The Largest Bug Bounty in Crypto History
Code is law, except for when it's not... it's complicated
Welcome to the ~200 new subscribers from my last article, A Legislative Onslaught Against Freedom!
Sometimes I write about crypto. If you don’t care about crypto, you should know that Karlstack is split up into 5 sections: Economics, Academia, Politics, Crypto and Personal. To opt-out of this “Crypto” section you can click the “Settings” button (at the top right corner of your screen) and then click “Manage Subscriptions.”
I have a confession — when I published this exclusive scoop in October, I was only 98% sure it was correct. There was a 2% sliver of uncertainty that I doxxed the wrong person and therefore I would be sued into oblivion.
I published it anyway.
2 days later, I was proven right.
Phew.
Let’s catch up on the timeline, and then we will dive into the legal nuance.
This isn’t over… the Avraham Eisenberg saga has just begun.
The Blackmail Timeline
On the afternoon of October 11th, roughly $114 million USD went missing from Mango Markets.
That same night, whoever took the money (Avraham was still anonymous at this point) offered to return ~half the money in exchange for the Mango team agreeing to “not pursue any criminal investigations or freezing of funds once the tokens are sent back.”
On the morning of October 12th, less than 24 hours after the hack occurred, I doxxed the hacker as Avraham Eisenberg, and my article went viral.
On October 15th, knowing that he was already doxxed by Karlstack, Eisenberg doxxed himself in public by announcing that he hadn’t stolen the money, he had merely “operated a highly profitable trading strategy.”
A few hours later, Eisenberg graciously returned $67 million dollars to Mango Markets, keeping roughly $45 million for himself as a “bounty.”
5 days later, by October 20th, every user who had deposited money on Mango Markets was made whole.
Whew, what a whirlwind!
What you just witnessed was the biggest bug bounty in history — I think? I haven’t been able to find any bigger ones. Leave a comment if you can find one bigger:
How it Happened
In this Twitter thread, Joshua Lim, Head of Derivatives at Genesis Global Trading, explains the logistics of the Mango exploit better than I could.
Who Lost Money?
If Eisenberg escaped with $45 million… and every user on Mango Markets was made whole... then where did the $45 million come from? Who lost money?
The answer is that while the Mango *treasury* had their money returned, the holders of the Mango *token* got fucked.
It’s hard to know the exact breakdown of who owns these tokens — many were in the hands of the Mango developers, team members, founders, and other contributors, while many were owned by venture capital and retail investors.
The Mango token sale was public and there were no pre-sales to VCs.
Duress
Avi returned the $67 million to users on the condition that Mango does “not pursue any criminal investigations or freezing of funds once the tokens are sent back.”
Let’s get this out of the way: this is not a legally binding contract.
Duress, in a contractual context, refers to “a situation where a person is pressured into signing a document they would not have signed without that pressure.”
Basically what we have here is Avi successfully robbing a jewelry store and then smirking, pointing a gun at the owner and saying, “I’ll return half the jewelry if you agree not to press charges.”
This “agreement” between Mango Markets and Eisenberg is especially non-binding because not only was it agreed to under duress, it isn’t even up to the Mango Markets team to decide to press charges. The FBI (or other law enforcement agencies) don’t ask for anyone’s permission before they decide to prosecute crime.
Was it a “Hack”?
Many people refer to this Mango Markets debacle as a “hack” — the exact definition of which is difficult to pin down, because all 50 states have different computer laws, and I am an expert in precisely zero of them.
It’s useful, then, to start by googling the generic definition of “hack.”
Here are the first 3 results:
Computer hacking is the unauthorized act of accessing computer systems to steal, modify, or destroy data.
Hacking is the act of identifying and then exploiting weaknesses in a computer system or network, usually to gain unauthorized access to personal or organizational data.
A hack is Computer trespass, unauthorized access (or access exceeding permission that was granted to a user), or hacking is breaking into computer systems, frequently with intentions to alter, disable or modify existing settings.
It seems an integral part of what constitutes a “hack” is unauthorized access.
That isn’t just my assessment, though, that is SCOTUS’s decision in Van Buren, which ruled that you have to explicitly touch a part of the system that is off-limits.
Based on these criteria, everything Avraham did was technically “authorized” by the code; hence, Avraham will argue that “code is law,” and that this is not a hack.
“Code is Law” is a catchphrase (often affectionately referred to as “codeslaw”) stemming from a 1999 sci-fi book Code and Other Laws of Cyberspace, but today has evolved into a meme that crypto nerds spout when they have acted badly.
