
NeverMind the Tornado Cash/Solana GitHub Attacks

by Ben Bateman, September 14th, 2022

Too Long; Didn't Read

Thousands of Solana wallets were drained of their funds in an epic GitHub hack. The attack itself was not limited to Solana, but affected many blockchain projects and 'software supply chains' which rely upon code repositories stored on centralised servers. Mitja Goroshevsky is lead developer and founder of GOSH - Git Open Source Hodler - after all. GOSH is a service for developers working on many different versions of the same file who need to control the development process. The software supply chain is when you take the source code you've written and it passes through a series of events until eventually making its way to the end user.


In August, thousands of Solana wallets were drained of their funds in an epic GitHub hack. The attack itself was not limited to Solana, but affected many blockchain projects and 'software supply chains' which rely upon code repositories stored on the centralised servers.

And then, as if GitHub hadn't seen enough controversy, there was the removal of the Tornado Cash source code.

If you're a little lost as to what all of this means and why it affects us humble end users, you're not alone! After recently reviving the greatest crypto news quiz podcast in the world in an all-new live show format, I realised I wasn't the only one a little confused about these issues.

Being the 'work smart, not hard' type of guy I am, I asked the ever eloquent and overly educated on such matters, Mitja Goroshevsky, if he would be so kind as to explain it all. He is CEO and cofounder of GOSH - Git Open Source Hodler - after all.

For those who prefer to listen to the whole interview in full, it's available over on Spotify Video (as well as all good audio podcast platforms!)

And for those who prefer to skim over the key points, keep reading my eager to learn amigos!

Mitja - "Well, let me start by saying I'm not an expert on Solana per se. I have been on Anatoly's podcast, although it never aired; we mostly spoke about Bitcoin. So I don't want to directly talk too much about Solana's problems. Solana is a great project. A wonderful idea. I mean, it's the wrong idea, but it's still a wonderful idea! For perspective though, the security issues (seen recently) are not a fault with Solana itself. This was a bug in the software supply chain. And this bug originated within GitHub."

Ben - "So just to slow you down a little, for our less technical users (like me!), what is GitHub, and what is the software supply chain?"

Mitja - "I'll start with the easy thing: GitHub is basically a place where you store your code - a cloud service. Git is version control for developers working on many different versions of the same file who need to control the development process. There were others before, but Git is the most popular version now. Think of it like revisions on a shared Google document: you'll have the latest version with revisions, but also earlier versions. In this way GitHub is just a way for developers to collaborate on the same shared code.

Now, the software supply chain is when you take the source code you've written, and it passes through a series of events until eventually making its way to the end user. These steps are processes such as taking the code and compiling it, taking the binary (the end result of compiling the code) and putting it into some sort of environment (Windows or Android, for example), then delivering it to the app store or whichever distribution platform you use."

Ben - "Tying all these ideas together then, and using Solana just as the example, GitHub works using chains or branches, and these will eventually merge as the project progresses."

Mitja - "So what happened there is, usually today when you write software, you don't write the whole thing yourself, you'll use 3rd party code libraries and so on."

Ben - "I like to use an analogy of using Lego bricks."

Mitja - "Aha, yes. You need to put all of these things together, taking someone else's third-party libraries and putting this into your product. And on every step of this road, you have potential security vulnerabilities. You can't verify all the code someone else has written. And so you can't be sure whether someone may have inserted malicious code into one of these libraries. And that's exactly what happened here.

So to put it into perspective, these things which happened to these two wallets had nothing to do with Solana. It has had other security problems in the past on a more core level, but that's not what happened here."

Ben - "Well, I've already made the 'where did they touch you on the doll' jokes about Sol last week, so we'll leave that there. But, leading nicely into the project you're working on at present, GOSH. Tell me more."

Mitja - "GOSH is a service for storing the GIT and collaborating on the Git, like GitHub, but completely decentralised. Everything is stored on the blockchain. And the two main things we achieve with this. First, is that you can build consensus around your code, because when you add a decentralisation layer to this you can create DAOs, tokenisation and so on and so forth. Everything that Web3 is offering can be applied to the source code of your software. People don't care really, they just want to use the software but it all comes back to the source. What happened at Tornado cash recently is actually really interesting as an example. Shall we go into that?"

Ben - "Yes, of course!"

Mitja - "Tornado Cash is built by these guys who I know personally, who developed a Zero Knowledge Proof (ZKP) based cryptography system which offers an anonymity layer, i.e., you cannot identify the sending or receiving wallet of the transaction. They uploaded these smart contracts to the Ethereum blockchain, and people used it. And so the US federal agencies got really annoyed by Tornado Cash in particular, which is strange as there are many services like Tornado Cash. There is a whole blockchain running ZKP (ZCash)! They said the service was being used by North Korea, which, of course, no one supports the regime there, but you can't use this as an excuse to take away people's rights to privacy! These are developers from democratic countries, and users from democratic countries, and what they did, it's the same as they've done with the banks for the past ten years. The 'terror' which the United States put on the banking system is beyond imagination!"

Ben - "I remember the tweets from Julian Assange thanking them for the sanctions against WikiLeaks, as this was the reason they started accepting Bitcoin for donations!"

Mitja - "For WikiLeaks again you have this controversy. Some people were completely siding with governments saying, you know, WikiLeaks is bad..."

Ben - "He didn't look after his cat!"

Mitja - "Aha, yeah. But I'm talking much simpler. Real people who could not execute basic financial transactions. I could not send money to my own mother! I tried to buy a small apartment, but wasn't allowed because my money originates in crypto and Bitcoin. Banks are so afraid of these potential sanctions they don't even want to touch it. They're not detectives, so you can't expect them to do detective work; we've spoken about this many times. And with Tornado Cash, what is beyond belief is they now make the developers of the software someone uses liable."

Ben - "I believe they arrested one of the developers?"

Mitja - "Yes, exactly! They really arrested people for writing software someone uses! This is a horrible precedent! They should be bitten for this, bitten hard! Not literally, but in the court, of course!

So, first, before they arrested him, they just deleted them from GitHub. Their whole life's work, gone, at the push of a button without a court order! Just because someone said it's wrong. And I think this is definitely not going to happen anymore! You should just abandon all centralised platforms!

It's not just GitHub. I know a man who drove arms to the Ukrainian border from Germany. I don't know if you know, but it's something a lot of people are doing. And he was documenting it, and uploading this to Facebook. This is real reporting, real news; he's just filming what he did. A lot of people know this man personally. And they just deleted his account the other day. 15 years he'd had that account. That's his whole life. We can't allow this to happen, we are WebFree. This is what blockchain should be preventing!"

Ben - "Amen! Well, I'll be keeping a close eye on your work at GOSH and hoping to get involved down the line. I miss your face, buddy! That's an awesome end there though, so thank you very much. Let's do this again soon!"

Mitja - "Anytime!"

Learn more about the work at GOSH

Watch/listen to the full interview.