I barely knew about the hack. But you and Fred were kind of disagreeing on how
serious this is, Ryan. Maybe give us an overview. >> Yeah, I think maybe let's wait for people to
log on. It's quite a big hack, and people need to listen to what is affected. And it seems that the
cause of the problem was maybe patched, but that doesn't mean that the hack is finished, so to
speak. So it could mean that the hack is not finished. >> Would you agree with the title,
biggest hack in crypto history, or is it too far? >> I don't know. Let me explain to you what
happened, and then I think that people can jump to their own conclusion. I think that because it
was picked up so quickly, and I'm not sure who picked it up, but because it was picked up so
quickly, we probably averted a hack that could have destroyed us for a long time, a long, long,
long, long, long, long, long time. If this hadn't been picked up as quickly as it got picked up,
I would say hundreds of thousands, if not millions of crypto users could have had their
entire wallets drained. I think a lot of people, well, we don't know of a lot of people that did,
and we don't know, I certainly don't know, but maybe some expert speakers will come up
and tell us whether it's patched to the extent that it cannot be downloaded,
because from what I understand, so let's maybe just go through what I understand, and again,
please forgive me because I'm not, you know, I'm technical to a point, but not to this level, but
anyone that uses a Ledger wallet, a Ledger wallet is probably the most common crypto
hardware wallet out there, and it's supposed to be like the safest solution you can get,
because it's a hardware wallet, it's not a software wallet, which is effectively lives
on your phone or lives on your computer. You actually have to plug it in every time
that you want to use the wallet. The Ledger Connect source repository was attacked,
and essentially what this means is that every time that you connected, anyone that connected
their Ledger and interacted with any Ethereum app or any app out there, effectively exposed
their wallet to, if you approved the transaction, you effectively exposed your wallet to a draining
function, and a draining function effectively gives the hacker the opportunity or the privilege
or the rights to drain your wallet. Now, they don't have to drain your wallet immediately,
they could live on the thing, they can decide to drain your wallet whenever there is
money in your wallet. And so a lot of people who interacted anytime after 9.45 or 9.44 UTC this
morning, a lot of people that interacted with DeFi apps, and there's a whole, I mean, I can't even
begin to tell you what the list is, the list is so long that it doesn't even fit onto tweets,
it's so, so, so, so, so long. If anybody interacted with any of those apps, they were
affected by this. Now, there's a lot of things that I don't know, and I don't know if anyone
knows yet. It seems that it was inserted by an employee of Ledger, so it seems an ex-employee
uploaded a malicious version of the Connector Kit, this UI front-end library which would run
on the client side. It has since been removed. So Ledger, it did take quite a while to come up
with some kind of public statement. I'll quickly read you the public statement. "We have identified
and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed
to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you
informed as the situation evolves. Your Ledger devices and your Ledger were not compromised."
So the device is uncompromised, but if you're interacting with apps, you effectively,
from what I understand, gave signing power. You almost gave the attacker a proof of your signature
and then they could empty your wallet. That's my non-technical understanding of exactly what
happened. It seems to have been patched, but what I don't know is if any users interacted during the
three or four hours that this hack was actually underway or that malicious code did actually live
in the Ledger Connect interface, then I don't know if those wallets can still be drained or not.
And I guess I'm hoping that people will be able to come on and tell us.
Quick, quickly, I just spoke back channel with Seth from Ledger. And right now, we obviously
invited them on the show so they could give the perspective. Their comms team is not allowing that
at this exact moment and they're all hands on deck resolving this. But he said that his
understanding is that it is resolved and that they'll be putting more out there about it,
but we are trying to get them on. They're just not doing it at the second. Maybe Jamison, maybe
after hearing Rand's rundown, obviously, he's the foremost security expert.
I'm sure you can give a much better explanation.
Yes. Yeah. What's going on here?
Yeah, I can give you my perspective. And it is still, I guess you could say, a fog of war. We're
still trying to get all of the details. And the Ledger team, I'm sure, is digging directly into
exactly what the malicious code was doing because there are open questions around exactly how it was
being executed and how they were trying to trick users. So the short version of why this is a
potentially catastrophic type of attack is because what we really see is this single point of failure
that is getting injected into basically every DeFi web three app out there. And that's just
because of the prevalence of Ledger devices and all of these apps want to allow people to use
their Ledger devices with them. Now, one thing which we're not entirely sure of yet, I'm sure
we'll figure this out eventually, I'm not sure that it's necessarily true that this would only
affect Ledger users. I think we should be clear that Ledger was the entry point of this attack,
which allowed them to get into hundreds, if not more, crypto apps. But just because that code came
in through the Ledger library doesn't necessarily mean that only Ledger users would be affected.
What we don't really know yet is exactly what prompts this malicious code was injecting into
the apps to try to get people to sign a message that would effectively hand over control of your
wallet funds. And Drainer apps are not new. This has been going on for years. And it's kind of like
a phishing attack in the sense that your funds are safe unless you approve some malicious smart
contract to have access to them. And so what these malicious actors are trying to do is to trick you
into approving that, making you think that you're approving something else. So we're seeing some
people like Zack are tracing some funds that are being drained and sent that it seems like this
particular threat actor has likely been operating in the space for several months. They just found
a new way to inject their malicious code into many different apps. And it's not necessarily over
in the sense that while it's a very good thing that this code was caught and patched within three or
four hours, but due to the nature of how code gets distributed across the internet, it's still
possible that there are people out there who may still be loading this older malicious version of
the code because it's probably cached in many, many different places all over the internet.
I mean, it sounds like you can't interact with DeFi right now.
Safely. I mean, are we talking about you shouldn't be, you know, connecting to Uniswap or
other decentralized exchanges? Should we be using any of this right now until we get more clarity?
I mean, I'm pretty sure that a lot of people here obviously utilize a ledger with MetaMask for
trading or investing because they have been told that it's the safer way than just leaving the
tokens inside your MetaMask. And sounds like now you might have injected this malicious code all
over the place. True. You know, it's obviously safer to keep your private keys on an air-gapped
device. But just due to the nature of how these more complex smart contract networks work is that
it's possible for you to hand over control of your funds without actually losing the key itself.
So, yeah, the safest thing to do right now is nothing. The experts are digging into it and
will come out, I'm sure, with more specific advice and assurances once it's clear that
it's unlikely for people to still be accidentally loading this code.
Mario, Ran, you guys are co-hosts. Obviously, I'm not. Ran, do we have a tweet or the list
of compromised apps? I know how long it was, but I think it would be useful to pin that in the nest.
We don't have a list of compromised apps. You have a list of affected protocols.
The list is very, very, very long. One place that you can access it, it's in Banter Bubbles
under the newsroom. It's dropped under the newsroom as one of the news articles.
Just link it. Can you guys tweet it? Yeah, you can just tweet it.
Let me drop it, Mario. Let me drop it to you and just tell me what do you think is
the best way to drop something like this. If it's a URL, just post it.
You just need a tweet. Just check that out.
I'll check it out. Do you send it on WhatsApp, I guess, or Twitter?
Yeah, on WhatsApp. I'll check it.
But just before I check it out, let me ask a quick question to James. How long would something
like this take to patch up if there's such a long list? How does it compare to other
similar attacks in terms of scale?
