Protect Your Neck: The Fairwin D’app scam

The ethereum blockchain touts itself as the internet 3.0. It’s a decentralized autonomous supercomputer that can be accessed anywhere in the world as long as you own ethereum. It’s an entirely self-contained ecosystem where programmers, consumers and merchants can get together to engage in commerce. A few presently existing options for doing business on the blockchain include private decentralized finance (compound), freelancing and getting paid in crypto (ethlance), and playing games (cryptokitties). These collectively are called decentralized applications, (or d’apps).

But we’re probably getting ahead of ourselves. Let’s start with some definitions:

Decentralized applications (D’apps) are computer programs that run on a distributed computing system. Mostly you’ll hear about them in conjunction with the ethereum blockchain, and sometimes they’ll go by the name ‘smart contracts.’

They impose certain conditions on the parties involved, and they are immutable and irreversible. Some of their effects are triggered automatically when conditions are met. The aim of smart contracts is to provide security that is superior to traditional contract law and to reduce the other transaction costs associated with contracting.

But like analog contracts, d’apps are only as good, and as binding, as the writing (or code) used to construct them. They are also only as reliable and as trustworthy as the person writing the code, and if that person (or organization) isn’t trustworthy, then we get what happened here earlier this month.

Fairwin was one of many gambling d’apps running off of ethereum, and one of the most popular.

Here are some stats on how it was doing:

  1. More than 500K ETH coin flow in less than a month (around $100M / month)

  2. More than 60K ETH per day (around $10M / day)

  3. More than 400K transactions, with significant gas prices

To put the numbers in context, consider for a moment that ETH is presently trading at CAD$238.86. At the height of this particular scheme there were a lot of funds and a lot of traffic changing hands every day, which on the surface looks like it might be a worthwhile place to pay attention. Except it wasn’t.

Users can make money in two ways:

  • “Invest” money in the scheme which will give a daily “dividend”.

  • Give invitation codes to other people. When the people you invite, and the people they invite (and so on…), put money in, you receive a reward.

Users lose money in one way (assuming the smart contract works as promised):

  • The contract runs out of funds. Since people are paid dividends and bonuses, the amount of money that will be paid out exceeds the users’ deposits. It currently works only because new people keep putting more money in. It is unsustainable, and there will inevitably be a point where the contract can’t pay participants. People still in the scheme at that moment will lose all their money.
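The two ways of making money and the one way of losing it described above can be put into a small ledger model. The following is an added example, not code from the original post or from the Fairwin contract: it simulates a pool that pays a fixed daily “dividend” on every open deposit and a referral cut on every new deposit, funded by nothing but incoming deposits, and reports the first day the pool cannot meet its promised payout. All rates and inflow figures are constructed assumptions, not Fairwin’s actual parameters. Exact fractions are used so the insolvency day does not depend on floating-point rounding.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional


@dataclass(frozen=True)
class Outcome:
    collapse_day: Optional[int]  # first day the pool cannot pay the promised dividend
    balance: Fraction            # funds still held by the contract at the end
    principal: Fraction          # total deposits participants believe they can withdraw

    @property
    def can_repay_everyone(self) -> bool:
        """True only if every participant could withdraw their full deposit."""
        return self.balance >= self.principal


def simulate(daily_inflow, dividend_rate, referral_rate, growth, days: int) -> Outcome:
    """Run the scheme day by day with constructed parameters.

    daily_inflow:  new deposits arriving on day 0 (e.g. 100 ETH)
    dividend_rate: daily dividend paid on all open principal (0.01 = 1 % per day)
    referral_rate: share of each new deposit paid straight out to referrers
    growth:        daily multiplier on inflow (1.0 flat, 0.9 shrinking, 1.05 growing)
    days:          how many days to simulate
    Rates are converted via str() so 0.01 becomes exactly 1/100.
    """
    dividend = Fraction(str(dividend_rate))
    referral = Fraction(str(referral_rate))
    growth = Fraction(str(growth))
    balance = Fraction(0)
    principal = Fraction(0)
    inflow = Fraction(str(daily_inflow))

    for day in range(days):
        # New money arrives; referrers are paid their cut out of the same money,
        # so the pool never holds the full amount that was "invested".
        balance += inflow * (1 - referral)
        principal += inflow
        # Every open deposit is owed today's dividend, and the only source is the pool.
        owed = principal * dividend
        if owed > balance:
            return Outcome(day, balance, principal)
        balance -= owed
        inflow *= growth

    return Outcome(None, balance, principal)


if __name__ == "__main__":
    for label, g in (("flat inflow", 1.0), ("shrinking inflow", 0.9), ("growing inflow", 1.05)):
        result = simulate(100, 0.01, 0.10, g, 365)
        print(f"{label:17s} collapse day: {result.collapse_day}, "
              f"balance/principal: {float(result.balance / result.principal):.2f}")
```

With flat inflow the pool fails on day 179 of the simulation; with shrinking inflow it fails earlier; with inflow growing 5 % a day it survives the whole year but still holds far less than participants are owed, which is the point of the passage: the scheme only looks solvent while new deposits keep arriving.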

You’d think there was some serious business going on there, and definitely worth watching. Well, it is, but not because of what you’d think. Instead, it’s a scam. And more specifically, a ponzi scheme.

It’s the kind of scam where gullible folks invest their money, expecting it to multiply in the short term, and end up getting fleeced. In the end, the money you put in magically disappears out some digital bolthole in the code when the investment stream dries up, leaving investors with nothing.

Fairwin called itself a fair gambling platform involving games of chance, and when you gamble, four percent of your funds went towards ‘ecological construction,’ which Fairwin stated went back to the investors.

White-hat hackers investigated and found holes in the contract.

Daniel Luca, a security auditor who helped discover the vulnerabilities, said the owner managed to remove most of the funds before investors could withdraw. But it was “impossible for everyone to withdraw their funds. Some people got burned.”

He took to Twitter to discuss the code.

The holes include three main vulnerabilities, “one allowing the owner/admin of the contracts to totally drain [the smart contract containing $8 million in ether], one where the admin can prevent users from withdrawing forever and one where anyone, not just the owner, can steal new deposits,” according to Philippe Castonguay, an R&D researcher at Horizon Games.

The smart contract contained over $8 million in ether at the time.

The app is empty now. It’s not entirely clear how much the criminals got away with and how much money participants managed to claw back, but there is definitely something to be learned here about the nature of this new internet—and it’s that no application will ever be proof against scammers. The same human ingenuity that goes into the design of these applications can easily be inverted and used to steal from the people who use them.

There are a number of different sites to inspect to determine if a decentralized application is, in fact, fraudulent.

One timeless piece of advice stands out, though:

And if something sounds too good to be true, then it probably is.

—Joseph Morton
