Beanstalk Farms stablecoin project loses $182 million to exploit

All my magic beans gone. An attacker successfully used a flash loan attack to exploit a flaw in Beanstalk Farms' stablecoin protocol, which allowed them to make off with 24,830 ETH (almost $76 million). The attacker then donated $250,000 to Ukraine before moving the remaining funds to Tornado Cash to tumble.

Estimated damages to the project were higher than the amount the hacker was able to take for themselves — around $182 million. The $BEAN token, once pegged to $1, dropped to nearly 0. The project creator wrote in the Discord, "We are fucked. This project has not had any venture backing, so it is highly unlikely there is any sort of bail out coming." However, they were later slightly more optimistic, writing, "it may also be the start of something good... there may be a path forward. We don't want to comment on next steps until that path is at least visible to us" while reiterating that a bail-out was "highly unlikely". They also told members of their community that they had contacted the FBI about the theft.

Someone successfully games raffle for popular NFT allowlist with Sybil attack

Pixel art of a white owl with one squinting eye, wearing a forest ranger hat, on a light green backgroundMoonbirds #768 (attribution)
The NFT project "Moonbirds" generated so much hype that they implemented a raffle system for the many people who hoped to get on the project's allowlist, hoping to make it more fair. However, because it is relatively trivial for a person to create many crypto wallets, a person was able to game the system by creating over 400 wallets, which went on to win more than 50 slots on the project allowlist. This strategy — creating many accounts or wallets to gain an advantage — is known as a "Sybil attack".

This did not go over so well for the people who were eager to get a spot in line to mint NFTs that cost 2.5 ETH ($7,650), but was selling with a floor price of 13.1 ETH ($40,000) on the secondary market shortly after the mint completed. If the person behind the Sybil scheme flipped their NFTs for the current floor price, they could make upwards of $1.6 million in profit.

Pseudonymous Gem cofounder revealed to be hiding a history of alleged sexual abuse, some targeting children

A pseudonymous co-founder of the NFT startup Gem, who was previously known only as "Neso", has been revealed to be Josh Thompson. Using the handles "Joshpriest" and "MethodJosh", Thompson is a once-prominent World of Warcraft streamer who has been accused by at least five people of rape, sexual harassment, and grooming of minors. Gem announced to their community on April 9 that they had reviewed allegations against Neso and "exited" him from the team, though a report by BuzzFeed News showed that the Gem team had known about his identity since at least mid-March.

Following the publication of the BuzzFeed article on April 16, the Gem Discord erupted in anger — apparently discovering for the first time that Gem had known Thompson's real identity for quite a lot longer than they had let on. Some members accused the team of lying and trying to cover up who Thompson was, demanding the team explain themselves. The Gem Discord bot was subsequently configured to block links to BuzzFeed.com, so people couldn't post the exposé article.

Crypto culture has embraced pseudonymity to such an enormous degree that not only is it common for everyday traders to cloak their identities behind wallet addresses or pseudonyms, but for founders and prominent members of major projects to do so as well. This is not the first time this has enabled deception, such as in the case where a chief developer of a defi project later being unmasked as a man with a history of financial crimes and other shadiness.

Rikkei Finance exploited for $1 million

Rikkei Finance, which describes itself as a metaverse defi project, was apparently exploited. 2,571 BNB, priced at around $1.07 million, was transferred out of the protocol and quickly moved to a tumbler.

Unicorn Nodes defi project rug pulls hours after launch

Unicorn Nodes claimed to be a "defi-as-a-service" project. It launched its $RNBW token on April 14, despite warnings from "TheBreadmaker", who rates various protocols. Only hours after launch, someone sold 5,432 RNBW (~$129,000), draining the liquidity pool and crashing the token price. Although the project creators initially claimed that the project had been exploited by an external actor, and that it wasn't a rug pull, by that evening they had scrubbed their website and Twitter presence.

Monero holders plan a bank run

Monero is a privacycoin that attempts to address some of the privacy issues with more popular currencies (like Bitcoin or Ethereum) — namely, that anyone can see that wallet A sent a transaction of X amount to wallet B. However, privacy cuts both ways, and this feature also means that, without cooperation from the exchanges, the Monero community can't verify that exchanges actually hold the amounts of Monero they're allowing their users to buy. Some in the community have become increasingly suspicious that exchanges are selling "paper Monero": fake Monero that's not actually backed by reserves.

