CryptoPunk sells for a fraction of its likely market price due to zombie smart contract

[Image: CryptoPunk #2386, a CryptoPunk resembling an ape, wearing a blue and white sweatband and small sunglasses]
A rare CryptoPunk NFT recently sold for only 10 ETH (~$25,300), despite a market value that's likely around 600 ETH (~$1.5 million). The sale went through thanks to lingering smart contracts from a defunct NFT fractionalization platform called Niftex, which allowed people to buy and sell "shards" of various NFTs. Niftex launched in November 2020, and is now defunct, with its domain redirecting to the Kraken cryptocurrency exchange.

The platform's smart contracts remain operational, however, so the backend still functions despite the lack of a frontend website. A trader was able to use these smart contracts to trigger a feature that allows a buyout of the fractional shard holders which, if not countered by someone else, automatically goes through in 14 days. The bidder proposed a purchase of 0.001 ETH per share, and without an operational Niftex frontend, no one noticed. The bid went through, and the trader successfully purchased all 10,000 shares (and thus the NFT) for 10 ETH.

Since then, several people have offered to purchase the NFT for amounts ranging from 100 to 605 ETH. If the new owner were to accept the 605 ETH bid, they would 60x their purchase price.

One owner of a fractionalized share said he thought he had managed to successfully block the sale, but miscalculated. "GG to the new owner", he wrote. He wrote on Twitter, "I don’t consider this a heist. It’s an arb. The smart contract worked as intended. If you want decentralized systems you have to take the good with the bad. It’s part of the game. It’s why we’re here. If you don’t like those rules, you probably shouldn’t be playing."

Hacker steals $1.45 million from CUT token liquidity pool

An attacker exploited a bug in the smart contract for a BSC-based token called CUT, draining a PancakeSwap liquidity pool of almost $1.45 million in the BSC-USD stablecoin.

Indodax crypto exchange apparently hacked for at least $22 million

The Indonesian Indodax cryptocurrency exchange suffered an exploit that allowed attackers to steal tokens from several of its hot wallets. The firm did not directly acknowledge the theft, instead posting an announcement that they had "discovered a potential security issue" and were "conducting a complete maintenance to ensure the entire system is operating properly". They reassured customers that their assets were "100% safe".

Indodax's Instagram account also appeared to be compromised, promoting a suspicious "giveaway".

State securities regulators settle with GS Partners over pyramid schemes including "tokenized skyscraper"

[Image: Rendering of the supposed "G999 Tower", a skyscraper in Dubai, with the Burj Khalifa in the background]
Five states have settled with the European crypto firm GS Partners over several crypto investment pyramid schemes. These included one in which the firm sold crypto "vouchers", each representing a single square inch of a 36-floor Dubai skyscraper, which they said would allow holders to earn passive income from rental leases. The group reportedly offered a 5% weekly guaranteed return. Other schemes involved selling metaverse land and a token purportedly backed by gold. GS Partners worked with various celebrity spokespeople, including eternal moth-to-the-flame of scammy crypto projects, Floyd Mayweather. The GS Partners firm shut down in the United States as of December 2023.

Terms of the settlement include 100% repayment of investments made by victims in the five states that settled: Texas, Alabama, Arizona, Arkansas, and Georgia.

GS Partners has also faced regulatory scrutiny in other US states, as well as in Canada, Australia, and South Africa.

AssangeDAO accused of rug pull after transferring treasury to German foundation

[Image: Julian Assange]
AssangeDAO was a project created to fundraise for the legal defense of WikiLeaks founder Julian Assange, who has been fighting espionage and computer intrusion charges for over a decade, and who was imprisoned in the United Kingdom for several years. The DAO raised around $55 million, and when Assange reached a plea deal and was sentenced to time served, around $10 million remained.

This $10 million was later sent to a German non-profit foundation called the Wau Holland Foundation, which has also been fundraising and managing funds relating to Assange's legal defense. However, this transfer raised serious concerns among some members of the DAO, who say they've effectively been cut out of decision-making and that the funds were transferred without their approval, and who allege the treasury was mismanaged and crashed in value as a result.

Hacktivist, Bitcoin Core developer, and AssangeDAO organizer Amir Taaki accused a fellow AssangeDAO organizer: "Harry Halpin you should be honest and direct with the people here. You believe the money should be kept in a foundation controlled by your people with Julian. You do not respect the community or believe in the DAO."

