Attacker drains tokens from Layer2DAO, project buys some of them back

An attacker was able to siphon nearly 50 million L2DAO tokens from a multi-sig wallet on the Optimism protocol. These tokens would nominally have been valued at around $400,000 at the price at the time of the hack, although the token has low liquidity and the attacker would not likely have been able to sell them for that price. The stolen tokens amounted to 5% of the project's total token supply.

The attacker swapped 16.7 million of the tokens before the project was able to negotiate a deal to buy back the remaining 33.2 million tokens at a price of $0.001. In the end, the hacker made off with the $33,200 paid by Layer2DAO, plus 40.4 ETH (~$54,000) from the tokens they were able to sell.

The Layer2DAO team seemed unsure how the hack had happened, but said that they believed it was similar to the June 2022 incident in which an attacker got hold of 20 million Optimism tokens after Wintermute provided an incorrect wallet address.

Several users report losing more than a million dollars each in 3Commas/FTX theft

Several users of the automated trading bot 3Commas reported losing over a million dollars each in a hack or phishing scam affecting users who had connected it to their FTX accounts. 3Commas has blamed the losses on phishing, but affected users have said they were confident they were not phished.

One user wrote they lost almost 104 BTC (~$2 million) from an account that they said they only ever connected to FTX a year ago, with an API key they had not saved, and which had since expired and been downgraded to a free account. Another reported losing about $1.5 million.

FTX CEO Sam Bankman-Fried wrote on Twitter that FTX would compensate the affected users for roughly $6 million in total. He wrote in all caps that he did not want this to be considered a precedent, and it was "a one-time thing". He also stressed that FTX was not responsible for the exploit, and that the users had been tricked by phishing sites impersonating other reputable trading services.

Warner Bros. reinvents DVD navigation menus with their web3 "Movieverse"

Image of Sauron throwing the Ring into a fireThe Lord of the Rings: The Fellowship of the Ring Extended Edition Epic (attribution)
Warner Bros. has just announced their "The Lord of the Rings: The Fellowship of the Ring (Extended Version) Web3 Movie Experience". Catchy name.

Now, you have of course already been able to purchase or stream The Lord of the Rings: The Fellowship of the Ring (Extended Version) for twenty years now. But now you can buy a $30 or $100 NFT to get the same thing, which also boasts "themed navigation menus based on iconic locations from the beloved film". So one of those DVD navigation menus. The NFTs come with other vagaries, including "8 hours of special features, image galleries, [and] hidden AR collectibles".

Plus, of course, you can "own and trade the experience in a community marketplace".

Two days after launch, 4,203 of the 10,000 "Mystery Edition" NFTs have sold for their $30 mint price. They're already reselling on the secondary market for as low as $7.99. The $100 mint "Epic" NFTs are doing slightly better — all 999 of those were minted, and are reselling on the secondary market for around $200. All told, WB has made around $225,000 off the mint.

Almost $300,000 stolen from Olympus DAO, later returned

Insufficient validation on an OHM smart contract at Bond Protocol allowed an attacker to drain 30,437 OHM (~$300,000) from the Olympus DAO defi protocol.

Olympus DAO wrote in an announcement that "This bug was not found by 3 auditors, nor by our internal code review, nor reported via our Immunefi bug bounty." They also noted that because they had done a phased rollout of the contract, only a limited amount of the project's substantial funds were at risk.

Olympus DAO initially announced that they would "compensate all affected bonders in full", but later revealed that the stolen funds had been returned. According to The Block, the Olympus team had successfully tracked the hacker and negotiated the return of the funds.

Unstoppable Domains disables .coin extensions, illustrating an issue with the idea that "you'll always own your NFT"

Unstoppable Domains is in the business of selling "domains" — at least that's what they call them, but they're not the kind of domain that you can plug into your web browser. Instead, they are more like the ENS domains that you may have seen (the ones ending in .eth), and they typically map to a crypto wallet address.

The organization just discovered that they were not the first to go around selling .coin "domains" (represented by NFTs), and were at risk of running into collisions. As a result, they decided to no longer sell these domains, and stop their libraries and services from resolving them.

But fear not, they said, because "Unstoppable domains are self-custodied NFTs, so you still own your .coin domain, but it won't work with our resolution services or integrations."

That's right, folks, you'll still have your .coin NFT! It just won't resolve, or be otherwise useful in any way.

This is much like the argument that has been common in crypto when describing a use case for NFTs: "if it's an NFT, you'll be able to really own your World of Warcraft sword, and Blizzard won't be able to take it away from you if they arbitrarily decide to ban you or remove the item!" This ignores the fact that the existence of an NFT on a blockchain does not ensure that some functionality initially advertised will continue to work in perpetuity, and you might end up with a domain name or a sword that can do nothing more than sit in your crypto wallet collecting dust.

Unstoppable Domains has offered to credit purchasers of .coin domains 3x their purchase price, though this will likely not be as appealing to people who held domains they hoped to flip for much higher than the initial price.

