MEV bot exploited for almost $2 million
An MEV bot was exploited after an attacker discovered a vulnerability in its code that allowed anyone to call one of its functions that sold wBTC for wETH. Using a flash loan to imbalance a wETH/wBTC pool on Curve, the attacker then caused the bot to purchase wBTC at its inflated price. They then sold the wBTC for a profit. Altogether, the exploiter made off with 1,047 ETH ($1.975 million).
- Tweet thread by CertiK Alert [archive]
- Transaction on Etherscan [archive]
Arrests made in $300 million Indian crypto scam
Indian police have arrested around eighteen people, including four police officers, in connection with a $300 million cryptocurrency scam that affected around 100,000 people in Himachal Pradesh. Victims were invited to invest in a cryptocurrency called Korvio Coin (KRO), but later the scam incorporated other tokens as well. Around 5,000 government officials and around 1,000 police fell victim to the scam, with some themselves becoming promoters.
The scam was allegedly orchestrated by Subhash Sharma, who has not been apprehended. This particular fraud was uncovered in September, but has been ongoing since as long ago as 2018.
Yuga Labs' social media lead resigns after racist and antisemitic tweets resurface
One might think that a social media lead might have a grasp on his own social media accounts, and might have scrubbed damning tweets made only shortly before they began their position.
One also might think that a company embroiled in constant racism accusations might be cautious about screening its employees.
Neither of these things happened, though, and someone dug up vile tweets by Shpend Salihu, better known as NGBxShpend. Salihu resigned shortly after the tweets came to light, writing that they had "become a distraction from the [Bored Ape Yacht] Club and what we're all about."
Bored Ape collectors experience searing eye pain after "ApeFest" party
Bored Ape collectors attending an ApeFest party in Hong Kong have now been subjected to the kind of eye pain the rest of us have felt for years having to look at their hideous, pricey JPEGs.
The going theory is that event organizers skimped on lighting costs by using UV lights intended for sanitization, not for entertainment, causing burns to the eyes and skin. The eye condition, photokeratitis, is better known as "snow blindness" or "welder's flash", as it more typically affects people who haven't worn proper eye protection while welding or while exposed to sunlight reflected from ice and snow.
Several attendees reported having to seek emergency medical treatment after experiencing excruciating eye pain and vision problems, and tweet threads began circulating giving various other ApeFest attendees advice on recovering from the painful condition.
Bored Ape creator Yuga Labs belatedly issued a tweet two days after the incident, claiming only a small fraction of attendees had experienced "eye-related issues", but encouraging anyone with symptoms to "seek medical attention just in case".
Sam Bankman-Fried convicted on seven charges
After less than five hours of deliberation, a jury convicted Sam Bankman-Fried of seven fraud and money laundering charges. The conviction followed a five-week-long trial which culminated in Sam Bankman-Fried himself taking the stand, only to appear evasive and sullen as he told prosecutors he couldn't recall many significant events from his time as FTX CEO.
Sentencing is scheduled for March 28, 2024, though scheduling could be affected by factors including whether the US decides to continue pursuing an additional five charges also set to be tried in March.
- "Sam Bankman-Fried: guilty on all charges", Molly White's Newsletter [archive]
Onyx hacked for $2.1 million
The Onyx Protocol was hacked for 1,164 ETH (~$2.1 million) after an exploiter took advantage of a known vulnerability affecting forks of Compound Finance. The bug allows attackers to siphon funds from new and unfunded markets on Compound forks — in this case, a new pool that had been created for the PEPE token.
After pulling off the hack, the attacker received the usual flood of on-chain messages from people asking them to share some of their ill-gotten funds. Unusually, the attacker followed through, ultimately sharing 19.5 ETH (~$36,000) out of their spoils.
Onyx is far from the first Compound fork to fail to patch known vulnerabilities and suffer hacks as a result. Hacks stemming from known Compound bugs, such as the attacks on Rari Capital and Sonne Finance, have netted tens of millions of dollars apiece for attackers in the past.
Monero discloses that its community crowdfunding wallet was drained
Monero's Community Crowdfunding System (CCS) funds projects that aim to improve the ecosystem of Monero, a privacycoin. The CCS is funded by donations, and up until September 1, 2023, held a balance of 2675.73 XMR (~$460,000). Two months after the fact, "Luigi" (a Monero developer and one of the two people with access to the wallet seed phrase) disclosed on Github that the wallet had been drained entirely. According to Luigi, he only discovered this a month after the theft.
The other person with access to the wallet is a former Monero developer named "fluffypony", or Ricardo Spagni. He surrendered to US authorities in July 2023 for extradition to South Africa, where he has been charged with invoice fraud against a cookie company (think chocolate chip, not software). However, he was released in late September, and has been working to "address this matter" while free but under court supervision.
Safemoon executives charged and arrested
An indictment charging SafeMoon executives with defrauding investors via their SafeMoon token was unsealed in the Eastern District of New York. Three defendants were charged with conspiracy to commit securities fraud, conspiracy to commit wire fraud and money laundering conspiracy for their roles in creating Safemoon, a crypto token that once boasted a "market cap" of around $8 billion.
SafeMoon promised buyers it would "safely go to the moon" by locking the liquidity pool so that its developers couldn't rug pull. In reality, the "locking" didn't prevent the developers from removing tokens from the liquidity pool in other ways, which they did to the tune of millions of dollars. They then spent the proceeds of their crimes on personal expenses, like luxury sports cars and real estate.
Alongside the charges from the Department of Justice, the Securities and Exchange Commission simultaneously brought a lawsuit against the SafeMoon executives for violating registration and anti-fraud provisions of securities laws.
Ryder Ripps loses Bored Apes infringement lawsuit, ordered to pay $1.6 million and legal fees
A judge has ordered Ryder Ripps and his co-defendant Jeremy Cahen to pay almost $1.6 million in disgorgement and damages after they created a collection of identical NFTs to the popular Bored Ape collection. The duo were sued for trademark infringement in June 2022 over their RR/BAYC project, which Ripps and Cahen tried to argue was an art project created to draw attention to racist imagery they and others have identified in the project.
In August, Ripps tried unsuccessfully to get the lawsuit dismissed via anti-SLAPP protections.
Now they're on the hook for $1.375 million in profits they earned from their copycat project and $200,000 for domain cybersquatting violations. They also must transfer control of two domain names, two Twitter accounts, and the RR/BAYC smart contract. Worse yet, the court found that this was an "exceptional case" because of the defendants' behavior, which included being "obstructive and evasive", and "unnecessarily and inappropriately ma[king] disgraceful and slanderous statements about Yuga, its founders, and its counsel" throughout the case. As a result, they will also have to pay Yuga's attorney's fees.
- Findings of Fact & Conclusions of Law, Yuga Labs v. Ripps [archive]
AuBit, the company behind Freeway, enters liquidation
A judge in the Cayman Islands has placed Aubit, the firm behind the Freeway crypto project, into liquidation. Freeway was a crypto lending project that promised annual returns as high as 43%, at least until it halted withdrawals in October 2022, claiming it was due to "unprecedented volatility" in forex and crypto markets. Withdrawals were never re-enabled, leaving around $160 million in total customer assets out of reach.
A lawsuit from an institutional customer was filed against the company in August, calling the project "a scam".
AuBit has tried to argue that it should be allowed to restructure, but the Cayman Islands judge opted to force the firm to liquidate, citing "a real absence of proper accounting".