“Code is law” purists argue that Avi is using the immutable rules of the game to outsmart others and obtain outcomes that others did not believe could, or would, occur. Basically, Eisenberg outsmarted whoever wrote the Mango Markets code — he took their code and used it in a clever way that backfired on them. He didn’t break into an unauthorized space.
Avi argues that it’s not a crime to be smarter than whoever designed the Mango Markets exchange.
He’s right, he is smarter than them — I would place his IQ at easily >130, and beyond that threshold, I am too stupid and incapable of discerning a 140 from a 150 from a 160 etc… suffice it to say that everyone agrees he is in the right tail of the IQ bell curve.
Being smarter than other people doesn’t make it okay to steal.
Imagine, for example, that a burglar breaks into a casino, cracks open the casino vault, and empties the vault. Do you think the casino owner would throw up his hands and say, “Oh well he is smarter than whoever designed the vault”? Of course not… looting the vault would be illegal even if the vault door were left wide open.
“No builder in this space in their right mind believes that code is law. It’s just a meme that is perpetuated by anon on-lookers who just like to see chaos unfold … If code was law then this field would just be a playground for hackers who will be continuously trying to steal funds out of protocols.”
— Lefteris Karapetsa, Founder of @rotkiapp
“I have heard some say that ‘the code is law,’ meaning that if the software code permits it, an action is allowed. I disagree with this fundamental premise. Case law, statutes, and regulations are the law. They apply to the code, just as they apply to other activities, contracts, or agreements.”
— Former CFTC Commissioner Brian D. Quintenz
So, it wasn't a hack (in my judgment, at least), but at the same time, the “code-is-law” excuse isn’t a real thing.
What is the appropriate classification for this incident, then?
The Market Manipulation Argument
Speaking on CoinDesk TV about the Mango Markets exploit, Chris Tarbell, who previously worked at the FBI's cybercrime squad, argues that the Mango Markets incident was “more of a market manipulation.”
Michael Bacina, partner at Australian law firm Piper Alderman, told Cointelegraph, “If this had occurred in a regulated financial market, it would be likely seen as market manipulation.”
This is a common sentiment.
Just like we started our exploration of “hacking” by looking up the definition, let’s Google the definition of “market manipulation”:
The US Securities Exchange Act defines market manipulation as "transactions which create an artificial price or maintain an artificial price for a tradable security".
Market manipulation is conduct designed to deceive investors by controlling or artificially affecting the price of securities
Market manipulation is when someone artificially affects the supply or demand for a security
Just like a key part of what constitutes a hack is “unauthorized access”, it seems a key part of what constitutes market manipulation is that it must be a “security”.
Just like that… poof! The market manipulation argument falls apart, because the Mango token is not a security.
The Mango token almost certainly *should* be classified as a security (it satisfies all criteria of the Howey Test) but rather than register with the proper authorities, the Mango Markets leadership team went with the strategy of being a renegade, offshore, and unregulated exchange.
Mango therefore has no recourse with US regulators, because it failed to register with them. Pretty straightforward. Everyone wants all the benefits of decentralization with none of the risks… but the reality of the situation is that those who live by the sword must die by the sword. If Mango Markets wanted the feds’ help, they should have set up a regulated exchange.
“The law is clear. I believe based on the facts and circumstances most of these tokens are securities.”
— SEC chair Gary Gensler
Targeting Mango is particularly clever on Avi’s part because not only does their “pirate” status clear him of criminal charges with respect to market manipulation, it essentially absolves him of civil charges, too.
For the Mango team to sue Avi, they’d have to allege that the Mango token is a security. If they allege it is a security, they would be arguing in court that they sold an unregistered security to the public, thus opening themselves up to prosecution. It is therefore in Mango Market’s best interest to avoid suing Avi; both Mango and Avi need each other. Them both avoiding prosecution is in the best interest of both parties.
I’m sure Avi gamed this all out ahead of time.
It’s an Exploit
If it isn’t a “hack”... and it isn’t “market manipulation”… what’s the proper terminology?
The correct word, as Alan Path, COO of Path Crypto, points out, is “exploit.”
There is no such crime as “exploit”, though, leading me to conclude that Avi did not break any codified laws. He did, in fact, pull off a highly profitable trading strategy; a master class in finessing $45 million dollars from people dumber than him.
For example, having a U.S. company registered in Belize to avoid taxes can be seen as a legal tax “exploit,” though it isn’t considered explicitly illegal… just a clever loophole in a gray area.
