> You'd expect that invalid actions lead to idempotent errors, not glitch states where you lose everything.
Indeed, and that's exactly how most cryptocurrencies work today. You try to send funds to an invalid address, the wallet will present you with an error that you cannot do that.
The user in the submission did not perform an invalid action, because they wouldn't be able to perform an invalid action.
So your definition for "valid action" is just that the eth network lets them do it?
They clearly didn't want to burn £500k, and that is now irrecoverable, alongside 260 other people who made the same mistake, on a smart contract that forgoes validation for gas fees.
> So your definition for "valid action" is just that the eth network lets them do it?
Yes, this is indeed the definition for "valid", that the protocol allows them to do it.
It was a valid action, but not the action the user actually wanted to perform. There are two ways of avoiding these scenarios: A) use UIs and don't interact with the protocol without safeguards, as the UI will prevent you from making mistakes (this user interacted directly with the contract, not via a UI) and B) when doing something involving a lot of money, do it once first with a small percentage, so you can verify it's correct (this user didn't do this either).
For example, I know that IBAN has checksum built into the "address" and that the bank could revert transfers, but if I make transfers above a certain sum, I always send a small amount first, make the recipient confirm how much they received (I send a small random sum) and only then do I perform the larger transfer.
As I mentioned elsewhere in the comments on this submission (https://news.ycombinator.com/item?id=30136941), it's impossible to know if someone actually has access to an address or not, so why would the wallet stop them from sending it?
"It was a valid action, but not the action the user actually wanted to perform."
It's an action noone ever has ever wanted or ever will want to perform.
In the same way putting your finger inside a power socket is an invalid action, and people who designed sockets were smart enough to make it impossible.
For example, some holder (maybe a founder) of a certain coin can burn a certain amount of their tokens, making it more rare. This is a quite common practice. If I were to burn a certain amount of tokens, I think the most natural thing to use as a burn address would be the contract address itself.
Making it easy to build contracts that will accept resources and then never do anything with them, destroying the value, is a design mistake.
This is something the developer of the contract should explicitly opt into. As others pointed out, if everything a contract did was via explicit methods, rather than transfers, this type of defect would never have been created.
And this mentality is what will block wider adoption of crypto. Calling people dumb for not understanding a non-intuitive system (after there's so much prior, "return to sender" art in the world) will not get them to use crypto.
Sure, I have no desire for cryptocurrency to get a wider adoption, I have no skin in the game, I'm just looking at the facts. I don't care if the space burns up or saves the world, for me is the same.
This is not the case of a non-intuitive system screwing the user. This is the user purposefully avoiding using the intuitive systems setup for them, and interacting with something directly even though no one does that unless you're a developer. This person has half a million dollars worth of X, while not understanding X.
> (after there's so much prior, "return to sender" art in the world)
That's awesome that you have come up with a solution for this, while the ecosystem hasn't been able to. Could you share your solution?
It's a hard problem to solve in a system that has to A) be decentralized, B) work when less than half the network is trying to screw you and C) prevent double-spending
"return to sender" sounds easy to implement in a centralized system, but it's not that simple for a decentralized one. At least not until you release your solution.
> This is the user purposefully avoiding using the intuitive systems setup for them, and interacting with something directly even though no one does that unless you're a developer.
Of course using the intuitive systems setup for the
means that one has to trust some random people or companies, instead of going directly to the blockchain. What happened to trustless?
"Trustless" is referring to the consensus in the protocols, not to the entire ecosystem. This is a ecosystem built by and for humans, of course there will be trust involved.
You are intentionally misrepresenting the parent comment. The point is not that nobody should be able to transfer from one address to another, and pretending otherwise is pretty dishonest.
But then please share with me what the argument is? The user made a transfer that shouldn't have been done in the first place, and somehow people are saying that the protocol should have safe-guards against doing transfers to the wrong address, but how is the protocol supposed to know what address is right/wrong? There is literally no distinction between them, so therefore you need to allow any transfer, or no transfer.
So I guess, when it comes down to the wire, what wins out, the needs of real users, or the documented description of a protocol?
The fact that said protocol is incapable of addressing real needs is a failure state, and historically this has been addressed by building better tooling on top of the protocol, or replacing it wholesale.