Friend.tech team abandons project

The development team behind friend.tech has officially ditched the crypto-based social media project, which was (very) briefly hailed as a potential platform for influencers to earn money from their followers. It attracted crypto influencers, OnlyFans models, and a handful of more mainstream notables. Friend.tech received undisclosed seed funding from the crypto venture capital firm Paradigm.

The project spiked in popularity when it launched in August 2023, but interest rapidly dwindled. A token launched in May 2024 also suffered a mostly downward trajectory. On September 7, the team reassigned ownership and admin rights to the smart contracts to the burn address, making them permanently inaccessible.

Some denounced the project as a Ponzi scheme (repeating accusations it has received since its inception, based on its incentive structure). Others accused the development team of rug pulling and not delivering on their promises — accusations that intensified as one co-founder deleted his Twitter account and the other set his to private. The team is estimated to have made around $44 to $60 million in fees.

Revelo CEO resigns after claiming he was robbed of personal and company funds at gunpoint

Nick Drakon, formerly the CEO of the crypto research and venture capital firm Revelo, announced on Twitter that he was resigning from the company. In the post, he claimed that he "was recently targeted, surveilled and robbed by a highly sophisticated group. This was an in person attack where my wife and 8 month old son were threatened. The group was specifically interested in crypto assets and knew the deposit addresses belonging to the crypto businesses I operate. I was forced, at gunpoint, to log into a number of crypto accounts and transfer funds out. The funds stolen comprised personal funds, Revelo Intel working capital & retained earnings, as well as Revelo Ventures (an investment syndicate) funds for deals awaiting settlement."

He went on to state that the "vast majority" of the stolen assets were his personal funds. He also alleged that "There is some evidence to suggest that someone in the Ventures syndicate is either part of the group, or passing information onto them."

The amount of funds stolen was not disclosed. Drakon resigned as CEO, and said that he had forfeited his interest in Revelo Intel "to facilitate the return of some money back to members as quickly as possible". He wrote: "To be clear, I have zero financial interest in Revelo moving forward."

He also stated that he would be "stepping away from 'public life' in this space", and warned others: "If you are someone who is known to control large sums of money, you are a target and it is not difficult at all to get to you."

Robinhood pays $3.9 million to settle commodities law violations in California

Robinhood has paid $3.9 million to settle charges from the California Department of Justice that the platform was violating commodities laws. From 2018 to 2022, the popular trading platform prohibited its customers from actually taking custody of the cryptocurrency assets they purchased on the platform. According to the California DOJ, this violated the state's commodities laws.

In addition to the fine, terms of the settlement require the platform to allow its customers to withdraw their crypto assets, and to update disclosures regarding asset custody.

The California DOJ also accused the platform of misleading its customers by claiming that the app "advertis[ed] it would connect to multiple trading venues, to ensure customers receive the most competitive prices between the venues, which was not always true". They also say that Robinhood lied about always holding all customer crypto assets purchased through the platform, when in reality, "there were instances in which it arranged for trading venues to hold customer assets for extended periods".

Trump family Twitter accounts compromised ahead of World Liberty Financial launch

The Twitter accounts belonging to Lara and Tiffany Trump were compromised and used to announce a fake launch of the (unfortunately real) World Liberty Financial project that their family has been promoting. Donald Trump's son Eric tried to warn people of the scam, but in doing so retweeted the scam tweet containing the malicious token address.

The posts were deleted and accounts were locked down very quickly by Twitter, but not before approximately 2,000 people bought around $1.8 million of the fake token.

Penpie hacked for $27.3 million

The defi protocol Penpie was exploited for 11,113.6 ETH (~$27.3 million) by an attacker who exploited a flaw allowing them to withdraw unearned "rewards". Although the protocol claimed to have been audited by two blockchain security firms, they later disclosed that the smart contracts containing the bugs had not been fully audited.

The team behind Pendle (the platform on which Penpie is built) detected the attack and paused Pendle an hour after the attack began, which they claim prevented another $105 million from being stolen.

Members of the Penpie team filed complaints with Singaporean police and the US FBI. They also attempted to negotiate a "bug bounty" via on-chain and social media messages to the attacker, but the hacker seems uninterested and has continued to transfer funds between various crypto wallets and launder funds through Tornado Cash.
