Mango Markets suffers loss of more than $116 million

Mango Markets, a Solana-based defi project offering borrowing, lending, and leverage trading, was exploited for $116 million. An attacker manipulated the supposed value of their collateral on the platform, allowing them to take out massive loans from the project treasury that they never repaid. In total, they stole around $116 million worth of Solana tokens. However, only a few exchanges have sufficient liquidity to support exchanging or withdrawing that quantity of tokens, and those exchanges (Coinbase, Binance, and Kraken) froze the attacker's wallets.

Mango Markets posted on Twitter to urge users not to deposit into the project, and asked the hacker to contact them "to discuss a bug bounty". The hacker had their own plans, instead submitting a governance proposal in which they would return $46 million of the stolen funds (keeping $70 million) in exchange for a promise that the protocol would not try to freeze the assets or pursue criminal charges. The hacker then used their 32 million governance tokens to vote in support, but ultimately were not able to get the proposal to pass. A different proposal with largely the same terms, but which left the attacker with only $47 million of the stolen funds, passed shortly after.

QANX Bridge suffers $1.16 million loss caused by the Profanity vanity address vulnerability

On September 15, a blockchain security firm disclosed a vulnerability affecting Profanity, a tool that allowed people to generate "vanity" crypto wallet addresses: addresses containing specified strings of characters. This affected some individuals with vanity addresses, but has also enabled subsequent attacks on projects that used vanity addresses, such as the Wintermute exploit on September 20.

On October 11, the QANX Bridge's deployer wallet was compromised thanks to the vanity address generator bug. Although QAN had not directly used the Profanity project to generate the address, they used a project called vanity-eth-gpu, which had derived its code from Profanity and so inherited the bug. QAN is a layer 1 blockchain that claims to be quantum-resistant.

The thief stole 1.44 billion QANX from QANX's BNB Chain bridge, which they traded for 3,090 BNB (~$837,000) and tumbled through Tornado Cash. One minute later, they drained 1.43 billion QANX from QANX's Ethereum bridge, traded it for 255.4 ETH (~$327,000), and tumbled it as well. In total, $1.16 million was cashed out via Tornado. News of the attack, and the attacker's sell-off, caused the QANX price to plummet by 94%.

The attacker still holds more than 1 million QANX, nominally worth $608,000. However, QAN withdrew liquidity for the project on Uniswap and Pancakeswap, which will make it more difficult for the attacker to sell off their remaining tokens.

This was the second theft affecting the QAN platform this year. In May, an attacker stole 4.4 million QANX, which they traded for 370 ETH (valued at ~$707,000 at the time).

Rabby Wallet's swap feature exploited a month after launch

Rabby Swap, a feature of the Rabby crypto wallet, was exploited a month after it was first rolled out. An attacker discovered an apparent vulnerability in the Rabby Swap smart contract that enabled them to arbitrarily transfer other users' funds. Rabby urged its users to revoke approvals for the contracts across multiple chains.

The attack impacted assets on multiple chains. The attacker tumbled 114 ETH (~$146,000) through Tornado Cash shortly after the hack, along with 179 BNB (~$48,500). The full extent of the attack is still being measured. The buggy contract that enabled the attack had been audited by blockchain security firm PeckShield, but the vulnerability had apparently gone undetected.

CNN accused of rug pull after ditching their Vault NFT project

In June 2021, CNN launched "Vault": a project to "make moments from history available for purchase". The project involved minting as NFTs various clips of CNN footage and photographs from their archives, such as CNN's predictions that Bush and Obama would win their presidential elections, or "War Notes": a series of photos and accompanying handwritten notes from Ukrainians impacted by the Russian war on Ukraine. On October 11, CNN announced they would "no longer be developing or maintaining this [Vault] community".

Although CNN claimed in their shutdown announcement that "Vault was originally launched as a 6-week experiment", CNN had not mentioned that the project was an experiment that was expected to possibly end. As recently as last month, Vault had been teasing upcoming events scheduled around election day in November, and encouraging users to buy more Vault NFTs to access the upcoming drops.

As an apparent attempt to placate angry users worried that the value of their NFTs might drop, CNN promised to return "either FLOW tokens or stablecoins" for "roughly 20% of the original mint price". However, the project is built on the Flow blockchain, where users can only withdraw stablecoins $10 at a time — and with a $4 fee on each withdrawal. Some angry users in the project's Discord channel threatened legal action, claiming that CNN had rug pulled.

STAX Finance exploited for $2.3 million

A hacker discovered a vulnerability in the smart contract for the STAX project, which is built on the TempleDAO defi protocol. STAX is a liquidity provider for $TEMPLE/$FRAX.