In other words: don’t hate the player, hate the game.
Luckily in my original article reporting on the exploit, I refrained from making any value judgements — I did not cry “illegal hack! arrest him!” I simply laid out what happened, judgment free. If I am being 100% honest, I went into this article with the bias that I was going to find him guilty of some crime, and crucify him for it… but I am unable to come to that conclusion in good faith.
Still... I have a hard time believing that if you hauled Avi in front of a judge, that the judge would look at this $100m being taken from thousands of people by an American, on US territory, under his own name, flaunting US authority, and conclude that he did nothing wrong… but I guess in a post-FTX world that’s just par for the course? Who cares! Nothing matters anymore!
That being said, the SEC/DOJ/FBI isn’t going to bring legal action on the off-chance that the presiding judge will be able to find a broken law somewhere. Either they go all-in and drop the hammer on something concrete, or they don’t go at all. They aren’t going to prosecute a marginal case and then cross their fingers and hope for the best. That’s not how the feds roll.
If you think Avraham Eisenberg committed a crime by exploiting Mango, I would love to hear which one. Please leave a comment.
What are prediction markets pricing in?
The first thing that the prediction market community did upon witnessing this attack on the integrity of their community was… to bet on the outcome. Of course. Everyone in this community is a degenerate gambler. I love it.
Manifold Markets is currently pricing in an 18% chance that Avraham will spend at least 6 months in jail before the end of 2030:
Compare this with a 28% chance that he will be a billionaire before the end of 2030:
Honestly, these 18%-chance-of-going-to-jail risks are the types of risks you need to take if you want to be a billionaire. Very few billionaires became billionaires without operating in the grey areas and without taking money from others by force, trickery, loopholes, and legal ratfuckery. This is how the game is played at the top. It’s not like George Soros created billions of dollars worth of value for people; he just took it from them.
One well-known member of the forecasting community, AG123, stands to profit $4,875 USD in peer-to-peer wagers if Avraham is charged with a crime within the next 12 months. He’s the Avraham whale.
Ever the rationalist, Avraham unsuccessfully tried to use this bookie as a chance to hedge the risk of himself going to jail.
Did Mango Markets Deserve it?
Here is one of the cofounders of Mango Markets claiming that Avi will face divine judgment from Hashem:
The other co-founder of Mango Markets promises that Mango Markets will return better than ever:
While the version of Mango Markets that was exploited by Avi was “V3”, what Daffy is referring to here is the fact that “V4” is set to launch any week now.
Despite V3 getting exploited and losing all their money, users are excited to give Mango a second chance!
I don’t know enough about the supposed upgrades to V4 to know whether it will be safe and secure, but presumably it will fix the Avraham exploit. Who knows what other exploits there may or may not be. Finding out is half the fun!
Everybody blames Avraham, but nobody talks about the fact that the Mango Market developers left a huge, gaping security vulnerability in their V3 code; Avi’s exploit wouldn’t have been possible if the V3 developers had simply been smarter & more competent than Avi.
Even worse than writing and deploying bad code, everyone *knew* about their bad code! The exact vulnerability that Avi exploited was posted in their public Discord server in March 2022… and the Mango team chose to sit on it for 7 entire months.
Are you starting to see how badly the Mango Markets team fucked up?
Their strategy for securing $100+ million in customer deposits was simply to count on the goodwill of the community not to take it. What was Avi supposed to do… when he sees $100+ million laying on the ground… pretend like he doesn’t see it, out of some unspoken gentleman’s agreement? Or is it rational for him to pick up the money laying on the ground?
I spoke to Mango Market directly and they confirmed they knew about the vulnerability but were simply waiting until the V4 update to fix it. It is unclear if this is true, as it is unknowable if this would’ve been fixed in v4 without the attack.
I've therefore come around to the view the Mango team mostly deserved it.
Still, that doesn't change the fact that they were trying to build something for others to enjoy; Avraham will NEVER do that. He only destroys. Even if he destroys in a technically “legal” manner, he is still purely a destroyer. This destruction may technically be “legal”, but that doesn’t necessarily make it right. What the Nazis did to the Jews was considered legal in Germany at the time, for example, but that doesn’t make it morally right.
The Adversarial Hardening Argument
I just argued that while what Avi did (destroying the work of others) was legal, it may have been immoral. I could just as easily argue the opposite, however: that not only was it okay to destroy the work of others, but it is necessary and a good thing.
This philosophy is laid out in a blogpost by renowned crypto-blogger “FBI Femboy” titled, On the supposed “nihilism” of the Mango Markets arbitrageur.
