dForce Network exploited for $3.65 million, funds returned

An attacker using flash loans to exploit a common re-entrancy vulnerability siphoned $3.65 million from the dForce defi project on both Arbitrum and Optimism, which are Ethereum layer-2 networks. The exploit, which involves manipulating the oracle price in Curve liquidity pools, is a common one that was first reported to Curve in April 2022 and disclosed in October 2022. It has been used to attack various other projects, including QiDAO.

dForce contacted the hacker via blockchain transaction, offering to negotiate a bounty. Several days later, the project tweeted that the attacker had "c[o]me forward as a whitehat", and that the funds had been fully returned. "We have agreed to offer a bounty and will drop all on-going investigation and law enforcement actions," they announced.

Paxos ordered to stop minting Binance USD stablecoin, SEC sends Wells notice

New York-based crypto company Paxos was ordered by the New York Department of Financial Services to stop minting the Binance USD (BUSD) stablecoin over "several unresolved issues related to Paxos' oversight of its relationship with Binance in regard to Paxos-issued BUSD".

Nearly simultaneously, the SEC sent a Wells notice to Paxos, informing them of imminent enforcement action. According to the Wall Street Journal, the SEC told Paxos they intended to sue the company for violating investor protection laws, and that the SEC believed Binance USD was an unregistered security.

Paxos agreed to stop minting new BUSD tokens (but will continue to honor redemptions), and said in a statement that they would be ending their stablecoin-minting relationship with Binance. As for the SEC, Paxos has promised to "vigorously litigate if necessary", arguing that BUSD is not a security.

Paxos faces investigation over stablecoin offerings

CoinDesk reported that the New York Department of Financial Services is actively investigating Paxos, which issues both the Pax dollar (USDP) and the considerably larger Binance USD (BUSD) stablecoins.

The extent of the NYDFS investigation is not quite clear, though it joins rumors (denied by Paxos) that they were also being investigated by the US Office of the Comptroller of the Currency (OCC), which regulates banks. Paxos has a provisional banking charter, which it received from the OCC in 2021. It also has a virtual currency license, which is issued by the NYDFS.

Umami Finance halts yields, CEO dumps tokens amidst accusations of rugpull

The Umami Finance defi protocol offered yield products intended for institutional customers. However, on January 31, they announced that they would be halting yields amidst claims that they were concerned about regulatory strategy and undergoing a review.

Shortly after, the project CEO began dumping tokens on the market, cashing out 44,000 UMAMI tokens. These were ostensibly priced at $800,000, though the sell-off crashed the UMAMI price by more than 60% and ultimately netted the CEO around $380,000 of USDC.

Amidst the sell-off, a team member tried to reassure users that "the team resigned" but that also, confusingly, the "treasury assets are safe and in control of the team".

Kraken ends staking, pays $30 million fine in settlement with U.S. SEC

U.S. cryptocurrency exchange Kraken has reportedly agreed to close up shop on its crypto staking operation and pay a $30 million fine to the U.S. Securities and Exchange Commission. This comes shortly after the news that the SEC was probing the exchange, and rumors from Coinbase CEO Brian Armstrong that the SEC was looking to "get rid of crypto staking in the U.S. for retail investors".

According to the SEC, Kraken had failed to register its staking-as-a-service program, which had generated $147 million in revenue.

This is not Kraken's first run-in with authorities: the exchange paid a $360,000 fine to OFAC in November for sanctions violations.

Peer-to-peer Bitcoin exchange LocalBitcoins to shut down after ten years

LocalBitcoins, a Finnish platform that allows individuals to trade Bitcoins with one another peer-to-peer, will be shutting down. The exchange is one of the longest running cryptocurrency exchanges, and for a while functioned as a way for people to trade cash for Bitcoin (and vice versa) more privately. However, in 2019, the exchange introduced KYC requirements.

LocalBitcoins cited "the ongoing very cold crypto-winter" as the rationale for the closure, and stated that new sign-ups would be suspended immediately. Trading will be suspended a week later, and users will have a year to withdraw Bitcoins they stored on LocalBitcoins' wallet product.

Yuga Labs' 3-week-long "Dookey Dash" game tournament ends amidst allegations of widespread cheating

[Image: Dookey Dash. A monkey sits atop what appears to be some kind of underwater motorcycle, navigating through a murky sewer pipe with various obstacles in the distance.]

Yuga Labs released an endless runner game called "Dookey Dash" (really) where players compete to see how long they can keep their character navigating through a sewer pipe without crashing. Access to the game is granted through "Sewer Pass" NFTs, which can be claimed by people who own Bored Apes or Mutant Apes, but which were also trading on the secondary market for around 3.1 ETH ($5,100).

