Blockchains and Cybersecurity PDF

Summary

These lecture notes discuss various blockchain consensus protocols such as PoW (Proof of Work), PoS (Proof of Stake), and others. The document compares these systems in terms of energy usage and security.

Full Transcript

Blockchains and
Cybersecurity
ITCY 493 – Chapter 4
Dr Ghassan Alkoureiti
 Also called consensus mechanisms or consensus
algorithms
No decentralization of blockchain can work
without consensus mechanism
Consensus Set of rules agreed upon by valid nodes that
govern and maintain the blockchain by
Protocols validating transactions
Types of consensus protocols
PoW (Proof of Work)
PoS (Proof of Stake)
DPoS (Delegated Proof of Stake)
PoC (Proof of Capacity)
PoA (Proof of Authority)
PoH (Proof of History)
Proof of Work (remember?)
Most established means of generating consensus in public
permissionless blockchains
Protects the blockchain from Sybil attacks
Uses tremendous of energy
Some Bitcoin energy cost estimated to be as much as Ireland or
Switzerland
Cryptocurrencies which use PoW:
Bitcoin, Litecoin, Monero, Ethereum Classic (ETC), Dash, BCH, BSV, Zcash,
Dogecoin

Prepared by Dr. Ghassan 3
 Proof of Stake (remember?)
Like PoW, participating nodes validate transactions
But: Nodes can participate by pledging their crypto tokens
Picking validators depends on the blockchain’s protocol:
Some more staked crypto tokens, better chance of validating transactions
Some about longer staking results in more chance of earning from transactions
fees
Others just random node
Or combination of all above
PoS blockchains include Ethereum (ETH as of 2022), Polkadot, Cardano,
Flow, Polygon, etc.

Prepared by Dr. Ghassan 4
 Proof of Stake
Compared to PoW:
Does not demand high energy consumption
Requirement is high for some
E.g. Ethereum is minimum of 32 Ether. How much is that today?
Risk being slashed
Slashing: Lose staked coins due to not correctly validating blockchain
Rationale to penalize misbehaving nodes
Offending validator can also be ejected from participating
Each protocol has its own slashing mechanism
Extreme case: loss of all coins; Other do not have any penalty
Cons: Might wrongly penalize stakers when their device accidently drops or shuts down
PoS rewarding might encourage coin hoarding

Prepared by Dr. Ghassan 5
PoW vs PoS
Proof of Work Proof of Stake

Miners are rewarded, when they solve the
Reward for miners Stakers are rewarded the transaction fees
cryptographic algorithm first

The winner determined by the person who has the The more coins you can afford to buy and stake, the
Fairness to miners
most powerful/quantity of hardware devices more likelihood you can earn

Energy consumption High Low

Control No control If a forger attempts to hack the network or process
malicious transactions, then they would lose their stake

