his transaction in the mempool and frontrunning him, exploiting the flaw for themselves before he could. AKA Ethereum's "Dark Forest." Not that the transaction would fail as in a bug or something. I'm sure he knows how to simulate transactions locally if he could figure all this out.
[+] MockObject|3 years ago|reply
> You can fork the current head of the mainnet blockchain to localhost and try infinite permutations for free to see what the next state of the blockchain will be. And then if you like that state, you can then pay to send the working transaction to the mainnet to make that same state occur, in a sure bet.

You have described mining.

[+] buggeryorkshire|3 years ago|reply
Jesus, and we wonder why grandma is entirely unsuited to putting her savings in this crap.
[+] uncomputation|3 years ago|reply
Not quite a sure bet. It depends on your magic TX getting picked up from the mempool by the winning node.
[+] caymanjim|3 years ago|reply
Forget about the exploit itself. Why are people trusting two young nobodies (Day and Kellar of Indexed Finance) with so much money in the first place? Ok, so Day has some decent academic credentials, but he's just one person. Who was doing risk analysis? Which independent experts analyzed their algorithms? Which accounting firm audited them? Where's the oversight? These two guys whipped something up, threw it out in the wild, and the masses fed tens or hundreds of millions of dollars into it without a care in the world.

This is how crypto operates. Buyer beware.

[+] motohagiography|3 years ago|reply
This isn't a hack, it was straight arbitrage. I distinguish them because there was at no time a transfer of administrative power or control over the contract or target's infrastructure to Medjedovic.

In a smart contract, I'd make a legal distinction between syntactic parsing and calculation, which has to do with the purity of functions and data. An arbitrage would be fair game if it levered an unanticipated calculation, whereas a recent example where the contract was only checking the last several bytes of a destination address key would be a parsing exploit. Medjedovic's arbitrage as described appears to be a pure calculation advantage, and not exploiting a parsing error, and so this is very reasonably fair game.

He used logic endogenous to the contracts, with no exogenous control of the systems running the contracts. When you exploit a buffer overflow, you are breaking through (sabotaging) a parser as a means to manipulate the raw memory and machine - whereas this arbitrage is closer to something that lies somewhere between clicking on a link someone provided but had some unspoken intention about you not using it, and a SQL injection or other evaluation error that yields an index. (edit: Actually, it's more like saying something really funny and unexpected on a platform that hasn't banned that kind of humor yet, and they're just mad about the consequences. we could even see a future where the distinction between a hack and arbitrage will be the complexity class of the algorithm and whether it represented a scheme that was Turing complete)

Unfortunately, in Canada they'll go after him just as a fugitive now, and there is no shortage of political actors who will want to make him the perfect example villain for their hysterical policy objectives. This is one of those increasingly classic situations where a really smart kid gets system-involved and can't comprehend how insane it is because the legal system and politics are not subject to mere reason. If he has the money, fleeing before charges were laid was probably even rational, as there is no reason to expect the legal system is equipped to deliver justice in something so new.

[+] shockeychap|3 years ago|reply
"But passivity also created risk. If there was a problem with the code, someone could exploit it directly, without needing to bypass any human safeguards. And limiting blockchain interactions to cut costs entailed a trade-off: When a smart contract—a script that executes automatically when certain criteria are met—has fewer steps, it can leave more room for security vulnerabilities."

So much of this reminds me of Chesterton's Fence, where "innovative" solutions are deployed by people who never put forth the time and effort to fully understand how the existing system came to be the way that it was - and the problems that it had to deal with and solve along the way.

I'm not trying to sing the praises of finance and banking; there's much there that is broken. (I'm also not a fan of crypto or NFTs.) But I am saying that many of the "old" ways came about in response to a litany of problems that are neither obvious nor intuitive, and you need to understand why it works the way it does before putting out a new solution.

[+] omarhaneef|3 years ago|reply
What is interesting to me is how it shines a light on the regulatory framework of the non-crypto economy. If you read up on edge cases, there are a lot of people deciding if something is "fair", and my notions of fair and a particular judge's notions of fair are often at odds.

To steal from Frank Zappa: Legal isn't the same as allowed, allowed isn't the same as fair, fair isn't the same as just, and just isn't music.

[+] jakear|3 years ago|reply
> His profile on one social network included a quote from Kurt Vonnegut's Cat's Cradle about the futility of humanity's quest for knowledge: “Tiger got to hunt, bird got to fly; Man got to sit and wonder ‘why, why, why?' Tiger got to sleep, bird got to land; Man got to tell himself he understand.”

Hey! He’s just like me.

> But did Medjedovic do this, or did the algorithm? Barry Sookman, a lawyer in Toronto specializing in information technology, says it's a distinction without a difference: “Individuals are responsible for the activities of technologies they control.”

This of course goes both ways — aren’t the index fund creators responsible for their technologies too?

[+] Overtonwindow|3 years ago|reply
This was fascinating to read, but I think the guy is ultimately innocent. He executed a series of speculative trades using the platform's rules and mechanisms. It reminds me of the 2013 case of some guys who took advantage of a software bug in a video poker game. “All these guys did is simply push a sequence of buttons that they were legally entitled to push.”

This sounds very much like the same thing, and since digital currency is not heavily regulated, some might say at all, I think the outcome, while unfortunate, is not illegal.

Sadly Day & Kellar and others will likely haunt this poor kid with lawsuits and frivolous attacks, but in my book he did not break the law.

https://www.wired.com/2013/11/video-poker-case/

[+] JackFr|3 years ago|reply
As I understand it, Indexed behaved as a sort of ETF for crypto, that had automated their creation/redemption mechanism.

Importantly they had automated the creation/redemption mechanism poorly. Here's the operative passage:

By eliminating human managers, Indexed could forgo management fees like the 0.95% its bigger rival, Index Coop, charged for simply holding its most popular index token. (Indexed would charge a fee for burning tokens and swapping assets within a pool, but those only applied to a small fraction of users.)

It also saved on costs by limiting the number of interactions between the platform and outside entities. For example, when Indexed needed to calculate the total value held within a pool, instead of checking token prices on an exchange such as Uniswap, it sometimes extrapolated from the value and weight of the largest token within the pool, called the “benchmark” token.

This way, it reduced the fees it paid for transactions on the Ethereum blockchain. Kellar saw full passivity as a “natural extension of the way index funds already operate.”

Kellar was wrong.

In bringing down the costs, they eliminated the very thing that might have prevented the transactions that cost them all the money. The trades were legitimate, just unfortunate for the holders, and to ask the courts to reward the incompetence of the management of Indexed is to ask the courts too much.
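
The valuation shortcut quoted in the comment above can be contrasted with a full per-token valuation. The following is an added example, not part of the thread and not Indexed's code: the pool contents, the choice of the highest-weight token as the benchmark, the 2% tolerance and all names are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Holding:
    symbol: str
    balance: Decimal  # tokens held by the pool
    weight: Decimal   # stored target share of pool value (weights sum to 1)
    price: Decimal    # external reference price per token


def extrapolated_value(holdings):
    """Cheap estimate: value of the benchmark token divided by its weight.

    Assumption: the benchmark is the highest-weight token.
    """
    bench = max(holdings, key=lambda h: h.weight)
    return bench.balance * bench.price / bench.weight


def summed_value(holdings):
    """Full valuation: price every token in the pool and add them up."""
    return sum((h.balance * h.price for h in holdings), Decimal(0))


def deviation(holdings):
    """Relative gap between the cheap estimate and the full valuation."""
    full = summed_value(holdings)
    return abs(extrapolated_value(holdings) - full) / full


def checked_pool_value(holdings, tolerance=Decimal("0.02")):
    """Return the full valuation, refusing to proceed if the stored weights
    no longer describe the pool (the estimate would be misleading)."""
    gap = deviation(holdings)
    if gap > tolerance:
        raise ValueError(f"weights out of sync with holdings: gap {gap:.2%}")
    return summed_value(holdings)


# Constructed pool whose holdings match the stored weights.
BALANCED = [
    Holding("AAA", Decimal("50"), Decimal("0.5"), Decimal("10")),
    Holding("BBB", Decimal("100"), Decimal("0.3"), Decimal("3")),
    Holding("CCC", Decimal("40"), Decimal("0.2"), Decimal("5")),
]

# Constructed pool whose holdings no longer match the stored weights.
DRIFTED = [
    Holding("AAA", Decimal("50"), Decimal("0.5"), Decimal("10")),
    Holding("BBB", Decimal("400"), Decimal("0.3"), Decimal("3")),
    Holding("CCC", Decimal("40"), Decimal("0.2"), Decimal("5")),
]

if __name__ == "__main__":
    for name, pool in (("balanced", BALANCED), ("drifted", DRIFTED)):
        print(name, extrapolated_value(pool), summed_value(pool),
              f"{deviation(pool):.2%}")
```

The estimate is only as good as the assumption that every token still sits at its stored weight; the check trades the extra price lookups the shortcut avoided for a bound on how wrong the pool value can be.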

[+] antishatter|3 years ago|reply
What’d he do that was illegal? Seems like he didn’t cheat and insider trading laws don’t seem to apply. Oops crypto is an unregulated market.
[+] giantg2|3 years ago|reply
"In their complaint, lawyers for Kellar and Day argued that two particular steps of the attack violated statutes against market manipulation and computer hacking."

So now they want crypto to be treated as regulated securities, but let me guess, only when it benefits them...

[+] QuantumGood|3 years ago|reply
Most want the law to benefit them if they suffer harm, even if it can be argued to be self-harm. Most pay little attention to the law if no harm is taking place... unless the law will cause harm. This isn't unique to DeFi.
[+] TameAntelope|3 years ago|reply
For all the people shouting "Way to go!" and "The money is his!" I think you should remember he's currently a fugitive, and would need to spend the rest of his life living this way.

If that's what it takes to live the "code is law" dream, count me out.

[+] kristjansson|3 years ago|reply
There's something delicious in a critical part of the arb relying on a mechanism the contract authors included to reduce gas fees. Not only are we enshrining code as law, we're playing code golf with it first!
[+] RcouF1uZ4gsC|3 years ago|reply
I have a compromise. Allow hacks of cryptocurrency to be prosecuted, but when they are, then also prosecute the creators of the cryptocurrency for making unregistered securities and for any fraudulent marketing of the cryptocurrency, or any failure to disclose risks, or for not following financial regulations.

This is another example of make risks public and reward private. They are arbitraging the financial system and trying to have the freedom of cryptocurrency, but when things go bad, want law enforcement to come fix it.

[+] bobsmooth|3 years ago|reply
"They discovered that the Ethereum wallet used to transfer tokens during the attack was connected to another wallet used to collect winnings in a recent hacking contest by a participant who sometimes identified himself as UmbralUpsilon. Pulling up the participant’s registration, they saw that it linked to a profile on the collaborative coding platform GitHub."

Opsec really isn't that difficult, you just have to give it some thought.

[+] jrm4|3 years ago|reply
I'll keep saying it -- a "smart contract" is nothing nothing nothing at all like a real contract, it's a stupid little piece of vending machine code that just operates. If we're going to argue the ridiculously dumb idea that smart contracts are, in fact, legal contracts -- congrats to the kid because he is 100% entitled to that money.
[+] pcj-github|3 years ago|reply
Indexed gets no sympathy from me; guy exploits a bug in the code. Awfully predictable that these would-be DeFi fanboys go crying to a centralized legal authority when things don't go their way.
[+] yobananaboy|3 years ago|reply
They were holding $17m in funds and only paid 2 unnamed security auditors?

Yes, getting a proper audit for a Defi Protocol is expensive (probably 8 person weeks at $20-30k/week or ~$200k), and every good audit firm has a 3-6 month waiting period. But when you’ve got 100x that to lose, it’s a drop in the bucket.