Crypto miners turn $11 into $6.7 million just by saying it is

Posted: 23 April 2020 8:16 pm

Picture not described

The oracle vulnerabilities may just be the tip of the iceberg that is PegNet's problems.

A group of cryptocurrency miners recently turned $11 into $6.7 million. They did this by telling everyone that the $11 was actually worth $6.7 million.

This is probably that one simple trick your bank doesn't want you to know.

How to tell a convincing lie

The miners were on a network called PegNet. It's a stablecoin system where miners are incentivised to serve as agreeable oracles.

Oracles are the data sources for these kinds of systems. Their job is to tell the truth. In this case their job was to tell the truth about currency exchange rates.

That's what they lied about. Specifically, they fibbed about the USD/JPY exchange rates.

At current exchange rates one yen is worth about one tenth of an American cent, but these oracles said the correct number is actually $5,306. Then they went and converted their yen to USD, turning $11 equivalent into $6.7 million equivalent.

That's what they call "a whopper" in the lying biz.

Fact check

The reason they got away with this whopper is because they worked as a group to collectively lie to the network, so their lie outweighed all the other oracles. It doesn't appear to have been difficult. It only took four colluding mining pools to successfully attack the network.

After doing the swap, the miners "then tried to liquidate as much as they could on exchanges" according to the postmortem.

They don't appear to have been very successful.

Instead of selling it they ended up burning most or all of the new money by sending it to a burn address, but only after scattering it into a whole lot of different currencies and wringing it through thousands of transactions.

It's not clear whether all the money is accounted for.

They now say it was a penetration test. If that's the case, it was wildly successful. They have conclusively proven that PegNet is seriously vulnerable and that you'd have to be crazy to keep any money there.

Congrats. Now what?

Opinion: Run. Flee for your money. Iceberg ahoy. Not financial or seafaring advice.

The $6.7 million didn't come from anyone. No one was robbed in the transaction.

Rather, the funds were blipped into existence by the PegNet computer program based on the understanding that someone had traded in $6.7 million worth of one asset and was therefore entitled to an equivalent amount of another.

This no-collateral system is at the heart of PegNet.

You onboard into PegNet with any supported asset, of which there are a lot, and can then use that as collateral for minting new supported assets.

The whole point of PegNet is that by wisely and seamlessly swapping between synthetic assets, a user will end up with a PegNet portfolio that, on paper, is valued significantly higher than any underlying collateral.

To quote the horse's mouth:

Picture not described

The only way PegNet can avoid an outcome where its synthetic assets greatly outvalue its collateral value is if PegNet users are constantly at least as likely to lose money as to make money while trading PegNet assets.

That's highly unlikely, and even if it does happen that just means PegNet is straight up a bad product whose viability depends on people constantly losing money on it.

As such, the natural state of PegNet is that the on-paper value of all its synthetic assets is constantly outgrowing its collective collateral. The difference between PegNet's total synthetic asset and total collateral value is pure smoke and mirrors, barely held together by chewing gum and trust in the security of obviously broken oracles.

Consequently, PegNet synthetic assets are worth much less than their on-paper value. There is no reason for the market to ever value pUSD at a dollar each or pBTC at a full BTC each.

Various nuances about needing to cash out via the PEG token and whatnot just reinforce the fact that a pBTC isn't as good as a real BTC.

To make matters worse, the sheer brokenness of PegNet means there's not a lot of reason for people to buy into it, so it's not clear who's going to be providing all that hype and demand for PegNet synthetic assets, to fill the increasingly wide gap between the value of its collateral and the value of its synthetic assets.

It's no surprise those attackers pen testers couldn't unload $6.7 million of pUSD. They probably couldn't have gotten rid of it even if it was legitimately obtained.

Also watch

Disclosure: The author holds BNB, BTC at the time of writing.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

Latest cryptocurrency news

Picture: Shutterstock

Get into cryptocurrency

Ask an Expert

You are about to post a question on

  • Do not enter personal information (eg. surname, phone number, bank details) as your question will be made public
  • is a financial comparison and information service, not a bank or product provider
  • We cannot provide you with personal advice or recommendations
  • Your answer might already be waiting – check previous questions below to see if yours has already been asked

Finder only provides general advice and factual information, so consider your own circumstances, or seek advice before you decide to act on our content. By submitting a question, you're accepting our Terms of Use, Disclaimer & Privacy Policy and Privacy & Cookies Policy.
Go to site