Vulnerability in BitBTC bridge ends in an exploit where the clock is ticking

A security researcher published a frustrated Twitter thread reporting that "BitBTC's Optimism bridge is trivially vulnerable. Their team has ignored my messages, so I'm going to publish the critical exploit here." They described an issue where it was possible for people to create tokens on the Optimism side of the bridge that could be tied to any token on the other side of the bridge — meaning an exploiter could create a valueless token and bridge it to an unrelated token with actual value.

Less than a day after publishing the thread, someone did exactly what the researcher described, and was able to cause the bridge to mint and transfer 200 billion BitBTC. BitBTC aims to be valued at 1/1,000,000 of a BTC, meaning the exploiter on paper just landed themselves 200,000 BTC, but this is another case where massive amounts of a token were created and could never be traded for anywhere near their ostensible "value". BitBTC doesn't have publicly available data on the backing of their tokens, but it's certainly nowhere near 200,000 BTC. The project appears to be very new, and was created by a self-described "19 year old Bitcoin believer".

BitBTC has seven days from the time of the hack to fix the issue in their bridge before the transfer is complete and the attacker is awarded the tokens. Meanwhile, the hacker left an Ethereum transaction note to say that "I'm not a hacker, just want to test the exploit with a [proof of concept], won't touch any of the valuable assets."

Moola Market exploited for $8.4 million

The Celo-based borrowing and lending platform, Moola Market, suffered a major exploit when an attacker manipulated collateral prices to steal a collection of assets notionally worth around $8.4 million. After taking a loan of $MOO tokens on the platform, the attacker manipulated the price of those tokens to borrow all other tokens available on the lending protocol. The project dashboard currently shows 100% utilization, because the attacker emptied all funds that were available: a mix of $CELO, $cEUR, $MOO, and $cUSD that amount to around $8.4 million.

This attack was executed similarly to the Mango Markets exploit a week prior. Moola Market tweeted that they had "contacted law enforcement and taken steps to make it difficult to liquidate the funds. We are willing to negotiate a bounty payment in exchange for returning the funds within the next 24 hours." The attacker did eventually return 93% of the funds, keeping the remaining $588,000 as a "bug bounty".

Roofstock claims to have completed its first one-click NFT home sale

A grey single-family home with a garage door and cement drivewayThe house that was sold via NFT (attribution)
If you've ever wished you could put the same amount of thought into buying a $100,000+ home as you do ordering another bag of dog food from your online retailer of choice, you're in luck! A company called Roofstock claims to have achieved its first house-as-NFT sale on a platform it promises will "provide a radically simple way for [single-family rental] properties to be purchased and sold with one-click using web3 technology". The home in question was a $175,000 single-family residence in Columbia, South Carolina.

Needless to say, there were more than a few questions around the legal and tax ramifications of this. Some of the more crypto-minded spoke excitedly of "the ability to easily fractionalize your properties or take loans against it in a decentralized way" that this might unlock, while the rest of us were left wondering what a defi loan default and foreclosure would look like.

As much as I agree the real estate system could use some improvements, introducing the ability for someone to hack my crypto wallet and take my house is not quite what I had in mind.

Much-anticipated "speedy" Aptos chain launches, processing 4 transactions per second and with 80% of tokens allocated to insiders

Aptos, a much-anticipated layer 1 blockchain backed by FTX and a16z, and created by a team of former Meta employees, launched to much anticipation on October 17. The team had bragged that the chain would be able to process 160,000 transactions per second, even more than Solana's claimed theoretical 65,000, and far more than Ethereum's ~15 or Bitcoin's ~7. Instead, after launch, Aptos was processing a painful 4 transactions per second.

This was not the only criticism of Aptos upon launch. The Aptos token was quickly put up for sale on exchanges including FTX and Binance, but Aptos had not yet published information about their tokenomics — leaving would-be investors trying to make decisions about whether to purchase a token about which they couldn't find even basic information. Once the tokenomics were published, people expressed concerns about the distribution: 80% were allocated to the team and investors and staked, enabling them to dump the staking rewards on retail investors.

Texas regulators are investigating FTX and Sam Bankman-Fried for possible securities violations

Joseph Jason Rotunda, Director of the Enforcement Division of the Texas State Securities Board, submitted a filing to the ongoing Voyager bankruptcy case. FTX is the highest bidder among companies who have made offers to buy the assets of Voyager.

According to Rotunda, there is an ongoing investigation by the TSSB into whether FTX has been offering unregistered securities to United States residence in the form of yield-bearing accounts. He alleged that FTX's claimed attempts to segregate US users to the separate FTX.US exchange, the software makes no apparent attempt to do so, and offered yield-bearing accounts to customers who had signed up with a U.S. address — potentially in violation of securities laws.

Rotunda submitted the filing in the Voyager bankruptcy case to argue that FTX should not be permitted to buy Voyager's assets until they have been determined to be compliant with securities law. He wrote, "[FTX yield-bearing] products appear similar to the yield-bearing depository accounts offered by Voyager Digital LTD et al., and the Enforcement Division is now investigating FTX Trading, FTX US, and their principals, including [FTX CEO] Sam Bankman-Fried."

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.