$650,000 phishing attack against MetaMask user reveals that credentials are automatically backed up to iCloud

An ape with fur resembling magma and volcanic rock, with a green muzzle, with leeches coming out of its nose and mouthMutant Ape #28478 (attribution)
Some MetaMask users using iOS were shocked to discover that their MetaMask credentials were automatically being stored to iCloud today, after MetaMask acknowledged this was the case in the wake of a costly phishing attack. Domenic Iacovone lost cryptocurrency and several pricey NFTs after a successful social engineering attack by scammers pretending to be Apple support earned them access to his iCloud account. From there, they were able to access his iCloud data, and use the stored MetaMask credentials to drain his wallet. The trader lost $650,000 worth of cryptocurrency and NFTs, including Mutant Apes and Gutter Cats, to the attack.

It's not yet clear if others have been affected by the same type of attack, but MetaMask tweeted instructions for iCloud users on how to turn off the automatic backups. Most people seemed to have previously been unaware that this data was being backed up in iCloud. MetaMask turned off replies on their tweet announcement, apparently anticipating the outrage from their users. Iacovone was among the outraged, writing, "Keep exposing MetaMask until they do what is right and take care of this issue and the people affected by it".

Palisade discloses infectious XSS vulnerability on Rarible that could have arbitrarily changed NFT listing data and transactions

Security researchers at Palisade publicly disclosed a wormable cross-site scripting (XSS) vulnerability and WAF bypass they had discovered and responsibly disclosed to Rarible several days earlier.

The researchers were able to inject malicious code into the profile photo on Rarible, which only required a person to visit the malicious profile in order to run. This code could have then "infected" other signed-in users' profile photos, increasing the spread of the vulnerability to anyone who then visited their profiles. Once infected, the code would persist across all pages on Rarible, and could change arbitrary data on NFT listings, modify smart contract interactions, leak or modify profile information, or prompt users to sign arbitrary messages.

In an example, the researchers showed how a listing of a Bored Ape (pricey NFTs which currently have a floor price ~100 ETH / $290,000) could be modified for an impacted user to appear as though it was listed for only 1 ETH (~$2,900). A user who attempted to buy the apparently massively-discounted NFT could then be prompted to approve a sale transaction which would actually run a setApprovalForAll call that would allow the attackers to steal crypto and NFTs from the user's wallet.

This bug was the second Rarible vulnerability that was publicly disclosed this week, following a vulnerability with SVG NFTs disclosed by Check Point Research on April 14.

After the security researchers responsibly disclosed the vulnerability, which could have quickly wreaked havoc across Rarible's entire userbase, Rarible patched the issue and awarded them a bug bounty of $5,000. Good luck to Rarible if the next people who find a bug are even slightly more motivated by money than they are by ethics.

Crypto multimillionaire and former defi developer Andre Cronje calls for crypto regulation as he founds an investment banking company

Portrait of Andre Cronje, a man with a short beard, wearing a suitAndre Cronje (attribution)
Andre Cronje has graced the pages of W3IGG before, when he and his development partner Anton Nell unexpectedly announced they would be abandoning their 20+ defi projects, without giving any specific reason.

The reasoning may have just become clear, as Cronje published a blog post titled "The rise and fall of crypto culture" in which he wrote, "Crypto culture has strangled crypto ethos... I now more than ever see the need, or even necessity for regulation, not as a mechanism to prevent, but as a mechanism to protect. Its like a child trying to stick their finger into a electric outlet, you stop them, before they can learn why they shouldn't. One day they will understand, but not today." He remained optimistic about the prospects of crypto if regulation is introduced: "We will see the rise of a new blockchain economy, not one driven by greed, but instead driven by trust, not trustlessness."

Not everyone was impressed by his apparent change in tune. Twitter user 0xCana wrote, "andre cronje with the gigagrift walking away with over 1 billion dollars generated from crypto and then exits the space, rails against 'get rich quick mentalities' and advocates for strict regulations and then founds an investment banking company. incredible."

2omb and Redemption defi projects endure repeated flash loan attacks

Redemption provides the liquidity pools for 2omb, a Fantom-based algorithmic stablecoin project with big promises: "What if you could invest in a golden goose? Something you can acquire that will actually print you more money to either invest or use?"

Starting on April 18, the projects were targeted with a series of flash loan attacks. The project faced a total of 267 flash loan attacks within one day, leading to major volatility in the ostensibly stable coin. In an impressive display of optimism, a project team member wrote, "This has caused a large price pump. (Also benefited with 3% more burned tokens in fees.) The outcome and intent of the person who has done this, is unknown and it may work in our favour, Do not panic, and do not buy or sell until stable." The attacker made a profit of around $190,000 from the attacks.

