Attacker cashes out more than $11 million from Elephant Money in a flash loan attack

A person was able to use a flash loan attack to drain the Elephant Money project, crashing the token price to 0 while cashing out 27,416 BNB ($11 million). Losses to the project were likely higher, including the loss of 30 billion $ELEPHANT tokens (~$10 million). The project boasted audits by both CertiK and Solidity Finance on its website, though CertiK later tweeted that the flaw was with the treasury contract, which was unverified and unaudited.

Elephant Money is a defi project with some questionable promises—its Twitter account advertises that people can "earn 672% APY", and a recent tweet encouraged people to use Elephant Money "as your new bank: Your share of ELEPHANT tokens can be compared to your debit account, except that it also generates you money. Stampede Perpetual Bonds is your retirement fund." Hopefully no one took them up on their suggestion to put their debit account balance or retirement money into the project.

Celsius stops allowing non-accredited investors in the United States to lend out their crypto

Celsius announced that, in order to comply with United States regulations, they would no longer allow non-accredited investors from the U.S. to "earn rewards on" (that is, lend) their crypto using their Earn product. Earn advertises that people can "earn up to 18.63% APY, get paid weekly" by putting their crypto into a Celsius account, which Celsius then lends out in exchange for interest. There are, of course, no insurance protections for the user in case of losses. Non-accredited investors will now be limited to only using their Celsius account to exchange, borrow, or transfer crypto—not lend.

Individual accreditation is based on net worth or income: only those with net worth above $1 million, or yearly income above $200,000, qualify. American Celsius users were largely unhappy with the change, with one writing, "Celsius Network making the rich richer. Shameful."

Ichi token plummets 90% after Rari liquidity pool is emptied

Ichi, a defi project that allows other projects to create their own stablecoins suffered cascading liquidations in its Rari pool, leading to a token price crash. Rari is a protocol that allows users earn yields on liquidity pools for various assets. Ichi's liquidity pool on Rari was set up with an extremely high collateral factor (85%) and no supply caps, which allowed borrowers to borrow more $ICHI to use as collateral than actually existed in the liquidity pool, with many borrowing $ICHI to buy more $ICHI. As borrowers did this, the price briefly spiked from the token's early April price of around $70 to $139 before plummeting to below $2.

One Rari developer blamed Ichi for the disaster, writing, "Fuse is a permissionless protocol. Pool operators are responsible for following best practices to avoid situations like this one". Rari Capital's official Twitter account also blamed Ichi, stating, "This is a permissionless pool that is owned and operated by Ichi. We hope to see an announcement from Ichi regarding redemption strategies and next steps to make users whole."

In the FAQ about the incident, Ichi wrote that they had allowed such a high LTV ratio in the pool because they expected "users would make responsible decisions that would benefit the community". There is currently around $30 million of bad debt in the liquidity pool.

NFT collector suffers wallet compromise and loses over 100 NFTs, priced at over $600,000

A computer-generated image of blue and orange wave-like structures on a striated yellow and orange backgroundOne of Casper's stolen NFTs, Jiometory No Compute - ジオメトリ ハ ケイサンサレマセン #1021 (attribution)
NFT collector "Casper" discovered their wallet had been compromised, and an attacker had stolen around 114 NFTs worth around $600,000. The collector took to Twitter to urge people not to transact with his compromised wallet, and to ask OpenSea and other marketplaces to freeze the address. As of April 12, it was unclear how the wallet had been compromised. However, other wallets besides Casper's had transferred NFTs to the same exploiter address, so they may not have been the only user affected.

Attacker drains Creat Future tokens through flaw that allows anyone to transfer the contents of another person's wallet

A chart showing the value of $CF/$USDT. The price was steady before briefly spiking and then crashing to near 0CF/USDT pair (attribution)
An attacker stole about $1.9 million after exploiting a bug in the smart contract for the Creat Future token. The contract's transfer function was defined as public, with no validation on the caller, allowing anyone to transfer tokens from any wallet. An attacker quickly exploited this flaw to drain millions of $CF tokens from various wallets, then exchange and tumble them to cover their tracks. The attacker made off with about $1.9 million, and the value of $CF crashed.

$CF was an asset belonging to Creat Future, an early-stage defi project. Some have speculated that the hack was an inside job, and the vulnerable function was added intentionally.

