Discord hack targeting Rare Bears NFT project nets attacker $800,000

An illustration of a bear wearing a crown, with laser beams firing from its eyes, with headphones around its neck, holding a molotov cocktailRare Bear (attribution)
After hackers successfully compromised the account of one of the Rare Bears Discord moderators, they posted an announcement that new NFTs were being minted. Those who tried to participate in the mint wound up having their accounts compromised and their NFTs stolen. The hackers sold most of the 179 NFTs they stole, for a combined total of 286 ETH (more than $800,000).

Not only did the attackers post a fake mint link, they took steps to prevent the project from thwarting their attack by banning other members and removing user rights that would have allowed other project members to delete the fake links. They also added a bot to the server that locked channels so people couldn't send warnings that the links were fake.

The Rare Bears team did eventually regain access and secured their Discord server. In an apology posted on their Twitter page, they addressed the multiple security breaches that Rare Bears have faced to date, and said they had "stepped up" and would be having a firm audit their project.

Bored Ape Yacht Club launches their new ApeCoin, which immediately tanks in price

Price of ApeCoin, compared to USD, showing a brief and large spike, followed by a drop and then fairly steady valueApeCoin price (attribution)
Bored Ape Yacht Club decided to release "ApeCoin", a new cryptocurrency token. The token distribution heavily favors current BAYC owners, truly underscoring the fantasy about a fairer distribution of wealth that some people thought crypto would somehow magically bring about. Holders of Bored Ape NFTs—already priced at several hundred thousand dollars apiece—received airdropped tokens in proportion to their holdings of Yuga Labs NFTs; one holder of 12 Bored Apes, 10 Mutant Apes, and 11 Kennel Club NFTs reported receiving 150,964 APE (valued at $1.3 million when $APE was at $8.56).

The $APE price briefly soared to around $40 shortly after launch, before crashing precipitously to around $8.50 not long after, presumably as people cashed out their free money. Even many cryptocurrency enthusiasts were nonplussed by the launch, with many describing it as a "money grab" or an attempt to enrich the founders, which apparently is a bad thing (despite many crypto projects openly doing the same). One angry Redditor wrote, "Owners of Bored Ape NFTs were given the coin first(very rich people), then it was sold to the normies who got FOMO and pumped the price, then it crashed. Yet again, leaving regular people holding bags of pure garbage while the coin pushers wave bye-bye from their lambos."

Winamp joins LimeWire in the emerging "legacy software comes back from the dead to do NFTs" trope

The first Winamp skin, a dark grey interface with buttons resembling those used in Windows 95 or 98Original Winamp skin, which they say will "be the base Artwork for all your derivative needs" (attribution)
A week after LimeWire emerged from cryostasis to announce it would become an NFT platform, Winamp decided to jump in as well. Winamp was a Windows media player that first launched in 1997, and was sold for a hefty sum to AOL in 1999, before fading into obscurity after facing tough competition from iTunes in the early 2000s. Although Winamp has been promising new versions of the software since its 2014 sale to Radionomy, only a single beta release in 2018 has ever materialized. However, on March 16, the Winamp Twitter account announced "the auctioning of Winamp Original Skin as 1/1 NFT AND the launch of Winamp Foundation". The Winamp Foundation, they wrote, would "collect money to help musicians across the world to make the music they love". The response on Twitter was overwhelmingly negative, with a top comment reading, "It is incredible how you took decades of good will nostalgia and removed it with a single tweet."

Official Formula 1 blockchain game suddenly shuts down

A rendering of a blue and white F1 racecar, hovering above a black triangular plastic base that says "Tiberon [sic] Car""Tiberon [sic] Car" NFT (attribution)
F1 Delta Time, a crypto car racing game that was officially licensed with F1 racing, shut down in mid-March. The game had previously generated a lot of hype—one of its car NFTs was the most expensive NFT sold in 2019 (more than $100,000). However, game owner Animoca was unable to renew their license to use the F1 brand, resulting in a sudden and unceremonious shut down. Players were given a single day of notice before the game went offline. Users, of course, keep their NFTs, but their ostensible use is now no more. The developers have tried to placate their players by offering various replacement options, primarily based around Animoca's Polygon-based "REVV Racing" game.

NFTBOOKS enters the race to see who can remake DRM the worst

A pie chart where none of the sections appear to be proportional to the numbered percentages, and are all slightly overlappingNFTBOOKS token distribution chart (attribution)
A project called NFTBOOKS has cropped up, promising to "transform the world of book-readings" by creating an NFT economy of authors, book-lenders, readers, translators, and, of course, investors. A writer named Tiffany Hutchinson contacted the project to politely inquire about how it intended to prevent the theft that is so rampant in the NFT space, and received some pretty disappointing answers. After trying several times to wave her off with vague answers about "there will be a review process" to check ownership of the work, they explained that they would implement "a filter on our system" that would check against identical copies. When she asked how that system would work if the original author was not the first person to create an NFT of the work, or how they would prevent someone from making small changes to the work to trick the filters, the project first gave staggeringly poor answers, then wrote that Hutchinson simply didn't understand, then became combative with her.

