The vulnerability was discovered after Taiwanese singer Jay Chou had a Bored Ape NFT stolen in April, prompting the researchers to look into the details of the attack. After the researchers responsibly disclosed their findings to Rarible, Rarible implemented a fix. Rarible removed the ability for users to upload SVG files to patch the vulnerability; it's not clear if they intend to restore that functionality.
Bug discovered in popular Rarible platform: NFTs could execute malicious JavaScript
Security research group Check Point Research discovered a flaw in the NFT trading platform Rarible, which would have allowed an attacker to steal the entire contents of users' NFT wallets. A user who received a link to a malicious NFT, or clicks on it in the Rarible marketplace, would cause it to execute JavaScript code that would attempt to send a "setApprovalForAll" request, which an unsuspecting user would likely be less wary of when interacting with a known, trusted marketplace like Rarible.
Authorities link Axie Infinity hack to North Korean Lazarus hacking group
According to the FBI, the infamous cybercrime group Lazarus has been implicated in the March Axie Infinity exploit that saw $625 million taken from the game's blockchain bridge. Lazarus are a criminal group with strong ties to North Korea, and are suspected of being behind infamous cyberattacks including the WannaCry ransomware that impacted a wide number of industries including hospitals and manufacturing, as well as legislative and justice systems. The U.S. Treasury department has added the crypto wallet that received the stolen funds to its sanctions list, which may make it substantially harder for the attackers to withdraw the money. The wallet still contains around 150,000 ETH, valued at around $445 million, but has been slowly siphoning it out to various other wallets, exchanges, and tumblers over the past weeks.
- "Community Alert: Ronin Validators Compromised", Ronin Newsletter
- U.S. Department of Treasury announcement showing the sanctioned wallet address
- Attacker wallet on Etherscan
RCMP says more than $2 million has been lost to crypto scams in Richmond, B.C. since January
The police in Richmond, British Columbia say they've received 22 reports of crypto fraud, which have included fake investment schemes, romance scams, or scammers impersonating government officials. One individual targeted by a fake investment scheme lost CA$550,000, which he thought he was investing in foreign exchange companies that turned out to all be fake.
Shareholders file a class-action suit against Coinbase over deceptively positive statements
A group of shareholders have filed a class-action lawsuit against Coinbase, alleging that the registration and prospectus statements provided for the company's IPO were false and misleading. The suit alleges that Coinbase failed to disclose that the company would require a large cash injection, and that it was susceptible to outages that were becoming more common as the company scaled. They described the company's positive statements about its outlook as "materially misleading and/or lack[ing] a reasonable basis".
Fake SkyVerse project draws in more than $150,000
A scammer recreated the Twitter account for SkyVerse, a much-anticipated NFT land project due to launch in "mid-April". More than 250 NFT collectors eager to get in on a mint that has only vaguely pointed to a date have fallen prey to a scammer convincing them that not only has the project started minting, but they're rapidly selling out. The scammer implemented a "counter" on the webpage that appears to show the project quickly selling out in real-time, apparently hoping to increase the FOMO that might encourage someone to hastily connect their wallet. However, a glance at the website source shows the counter is just instantiated to a fixed value, and then increments arbitrarily to show the counter approaching the maximum number of NFTs that will be sold. So far, the website has drawn 50 ETH ($150,000) from would-be collectors trying to mint NFTs for 0.1 ETH ($300) each.
NFT collector gets $280 top bid for the Jack Dorsey tweet NFT he bought for $2.9 million last year
After Jack Dorsey made an NFT out of his first-ever tweet, then-cryptocurrency executive Sina Estavi won the auction in March 2021 with a 1,630 ETH bid (then around $2.9 million). A little over a year later, on April 6, Estavi tweeted that he would be selling the NFT. He listed the NFT on Opensea for 14,969 ETH (around $46 million), in an auction slated to last a week. When the auction closed, there were seven offers ranging from 0.0019 ETH ($6) to 0.09 ETH ($277). It's still up to Estavi whether or not to accept a bid.