First crypto burger purchase at Bored Ape restaurant illustrates why people don't widely do this

A packaged fast food meal with a Bored Ape and two Mutant Apes printed on the packagingBored & Hungry packaging (attribution)
A restaurateur opened "Bored & Hungry", a Bored Ape-themed restaurant in Long Beach, California that offers a simple menu of hamburgers or plant-based burgers (with or without onions), french fries, and soda. Prices are listed in plain ol' cash, but the restaurant published a celebratory Instagram post on April 9 showing their first ever meal purchased with $APE, the Bored Ape-associated crypto token.

A customer ordered two combo meals, which he purchased by using his mobile crypto wallet to transfer 2 $APE. I was able to track down the transaction, and at the exact time of transfer, 2 $APE were priced at $21.92. The value of $APE has increased by 20% since then, so the purchaser lost out on those earnings by spending them at that time (compared to cash, which is worth roughly the same as it was 10 days ago). This is a (very small) example of why people don't tend to use as currency the same assets they are expecting to increase substantially in value. Furthermore, the purchaser had to agree to an estimated $10 in gas fees when he confirmed the transaction—half as much again as the price of the meal. The transaction ultimately cost the purchaser $4.66 in gas due to fortunately low rates that day, but it was a transaction fee that wouldn't exist if they used cash, or would be substantially smaller and typically absorbed by the restaurant if using a credit card.

Painful financial implications aside, a public transaction record means it's now trivial for anyone to see who is purchasing food at the restaurant using crypto in real time—something that has concerning implications for victims of stalking and other abuse if implemented more widely, as well as just for average people who enjoy having some degree of privacy.

Anyway, hopefully the food's good—assuming the person had any appetite left after looking at their food containers depicting an ape with green skin sloughing off its face.

Gripnr seeks to financialize your Dungeons & Dragons games

An illustration of a dwarf with a long grey beard and short cropped hair with some braids in it. He is hunched over holding a glaive and is wearing a chainmail shirtGripnr dwarf NFT illustration (attribution)
Because, really, what is even the point of playing Dungeons & Dragons if you're not buying a premade character from a limited set of options, playing premade adventures with it, getting "Gripnr certified" as a dungeonmaster (or finding someone who is), paying transaction fees every time you level up or get new equipment, or reselling your characters after the campaign ends (to someone who apparently wants a "used" D&D character)?

A company called Gripnr is already working to line up NFT pre-sales, despite acknowledging that they have no idea how they will prevent fraudulent data input—an issue commonly known as the oracle problem. It's also unclear how they intend to change the game so that it's sufficiently different from the Wizards of the Coasts game that they will not face legal action (an issue that ended another crypto project planned to be based around a WotC game). We can only hope that none of this may last long enough to become an issue, given that Gripnr have come up with an idea that I can't imagine appealing to a single person who's ever played D&D.

Legal action begins against developer who solicited investments to build an OpenSea competitor, then used it to fund his NFT trading

Attorney Kevin Homiak tweeted that his firm would be representing several individuals who contributed money to a developer, Tyler Gaye, who promised to be working on an NFT platform called 0peNFT. After pulling in donations totaling 227 ETH (then around $400,000), the project was plagued with delays. Despite promises that the team was hard at work, people observing the public Github noticed it showed almost no commits to the project code.

Meanwhile, Gaye used the project Twitter account to promote his own NFT collection. He also took the donated funds and used them to buy NFTs. When pressed on this in the project's Telegram chat, he wrote, "Im buying NFTs because its my ETH and thats what I wanted to do." After crypto scam investigator zachxbt wrote about Gaye's scams, Gaye threatened to "put him in the ground if we ever meet in person".

Gaye has spent almost 400 ETH on NFTs since beginning to collect donations for his project—equivalent to over $1 million. He has also sold NFTs for a total of around 315 ETH (roughly breaking even with the amount he spent on NFTs, if looking at the ETH prices at time of trade), and amassed a substantial number of NFTs he still holds.

Blockchain bridge for the WonderHero play-to-earn game is exploited

WonderHero is a mobile play-to-earn turn-based strategy game. Attackers were able to mint 80 million $WND after successfully exploiting the bridge linking the WonderHero play-to-earn sidechain and the BNB chain. The attacker was able to swap their stolen $WND for 750 BNB ($325,000), tanking the price of $WND to near zero in the process.

Starstream treasury drained of $4 million

Starstream, a defi project built on the Andromeda layer 2 Ethereum protocol, had its treasury drained. Blockchain security company CertiK reported that the treasury appeared to have contained around $4 million in STARS, all of which was stolen. Shortly after the hack, the attacker transferred 900 ETH ($2.9 million) to a crypto tumbler. Starstream had been audited by two security firms prior to the exploit.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.