Well, it's kind of the double-sided nature of the beast is that the attack was so effective
and able to get into so many apps because it was basically hot loading this client library
without doing any integrity checks. That means the fix is also similarly easy.
Hopefully, going forward, the ledger library code is going to be more careful and is going to
add in version pinning and integrity checks to make sure that it's not loading arbitrarily
changed malicious code. This was an unfortunate oversight, but this happens a lot in the
JavaScript development ecosystem. There are a lot of potential supply chain attacks due to
the complexity of all of the dependencies that JavaScript-based apps tend to be built on top of.
[crosstalk]
Really quick, Mario. MetaMask just tweeted, "Update. The recent hack affects all users,
not just ledger users. We've deployed a fix for MetaMask portfolio users on the latest version
v2.121.0. We'll be able to transact again and will be updated automatically. If you're not on
this version, please refresh your site data." So this is saying that even just using MetaMask
right now, you're affected to my understanding.
That basically confirms what I had just said is that ledger was the entry point,
but it was not the only target. That's just how they got the malicious code in,
but it looks like the attacker was smart enough not to constrain it only to ledger device signing
functionality.
So what does this mean? Does this mean that anybody who used MetaMask, anybody who used
any of the affected applications, and you're talking about pretty much every single DeFi
application, if I'm not mistaken, does that mean that your wallet could still be drained,
or do you need to be interacting?
Obviously, it requires you to hand over control of your wallet, which means you have to
cryptographically sign a message. So yes, interacting with your wallet is when things
start to get dangerous. And the problem that really arises is that nobody is going to know
exactly what code their wallet is running. So that's why it's best for everyone to sit
tight and get an all clear from the security.
Don't use DeFi.
Or don't even use MetaMask. Don't use a wallet. It's not even don't use DeFi. You don't even
want to send tokens from yourself to yourself, correct?
You shouldn't touch your wallet.
You should not touch your wallet. I don't know how much more clearly to say it. Just
step away from the step away from the from the wallet. Do not touch the wallet.
Touch a lot of grass. Do not touch your wallet. Get the hell out of here. This is this is
pretty crazy, though, because, you know, this is my, you know, knee jerk reaction, but I'm
not going to trust the minute that they say everything is all clear when they had no idea
it was there and was this pervasive in the first place. This is like, it's just...
No one said who said it's all clear. It's only ledger and they're referring to the...
No, but I'm saying we're going to, you know, everybody's saying like we're all saying,
you know, step away, wait until we get clear messaging. Who believes any of it?
Like clear messaging. They didn't know it was there.
Jameson, I need to ask you. So you would need to approve the front end, right? You would
need to approve the wallet. You would need to approve the wallet. So only once you've
approved the wallet does this get access to to allow the drain function, right?
Correct.
Okay. And so, and if you did approve a wallet and your wallet is not drained yet,
where do you stand?
Yeah, if you if you had done a approval action, you know, in the past six hours or so, I would
look in and go to revoke that as quickly as possible.
But the problem is that I heard that if you go to revoke that, that that is interacting
with what I heard is that the more people that went to revoke that, the more people
were actually enabling because apparently the revoke that function uses the interface
or something like that.
Well, I mean, that's a good question of, you know, would it be possible that they were
also extremely smart and somehow have compromised the standard revocation action? You know,
this is once again, why we need to wait and see. Yeah, hopefully not many people have
made large scale approvals today, you know, it like the window is so short that I think
that it's going to be fairly minimized. And the real question is, how long does it take
to get all this malicious code purged from all across the internet?
And how will we know to trust them? That's my bigger question. So when when you're talking
about the revocation, you're talking about to go and metamask and click to disconnect
from any thing that you're connected to, right, like disconnecting from a Uniswap,
something like that. No, no, you have to, because remember, once you've given a dApp
permission to access your wallet, you need to then revoke the access that you've given
the dApp. And so right now, what you what what you have to be careful of is when you
go to revoke the access, you're using the same thing. You're signing a transaction with
the same thing that is that is infected. So what they said is don't go there. Like,
don't go there. Literally do nothing, literally do nothing.
I saw that tweet too, when they said that you basically revoke is also like,
it's dangerous because it's also infected by it's not infected, but it's also connected,
just like metamask, just like everything else. So just the best course of action is to do
nothing, not even revoke, not anything. Because when you go to revoke, you're also confirming
yeah, the confirmation, the permission, you're giving the permission. So like,
don't even touch the revoked websites. I think there's two of them for Ethereum. Like don't
touch them. Don't touch them at all. Don't do anything. Touch grass. I mean, it's winter,
so I guess touch snow, but yeah. Yeah, be very, very, very careful today.
Do we know how much has already been drained, James?
I've been following some of it. I don't know if we're following all the wallets.
So about 610,000 is what ZACXBT said. I've got a wallet in front of me that currently has
$252,000 in it, which is a separate wallet, which is also labeled by ZACXBT as the malicious wallet.
I mean, maybe one of the ideas is to try and get ZACXBT up here. I'm actually going to ping him
and see if he wants to join us. Ryan just tweeted the whole list for anyone that wants to see it.
Ryan, do you want to pin it at the top for all the devs that want to see it?
I just saw in our newsroom only 500,000 so far. That aligns pretty
close with what you said, Ryan. How is it so little if this is so widespread?
My concern is that, you know, once you put a drain function in, I think as Jameson mentioned,
once you've put a drain function in, you don't have to drain immediately.
I mean, some drain functions work that you can sit there, you can leave them for hours and hours
and hours, days and days and days. And one day when there's money in the wallet, you can decide
to drain it whenever you want. So, I mean, we need to get, I don't know enough, I don't have
enough technical details and I haven't yet found anyone that knows enough technical details to tell
us exactly what this thing is. But I think we need to be careful.
Yeah, I mean, we did see revoke.cache has said that they've fixed their particular website.
The bad code in it, but they're still recommending not touching anything,
at least for the rest of the day. And, you know, I think one interesting aspect of all of this,
which obviously I've been banging the drum on for many years, is that this is not going to affect
people who are using multi-sig wallets, because you can't approve, adapt to a multi-sig wallet
without having, you know, meeting that threshold of signatures. So a single signature approval is
not going to compromise people. So let's just be clear, because a lot of people don't understand
what multi-sig is, it's a very technical term. A lot of people that are listening here, they hear
the word multi-sig, they immediately believe that they can't access a multi-sig, they don't know
what it is. Maybe just walk us through how a multi-sig works in day-to-day practice.
Yeah, I mean, I think the easiest way to explain it is to think of physical lock boxes or safety
deposit boxes. You know, instead of just having one key that you have to insert into that box,
you're going to need multiple keys that have to be turned at the same time, you know, almost like
nuclear launch code type of approval. And, you know, this is what gives you a lot more robustness
against all types of attacks, including these software supply chain attacks. Because even if
you're keeping your keys offline on a device like Ledger, Trezor, whatever, as we've seen,
it's possible for you with a single click of a button to unknowingly approve a malicious action.
