Islamic State tests out NFTs

In the apparent "first known nonfungible token created and disseminated by a terrorist sympathizer", a supporter of the Islamic State has minted an NFT with a message praising an attack on a mosque in Kabul, Afghanistan. According to former U.S. intelligence officials cited by The Wall Street Journal the NFT is likely an experiment with new funding and channels for propaganda.

The token was briefly listed on OpenSea, Rarible, and various other marketplaces before those marketplaces took it down. However, because it was minted on the blockchain, the token itself cannot be removed. "It's very much an experiment...to find ways to make content indestructible," said Raphael Gluck, a co-founder of a jihadist research group.

Crypto scam watchdog group launches NFT project, which is then exploited

An illustration of a man in a brown suit, brown fedora, and sunglasses, smoking a cigar and holding a noose.Bad Guys promotional artwork (attribution)
The group Rug Pull Finder aims to combat fraud, scams, and hacks in the NFT space, often investigating crypto rug pulls and offering audits for projects and smart contracts. They decided to launch their own NFT project, "Bad Guys", which is themed around a group of baddies who steal NFTs.

Ironically, a flaw in the project's smart contract allowed individual wallets to mint many NFTs at once, rather than one per wallet, allowing two people to game the system and snap up more than 450 NFTs rather than the one they were allowed. Rug Pull Finder wrote that "An exploit was shared with us 30 minutes before mint went live. After reviewing it with 3 different dev teams, we did not believe the credibility of the information sent to us... We were clearly wrong, and we are truly truly sorry".

Rug Pull Finder announced that they had reached an agreement with the people who gamed the mint, and would buy back the 366 NFTs the duo still held for 2.5 ETH (~$4,000).

Crypto security researcher OKHotshot wrote, "I think its concerning when security minded projects like RugPullFinder get their discord breached and their code exploited yet they're offering those exact services to customers."

Georgian Coinbase customers take advantage of 100x price bug

Some Coinbase customers in Georgia (the country, not the state) took advantage of an hours-long price bug where a misplaced decimal point altered the exchange rate of the Georgian Lari (GEL) to 100x its actual value. Users were able to sell their cryptocurrencies for GEL to receive, in some cases, thousands of dollars more than the trades were worth. According to Blockworks, some users exchanged $150 worth of crypto for $15,000, more than three times the national average salary in the country.

Some users who took advantage of the bug and withdrew funds to their bank accounts found their accounts frozen shortly after, when Coinbase noticed the error and began working to claw back the funds. According to Coinbase, about 1,000 users took advantage of the error.

Attacker exploits bug in ShadowFi to empty $300,000 liquidity pool

An attacker discovered that anyone could call the burn function on the liquidity pool contract for the ShadowFi project. They were able to exploit this vulnerability by calling the burn function and then taking advantage of the price difference (based on the new circulating supply) to remove all 1078 BNB (~$298,000) in the project's liquidity pool.

The project had only just launched that same day, after running a presale of their SDF tokens. The project promised to allow people to "Take your spending away from the floodlights of surveillance capitalism" and apparently involves sending people prepaid Visa cards to help them cash out their cryptocurrency without connecting a bank account or providing KYC information.

Holding company for Mercado cuts 15% of employees

2TM, the holding company for the Brazilian crypto exchange Mercado, announced they would be laying off 15% of their workforce — about 100 people. The company had previously laid off more than 80 employees in June. Mercado raised a $200 million Series B funding round in July 2021, which valued the company at $2.1 billion — the highest-valued crypto exchange in Brazil.

Describing the layoffs, a spokesperson for 2TM said that Mercado was suffering for playing by the rules. "The competitive environment remains deteriorated and unfair, lacking the approval of the legal framework for crypto-activities, as players following the law are penalized by companies that ignore local rules."

dYdX infuriates users by requesting "liveness checks" via webcam, cancels campaign due to "overwhelming demand"

The decentralized crypto exchange dYdX announced on August 31 that they would give users $25 if they completed a "liveness check", which is accomplished by taking webcam facial scans that can then be compared with scans from other accounts on the exchange in an attempt to combat Sybil attacks.

This infuriated many crypto users, who were horrified that dYdX would try to collect this kind of biometric data. "DYDX just nuked itself. I would never use this platform," wrote a prominent trader.

On September 1, dYdX tweeted that "Due to extremely overwhelming demand of the $25 deposit bonus promotion, we are ending the campaign, effective immediately. Thank you to the many thousands of new users that onboarded to dYdX today. We truly underestimated the amount of interest the campaign garnered." They made no mention of the backlash against the liveness checks, but quietly removed the mentions of the system from their website.

Bill Murray's NFT charity auction nets $185,000, which is then immediately stolen

Black and white photorealistic painting of Bill Murray. The only colors are the lenses in a pair of cardboard 3D glasses that Murray is wearing, and a green bowtie.Token #0 from Bill Murray's NFT collection (attribution)
Bill Murray auctioned off an NFT representing the right to drink a beer with him, during which a painter will paint a picture of the scene that the buyer can keep. The auction benefits Chive Charities, which is a veteran- and first responder-focused non-profit. The NFT sold for 119.2 ETH (~$185,000).

However, hours after the auction, a hacker gained access to Murray's crypto wallet and snagged the ETH for themselves. They also attempted to steal 800 NFTs from the remaining collection by Bill Murray, though a wallet security team was able to safeguard those NFTs in time.

Murray's team confirmed the theft, and said they are working with the police and Chainalysis to identify the hacker.

Attackers steal around $265,000 of user funds from KyberSwap exchange

An attacker was able to insert malicious code into the frontend of the decentralized exchange KyberSwap and steal $265,000 of user funds. The project used Google Tag Manager to allow code to be injected into the project frontend (often for analytics, ads, or marketing purposes), which was used by the attacker to insert malicious code into the project UI that specifically targeted whale accounts — that is, those with large balances.

Kyber identified and remedied the issue after two hours of investigating it, and only two wallets were affected. Kyber promised to compensate the users who lost funds, and also tried to tempt the hacker into returning funds by allowing them to keep 15% of the stolen money as a "bounty" (~$40,000).

Snapchat abandons its web3 plans

Snap Program Manager Jake Sheinman tweeted that "As a result of the company restructure, decisions were made to sunset our web3 team. The same team that I co-founded last year with other pirates who believed in digital ownership and the role that AR can play to support that." Snap, the company behind Snapchat, had been working on a feature that would enable users to import their NFTs and use them as augmented reality filters.

This news came amidst the announcement that Snap would be laying off 20% of its staff, a whopping 1,300 people.

Unable to recover from the April Rari exploit, Babylon Finance shuts down

In April, an attacker exploited vulnerabilities in the defi lending project Rari Capital to steal $80 million. The asset management project Babylon Finance was a major lending pool on Rari, and lost $3.4 million in the hack. After the incident, users withdrew more than 3/4 of the assets on the project.

Since April, Babylon tried to recover from the hack. However, they described it as "the domino that kickstarted a series of unfortunate events". Rari canceled their planned reimbursement, users withdrew their funds from Babylon Finance, the Fuse pool on Rari was abandoned, and the token price decreased from around $20 to around $5.

On August 31, Babylon Finance's founder Ramon Recuero published a blog post announcing that Babylon would be shutting down. They promised to distribute the remaining project treasury among holders. Users were told to withdraw their funds by November 15.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.