Ethereum transition to proof-of-stake delayed again, as is tradition
For years now, Ethereum has been talking about a transition from its energy-intensive, expensive proof-of-work consensus model to a proof-of-stake consensus model, which sports a totally different set of flaws! Exciting.
The project has been delayed so many times that it has become a bit of a running joke — crypto critics regularly describe the Ethereum PoS migration as something that has been "only six months away" for several years now. Meanwhile, it has proven a useful way for Ethereum fans to dismiss the valid concerns about the enormous energy expenditure of their preferred blockchain, as though enormous emissions and e-waste are somehow a non-issue if there is some vague plan at some perpetually-in-the-future point to move away from them.
Anyway, Ethereum developers have projected new levels of optimism lately, with several of them describing "the merge" as imminent — I believe a June timeframe was the popular estimate. Unfortunately, this appears to have been just as unachievable as the prior "deadlines", with an Ethereum core developer stating it was now looking like it wouldn't happen until some time this autumn. This is particularly brutal timing, given Nilay Patel's interview yesterday with a16z's Chris Dixon, where he confidently pointed to an early July "merge" date (only to become substantially less confident when pressed on specifics). Anyway, see you this fall for the next hype cycle — between now and then, Ethereum will have again consumed energy comparable to the amounts used annually by some small countries, for little if any useful purpose.
- Tweet by Tim Beiko
- "Ethereum energy consumption", Ethereum.org
Texas Securities Commissioner issues emergency order to stop a metaverse casino
Securities Commissioner Travis J. Iles issued an emergency cease and desist order to stop "Sand Vegas Casino Club", a project that writes on its website "THE HOUSE ALWAYS WINS. And with SandVegasCasinoClub NFTs YOU can BE THE HOUSE!" The project would have allowed NFT buyers to participate in a "profit-share program" and earn "passive income" from a metaverse casino where people could not only gamble, but purchase metaverse items representing drinks and cigarettes (really).
In the order, the Commissioner alleged that the project was "leveraging interest in metaverses to perpetrate a high-tech fraudulent securities offering", and had been falsely claiming to their followers that securities laws don't apply to NFTs. "They are misleading purchasers by claiming they can simply avoid securities regulation by implementing illusory features or use different terminology," the Commissioner's announcement said.
Science fiction author Pierce Brown cancels NFT project after negative fan response
"Don't make your dystopian books our reality, Pierce," a fan replied to sci-fi author Pierce Brown's announcement of an NFT project. Brown, the author of the bestselling Red Rising series of novels, announced an NFT project called "Solar Society" based around his work. Fan response was overwhelmingly negative, with some expressing concerns over environmental impact, and others dismayed at the negative effect they feel NFTs have had on creative communities.
The day after the announcement, Brown released a statement saying that he had been drawn in by the hope that NFTs would allow him to avoid "big companies whose sole focus is strong-arming away the rights to projects they've never been a part of to turn a big profit." He wrote, "I felt that if I didn't jump on it myself, someone else would, without the love, care, and artistry we believe in". He concluded that, given the response from his fans, he would not be continuing the NFT project. Some encouraged him to use the artwork that had already been created for merchandise or other non-NFT art sales.
- Tweet by Pierce Brown announcing the project
- Tweet by Pierce Brown announcing the project's cancellation
Someone once again appears to trade on insider knowledge of Coinbase listings
On April 11, Coinbase announced 50 new cryptocurrencies they were considering listing on their exchange. These announcements tend to increase the price of the tokens under consideration, as traders take bets that the coins will be listed, and that their being listed on a major exchange and made more easily accessible will result in a price increase down the road.
The day after the announcement, crypto influencer "Cobie" wrote on Twitter, "Found an ETH address that bought hundreds of thousands of dollars of tokens exclusively featured in the Coinbase Asset Listing post about 24 hours before it was published, rofl". The wallet had spent around $400,000 on multiple currencies listed in the announcement, which certainly appears as though they knew about the contents of the announcement before it was published.
This is not the first time allegations of insider trading have been made based on Coinbase announcements. In February, a trader made a profit of over $700,000 by trading on what appeared to be advance knowledge of two upcoming Coinbase announcements.