Monkey Drainer steals ~$1 million in 24 hours

A phishing scammer called "Monkey Drainer" stole around 700 ETH (~$940,000) in 24 hours on October 25, according to blockchain sleuth zachxbt. The scammer used malicious phishing sites to trick users into signing transactions that then drained cryptocurrencies and NFTs from their wallets. Some individual victims lost crypto valued at hundreds of thousands of dollars, and others lost NFT collections. Zachxbt estimated the total amount solen by Monkey Drainer to be around $3.5 million.

Oracle manipulation attack on a QuickSwap market earns exploiter $188,000

Adding to the recent string of oracle manipulation attacks is an attack on the miMATIC ($MAI) market on the QuickSwap decentralized exchange. An exploiter was able to manipulate the spot price of assets to borrow funds, ultimately making off with 138 ETH ($188,000) that they mixed through Tornado Cash. The vulnerability was due to the use of a Curve LP oracle, which contains a vulnerability that was disclosed by a security firm earlier that month.

Security firm PeckShield initially suggested the issue might have been with QiDAO, which creates the $MAI stablecoin. The vulnerability is not with their project, although it's possible that the theft will impact the collateralization of their stablecoin.

Freeway halts withdrawals, accused of $100 million+ rug pull

Freeway, a financial scheme where users buy "Superchargers", which are crypto "simulations" that promise to pay out rewards of up to 43% annually, seems to have taken the off-ramp. The project announced to its users that due to "unprecedented volatility in Foreign Exchange and Cryptocurrency markets in recent times", they would be pausing their Supercharger program. The project reportedly halted withdrawals on more than $100 million worth of assets.

Worryingly, the company also removed all mentions of its team from their website, and reportedly removed an attestation to the company's financial backing as well.

The day before the project announced the pause, crypto whistleblower and researcher FatMan published a Twitter thread urging people to withdraw funds immediately because he believed they were operating a Ponzi scheme. "In my opinion, it's likely that Freeway will collapse within the next few months and that all depositors will lose everything."

Attacker drains tokens from Layer2DAO, project buys some of them back

An attacker was able to siphon nearly 50 million L2DAO tokens from a multi-sig wallet on the Optimism protocol. These tokens would nominally have been valued at around $400,000 at the price at the time of the hack, although the token has low liquidity and the attacker would not likely have been able to sell them for that price. The stolen tokens amounted to 5% of the project's total token supply.

The attacker swapped 16.7 million of the tokens before the project was able to negotiate a deal to buy back the remaining 33.2 million tokens at a price of $0.001. In the end, the hacker made off with the $33,200 paid by Layer2DAO, plus 40.4 ETH (~$54,000) from the tokens they were able to sell.

The Layer2DAO team seemed unsure how the hack had happened, but said that they believed it was similar to the June 2022 incident in which an attacker got hold of 20 million Optimism tokens after Wintermute provided an incorrect wallet address.

Several users report losing more than a million dollars each in 3Commas/FTX theft

Several users of the automated trading bot 3Commas reported losing over a million dollars each in a hack or phishing scam affecting users who had connected it to their FTX accounts. 3Commas has blamed the losses on phishing, but affected users have said they were confident they were not phished.

One user wrote they lost almost 104 BTC (~$2 million) from an account that they said they only ever connected to FTX a year ago, with an API key they had not saved, and which had since expired and been downgraded to a free account. Another reported losing about $1.5 million.

FTX CEO Sam Bankman-Fried wrote on Twitter that FTX would compensate the affected users for roughly $6 million in total. He wrote in all caps that he did not want this to be considered a precedent, and it was "a one-time thing". He also stressed that FTX was not responsible for the exploit, and that the users had been tricked by phishing sites impersonating other reputable trading services.

Warner Bros. reinvents DVD navigation menus with their web3 "Movieverse"

Image of Sauron throwing the Ring into a fireThe Lord of the Rings: The Fellowship of the Ring Extended Edition Epic (attribution)
Warner Bros. has just announced their "The Lord of the Rings: The Fellowship of the Ring (Extended Version) Web3 Movie Experience". Catchy name.

Now, you have of course already been able to purchase or stream The Lord of the Rings: The Fellowship of the Ring (Extended Version) for twenty years now. But now you can buy a $30 or $100 NFT to get the same thing, which also boasts "themed navigation menus based on iconic locations from the beloved film". So one of those DVD navigation menus. The NFTs come with other vagaries, including "8 hours of special features, image galleries, [and] hidden AR collectibles".

Plus, of course, you can "own and trade the experience in a community marketplace".

