bob1029 2 days ago [-]
> The attacker compromised Resolv’s cloud infrastructure to gain access to Resolv’s AWS Key Management Service (KMS) environment where the protocol’s privileged signing key was stored.
Ok, but how was the AWS infrastructure compromised? This appears to be the crux of the entire article.
AWS is very hard to break if you are using the IAM roles properly and avoiding manual secret management. If the only thing that can even sign a JWT is a very specific blessed EC2 instance that has exclusive access to KMS, your attack surface is nearly zero by comparison to a similar setup where administrators use email or Discord to communicate API credentials.
The protocol around using an HSM is just as important as the machine itself. It seems like some of us are going to be speed running PCI-DSS the hard way.
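Added example, not from the thread or any project: the audit a defender would run over CloudTrail to confirm the "only one blessed caller can sign" property actually holds for a KMS signing key. The records are constructed, simplified CloudTrail-style JSON lines, and the key ARN, role ARN and subnet are placeholders (assumptions).

```python
import ipaddress
import json
from collections import defaultdict

# Assumptions: one signing key, one IAM role (assumed by one EC2 instance) allowed
# to call kms:Sign on it, from one private subnet. All values are placeholders.
SIGNING_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"
ALLOWED_PRINCIPAL = "arn:aws:sts::111122223333:assumed-role/minting-signer/i-0PLACEHOLDER"
ALLOWED_SOURCE = ipaddress.ip_network("10.20.30.0/24")
MAX_SIGNS_PER_MINUTE = 3  # expected legitimate signing rate, tune per protocol

# Constructed, simplified CloudTrail records (JSON lines). Not real data.
CONSTRUCTED_TRAIL = """
{"eventID":"e1","eventTime":"2025-01-01T12:00:01Z","eventSource":"kms.amazonaws.com","eventName":"Sign","sourceIPAddress":"10.20.30.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/minting-signer/i-0PLACEHOLDER"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}]}
{"eventID":"e2","eventTime":"2025-01-01T12:00:20Z","eventSource":"kms.amazonaws.com","eventName":"Sign","sourceIPAddress":"10.20.30.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/minting-signer/i-0PLACEHOLDER"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}]}
{"eventID":"e3","eventTime":"2025-01-01T12:03:00Z","eventSource":"kms.amazonaws.com","eventName":"DescribeKey","sourceIPAddress":"10.20.30.9","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-deploy"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}]}
{"eventID":"e4","eventTime":"2025-01-01T12:05:00Z","eventSource":"kms.amazonaws.com","eventName":"Sign","sourceIPAddress":"203.0.113.9","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-deploy"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}]}
{"eventID":"e5","eventTime":"2025-01-01T12:10:05Z","eventSource":"kms.amazonaws.com","eventName":"Sign","sourceIPAddress":"10.20.30.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/minting-signer/i-0PLACEHOLDER"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}]}
{"eventID":"e6","eventTime":"2025-01-01T12:10:10Z","eventSource":"kms.amazonaws.com","eventName":"Sign","sourceIPAddress":"10.20.30.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/minting-signer/i-0PLACEHOLDER"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}]}
{"eventID":"e7","eventTime":"2025-01-01T12:10:15Z","eventSource":"kms.amazonaws.com","eventName":"Sign","sourceIPAddress":"10.20.30.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/minting-signer/i-0PLACEHOLDER"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}]}
{"eventID":"e8","eventTime":"2025-01-01T12:10:20Z","eventSource":"kms.amazonaws.com","eventName":"Sign","sourceIPAddress":"10.20.30.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/minting-signer/i-0PLACEHOLDER"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}]}
"""


def parse_trail(text: str) -> list:
    """Parse JSON-lines CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sign_events_for_key(events: list, key_arn: str = SIGNING_KEY_ARN) -> list:
    """Keep only kms:Sign calls that touch the privileged signing key."""
    return [
        e for e in events
        if e.get("eventSource") == "kms.amazonaws.com"
        and e.get("eventName") == "Sign"
        and any(r.get("ARN") == key_arn for r in e.get("resources", []))
    ]


def audit(events: list) -> list:
    """Return findings: Sign calls by an unexpected principal, from an
    unexpected network location, or at a rate above the expected ceiling."""
    findings = []
    per_minute = defaultdict(list)
    for e in sign_events_for_key(events):
        principal = e.get("userIdentity", {}).get("arn", "<unknown>")
        if principal != ALLOWED_PRINCIPAL:
            findings.append({"eventID": e["eventID"], "rule": "unexpected_principal", "detail": principal})
        try:
            src = ipaddress.ip_address(e["sourceIPAddress"])
            if src not in ALLOWED_SOURCE:
                findings.append({"eventID": e["eventID"], "rule": "unexpected_source", "detail": str(src)})
        except ValueError:
            # CloudTrail may record a service name instead of an IP for service calls.
            findings.append({"eventID": e["eventID"], "rule": "non_ip_source", "detail": e["sourceIPAddress"]})
        per_minute[e["eventTime"][:16]].append(e["eventID"])  # bucket by YYYY-MM-DDTHH:MM
    for minute, ids in sorted(per_minute.items()):
        if len(ids) > MAX_SIGNS_PER_MINUTE:
            findings.append({"eventID": ids[-1], "rule": "sign_burst",
                             "detail": f"{len(ids)} Sign calls in {minute}Z"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_trail(CONSTRUCTED_TRAIL)):
        print(f)
```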
nailer 1 days ago [-]
Just guessing: invite an engineer to a lucrative job interview and get them to install a “secure video conferencing” app (maybe call it “Zoom Enterprise”) then use the screen viewing or filesystem permission to get access.
primitivesuave 2 days ago [-]
Missing from the article - the hacker first compromised Resolv Lab's AWS account, took a private key from KMS that was used to control minting, then managed to extract $25 million into ETH before all protocol functions were suspended.
WatchDog 2 days ago [-]
> took a private key from KMS
They used KMS to sign the minting operation, but they didn't "take" the key, AWS KMS doesn't let you extract keys.
pants2 2 days ago [-]
^ this is a common security misconception in crypto. "We're using an HSM, they can't steal our private key." OK genius now you still have to secure the HSM.
There's no shortcut to MPC/multisig with 3+ keyholders.
Ferret7446 2 days ago [-]
It's still significantly better, since access can be revoked, vs a leaked key where you're permanently fucked
pants2 1 days ago [-]
Not much better because even a single signature can drain your whole wallet.
WatchDog 2 days ago [-]
> you still have to secure the HSM
Obviously.
> There's no shortcut to MPC/multisig with 3+ keyholders.
The whole concept of a stablecoin seems to be based on centralised trust.
Ultimately there is some org that has the fiat bank account, that mints and redeems the coins.
idiotsecant 2 days ago [-]
Nope, that is the foundation of bad stablecoin. Trustless decentralized stablecoins like DAI exist. People just largely don't do their homework and prefer scams that lure them in with promises of 'yield'
Hendrikto 1 days ago [-]
DAI and SKY are backed in large part by USDC, so they are not truly decentralized. It is possible in theory, but nobody has successfully done it so far.
killerstorm 1 days ago [-]
It's possible in practice: that's how DAI worked originally. It's just not very competitive where the main customer -- traders -- want a lot of liquidity and razor thin spread.
idiotsecant 1 days ago [-]
DAI made some dumb decisions for market reasons recently but it was an actual stablecoin for a long time. It worked fine, they just decided to make it worse for some reason.
thebiblelover7 2 days ago [-]
Do you have a source for that information? I'd like to read more on it.
They also had a smart contract which didn't do some proper checks, but the hack was only possible with the stolen private key. Whoever held the private key was able to mint a lot of money, unchecked.
So there was a traditional hack at the core of this heist, not just a smart contract exploit.
Is there any proof, or even indication, that this wasn't an inside job?
bravoetch 2 days ago [-]
Usually I would expect proof for a positive - like that it was an inside job, or there being an indication of it. I'm not saying whether it was or not, just that it seems unusual for you to ask about proof of it NOT being an inside job.
kibwen 2 days ago [-]
When it comes to cryptocurrencies, no, the "hack" that turns out to be an inside-job rugpull is so common that the correct burden of proof is on the people who think this wasn't an inside job.
amarant 2 days ago [-]
In a court of justice you'd be right, of course.
But for online armchair speculation, you have to admit it seems a likely explanation.
victorbjorklund 1 days ago [-]
Is there any proof that it was an outside job? If we don’t have any proof of either we should probably look at what is most common when it comes to crypto heists
andai 2 days ago [-]
If the admins can "lock all transactions", what's the point of it being a crypto?
colordrops 2 days ago [-]
Exactly. Stablecoins make zero sense.
pants2 2 days ago [-]
Unbacked stablecoins like USR make no sense - but USDC is one of the few real uses that crypto has.
Jommi 2 days ago [-]
USR is not unbacked. You have a severe misunderstanding of the whole situation if you say that.
oersted 2 days ago [-]
To be fair, the article itself says "unbacked" right upfront:
> an attacker was able to mint tens of millions of Resolv’s unbacked stablecoins (USR) and extract roughly $23 million in value
gwd 2 days ago [-]
If I understand the situation properly, the system is only supposed to mint backed stable-coins; the hack resulted in unbacked ones.
mememememememo 2 days ago [-]
Decentralized. Stable. Pick one.
Jommi 2 days ago [-]
Decentralized
> the transfer of authority, decision-making, or operational functions away from a central authority to smaller, local, or distributed nodes, systems, or entities
DAI is decentralized and stable
SubNoize 2 days ago [-]
Micro transactions? Giving agents access to money ?
mememememememo 2 days ago [-]
Any token offers this.
boringg 2 days ago [-]
Unless you are also trying to prop up the us government by buying treasuries (us based stable coins)
rchaud 2 days ago [-]
Most Treasuries are held by US banks, investment firms and municipalities. I'm pretty sure those firms hold a good chunk of global stablecoin volume, given the nonexistent regulation of crypto in the US relative to other countries.
koakuma-chan 2 days ago [-]
you can send them around easily without having to deal with bullshit payment systems
snypher 2 days ago [-]
No-one in the real world wants to be paid with a $USR. Most everyone wants a cashapp/zelle/PayPal/wire transfer. The bullshit payment systems gained ground on crypto while crypto became more difficult/less usable
lagniappe 2 days ago [-]
PYUSD is run by PayPal afaik.
koakuma-chan 2 days ago [-]
I don't know what USR is, but I would prefer to be paid in USDT or USC if Wealthsimple supported it as deposit method. When I withdraw, I do Deel -> Wise -> Interac e-Transfer -> Bank -> Interac e-Transfer -> Wealthsimple. This is incredibly stupid and I am forced to buy Canadian dollars. For groceries or electronics, you can buy gift cards using crypto.
mothballed 2 days ago [-]
If you track the FATF's crushing of bearer bonds, bearer notes, non-KYC/non-AML offshore banking, and Hawala it almost perfectly tracks with the rise of crypto.
troad 2 days ago [-]
But you do have to deal with bullshit payment systems. I can't receive stablecoins in my regular bank account, I'd have to set up some crypto nonsense on DankRocketBets or whatever for it to even work.
Why would I do this when I can already receive actual USD without any extra ceremony?
Stablecoins are a solution in search of a problem.
kevin_thibedeau 2 days ago [-]
The problem presents itself when you have dirty money to launder. It isn't a product for non-criminals but they have to convince enough gullible people to participate and blend in with them.
rossjudson 2 days ago [-]
Crypto is how you can invest in crime without doing crime.
Jommi 2 days ago [-]
you can receive. you just need to set it up.
there are like 50 (many YC) startups fixing this today trying to offer you the best and cheapest service
koakuma-chan 2 days ago [-]
If your employer does direct deposit of USD into your USD bank account, you don't need stable coins. This is not the case for most people outside of the U.S.
troad 2 days ago [-]
I am outside the US. Many of my assets are in USD and USD-denominated securities. I've never touched a stablecoin.
Waiting to hear what "most people outside the US" are supposed to need those stablecoins for.
capitol_ 1 days ago [-]
Those stablecoins are useful when you want to do crime.
mothballed 2 days ago [-]
Most people don't realize they're inside a plexiglass shielded financial jail until they try to do something like wiring money for some legal activity in someplace spicy or on the FATF grey list.
If you fall into the middle bands of uses, or in the upper class that can just bend or make the rules, then the financial system is well oiled and it looks like the people questioning it are just cranks.
It's true that a lot of those in the outer bands are criminals but others are things like "buying a truck to build an orphanage for starving Iraqi children just outside of terrorist territory" or "wanted an investment visa in some corrupt island paradise and as it turns out no bank will open up an account for purposes of 'international wires to the Comoros' "
troad 2 days ago [-]
Oh yeah, "most people outside the US" are looking to build orphanages in deeply sanctioned war zones. How could I have forgotten.
Come on now, that's absurd. If this is your best use case for stablecoins - groping for concocted scenarios to rationalise their existence - I stand by what I said earlier: they're a solution in search of a problem.
mothballed 2 days ago [-]
One of the two is very close to something that actually happened to me. I tried to open up a bank account for paying immigration related costs to a particular shithole country, which is both legal and was part of a fully legal endeavor, but no bank would do it.
The other example is somewhat concocted but rooted in the time I spent in Iraq and noting almost all transactions are performed outside the banking system, in part because banking is inaccessible and people often don't have access to KYC documents.
It's really not absurd. As soon as you start trying to do anything interesting the KYC/AML burdens get greater until eventually you realize the compliance officers are just trying to get you to go away (or just deny you outright), get interesting enough and then suddenly despite fully complying with the law you find the walls are closed around you. Most people never find out because they never have occasion to try, they do a bunch of boring domestic transactions plus maybe some international trade with a few well known entities, then they just shout people are making up absurdities.
troad 2 days ago [-]
Clearly your situation of trying to obtain residency in the Comoros by investment would raise eyebrows at banks whose job it is to monitor tax compliance. I don't think you're describing an everyman kind of scenario.
I also don't entirely understand why you're even rationalising the purpose of the account to the bank. Can't you just open an account for any purpose? It takes me five minutes to open an account online, and I've never once been asked to explain or justify anything (in many decades). I use my accounts robustly, including for international transfers (I've lived on two continents in the last four years). I even once paid for a trip to North Korea out of an ordinary bank account. My bank never batted an eye.
Maybe you're just dealing with a bad bank, or an over-regulated banking system (Europe?). You realise you can walk into any US bank right now and they'll just open an account for you with nothing more than some accurate ID? And the same holds for much of the rest of the world? The problem you're trying to solve is already solved.
>> The other example is somewhat concocted but rooted in the time I spent in Iraq and noting almost all transactions are performed outside the banking system, in part because banking is inaccessible and people often don't have access to KYC documents.
Unsophisticated semi-literate farmers are the last demographic anyone is reasonably expecting to open their crypto brokerage accounts and start trading synthetic USD derivatives.
These are just not realistic scenarios. This is what people say when they rack their brains trying to come up with some reason stablecoins might be useful. I feel like you're just confirming that they're a solution in search of a problem.
lmm 2 days ago [-]
> You realise you can walk into any US bank right now and they'll just open an account for you with nothing more than some accurate ID?
There's an ocean in the way, not to mention how risky visiting looks right now. I changed my name recently and the one US bank that I managed to get an account with (so that US clients can pay me without weirdness) won't accept any kind of documentation without going there in person (and I'm not sure I can provide anything they'll accept even if I did go there in person). What now?
mothballed 1 days ago [-]
Well no matter what you say it's always nuh uh, doesn't count or some variation of why can't you just be an "everyman." It's hard to argue with a dogmatic position that is based on feelings. You can tell such person what's actually happened to me when I tried to open an account with only "accurate ID" (a US passport) and they literally won't do it while you are homeless because they require a proof of address for KYC even if you have none. Almost everything they have asserted is plainly false. They also claim to have used their bank account to pay for trade in North Korea, a comprehensively sanctioned entity, which seems to be a public written confession of committing a serious crime just to own the crypto use crowd for internet points lol.
People in the middle bands of uses are just blissfully ignorant. And moving between "2 continents" in some vague most likely semi-developed white listed countries in most cases doesn't fall outside the middle bands of uses. So you end up with people shaking their fists at the sky crying that crypto exists, with their fingers in their ears and loudly proclaiming anyone using it are just making up absurd contrived scenarios.
troad 1 days ago [-]
>> They also claim to have used their bank account to pay for trade in North Korea, a comprehensively sanctioned entity, which seems to be a public written confession of committing a serious crime just to own the crypto use crowd for internet points lol
Lol. Thanks, Mr Google Esq.
I was indeed in North Korea. It was not particularly hard to get to before COVID (I'm told it's harder now). You have no idea what the laws of my jurisdiction were at the time I went, or the purpose of my visit and whether sanctions even extend to it, whether I sought any exemptions from my government, etc - but please tell me more about all these alleged serious crimes you've just discovered on Wikipedia.
>> So you end up with people shaking their fists at the sky crying that crypto exists, with their fingers in their ears and loudly proclaiming anyone using it are just making up absurd contrived scenarios.
See, the problem with all your posts is that you're just spinning one tale after another. You need crypto for all the orphanages you're building in war zones. You need crypto for illiterate Iraqi farmers. You need crypto for your Comoros citizenship purchases. Never mind that none of that makes any sense - it's everyone else who's not listening to you! And all your super legitimate, not at all made up, not at all tax fraud related use cases for stable coins!
Get real.
mothballed 1 days ago [-]
Why is it more absurd to want to build an orphanage in Iraq or buy a residence visa somewhere off the beaten path than it is to proclaim you've gotten sanctions exemptions for North Korea in the context of you explicitly pointing to the use of US bank accounts? Why are your anecdotes somehow more valid than mine?
Suddenly when it comes to your North Korea escapades (while proclaiming about mr. "everyman", lmao) I just don't have all the facts and nuance, but you just handwave away any of the uses I point to. Get real.
troad 1 days ago [-]
I never said I obtained sanctions exemptions, I merely pointed out you're just straight up making stuff up when you're concocting "serious crimes" with no knowledge of the underlying facts whatsoever. Which seems like a bit of a pattern with your posts, to be frank.
It's relatively trivial to visit North Korea, and there are many reasons one might do so that may not fall afoul of any sanctions (journalism, research, aid, and so on). It's ludicrous to proclaim you're building orphanages in Iraq for which you require crypto stablecoins. These are not even remotely comparable claims.
mothballed 1 days ago [-]
It's funny how you can know all the facts to be sure stable coins aren't applicable to some others' scenario but if someone dare point out that you paid a comprehensively sanctioned country by god they're not allowed to use the same evidentiary standards you have presented. And for the record, I said it seems as if a confession to a crime, not that it actually was one.
Seems as if you don't like it when your own logic is used on you. Which seems like a bit of a pattern with your posts, to be frank.
troad 1 days ago [-]
Lol. Evidentiary standards? Mate, I don't give a flying fig if you believe me or not. You asked for my experiences, so I gave them to you. I certainly don't believe you, so you're free to not believe me. Seems only fair.
Your claimed use cases for stablecoins are utterly fantastical and I think your posts speak for themselves.
mothballed 1 days ago [-]
I did not ask for your experiences. You were the one asking ("waiting"). Then just dismissing anyone that told you because it was never a genuine question.
mothballed 2 days ago [-]
Pick an FATF grey list country that isn't sanctioned by your country. Then try to wire money there. Let me know how it goes and whether you really aren't asked to explain anything.
tptacek 2 days ago [-]
This comment isn't really beating the rap that the primary purpose of stablecoins is to facilitate crime.
gopher_space 1 days ago [-]
Running down a list of corner cases means that you've already accepted the central idea. It's a classic internet troll-as-in-fishing gambit for derailing conversations that's been weirdly normalized.
codebje 2 days ago [-]
Perhaps you meant: stablecoins are a scam in search of a victim.
kogasa240p 2 days ago [-]
Monero is better for that task.
bigfishrunning 2 days ago [-]
Until it becomes another bullshit payment system
Saline9515 2 days ago [-]
Stablecoins enable cash-like (instantly redeemable and verifiable) payments for large amounts, for almost free.
In EU countries, you can't now buy a car with cash. You have to buy a bearer's check from your bank, which is expensive, requires that both parties have a brick and mortar bank, and doesn't work cross-border. Stablecoins solve this.
Ekaros 2 days ago [-]
It was good a while ago, but last time I bought a car I just did bank transfer. SEPA transfers are entirely free. Was kinda amazed that they just handed me keys when I showed them the receipt from my own online bank...
Saline9515 1 days ago [-]
This requires trust, which, depending on where you live and who is the seller, may be a little bit risky or attract scammers.
fc417fc802 2 days ago [-]
It's a calculated risk. They know the VIN number and I assume made a copy of your photo ID.
Saline9515 1 days ago [-]
If you get scammed, it requires you to sue, many EU countries have very long waiting times for those, so you'll be carless and moneyless for a long time. Cash or crypto solves this elegantly.
tsimionescu 1 days ago [-]
How does crypto solve this? You still have to send the funds and hope they give you the car - it's exactly the same as a bank transfer.
Saline9515 1 days ago [-]
Because the transfer is done instantly and every party can verify it. Just like cash.
tsimionescu 5 hours ago [-]
Intra-bank transfers are instant, so is PayPal/Revolut/Zelle or whatever else, and many inter-bank transfers are also instant or very nearly so in the EU. None of these, except maybe cash, protect you from someone simply not delivering the physical good (car + car keys) after the transfer completes.
From a legal standpoint, the bank transfer speed is anyway irrelevant - you first sign a sale contract that makes the car yours and the money theirs, before anything actually exchanges hands. If one party fails to deliver the money or the other fails to deliver the good, they are anyway liable. With instant transfers, the buyer is more likely to get scammed; with delayed transfers, both the buyer and the seller are equally as likely to get scammed - that is the only difference.
stevage 2 days ago [-]
How do stablecoins fit in here? You can buy a car with crypto but not cash?
Saline9515 1 days ago [-]
Many EU countries have limits on cash payments, and the EU will enforce a union-wide limit of 10,000€ in 2027. Of course, this limit won't be reevaluated over time, so the real value will decrease with inflation.
stevage 1 days ago [-]
I'm just trying to imagine what kind of European vendor is willing to accept crypto for their car. The most obvious reasons seem a bit shady.
Saline9515 1 days ago [-]
The use case would be for transactions between individuals. A friend working at a large industrial firm told me recently that crypto would solve a problem that they have in Asia: orders are often done during auctions from the producer, and require instant payments; however the payment rails take two weeks to clear a transaction. Crypto would fix this.
The fact that it's not widespread doesn't mean that there isn't a use case.
anonym29 2 days ago [-]
Stablecoins aren't cryptocurrencies in any sense of the word. It's just electronic fiat.
Ekaros 2 days ago [-]
They are cryptocurrencies. But they are not fiat. They are IOUs of fiat. Token represents promise of some other party to possibly redeem (if you collect enough tokens) to convert it to more commonly accepted fiat they promise they somehow hold.
Your money is safe with us. We promise. With lot less oversight than most other solutions for holding money...
amarant 2 days ago [-]
I mean they use Blockchain, right? Isn't that like the only real requirement for the name crypto?
As long as you burn as much electricity as Andorra does in a week just to make a transaction, you're probably a cryptocurrency. And that's their sole benefit it seems.
Saline9515 2 days ago [-]
Most blockchains nowadays are not proof of work anymore.
anonym29 2 days ago [-]
>I mean they use Blockchain, right? Isn't that like the only real requirement for the name crypto?
Absolutely not. Cryptocurrency exclusively refers to a permissionless, decentralized, cryptographically secured, irreversible, fungible monetary system with a disinflationary or non-inflationary supply, following a voluntary, collectivized governance model.
A vast majority of tokens colloquially referred to as "cryptocurrency" couldn't be further from these principles. There are no stablecoins that are cryptocurrency. Ethereum is not cryptocurrency. Any coin issued by a corporation (e.g. Ripple) is not a cryptocurrency.
YawningAngel 2 days ago [-]
If your definition excludes Ethereum your understanding of the term so differs from everyone else's that we aren't talking about the same thing
anonym29 2 days ago [-]
Ethereum is a great utility token. Smart contracts absolutely have utility in the digital economy. It's just not a cryptocurrency, is all. It had a massive premine, there's no supply cap, it's subject to OFAC censorship, and has effectively demonstrated that just ~4.8% of the total ETH supply can vote to cause rollout and widespread adoption of a fork that reverses transactions.
We need different words for these fundamentally different things, because conflating them causes real confusion, as this very hack demonstrates. People are surprised that an admin can lock transactions precisely because the word "cryptocurrency" led them to assume properties that don't exist in stablecoins.
rando1234 2 days ago [-]
Where did the 4.8% number come from? Is it based on the validator stake? How does that compare to the number required to fork Bitcoin as a function of its supply?
anonym29 1 days ago [-]
There was a vote after the DAO incident to roll back. 87% of those that voted voted yes (for the rollback), but only 5.5% of the total supply voted at all.
genidoi 1 days ago [-]
Those are all arguments for why Ethereum is a bad cryptocurrency, not for why Ethereum isn’t a cryptocurrency at all.
amarant 2 days ago [-]
Is there even any currency that meets that definition? Iirc even bitcoin had some kind of reversal back in the day, or am I misremembering? I seem to recall bitcoin splitting in 2 for a while as there was some disagreement on whether the reversal should be made or not.
Idk, it's been a while and my memory is fuzzy.
kogasa240p 2 days ago [-]
Makes it easier to do pump and dumps, was never about "privacy" or "decentralization" as web3 types parroted 4-5 years ago. Monero is the exception btw.
0x3f 2 days ago [-]
I don't know how this specific thing works, but I don't really see any fundamental problem with mixing and matching. If you believe in the benefits of crypto, then 50% crypto is still possibly better than 0%.
It's not like I forgo a lock on my front door just because my windows are made of glass.
mnkyprskbd 2 days ago [-]
Currency isn't a homebrew computer or backyard car project; it is either centralised or not; there is no in between.
Blockchain with central authority is the worst of both worlds.
sota_pop 2 days ago [-]
Very much this, it’s all the technical rigour, code debt, and none of the controls/reversibility.
At least when I report fraud to credit card or my bank, they can stop or undo/chargeback a transaction.
stan3223 2 days ago [-]
And if it is centralised, what is the point of blockchain? Just run it out of a Postgres database.
0x3f 2 days ago [-]
Not really. At a traditional bank I have to trust n people with varying degrees of access. Ceteris paribus, any reduction in n is an improvement, even if n is not zero.
Of course n can be smaller and the specific people less trustworthy, but that's quite a different thing.
mnkyprskbd 2 days ago [-]
At a traditional bank you have your national deposit insurance scheme; you get that in return for converting your "assets" to the said nation's issued currency but accept the authorities' control of the money supply and your funds.
With decentralised money, you get the safety of a globally distributed attestation backed by cryptography without a single authority controlling the supply of money or your funds.
There is no halfway option. You either have a single authority that can exercise control or you do not; number of delegates for exercise of control is almost irrelevant since you can change banks.
0x3f 2 days ago [-]
I mean you're just making bare assertions, of course there are halfway options. Different components of the account or relationship can have different parameters. Most crypto products are not the equivalent of depositor accounts anyway, they wouldn't be insured necessarily at a traditional bank either.
mnkyprskbd 1 days ago [-]
Most "crypto" products aren't even crypto but custody accounts. But that doesn't change the fact that blockchains that can be controlled by specific entities unanimously are a joke of a crypto.
0x3f 1 days ago [-]
There are just some things that are unsolved. For example, a smart contract can't act as an oracle for many types of external event. There's no way around that. Doesn't mean it's not valuable to make the rest of your product trustless. Reducing the keyholders matters. Unless you think NSA key escrow is also cool because hey, one person, somewhere, has the key, so why not the whole government?
mnkyprskbd 19 hours ago [-]
Exactly. It is the same. One person or the whole government; it is the same, when it matters.
ribosometronome 2 days ago [-]
That access is to provide account support, no? Reverse fraudulent transactions and the like. A "bank" could just not do that save for if you're a large enough client to merit attention but why would I want to bank there if I'm not a large enough client?
snypher 2 days ago [-]
Ok so we are expected to trust; the creator/s, some random hacker, whoever else has the key? So the value here is between 2 and 'many'.
0x3f 2 days ago [-]
You're expected to do your own research about how it works, who the keyholders are, and what permissions they have. You're free to choose only projects where n=0. If you choose n>0, you have to work out your trust and confidence level. You're always free to use the traditional financial system as well.
nkrisc 2 days ago [-]
If my money in the bank is stolen I have legal recourse.
dylan604 2 days ago [-]
is insured by the FDIC legal recourse?
mothballed 2 days ago [-]
FDIC does not cover bank theft.
> FDIC deposit insurance does not protect against losses due to theft or fraud, which are addressed by other laws.
That's covered by private bankers bond insurance, much like you could get for decentralized stored pots of gold or you can buy insurance in the form of put options (like on IBIT) on the loss of value of bitcoin or if your cold wallet is stolen you can initiate legal proceedings against the thief.
That's good to know. I guess that makes sense though as those swindled by Madoff had to recoup their money through Madoff's estate instead of FDIC.
I guess Hollywood has misled us yet again in pretty much every bank robbery scene with dialog like "Nobody panic. We're not stealing your money, we are stealing the bank's money".
babypuncher 2 days ago [-]
The primary selling points of cryptocurrencies are all hinged on the promise that they are decentralized and can't be controlled by a single entity. Without that, all they are is a new version of PayPal or a credit card network that requires many orders of magnitude more compute resources to maintain.
cameldrv 2 days ago [-]
You shouldn't have a key that controls millions/billions of dollars on a cloud service. It should be on an airgapped laptop that was purchased anonymously, has never been connected to the Internet, and only runs software that has been vetted and loaded onto it via a CD-ROM or some other comparable method.
WatchDog 2 days ago [-]
If their coin requires a web service to process each transaction, then an offline key isn't very useful.
You can criticize their design, but you can't have a dude burning a CD-ROM every time someone wants some coins.
vlovich123 2 days ago [-]
Have you actually tried to run a business this way?
cameldrv 2 days ago [-]
Yeah. Sorry to say, but if you’re going to run a crypto company, and it’s even moderately successful, people are going to try to steal the key. Either you are extremely paranoid, or you’re going to lose a bunch of money, for yourselves or your investors.
mememememememo 2 days ago [-]
$24m was lost. Setting this up is say $10k in time and materials. Although I would use a rack server.
allreduce 2 days ago [-]
No need to get fancy. A yubikey glued to a tungsten cube would have prevented this attack. That's 50€ for the yubikey and 300€ for the tungsten cube.
jiggawatts 2 days ago [-]
I have, I've set up "truly offline" root certificate authorities and the like in the past.
Yes, it's a pain to operate, but if the alternative is "the bad guys get all of our money", then it can be worth it.
vlovich123 1 days ago [-]
Sure, I never said anything against offline root cert authorities. But did you do it literally exactly how this guy was saying to do it with a laptop that you load via CD-ROM for a signing key that’s being used for active transactions?
It’s as if one of the things your root certificate authority signed got compromised. It doesn’t help that your root key is safe if attackers still managed to impersonate you before you revoked that cert.
> privileged private key to sign off on how much USR could be created. Unfortunately, the smart contract itself did not enforce any maximum limit on minting – it only checked that a valid signature existed.
The offline idea simply doesn't work because this particular key has to be online.
amarant 2 days ago [-]
What is the point of stable coins? Like why does anyone buy them?
It seems to me that their initial value is 1 USD per token (or some other fiat I guess) and that's also the roof of their value: they kinda guarantee that they won't become more valuable than that.
They are less usable than fiat: more businesses accept fiat than crypto, especially weird and small coins like all stable coins are.
There isn't really a floor to their value, as demonstrated here.
I see plenty of downsides of owning one of these coins, but not a single upside?
Yet people apparently do buy them, so what is the upside? There must surely be something that's good about them?
mememememememo 2 days ago [-]
Why have cash? A: as an intermediary between better uses of money (buy cool stuff or invest)
So why use stablecoins and not use cash? When you want to quickly convert to/from a token (60 seconds, not 6 days), but for a short period have a stable value. Or you want to avoid banks.
I.e. trading, gambling, drug deals, money laundering, etc.
fintech_eng 2 days ago [-]
They’re not really meant to go up in value.
The main use is just having something dollar-like that you can move around easily. That’s useful outside the US, but also for plenty of people inside the US depending on what they’re doing; especially businesses that have a hard time getting or keeping normal banking (cough gambling, porn, weed cough).
They’re handy inside crypto since you can move in/out of other assets without touching a bank. And sometimes you can earn yield on them, which is part of the appeal (with the usual “this can blow up” caveats).
Also, there’s a reason every company wants to launch one: if you control the stablecoin, you get the float and the rails. That’s a pretty nice business if people actually use it.
If you already have solid access to USD and don’t care about that flexibility, they’re less compelling.
But yeah, not risk-free at all (depegs, issuer risk, etc). And honestly there probably isn’t much real need for dozens of slightly different stables beyond the business incentives.
amarant 2 days ago [-]
Ah, so we're basically battling the prudishness of VISA and MasterCard?
That... actually makes sense... which is a rare feat for crypto!
Saline9515 2 days ago [-]
Stablecoins present less friction, have cheaper transaction costs and fewer intermediaries susceptible to block them. It greatly increases the velocity of money.
amarant 2 days ago [-]
What utterly horrendous payment solutions are you using that have more friction than crypto?
The ones I use are several orders of magnitude less friction and most are 100% free. The ones that do have a cost (for recipients outside Scandinavia basically) are still way, waay cheaper than crypto transactions.
Saline9515 1 days ago [-]
Many banks where I come from (France) will require, for larger payments:
- Print a paper form, fill it by hand, scan it and send it. A human will review it next week and agree (or not).
- If you receive money, you have to prove the origin. If you can't, or if the bank finds it unsatisfactory, they'll freeze it. Often, they'll freeze your account right away. You have little legal recourse.
For the record, I once wanted to buy a car in a foreign EU country. I had the contract, it was from a recognized dealership, etc etc. The bank refused to send it. I had to open a Wise account, wire the money there, and then send it to the dealership.
Overall banks are nice, most of the time, but can create a lot of problems when you need them, especially now that the EU is having an AML inflation under the US and FATF pressure and everything is managed by AI with no human in the loop.
I understand that you couldn't care less about people who aren't having the exact same life as you, but maybe consider that one day it will change and you'll need a freer transaction infrastructure.
And crypto transactions are almost free nowadays, if you avoid Ethereum and Bitcoin. A transfer on Arbitrum L2 costs $0.002 [0]
[0]: https://arbiscan.io/tx/0x92122f1df5e8811f4d0cbf44f210074f5bb...
No sign-up fee, no recurring fee, and no transaction fee. I guess it's a loss leader for banks? But if one bank stopped supporting it, they would find themselves without customers in less than 24 hours, so it's a worthwhile loss I guess
ezfe 2 days ago [-]
To take advantage of the ability to send money that way without the volatility
JumpCrisscross 2 days ago [-]
Let’s be honest, it’s principally for illicit use, a tiny fraction of privacy folks and then a lot of people caught in between who don’t understand yield but want to bet on a volatile asset and have to use a stablecoin to go between. (Because the backers of the volatile thing are doing something illicit.)
Saline9515 2 days ago [-]
You are a decade late, nowadays stablecoins are commonly used in international trade. Most Alibaba sellers accept USDT nowadays, same for Indian ones.
JumpCrisscross 2 days ago [-]
> stablecoins are commonly used in international trade
For a rounding error value of "commonly," sure. (Catering to a financially-constrained market is good business. But it, by definition, will never be an important one in the grand scheme of things.)
Saline9515 1 days ago [-]
Something can be common, while not representing a large volume. And given the current aggressive policy of the US administration, you may soon have to find new payment rails for your international trading, depending on where you live.
As always, things are certain until they aren't. Technological innovation always starts with fringe use cases, before becoming more widespread.
stevage 2 days ago [-]
I think the idea is if you're attempting to actually use crypto in the way that you would normally use money (ie, to buy/sell stuff) then you don't want the volatility. So in theory, it takes away the volatility while living within the crypto ecosystem.
But obviously...things happen. Just like cash is usually relatively non-volatile, but financial crashes happen.
onemoresoop 2 days ago [-]
Could this be an inside job?
s_u_d_o 2 days ago [-]
And what happened next? He mixed those coins? Transformed them into monero?
Jommi 2 days ago [-]
First step is to turn them into real crypto like ETH (so it's unfreezable)
then probably mix them via different methods
then sell them via OTC-style swap platforms like fixedfloat / changelly etc
s_u_d_o 1 days ago [-]
Yeah but aren’t those KYC-based platforms? I mean eventually he can get tracked down… no?
mememememememo 2 days ago [-]
Has to. As ETH they are probably still traceable.
consumer451 2 days ago [-]
Oh wow, there's another interesting story on that site:
> Trump Administration Likely to Un-ban Bitcoin Mixers, Dept. of Treasury Says They are “Not Unlawful”
https://bfmtimes.com/trump-likely-to-un-ban-bitcoin-mixers/
I thought Tornado Cash was already taken off the OFAC list a year ago.
FpUser 2 days ago [-]
>"However, the hacker was only able to siphon off $25 million; the rest was locked into the protocol after system admins got alerted."
"Only" ?!!! Poor thing.
curiousObject 1 days ago [-]
If they take too much then confidence in the coin is absolutely lost and the coin fails and its price rapidly goes towards zero, so they're possibly being smart by only taking a small percentage — if that was the hacker's decision
Yeah $25m is only little but could still be useful
m0llusk 2 days ago [-]
stable as in house always wins?
microtherion 2 days ago [-]
stable as in "close the stable doors after the horse has bolted"
dmitrygr 2 days ago [-]
Self-Funding Bug Bounties strike again.
KK7NIL 2 days ago [-]
Sounds like it's working as designed!
tekla 2 days ago [-]
Hacker? The coins were minted with perfectly valid code.
gverrilla 2 days ago [-]
not even news.
RS-232 2 days ago [-]
Has to be an inside job. One doesn’t just simultaneously hack into an AWS account, know exactly which key is needed for coin minting, and know internal details necessary to exploit a smart contract. The nature of the hack practically reveals their identity.
dafelst 2 days ago [-]
But guys, what you don't understand is that the code IS the contract!!! That means you don't even NEED regulation!!
0x3f 2 days ago [-]
Yeah, people who genuinely believe that don't have any problem with smart contracts getting exploited. Of course there are people who _say_ that because it's financially expedient at the time, then change their tune. But both groups exist and this is not really a gotcha.
protocolture 2 days ago [-]
I don't mind smart contracts getting battle tested.
I also don't mind the whole chain coming together to vote to reverse the transaction.
I also don't mind a bunch of people being unhappy with that and forking.
0x3f 2 days ago [-]
That's fine. I just see it as heuristics at different levels. In the wider context, generally, markets work well, so people should be 'allowed' to do all of this. After all, you can choose not to use ETH if you think the foundation sucks. Whether ETH or the foundation sucks is a technical question given your goals, I suppose, rather than a moral one.
In a western legal framework you might argue promissory estoppel if the foundation made certain statements about it, but if you take the libertarian code-is-law stance and you want to be consistent then you probably should have researched exactly what was possible at that level before investing.
So all-in-all, seems fine to me.
MrDrone 2 days ago [-]
The contract code said, "if you have a valid (off-chain) private key, you can mint tokens." The hacker gained access to their AWS account and ultimately their keys.
While I am happy to celebrate dumb crypto stuff, this isn't a situation where someone's code was "exploited." Their code was stupid, relying only on an off-chain private key to allow the minting of tokens. Their security was just also bad.
Franklinwhite 2 days ago [-]
[dead]
outside2344 2 days ago [-]
How is this industry still an industry?
danny_codes 2 days ago [-]
People love gambling. Get rich quick pitches have always been popular.
Now, as to why the SEC hasn't regulated crypto out of existence... I refer you to dementia Don
bigfishrunning 2 days ago [-]
Joe had 4 years, Barack had 8. The office of the president doesn't seem motivated to regulate crypto
etchalon 2 days ago [-]
Regulation (laws) are handled by the Congress, not the Executive.
jfengel 2 days ago [-]
Congress has passed laws to delegate details to the executive departments. Congress lacks the expertise to do any kind of precision in regulation.
etchalon 2 days ago [-]
Yet they do it all the time. Constantly.
momoddo 2 days ago [-]
[dead]
le-mark 2 days ago [-]
Tl;dr another bug in a smart contract exploited, hacker got away clean.
MrDrone 2 days ago [-]
Not that it matters much, but this summary isn't right. The contract wasn't "exploited." The company's AWS account was compromised, giving the attacker access to an (off-chain) private key.
The contract relied on the key to mint new tokens. The hacker gained access to the key (through AWS) and with it minted as much as they'd like. It is certainly a valid take that a contract that only required the private key to mint an unlimited amount of the token isn't a good one, but you don't exploit someone's front door lock by grabbing the key from under the welcome mat.
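A constructed Solidity sketch of the two contract shapes described in this comment and in the article quote vlovich123 posted above (signature valid, no maximum on minting): a mint gated only by a valid off-chain signature, beside a variant where the contract bounds what any single signature can authorise and the signer can be rotated. This is an added example, not Resolv's contract; the OpenZeppelin ECDSA and MessageHashUtils imports are assumed and every name is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

/// Stand-in for the pattern the thread describes (constructed, not Resolv's code):
/// whoever presents a valid signature from the off-chain signer can mint any amount.
contract SignatureOnlyMint {
    address public immutable signer;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(address signer_) { signer = signer_; }

    function mint(address to, uint256 amount, bytes calldata sig) external {
        bytes32 digest = MessageHashUtils.toEthSignedMessageHash(
            keccak256(abi.encode(to, amount)));
        require(ECDSA.recover(digest, sig) == signer, "bad sig");
        // No cap, no nonce, no expiry: one signer compromise equals unlimited supply.
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

/// Hardened variant: the signer still authorises each mint, but the contract enforces
/// limits the signer cannot override, so a compromised key (or a stolen KMS signing
/// capability) is bounded by the per-epoch budget until the guardian rotates the signer.
contract BoundedMint {
    address public signer;
    address public immutable guardian;      // e.g. a multisig that can rotate the signer
    uint256 public immutable maxSupply;     // hard ceiling on total supply
    uint256 public immutable epochMintCap;  // most that can be newly minted per epoch
    uint256 public constant EPOCH = 1 days;

    mapping(address => uint256) public balanceOf;
    mapping(bytes32 => bool) public usedNonce;
    uint256 public totalSupply;
    uint256 public epochStart;
    uint256 public mintedThisEpoch;

    event SignerRotated(address indexed oldSigner, address indexed newSigner);

    constructor(address signer_, address guardian_, uint256 maxSupply_, uint256 epochMintCap_) {
        signer = signer_;
        guardian = guardian_;
        maxSupply = maxSupply_;
        epochMintCap = epochMintCap_;
        epochStart = block.timestamp;
    }

    function mint(address to, uint256 amount, uint256 deadline, bytes32 nonce, bytes calldata sig)
        external
    {
        require(block.timestamp <= deadline, "expired");
        require(!usedNonce[nonce], "replay");
        // Bind chain id and contract address so the signature cannot be replayed elsewhere.
        bytes32 digest = MessageHashUtils.toEthSignedMessageHash(
            keccak256(abi.encode(block.chainid, address(this), to, amount, deadline, nonce)));
        require(ECDSA.recover(digest, sig) == signer, "bad sig");

        // Roll the epoch window forward before applying the per-epoch budget.
        if (block.timestamp >= epochStart + EPOCH) {
            epochStart = block.timestamp;
            mintedThisEpoch = 0;
        }
        require(mintedThisEpoch + amount <= epochMintCap, "epoch cap");
        require(totalSupply + amount <= maxSupply, "max supply");

        usedNonce[nonce] = true;
        mintedThisEpoch += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    /// Revocation path: the guardian replaces the signer without redeploying the token.
    function rotateSigner(address newSigner) external {
        require(msg.sender == guardian, "not guardian");
        emit SignerRotated(signer, newSigner);
        signer = newSigner;
    }
}
```

With the bounded variant, a stolen signature still mints, but at most epochMintCap per day and never past maxSupply, which is what turns "single signature drains the wallet" into a limited, detectable event.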
AIorNot 2 days ago [-]
dang.. stealing money from fools and speculators.
Panzer04 2 days ago [-]
Why does everything have to be written by an AI?
aswegs8 2 days ago [-]
Writing like AI isn't a bug, it's a feature - to read it is quite annoying. And that's the problem.