But what these malicious scripters are not really doing is trying to attack people who
have multi-sig setups. It's a lot more complex to do so, in part because it would require, you know,
multiple supply chain attacks at the same time. You know, people would have to go get multiple
keys and sign them to approve that malicious action. So let's just bring that back to
practicality. So I'm a trader and every day I'm trading meme shitcoins on Uniswap. That's what I
do. The question that I'm asking is, what, I need to now have two Ledgers every time I want to sign
a transaction? How do I get the second signature? I think that's the part that people don't
understand. Right. Well, it could be two Ledgers, though I would recommend against that because,
you know, using the same manufacturer means that both of those devices are potentially
compromised by a single supply chain attack. So this is why at Casa, we recommend people use,
like, a Ledger and a Trezor or really any two different devices from different companies that
use different code, different hardware, and so on. James and Ran, really quickly to add to that.
I'm obviously, I've been a longtime Casa customer. That's how I use multi-sig for my Bitcoin. I've
been pretty outspoken about that. But Ran, when you're talking about interacting with
DeFi, the process of doing that with safe multi-sig is prohibited, right? I mean,
I don't even know how this would work, Jameson, if that's even a thing. But I would literally
have to run around, like, to three states and, yeah. I'll tell you what, I'll tell you what,
I mean, I know what the answer is. I just wanted to hear from Jameson. So if you're really serious
about security, what you need to do is you need to separate your holdings from your trailings.
And the idea would be to use a multi-sig to get money onto a wallet that is, like, a place where
you want to be trading all day, and then use... Yeah, but any transaction, that transaction from
one to the other could be a victim of the exploit. Yeah, but you probably wouldn't be a victim of the
exploit if you used Ledger and Trezor as your two multi-sigs, because, you know, you hope that the
attack doesn't target both. If the attack doesn't target both. You know, the part that worries me
here, the part that worries me here is, this is picked up in a couple of hours. And if this had
gone on for 24 or 48 hours, and people that would have carried on, and this hacker was smart, and,
you know, he didn't actually... We don't know, we don't know what we don't know. We don't know if
he is as smart as we think, or not as smart, or whatever. What we do know, though, is that if he
had waited 24 hours to drain any wallets whilst infecting more and more and more DeFi users,
and then he would have pressed the button at once and automatically drained all the wallets,
you would have seen, you pretty much would have seen 50% of crypto wiped out.
Absolutely possible. And yeah, speaking to your point, I think that people should realize that
you don't need to have just one wallet, you know, especially if you have a substantial portion of
your net worth in crypto, then it makes sense to have different levels of security, because
what you're always doing is you're making trade-offs between security and convenience. So,
you know, it's good to have a super duper secure distributed cold storage setup, and then your
trading setup is hopefully going to be a smaller portion of your stash that's easier for you to
access, but of course, also easier for you to lose. Yeah, I mean, let me ask you a question.
Ran, I want to ask you a question. In light of this, and as many exploits as we've seen,
and I'm not talking about your investment portfolio, I just said I'm a Casa multisig,
I'm just putting this out there not as a question for me, but because I know a lot of people are
thinking this, for trading, would you right now feel more comfortable with your coins on a
centralized exchange or dealing with all of this? Exactly, I was going to ask the same question,
like the whole concept of not your keys, not your coins is just getting questioned now.
Yeah, well, someone said there was a meme that was posted. There was a meme that was posted,
I'm trying to find the meme, but it says something like, your keys are still not your crypto.
Even though you've got the keys, it's still not your crypto because you can get drained.
Yeah, hold on. The difference between this is that this is being remedied right now,
and if it was on a centralized exchange, you couldn't do crap with your coins. So,
no, no, no. Not your keys, not your coins, that's the way to go.
Is it remedied? We don't know. We hope the source is remedied, but we don't know if the
implications are remedied yet. No one knows that yet. That's why MetaMasterBase is saying,
step away from your computer today. But Tobi, with a CEX, with a centralized
exchange, wouldn't they remedy the situation as well, in some case, insure the money as well?
By that time, they could have been completely hacked. I mean, you're talking about,
this is a sophisticated, sophisticated, sophisticated attack.
I mean, they believe it was an inside job. I don't know if this is the root of why people
believe that it was an inside job, but they found a piece of code saying it was published,
and they published an email address in this code, which is literally published. It's on Twitter.
It's a J-U-N-D-O-S-U-G-I-U-R-A-DOT-J-P-@-G-M-A-I-L-D-O-T-C-O-M, because it looks like when the
code was published, it was published by this person, and he left an email address. Is that true?
Is it not true? Was he compromised? No one knows. I haven't found that. I haven't found that. So,
that's supposedly the ex-Ledger employee. And let's speak about two facts here. First of all,
if he did that, do you really think he would leave his personal and business email there?
So, that's kind of, you know, that's not going to happen. Yes, I think you're right, but also,
people make mistakes. I have another point. Someone else in the same tweet, in the sub-tweet,
pointed out that people were targeting by phishing emails 24 hours ago. So, yesterday,
they were targeting GitHub. So, specifically GitHub. So, my conclusion here with a little
bit of cybersecurity history that I have, is that the guy, the ex-employee, got phished. So,
he fell for the phishing attack, and his GitHub got compromised, obviously. And in my opinion,
I think the Ledger probably did not revoke his access as they fired him, or he was let go,
or whatever. And that is my thesis. I don't think that's the guy that actually did the exploit.
This is a sophisticated hack. This is a sophisticated exploit. So, if this is a
sophisticated actor, do you really think he would leave his public email into the... I just don't
think it is. I think he got phished, and he's an ex-employee, and the Ledger did a mistake
not revoking the access from his GitHub. It does make sense, as I said.
Yeah, it does, yeah. In theory, yeah. Theoretical, but...
In theory, yeah. Of course, it's not 100%, but that's common sense, basically.
Yeah, Ren, quickly, just Toby, just to go back to what you said once again, I want to be clear. I
am not questioning the keys, coins, ethos for your investment staff. I'm asking if you are a trader
who's aggressively trading a bunch of garbage that you don't care about that could be worth
quite a bit of money. At this point, I'd be pretty 50/50 on using a MetaMask or a Ledger and
interacting with Uniswap as I would by putting it on Coinbase where it's secure and needs a YubiKey
to do anything. I would be pretty close there. Scott, let me tell you what happened. I was at
my son's birthday party when this all went down. And one of the things that I feel really, really
guilty about is that I do work too hard. And because of crypto, I'll end up working 24 hours.
I'll end up working weekends. I'll end up always looking at my phone. And the last thing that I
wanted to do was be at my son's birthday party and be looking at my phone. But when the news hit,
obviously, we've been interacting with a lot of our wallets because that's what we do. We're
in crypto. And there were no details about what actually was happening. And so I was at my son's
birthday trying my hardest not to look at the phone, but living with the thought that maybe,
maybe, maybe every single one of our wallets today is going to be drained. And we're talking about
millions. I don't want to put it out there, but a lot of them.
Now, the first thought that went through my head is, "Fuck this crypto shit. I'm going back to
traditional banking." I mean, I lost a lot of money in Luna that nearly destroyed my life.
And I just thought, if this is happening to me again, after I've just rebuilt and I've just
started to rebuild, and this is happening to me again, then my first thought was, "I hate crypto."
