Earning.Farm exploited for $971,000, exploiter gets frontrun by MEV bot

The defi project Earning.Farm lost 748 ETH (~$971,000) to a flash loan attack. The project's contract did not verify that a flash loan had been initiated by the protocol itself, so the attacker could initiate one of their own and have the project's loan callback withdraw large amounts of funds, which they then transferred to themselves.
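The missing check described above, as an added illustration that is not Earning.Farm's code. The borrower below follows the ERC-3156 flash loan callback shape (`onFlashLoan`, `flashLoan`, the `CALLBACK_SUCCESS` return value); the "route the borrowed funds according to `data`" logic, the contract names and the `startLoan` entry point are assumptions made for the example. The vulnerable version accepts a loan that anyone initiated, so an attacker can call the lender's `flashLoan` naming the strategy as receiver, with `data` pointing at themselves; the hardened version accepts the callback only from the configured lender and only for loans this contract started.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example (not Earning.Farm's code): an ERC-3156 style flash-loan
// borrower that never checks who is calling its callback or who started
// the loan, beside a hardened version. Routing logic is invented here.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IERC3156FlashLender {
    function flashLoan(address receiver, address token, uint256 amount, bytes calldata data)
        external returns (bool);
}

bytes32 constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");

// VULNERABLE: the lender will call this for any loan whose `receiver` is this
// contract, no matter who initiated it. An attacker calls lender.flashLoan
// (receiver = this strategy, data = (attacker, strategyBalance)); the strategy
// obediently routes its own holdings to the attacker and approves repayment.
// Calling onFlashLoan directly (no loan at all) works just as well.
contract VulnerableStrategy {
    IERC3156FlashLender public immutable lender;

    constructor(IERC3156FlashLender _lender) { lender = _lender; }

    function onFlashLoan(address, address token, uint256 amount, uint256 fee, bytes calldata data)
        external returns (bytes32)
    {
        // "Where should funds go?" is read straight from attacker-controllable data.
        (address route, uint256 routeAmount) = abi.decode(data, (address, uint256));
        IERC20(token).transfer(route, routeAmount);
        IERC20(token).approve(msg.sender, amount + fee); // repayment of principal + fee
        return CALLBACK_SUCCESS;
    }
}

// HARDENED: only the owner can start a loan, the callback must come from the
// configured lender, and the loan must have been initiated by this contract.
contract HardenedStrategy {
    IERC3156FlashLender public immutable lender;
    address public immutable owner;

    constructor(IERC3156FlashLender _lender) { lender = _lender; owner = msg.sender; }

    function startLoan(address token, uint256 amount, bytes calldata data) external {
        require(msg.sender == owner, "not owner");
        lender.flashLoan(address(this), token, amount, data);
    }

    function onFlashLoan(address initiator, address token, uint256 amount, uint256 fee, bytes calldata data)
        external returns (bytes32)
    {
        require(msg.sender == address(lender), "callback not from lender");
        require(initiator == address(this), "loan not started by this contract");
        (address route, uint256 routeAmount) = abi.decode(data, (address, uint256));
        IERC20(token).transfer(route, routeAmount);
        IERC20(token).approve(address(lender), amount + fee);
        return CALLBACK_SUCCESS;
    }
}
```

Both `require` lines matter: the `msg.sender` check stops direct calls to the callback, and the `initiator` check stops the attack the write-up describes, where the lender is genuine but the loan was started by someone else.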

Amusingly, one of the hacker's transactions was front-run by an MEV bot known as 0xa57, which made a tidy 480 ETH (~$623,000) from the attack. The hacker's second transaction succeeded, landing them 268 ETH (~$348,000). According to an MEV researcher, 0xa57 has been known to return funds obtained as a result of a hack.

DAO Maker allegedly tries to dodge hack repayment promises

In August 2021, DAO Maker (not to be confused with MakerDAO) was hacked for $7.38 million. The stolen funds were taken from users, rather than a project treasury, and 5,521 people lost an average of $1,250 each. DAO Maker promised to compensate impacted users with a mix of the USDC stablecoin and USDR: an IOU token that they promised users would be able to redeem a year later for 110% of its dollar value.

Now that year mark is approaching, and a report from Rekt alleges that DAO Maker is trying to wiggle out of their promises through a governance vote, which they've framed as trying to "prevent major $DAO DUMP from USDR distributions". Meanwhile, they've deleted the post that explained the original distribution plan.

Most members of the DAO today were not affected by the attack, and so stand to benefit from not honoring the payout. One voting option suggests that these users "had their chance" to cash out their USDR, apparently ignoring that people were holding out for the promised 110% redemption.

Some whistleblowers have also claimed that team members have recently moved large quantities of DAO tokens to various wallets to vote. Some have also claimed that those team members recommended buying USDR tokens several months ago for below $1.10, as a safe arbitrage opportunity when they became redeemable for that amount.

Blu3DAO faces claims that they've misused grant money to benefit founders

Blu3DAO is a DAO that describes itself as "focused on empowering women, non-binary people, and allies to learn, earn, and play in web3 towards financial freedom". The group was the target of some negative attention two days prior, after an incident in which several members of Blu3 leadership accused a man of harassment at the Devcon Ethereum conference.

On October 11, a crypto developer advocate wrote a thread about the group, starting by saying "Most of the members of Blu3DAO are great people working towards a good cause. Despite this, there have been things around their finances that I personally have found questionable. I've refrained from calling them out & it's something that has bothered me for a long time". She went on to allege that the group had solicited over $1 million in grant money from the Harmony community, misusing a personal relationship with a member of Harmony to continue to obtain grant funding while the group had paused grant allocations, and using funds to personally benefit the founders.

"I run an organization dedicated to advancing womens & nb ppls careers. And this type of grifting only hurts everyone," wrote the developer advocate in her Twitter thread. She also wrote, "In the coming days they'll post some fraudulent report clearing them from wrongdoing. They're running an elaborate scam with many wallets. One of them is literally married to a decision maker at harmony. Lmaooo. Fuck the[m] scammers"

Blu3DAO's founders responded to the allegations by claiming that they had only ever received $75,000 of the $1 million Harmony had committed to them, and that the funds were still in the DAO treasury. They also claimed that Blu3DAO members were never paid for their work, and that the money from Harmony was "flow-through reimbursements for scholars/hackers' travel expenses".

Harassment accusation at Ethereum conference triggers wave of online misogyny and racism

A Black woman attending the major Devcon Ethereum community event in Bogotá posted to Twitter a photograph of a man at the conference, writing, "Day 1 of Devcon and a group of us women got harassed by a gross guy! What did the Ethereum Foundation team do? Smiled and chatted with him for 10 minutes and let him go on his way! I feel horribly unsafe at this event. 👎 Take women seriously when they report harassment." Blu3DAO, a DAO with which she is associated and which describes its mission as "empowering women, non-binary people, and allies to learn, earn, and play in web3 towards financial freedom", later also tweeted that "we would like to formally address & acknowledge that an incident has occurred at Devcon", referencing the claim.

The man in the photo subsequently tweeted his version of events, in which he described encouraging the woman and her friends to jump up while taking a 3D photograph, and then giving them a thumbs-down gesture when they reacted to him with annoyance. He then claimed that they harassed him throughout the conference by stalking him and posting his photo online with vague allegations of harassment.

The woman later elaborated on the event that had precipitated her report to Devcon staff, saying the man had been "verbally boo'ing and taunting us" at the photo booth.

It's a little unclear what actually happened at the event and who is at fault, something I don't intend to speculate on as a complete outsider. However, what's not unclear is the reaction from some people in the crypto community, who have used the incident (and their belief that the woman fabricated the harassment story) as evidence that all women, people of color, and "wokeness" are a blight on the crypto space. Various crypto enthusiasts have used the opportunity to denigrate what they view as a general issue of "feminazis", "purple hairs", or "SJWs" in crypto, and DAOs that aim to encourage gender minorities to engage with crypto. "Letting SJWs infiltrate into crypto was a huge mistake", wrote one person. "This is the woke crowd we didn't have to deal with last cycle. They came into crypto with their distorted vision of everything. [Crypto Twitter] got your back, mate."

Bittrex fined $29 million for sanctions violations

The U.S. Treasury Department announced fines against Bittrex, a U.S.-based cryptocurrency exchange. The Office of Foreign Assets Control (OFAC) announced a $24 million penalty against the company, and the Financial Crimes Enforcement Network (FinCEN) announced a $29 million fine. Both agencies are part of the Treasury Department. FinCEN said it would credit the $24 million Bittrex pays to OFAC against its own penalty, meaning Bittrex will pay $29 million in total. According to the Treasury Department, the fines are the largest it has ever imposed on a virtual currency platform.

The OFAC penalty was imposed for 116,421 apparent sanctions violations in which Bittrex failed to prevent people in Crimea, Cuba, Iran, Sudan, and Syria from using its service. In total, these prohibited users performed more than $263 million in transactions on the platform.

The FinCEN fine was imposed due to "willful violations" of the Bank Secrecy Act's requirements pertaining to anti-money laundering (AML) and suspicious activity reports.

Mango Markets suffers loss of more than $116 million

Mango Markets, a Solana-based defi project offering borrowing, lending, and leveraged trading, was exploited for $116 million. An attacker manipulated the supposed value of their collateral on the platform, allowing them to take out massive loans from the project treasury that they never repaid. In total, they stole around $116 million worth of tokens on the Solana blockchain. However, only a few exchanges have sufficient liquidity to support exchanging or withdrawing that quantity of tokens, and those exchanges (Coinbase, Binance, and Kraken) froze the attacker's wallets.

Mango Markets posted on Twitter to urge users not to deposit into the project, and asked the hacker to contact them "to discuss a bug bounty". The hacker had their own plans, instead submitting a governance proposal in which they would return $46 million of the stolen funds (keeping $70 million) in exchange for a promise that the protocol would not try to freeze the assets or pursue criminal charges. The hacker then used their 32 million governance tokens to vote in support, but ultimately could not get the proposal to pass. A different proposal with largely the same terms, but which left the attacker with only $47 million of the stolen funds, passed shortly after.

QANX Bridge suffers $1.16 million loss caused by the Profanity vanity address vulnerability

On September 15, a blockchain security firm disclosed a vulnerability in Profanity, a tool that generated "vanity" crypto wallet addresses (addresses containing a chosen string of characters): the tool seeded its private key generation with only 32 bits of randomness, leaving the resulting keys brute-forceable. This affected some individuals with vanity addresses, but has also enabled subsequent attacks on projects that used them, such as the Wintermute exploit on September 20.

On October 11, the QANX Bridge's deployer wallet was compromised thanks to the vanity address generator bug. Although QAN had not directly used the Profanity project to generate the address, they used a project called vanity-eth-gpu, which had derived its code from Profanity and so inherited the bug. QAN is a layer 1 blockchain that claims to be quantum-resistant.

The thief stole 1.44 billion QANX from QANX's BNB Chain bridge, which they traded for 3,090 BNB (~$837,000) and tumbled through Tornado Cash. One minute later, they drained 1.43 billion QANX from QANX's Ethereum bridge, traded it for 255.4 ETH (~$327,000), and tumbled it as well. In total, $1.16 million was cashed out via Tornado. News of the attack, and the attacker's sell-off, caused the QANX price to plummet by 94%.

The attacker still holds more than 1 billion QANX, nominally worth $608,000. However, QAN withdrew the project's liquidity on Uniswap and PancakeSwap, which will make it more difficult for the attacker to sell off their remaining tokens.

This was the second theft affecting the QAN platform this year. In May, an attacker stole 4.4 million QANX, which they traded for 370 ETH (valued at ~$707,000 at the time).

Rabby Wallet's swap feature exploited a month after launch

Rabby Swap, a feature of the Rabby crypto wallet, was exploited a month after it was first rolled out. An attacker discovered an apparent vulnerability in the Rabby Swap smart contract that enabled them to arbitrarily transfer other users' funds. Rabby urged its users to revoke approvals for the contracts across multiple chains.
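The write-up does not say exactly how the Rabby Swap contract allowed transfers of other users' funds, so the block below is an added illustration of the general class rather than Rabby's code: a swap router that users have approved to spend their tokens, and which forwards a caller-supplied call to a caller-supplied target. The contract and function names, and the allow-list design of the hardened router, are assumptions made for the example. It also shows why "revoke your approvals" is the right response for users of such a contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example (not Rabby's code): a router that executes arbitrary calls on
// behalf of anyone, beside a version that only moves the caller's own funds.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// VULNERABLE: both `target` and `callData` come from the caller. An attacker
// passes target = some token and callData = transferFrom(victim, attacker,
// amount). Inside that call msg.sender is the router, and the victim approved
// the router, so the token contract lets the transfer through. Every user
// who ever approved this router is exposed until they revoke.
contract VulnerableRouter {
    function swap(address target, bytes calldata callData) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(callData);
        require(ok, "swap failed");
        return ret;
    }
}

// HARDENED: the only account whose funds move is msg.sender's; external calls
// go only to owner-approved aggregators; a token contract can never be the
// call target; and the aggregator's allowance is reset after each swap.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedAggregator;

    constructor() { owner = msg.sender; }

    function setAggregator(address aggregator, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedAggregator[aggregator] = allowed;
    }

    function swap(
        address tokenIn,
        address tokenOut,
        uint256 amountIn,
        address aggregator,
        bytes calldata callData
    ) external returns (uint256 amountOut) {
        require(allowedAggregator[aggregator], "aggregator not allowed");
        require(aggregator != tokenIn && aggregator != tokenOut, "token cannot be call target");

        // Pull from the caller only; nobody else's approval can be spent here.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");

        // Grant the aggregator exactly amountIn for the duration of this call.
        IERC20(tokenIn).approve(aggregator, amountIn);
        (bool ok, ) = aggregator.call(callData);
        require(ok, "swap failed");
        IERC20(tokenIn).approve(aggregator, 0);

        // Forward whatever the aggregator delivered to the caller.
        amountOut = IERC20(tokenOut).balanceOf(address(this));
        require(IERC20(tokenOut).transfer(msg.sender, amountOut), "payout failed");
    }
}
```

The allow-list is the real control; the `aggregator != token` check is belt-and-braces. A user who approved the vulnerable router closes their exposure with `token.approve(router, 0)` on every chain where they granted it, which is the action Rabby asked its users to take.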

The attack impacted assets on multiple chains. The attacker tumbled 114 ETH (~$146,000) through Tornado Cash shortly after the hack, along with 179 BNB (~$48,500). The full extent of the attack is still being measured. The buggy contract that enabled the attack had been audited by blockchain security firm PeckShield, but the vulnerability had apparently gone undetected.

CNN accused of rug pull after ditching their Vault NFT project

In June 2021, CNN launched "Vault": a project to "make moments from history available for purchase". The project involved minting as NFTs various clips of CNN footage and photographs from their archives, such as CNN's predictions that Bush and Obama would win their presidential elections, or "War Notes": a series of photos and accompanying handwritten notes from Ukrainians impacted by the Russian war on Ukraine. On October 11, CNN announced they would "no longer be developing or maintaining this [Vault] community".

Although CNN claimed in their shutdown announcement that "Vault was originally launched as a 6-week experiment", CNN had not previously described the project as an experiment that might end. As recently as last month, Vault had been teasing upcoming events scheduled around election day in November, and encouraging users to buy more Vault NFTs to access the upcoming drops.

As an apparent attempt to placate angry users worried that the value of their NFTs might drop, CNN promised to return "either FLOW tokens or stablecoins" for "roughly 20% of the original mint price". However, the project is built on the Flow blockchain, where users can only withdraw stablecoins $10 at a time — and with a $4 fee on each withdrawal. Some angry users in the project's Discord channel threatened legal action, claiming that CNN had rug pulled.

STAX Finance exploited for $2.3 million

A hacker discovered a vulnerability in the smart contract for the STAX project, which is built on the TempleDAO defi protocol. STAX is a liquidity provider for $TEMPLE/$FRAX.

Poor access control on a function in the smart contract allowed the hacker to withdraw 321,155 xLP tokens, which they subsequently converted to 1,831 ETH (approximately $2.34 million).
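The write-up says only that the function's access control was poor. As an added illustration (not STAX's code), the block below shows one common way a staking contract's migration helper ends up that way: it takes the address of the "old" staking contract from the caller and credits whatever amount the caller names. The contract names, the `migrateStake`/`migrateWithdraw` interface and the balance-delta check in the hardened version are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example (not STAX's code): a staking contract whose migration helper
// trusts a caller-supplied contract address, beside a hardened version.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

interface IStaking {
    // Expected to debit `staker` in the old contract and send `amount` of xLP
    // to msg.sender (the new staking contract).
    function migrateWithdraw(address staker, uint256 amount) external;
}

// VULNERABLE: `oldStaking` is whatever the caller says it is. An attacker
// deploys a contract whose migrateWithdraw() is a no-op, passes its address
// here with an arbitrary `amount`, is credited that amount, and then calls
// withdraw() against xLP that other stakers deposited.
contract VulnerableStaking {
    IERC20 public immutable xlp;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 _xlp) { xlp = _xlp; }

    function migrateStake(address oldStaking, uint256 amount) external {
        IStaking(oldStaking).migrateWithdraw(msg.sender, amount);
        balanceOf[msg.sender] += amount; // credits the caller's claim, unverified
    }

    function withdraw(uint256 amount) external {
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8.x
        require(xlp.transfer(msg.sender, amount), "transfer failed");
    }
}

// HARDENED: the migration source is fixed at deployment, and the caller is
// credited only with the xLP that actually arrived from it.
contract HardenedStaking {
    IERC20 public immutable xlp;
    IStaking public immutable previousStaking;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 _xlp, IStaking _previousStaking) {
        xlp = _xlp;
        previousStaking = _previousStaking;
    }

    function migrateStake(uint256 amount) external {
        uint256 before = xlp.balanceOf(address(this));
        previousStaking.migrateWithdraw(msg.sender, amount);
        uint256 received = xlp.balanceOf(address(this)) - before;
        require(received == amount, "old staking did not deliver");
        balanceOf[msg.sender] += received;
    }

    function withdraw(uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        require(xlp.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The old contract's `migrateWithdraw` must in turn accept calls only from the new staking contract; otherwise the same trust problem reappears one hop earlier.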

This amount represents about 4% of the assets in the TempleDAO protocol. STAX replaced its homepage with a "disclaimer" about the hack, took down the project's dApp, and urged people not to deposit into the STAX contracts.
