The stolen assets represented the entire TVL of the project.
Hope Lend emptied in $825,000 hack
A small defi protocol called Hope Lend was drained of nearly all its assets when attackers stole around 526 ETH (~$825,000). Hilariously, the project claims the hacker was frontrun by a watchful third party, who paid half of the stolen funds (~264 ETH, or around $414,000) to an ETH validator to allow them to frontrun the transaction. The original attacker who discovered the bug reportedly made no money at all.
Everscale halts bridge as "large number" of tokens stolen
The team behind the Everscale blockchain project disclosed that a "large number" of tokens had been stolen. In an attempt to thwart the attacker from cashing out, they announced that they had halted the project's bridge.
The team did not announce how many tokens were stolen. The price of $EVER suffered a 20% drop, though whether it was due to an attacker selling off tokens or collective panic by other token holders is not clear. The method of the theft was also not described.
Reddit abandons blockchain-based Community Points
Reddit's attempt to blockchainify their signature Reddit karma has come to an end as the company has decided to pull the plug on the feature. The idea was that users could "own a piece of their community" (what?) by racking up points for their positive contributions, which they could then spend on perks like custom badges.
Reddit attributed the decision to scaling difficulties, regulatory uncertainty, and the quantity of resources the company found itself having to put into the feature. The tokens were only used on a handful of subreddits, and the team had migrated them from the Ethereum blockchain to the Arbitrum Nova L2 chain, but despite that scaling continued to be a problem.
The news caused a massive dive in the prices of $MOON and $BRICK, the two Reddit tokens, as holders tried to exit their positions before the tokens became useless. Some angrily accused Reddit of rug-pulling, threatening legal action. One wrote, "I wish you guys knew how reckless this decision is and how many people you've hurt." Some accused subreddit moderators of selling when they learned about the decision an hour before it was made public.
Others were delighted at the news, however. One wrote, "Thank the effing Lord. This moons caused so much shit tier spamming for over a year."
Fantom Foundation and employees lose collective $7 million in mass hack
An attack targeting the Fantom Foundation and its employees siphoned $7 million from wallets under their control. Of that, around $550,000 were funds belonging to the Fantom Foundation. One individual employee reportedly lost $3.4 million.
It's not clear yet how the attack was perpetrated, although crypto researcher Spreek reposted a comment by an admin in Fantom's Telegram channel, where they blamed the theft on a zero-day exploit in Google Chrome.
TrueUSD tries to claim no affiliation with tokens created by its deployer address, raising further questions
A new, Euro-pegged stablecoin called $TEURO emerged on October 13, with an initial supply of around €70 million. However, TrueUSD subsequently tweeted that "we have zero affiliation with it". The post warned people to "step back and refrain from risky investments".
However, the post raised only more questions, as the $TEURO token had been deployed by the address that deployed the primary TrueUSD token. This means that either TrueUSD is lying when they claim they're unaffiliated with $TEURO, or some of their private keys were compromised, allowing an unrelated party to deploy a contract appearing to belong to them.
Almost $100 million liquidated over false news of Bitcoin ETF approval
A post falsely announcing that the SEC had approved a spot Bitcoin ETF caused $100 million in liquidations as the market briefly surged on the news. $81 million in short positions were liquidated as Bitcoin shot up to $30,000 from just under $28,000, and another $31 million in long positions were liquidated as the news turned out to be false.
The post by crypto media outlet CoinTelegraph was based on a faked screenshot of what appeared to be the Bloomberg Terminal. The post quickly propagated through the crypto world before people began to question its veracity. CoinTelegraph later issued an apology, blaming the incident on a failure by employees to follow the normal editorial approval process.
This adds to the list of incidents that illustrate the extent to which false reporting by traditional or crypto media, or by influential personalities, can move crypto markets. Past incidents have included a crypto Twitter personality tweeting the false rumor that Interpol had issued a red notice for Binance CEO Changpeng Zhao, and two instances of token price spikes based on false press releases claiming major corporations would accept the tokens as payment.
- "Clarification on sharing false spot Bitcoin ETF news", CoinTelegraph [archive]
South Korean regulators allege Sui Foundation manipulated markets
A lawmaker in South Korea has alleged that the Sui Foundation has engaged in market manipulation to enrich themselves. The South Korean Financial Supervisory Service reportedly launched an investigation into the distribution of the SUI token following Representative Min Byeong-deok's allegations, intending to determine whether there was truth to his claims that they had paid themselves interest by staking tokens that should have been left untouched in the non-circulating supply.
The Sui Foundation has disputed the allegations on Twitter, calling them "unfounded and materially false".
Hackers host malicious code on Binance chain to circumvent takedowns
An otherwise very "web2" hack has taken on a web3 twist as hackers have started to store malicious code on the blockchain. Attackers first compromise WordPress websites, then show a screen to visitors telling them they need to update their browser to view the website. When the visitor does so, the site downloads malware which then harvests information like login credentials.
Attackers previously stored the malicious code on typical webhosting services, but those services began to take it down. Now, some have started using Binance's blockchain to store these payloads, taking advantage of the immutable nature of blockchains to prevent anyone from taking it down.
USDR stablecoin de-pegs
The real-estate-backed US dollar stablecoin "Real USD" (aka USDR) lost its peg, dropping from $1 to around $0.53. The website for the stablecoin was — even after the depeg — promising customers 16.39% yields.
The de-peg occurred amid a "liquidity crunch" as holders rushed to redeem their USDR for the DAI stablecoin, draining the project of its DAI reserves. The team behind the project, TangibleDAO, issued a statement stating that "the real estate and digital assets backing USDR still exist and will be used to support redemptions." However, despite their insistence that the problem is just a liquidity issue rather than a solvency one, a dashboard on their own website showed that the stablecoin isn't fully backed and has a deficit of around $3.4 million.
In a related incident, a trader trying to swap their $131,350 in USDR for the USDC stablecoin lost every penny of it when their transaction was arbitraged by a MEV bot.
Platypus Finance hacked for a third time this year
At this point, they should probably just have a form email ready to go. Platypus Finance has suffered a cumulative $2.23 million in losses thanks to several attacks on the platform over the course of several hours. This set of hacks followed a $8.5 million hack in February, and another hack of at least $150,000 in July.
Platypus was quickly able to recover $575,000 from this latest hacker, thanks to a flaw in their attack. Later, they recovered all but $167,400 of the stolen funds after coming to an agreement with the attacker that they would not pursue legal action.