Practically impossible. Theoretical possible by Practically impossible. Theoretical possible by owning
51% Attack owning 51% of total computation power 51% of the total stakes in circulation
Delegated Proof of Stake (DPoS)
Similar to PoS, participating nodes stake their tokens
But, participating nodes = voters + delegates
Voter nodes vote for delegated nodes
Delegated nodes validate the transactions
Voting for delegate nodes is directly related to their algorithmic reputation
Q: What about for PoS?
More power efficient than PoS
More centralized than other consensus mechanisms
Risk of delegates forming a cartel
Used by EOS, Tezos, Steem, Tron, Lisk
Proof of Capacity (PoC)
Utilizes the verifiers hard disk capacity to validate transactions
and maintain the blockchain
E.g., Chia BHD (Bitcoin HD), Burst, Storj etc.
Bigger capacity, the more likelihood of winning
High energy efficiency
Low entry to mine; HDs are cheaper than GPUs and ASICs
Cons:
Lack of developers supports
Suspectable to malware
Users with exceedingly high HD can mine most of network’s
CC
 Proof of Authority
(PoA)
PoA algorithm often used for private blockchains
At stake are the reputation of each participant’s real
identification
Selects a small and limited validators
Low transaction processing, does not require
computing power, low chances of attacks
Q: Why so?
BNB uses PoS + PoA called PoSA
Used part of Hyperledger projects, and Microsoft
Azure in SCM
Proof of History (PoH)
PoH is novel consensus algorithm technology
Relies on in-built synchronization mechanism
Employs an internal clock that sync time across all the network’s nodes
Eliminates need to seek external sources to establish median time across all
participating nodes; thus, reducing back & forth network traffic
Higher transaction processing speed
Low transaction costs
Centralization due to ASIC devices
Low adoption -> low development efforts
E.g., Solano (combines PoS and PoH)
 SOLANO (SOL)
Consensus Protocol: PoS & PoH
Block size creation 400 ms
>700k TPS
Uses RUST to code their dapps
Low code but powerful & allows parallel processing & customization
Cannot copy/paste EVM-based dapps
Relatively new platform but growing ecosystem
Experience multiple outages
SOL is inflationary and deflationary
Inflationary: Rewards stackers with SOL
Deflationary: Burns % of base fees
DAGs
Directed Acyclic Graphs (DAGs) are a specific type of data structure.
Nodes represent data, while directed edges represent relationships
between them.
Unlike blockchains, DAGs do not form a linear chain.
Nodes can reference multiple previous nodes, creating a more
intricate network structure.
Parallel validation makes it faster transaction processing & more
scalable than blockchains.
DAGs
Instead of mining, DAG employ various alternative mechanisms
e.g., voting, staking)
Applications include IOTA (DAG called Tangle), Hedera (DAG called
Hashgraph)
Avalanche (AVAX)
Used to run dapps on Avalanche network
Unique consensus mechanism of PoS & DAGs combination
Much faster than other ETH
720 million AVAX deflationary supply limit
Requires 80% of network control to attack
Can create own subnets
Each subnet can have its own public/private consensus protocol
Competes with other blockchain platforms like ETH, BNB, etc.
Niche market is GameFi dapps
 Bitcoin (BTC) &
Satoshi (SATS)
Smallest unit of BTC is satoshis (or sats)
Think about it as Fils to the Dinar
1 BTC = 100,000,000 SATS
1 dollar ~= 4000 satoshis
 Crypto Faucets
Analogy from a leaky water faucet
Tiny rewards for doing small tasks. Can accumulate with
frequent use.
E.g., watching ads, completing surveys, referring a
friend, reading articles etc.
Rewards are in terms of satoshis
Often used to educate and circulate crypto tokens in the
communities
Some website would allow withdrawal only when
reaching a minimum threshold
Free to Use
Most leading crypto faucets websites is Moon Bitcoin,
BTC Clicks
 Crypto Faucets
Some faucets are scams
Install malware on your device
Too little rewards (e.g., 1$ worth
of 1 week of participation)
Denying withdraw
Fake ads advertising
Earn more with part-time job
Reduce risk with DYOR
Mempool
Short for ‘Memory Pool’
Blockchain technology that stores unconfirmed transactions as they
await to be verified by validators and enter newly minted blocks.
Temporary storage where transaction prioritization and ordering take
place.
For Bitcoin, it exists in each Bitcoin node which is synchronized with
other nodes.
Ethereum Smallest Unit of ETH is wei
Gwei 1 gwei is 1 billion wei (1 Gwei = 1,000,000,000 Wei)
1 ETH is 1 billion gwei (1 ETH = 1,000,000,000 Gwei)
 Gas
Gas is the unit to measure computation processing in the blockchain.
Gas is often paid with ETH (or Wei)
Each transaction executed by smart contract needs resources to process
Hence, each transaction costs fees, and the fees in DeFi apps is called
gas price.
Irrespective if the transaction is successful or not
e.g., Gas units used * (base fees + priority fees)
20,000 * (10 + 4 ) = 280,000 WEI
Q: Why charge gas fees?
 Gas

Gas fees serve to improve the security of the blockchain:
It halts bad actors from spamming the network
It prevents infinite looping from taking place (whether accidental or intentional)

Base fees
Base fees is set by the blockchain protocol
The reserve gas price the transaction will cost to execute
Higher is the congestion on the Ethereum blockchain, higher the priority fees
After transaction is executed, the base fees is burnt