> The user made a transfer that shouldn't have been done in the first place, and somehow people are saying that the protocol should have safe-guards against doing transfers to the wrong address, but how is the protocol supposed to know what address is right/wrong?
Sure, the user sent stuff to the wrong address... Or did he? Seems, rather, that he sent the wrong kind of stuff. Had he sent, whateveritwas, WETF in stead of WETH or vice versa, then it would have gone right.
So then it seems the receiving thingamajig was at least as much at fault: It accepted (and just swallowed) a kind of stuff it shouldn't receive. It's like, say, a one-way currency-changing ATM that takes dollars and returns euros. If you feed in euros by mistake, it fucking obviously should just spit them back out (and preferably display or print an error message, "Wrong currency: Gimme dollars to get euros.") You're saying just swallowing your euros would be a "valid" behaviour for that machine.
That's so obviously bullshit that the only remaining mystery here is whether you're actively trying to defend what you know is indefensible, or actually so deluded that you've somehow convinced yourself this bullshit is true. Well, no, not the only one: The other mystery is, which is worse?
>how is the protocol supposed to know what address is right/wrong?
It's the "right" address for certain transactions--like turning ETH into WETH--but the "wrong" address for other transactions, which makes the whole thing a garbage design. You can say "that's just the way Ethereum/crypto/smart contracts work" all day, but it doesn't matter.
Most people don't care why the design is bad, they just care that it is bad, and that there are better theoretical (or real) alternatives to this tech.
Your analogies make sense to me. Sounds a lot like running a system on Linux. Or maybe assembly is a better metaphor. I like the analogy about avoiding all the safety mechanisms on an electric line and jamming your hand in there...the grid can't tell the difference.
The arguments here are odd. The blockchain isn't built to handle this kind of operation by a non-expert user. Yes, mistakes are expensive. Is that okay? In the same way that a nuclear power plant isn't designed for a rando to go in and operate it.
Yes, raw blockchain stuff is hard and non-experts should not interact directly.
The key question is, is the payoff worth building an entire system around? For nuclear power, yes, because it provides electricity for people to just plug into. For blockchain, maybe, maybe not.
> The blockchain isn't built to handle this kind of operation by a non-expert user.
But the blockchain in general and smart contracts especially are pretty expressly supposed to be, that is, central to trustlessness is not requiring some elite priesthood as an intermediary (either personally or as trusted purveyors of overlay systems) between end users and the authoritative system.
Sticking your dick into a socket results in transfer of electrons from one object to another, thats the entire point of the electric grid! Clearly it's designers had no need to design circuit breakers, ground fault circuit interrupters, etc.
Listen, in this case, there already is circuit breakers, ground fault circuit interrupters and more to prevent problems to happen in the first place. The wallet is the first guard against this, the UIs the various services provide is another, and so on.
But when the user bypasses those and interact directly with the chain, which is not recommended for people who don't know what they are doing, problems can happen.
The same as if someone bypasses all those checks you wrote about, and then complains that they got a ton of electricity zapped into them. Why doesn't the grid just know that it was a human and not something else and stopped sending electricity?!
You know what happens when you transfer money to a non-existent/incorrect IBAN?
Most likely your bank will reject the transaction and not even defund your account - as you mentioned, the IBAN itself is already designed to prevent human error.
If by chance you “crafted” a technically MOD-97 valid but not existing IBAN and the money goes out to the other bank (PACS.008), the other bank cannot book it (as the account doesn’t exist) and should automatically return it to you (PACS.004).
If by chance the other bank is incompliant and does not return the money, you can have your bank send a recall message (CAMT.056) to try and retrieve the funds. The other bank is then compelled to either refund the money (PACS.004 again) or at the least officially communicate they’re keeping your money (CAMT.029).
At that point, there’s still law and legal avenues to pursue.
One thing that does not and can not happen though, is for the money to vanish into a black hole and be removed from the economy. That is what a stable, standardized and reasonably regulated industry with some centralization does for you.
You know what happens when you send Ether to a incorrect Ethereum address? The wallet will reject sending it. If you bypass the wallet and rewrite your own wallet to send it anyways, the validators reading from the mempool will reject it. If you rewrite your own validator to accept it anyways, no other validator will accept it and the transfer will never go through.