That's where I was. For a few minutes at my son's birthday, I was at the point where I was like,
"I fucking hate this industry. If they have just drained every single one of the wallets that I've
interacted with today, I mean, I hate this place." What percentage of your wealth is in
wallets versus centralized exchanges, if any? Mario, you're robotic.
I don't have anything in centralized exchanges. I mean, we have custodians. Obviously, we use
custodians for most of it, but still, it's substantial what's not with custodians and
stuff. The problem is that when you're with a custodian, you can't trade, you can't defy,
you can't stake, you can't unstake, you can't deploy strategies. You want to get your money out,
it's a lot more complicated. So, the majority of our money, obviously, is with custodians, but
still, a substantial amount is with traders. We've got a team of traders. They all have wallets. All
the wallets are loaded with money, right? I'll give you an example. We have a team of people
that sit in our office and airdrop funds. That's all they do. So, we give them each X amount of
money. Let me give you an example. We could give you, if you're a sophisticated airdrop farmer,
we would give you a wallet with $100,000 in it, and we would ask you to do and repeat multiple
actions from wallets to try and get us airdropped. We have a team that does that, right?
Now, to be honest, probably every single one of those wallets is actually compromised,
because one of the airdrops we were farming is a ZK-SYNC one, and we know that ZK-SYNC was
compromised. Again, I'm too scared to plug the wallets in to do anything with them. I'm sitting
here thinking, "Well, maybe those wallets are going to be gone. Who knows?" Who knows?
It can be very difficult to compare and contrast different security architectures and all the
trade-offs between self-custody, third-party custody. Obviously, as you said, you get a lot
more functionality in D5 in self-custody, but I think the short version of how I try to sum up
the entire security model available to us in this space is that everything that can go wrong
in a self-custody setup can also go wrong in third-party custody, because if you think about
it, they are just doing self-custody, but for a lot of other people's money. So you're actually
exposing yourself to a wider variety of threats when someone else has the money or someone else
has the keys, because they can screw up in all of the possible ways that you could screw up.
We just saw that with Prime Trust and Fortress, who are two regulated trusted custodians in the
United States. Most smart custodians today use what's called multi-party computation.
What multi-party computation, I'm going to break it down quite simply. In its most basic form,
it shards your private key into three parts, and you need any two parts to sign the transaction.
Usually, only one of the three parts is held by the custodian. One is usually held by you,
and the second one is held by some third party. You need two of the three signatures to access
the wallet. A lot of custodians are traditional custodians, which don't use that kind of
technology, but I think these days, most of them are using MPC or multi-party computation.
I mean, Jameson, I assume that applies to literally everyone, what you're saying, correct?
I mean, you know, because we know that like, you know, eventually BlackRock's going to be
custodying their Bitcoin for the spot ETF, right? There's got to be somewhere that at least
large institutions or players are going to have to trust as custodians in theory.
Yeah. So, you know, the short version is behind the scenes, any "good" custodian is going to have
a robust internal architecture, you know, that splits up the sort of command and control of the
actual keys internally. But from your perspective, that's a black box. You don't actually know
what's going on. You can't confirm what's going on. And it's still possible for them to have
vulnerabilities. The problem is you just, you can't possibly know. So, you know, you are, of course,
trusting that they know what they're doing. And there's a lot of good custodians out there that
do know what they're doing. Yeah.
Just for the audience, and Ryan, maybe give a quick overview, because we've got a lot more
people today because of the hack, obviously. Just another quick overview for anyone that missed it
in the beginning, because there's still people messaging me and I was replying to a few of them
saying, you know, is this just about Ledger? They don't know that there's a lot more dApps
and Metamask deals with compromising. And I've also pinned the list of dApps that you tweeted.
Everyone else, you see the full list is just pinned above. Go ahead, Ryan.
Yeah. So, we're in the middle of a potential massive, massive, massive DeFi hack. We don't
know a lot. What we do know is that the entry point to this attack was malicious software
inputted into what they call the Ledger Connector app or the Ledger Connector, I'm not sure what
that's called. Connect Kit.
And essentially, anyone that's interacted and signed transactions with this malicious,
without knowing, with this malicious kit can have their wallet drained, or some people have already
had their wallets drained. So, the things that we don't know for sure is whether the hacker can
still drain wallet that interacted earlier. We don't know that. We don't know, we think we know
some of the apps that are affected. Metamask has come out and Metamask has basically said,
I don't know, Scott, if you want to read that tweet, but they pretty much said it's not only
Ledger users that are affected. Ledger was the entry point, but now a whole lot of other dApps
are pretty much affected. And the best advice that we can give anyone today is step away from
the computer and don't touch DeFi until experts tell us that this is completely, completely safe.
But for now, best advice I can give you, stay away from anything to do with DeFi today. And
when we say DeFi, we're talking about anything where you approve a transaction on your wallet,
whether it's a hot wallet or a cold wallet. So anytime that it says, would you like to approve
this transaction? Would you like to connect your wallet? Don't do it today. Forget about it.
Yeah, I think that's 100% perfect summary. I just, to a degree, and this is nothing against
any of these specific parties or whatever, like, how do we trust that they cleaned it up when they
tell us they did? I'm sorry. I don't want to touch any of it for a month. It's completely pointless.
You could not pay me to trade right now, even if I saw you. Picture it as a field full of landmines
and they assured you that they've cleared all the landmines. My feeling is don't run into the field
in the beginning. Let others run in, let them blow up. And just since we're giving the recap,
Jameson, could you also just repeat what could happen next? What's the best case
scenario? It's all been patched. Not many dApps were compromised. And what's the other
alternative that got ran to say that could become the biggest hack in crypto history?
Right. So the good news, this was caught very quickly. Why was it caught? Well, at least
partially because the code is open. We can see what the code is. So I think once the security
experts have said they have fully audited and reviewed the latest version of the code,
it's generally going to be good to go. I would imagine that will happen sometime today. It's also
interesting and almost ironic that we've created this incredibly decentralized,
like large ecosystem. And yet it still has these incredibly concentrated single points of failure.
If you think about it, what seems to have happened here? One account of one former employee of one
company got compromised, it appears. And that led to a vulnerability that affected hundreds
of different apps used by who knows how many millions of different people. It's an amazing
level of fragility and an otherwise robust ecosystem. So the openness of the ecosystem
was one of the saving graces here that allowed this malicious code to be detected quickly,
patched quickly. And now we're just sort of in the wait and see mode of making sure that
any places where that code might have gotten cached and still could be getting served to people
needs to get purged in order for people to be able to go forward and be able to use these apps
with some peace of mind. I think one of the reasons, I mean, one of the things that people
forget is that we're still in the Wild West phase of this space. So things like this are
going to happen. We're only 14 years into this. And just as Jameson said, it's open source. So
we can actually see what's going on. This is unlike any time in history that we can actually
do that. So yeah, it got caught. Its code is fixable. And I mean, all this doom and gloom,
yes, there's going to be some collateral damage, but the space is going to be even
stronger after this. Do we know who spotted the hack initially?