Q: Why burn tokens?
ERC (Ethereum Request for
Comment)
Proposed standards to be added or changed to the Ethereum
blockchain.
Ethereum Improvement Proposal (EIP) is the process of reviewing and
approving ERC by the community.
Most popular ones are:
ERC-20 – Introduced standards for fungible tokens created on Ethereum
blockchain and to be interchangeable among themselves.
E.g., LINK, WBTC, USDC, USDT
Made it easier for developers to understand and develop on the
blockchain.
ERC-721 NFTs
ERC-721 introduced standards for NFTs
ERC-721 tokens cannot work on AMM LPs (Q: Why so?)
NFT has unique properties that does not make it fungible.
Tokenized version of real or virtual assets.
Made possible due to ERC-721
Proof of ownership can be verified in the blockchain.
Represents unique items.
Value is inherent in the value of the token’s uniqueness.
Can be traded in NFT-specific P2P marketplace.
ERC-721 NFTs
ERC-1155
Allows generation of multiple tokens by the same smart contract.
Applicable to both fungible and non-fungible tokens.
Capable of detecting the token’s interface
Compared to ERC-721, it is cheaper to process and requires less
storage.
ERC-1155

Adidas Into the Metaverse

Microsoft Azure Heroes
ERC-404
ERC-404 = ERC-721 + ERC-20
Merging Non-Fungibility with Fungibility
Utilizes “Mint and burn” mechanism
The original NFT can be "burned" (removed from circulation) to create
smaller ERC-404 tokens representing fractions.
Individuals can then buy and sell these fractions.
New NFT created if more fractions are collected.
Benefits: Increased Liquidity, accessibility, & investment for NFTs
Challenges: Still experimental, regulation uncertainty; high speculative
investments
NFT Marketplaces
There are many NFT marketplaces, general and specific.
General NFT marketplaces sell unique digital works of art.
OpenSea
Blur
Exclusive NFTs for specific dapps:
NBA Top Shot Marketplace
Axie Marketplace
OpenSea
Largest NFT marketplace by trade volume
2.5% transaction fees
Works on Ethereum, Solano, Polygon blockchains
Huge selection of NFTs
Easy process to mint NFTs
Much spams and scams
 Hype of NFT – Beeple Art Deal
Even though NFT was there for some years, what popularized the NFT
hype fervor is transaction which made it to global news in 2021.
Titled as ‘Everydays: the First 5000 Days’ where artist drew a picture
everyday for 12 years continuously.
 Hype of NFT – Beeple Art Deal
The buyer goes by the online alias, Metakovan
Turns out Metakovan is in good terms with Beeple before the sale.
Their idea is to mint a cryptotoken called B.20
This B.20 cryptotoken will allow exclusive online visits to a virtual
museum of all of Beeple’s art creations.
Hype of NFT – Beeple Art Deal
The art deal, along with others, was part of a ‘revolutionary’ project
that will ‘flip the art world upside down’
Hype of NFT – Beeple Art Deal
Soon after the hype faded, B20 dropped by > 99% of its all time high
value.
Larva Lab
Place to buy and sell CryptoPunks and
Meebits
Based on Ethereum
No Service fees
Reputation suffered heavily for controversy of
V1 CryptoPunks
V1 CryptoPunks Controversy
Larva Lab created about 10,000 cryptopunks (known now as V1) for
free as NFTs.
Later, Larva Lab discovered a bug where NFT buyers can withdraw
their payment + receive the paid for NFT.
So, Larva Labs disowned all cryptopunks, and issued new cryptopunks
(denoted by V2)
But, two days before announcing the problem, a co-founder sold 40
cryptopunks for 260 ETH
Also, V1 and V2 cryptopunks NFTs are indistinguishable.
V1 and V2 Cryptopunks
Criticism of NFTs
Hype and attention “on steroids” (compared to CC)
Leads to unaccounted for inflation and bubble
Transacted through unregulated markets
Breeding ground for scammers and fraud
Ownership and IP confusion
You own link to am NFT; not the NFT per se
Cybersecurity concerns raised
Fake NFT stores, selling counterfeit identical digital NFTs
Does not generate value
Demand lies in selling it on premium to the next buyer
 Burning Fees
Burning base fees serves two purposes:
To limit the ETH in circulation
To prevent bad actors from “gaming the system”
By mitigating MEV (Miner Extraction Value) manipulation
Priority fees
Priority fees is inputted by the user
Awarded to network validators who won the block
Higher priority fees provides preferential execution over other transactions
User can set ‘max fees’ they are willing to pay. Max fees should be > base fees + priority fees
User refunded difference between max fees and actual gas fees to execute transaction
E.g. max fees = 20 Gwei. 5 Gwei was used to execute transaction. 15 Gwei returned to user wallet
Q: What happens if you do not want to pay higher gas fees to hasten your
transaction?
Are cryptocurrencies decentralized?
Investment and deployment of global companies in mining Bitcoin challenges
the ‘spirit’ of decentralization
Ethereum much controversial ‘The DAO’ reversal narrative
Ubiquity of whales across much cryptocurrencies
Crypto whales are entities who hold substantial amount of a particular cryptocurrency
where they can have significant sway in market price when trading
Q: What is the likelihood of successfully mining a block in Bitcoin blockchain?
 Arbitrage is the process of profiting from a disparity in pricing between two or more
markets

