There’s no doubt that Ripple Labs tends to stand out from the cryptocurrency crowd. It has more money than most, a large team of programming veterans, and a heavily marketed suite of products aimed at giving the financial services industry a blockchain makeover.
David Schwartz, chief technology officer at Ripple, knows that XRP cannot do everything. In a TNW Answers session earlier this week, Schwartz was quizzed on the limitations of the XRP Ledger.
He gave a rather candid response – Schwartz doesn’t believe there can be just one digital currency that does all the things:
To which effect, Schwartz further highlighted that he even owns some Bitcoin. He wants cryptocurrency projects to work together, rather than fight each other for market dominance.
It should probably be noted that despite the hippie attitude, Schwartz then proceeded to throw a bunch of shade on Bitcoin, calling its Proof-of-Work consensus algorithm a “technological dead-end.” He also claimed that Ripple Labs’ XRP Ledger was improving on Bitcoin’s design.
David Schwartz answered lots of other questions – from his favorite snack foods to more technical stuff. Go check out all the responses at the TNW Answers page.
Google should learn from Apple’s cryptocurrency guidelines
It appears that Apple has learned its lesson when it comes to tackling cryptocurrency scams. The company has amended its app store review guidelines to extend its section on cryptocurrencies.
The new guidelines lay out the dos and don’ts for iOS developers building cryptocurrency and blockchain apps. Among other things, the document includes instructions on mining, wallet and exchange services, initial coin offerings (ICOs), futures and securities trading, and cryptocurrency-based rewards.
On the face of it, the new guidelines may seem somewhat restrictive for cryptocurrency businesses, and users are already complaining on social media. But the additional vetting may, in fact, help fight one of the biggest menaces in the industry — phishing attacks and malware.
Here are the two clauses related to cryptocurrency mining, for example:
Anyone who has attempted to mine cryptocurrency on their mobile device would know that it is simply not profitable to do so. The cost you will incur in terms of electricity consumption (having to constantly charge your phone’s batteries) and harming your device by subjecting it to excessive heat will far outweigh your revenue from the mining.
The only way to make money with mining on phones is when you are using someone else’s device to mine. That way, you get all the rewards from the mining while someone else is paying the costs — which is exactly what scammers do.
Cryptocurrency mining malware (also known as crypto-jacking) is one of the most rampant virtual currency scams running right now. Scammers have infected the websites of governments, educational institutes, organizations, and even tech companies (such as Lenovo and D-Link) with the Coinhive malware. This allows them to mine cryptocurrency with the processing power of unsuspecting users’ devices. The same is true with mobile apps.
With this in mind, it is vital that apps running cryptocurrency mining in the background are kept in check, which is exactly what Apple is doing with its new guidelines. The fact that apps that run cloud-based mining are allowed is also in favor of the users. The user’s device can’t be exploited in cloud-based mining, and they can choose to participate if they find it profitable.
The other guidelines dictate that only organizations deemed appropriate will be allowed to run apps that offer cryptocurrency related services.
Now, if you don’t know what happens when you let anyone create such apps, look to Google Play Store.
The software distribution platform for Android devices is full of cryptocurrency malware. Indeed, Google Play has hosted fake apps disguised as popular cryptocurrency services such as MetaMask, MyEtherWallet, and Poloniex on a number of occasions. Although Google purges such malicious instances regularly, it is often after hundreds of users have already downloaded them.
This is precisely what Apple’s new guidelines aim to tackle: not allowing such mishaps in the first place.
As far as ICOs are concerned, I don’t think anyone needs a reminder how frequently they turn out to be scams or phoney. Authorities and cryptocurrency businesses across the globe are working together to offer regulations-compliant ICOs, and it makes sense for the App Store to make an exception for such apps.
Cryptocurrency is money, and while tech savvy users know not to risk their investments by installing software from shifty developers, many crypto-newbies don’t. Forbidding such apps on the App Store could go a long way in eliminating this possibility altogether.
As a cryptocurrency nerd and an iPhone user, I am quite content with the guidelines. It is agreeable that Apple puts the security of its users ahead. I hope Google follows suit with its Play Store as well.
MakerDAO bug could’ve let hackers steal Ethereum powering its DAI stablecoin
MakerDAO, the decentralized organization that runs on Ethereum, has disclosed an enormously dangerous security flaw that could’ve allowed an attacker to steal collateral powering its Dai stablecoin with a single transaction.
The bug, if exploited, would’ve resulted in a complete loss of funds for all Dai users making use of its upcoming Multi-Collateral Dai system, and was likely to have brought the entire MakerDAO ecosystem to its knees.
“The cost of performing the attack is almost zero — just the minimal denomination of each type of gem stolen plus gas,” wrote the researcher who discovered the flaw.
MakerDAO’s smart contract had almost zero access control
A HackerOne disclosure report reveals the attack would have been possible due to a complete lack of access control in a MakerDAO smart contract — specifically, the contract that was to allow the system to auction collateral in exchange for DAI cryptocurrency when loans are liquidated.
“A lack of validation in the method flip.kick allows an attacker to create an auction with a fake bid value,” reads the disclosure. “Since the end contract trusts that value, it can be exploited to issue any amount of free Dai during liquidation. That Dai can then be immediately used to obtain all collateral stored in the end contract.”
Liquidation phases exist due to Dai being an “over-collateralized” asset, which means that all circulating Dai cryptocurrency is backed by a surplus of collateral tokens stored in smart contracts on the Ethereum blockchain.
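The trust problem described in the disclosure, shown as a simplified Python model that is added here for illustration and is not MakerDAO's contract code: an auction module whose `kick` accepts any caller, next to the same module with a caller allow-list. The `wards` allow-list, the `enforce_auth` switch, the `refund_bid` method, the caller names and all amounts are assumptions.

```python
# Simplified model constructed for illustration; not MakerDAO's contract code.
class Unauthorized(Exception):
    pass

class Flip:
    """Toy collateral auction. `wards` is a hypothetical caller allow-list."""
    def __init__(self, wards, enforce_auth):
        self.wards = set(wards)
        self.enforce_auth = enforce_auth
        self.auctions = {}

    def kick(self, caller, lot, bid):
        # Hardened form: only authorized system contracts may open an auction.
        if self.enforce_auth and caller not in self.wards:
            raise Unauthorized(f"{caller} is not allowed to call kick")
        auction_id = len(self.auctions) + 1
        self.auctions[auction_id] = {"owner": caller, "lot": lot, "bid": bid}
        return auction_id

class End:
    """Toy shutdown module that refunds whatever bid an auction records."""
    def __init__(self, flip):
        self.flip = flip
        self.dai_issued = 0

    def refund_bid(self, auction_id):  # hypothetical method name
        auction = self.flip.auctions.pop(auction_id)
        # The recorded bid is trusted as-is, so it is only as reliable as
        # the check on who was allowed to create the auction.
        self.dai_issued += auction["bid"]
        return auction["bid"]

def dai_issued_to(caller, enforce_auth, bid=10**9):
    """Return the Dai the toy End module issues for an auction opened by caller."""
    flip = Flip(wards={"liquidator"}, enforce_auth=enforce_auth)
    end = End(flip)
    try:
        auction_id = flip.kick(caller, lot=1, bid=bid)
    except Unauthorized:
        return 0
    return end.refund_bid(auction_id)

if __name__ == "__main__":
    print("no access control:", dai_issued_to("outsider", enforce_auth=False))
    print("with access control:", dai_issued_to("outsider", enforce_auth=True))
    print("authorized caller:", dai_issued_to("liquidator", enforce_auth=True))
```

In the model, the value the settlement side trusts is only safe once the auction side restricts who may write it; the authorized caller's path is unchanged by the check.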
Give an autonomous organization Ethereum to receive crypto loans
MakerDAO documentation explains that Dai loans can be liquidated when they’re deemed unsafe. These measures are in place to ensure there’s enough collateral in the system to guarantee the value of all outstanding Dai tokens, which are meant to have a value of $1.
This collateral is what hackers could have stolen, which could have led to the complete collapse of the DAI once the MCD system was implemented.
According to MakerScan, there’s currently 40,673.89 ETH ($7.2 million) locked as collateral in just one MakerDAO loan, and $270 million worth of Ethereum housed in MakerDAO in total – so the stakes were certain to be very high.
The bug was originally submitted for review on August 29th. Seven days ago, MakerDAO devs announced they had patched the code, and awarded the researcher $50,000 for their efforts.
That bounty may very well be a lot of money, but certainly pales in comparison to the potentially huge stash of Ethereum cryptocurrency that could’ve been stolen at any time, if it wasn’t for this one researcher.
Thank Satoshi for white-hat hackers.
Update 13:49 UTC, October 3: This article has been updated to clarify the collateral at risk were those related to MakerDAO’s upcoming Multi-Collateral Dai system, which is currently not live on the Ethereum mainnet.
Amounts of collateral backing MakerDAO’s Dai stablecoin have also been corrected. We apologize for these mistakes.