The potential for messing up on the way is simply enormous. Remember Silk Road? Guy got v& because of a Stack Overflow post.
Ulbricht messed up in a lot of different ways. That was just one of the many. It wasn't just one little slip-up; he had truly awful OPSEC. (And pretty poor technical skills in general, it seems, based on his SO question [1] and various other things.) Even if the SO question potentially may have been found through parallel construction (no way to ever know), there were so many different parallel paths investigators could've taken that his downfall was almost certainly inevitable.
But your overall point is definitely correct. The oft-quoted attacker's advantage in information (and other) security is that the defenders need to "win" every time and the attackers only need to "win" once. Try 100 different exploit attempts; if the defenders prevent 99 of them, they lose.
This gets flipped when it comes to OPSEC. The attacker needs to "win" every OPSEC battle and the investigators often only need to "win" once. If they find a single mistake, they may be able to tug on a thread that leads to the attacker's likely affiliation and identity. And the more sophisticated and complex the attack, the more surface area there is for mistakes, just like how more complex systems/organizations have larger surface areas for attackers to target.
[1] https://stackoverflow.com/questions/15445285/how-can-i-conne...
All the hacker would have had to do was do the hack from a secure connection (i.e. cantenna to free wifi + proxy chaining, etc.)
https://tornado-cash.medium.com/how-to-stay-anonymous-with-t...
Instead, only by hash(<method name string> + "(bytes,bytes,uint64)").slice(0,10) which is brute-force-able.
Still, this sounds just like one of my worst nightmares. Code in production having bugs that will lose all my money to an untraceable environment (the tornado chain).
Quick background. Back in the pre-Flashbots days, the competitive barrier to front running was winning priority gas auctions. Basically whoever was able to bid at the highest gas price would get their transaction mined first, and would extract the MEV. (Kind of analogous to traditional HFTs fighting to shave off nanoseconds to win a latency-based priority race.)
So you had to make sure that your on-chain smart contract for the front-running bot is as insanely gas-optimized as possible. You'd literally pay a thousand times as much per unit of gas as the average person. Every single byte matters. And one thing about the EVM is that zero bytes in the transaction data cost slightly less than non-zero bytes.
So anyway, in the hot-path of that front-running bot, you'd want to get as many zeros in the method hash as you could. So I'd literally run a GPU to brute force method names.
I wonder if Coinbase has flagged the USDC that was stolen. Are those currently less-fungible USDCs?