Obelix and the Sleeping Cups
Reflections on Crypto and DeFi
Stop Pretending You Understand Crypto
My last guest on Brave New World is Antoinette Schoar, professor of economics at MIT’s Sloan School of Management.
Personally, I find the space of Crypto, Web 3.0 and DeFi (decentralized finance) a bit of a rabbit hole. The more I understand it, the more I realize how little I know. But what I do know is how treacherous it is, full of scam artists and people who are a lot smarter than I am. Calling it the Wild West is putting it mildly. FOMO is a big problem. Most people still have a poor understanding of the space, which makes it ripe for scams and shady activity.
Antoinette has been immersed in the crypto space for some time and has novel insights on Bitcoin and DeFi that are grounded in carefully collected data about the major actors, namely, miners, exchanges, and wallets in the crypto space. She’s compiled these insights into a set of easily accessible papers on Bitcoin and DeFi which we talk about in the podcast. So, check it out!
The Wild West: New Laws Required?
“Play to earn” is a big phenomenon in the new Web 3 platforms. You earn rewards for playing, where the rewards are typically tokens or other inducements to play more. Some people believe that this is a new way of earning a living. It reminds me of my Wall Street days where a trader would yell “buy em up” when the market opened, and add “everybody is a winner!”
That’s what a lot of platforms are messaging to Gen Z: you’re a winner if you play. No more of “waging in the cage” as one of them put it, referring to a regular office job. Instead, imagine playing to earn. Incredible. But before you buy into this, ask yourself a question: when was the last time anyone other than your family watched you play a game of backgammon, soccer, tennis or whatever you’re good at? Did you get paid for it?
But this one case got my attention: a clever programmer exploited a vulnerability of a DeFi platform called “Indexed.” This is a platform that holds specified percentages of crypto tokens in a pool, much like an ETF which holds various stocks (like a technology ETF that might hold the top 10 technology stocks). ETFs have been very popular because they provide exposure to specific parts of the marketplace without the hassle of trading and balancing the portfolio as prices change. Indexed used an “automated market maker” to do this algorithmically, without the fees that middlemen charge for managing ETFs. It’s a great idea in theory, and everything is transparent on the blockchain. And the code is in the public domain.
But how do we know that the code is bug-free?
In theory, it isn’t possible to guarantee that a program is bug-free. In this case, the hacker found a hole based on irrational human behavior – gifting the platform some tokens – that the platform had never considered. This opened up a vulnerability that enabled him to make off with $16 million of other people’s money. The exploit involved taking out a “flash loan” of $157 million, using it to severely deflate the prices of certain crypto tokens and inflate others in the pool, trading the mispriced tokens, and repaying the loan and substantial fees within seconds. The hacker risked $12K in fees for the maneuver. That’s quite a return.
We even know who the hacker is in this case, an 18-year-old Canadian. Should he return the money? Should the platform compensate its investors? Or should the investors learn a lesson for taking risks that they didn’t understand?
DeFi has no justice system. After all, this is the Libertarian nirvana of zero central authority.
So, what did the DeFi platform operators do? Go to court, of course. Ironically, this has been criticized by the purists to whom “code is law” and the basis for Web 3.0.
The case raises some fascinating questions around DeFi regulation and consumer protection.
The hacker claims he played by the rules. He followed the code of the various “smart contracts” associated with trading and borrowing which enabled him to buy low and sell high. The suing parties claim market manipulation and “subverting the intended purpose of a computer system.”
Defenders draw an analogy with traditional Wall Street “arbitrage” where traders exploit things like temporary price dislocations between exchanges.
Both arguments seem far-fetched. Clearly, the hacker didn’t exploit minor price dislocations but created major ones. His intent was malicious. By the same token, the “intended purpose” of a system is difficult to pin down. If a drone goes off target the manufacturer can’t say “Oops sorry, that wasn’t the intended purpose.” Of course, it wasn’t. But did you design it correctly?
What do you think? Should anyone be liable at all in DeFi? For example, should platform operators be liable for code they write if it puts their users at risk? Or is it okay for them to say “Oops, sorry there was a bug in our program?” What if the New York Stock Exchange matching algorithm had a bug? Is the NYSE liable? It should be, shouldn’t it? Should individuals be similarly responsible for the activities of technologies they control?
Complexity creates problems which are difficult to predict in advance. I’ve spent a large part of my career trying to answer a basic question: “when should we trust algorithms?” My answer is risk-based, namely, that it depends on the expected frequency and severity of errors. But the data to make such a determination emerges over time or must be estimated. In the crypto world, this data doesn’t exist for cases involving any degree of complexity. Which means we shouldn’t trust such algorithms yet.
Meanwhile Back in Provence
I’ve spent the last week pretending to be French in Provence. I’ve been hanging out at a “real” town square where people are civil to each other. That’s how the digital town square needs to be designed, which is something I’ve written about and discussed with Chris Bail, but I digress.
I don’t know whether my mind is playing tricks on me, but a lot of people here remind me of Asterix, Obelix and Vitalstatistix. Last Sunday the local grocer in Fontvieille, an Obelix, seemed genuinely offended when we didn’t accept his glass of champagne on a hot sleepy afternoon.
I need to drive back, I said. Don’t worry, it’s Sunday, he said in his strong French accent, the “cups” are asleep today.
Cops aside, I’ve caught the European bug and have decided to take August off. It’s something America needs to learn from the Europeans.