Two days after launch, 4,203 of the 10,000 "Mystery Edition" NFTs have sold for their $30 mint price. They're already reselling on the secondary market for as low as $7.99. The $100 mint "Epic" NFTs are doing slightly better—all 999 of those were minted, and are reselling on the secondary market for around $200. All told, WB has made around $225,000 off the mint.

Almost $300,000 stolen from Olympus DAO, later returned

Insufficient validation on an OHM smart contract at Bond Protocol allowed an attacker to drain 30,437 OHM (~$300,000) from the Olympus DAO defi protocol.

Olympus DAO wrote in an announcement that "This bug was not found by 3 auditors, nor by our internal code review, nor reported via our Immunefi bug bounty." They also noted that because they had done a phased rollout of the contract, only a limited amount of the project's substantial funds were at risk.

Olympus DAO initially announced that they would "compensate all affected bonders in full", but later revealed that the stolen funds had been returned. According to The Block, the Olympus team had successfully tracked the hacker and negotiated the return of the funds.

Unstoppable Domains disables .coin extensions, illustrating an issue with the idea that "you'll always own your NFT"

Unstoppable Domains is in the business of selling "domains" — at least that's what they call them, but they're not the kind of domain that you can plug into your web browser. Instead, they are more like the ENS domains that you may have seen (the ones ending in .eth), and they typically map to a crypto wallet address.

The organization just discovered that they were not the first to go around selling .coin "domains" (represented by NFTs), and were at risk of running into collisions. As a result, they decided to no longer sell these domains, and stop their libraries and services from resolving them.

But fear not, they said, because "Unstoppable domains are self-custodied NFTs, so you still own your .coin domain, but it won’t work with our resolution services or integrations."

That's right, folks, you'll still have your .coin NFT! It just won't resolve, or be otherwise useful in any way.

This is much like the argument that has been common in crypto when describing a use case for NFTs: "if it's an NFT, you'll be able to really own your World of Warcraft sword, and Blizzard won't be able to take it away from you if they arbitrarily decide to ban you or remove the item!" This ignores the fact that the existence of an NFT on a blockchain does not ensure that some functionality initially advertised will continue to work in perpetuity, and you might end up with a domain name or a sword that can do nothing more than sit in your crypto wallet collecting dust.

Unstoppable Domains has offered to credit purchasers of .coin domains 3x their purchase price, though this will likely not be as appealing to people who held domains they hoped to flip for much higher than the initial price.

Vulnerability in BitBTC bridge ends in an exploit where the clock is ticking

A security researcher published a frustrated Twitter thread reporting that "BitBTC's Optimism bridge is trivially vulnerable. Their team has ignored my messages, so I'm going to publish the critical exploit here." They described an issue where it was possible for people to create tokens on the Optimism side of the bridge that could be tied to any token on the other side of the bridge – meaning an exploiter could create a valueless token and bridge it to an unrelated token with actual value.

Less than a day after publishing the thread, someone did exactly what the researcher described, and was able to cause the bridge to mint and transfer 200 billion BitBTC. BitBTC aims to be valued at 1/1,000,000 of a BTC, meaning the exploiter on paper just landed themselves 200,000 BTC, but this is another case where massive amounts of a token were created and could never be traded for anywhere near their ostensible "value". BitBTC doesn't have publicly available data on the backing of their tokens, but it's certainly nowhere near 200,000 BTC. The project appears to be very new, and was created by a self-described "19 year old Bitcoin believer".

BitBTC has seven days from the time of the hack to fix the issue in their bridge before the transfer is complete and the attacker is awarded the tokens. Meanwhile, the hacker left an Ethereum transaction note to say that "I'm not a hacker, just want to test the exploit with a [proof of concept], won't touch any of the valuable assets."

Moola Market exploited for $8.4 million

The Celo-based borrowing and lending platform, Moola Market, suffered a major exploit when an attacker manipulated collateral prices to steal a collection of assets notionally worth around $8.4 million. After taking a loan of $MOO tokens on the platform, the attacker manipulated the price of those tokens to borrow all other tokens available on the lending protocol. The project dashboard currently shows 100% utilization, because the attacker emptied all funds that were available: a mix of $CELO, $cEUR, $MOO, and $cUSD that amount to around $8.4 million.

This attack was executed similarly to the Mango Markets exploit a week prior. Moola Market tweeted that they had "contacted law enforcement and taken steps to make it difficult to liquidate the funds. We are willing to negotiate a bounty payment in exchange for returning the funds within the next 24 hours." The attacker did eventually return 93% of the funds, keeping the remaining $588,000 as a "bug bounty".

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.