Blur NFT platform bug allows old bids to be accepted

The Blur NFT marketplace appeared to become vulnerable to a bug in which old, canceled bids could still be accepted. This meant that people who had placed bids on NFTs when they were selling for higher prices, then canceled them, suddenly found those purchases going through — in some cases on NFTs that were selling for considerably less.

Blur disabled bid acceptance functionality while investigating the bug. Amusingly, this led people to begin placing huge bids they knew couldn't be accepted in order to farm Blur points, some kinds of which are awarded based on bids rather than purchases.

It's not clear how much money was lost due to the bug, but Blur cofounder "Pacman" announced that "any losses will be refunded once the issue is resolved".

Crypto researcher identifies massive wallet draining operation

Crypto researcher Tayvano posted a Twitter thread about a massive, mysterious wallet draining operation that has siphoned more than 5,000 ETH (~$9.88 million at today's prices) as well as other tokens and NFTs from wallets across more than eleven blockchains since December 2022. The operation appears to target more sophisticated crypto users, but the mechanism of attack is unclear. The researcher hypothesized that "someone has got themselves a fatty cache of data from 1+ yr ago & is methodically draining the keys as they parse them from the treasure trove", but emphasized that that was only speculation.

Co-founders of company best known for Bella Hadid NFTs begin $77 million court battle against each other

3-D artwork of a humanoid robot shaped like a woman, all white with a red circle on the chest, wearing a bomber jacket with "Japan" on the arm. The robot has Giga Hadid's face, which is wearing a futuristic visor and earphones. The background is the Japanese flag.A "Cy-B3lla" NFT (attribution)
Krzysztof Gagacki and Edmond Truong are co-founders of Rebase.gg, some sort of augmented reality app where people go hunting for NFTs. They're best known for helping to create a "Cy-B3lla" NFT collection with model Bella Hadid, which launched in mid-2022. Speaking about skepticism of celebrity NFT projects to Vogue in June 2022, Hadid said, "Where that skepticism comes from is the people who just want to have a money grab. To me, it’s so much bigger than that. I want it to be a collective. It’s not a one-stop shop—this is a real passion."

Although the project promised to provide ongoing access to Bella Hadid and various other perks, the project website has already dropped offline, the Twitter account hasn't posted since October 2022, and the Discord is a ghost town save for occasional questions about whether the project is dead. Hadid made $1.5 million for her involvement in the project.

Things at Rebase seem to have devolved, because now Gagacki has filed suit against Truong, alleging that he "has gone rogue". The suit alleges that Truong tried to oust Gagacki from the company, stole around $2 million from a shared wallet, and damaged Gagacki's reputation. In particular, Gagacki is concerned that Truong is attempting to launch the project on the Arbitrum network without Gagacki's involvement, and that tokens minted there "could reach many times over the Rebase app's last round valuation of $150,000,000" without being shared with Gagacki.

Altogether, Gagacki is claiming damages of no less than $77 million, representing the stolen funds, the value of the app, and the profits from the possible Arbitrum deal.

SEC charges Bittrex with operating an unregistered exchange

Several weeks after Bittrex announced it would be winding down its US operations by the end of April, citing the US "regulatory and economic environment", the SEC filed charges against the company and its co-founder and former CEO William Shihara for operating an unregistered national securities exchange, broker, and clearing agency.

The complaint also alleges that Bittrex and Shihara had coordinated with token issuers to dodge potential SEC action by having them remove public "problematic statements" predicting price, describing an expectation of profit, or describing offerings in terms of investments.

Hundred Finance exploited for $7.4 million

An attacker was able to manipulate the exchange rate between tokens and their interest-bearing equivalents on the Hundred Finance system on the Optimism layer-2 network, ultimately siphoning around $7.4 million from the project.

Hundred Finance announced that they were trying to communicate with the attacker to try to convince them to return some of the funds.

This was not the first exploit to impact Hundred Finance: in March 2022, both Hundred Finance and Agave Finance were targeted with a flash loan attack by a hacker who stole a total of $12 million from the two projects.

Bitrue crypto exchange hacked for $23 million

The Singapore-based Bitrue crypto exchange suffered a hack on April 14 in which attackers siphoned tokens including Ethereum, Shiba Inu, and MATIC (the token for the Polygon network). Altogether the stolen funds were estimated at around $23 million.

Bitrue didn't release details on how the attack had been achieved, but explained that one of their hot wallets had been impacted. They announced that they would be pausing withdrawals for several days as they investigated the incident, and that they would be compensating affected users.