Crypto Virtually all arbitraging is conducted by algorithms (or DAOs)
Price difference often is negligible. To earn, you need to trade significant amount of
Arbitrage cryptocurrency
FTX founder initial wealth is from arbitraging Bitcoin price between crypto
exchanges
 Oracle

Oracles exists outside of the blockchain (off-chain)
Oracle does not exist physically; Oracles are only code
Three types of oracle:
Hardware oracles: Read data from devices like NFC, RFID, thermometers
etc.
Software oracles: Read data from stock market, websites, social media etc.
Human oracles: Read data from human personnel or expertise or reviews
Often use arbitraging prices of cryptocurrencies across markets
Q: Should we trust multiple oracles?
 Oracles are trusted third parties which the smart contract consults
Analogy is oracle are like referee
Oracle Smart contract executes its conditions based on the received data from the assigned oracle
E.g. Buy 1 ETH if price of ETH < 300 BHD
Oracles can be temperature (for farm insurance), stock market, who won elections, YouTube
views etc.
Q: Where do oracles exist?
 Chainlink (LINK)
Trusting in only one oracle makes you susceptible to single point of failure
Attacks that target oracle are called “oracle manipulation” attack
Chainlink attempts to address this
Chainlink is decentralized network of oracles that exchanges data between
on-chain and off-chain sources
Native currency is LINK
Consensus mechanism PoS
Based on the Ethereum network
Reliability is maintained among oracles by rewarding or slashing locked
stakes
Hence, trustworthiness are incentivized with LINK
Chainlink (LINK)
Maximum supply is 1 billion LINK tokens
Total in circulation is nearly half of this

Hence, considered as non-inflationary

LINK has two main functions:
To regulate the node operators
To charge dapps who request data

Due to decentralization, there is no single point of failure

Yet, exposed to “spam attack” in 2020 draining 700 ETH
Issue solved; but demonstrate nothing is 100% safe
Bitcoin never showed problem,
right?
Nopes
In August 2010, the original Bitcoin blockchain experienced a value output
overflow in one of its blocks (block #74368)
Two wallets received about 92.2 billion bitcoins each
Few hours after discovering the issue, a soft fork was created that ensured
consensus protocol does not accept value output overflow (i.e., does not
accept transaction >21 million bitcoin in a single transaction)
Despite soft fork, all used the “good” blockchain.
“good” blockchain exceeded the “bad” blockchain died off within < 60
blocks.
Bitcoin Taproot Upgrade
Soft fork occurred on Bitcoin blockchain in 2021.
First successful upgrade since Bitcoin inception
Allows limited smart contract functionality; But not Turing-complete
Means does can't perform all the computations that a traditional computer can;
Unlike Ethereum
Like: accepts multiple signatures for transactions (Schnorr signatures); Time-
locked transactions
Efficiency and Scalability
Reduces transaction size -> improves transaction processing
Added privacy features; But not anonymity
Smaller transactions makes simple and complex transaction indistinguishable
 Proof of Reserve