Poor access control on a function in the smart contract allowed them to withdraw 321,155 xLP tokens, which they subsequently converted to 1,831 ETH (approximately $2.34 million).

This amount represents about 4% of the assets in the TempleDAO protocol. STAX replaced its homepage with a "disclaimer" about the hack, took down the project's dApp, and urged people not to deposit into the STAX contracts.

U.S. SEC is investigating Bored Apes creator Yuga Labs

An illustration of a bright pink ape, wearing a captain's hat, with heart-shaped sunglasses, with eyes on its neck, and a gold jacket and chainBored Ape #648 (attribution)
According to a scoop in Bloomberg, the United States Securities and Exchange Commission has been probing whether NFTs from Yuga Labs should be considered securities regulations, and may be in violation of federal law.

Yuga Labs is the company behind the Bored Apes NFTs and spinoff projects (Mutant Apes, and Bored Ape Kennel Club), and in March also acquired the blue-chip NFT collections CryptoPunks and Meebits.

A probe does not necessarily mean that Yuga has violated the law, but such an investigation could have major ramifications for the world of NFTs.

Blockwater Technologies is insolvent

Blockwater Technologies, a crypto investment firm based in South Korea, missed a payment on their $3.4 million loan from TrueFi, a decentralized borrowing platform. According to TrueFi, the group had previously amended their loan to extend the loan period and increase the borrowing rate, but were still unable to meet their required payment. TrueFi wrote that they intended to undergo a "court-supervised administrative proceeding", a route they said they chose due to "the complexity around the sudden insolvency".

TrueFi claims the default is not a major risk to them, making up 2% of the platform's total value outstanding. They announced that the loan was "currently in an active restructuring to maximize recovery for affected BUSD lenders".

NFT collector loses Bored Apes he bought for nearly $2 million in two consecutive scams

An illustration of an ape with pink fur and an angel halo. The ape's eyes are closed and its mouth is open. It's wearing no shirt, and has a silver stud earring.BAYC #2951 (attribution)
In an incredible display of misfortune and perhaps ineptitude, an NFT collector was scammed out of a Bored Ape and then scammed out of six more Bored Apes when he tried to revoke the permissions he'd granted for the first scam.

NFT trader Laszlo_btc went to swap his Bored Ape #8274 for another Bored Ape after reaching a deal with someone he met on Discord. He opened up Sudoswap to do the swap, but was tricked into trading his pricey NFT for a worthless NFT that was disguised to look like a Bored Ape. This is how Laszlo was scammed out of his first Bored Ape, which he'd only purchased three days prior, for 80 ETH (~$108,000). The scammer quickly flipped the NFT for around 70 ETH (~$92,000).

Realizing he'd been scammed, Laszlo went to revoke the permissions he'd granted in case he'd opened himself up to other thefts. However, instead of using the real permission revocation service Revoke.cash, he ended up using a phishing site: Revokecash.net. Only fifteen minutes after the first theft, six more Bored Apes were transferred out of his wallet.

Altogether, Laszlo had paid over $1.9 million for the collection of seven apes, which he purchased between January and October 2022. The priciest was Bored Ape #2951, which he bought for 173 ETH on May 1 — at the time, $490,000. The two sets of scammers quickly flipped all the NFTs, selling them for a total of $608,000.

CoinDesk reports that Decentraland has just 38 daily active users

A 3D virtual world with various logos on buildings. An avatar of a woman stands alone in the foregroundDecentraland (attribution)
According to CoinDesk, the metaverse platform Decentraland is entertaining roughly 38 users a day these days. This isn't much for its "valuation" of $1.3 billion — although CoinDesk seems to be estimating this on "market cap". Its competitor, the Sandbox (also "valued" at around $1.3 billion), is doing a bit better — with a whopping 522 daily active users.

Not only that, the most users Decentraland has ever had in one day is only 675; The Sandbox had 4,503 at one point.

Celsius exposes the names of all customers and their recent transactions in court filing – including their execs

Celsius Network is undergoing bankruptcy proceedings after its impressive implosion earlier this year. The company's latest court filing is 14,532 pages long — because it contains the names and recent transactions of every user on the platform. Although the judge allowed Celsius to redact individuals' home and email addresses, the names and details of recent transactions are all publicly available — much to some users' horror.

Among those listed in the court filing were Alex Mashinsky, his wife Krissy, and various other executives. The records show that Mashinsky withdrew $10 million from Celsius shortly before the company's collapse, and his wife withdrew another $2 million. Chief Strategy Officer Daniel Leon also withdrew $7 million.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.