Another bug affecting Terra's Mirror Protocol loses the project $2 million (and counting)

Someone has been able to drain more than $2 million from the Mirror Protocol in the Terra ecosystem. It appears they are exploiting an issue with the price oracle for "Luna Classic" (formerly known as Luna, but renamed with the release of Luna 2.0). The oracle seems to be providing an incorrect price for LUNC that is far higher than its price on exchanges. This has allowed a person to use a relatively small amount of LUNC as collateral for loans of much larger amounts in other assets.

Terra sleuth FatMan wrote on Twitter on May 30, "So far, the mBTC, mETH, mDOT and mGLXY pools have been drained. In around 12 hours, the market feed will kick in, and the attacker will be able to drain all of the mAsset pools (such as mSPY and mAAPL, mAMZN, etc.)". He begged Mirror developers to fix the oracle, writing that they are "completely MIA".

Another Bored Ape owner makes a typo, sells NFT for $180,000 less than they intended

[Image: Bored Ape #3158, a Bored Ape with grey fur, wearing goggles and rainbow suspenders, on a blue background]
An NFT collector trying to list their Bored Ape NFT for sale on OpenSea made a typo, and accidentally listed it for sale for 10 ETH (around $19,000) instead of 105 ETH (around $200,000). The NFT was quickly bought up before the trader had the opportunity to correct their mistake. It is common for people to run bots that automatically buy pricey NFTs that are listed for sale far below a collection's floor price, as this one was.

The trader later confirmed on Twitter that it was their mistake rather than an account compromise or some other hack: "Yep, was a fat finger. Was trying to list at 105. Never thought it'd happen to me. Devastating."

Meanwhile, the NFT's new owner has it listed for sale for 110 ETH (about $219,000), which will net them a tidy profit if they find a buyer.

Luna 2.0 airdrop sends 2.1 million $LUNA to Mirror Protocol thief

All holders of Luna, who saw their holdings crash to nothing in the Terra collapse, received an airdrop of the new Luna tokens with the release of Terra 2.0 (electric boogaloo). The researcher who originally observed that at least $88 million worth of ill-gotten tokens had been siphoned from the Terra Mirror Protocol before a patch was quietly applied in early May noticed that the attacker had been among the recipients of the airdrop, receiving more than 2.1 million $LUNA. "A nice little reward for stealing money from thousands of Mirror users & locking their funds, causing them millions in losses", wrote the researcher.

The price of the new $LUNA token has been volatile on its first day, starting at around $17 and later valued around $5.70. This would make the attacker's holdings of airdropped tokens worth around $12.1 million, assuming they could find liquidity to cash out.

PokeMoney blockchain game rug pulls for $3.5 million

The token associated with yet another crypto Pokémon rip-off, PokeMoney, suddenly crashed in price when around 11,800 BNB ($3.5 million) worth of it was pulled out of the project. The incident appeared to be a rug pull.

The project creators claimed it was a hack, and stuck around to try to keep the hope alive. They claimed on Telegram that for some reason they couldn't access the project Twitter account, and so couldn't inform their community of the hack. They also began rallying their community around hopes for a project relaunch. Meanwhile, they announced a "CHAT MUTE UNTIL TOMORROW TO AVOID FUD" — as any reputable, not-rug-pulled project would do, I'm sure.

Elon Musk deepfake tries to get people to give scammers Bitcoin

[Image: Screenshot from the deepfake video. Elon Musk, sitting with his hands clasped in front of a purple background. A logo for "BitVex" is visible in the bottom right.]
A somewhat robotic-sounding deepfake Elon Musk speaks to a deepfaked interviewer, who asks "what can you tell us about your project and how can it help people get rich right now?" Fake-Musk explains that people who invest in the (scam) project, "BitVex", will "receive exactly 30% of dividends every day", and that if Bitcoin falls in price they will still receive twice their investment back.

According to BleepingComputer, only about $1,700 in deposits appeared to have gone to addresses associated with the scam, although they acknowledged that the addresses are likely rotated and so the true amount may be larger.

Someone brought the scam to Musk's attention on Twitter, where he replied, "Yikes. Def not me." The YouTube channel hosting the videos was taken down shortly after.

Bitso lays off around 10% of staff

The Latin American crypto exchange Bitso laid off 80 employees, around 10% of their staff, which had previously amounted to around 700 people. The exchange told CoinDesk that they needed to reconsider the skills they were looking for in employees, so they could "move faster".

Bitso is a major Latin American exchange, with more than four million users across Mexico, Argentina, Colombia, and Brazil.

Researcher discovers vulnerability in the Terra Mirror Protocol that allowed attackers to siphon tens of millions from the project

A crypto researcher who goes by "FatMan" discovered that the Mirror Protocol in the Terra ecosystem contained a serious vulnerability that was quietly patched with no announcement on May 9. The Mirror Protocol code previously lacked a duplicate check, which meant that attackers could create a short position and then withdraw it repeatedly in the same transaction, taking many times more money than they should have been authorized to withdraw.

FatMan discovered one instance where a person deposited $10,000 and later withdrew $4.3 million. According to FatMan, they found repeated exploits of this type that earned attackers "well over $30 million". Another researcher on Terra forums estimated about $88 million had been exfiltrated from the project in this way, over the many months the bug went undiscovered and unpatched by Mirror developers.
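
The missing duplicate check described above, as an added example that is not Mirror's code: a constructed, simplified model in which `LockContract`, `unlock_vulnerable` and `unlock_checked` are hypothetical names. It puts a batch unlock that pays a repeated position ID once per repetition beside a version that validates the list before paying anything.

```rust
use std::collections::{HashMap, HashSet};

struct LockContract {
    locked: HashMap<u64, u128>, // constructed model: position id -> locked amount
    balance: u128,              // pooled funds belonging to all positions
}

impl LockContract {
    fn new(positions: &[(u64, u128)]) -> Self {
        let locked: HashMap<u64, u128> = positions.iter().cloned().collect();
        let balance: u128 = locked.values().sum();
        LockContract { locked, balance }
    }

    // Flawed: all listed ids are credited before any entry is cleared,
    // so an id repeated within one call is paid once per repetition.
    fn unlock_vulnerable(&mut self, ids: &[u64]) -> Result<u128, String> {
        let mut payout: u128 = 0;
        for id in ids {
            payout += *self.locked.get(id).ok_or("unknown position")?;
        }
        for id in ids {
            self.locked.remove(id);
        }
        self.balance = self.balance.checked_sub(payout).ok_or("pool too small")?;
        Ok(payout)
    }

    // Hardened: validate the whole list first (no duplicates, all known),
    // then remove each position as it is credited.
    fn unlock_checked(&mut self, ids: &[u64]) -> Result<u128, String> {
        let mut seen = HashSet::new();
        if !ids.iter().all(|id| seen.insert(*id)) {
            return Err("duplicate position id".to_string());
        }
        if !ids.iter().all(|id| self.locked.contains_key(id)) {
            return Err("unknown position".to_string());
        }
        let payout: u128 = ids.iter().filter_map(|id| self.locked.remove(id)).sum();
        self.balance -= payout;
        Ok(payout)
    }
}

fn main() {
    let mut a = LockContract::new(&[(1, 100), (2, 900)]);
    let mut b = LockContract::new(&[(1, 100), (2, 900)]);
    println!("{:?} {:?}", a.unlock_vulnerable(&[1, 1, 1]), b.unlock_checked(&[1, 1, 1]));
}
```

In the flawed path the extra payout comes out of the pool backing position 2, which is why other users' funds end up short.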

Solana loses track of time

The Solana blockchain clock drifted about 30 minutes behind real-world time on May 26, as a result of slower-than-usual slot times. Solana's status page read that "this has no impact on performance or network operations", though The Block noted that this time drift could result in smaller staking payouts.

Blockchain timekeeping is also a selling point of Solana, which talks up its "proof of history" algorithm in a blog post where Solana Labs co-founder Anatoly Yakovenko says, "our clocks never drift".

Terra decides to release "Terra 2.0", because apparently the way to fix a crypto catastrophe is with more crypto

Following the dramatic collapse of Terra earlier this month, the Terra ecosystem voted to pass a proposal by Do Kwon to create "Terra 2.0". The project intends to "effectively create a new Terra chain without the algorithmic stablecoin" — an odd choice given that the whole point of the original Terra was the stablecoin. The proposal also involves renaming the existing Luna ($LUNA) coin to "Luna Classic" ($LUNC), so that Luna 2.0 can take its place — a change that I'm sure will not cause any confusion whatsoever.

Billy Markus, one of the original creators of the Dogecoin cryptocurrency (both of whom have since left the project), tweeted, "luna 2.0 will show the world just how truly dumb crypto gamblers really are".

Scammer steals 29 Moonbirds NFTs nominally worth about $1.5 million from a single collector

[Image: Moonbird #8749, a purple pixel art owl with one squinting eye, on a green background]
A scammer was able to trick a prolific NFT collector into signing a transaction on a fake trading website, which then allowed them to maliciously transfer 29 pricey Moonbirds NFTs in a single transaction. Moonbirds are a popular collection of pixel art owls that currently trade with a floor price of 24 ETH (about $48,000). The trader who was targeted was a big time Moonbirds fan, holding 29 of the NFTs in their affected wallet. The loss has been estimated at around 750 ETH (~$1.5 million).

The highly exclusive group of NFT collectors known as Proof Collective, of which this trader was a member, was reportedly preparing a report for the FBI and police. Because the attacker used an exchange that requires KYC there may be some possibility that their identity could be traced, although falsified KYC is also increasingly common.