Regulation of any entity dealing with CC is PoR (Proof of
Reserve)
Cryptocurrency exchanges are in the custodian business. They
need PoR to ensure deposits match balance.
Third party audits of PoR is necessary to prevent tampering of
data.
Improves public trust by fulfilling transparency standards.
Regarding stable coins: Worst offender: USDT and most
transparent is USDC.
 Financial Modeling for
Cryptocurrencies
The goal of financial modeling in general is to try and predict a firm’s financial
performance.
This Three-Statement Model (the income statement, balance sheet, and cash
flow statement ) is part of the basic education of all business students.
More advanced financial models are used to analyze mergers and acquisitions,
discounted cash-flows (using NPV), IPO valuation models for pricing initial
public offerings, forecasting, and also options pricing models.

By Dr. Ghassan 48
Financial Modeling for
Cryptocurrencies
Because of the extreme volatility of cryptocurrencies and our historical lack of experience with
how they work, it is difficult to apply these financial models to effectively value them.

But there are some relative valuation models that attempt to value cryptocurrencies relative to
others.

One such model is called the Equation of Exchange Monetary Model which attempts to put a
value on the network, supply, and velocity of a cryptocurrency.

On-chain transactions are used here as a measure of the value of the network itself.

By Dr. Ghassan 49
Financial Modeling for CCs
Metrics Used to value cryptocurrencies:
CC Market Cap – The total value of all CC in circulation at a given point in time
CoinMarketCap.com is the most referred web source to benchmark CC
Network Value to Transactions Ratio (NVT) – this measures the currencies market
cap relative to daily transaction volume
High NVT might suggest a bubble (e.g., BTC had NVT of 40 and 33 for 2013 and 2017 peaks;
ETH can reach 70 to 110 consistently)
Transactions Per Second (TPS) – this is an especially important ratio for those
digital tokens aspiring to reach the consumer market
Total Value Locked (TVL) – total value of CC assets deposited or locked. Deposits
unavailable for immediate withdrawal until the user completes their desired action.
Higher TVL infers higher adoption and trust in CC ecosystem
 Financial Modeling for CCs
User Characteristics – namely, how is the ownership of a token distributed
throughout the wallets.
How are miners rewarded? Is there a circulation limit? Who received lion share of CC
launch? Celebrities involved?
Mining Profitability – measuring the number of big and small miners and their
profitability.
Is the consensus protocol algorithm coded for decentralization?
Exchange Trading – Looking at how many exchanges are supporting a token, and
how trading is dispersed among them
More listing, the better its reputation, and vice versa
Developers Support – Many promising CC performed poorly due to low
development support.
Financial Modeling for
Cryptocurrencies

By Dr. Ghassan 52
Dead Cryptocurrencies
crypto projects that are no longer actively maintained or developed.
Due to scam intentions, security fallout, lack of development &
investments
Identified by:
Zero or minimum trading activity
Lack of updates or new developments
No communication from community
Owning such CC can be illiquid
>24000 CCs created, about 50% are considered as dead
 Merkle Trees

Merkle tree is a data structure whereby its data components is hashed.
Hashing is converting any data of any length to a fixed length data.
Hash every node (or leaf) is hashed. The hashing assigned to non-leafy
branches is the child nodes hash.
What are Merkle Trees used for?
 Merkle Trees
Validate data of a distributed system
Any tampering of data will cause incorrect Merkle tree
Merkle trees small size makes it easier to verify data
Without Merkle trees, it would not be possible to maintain a blockchain
- Takes too much resources and power to verify line by line
Used to audit the integrity of clients’ accounts
 Crypto Mixers

AKA Crypto Tumblers
Uses multiple smart contracts that accept different quantities of ETH and ERC-20 deposits
These deposits can later be withdrawn to a different address by providing a cryptographic
proof
Often associated with illegal activities, especially money laundering identifiable “tainted”
CC
Fees range 1% to 3%
Tornado Cash & Blender sanctioned by USA; Bitcoin Fog founder arrested
ChipMixer funds seized and now defunct
Q: What are the alternatives to Crypto Mixers?
 Flash loans
Loans that are borrowed and returned
immediately within the same transaction are
called flash loans
You can take flash loans from decentralized
exchanges
No collateral needed
Flash loans used for:
Trading arbitrage
Flash loan attacks
Exploiting DeFi protocols or oracle
manipulation to gain millions of
dollars by initiating a flash loan.
Example: pancake bunny hack
 DEXs
Decentralized Cryptocurrency
Exchange.