Anyone? We still don't know. I haven't seen it. The first thing that I saw, and again,
I don't know if it was the first one, I saw some communication coming out from Sushi,
SushiSwap. They came out with some communication. Bear in mind that they believe that the first
wallet was drained at about 9.44 UTC. That was when they believe that the first wallet was
drained. And again, please don't quote me on any of this. I'm only going on the information that
I have. So I don't know if it was the real first or whatever else. That was the first time that we-
So that was six hours ago. And when did Ledger say it was patched?
I think about four hours later or something. So I think it was about four hours later.
And has there been any, and we would expect more wallets to be drained,
most likely. Just the question is how many more? Because it hasn't-
Yeah, we don't know. That's the problem. So Ledger came out, Ledger came out at two hours ago. So
they came out at 3.31. They came out two and a half hours ago, and they said, "We've identified
and removed malicious version of the Ledger Connected." That was at 3.31. Underneath they
said, "Malicious version of the file was replaced at 2.35 CET." The SushiSwap communication, I'm
just trying to find out when did that actually come out? That came out at, no, that was late.
I like whenever, so hopefully I'm not roboting again, Scott, but I like whenever there's bad
news in crypto, Danish requests to speak. Whenever there's good news, he's not even in the audio. So
maybe peeks in and out. Yes, Danish? Yeah. What is it, Danish? Please.
This is the future of money, guys. This is the future. I keep hearing this is the future,
but apparently the future can be hacked.
Yes, there's not much we could say back. Not your keys, not your coins.
Have fun staying poor, Danish. Have fun staying poor, buddy.
Is that Danish Chef? Well, I was going to say, today I made a proclamation on the morning show,
which for Scott is super scary, which is I am officially, it is the top. And the reason why
it is... Where was I? You bought Bitcoin. You bought Bitcoin. I'm buying Bitcoin today. I'm
just letting people... Who do you think convinced him? Who do you think convinced him that it was
an uncorrelated asset? Wait, wait, wait. Guys, tell everything. Guys, tell everything. It's time.
I don't think so. I don't think so. Maybe. But I convinced Danish that even if he... Well,
I don't know if I convinced him, but we had the conversation that I said, even if you literally
hate it, it's idiosyncratic and uncorrelated. And so you should have it in your portfolio.
So Scott... I'm going with the really soft, soft sell.
Yeah. Scott got it started. And then Powell yesterday convinced me that the whole game
is now rigged. I literally cannot believe how incredibly incompetent our Fed is now.
Why? Why only yesterday? What happened yesterday?
What happened yesterday was the final straw that broke the camel's back. We literally saw in the
last... Well, pretty much the last week, the CPI numbers were doctored. They literally changed the
numbers to fit a narrative. I've posted about that. I can put it up in the Nets. Specifically,
they said that health insurance premiums in these United States went down by 30%. That is a...
Obviously, they talked about how there was a change in methodology. If you corrected that to
the actual numbers, we actually saw that part of the basket go up by 0.2%. So it only represents
0.53% of the total weighting, but just that alone would have made us have a CPI that was
higher than expected. If that would have occurred, there's no way they would be talking about rate
cut. They're saying yesterday on the dot plots that we're expecting three, not one, not two,
but three rate cuts next year. On what premise? GDP is at 5.2%. Unemployment data came in today.
Jobless claims are hot. We're actually running at a hot economy. So what are they seeing? They're
telling them that we should get three rate cuts next year? Okay, one rate cut at the end of the
year, we can talk about it. One of them said six. One of them said six. One of the Fed officials
voted for six. It's a fucking Ponzi. This is made up. I'm sitting here. Oh my God, one of us,
one of us. I mean, yeah, you don't like CPI. We just changed the rules for how we calculate it,
and they've been doing that for what, several decades now? It just gets to be a bigger and
bigger joke until you see, what was it, Krugman a few months ago, posting something about like,
we've defeated inflation. All you have to do is not include food, housing, electricity, energy,
transportation, and inflation's really low. But this is like one of those where it's,
you know, obviously they're doing things differently, but this specific one is such
an egregious change that it even got me sitting here. And I've been one of those people saying,
look, you don't want to fight the Fed. The Fed is going to tell you what they're going to do,
then they're going to do it. Today, yesterday was the correlate, the opposite correlate to what
Powell did with the Jackson Hole speech. Yesterday was the opposite of that. He came in,
you could tell he wasn't sweating as much. He wasn't touching his face as much. He seemed very
confident. You could tell that he essentially called victory in his own special way.
And it's incredibly dangerous. So the reason why I would be going into any sort of thing,
and I am buying gold also, is because I'm sitting here asking myself,
if this looks exactly like '76, '77, which by the way, if you go back and read what people were
saying at that time in '76, '77, it was the same thing. Powell is no bulker. He does not have the
spine or the cojones. He has clearly- Or 25% debt to GDP.
And so we're literally sitting here in a day where the market is ripping, people are celebrating,
and what we should be doing is calling for his head. This is incredibly dangerous, what he's
doing. Just want to be very clear. Wow, Adonis, I just am shocked. Okay,
I'll let you finish. Go ahead. Unless he's seeing deflation expanding from
China to the rest of the world, which is what I think is happening, that could be the only reason
why they're getting ahead of this because this is incredibly irresponsible. I'm putting the red flag
up. This is nearly as irresponsible as calling inflation transitory. This is incredibly dangerous,
in my opinion. That's what he does. That's what he does. I just need to
just briefly say, so I made a false assumption because I've been missing the finance spaces in
the morning, unfortunately, because driving kids to school. But I made the assumption that you were
doing it simply as an investment and you just literally gave the Bitcoin pitch in a billion
years. I would have never thought that that was the reason that you bought it. I know you're
laughing, but I'm actually quite impressed. Didn't we just talk about yesterday? Was it,
Mario? We were talking about strong opinions loosely held and when intelligent people who
can even be very strong in one direction are presented with new information, they change their
mind. Yeah, Adonis contradicts it because that usually correlates with intelligence. But yeah,
Adonis did demonstrate exactly that when I was really enjoying the pitch that he gave.
I'm incredibly impressed. I'll be, I'll be, I'll be clipping Adonis. I'll be aiming at the finance
space. Are you going to buy a crypto pump tomorrow? If you want the promotion from the finance space
to the crypto space, please send me your CV. I'll take a look at it and we'll let you know if we
would consider you. Yeah, Dave. And also, I also got Waheed. So Waheed also hasn't jumped in for
months. Waheed just before Dave jumps in. Waheed, I think you got triggered by Adonis's comments.
Do you agree? Absolutely. I guess, you know, there's something that was very, very different,
but it actually started this week, early this week. For the first time, Biden actually gave
advice to the Fed. He was caught literally saying, you know what, they ought to start
lowering rates. He had never done that. In fact, he actually was bragging that unlike Donald Trump,
he was leaving the Fed alone, etc. So he kind of broadcast it. And then election.
Exactly. And Janet Yellen, literally two days ago, OK, the day before the Fed,
she was she literally spoke like a Fed chair. I mean, it was insane. Giving statistics, inflation
and X-ing this and X-ing that out. And then we ought to do this and all that. And then he basically
comes and layers it in. So, you know, basically the idea that he wants to front load the cuts so
that he doesn't have to cut June, July, August, September, October, just right in front of the
election, front load everything, maybe June probably included in the cuts. I think that's
very valid. He was extremely political. And yeah, I mean, if anyone here. Waheed, this is extortion.