Yuga Labs has said that, following the end of the three-week-long game tournament, the Sewer Passes with non-zero scores in the game will transform into something new, with the idea that higher scorers may receive more valuable NFTs.

This, of course, incentivized users to try to cheat in the game by creating bots, changing the browser-based game code to eliminate obstacles, or accessing game seeds that allowed them to predict the layout of a course run. Sewer Pass holders began paying others to play their game for them: either more skilled players, or players who were using these tools. Some were charging up to 2.5 ETH (~$4,200) to obtain scores of 700,000 or more for those who hired them.

Yuga Labs has promised to review gameplay to ensure that those who cheated are disqualified. They've also warned people buying Sewer Passes after gameplay ended that if they buy a pass that is determined to have cheated, it will be worthless. Some are skeptical of Yuga's ability to accurately detect cheaters, and others have expressed concern over false positives in the game's cheat detection that appeared to be caused by slower Internet connections.

Creator of MetaBirkins NFTs loses trademark infringement lawsuit from Hermès

[Image: MetaBirkin #98. A digitally rendered handbag resembling a Birkin bag, which has been covered in faux fur with a yellow smiley face print.]

A year ago, the Hermès luxury brand slapped Mason Rothschild, creator of "MetaBirkins" NFTs, with a trademark lawsuit. The suit centers on his NFT collection: a series of 100 digitally rendered, faux-furry handbags resembling the luxury Birkin bag design. The NFTs had enjoyed $1.2 million in trading in their two months of existence before the lawsuit was filed, and Rothschild estimated he made around $125,000 from the project.

Rothschild tried to argue that his work echoes Andy Warhol's Campbell's soup cans and other "brand art".

Hermès, on the other hand, argued that Rothschild was simply a "digital speculator" hawking a "get rich quick" scheme, and trying to profit off consumers' confusion that the NFTs were an official Hermès production. They claimed they have their own plans for NFTs, and that Rothschild impeded those with his project.

Ultimately, the jury found that Rothschild had infringed upon the Hermès trademark, and awarded the company $133,000 in damages.

"[Hermès] feel they have the right to choose what art IS and who IS an artist... Not because of what they create but because their CV doesn't scream artist with a pedigree from a world class art school," accused Rothschild after the decision, though he was not actually the designer of the images used in the NFT project.

Coin Cloud crypto ATM operator files for bankruptcy

[Image: Coin Cloud crypto ATM. A blue crypto ATM, with the Coin Cloud logo printed on the side in white.]

The US-based company Coin Cloud, which operates crypto ATMs in the US and Brazil, filed for bankruptcy on February 7. They are the second largest crypto ATM operator in the world, and also in the US.

The company disclosed liabilities between $100 million and $500 million, and assets between $50 million and $100 million. In a filing, they reported they had 5,001–10,000 creditors.

By far the largest creditor is Genesis, a crypto lending firm that is also undergoing bankruptcy proceedings. Coin Cloud has a $116 million loan from Genesis, around $108 million of which is unsecured. Coin Cloud also owes a $7.6 million secured debt to crypto lending firm Enigma.

According to Coin Cloud, contributing to their bankruptcy was a $35 million deal with a vendor who they allege sold them faulty ATMs in February 2021, and with whom they are in litigation. Furthermore, in September 2021, the firm providing Coin Cloud's ATM software tried to terminate their software agreement, and pushed a software update that rendered the machines inoperable, causing days- or weeks-long outages. Coin Cloud decided to deploy unfinished ATM software that they had been using internally, and which was quickly hacked for around $6.5 million. Finally, Coin Cloud claims a chief marketing officer they hired lied about his credentials, and then spent $20 million more than he was budgeted.

Webaverse discloses $4 million theft via a mysterious social engineering attack

The metaverse gaming company Webaverse disclosed on February 6 that they had suffered a $4 million theft several months earlier. They outlined what appeared to be a complex scam in which individuals posing as venture capitalists convinced them to meet in person in a hotel lobby in Rome, transfer funds to a new crypto wallet, and show it to them. The Webaverse team appeared to believe that the scammers somehow managed to steal funds from the wallet solely by taking photographs of the new Trust Wallet, with no QR codes or private keys showing.

Trust Wallet published a thread about the theft, characterizing it as a social engineering scam perpetrated by an "organized crime unit from Rome". However, they didn't clearly address the claims about funds being stolen via a photograph of the Trust Wallet. Trust Wallet seemed to suggest they believed that the theft may have been perpetrated via malware transmitted in a PDF containing KYC information.

Webaverse described the incident as "undoubtedly a setback", but expressed belief that they would be able to continue operating.
