52 different people fell for the scam, losing a total of around $4.3 million in assets. The scammers appeared to be targeting high-value wallets, with only two accounts transferring less than $1,000. 24 individual wallets were scammed for more than $10,000 each, 7 wallets lost more than $100,000, and one user lost almost $1.4 million.
Following a thread by zachxbt outlining the team's rug pull, the project founder made the first post in the project Discord since December, announcing a theme song competition with no acknowledgement of the team's absence and lack of progress.
This event once again shows how it is people like zachxbt who are left to try to hold project creators accountable in the absence of reasonable regulation or enforcement.
More than a few people expressed shock at seeing what they believed to be a hate symbol on their Twitter feeds from a large brand. The date of release only made things worse—April 20 is celebrated among fascists because it is Hitler's birthday. Tweets from Binance's official Twitter account and the Twitter account of founder and CEO Changpeng Zhao (known as "CZ") were quickly deleted, though the emojis remained. Several hours later, Binance changed the emoji to a globe with the Binance logo.
Twitter doesn't publicly list how much it costs to obtain a branded hashtag, though most articles I could find listed the price at around $1 million. I'm not sure if this is per hashtag or per emoji—the new emoji appears on several related hashtags.
Two hours after zachxbt published his research, the team made their first post in three months, with multiple excuses for the issues zachxbt highlighted.
He said he hadn't used the wallet to mint any NFTs since October, and said he had revoked all access to minting websites since then. He wrote that he was unsure how the compromise had happened: "My best guess: an old minting site from October still had access to my wallet, even after 'revoking' happened in Phantom.... But honestly, it's just a guess."
Members of the Chedda team claimed on Discord that they were not behind it, and that it had been done by an outsourced development team who was working on the projects farming and staking. "They technically should've been within contract, but they robbed us," wrote Discord moderator Ali Michelle (referring to legal contracts rather than smart contracts). "They were in contract so it would be illegal and full on theft, i believe". Despite the devastating loss, Michelle urged remaining members of the community to "hodl and help us bring this back to life!"
The project had been audited by CertiK, who were quick to note that the contract containing the function used to drain funds was "not in CertiK’s audit scope".
Atari Token was described as "decentralized cryptocurrency that was created to become the token of reference for the interactive entertainment industry". It launched in November 2020, tanking in price immediately on release. Despite a brief boom around March 2021, the token has mostly traded below its launch price.
In the press release, Atari wrote, "Atari disclaims any interest in the [...] Joint Venture, currently promoted as Atari Tokens, and related websites, whitepapers and social media channels are unlicensed, unsanctioned and are outside the control of Atari." They also wrote that they would be replacing existing $ATRI tokens with new tokens in the future. Atari wrote that the termination of the hotel and casino agreements resulted in an €11 million ($11.8 million) write-off, but that financial impact of the token changes wouldn't be disclosed until the FY22 report.
$650,000 phishing attack against MetaMask user reveals that credentials are automatically backed up to iCloud
It's not yet clear if others have been affected by the same type of attack, but MetaMask tweeted instructions for iCloud users on how to turn off the automatic backups. Most people seemed to have previously been unaware that this data was being backed up in iCloud. MetaMask turned off replies on their tweet announcement, apparently anticipating the outrage from their users. Iacovone was among the outraged, writing, "Keep exposing MetaMask until they do what is right and take care of this issue and the people affected by it".
Palisade discloses infectious XSS vulnerability on Rarible that could have arbitrarily changed NFT listing data and transactions
The researchers were able to inject malicious code into the profile photo on Rarible, which only required a person to visit the malicious profile in order to run. This code could have then "infected" other signed-in users' profile photos, increasing the spread of the vulnerability to anyone who then visited their profiles. Once infected, the code would persist across all pages on Rarible, and could change arbitrary data on NFT listings, modify smart contract interactions, leak or modify profile information, or prompt users to sign arbitrary messages.
In an example, the researchers showed how a listing of a Bored Ape (pricey NFTs which currently have a floor price ~100 ETH / $290,000) could be modified for an impacted user to appear as though it was listed for only 1 ETH (~$2,900). A user who attempted to buy the apparently massively-discounted NFT could then be prompted to approve a sale transaction which would actually run a setApprovalForAll call that would allow the attackers to steal crypto and NFTs from the user's wallet.
This bug was the second Rarible vulnerability that was publicly disclosed this week, following a vulnerability with SVG NFTs disclosed by Check Point Research on April 14.
After the security researchers responsibly disclosed the vulnerability, which could have quickly wreaked havoc across Rarible's entire userbase, Rarible patched the issue and awarded them a bug bounty of $5,000. Good luck to Rarible if the next people who find a bug are even slightly more motivated by money than they are by ethics.