Users interact directly with smart
contracts (self-executing code on the
blockchain).

No intermediaries – user funds remain
in their own wallets
 Types of DEXs
Order book-based
Like traditional centralized exchanges; order books to match buy and sell orders.
On chain orders: record in blockchain; higher fees & processing time.
Off chain orders: stored in servers; centralization issues
E.g., dYdX DEX
Automated Market Makers (AMMs)
Users interact directly with the liquidity pool to swap one cryptocurrency for
another.
Algorithm determines CCs prices based on the supply and demand within the pool.
E.g., UniSwap, Pancake, Sushiswap etc.
DEX aggregators
Not technically DEX
platforms that search multiple DEXs to find the best possible price for a trade.
E.g. 1inch Dapp
 Pros:
Potential high returns – no intermediary to share ROI
Increased privacy – reduced need for KYC & AML
requirements
Pros & Censorship resistance – trades are harder to block or
Cons of restrict
Access to a wider range of tokens
DEXs
Cons:
Potential for lower liquidity
User experience can be more complex
Risk of fraud
Lack of regulations
 Liquidity pools (LPs) provides the necessary liquidity for DEX to function
DeFi alternative to centralized exchanges
Liquidity Earnings from transaction fees are shared among the users who staked their
cryptocurrencies
Pools (LPs) Earnings are proportional to the amounted staked
LP pair two cryptocurrencies to regulate their price
E.g., USDT : ETH
LPs
Follows formula: x * y = K
K is constant
x and y are total token assets
Maintains even distribution of x and y
Risks of participating in LPs
LPs are susceptible to Impermanent loss (more on in later)
LPs might reward participants less
To incentivize participating in LPs
Over collateralization for borrowing to encourage returning debt
Substantial ROI; Averaging 20% APR
Exchange fees shared among liquidity stackers
LP examples
Uniswap
Bancor
Curve Finance
Balancer
Sushiswap
Vampire Attack
Vampire attack takes place when a crypto project woes investors from another already
established crypto project.
In liquidity pool tradings, Sushi swap vampire attacked Uni swap with rates reaching
to 1000% APR
Aim of vampire attack is to gain:
Users (Investors and traders)
Liquidity (Investments and market cap)
Trading volume
Q: What is the +ve and –ve of vampire attack from an investor pov?
 AMM type of DEX which utilizes ‘smart contracts’ to do the trading
Automated Traditionally, you need to manually search for a buyer for your
currencies
Market With AMM, you can immediately trade with a liquidity pool
Makers The algorithm automatically balances out the value of the
cryptocurrencies in the liquidity pool
E.g. Curve Finance, Terra-Luna-UST, etc.
AMM Takeaway
AMM algorithm aims for 50% to 50% crypto-pairing
The amount you deposit in LP for collateral != Loan from LP
Q: Why?
Q: Why take loan if we receive less than what we deposit?
After transactions, price of each paired crypto-tokens will change
Q: Suppose LP for cryptos A and B is now 60% : 40%. Which crypto-
token’s price is more?
Q: How can the LP achieve the equilibrium of 50%:50%?
 DAO
Stands for Decentralized Autonomous Organization
Basically, smart contract VCs (Venture Capitals)
Tokenized governance
Voting based on tokens on proposals
Vested interests aligns incentives for DAO success
Transparency of code and decisions
E.g., MakerDAO pegs USD to their token DAI using AMM
E.g., Uniswap is a DAO DEX.
DAO Challenges
Legally Unclear
DAOs can suffer progress due to low vote count
Lack of accountability
Still relies on human input for main decision
making
Plutocracy
E.g., TheDAO fiasco
E.g., OlympusDAO
Yield Farming
Aka liquidity mining
Earn passive income on your CC by locking them up in various DeFi protocols.
Rationale is to decentralize liquidity provision to community
Liquidity providers earn relatively interest for CC locked away + % of trading fees
Issues:
Susceptible to impermanent loss
DeFi protocols susceptible to hacks
Suspectable to Market Volatility
Relatively Complex
due to need to understand DeFi protocols
Requires constant monitoring
 DeFi Protocol Risk – Reentrancy
Attack
Common to DeFi dapps on Ethereum
100s of DeFi hacked using reentrancy attack
Victims
Curve Finance – 70$ M CREAM Finance – 18$ M Agave Finance – 11
M
Stable Coins
A cryptocurrency that is pegged to another asset; fiat currency or even precious
metal.
Stable coins bridge the gap between fiat and CCs.
Many stable coins in circulations are stabilized equal the dollar.
E.g., USDC, BUSD, USDT, PYUSD, UST (Q: What are they?)
Stable coins fall under three categories:
Fiat-backed – USDC
Crypto-backed – WBTC
Algorithmic – DAI
Q: Why stable coins?
Q: When can stable coins be good investments?
Reentrancy Attack
Exploit of Solidity-based DeFi Smart Contracts
Occurs when smart contract transacts with malicious smart contract
Repeats withdraw request before victim can update balance
Done recursively till depletion of balance
Reentrancy Attack
Examples of cases:
TheDAO – 60$ million siphoned
Lendf.Me (lending dapp) – 25$ million lost
Cream Finance Attack (DeFi liquidity app) – 130$ million stolen
Prevention:
CEI Pattern – (Checks-Effects-Interactions) instead of checks-interaction-
effect, which is the default ways of design dapps using Solidity.
Reentrancy Guards: Code mechanisms that prevent a function from
being called again before its current execution finishes.
Auditing smart contracts by security experts
Mango
Market