To try to test this theory, Monero users have scheduled what is basically a bank run: they are encouraging all users to try to move their Monero out of exchanges on April 18. Some have claimed that exchanges including Binance and Huobi have frozen withdrawals of Monero in anticipation of the mass-withdrawal, in an effort to prevent their lack of reserves from being discovered. Indeed, Huobi suspended XMR deposits and withdrawals 10 days ago and has yet to restore the functionality, which they say is due to a wallet upgrade. Binance also shows "withdrawal suspended" on its status page as of April 14.

Archie Comics announces "Archiverse" NFT project to overwhelmingly negative reception

An red-haired young man wearing a blue varsity jacket has fully white eyes and what appears to be magical energy swirling around him, emanating from a floating book in front of himArchiverse NFTs promotional image (attribution)
Archie Comics announced they would be launching an NFT project called "Archieverse", which centers around their spooky "Madam Satan" character and invites people to "unlock the universe of Archie Comics to play, create, and be credited on a forthcoming comic book title". The project's creators have some pretty high hopes, aiming to mint 66,666 NFTs at $66.66 each, which would earn them $4.4 million from the mint alone if they were to sell all of them.

Reception to the project was swift and overwhelmingly negative. Even the biggest Archie fans who already populated the existing Archie Comics Discord (which saw the addition of crypto channels on the day of the announcement) seemed largely unhappy with the news, and a plan to migrate to their own server free from the NFT and crypto chat was quickly hatched.

Influencer "The Real Tarzann" (aka Mike Holston) rug pulls NFT project to the tune of $700,000

Illustration of a man with a hood made from a baboon skin wearing jewelry. The man has brown skin and a brown beard, and is shirtless except for furred shoulder coveringsTarzan #2924 (attribution)
Influencer, conservationist, and exotic animal whisperer "The Real Tarzann" (a.k.a. Mike Holston) announced in October 2021 his plans for an NFT project called "Tribes of Ogun". The project promised an ambitious roadmap that included creating a strategy game, generous giveaways including trips to Africa, and donations to the World Wildlife Fund. Various prominent influencers and athletes helped to hype the project in advance of its mint.

The project ultimately minted only 3,179 of the 5,500 planned NFTs, but at 0.068 ETH a pop this still brought in 216 ETH (just under $700,000). The project quickly reduced the supply to avoid the appearance of a lukewarm mint. The NFTs themselves are all illustrations of men wearing various animal heads as headdresses — an odd choice for an animal conservation project.

In November 2021, much of the team suddenly disappeared and stopped posting to Instagram or Twitter. One mod in the Discord has remained positive for months since the apparent rug pull, urging the remaining community members to remain positive. In March 2022, the mod wrote, "I need a huge favor this week from everyone to not spam the accounts of NFT.com guys and Tarzan, it is EXTREMELY IMPORTANT that stops if we want this to comeback, hopefully huge news to follow this week." No such news appears to have come.

Bug discovered in popular Rarible platform: NFTs could execute malicious JavaScript

Security research group Check Point Research discovered a flaw in the NFT trading platform Rarible, which would have allowed an attacker to steal the entire contents of users' NFT wallets. A user who received a link to a malicious NFT, or clicks on it in the Rarible marketplace, would cause it to execute JavaScript code that would attempt to send a "setApprovalForAll" request, which an unsuspecting user would likely be less wary of when interacting with a known, trusted marketplace like Rarible.

The vulnerability was discovered after Taiwanese singer Jay Chou had a Bored Ape NFT stolen in April, prompting the researchers to look into the details of the attack. After the researchers responsibly disclosed their findings to Rarible, Rarible implemented a fix. Rarible removed the ability for users to upload SVG files to patch the vulnerability; it's not clear if they intend to restore that functionality.

Authorities link Axie Infinity hack to North Korean Lazarus hacking group

According to the FBI, the infamous cybercrime group Lazarus has been implicated in the March Axie Infinity exploit that saw $625 million taken from the game's blockchain bridge. Lazarus are a criminal group with strong ties to North Korea, and are suspected of being behind infamous cyberattacks including the WannaCry ransomware that impacted a wide number of industries including hospitals and manufacturing, as well as legislative and justice systems. The U.S. Treasury department has added the crypto wallet that received the stolen funds to its sanctions list, which may make it substantially harder for the attackers to withdraw the money. The wallet still contains around 150,000 ETH, valued at around $445 million, but has been slowly siphoning it out to various other wallets, exchanges, and tumblers over the past weeks.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.