Keep in mind that “FBI Femboy” may-or-may-not be-but-definitely-is an accomplice of Avi on other exploits, so his analysis is extremely biased and self-serving.
Still, he makes some salient points. In this post, FBI Femboy argues that in order for crypto to build “a new financial system” it must subject itself to “adversarial hardening.” This is the view that holding the builders accountable for bad security and bad code is the only rational solution — if people lost money, too bad, so sad; such is the price worth paying to learn a valuable lesson and to make the future of finance more resilient.
In this interpretation, Avraham’s actions act to strengthen the system in the long run. Of course, some people have a vision of web3 where everyone gets along and voluntarily plays nice, but frankly, this is just a stupid, moronic vision which seems fundamentally incompatible with the idea of decentralized, permissionless networks. It is hard to fault someone for taking actions that are incompatible with idiotic worldviews.
— FBI Femboy
The Waves Argument
One thing that undermines the “he’s a whitehat with a heart of gold who is engaging in adversarial hardening!” argument about Avi’s intentions is that Eisenberg made the exact opposite argument a few months ago, crying to the judicial system about one of his trades that lost money. He’s a hypocrite.
Avi’s trade goes bad and he loses money? Everyone else is manipulating the market! Sue them for market manipulation!
Avi’s trade goes well? It isn’t market manipulation, merely a profitable trade. Better luck next time ;)
I reached out to Avi and showed him this article before publishing it. He strongly denies any parallels between Waves and Mango.
Avi’s e-Boy Arc
When I doxxed Avi in my original article, he had roughly 1,000 Twitter followers.
He now has 37,000+ followers and has become one of crypto-Twitter’s premier villains.
He seemingly loves this newfound Twitter attention more than he loves his hundreds of millions of newfound dollars; he’s leaned into his role as a heel and has exponentially increased his rate of tweeting to entertain his exponentially larger crowd.
He’s putting on a show.
He’s even doing the crypto podcast circuit:
After doing the podcast circuit, he then started a new scam dubbed “Mango Inu”, the name of which is a blatant attempt to rub the Mango Markets community’s face in it.
He’s tea-bagging them.
After the “Mango Inu” scam, he allegedly attacked the AAVE protocol:
Just like he allegedly unsuccessfully attacked the Kleros protocol:
Avi strongly denies that he attacked Kleros, and even wrote an entire Substack article about it:
My assessment is that Avi may be getting a little too cocky for his own good… he’s flying too close to the sun. If I were his lawyer I would advise him to lay low for a few months rather than grandstand.
, for example, went to jail not for committing crimes, per se, but for trolling. Sure, what garnered him the attention in the first place was the price gouging, but his autistic/sociopathic approach to trolling the public is really what did him in. He drew too much bad attention to himself and to the space he was operating in, just like Avi is doing now. The feds did not take kindly to him flaunting it in their faces.
Dear Feds, I understand that you are, like, a decade behind this crypto legislation, and it’s a gray area to figure out whether the Mango Markets exploit broke any laws. Surely there’s some poor boomer fed out there right now, googling what an “oracle” is.
Here’s what the Avraham Eisenberg story boils down to: it’s a pattern of attacks. He’s not going to stop attacking protocols until he is stopped — he’s only going to get more brazen, more aggressive, and more public now that he has hundreds of millions of dollars at his disposal and an audience to perform for. He’s insatiable and going to keep hurting the defi system, going to keep destroying the “average Joe” crypto investor.
Perhaps that is what you want, dear Feds, to damage trust in the crypto ecosystem. If so, bravo! Keep doing what you are doing. Avi is the perfect weapon; a human wrecking ball.
If you want well-functioning markets, though, here is my advice: you should know that Avi only got his capital to attack Mango Markets in the first place by defrauding around 14 million USD from Fortress DAO. While the Mango Markets stuff is gray territory, the Fortress DAO stuff is black and white fraud.
I laid it all out for you neatly in this article.
Good luck, Fedbros!
DISCLAIMER: I am not a lawyer, nor am I a defi expert. I am a washed-up economist turned investigative journalist who moonlights as an amateur defi enthusiast, who in turn LARPs as an legal analyst. This is not legal or financial advice.
Very well said, and I think you did a great job keeping this down the middle. I agree with your points, but as you have said, the word "security" or "unauthorized" may be disputable, but they do not make what he did right. I am hopeful he is behind bars in the future here, even if it is a few years.
You forgot to point out the jewish angle like in the FTX article.