They're extorting and they're extracting from the American people. No, I get that.
They're extorting and extracting on all levels, like it's becoming a banana republic. I mean,
let's not kid ourselves. Every day it's becoming one. I think it is right. Every day we tune in.
It's like, Jesus Christ. I mean, I don't know if you guys have I've been busy with Mario
behind the scenes on all the other shows, right. The political ones, the ones on Sunday. I mean,
it literally, you know, for people who sort of grew up in the establishment, you know,
I was on Wall Street, etc. I drank Kool-Aid like no tomorrow. I used to make fun of conspiracy
theorists. And then the last year, it's like you start to hear these stories and you just
pinch yourself saying, you know, you got to hope that actually a lot of this is overblown, etc.
Now it's just blatant. It is so it's surreal. OK, just look what they're doing to Elon Musk.
Look what the FCC whistleblower this morning attested to. Like, yes, absolutely. The FCC was
ordered to open up as many investigations on Elon Musk as possible. It's like there's no longer
even hiding it anymore. Right. The stuff that we uncovered yesterday with IBM. Unreal. It's like
no longer. So sorry, I'm deviating from the Fed. But yesterday is just like yet another data point
that now it's blatant. Right. And it's no longer. It's just blatant.
I mean, it's been blatant for a long time. It was the reason why I left the United States.
Yeah. But you live, you live, you live. Something special.
I was getting annoyed when Grant says he can't go to South Africa and say,
yes, I left the U.S. is still far ahead. Most other countries in the world. But it is flawed.
And also there's something very special happening, Rand, which is hard to explain. I have to say,
I know people have been talking shit about the Fed and all that. And the Fiat, the Fiat system,
Bronze and Crypto, whatever you guys talk about, that's fine. But this is a little bit different
because they're actually doctoring the underlying data that they're then using to.
But what's new about that? What's new about that?
They did not change methodologies, man. That's not a thing that they did. This is new. I'm telling
you. And to do this right before an election year at a time where, I'll give you a really simple
example. It's a question I asked. At 5.2% GDP, with unemployment being near all time, all time
lows, today's jobs data came in hotter than expected. And, and American retail sales are
higher than expected. And we're talking about three cuts next year? Wow. How? We don't-
I mean, to be fair, Donesh, to be fair, the dot plot's never been right in history.
But even to hear the narrative is, yes, it's astounding.
Would you say the Fed pivoted yesterday?
They pivoted yesterday. Beyond, beyond, beyond reasonable doubt. I mean, it was unreal.
Yesterday was the, was the bizarro Jackson Hole speech. It was the complete opposite this time.
He literally said the words, you know, we might be in a recession.
Donesh, listen, I was having a bad day today, bro. I woke up this morning.
You know, we've had this, we had this, the hack, the hack, you know, we still don't know who's
affected. I was, I was a bit disillusioned by crypto again. I thought to myself, what the hell
am I doing in this industry? But I can tell you that watching you turn like this, bro.
I mean, this is not a good turn around. This is making me sad. I'm sad about this. This is sad
about the American future.
Yeah, we've been sad. We've been sad, Donesh.
We turned like this-
We're very sad. We're very sad when crypto pumps Donesh as well. We share your,
your sadness. And it is very-
I hope Donesh, I hope Donesh literally like buys a Lambo and retires
on an island because of his involvement in this. I truly-
Because of his crypto pump.
And Donesh, I mean, you know, you know, I do think in case you think I wasn't being genuine,
we are looking for another co-host on Crypto Town Hall because you know,
Mario is so busy with politics that we want to replace him.
We want to replace him. So we're thinking of replacing him. So if, I mean,
I really think you should apply. We'll get you into shit coins. Next thing you'll be buying
a Lambo. You buy a Lambo and run on the metro.
No, no, right, right. We have the Degen show, the other one that we do.
We get Donesh on that one with all the shit coins.
In all seriousness, though, that when you, you know, this is really fun and it has been the last
few days, but in all seriousness, when you listen to this, the entirety of this conversation,
doesn't it just make you a little bit more of a Bitcoin maximalist than maybe you were before?
That you should just buy Bitcoin, throw it-
Hold on, hold on. We just talked about, we just talked about the hack as well,
so just take it easy. It's a good day and a bad day.
Yeah. I'm just saying that because of the hack and because of the Fed and all of the main topics
we're talking about, all roads lead directly to Bitcoin and nowhere else. The rest of it is,
I mean, have fun and figure it out. But, and I, listen, I love to speculate,
but the rest of it's a trade.
To be completely clear about something, because I'm getting a bunch of DMs on the back end.
There was a question that was asked from one of our listeners. Do I believe that the ETF will
be approved? The answer is no, but I still think that we're doing such a bad job as a government
that I have to put my money somewhere else.
Well, hold on. You don't believe the ETF is going to be approved?
Not by January 15th. Sorry, to be clear, I don't expect it to be approved by January 15th.
I expect it to be approved in 2025. I am not convinced that in an election year-
Because of Denzler. Because of Denzler.
Yeah.
Because in an election year, look at what Biden is doing. Look at what these guys are doing.
You don't think they can push off an ETF approval until after the election? Of course they can.
They can do whatever they want.
It depends on how much support they want from Larry Fink.
The cash create narrative changes that in a big way. That is a massive,
massive pipeline to trad fi. So the cash create versus in kind is a massive,
massive difference in the Bitcoin ETF narrative. It's the reason why I think it will be approved
in January. And we should probably change the whole fight the Fed conversation, change it to,
you know, don't fight Larry, right? So the Fed basically works for Larry.
Just follow what Larry's doing. What's Larry been doing? Larry's been
grabbing a big bag of Bitcoin and a small bag of ether. So this entire conversation about
Banana Republic and who's doing what, what's Larry doing, right? So cash create again is a
massive, massive, massive pipe to trad fi. And that hasn't gotten enough conversation over the
last two days. But the last, you know, six to 12 meetings that have happened between the ETF
companies and the SEC has basically been conversations about in kind versus cash create.
And the SEC has drawn a fairly, fairly hard line in the sand about cash create. So that's what it's
going to be. Just explain the difference for people who don't understand the difference.
So cash create essentially makes the Bitcoin ETFs, the spot Bitcoin ETFs,
much like a mutual fund. So mutual fund, you put your money in there, it stays in there,
but you're going to get a tax bill every year based on what happens inside of the mutual fund.
It's the reason why ETFs gobbled up enormous market share from mutual funds, because ETFs
effectively are in kind mechanisms where whatever happens inside of the ETF, you're not getting hit
with a tax bill on an annualized basis. You're effectively tax protected. That's the difference
between in kind and cash create. Cash create creates a taxable event. I put out a tweet maybe
an hour ago. Cash create is a massive kick to the balls for Grayscale. Well, why? Grayscale's
Bitcoin cost basis is really, really, really low versus Larry Fink's Bitcoin product. Everybody
else's Bitcoin product, right, which has been created and beginning to fill the coffers over
the last 6 to 12, maybe even 18 months. Grayscale's Bitcoin product has been around for a long time.
