Welcome to the Block & Mortar newsletter! Every week, I bring you the top stories and my analysis on where business meets web3: blockchain, cryptocurrencies, NFTs, and metaverse. Brought to you by Q McCallum.

Reading online? Subscribe to get this in your inbox whenever it's published.


#67 - The "mostly crime" issue

(Image credit: “Frustrated Boromir” meme template from imgflip)

What’s the statute on spoilers for crossword puzzles? I don’t know. So if you’re working through a backlog of New York Times crosswords, you may want to skip this intro and head straight to the first segment.

The puzzle for 30 July included a clue about people shilling Bitcoin. The answer?

Beware geeks bearing grifts.

Crypto has long been the butt of jokes about crime. Why so?

Sure, it’s been used in some shady transactions. (But so has fiat currency.) And it’s a hot technology that’s getting all kinds of media attention. (But so is AI.) I feel there’s something more here. And it’s not just crypto’s questionable status in the eyes of financial regulators.

Whatever the case, today’s newsletter focuses on recent crypto crimes. If you feel dirty after reading it, that’s why.

Seems rather tame

The SEC has a messy relationship with crypto projects because the question “is crypto a security?” doesn’t have a clear-cut answer. The regulator says the answer is “yes yes.” Groups like Binance and Coinbase say “no no.”

More recently, Gary Gensler’s team has turned its attention to a very different question: “has crypto personality Richard Heart stolen money from investors?” Their answer is “this lawsuit speaks for itself”:

The SEC also charged Heart and PulseChain with fraud for misappropriating at least $12 million of offering proceeds to purchase luxury goods including sports cars, watches, and a 555-carat black diamond known as ‘The Enigma’ – reportedly the largest black diamond in the world. […] “Heart called on investors to buy crypto asset securities in offerings that he failed to register. He then defrauded those investors by spending some of their crypto assets on exorbitant luxury goods,” said Eric Werner, Director of the Fort Worth Regional Office. “This action seeks to protect the investing public and hold Heart accountable for his actions.”

I can see why Heart would take the “no” position here. He’s burned $12 million on flashy toys, but that’s just one percent of the alleged billion-dollar haul. Kind of a modest spend for an outright criminal mastermind, no? It sounds more like someone celebrating business success.

Maybe his defense team will play that card. We’ll see.

Seeing snakes around the curve

You’ve probably seen some headlines about a hack on “Curve” and something called “Vyper.” What’s that all about? I’ll have to take a step back to explain:

The mainstream finance space (tradfi) has plenty of rules, but they’re squishy. Personal relationships sometimes override bank policy, bad actors slip transactions past the compliance department, and lenders can spend months sending letters back and forth to address a delinquency. “Could you please make a payment on the loan? No? OK we’ll check back in a bit.”

That’s a far cry from crypto’s decentralized finance (DeFi), where everything happens in code. Cold, dispassionate code that swaps handshake agreements and phone calls for if/then statements. “Event A leads to B leads to C. If anything goes wrong, we reset to the initial conditions and everyone involved gets their tokens back.”

All of this is why cryptocurrency is considered a “trustless” medium. (More like “shifting trust from people to code,” but same deal.) Executing a smart contract is the equivalent of locking all of the involved parties in a room to conduct a deal:

  • No one leaves till everything is settled;
  • The terms of the settlement are posted right there for everyone to see; and
  • No one can modify those terms.

In that case, sure, why not hand a complete stranger a massive amount of money (or an NFT, or whatever) for a flash loan?

This reasoning breaks down when there’s a flaw in the smart contract’s code. In tradfi we’d be able to pause the action, point out that we’d hit a logical inconsistency in the agreement, and come to some kind of consensus on what to do from there. But code only does exactly what is written, intended outcomes be damned. Bad actors use the code’s literal interpretation of the (flawed) terms to their advantage, and they walk off with the cash. Just ask the folks at Coinbase and Mango.

That, then, takes us back to Curve and Vyper:

Decentralized exchange (DEX) Curve Finance suffered a hack last week because of flaws in some of its smart contracts. Those flaws stem from a tool called Vyper.

Vyper compiles Python-like code into something that a blockchain can handle. The upside? Instead of fumbling through Solidity or some other new-to-them, crypto-specific language, experienced Python developers can leverage their existing skills to dive straight into writing smart contracts. That should reduce the number of flaws in the code they write, which should make their smart contracts safer to use.

The downside? That still exposes those smart contracts to problems in Vyper itself. And last week it was determined that certain versions of Vyper introduced a reentrancy bug into the compiled code. I’ll spare you the gory details. Just know that this bug lets hackers take the affected smart contracts down unintended-yet-still-written-right-there-in-the-(machine-level-)code paths.

Hackers have thus far exploited this Vyper bug to the tune of $70M. Curve Finance is the name that made headlines for this, but other projects have also been hit. Any smart contract built with the affected versions of Vyper is vulnerable.
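To make that “reentrancy bug” concrete, here is an added toy model, written for this issue in plain Python (it is not Vyper, not Curve’s code, and not anything from the Vyper project). The Vault, Honest, Reentrant and transact names and the deposit amounts are all constructed for the illustration. The guard_works flag stands in for whether the compiler actually emitted the reentrancy lock the developer asked for, which is the kind of thing that went wrong in the affected Vyper versions; effects_first stands in for the “update your own books before you talk to anyone else” ordering that keeps a contract safe even when that lock is missing. The transact helper also models the “reset to the initial conditions” revert from the locked-room analogy earlier in this segment.

```python
"""Toy model of a re-entrancy bug in a vault contract (constructed example).

A Vault holds deposits and pays them back on withdraw().  Paying out means
calling the recipient, and a recipient that is itself a contract can call
straight back into withdraw() before the first call has finished.  Two
defences exist: a re-entrancy lock (guard) and ordering the code so the
balance is zeroed *before* the external call ("effects first").
"""


class ReentrancyError(Exception):
    """Raised when a guarded function is entered while its lock is held."""


class Honest:
    """A recipient that simply accepts the payment."""

    def __init__(self):
        self.ether = 0

    def receive(self, vault, amount):
        self.ether += amount


class Reentrant:
    """A recipient whose receive hook calls back into the vault (constructed)."""

    def __init__(self):
        self.ether = 0

    def receive(self, vault, amount):
        self.ether += amount
        if vault.ether >= amount:      # keep re-entering while the vault can pay
            vault.withdraw(self)


class Vault:
    def __init__(self, guard_works=True, effects_first=False):
        self.balances = {}
        self.ether = 0                 # ether actually held by the contract
        self.locked = False            # the re-entrancy lock storage slot
        self.guard_works = guard_works  # False models a compiler that mis-emits the lock
        self.effects_first = effects_first

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.ether += amount

    def withdraw(self, account):
        # This check is what a @nonreentrant decorator is supposed to compile to.
        if self.guard_works and self.locked:
            raise ReentrancyError("re-entrant call rejected")
        self.locked = True
        try:
            amount = self.balances.get(account, 0)
            if amount == 0:
                return
            if self.effects_first:
                self.balances[account] = 0     # effect first ...
                self._send(account, amount)    # ... then interaction
            else:
                self._send(account, amount)    # interaction first: balance still
                self.balances[account] = 0     # non-zero while the callee runs
        finally:
            self.locked = False

    def _send(self, account, amount):
        self.ether -= amount
        account.receive(self, amount)          # the external call


def transact(vault, account):
    """Run one withdraw atomically: any exception reverts every state change."""
    snapshot = (dict(vault.balances), vault.ether, account.ether)
    try:
        vault.withdraw(account)
        return "ok"
    except ReentrancyError:
        vault.balances, vault.ether, account.ether = dict(snapshot[0]), snapshot[1], snapshot[2]
        return "reverted"


def run_scenarios():
    """Returns {scenario: (status, ether left in vault, ether held by the re-entrant caller)}."""
    results = {}
    for name, guard_works, effects_first in [
        ("guard_ok_interaction_first", True, False),
        ("guard_broken_interaction_first", False, False),   # the compiler-bug case
        ("guard_broken_effects_first", False, True),        # survives a broken guard
    ]:
        vault = Vault(guard_works, effects_first)
        depositor, caller = Honest(), Reentrant()
        vault.deposit(depositor, 90)   # constructed amounts: 100 in the vault in total
        vault.deposit(caller, 10)
        status = transact(vault, caller)
        results[name] = (status, vault.ether, caller.ether)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:32s} -> {outcome}")
```

The middle scenario is the one that matters for Curve: the developer wrote the lock, the compiled code did not honour it, and a recipient entitled to 10 walks off with all 100. The last scenario shows why “effects first” is worth keeping even when you also have a lock: it is the defence that does not depend on the compiler getting the other one right.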

What does this say about the feasibility and stability of DeFi?

Nothing at all. At least, nothing new.

Crypto is ultimately code, so it is subject to code’s harsh realities:

  1. All code has bugs. No matter what that hot-shot developer says during the interview, they will eventually produce code that doesn’t always do what’s expected or desired.

  2. Those bugs cause problems when a system accidentally hits a triggering condition (“we’d never tested this beyond 1,000 simultaneous users”) or when bad actors induce such a condition (“I’ll send this web form a carefully-crafted message that causes it to write that wire transfer into the wrong account”).

  3. Just about every piece of software relies on other software, which in turn relies on something else, and so on, until a problem in some dependency twelve steps down the chain risks bringing the whole house down. Remember the 2021 log4j bug?

If you build your app atop another software project – and realistically speaking, you can’t create a modern app without doing so – you inherit all of that project’s bugs and add your own to the list. That’s just how the game works.

So when it comes to code versus people, neither one is empirically better in every situation. Both are subject to constraints. Both will fail under certain operating conditions.

And, frankly, interesting things happen when the code and people meet. In the case of the Curve exploit, some white-hat (ethical) hackers were able to “steal” funds ahead of the bad guys and park them in safe wallets. Curve also offered a 10%, no-questions-asked bounty to black-hat hackers to return any stolen funds. Collectively, this has led Curve to recover almost three-quarters of the vulnerable tokens.

A real no-code solution

Not all crypto crimes rely on flaws in smart contract code.

Some involve no code at all.

Take, for example, OneCoin. Founder and self-proclaimed “Cryptoqueen” Ruja Ignatova released a token, convinced people to trade roughly €4bn of their cash for that token, and then disappeared with their cash.

No smart contracts were involved. Smart contracts weren’t even possible, as OneCoin didn’t have a blockchain behind it. The whole thing was, allegedly, just Ignatova’s lies (“marketing push”) and social engineering (“positive vibes”). That magic act has landed her the inglorious designation of being the only woman currently on the FBI’s most-wanted list.

Looking for more details? Jennifer McAdam has documented her journey from OneCoin investor to whistleblower in Devil’s Coin: My Battle to Take Down the Notorious OneCoin Cryptoqueen. The book should be out by the time you read this newsletter. There’s also a movie version currently in pre-production. Maybe it’ll land before any of the FTX films…

The crocodile’s plea

Decentralized exchange (DEX) Bitfinex suffered a hack in 2016 and the perpetrator(s) walked off with $71 million in Bitcoin. Remember how crypto prices were on an upward trend for a while? The Bitfinex haul was worth $3.6 billion six years later when the feds arrested spouses Ilya “Dutch” Lichtenstein and Heather Morgan in connection with the crime.

The pair claimed they’d had no part in the Bitcoin heist. Their friends chimed in that they were simply not sophisticated enough to have pulled it off. (Does this sound like a backhanded form of support? I guess when the chips are down, you take whatever you can get.) But last week they finally caved: Lichtenstein and Morgan entered guilty pleas for the hack and for money laundering, respectively.

It’s entirely possible that they will be sentenced to prison for their crimes. If so, Morgan’s “Crocodile of Wall Street” alter ego, the self-proclaimed business rapper “Razzlekhan,” would be the rare case of someone who launched a rap career and then did time.

Saying the quiet part out loud

I’d originally planned to close out this newsletter with a different story on Worldcoin. (Remember them? They’re the company that’ll scan your eyeball so you can prove you’re a real person online.)

That was the plan. But then this tweet came across my desk. The embedded video is (allegedly) an excerpt from an interview dated 03 August 2023.

🚩🚩🚩 The co-founder of World Coin, @alexblania, said the World Coin Foundation takes advantage of the low token float of $WLD to manipulate the price of $WLD via market makers to “dampen” price volatility

Price manipulation? Not a good look.

(Why do I mention the date? I have a hunch that “03 August 2023” will be an important marker on the Worldcoin timeline. Sort of like “25 April 2022,” the date of the Odd Lots interview in which SBF kinda sorta tells Matt Levine that yield farming is a Ponzi scheme.)

Granted, Blania still has an out. This is a video clip, released in an age of high-quality generative AI. He could simply claim the whole thing was a deepfake. For bonus points, he could then explain how this validates the existence of Worldcoin’s identity management system. That would be some solid salesmanship.

The wrap-up

This was an issue of Block & Mortar.

Who’s behind Block & Mortar? I'm Q McCallum. I've spent the past two decades in the emerging-tech space. And I'm very interested in web3 use cases.

Credit where it's due. Big thanks to Shane Glynn for reviewing early drafts. Any mistakes that remain are mine.

Reading this online? Or as a forward? Why not sign up? Get Block & Mortar news in your inbox, whenever it's published.

Privacy statement: I don’t share/rent/sell your personal info. Seriously.