Beanstalk Farms stablecoin project loses $182 million to exploit

All my magic beans gone. An attacker successfully used a flash loan attack to exploit a flaw in Beanstalk Farms' stablecoin protocol, which allowed them to make off with 24,830 ETH (almost $76 million). The attacker then donated $250,000 to Ukraine before moving the remaining funds to Tornado Cash to tumble.

Estimated damages to the project were higher than the amount the hacker was able to take for themselves—around $182 million. The $BEAN token, once pegged to $1, dropped to nearly 0. The project creator wrote in the Discord, "We are fucked. This project has not had any venture backing, so it is highly unlikely there is any sort of bail out coming." However, they were later slightly more optimistic, writing, "it may also be the start of something good... there may be a path forward. We don't want to comment on next steps until that path is at least visible to us" while reiterating that a bail-out was "highly unlikely". They also told members of their community that they had contacted the FBI about the theft.

Someone successfully games raffle for popular NFT allowlist with Sybil attack

Pixel art of a white owl with one squinting eye, wearing a forest ranger hat, on a light green backgroundMoonbirds #768 (attribution)
The NFT project "Moonbirds" generated so much hype that they implemented a raffle system for the many people who hoped to get on the project's allowlist, hoping to make it more fair. However, because it is relatively trivial for a person to create many crypto wallets, a person was able to game the system by creating over 400 wallets, which went on to win more than 50 slots on the project allowlist. This strategy—creating many accounts or wallets to gain an advantage—is known as a "Sybil attack".

This did not go over so well for the people who were eager to get a spot in line to mint NFTs that cost 2.5 ETH ($7,650), but was selling with a floor price of 13.1 ETH ($40,000) on the secondary market shortly after the mint completed. If the person behind the Sybil scheme flipped their NFTs for the current floor price, they could make upwards of $1.6 million in profit.

Pseudonymous Gem cofounder revealed to be hiding a history of alleged sexual abuse, some targeting children

A pseudonymous co-founder of the NFT startup Gem, who was previously known only as "Neso", has been revealed to be Josh Thompson. Using the handles "Joshpriest" and "MethodJosh", Thompson is a once-prominent World of Warcraft streamer who has been accused by at least five people of rape, sexual harassment, and grooming of minors. Gem announced to their community on April 9 that they had reviewed allegations against Neso and "exited" him from the team, though a report by BuzzFeed News showed that the Gem team had known about his identity since at least mid-March.

Following the publication of the BuzzFeed article on April 16, the Gem Discord erupted in anger—apparently discovering for the first time that Gem had known Thompson's real identity for quite a lot longer than they had let on. Some members accused the team of lying and trying to cover up who Thompson was, demanding the team explain themselves. The Gem Discord bot was subsequently configured to block links to BuzzFeed.com, so people couldn't post the exposé article.

Crypto culture has embraced pseudonymity to such an enormous degree that not only is it common for everyday traders to cloak their identities behind wallet addresses or pseudonyms, but for founders and prominent members of major projects to do so as well. This is not the first time this has enabled deception, such as in the case where a chief developer of a defi project later being unmasked as a man with a history of financial crimes and other shadiness.

Rikkei Finance exploited for $1 million

Rikkei Finance, which describes itself as a metaverse defi project, was apparently exploited. 2,571 BNB, priced at around $1.07 million, was transferred out of the protocol and quickly moved to a tumbler.

Unicorn Nodes defi project rug pulls hours after launch

Unicorn Nodes claimed to be a "defi-as-a-service" project. It launched its $RNBW token on April 14, despite warnings from "TheBreadmaker", who rates various protocols. Only hours after launch, someone sold 5,432 RNBW (~$129,000), draining the liquidity pool and crashing the token price. Although the project creators initially claimed that the project had been exploited by an external actor, and that it wasn't a rug pull, by that evening they had scrubbed their website and Twitter presence.

Monero holders plan a bank run

Monero is a privacycoin that attempts to address some of the privacy issues with more popular currencies (like Bitcoin or Ethereum)—namely, that anyone can see that wallet A sent a transaction of X amount to wallet B. However, privacy cuts both ways, and this feature also means that, without cooperation from the exchanges, the Monero community can't verify that exchanges actually hold the amounts of Monero they're allowing their users to buy. Some in the community have become increasingly suspicious that exchanges are selling "paper Monero": fake Monero that's not actually backed by reserves.

To try to test this theory, Monero users have scheduled what is basically a bank run: they are encouraging all users to try to move their Monero out of exchanges on April 18. Some have claimed that exchanges including Binance and Huobi have frozen withdrawals of Monero in anticipation of the mass-withdrawal, in an effort to prevent their lack of reserves from being discovered. Indeed, Huobi suspended XMR deposits and withdrawals 10 days ago and has yet to restore the functionality, which they say is due to a wallet upgrade. Binance also shows "withdrawal suspended" on its status page as of April 14.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.