Fortunately there doesn't actually appear to be much to the project yet—actually creating a platform and an app to allow people to borrow books doesn't come until the fifth and sixth stages of their roadmap. The project is currently on the fourth step, and has been focusing their attentions on things like "marketing campaign" (stage 1), "aggressive marketing rollout" (stage 2), and "extreme marketing campaign" (stage 3). The stage 3 "extreme marketing campaign" also came with a "website relaunch", which we have to thank for one of the most outrageous pie charts I have ever seen (pictured) (which was later determined to have been a stock photo of a pie chart where they'd just changed the numbers). Perhaps they should focus some of their marketing efforts on coming up with answers to the simplest of questions that they should probably expect from authors—the type of people they're claiming to help.

Hundred Finance and Agave Finance are both exploited for a collective $12 million

An attacker using a flash loan attack targeted two projects on the Gnosis blockchain: Hundred Finance and Agave Finance. Each project paused their smart contracts, but not before the attacker made off with a considerable sum of money. That day, the attacker put the funds through a cryptocurrency tumbler, making it much more difficult to trace the collective 4,479 ETH that was stolen in roughly equal amounts from each protocol.

Hundred and Agave were the second and third defi protocols targeted by flash loan attacks that same day, with Deus Finance losing more than $3 million to hackers using the same class of exploit.

Binance pauses withdrawals and deposits via Polygon

After an extended Polygon outage on March 10, Binance temporarily paused deposits and withdrawals via Polygon on March 15. Although Binance reported it was "due to the network wide issues of the Polygon network", Polygon stated that "Polygon PoS network is stable, and working fine. All funds are safe. Binance is upgrading its nodes, and currently syncing the block data, hence they have paused the deposit and withdrawal." It was unclear why this would happen days after the original outage.

Hackers make off with over $3 million from Deus Finance

Hackers were able to use a flash loan attack to manipulate a price oracle, pulling 200,000 DAI and 1101.8 ETH (totaling almost $3.1 million) out of the Deus Finance defi platform. PeckShield, the analysis firm that identified the vulnerability, wrote that the $3 million number represented the amount the hackers were actually able to withdraw and put through a cryptocurrency tumbler, but that the loss to the project may have been larger. The CEO of Deus Finance subsequently wrote on Twitter that users whose positions were liquidated as a result of the exploit would be repaid.

Sneaky malware replaces Bitcoin addresses in clipboard to reroute transactions

Bitcoin wallet addresses look something like bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq, and so it's not always obvious at a glance if one string of random characters might have been replaced with another. Malware taking advantage of this fact has been spotted in the wild, replacing copied Bitcoin addresses with the address of a scammer, so that if a person pastes in an address to send Bitcoin to, it goes to the scammer instead. One trader learned this the hard way when the 0.255 BTC (about $10,000) they'd tried to send to an exchange never arrived. After looking into it, they saw that the funds had gone to a completely different address than they'd intended, and were able to sniff out that malware was to blame.

Invictus DAO whales quickly vote to shutter the project in its first ever community vote, leaving most others with huge losses

Invictus price history since November 12, 2021, showing a brief spike in late November and then a precipitous drop and slow decreaseInvictus token price in USD (attribution)
The Sol Invictus project was an Olympus DAO-like project on the Solana blockchain, much like the Wonderland project that went up in flames recently. Promising absolutely massive returns, with numbers like 60,000% APY being tossed around, people bought in hoping to see their money skyrocket. The project also partnered with major names in the Solana ecosystem, earning legitimacy.

However, although the project enjoyed a spike in price in November, the token has bled value since then. On March 9, the project leaders began a conversation about team salaries, where they also floated the idea of redeeming the treasury and closing the project. On March 11 they began a vote, which lasted only three days, and allowed members of the DAO to vote on whether the project should close and distribute treasury funds to participants. Much like the Wonderland vote in late January, a relatively small number of whales with a large share of the votes (who bought in early and still stood to make money on the project) were able to pass the vote to close the project, despite a majority of voters selecting to keep the project going. Furthermore, because the Invictus tokens used for voting also themselves hold the value, some people were unable to vote in the poll because their tokens were locked up in lending platforms where they had used them as collateral. Many participants in the project who haven't been actively watching the governance page likely don't even know the vote happened.

Some members of the project wrote on Discord that they felt rugged, with one even speculating that the project had been so eager to implement voting so they could pass a "community" vote to close the project and make off with a profit without damaging their reputations or potentially facing lawsuits. Various members of the project Discord shared how much they had lost: one person said they were down $20,000, another was down $75,000, and a third person reported losing $400,000. One person asked "who else is in the 6 figure loss club" and received three agreement emoji reactions; another person said they'd lost a year's salary. Some people already opted to try to sell their tokens early, worrying that the project leaders might make off with the treasury and not allow people to redeem their $IN; others waited in hopes of the redemption price being higher than the current token price; and some even suggested buying more $IN in hopes that they could make a profit if the redemption price is higher than the current price.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.