NFT collector Franklin claims to have been scammed for 2,000 ETH ($4.2 million)

A gold-furred illustrated ape wearing a red visor and red shirt resembling a foodservice uniform. Its eyes are closed and it's on a grey backgroundBored Ape #1726, used by franklinisbored as a profile picture (attribution)
Franklin, aka franklinisbored, has come to be known as one of the most prolific collectors of Bored Apes. At times, he's held more than fifty of the NFTs, and he can often be spotted snapping up cheap apes. However, on April 13 he sold quite a few of his collection.

Franklin disclosed on Twitter that "Due to an unfortunate IRL issue, I have had to sell off a lot of BAYC apes to pay off BendDAO loans while the liquidity was available". He had recently sold 27 of the Bored Apes. He later wrote, "I got rug pulled on an investment I put almost 2000 ETH into, thinking it was credible due to who else invested (not naming anyone for privacy reasons). Someone used our $$ as a casino gambling Ponzi and flushed it down the drain. Please learn any lessons possible from this." 2,000 ETH is worth around $4.23 million at today's ETH prices.

People immediately began to speculate about what project he could be referring to. Some wondered if perhaps he was trying to cover up losses on the Rollbit crypto casino, which he was known to use, and where he could be observed on-chain depositing more than 6,000 ETH (~$12.7 million) since the beginning of the year alone. Later in the day, he wrote another tweet: "For partial transparency: My personal PnL [profit and loss] of my Rollbit gambles is about -650 ETH total. So yes I lost a lot of money myself on Rollbit, but that didn’t require me to sell off today." At today's prices, 650 ETH is around $1.375 million.

Franklinisbored expressed that he would be taking a break from NFT trading and social media following the incident: "I won't get involved in NFT trading/twitter for a while, and will just focus on my private life for the time being with my remaining apes."

Yearn Finance exploited for more than $11 million

A bug in a token issued by the Yearn Finance defi protocol resulted in a loss that has been estimated at around $11.6 million. An attacker was able to use a 10,000 USDT deposit to mint more than 1.2 quadrillion yUSDT, a wrapped version of the Tether (USDT) stablecoin. Losses were limited somewhat by the fact that only older versions of the Yearn protocol were vulnerable to the bug, and the version had been "frozen" since December 2022.

The attacker began swapping tokens out for other stablecoins shortly after the exploit, moving them into lending projects like Aave and laundering them through the Tornado Cash cryptocurrency mixer. There were early concerns that Aave itself was impacted by an exploit, but it was later clarified that Aave had simply been used to swap tokens involved in the Yearn exploit, and did not appear to itself be vulnerable.

This is not the first exploit involving Yearn Finance, which was hacked for $11 million in 2021, and which lost around $1.4 million in connection to the massive Euler Finance attack in March 2023.

Nicole Behnam pumps and dumps: "There were mistakes made in a wallet that I controlled"

A poorly drawn pixel art shiba inu dog with half-lidded eyes, a shiny black pompadour, and its tongue sticking out, holding some sort of wire with red, green, and blue ends in its paw.Blocky Doge 3 #8691 (attribution)
New passive voice Hall of Fame contender just dropped: "There were mistakes made in a wallet that I controlled." You would think someone who got their start as a writer might know better.

Writer, journalist, and now web3 influencer Nicole Behnam helped pump Dogecoin founder Billy Marcus' new free-to-mint "Blocky Doge 3" NFT project, writing on Twitter, "No roadmap or utility? I'm in 👀" and talking it up on large Twitter spaces. A wallet belonging to her then received 250 NFTs from Marcus early on, then dumped around 220 of the NFTs on the market all at once, tanking the secondary market price while earning her around 20 ETH (~$38,000). At the moment, the NFTs are selling for an average of 0.031 ETH apiece (~$59).

After being found out, she wrote on Twitter that "There were mistakes made in a wallet that I controlled," but claimed that she had tried to make it up by returning the profits and buying up low-priced NFTs. "How the last 24 hours went down was not cool and I’m doing my best to rectify the situation," she wrote. "Listening, learning, moving forward." Shortly afterwards, she was removed from a "NFT100" list that had published only days prior by NFT Now, for what they described as violations of their ethics policy.

Ren Protocol transfers all assets to FTX bankruptcy team

In February 2021, the Ren project announced that it had been acquired by Alameda Research so that Alameda could "[help] accelerate the decentralisation" of the project.

Now, the Ren team has announced that they have transferred all assets on the Ren Protocol "to the FTX Debtors' cold storage wallets for safeguarding".

The announcement mentioned "possible shutdowns of infrastructure and systems," possibly referring to Ren's plans — announced shortly after the FTX collapse — to "move on from Alameda" by launching "Ren 2.0" and sunsetting the 1.0 version. However, there has been little public evidence that Ren 2.0 has been progressing.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.