So cash create with redemptions of any kind or movement of any kind inside of the ETF
is going to create a taxable event. Well, that taxable event makes it, you know,
it's another liquidity issue associated with TradFi. It also means that other entities,
other traditional finance entities that exist will be easier access, easier to get it approved
inside of their mechanisms and boards and all that stuff. But it creates a real problem,
for example, for a place like Grayscale. But point being is, you know, what's Larry doing?
Larry knows what's coming. Larry is, you know, he agrees with, I don't want to say his name wrong,
but Danish here. He agrees that he knows what's going on. He knows what's happening. He sees it.
He hears it. He hears it before anybody else does. Right. So he's loading up.
Cash create is a big deal. Everybody needs to take a real look at it. Have an understanding
of what's going on. Have an understanding that that is everybody argued all the all the Bitcoin
spot Bitcoin ETF applicants argued against cash create and lost. So their bet is we're going to
bend the knee on cash create. We're going to launch these products, hopefully grab a ton of
assets under management and, you know, deal with the consequences of cash create. But cash create
is going to happen. And it's to me, it's one of the reasons why it's going to get approved in
January. Danish, are you convinced? Yeah, I mean, there's a bunch of stuff to unpack there.
The tax implications I'm not an expert on, but it really has a lot to do with, you know, where you
buy it, where you sell it, how much of the of it is churning flow versus, you know, lots of creates
followed by redeems later. But the big difference in cash create means that the funds all can now
are now going to have to part of their marketing is how much slippage they're going to have in
performance because of how badly they trade. So funds that have the ability and have scale
to trade using modern tools. Now, I don't want to show my own company, so I'll just leave it at that
will have better performance than ones that just trade in other ways and use their custodians to
trade before them. So trading all of a sudden where if it was if it was not cash create,
then you could use the best market makers, the best ways to actually acquire your Bitcoin,
however you did it, miners, whatever. But you won't be able to do that except for seeding.
And so it means that when you want to create, you're going to be publishing a price all day
long. And if you can't buy Bitcoin at that price, your preferred fund performance will be lower.
And if you buy it at a better price, your fund performance will be better. And so it puts trading
into the equation, which some people have vested interest in that being good or bad. So that that
is important. It is why, by the way, they didn't want that because funds didn't want to have to
worry about that. They want to be able to outsource that. And now they can't. So that matters. But I
want to go back to the Fed, because Scott knows this for about a year and a half. Almost every
Monday, I have said that in twenty twenty four, the Fed is going to go dovish. There is no effing
way they were going to be tightening or not have stopped going into an election cycle. I'll have
to admit, even I was surprised at how absurd yesterday's speech was. And of course, the FX
markets, which are generally not terribly volatile. Has anyone looked at the euro, the pound, the yen?
I mean, you're talking one percent moves, boom, you know, in twenty four hours. Those are big
moves that the whole world is basically saying, wait a minute, what the hell is going on in the
US? And that is the Bitcoin narrative. Actually, Bitcoin, Dave Treasuries, less than four percent,
10 years, less than four. Yeah, that's right. Like what is going on? I understand. Yeah,
exactly. I know that was going to be the next thing I was going to say. Thank you.
It was going to be how the hell did we go? We've lost. Just think about it. The Treasury yield.
What has it been a month since when it tapped five percent? That is those are just extraordinary
moves. I mean, people talk about bitcoins on a vessel because it's volatile when the 10 year
bond yield moves by, you know, 20 percent of its yield. I mean, five percent to four percent in
about a month. That is a big move. And so the use case for Bitcoin, I'm not surprised, Dr. Donnish
and other smart people aren't saying, OK, wait a minute, this really needs to be part of your
portfolio. I mean, we could talk about this at length and will, but it is kind of just to be
clear, just to be clear, you're not categorizing Donnish as one of the smart people. I just want
to make sure that we all try it. And then someone else. I noticed this. I know someone,
someone apparently someone apparently asked Donnish about his thoughts about the ETF.
Either Donnish is making shit up or Donnish is part of the crypto crew.
But I do want to echo one thing. I think it was Andrew was saying. But the fact is,
you have to understand the SEC does not get into the weeds on the mechanisms of how an ETF and
that stuff is going to work without approving it. That virtually never happens. So the fact that
they have done this, what you have to understand is the ball is at the one yard line and we're
talking maybe the one inch line and we have the Philadelphia Eagle.
Ryan, you've got a hot mic again, man. Go ahead.
I was just going to say that the fact that BlackRock and others have all amended their filings
at to go to cash, you know, to cash, you know, in kind cash versus in kind create.
And by the way, obviously redeemed to, you know, it doesn't have to go that way.
There will be two prices, the redeemed price and the cash price, but it create price. But,
you know, maybe later in later spaces, we can talk about ETFs, you know, so people can understand.
Dave, sorry, I need to interrupt because Ledger just tweeted a full update.
I know that people are waiting for this. We'll go right back. It's their final timeline and
update to customers. You can find this at Ledger. Ledger Connect Kick Genuine Version 1.1.8 is being
propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.
The investigation continues. Here's the timeline of what we know. By the way,
Smiley, you were correct. This morning, CET, a former Ledger employee fell victim to a phishing
attack that gave access to their NPMJS account. The attacker published a malicious version of
the Ledger Connect Kit affecting versions 1.1.5, 6 and 7. The malicious code used a rogue wallet
connect project to reroute funds to a hacker wallet. Ledger's technology and security teams
were alerted and a fix was deployed within 40 minutes of Ledger becoming aware. The malicious
file was live for around five hours. However, we believe the window where funds were drained
was limited to a period of less than two hours. Ledger coordinated with Wallet Connect, which
quickly disabled the rogue project. The Genuine and Verified Ledger Connect Kit Version 1.1.8
is now propagating and is safe to use. For builders who are developing and interacting
with the Ledger Connect Kit code, Connect Kit development team on the NPM project are now read
only and can't directly push the NPM package for safety reasons. We have internally rotated the
secrets to publish on Ledger's GitHub. A whole lot about, yeah, I mean, it goes much deeper,
but it says that Chainalysis, thank you to Wallet Connect, Tether.io, Chainalysis,
Zaking, XPT, and the whole community that helped us in the community to help us identify and solve
this attack. It seems that the tether is frozen. Ledger along with Wallet Connect and our partners
have reported the bad actor's wallet address. The address is now visible on Chainalysis. Tether
has frozen the bad actor's USDT. That's good news. Remind you to always clear sign with your ledger.
You guys can read it. That's the gist of it, but it seems they fixed it within 40 minutes. It was
live for a couple hours and maybe they got the worst of it here. But man, this could be really,
really ugly. Crisis averted. I asked Jameson. I don't know. Jameson, what do you think?
Melt up continues. Is that what you're saying? Well, I think for price, yes.