What happened here is more like you used IBAN to send to the correct account, the correct bank and everything was correct, but no one actually has access to the account but the bank doesn't know this.
As far as I can tell, no one has argued that transaction validation for this specific smart contract should be built into wallets. You're arguing with a straw man.
The point I see made instead is that the smart contract should not be coded to behave as it does. If a financial product at a retail bank set a pile of cash on fire when you used it incorrectly, regulators would swoop in and make the industry add some safety features, even if that safety came at the cost of convenience.
It's very hard to draw parallels from cryptocurrencies to other things as it's not like other things we have today.
Some sort of analogy could be margin calls/puts. Imagine someone who doesn't know how margin trading works used it, and lost half a million dollars. Who's at fault here? The bank for allowing it, the financial system for having the feature or the user for not educating themselves enough to understand how it works?
> Some sort of analogy could be margin calls/puts.
That is not a comparable situation. The ETH/WETH trader misused a negotiable instrument, and 500K disappeared forever. Someone who loses 500K gambling on margin was gambling and lost. If they somehow mistakenly placed an order on margin, there's probably a process to reverse the transaction and get your funds returned within a specific time window (that's just a guess on my part, though, and it probably depends on the brokerage used).
> It's very hard to draw parallels from cryptocurrencies to other things as it's not like other things we have today.
I don't think this is true; cryptocurrency in this situation is very similar to cash. You can get mugged while holding 500K in a briefcase, and the funds are unrecoverable absent legal restitution. But that's why banks make you sign a waiver of liability when you withdraw large sums in cash.
> Yes, this is indeed the definition for "valid", that the protocol allows them to do it.
I believe that this, right here, is the core disagreement surrounding the utility of cryptocurrencies. There are two orientations to think about software. One is the software orientation and one is the human or problem orientation. "It did what the software says" is a defense often used by crypto advocates who point out, rightly, that there are very strong guarantees that cryptocurrencies provide and other things that they completely do not guarantee. Other people point to the mismatch between the guarantees that cryptocurrencies provide and the actual failure modes that are very common in the real world and complain that advocates seem to be completely ignoring these issues.
I think a relevant comparison is security vulnerabilities in traditional software. If you've got a program that is exploitable through a buffer overrun that enables arbitrary code execution, the program is behaving precisely as programmed. From the perspective of the program and the computer, there is no difference between ordinary operation and the exploit. But from a human perspective one of these behaviors is expected and one is both unexpected and undesirable. And the "well, just don't fuck up your C program" argument is basically failed at this point, for good reason. I would expect to see the same in the crypto space.
This is impossible to solve, in the cryptocurrency space or in the existing structures we have. When you send an email, you cannot know if someone actually has access to that account (maybe they forgot their password?), you can only know if the address is valid or not (by sending the email). Similarly, you don't know if the right person has access to the bank account you're sending funds to, unless you ask the person who is supposed to have access, if they actually can access it.
Since this has already been answered multiple times in this submission already, I'll leave you with this:
> You know what happens when you send Ether to a incorrect Ethereum address? The wallet will reject sending it. If you bypass the wallet and rewrite your own wallet to send it anyways, the validators reading from the mempool will reject it. If you rewrite your own validator to accept it anyways, no other validator will accept it and the transfer will never go through.
> What happened here is more like you used IBAN to send to the correct account, the correct bank and everything was correct, but no one actually has access to the account but the bank doesn't know this.
Let's talk about putting safety rails around large drops.
They should never be necessary with careful use.
And they can't prevent everyone from falling to their death.
But they still prevent some harms, so we generally require them to be present.
Design to do everything with contracts through methods instead of transfers to contract addresses would make this particular type of failure impossible. There would still be other ways to screw up and lose money on accident, of course. But any way that can be reasonably eliminated and isn't, is a design flaw.
SMTP servers are able to reply whether a user exists, and some still do. Your own server will send you a "undeliverable" message if it receives a negative reply.
Haha, that’s why the client software needs Nick-Fury-style safeguards to say “I understand that this a valid transaction, but given that it’s a stupid-ass transaction, I’ve elected to throw a warning.”
You'd expect that invalid actions lead to idempotent errors, not glitch states where you lose everything.