Brand new $CS token exploited for almost $700,000

An attacker exploited the brand new $CS token for almost $700,000 using a flash loan exploit. They then swapped the funds into around 383 ETH ($689,400) and laundered them through Tornado Cash.

Tornado Cash DAO suffers hostile takeover

A proposal ostensibly to penalize cheating network participants in the Tornado Cash crypto tumbler project successfully passed by DAO vote. However, the proposer had added an extra function, which they subsequently used to obtain 1.2 million votes. Now that they have more than the ~700,000 legitimate Tornado Cash votes, they have full control of the project.

The attacker has already drained locked votes and sold some of the $TORN tokens, which are governance tokens that entitle the holder to a vote and were also being traded for $5–$7 around the time of the attack. The attacker has since tumbled 360 ETH (~$655,300) through Tornado Cash to obscure its final destination. Meanwhile, $TORN plummeted in value more than 30% as the attacker dumped the tokens.

The attacker now has full control over the DAO, which according to crypto security researcher Sam Sun grants them the ability to withdraw all of the locked votes (as they did), drain all of the tokens in the governance contract, and "brick" (make permanently non-functional) the router.

Croatian cryptocurrency investment company BitLucky reportedly collapses; more than $75 million allegedly missing

Croatian company BitLucky told its customers that it would invest their money in cryptocurrencies, promising 5–25% monthly profits. However, its director Luka Burazer wrote an email to clients on May 19, explaining: "Dear clients, with a series of bad trades and decisions, unfortunately, I have brought the state of the company into a crisis situation. We will have more information in the following days". He and the company co-founder have since gone dark, turning off their cell phones, not replying to emails, and deleting their social media presence. According to Croatian news outlet Jutarnji list, a secretary for the company reached on the phone explained, "the director went crazy and spent all the money". The losses allegedly involve crypto assets notionally worth €70 million (~$75.7 million), and affect at least 700 individuals.

Some have expressed the opinion that BitLucky was a Ponzi scheme all along, given the unreasonable promises of 5–25% monthly returns. The editor of a crypto news outlet also expressed that "there was a 'line of [red] flags'", including that Burazer never wanted to appear in the media or have his picture shown online.

WDZD Swap exploited for $1.1 million

On May 19, an attacker successfully exploited the BNB Chain-based defi project WDZD Swap, making off with 609 Binance-Pegged ETH (~$1.1 million). The attack was apparently executed by a known exploiter, who had also previously exploited a project called Swap X.

Around $110 million "stuck" in Aave protocol on Polygon due to a bug that can't be fixed for a week

Recently, the Aave protocol deployed a contract upgrade on the Polygon version of their v2 project that was not compatible with Polygon. The bug has resulted in around $110 million of funds in wETH, wBTC, USDT, and wMATIC being "stuck", meaning users can't perform any actions involving those funds.

The funds are not at risk, but it will take at least a week before the funds are unstuck because any code change requires a DAO vote. "Considering governance times, if approved, the fix will be applied in approximately 7 days from now: 1 day of delay to start voting, 3 days of voting, 1 day of timelock on Ethereum, and 2 extra days of timelock on Polygon," explained a post by Bored Ghost Developing, a contributor to Aave.

Phishing-as-a-service company "Inferno Drainer" steals assets nominally worth $5.9 million in three months

A scam-as-a-service company identified by ScamSniffer and dubbed "Inferno Drainer" has stolen assets nominally worth around $5.9 million since mid-February. The vendor sells phishing scam software that is then used by phishers to target victims, who believe that they are interacting with an established crypto project. Inferno Drainer takes 20–30% of the stolen funds as "payment" for the scam software.

One Inferno Drainer victim lost assets worth around $417,000. They later sent an on-chain message to the thief, writing: "you are ruining my life and for me this money was a lifetime's work, I won't have enough my family..." They asked the attacker to return 50% of the funds stolen from them, offering to not report the scammer to Interpol and other authorities in return, and even offering to "sign a contract allowing you to use legally the stolen crypto".