Built on Solano network
Defi trading platform for cryptocurrencies
Not centralized; managed by DAO
Uses native token MNGO to run the Defi
 Oracle manipulation attack
Not an exploit in the code; traditional market manipulation
Mango Mango Markets consults two Oracles: Peth and Switchboard

Markets Attacker spiked the price of MNGO by trading from two accounts in high volume
Next, the MNGO tokens the attacker already owned before the market manipulation was used as collateral to take out
Attack various CC like BTC, USDT, USDC, SOL, mSOL etc. worth of 100$ million.
Q: Why not more?
The mango market capped trading per day for an account was $100 million
Attacker proceeded to transfer and sell the lent CC to centralized exchanges for USDC.
Mango Market Attack Aftermath
Native token priced dropped to almost nothing
So, effectively no more collateral to stop this drastic drop
This made the whole trading platform to be insolvent
Attacker revealed himself as Avraham Eisenburg, due to bragging about “highly profitable trading
strategy”
Felt guilty for insolving whole Defi app, he negotiated with the DAO to return $67 million, in return the
users will not pursue him for the remaining money.
He ran to Israel, but was arrested in Puerto Rico by the US DoJ (under Commodity Exchange Act)
Q: Is what he did legal? Is "Code of Law” applicable here?
Terra-LUNA-UST
Story
Established and run by co-founder Do
Kwon as an AMM LP
Even named his daughter Luna
Had strong following who call
themselves LUNAtics
 Terra-LUNA-UST
Story
Two cryptocurrencies staked:
Algorithmic stable coin TerraUSD (UST), and native coin
LUNA
18$ billions in circulation; ranked 4th cryptoexchange; APR: 20%
Role of LUNA is to absorb price volatility of the crypto market
Decentralized and automated pegging process
Terra-LUNA-
UST Story
UST is an algorithmic stable coin
Means it is not pegged to any
fiat currency
Relies on algorithm to
maintain its price of 1$ worth
of LUNA
Hence, there is no collateralized
fiat dollars for every UST
Q: Then why invest/trust UST?
 Not relying on fiat to stabilize a stable coin is an attractive prospect to some
Compared to other stable coins, UST has utility
Terra- To garner interest, it has an exclusive savings protocol called ‘Anchor’ that
LUNA-UST yields 20% APR
Exponential price growth of LUNA coin
Allure From few dollars to 119$ ATH in a year
Terraform Labs even created Luna Foundation Group (LFG) which purchased
3$ billion of BTC as insurance to secure UST stability
Terra-LUNA-UST Allure
 How Terra-LUNA-UST works is as follows:
Terra- If UST value > 1$, users buy 1$ of LUNA , burn LUNA to mint UST.
Then sell UST for profit
LUNA-UST
If UST value < 1$, users buy 1 UST, burn the UST to mint LUNA, then
Working sell the LUNA for profit
Mechanism is called “mint and burn”
 Heavily dependent on LUNA demand (addressed with
Terra-LUNA- Anchor)
UST No deposit reserves need to run the algorithm
Working
 All happened on a single day of 7th May
TerraLabs withdrew 150$ million of UST in preparation of a stable coin project
Terra-LUNA- The “attacker” afterwards withdrew 350$ million UST and exchanged it for USDC in
UST Death another AMM LP called Curve (CRV)