But this is pretty much what I think we were speculating was the likely cause, but I'll say
this is a fairly amateur mistake on Ledger's end. And by that, I mean, this is a standard,
software as a service, a security architecture issue that you should have what we call two-man
rules around the review and deployment of all code. And so whatever architecture Ledger had
internally around deploying those NPM packages, it allowed a single employee to write and deploy
code. And that's a single point of failure. That's really what I harped on an hour or so ago is the
fact that despite how distributed and decentralized this system is, we still have these insane single
points of failure. So it sounds like Ledger has figured out that they need to make the deploy
process more robust there. And going forward, it seems unlikely that this specific type of attack
will happen again. But this is the nature of security is that bad things happen. You learn
lessons from them and you harden your security processes as a result. And did they say, by the
way, Scott, did they say it's a former employee? Does that mean they fired him after this incident?
I think it's, I don't know if the implication is that he got fired for this or that they were
already, they were a former employee already who got exploited. I can't-
It sounds like they were already a former employee and that would just indicate another
ball that they dropped where this is another, it's a standard security practice that all former
employees, you know, authentication mechanisms, as soon as they are terminated.
Is this the second or third Ledger issue in the last 18 to 24 months? I remember the last one.
I think it was third. Well, they had the, well, I don't know if it was 18 months,
but they obviously had the data breach that had nothing to do with any of this. And then
they had the controversy over their new program, you know, for recovering keys. And that sort of
showed that maybe someone else, I don't remember the exact details, but yes,
they've been in a controversial situation about three times at least.
Yeah. I mean, at some point, shouldn't you kind of bring folks like Jamison in and have a couple
conversations about how to avoid- He has his own company.
I know, but still, I mean, point being- Jamison, you need a job?
People like it. It's, you know, this should feel fairly elementary to avoid stuff like this, but,
you know, who am I to say? I guess what you guys can do is, I mean,
if you're worried about this stuff, then, you know, have multiple different hardware wallets
that you put your coins on. At least you're, you know, as anti-fragile as you can be.
Yeah. Am I robotic?
No. So with this update, so you guys said the worst has been averted. So does that mean because
they spotted it too early, there's not going to be that many dApps affected, there's not going
to be that many wallets affected? But this is Ledger, right? This is coming
from Ledger and talking about- Yeah, but if Ledger patched it-
I wouldn't start jumping into anything else that could have like obviously been affected.
No, but if Ledger patched it, but if Ledger was the entry point, if the entry point was
closed up that quickly, does this mean that not that many wallets would have been affected? I'm
sure there's a bunch of them, but it just- I mean, MetaMask also deleted their tweet,
the one that said, "It doesn't matter whether you use Ledger or not." That tweet also-
Oh, wow. Okay. That's important.
They deleted it? Yeah.
That's very important, yeah. I like how he mentions it casually. So what would you make of this,
Jameson? I think it's showing that it's
fairly minimized. We'll know over the next day or two, like you said, the drainer doesn't
necessarily need to take all the funds though. I would suspect at this point, since they've
been found out that they're going to be draining as quickly as possible and that they have likely
already drained everything that they could drain, it sounds like Tether has frozen the funds, but
apparently the USDC funds that they had drained were not frozen in time and they already converted
that to something else. So I think at this point, it's probably mostly going to be on the chain
analysis folks to try to follow their movements. And this is a perfect example of the advantages
and disadvantages of centralization. So obviously the hack itself shows a disadvantage,
but then with Tether being able to freeze some of the funds that were drained,
it just shows an advantage, David. Yeah. I mean, it seems like they're
going to get away with nothing. That's what it sounds like.
Yeah. How much did they get away with with the USDC?
Well, it was only a few hundred. Well, yeah, I don't know. It was only a few hundred thousand,
but I'm assuming that is being watched very closely now. I don't know what it was for USDC.
James said he just wanted to quote that. I didn't see that in the ledger part.
David? Oh, yeah. I just wanted to bring the
conversation back to macro. Powell, Bitcoin ETF approval. I'm sorry that Donesh is no longer here,
but I really believe with the ETF approval forthcoming in January, I think 2024 could be
the year of Bitcoin in ways in terms of its not only adoption, but profile being grown massively.
And on that point, I'm wondering how much prominence El Salvador and the experiment in
Argentina going on under Millet right now could possibly get and contrast that with what's going
on here in the United States. Right. So we've got, I think, you know, general consensus on
this call that, you know, the Fed is not doing the prudent thing in terms of if it does, in fact,
go ahead and cut rates next year. And we are not being managed. The U.S. economy is not being
managed properly. You have Millet in Argentina who, you know, whether he'll get to dollarization
and whether he'll get to Bitcoin being legal tender, you know, very quickly, we'll have to
wait and see. But clearly, based on his acts on the first day of his presidency, you know,
is really serving it up straight as a real libertarian. And, you know, he he is going to go
ahead and make he's going to radically change, try at least to radically change the society there
in terms of being fully transparent and having very little, having the smallest government,
frankly, footprint out of any government that's out there. And then El Salvador,
you know, clearly in the black on its investment in Bitcoin and only going bigger on that
investment. Those two countries are not particularly notable in the worldwide scheme of things. But in
terms of the experiments that they're undergoing, I think they're really good.
Let me jump in, David, I want to bring the conversation back to the hack.
Yeah. Is he OK with us mentioning his name? Did he give you an OK?
Yeah. The CTO of SushiSwap DMed me, Matthew Lilly, and he said, hey, I'm listening to the spaces and
I'm the one who broke the news. So we'd like to get him up on stage, of course. And we did mention,
obviously, without his name, that it was from SushiSwap, the CTO, that we'd heard it.
So if he can... Yeah, I just saw a message as well. He sent it to me 16 minutes ago. I apologize,
Matthew, for missing it. I've just sent you an invite, a request to speak as well, if you're
listening. Let me just reply. Oh, there he is, is that him? Oh, no, that's not him. Let me just
reply to him quickly. A request. All right, we'll get him up. It'd be good to get his thoughts on
this. And if you are the one that broke it, Matthew, I'm assuming you did, considering you're
saying you did. Congratulations. Yeah, I appreciate it. Yeah, I agree. I've just sent you an invite,
man. You can see in the audience if you want to come up and speak. Scott, did you ask him? Okay,
he said, yeah, he brought a time up. Oh, no, did he come up or leave? Yeah. He's on stage.
Yeah, it would be good to bring him up, Matthew, get your quick thoughts on this. But otherwise,
appreciate you spotting the vulnerability. So credits to you. But I think that's pretty much
it, Scott. I think we've covered the story well. Yeah, if he's not coming up, I feel like we have
to end it at seemingly things are improving. I think we got good insight there, but we should
have literally just crashed the rug, the spaces the minute that Don has said that he bought Bitcoin.
Should have just ended it. Yeah. Because that was such a revelation that we could only go
down from there. Yeah, I'm just checking the news if there's anything else. By the way,
are we doing spaces on news day and Christmas day or just taking those days off? I don't know
how much trouble do you want us to be in with our family and children and wives that you don't.
Yeah, I don't want my wife and kids to miss me on those days. You're right. Anyway, I think
we've covered it well. Yeah, I think we did. All right. Well, thank you, Matthew. If you didn't
get up, appreciate you. Thank you. Yeah, everyone give him a follow. @MatthewLillie,
M-A-T-H-E-W-T-L-I-L-L-E-Y. So give him a follow and a thank you. Cool. Thanks, everyone.
Awesome. Bye.