DFX Finance suffers $5 million loss
An attacker was able to use a flash loan to exploit a vulnerability in the smart contract for DFX Finance, a decentralized forex trading platform. The platform suffered a loss amounting to around $5 million. The attacker subsequently laundered the funds through the Tornado Cash cryptocurrency tumbler. The attacker didn't make off with the entire amount lost from the platform, partly due to an MEV bot snagging a significant amount of the funds.
Monkey Drainer steals dozens more NFTs, nets around $867,000
The "Monkey Drainer" NFT phishing scammer first identified by blockchain detective zachxbt has struck again. They successfully emptied 7 CryptoPunks and 20 Otherside NFTs, which they flipped for 522 ETH (~$867,000). The scammer then laundered the funds through the Tornado Cash cryptocurrency mixer.
Oracle manipulation attack on a QuickSwap market earns exploiter $188,000
Adding to the recent string of oracle manipulation attacks is an attack on the miMATIC ($MAI) market on the QuickSwap decentralized exchange. An exploiter was able to manipulate the spot price of assets to borrow funds, ultimately making off with 138 ETH ($188,000) that they mixed through Tornado Cash. The vulnerability was due to the use of a Curve LP oracle, which contains a vulnerability that was disclosed by a security firm earlier that month.
Security firm PeckShield initially suggested the issue might have been with QiDAO, which creates the $MAI stablecoin. The vulnerability is not with their project, although it's possible that the theft will impact the collateralization of their stablecoin.
Over 51% of blocks validated on the Ethereum chain are censored
On October 14, Ethereum reached a milestone that alarms many who have pushed for blockchains as "censorship-proof" technology. More than 51% of blocks produced in the preceding 24 hours were processed by relays that filtered out transactions involving Tornado Cash, a crypto mixing service that was added to the U.S. sanctions list in August.
This 51% threshold doesn't pose an immediate threat to Tornado Cash users, because even validators that censor transactions will still attest to the validity of blocks created by non-censoring validators. However, if 51% or more of validators were to also stop attesting to non-censored blocks, they would no longer be able to be added to the chain.
New Free DAO loses $1.25 million in flash loan attack
A flash loan attack against the New Free DAO project resulted in a $1.25 million loss. The project's token also crashed 99% in the wake of the theft. The hacker quickly sent 1,500 BNB (~$415,000) of the stolen funds through the Tornado Cash cryptocurrency mixer, and sent another 2,900 (~$803,000) to the PancakeSwap decentralized exchange.
Coinbase funds lawsuit against the Treasury Department over Tornado Cash sanctions
In the wake of OFAC adding Tornado Cash to the U.S. sanctions list in early August, Coinbase has announced they will fund a lawsuit against the Treasury Department to challenge the decision. Coinbase itself is not a plaintiff in a lawsuit, though two of the plaintiffs are Coinbase employees, who along with four other individuals filed suit in a Texas court. They say they previously used Tornado Cash for licit purposes, and are now suffering financial damages because they can't legally use the service.
In the suit, they argue that the Treasury Department overstepped its authority in what it can sanction, claiming that "Tornado Cash software, including the smart contracts, consists of immutable open-source software code, which is not property, a foreign country or a national thereof, or a person of any kind." They've also argued that the designation is unconstitutional under both the free speech protections of the First Amendment and the due process protections of the Fifth Amendment.
Celer Network's cBridge suffers BGP hijacking attack, users lose combined $240,000
The Celer Network's cBridge project was targeted with a BGP hijacking attack. Users who tried to access the bridge's frontend were instead shown a site that prompted them to authorize transactions that drained their wallets. The attacker was able to steal around 128 ETH (~$240,000) before the exploit was discovered and Celer took the frontend offline. The stolen funds were quickly transfered to the Tornado Cash cryptocurrency tumbler.
- Tweet by CelerNetwork
- Etherscan for attacker wallet
- "Truth Behind the Celer Network cBridge cross-chain bridge incident: BGP hijacking", SlowMist
Suspected Tornado Cash developer arrested in the Netherlands
A suspected developer of the Tornado Cash cryptocurrency tumbler was arrested in the Netherlands, according to the country's Fiscal Information and Investigation Service (FIOD). They said that he was "suspected of involvement in concealing criminal financial flows and facilitating money laundering". Wallet addresses used by Tornado Cash were sanctioned by the United States several days prior due to their use in laundering the proceeds of criminal activities.
It's not immediately clear from the statement whether the activities that led to the arrest involved more than just contributing to the Tornado Cash codebase, but it would be very concerning if not. There are complexities around the sanctioning of Tornado Cash—a fairly decentralized software project—that raise concerns about the criminalization of code. For many, it brings to mind the "Crypto Wars" (where "crypto" is referring to cryptography rather than cryptocurrency).
The largest Ethereum miner starts blocking Tornado transactions
The Ethermine mining pool is responsible for over a quarter of all Ethereum mining, making them the largest miner for that blockchain. On August 11, three days after OFAC added the project to its sanctions list, Ethermine stopped including Tornado Cash transactions in their blocks.
This came as a shock to some crypto enthusiasts, who were taken aback that such a large number of blocks in a "decentralized" and "censorship-resistant" project would reject Tornado Cash transactions. Others worried that more miners would do the same, which could eventually prevent Tornado Cash transactions from being validated at all.
Curve Finance frontend compromised, $620,000 stolen but later recovered by exchanges
Curve Finance's frontend at curve.fi was compromised, prompting users to give token approval to a malicious smart contract. Stolen funds were then transferred out to the FixedFloat cryptocurrency exchange and the Tornado Cash tumbler. It appears that at least 362 ETH (~$620,000) have been stolen.
Curve acknowledged the apparent exploit, tweeting at the iwantmyname domain platform to say they believed the issue was on their end. Around an hour after the issue was widely noticed, Curve announced the "issue has been found and reverted", and to use the alternate Curve Finance domain until DNS changes propagated for the affected domain. They also urged users to revoke any recent contract approvals they'd made on the Curve platform.
FixedFloat tweeted that they had been able to freeze 112 of the stolen ETH (~$192,000) that had been transferred to their platform. Binance later announced that they'd recovered the remaining stolen funds, with founder CZ tweeting, "The hacker kept on sending the funds to Binance in different ways, thinking we can't catch it. 😂"