This enormous exchange caused big mismatch in the pairing of UST (85%) and CRV
Spiral Trigger (15%)
Due to slippage, the attacker received less USDC than UST deposited, hence
incurred a loss by this whole affair
 Terra-LUNA-UST Death Spiral
Due to the attack, global price of UST went dramatically down
Enters the LUNA-UST AMM algorithm to solve the imbalance
But the shock is too much that it created a death spiral
The following iterative actions happened, which in turn induced the death spiral:
UST is burnt and LUNA is minted. This reduces LUNA price as it tries to elevate price of UST
Too many LUNA were minted; Hence, LUNA price drastically reduced
Caused bank run (people selling more LUNA and UST) reducing price further
Repeat (and repeat)
LFG tried to protect the peg despite acquiring additional 1$ billion loan
Terra-LUNA-UST Death
Spiral
Terra-LUNA-
UST Death
Spiral
Terra-LUNA-
UST Death
Spiral
Terra-LUNA-UST Solution Options
TerraformLabs had the following dilemma:
Keep the AMM keep on working. The hope is that UST burning
(and LUNA minting) will eventually raise its UST price to dollar.
Worst case scenario is that both LUNA and UST reach 0 before this.
Stopping algorithm. This will depeg LUNA-UST and re-orient LUNA
to a different new stable coin. UST will die but LUNA might be
saved.
Community decided first option, resulting in worst case scenario to
unravel with both coins hemorrhaging.
 There are numerous success and failure narratives in the
Why is Terra-Luna- still experimental cryptoworld

What makes Terra-Luna project stand out is:
This event changed whole crypto market attitude from bullish to
bearish
Government began to seriously intervene to regulate crypto-market
important?
Proof that decentralized and permissionless ‘too big to fail’ projects
UST Story

can fail
Reminds the people the difference between stable coins and dollar
Challenged the notion of algorithmic stable coins as standard for other
conventional stable coins.
Founders and developers can be professional and innocent, and yet the
project fails
Understanding how Terra-LUNA case shows a deep grasp of blockchain
and crypto market
Presumes a person knows about crypto-jargons such as AMM, LP,
pegging, arbitrating, burning, slippage, and death spiral.
Aftermath
 60$ billion dollars disappeared from cryptomarket
CZ, BNB CEX creator, lost 1.6$ billion worth of LUNA
Aftermath CEXs delisted LUNA
1$ million worth of LUNA after a week ~= 3$
 Who is behind the
attack?

We still don’t know
Wall Street banks?
FTX?
Tweeters? Tweeters who bet against Do Kwon
A tweet outlined how an attack is possible
One or two huge companies involved
Timed attack with UST withdrawal
Capable of withdrawing >350$ million
Might have shorted BTC in anticipation of LFG
rescue attempts
Future of Luna?
Do Kown launches Luna 2.0, a hard fork from
original Luna (now called LUNA classic)
Crypto experts not optimistic
S. Korea, Singapore, and USA filed lawsuits
against Do Kwon
S. Korea invalidated his passport
He was caught in Montenegro in 2023
Might be deported soon to USA or S. Korea, or
released?
Q: Can we blame Do Kown for what happened?
 Blockchain Council
Whiteboard Crypto
Coin Bureau
References Binance Academy
Forbes