Grumpy Cat trademark owner sends cease and desist via NFT over unauthorized "Grumpy Cat Coin"

A Grumpy Cat Coin memecoin emerged in May, with a website using illustrations of the late real-life Grumpy Cat to promote the coin. Crypto influencers, including the "SlumDoge Millionaire", jumped on board to promote the token. (The "SlumDoge Millionaire" is Glauber Contessoto, a person who briefly became a paper millionaire from, as he claims, emptying his bank account, selling all his stocks, and maxing out credit cards to buy 5 million Dogecoin during the 2021 crypto frenzy. His holdings spiked to over $1 million in value, but he didn't cash out; they are now priced at around $365,000.)

However, Grumpy Cat's owner owns trademarks associated with Grumpy Cat, and it seems she has become aware of the coin. On May 18, she minted an NFT and transferred it to the Grumpy Cat Coin deployer address. The NFT image is a copy of a cease and desist letter representing Grumpy Cat Limited. The letter describes the coin offering as a "blatant and willful infringement of our client's trademark rights", and insists that the coin creators stop all activities related to the coin offering or face legal action. The letter also mentioned that the URL of the project website — — was a violation of the Anti-Cybersquatting Consumer Protection Act. The project subsequently changed its domain to in an apparent effort to avoid this issue.

Simultaneously, a message addressed to holders of the Grumpy Cat Coin was posted to Grumpy Cat's Twitter account, describing the token as a "desperate, sad attempt to scam unwitting traders" by "SlumDoge Millionaire and their cohorts".

Coin Cafe to pay $4.3 million restitution after instituting high fees without informing customers

Cryptocurrency trading platform Coin Cafe will pay $4.3 million in restitution to customers who were charged high fees after signing up for a "free" crypto custody service. The firm instituted fees for its wallet service in September 2020, but never informed customers. They also increased the fees four times without informing their users. At one point, they charged 7.99% of the account balance or $99, whichever was greater, per month if a user did not transact that month. This resulted in some investors being charged fees equal to 96% of their holdings. One investor was charged more than $51,000 in fees in 13 months; another was charged $10,000 in a single month.

The New York Attorney General found that Coin Cafe's misleading fee structure was still in effect even after the company obtained a BitLicense from the Department of Financial Services.

Swaprum decentralized exchange rug pulls for almost $3 million

Decentralized exchange Swaprum, a project on the Arbitrum layer-2 network, suddenly disappeared with around 1,628 ETH (~$2.96 million) in an apparent rug pull. The thieves then mixed the money through Tornado Cash.

The project had been audited by blockchain security firm CertiK, and displayed the "audited by CertiK" badge on their website. This added to criticisms of CertiK, who have come under fire for auditing multiple projects that later turned out to be scams. CertiK defended themselves, writing that, "As an auditor, we cannot force projects to implement our recommendations, but we can clearly and publicly call out vulnerabilities where we find them". They argued that they had identified vulnerabilities within their audit that ultimately allowed for the exploit, including the high degree of centralization and the upgradability of the smart contracts.

Sam Altman's Worldcoin project incentivizes a black market for biometric data taken from people in developing nations

"Show me the incentive and I will show you the outcome."

Sam Altman's Worldcoin project, a dystopian effort to use chrome orbs to scan the irises of people (often in developing nations) in exchange for vague promises of crypto compensation, is encountering even more difficulties. In April 2022, BuzzFeed News and MIT Technology Review both published in-depth reporting on some of the technical and ethical issues the project has run up against.

Now, the project is facing reports that people in China, who are not allowed to sign up legitimately, have been purchasing iris scans from individuals in Africa and Southeast Asia in order to circumvent the restriction. According to the news outlet BlockBeats, Chinese individuals have been engaging in "eyeball speculation": buying biometric data scanned en masse from villagers in Cambodia, Kenya, and elsewhere by people who then sell it for $30 or less, allowing the buyer to receive the associated Worldcoin payout (currently ~$20).

Worldcoin has said they are rolling out various measures to try to discourage this activity, including changing the in-person sign-up process. However, the project acknowledged that they have not figured out how to prevent this, writing: "Despite these precautions, it is important to acknowledge that they do not entirely safeguard against collusion or other attempts to bypass the one-person-one-proof principle. To address these challenges, innovative ideas in mechanism design and the attribution of social relationships will be necessary."