- "$8.2M Lost as Visor Finance Suffers Latest DeFi Hack", CryptoBriefing
Because apparently the vinyl figurines known as Funko Pops aren't a sufficiently useless collectible, Funko decided to get in on the NFT craze by releasing a Bob Ross "Digital Pop". Ross made major changes to his will just before his death to try to prevent people from merchandising his legacy, and many fans were outraged by the NFT project, which they believe is exactly the sort of thing he was trying to prevent from happening.
A reentrancy exploit in the Ethereum-based Visor Finance DeFi protocol allowed hackers to pull 8.8 million VISR tokens out of the network, equivalent to about $8.2 million. The VISR token went from trading at around $0.93 to around $0.04, losing more than 95% of its value. The Visor team subsequently announced that they would perform a token migration to compensate affected users. Visor has suffered other hacks since its launch earlier in 2021, despite having undergone several audits.
Another Discord scam netted its perpetrators around 800 SOL, or about $150,000, from 373 individuals. The scammer posted a fake minting link in the official Discord of Fractal, the upcoming NFT and blockchain gaming marketplace co-founded by Twitch co-founder Justin Kan. Fractal said it would be compensating all who fell for the scam. The scam was apparently made possible by a compromise of the "Grape Protocol" Discord tools, a hack that was also used to target members of the Monkey Kingdom NFT collection Discord that same day.
An NFT trader hoping to get in on the "Monkey Kingdom" NFT collection was duped by a scam link in the project's official Discord channel, and sent 650 SOL (about $116,000) to a scammer. "It is important money to my family: my wife, my son", the victim wrote on Twitter. Another person replied to the tweet to say they too had been duped by the Discord scammer, to the tune of about 19.5 SOL (about $3,500). In total, the phishing link netted the attacker about $1.3 million. The scam was apparently made possible by a compromise of the "Grape Protocol" Discord tools, a hack that was also used to target users of the Fractal project's Discord that same day.
Bent Finance informed its users of a "possible exploit", but soon after issued a statement that the exploit had originated from the Bent Finance project's own deployer. Because of this, some speculated that it may have been a rug pull. Bent said in a statement, "There are multiple members on this team and we will make this right. We recommend you withdraw all funds until it is clear." The platform hasn't revealed how much money was lost, though a crypto fraud investigator wrote that 440 ETH (equivalent to about $1.8 million) appeared to have been funneled out of the platform. The attack was discovered on December 20, but appeared to have been ongoing since at least December 12, and possibly longer.
A Twitter thread showed dozens of people reporting amounts from hundreds to tens of thousands of dollars disappearing from their Chivo Wallets, the Bitcoin wallet backed by El Salvadoran President Nayib Bukele. El Salvador adopted Bitcoin as legal tender in September of this year, where it is used alongside the U.S. dollar.
Grim Finance, the "compounding yield optimizer" DeFi platform, was hacked. According to them, attackers exploited a bug in the platform to perform a reentrancy attack that netted them $30 million. Grim, indeed. A cryptocurrency watchdog group, RugDoc, opined that the exploit was possible because of very basic mistakes in implementation, and wrote, "Hopefully all projects can draw lessons from this incident that there is much knowledge most experienced solidity devs have at hand. If you haven't acquired this yet, don't build multi-million dollar projects. Don't get audits from companies which everyone knows are useless." This was apparently a dig at Solidity Finance, who had performed an audit several months prior to the hack and found that "ReentrancyGuard is used in relevant locations to preent[sic] reentrancy attacks."
Anticipating that buyers would try to hoard items from a big-name NFT drop, Adidas decided to try to limit their NFT drop to two per buyer. They apparently didn't realize that there is no guarantee that one address = one individual, and a crafty blockchain engineer created a smart contract that generated additional smart contracts, each with their own address. These contracts snapped up NFTs, then transferred them to the engineer's primary wallet and self-destructed. The engineer was able to snag 330 NFTs.
Comics artist Liam Sharp wrote on Twitter that he would likely need to close his DeviantArt gallery, which he has maintained for fourteen years, because his artwork keeps being minted as NFTs without his permission. He wrote, "I can't - and shouldn't have to - report each one and make a case, which is consistently ignored. Sad and frustrating."
Artists going through the greuling process of reporting individual NFTs created without permission from their work reported tickets being automatically rejected. Artists were also required to provide personal information to OpenSea, who in some cases forwarded the personal information to the scammer behind the theft, opening the artist up to doxing and other harassment. Eventually, OpenSea disabled their contact form that had previously allowed artists to report stolen work.