Multichain drained of another $107 million days after previous theft

Only five days after $130 million was emptied from the Multichain blockchain bridge, another $107 million in a wide range of assets has been taken. After the first theft, Multichain urged users to stop using the project and revoke contract approvals, but a large quantity of assets remained on the service.

People are becoming increasingly suspicious that the Multichain thefts may be an inside job, not least because Multichain's CEO suddenly disappeared in late May and hasn't been located since.

Arkham Intelligence referral program exposes user emails

In a somewhat amusing complement to Arkham Intelligence's "on-chain intelligence exchange" announcement, a new product which seeks to allow people to buy and sell private information about blockchain wallet owners, Arkham has found themselves in hot water for exposing user email addresses without the users' knowledge.

Like many platforms, Arkham Intelligence allows its users to earn rewards for referring new customers. Users are given a unique link to invite others to sign up, which then credits them for the referral. However, some people have observed that the unique string used to identify the user is simply their email address, base64-encoded. Base64 is an encoding, not encryption: it has no key, and anyone holding the string can reverse it in one step to recover the email address.

A user who noticed the encoding strategy tweeted: "ABSOLUTE LMAO. ALL #ARKHAM REFERRAL LINKS SHARED ON TWITTER IS DOXXING EVERYONE BECAUSE THE EMAIL IS IN THE REFERRAL URL". They then went on to decode some referral links from anonymous crypto personalities, writing "HOW DOES IT FEEL TO GET DOXXED???"

Arkham Intelligence quickly updated its referral program to use an encryption algorithm that can't easily be reversed in this way, and the CEO apologized, saying the scheme was an early version of the referral-link generation that had never been updated.

Arkham Intelligence releases "dox-to-earn" project

Arkham Intelligence, a blockchain intelligence company with the tagline "deanonymizing the blockchain", announced the launch of its "on-chain intelligence exchange", inviting people to "buy and sell information on the owner of any blockchain wallet address—anonymously, via smart contract." In the crypto world where transaction data is largely public, maintaining pseudonymity is often a critical part of maintaining safety and privacy. Needless to say, this had a mixed reception, with many terming the exchange "dox-to-earn".

"hey isn't the most profitable use of this just to put a bounty on whale wallets and then kidnap people? like ... did that come up in any meetings?" wrote one Twitter user. "We are now one step closer to onchain assassination markets", wrote another. Others, however, were more optimistic, speaking about "doxx[ing] scammers", "democratiz[ing] tools [the government] already has", and, in the longer term, "accelerat[ing] privacy".

Dubai regulator cracks down on BitOasis

Dubai's Virtual Assets Regulatory Authority issued an alert that BitOasis was "under review for not meeting mandated conditions". In April, BitOasis received the first "MVP Operational License" issued under a new regulatory regime in Dubai, but has apparently already fallen out of compliance. VARA warned that further enforcement actions could follow, including rescinding the license.

BitOasis wrote on their website that the license had in fact been suspended, but stated that they had not begun offering services to the segments covered by the license (institutional and qualified investors).

BitOasis is among the most popular crypto exchanges in the Middle East and North Africa (MENA) region.

Arcadia Finance exploited

Arcadia Finance is a defi margin trading protocol that launched on Ethereum and the Optimism Ethereum layer 2 protocol in March 2023. On July 9, an attacker used a flash loan to drain liquidity pools in the lending portion of the project. The project lost around 160 ETH and $163,000 in stablecoins, a total of almost $460,000.

The Arcadia Finance team paused related smart contracts to prevent further attacks, and began working with various crypto security projects to investigate the attack. They also sent on-chain messages to the attacker, threatening law enforcement action and suggesting they "return 90% of the funds... and walk away".

Hackers swipe pricey NFTs after compromising Gutter Cat Gang Twitter profile

[Image: Gutter Cat #707, a leopard-spotted cat with half-lidded eyes, wearing a black doo-rag and a white shirt with "HODL" printed on it, on a purple background (attribution)]
An attacker successfully compromised the Twitter account belonging to the popular Gutter Cat Gang NFT project, as well as the one belonging to the project co-founder, and used them to post links to phishing sites claiming to be a new NFT airdrop. Instead of receiving the tokens they were promised, those who authorized the contract had their wallets drained.

One victim lost 36 NFTs, among them a Bored Ape NFT they'd purchased for around $130,000. Altogether, the attackers successfully stole NFTs worth between $750,000 and $900,000, depending on how resale value is estimated.

The following day, Gutter Cat Gang announced that they'd regained control over the Twitter accounts and taken down the malicious tweets. They stated that they were working with law enforcement to investigate the theft, but to the dismay of some victims, did not describe any plans to compensate those who lost assets.

"Decentralized" BarnBridge closes up shop after claiming they are under SEC investigation

A small and rather unknown project called BarnBridge aimed to build a variety of defi yield projects. BarnBridge claimed to be decentralized and governed by a DAO.

On July 6, an attorney posted in the project's Discord server to say that BarnBridge and "individuals associated with the DAO" were under investigation by the U.S. Securities and Exchange Commission. The attorney wrote: "To reduce potential further legal liability, existing liquidity pools should be closed, and no more liquidity pools should be started. All work on Barnbridge related products should stop, and individuals should no longer be compensated for any work they do related to Barnbridge until further notice." Decentralized!

It's not terribly surprising that BarnBridge chose to drop the facade of decentralization when the SEC came knocking, however. A recent case by the CFTC against the Ooki DAO suggests that the mere veil of "decentralization" will not be sufficient to avoid legal liability for the actions of a DAO. However, it is interesting to see the SEC now (at least allegedly) going after a relatively small player in the defi world.

Multichain shuts down amidst $130 million suspected hack

Blockchain watchers observed $130 million in various assets flowing out of the Multichain blockchain bridge, questioning whether there had been an exploit. Multichain tweeted, "The team is not sure what happened and is currently investigating," and recommended users stop using the service and revoke contract approvals.

Several hours later, Multichain wrote that they had stopped service, and that "all bridge transactions will be stuck on the source chains. There is no confirmed resume time."

In May, Multichain suffered a bizarre slew of issues, culminating in the project team admitting that their CEO had gone missing and could not be contacted. So far, they have not reported his return.

This is also not the first hack suffered by Multichain. In January 2022, the project, bafflingly, publicly announced a security vulnerability that was affecting their tokens, without first instructing users to safeguard their tokens. Attackers quickly followed the instruction manual provided to them by Multichain, making off with around $3 million in assets.

NFTPerp blows up

A project called NFTPerp was, as the name suggests, a perpetual futures exchange for NFTs, allowing people to take long or short positions against NFTs. It relied on a vAMM — virtual automated market maker — which essentially simulates liquidity without there being any real money in the system. Such a system can be thrown out of whack if there is imbalance in the positions people are taking — for example, if everyone tries to go short on NFTs in a brutal bear market.

So anyway, that's exactly what happened. NFTPerp announced that they would be sunsetting their popular beta project after accruing bad debt.

How they're going about it has been controversial among the successful traders on the platform: essentially, those who were in profit will lose their unrealized gains, while those who had lost money in their trades will have their losses waived. "Nftperp stealing profits from winner [unrealized profit and loss] to backstop losers UPNL is insane to me", wrote one commenter. Another wrote, "If anyone else is considering NFT perps, please have the 'what happens when the illiquid market goes to zero overnight' plans clearly in place from the beginning."

Not to be deterred, the team is already preparing to launch a "v2". May it go as well as their first attempt.
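The bad-debt outcome above follows from the "no real money in the system" point, and a small simulation makes it concrete. The code below is an added example, not NFTPerp's code, and it models a generic constant-product virtual AMM of the kind popularized by Perpetual Protocol v1; whether NFTPerp's vAMM worked exactly this way is an assumption. Two traders both go short into the same pool with a fixed margin, the first closes while the second is still open, and the function reports who is owed what: the winner's gain equals the loser's loss (the vAMM itself is zero-sum), but the only real funds are the two margin deposits, so once the loser's loss exceeds their margin the platform owes the winner money it does not have. The reserve sizes, notionals and margins are constructed numbers.

```python
class VirtualAMM:
    """Toy constant-product vAMM (x * y = k).

    The reserves are bookkeeping numbers only; no base asset or quote currency
    is actually held, which is exactly why the pool cannot pay anyone.
    """

    def __init__(self, base: float, quote: float) -> None:
        self.base = float(base)
        self.quote = float(quote)
        self.k = self.base * self.quote

    def price(self) -> float:
        return self.quote / self.base

    def open_short(self, notional: float) -> float:
        """Virtually sell base for `notional` quote; returns the base size sold."""
        new_quote = self.quote - notional
        new_base = self.k / new_quote
        size = new_base - self.base
        self.base, self.quote = new_base, new_quote
        return size

    def close_short(self, size: float) -> float:
        """Buy back `size` base; returns the quote paid (the cost to close)."""
        new_base = self.base - size
        new_quote = self.k / new_base
        cost = new_quote - self.quote
        self.base, self.quote = new_base, new_quote
        return cost


def simulate_crowded_shorts(
    base_reserve: float = 100.0,
    quote_reserve: float = 10_000.0,
    notional: float = 1_000.0,
    margin: float = 100.0,
) -> dict:
    """Two traders short the same vAMM; A closes first, B closes last.

    Returns each trader's realized PnL, the margin actually on deposit, and
    the bad debt the platform is left holding.
    """
    amm = VirtualAMM(base_reserve, quote_reserve)
    start_price = amm.price()

    # Both traders pile into the same side with identical notional and margin.
    size_a = amm.open_short(notional)
    size_b = amm.open_short(notional)  # B gets a worse (lower) entry price

    # A closes while B is still short: B's open position has pushed the
    # virtual price down, so A buys back cheaply and books a profit.
    profit_a = notional - amm.close_short(size_a)

    # B closes last; the pool returns to its starting state and B eats the
    # mirror image of A's gain.
    loss_b = amm.close_short(size_b) - notional

    # The only real money is the two margin deposits. A is owed margin + profit;
    # B's margin can cover at most `margin` of B's loss.
    covered_by_b = min(loss_b, margin)
    bad_debt = max(0.0, profit_a - covered_by_b)

    return {
        "price_unchanged": abs(amm.price() - start_price) < 1e-9,
        "profit_a": profit_a,
        "loss_b": loss_b,
        "zero_sum": abs(profit_a - loss_b) < 1e-9,
        "real_funds": 2 * margin,
        "owed_to_a": margin + profit_a,
        "bad_debt": bad_debt,
    }


if __name__ == "__main__":
    for key, value in simulate_crowded_shorts().items():
        print(f"{key:16} {value}")
```

Run as-is, trader A is owed more than the platform holds even though the virtual price ends exactly where it started; nothing about the outside NFT market moved. That is the situation the page describes: the only levers left are to let winners absorb the shortfall (what NFTPerp chose) or to fund a backstop with real capital in advance.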

Trader loses $213,000 to phishing scam, blames Twitter

[Image: Twitter reply by an account called "@burntteoast", advertising a link to a supposed "Doodles 2" project; captioned "Doodles scam" (attribution)]
Crypto personality LoveMake.eth wrote a Twitter thread about how they fell victim to a phishing scam in which an account appearing to belong to the cofounder of the popular Doodles NFT project advertised a fake project in the replies to a thread by a real cofounder. The Twitter account appeared to be Doodles' cofounder burnttoast, but the handle was actually burntteoast. LoveMake connected their primary wallet, which was immediately drained of 61.5 ETH (~$120,000) and $93,400 in the Tether stablecoin.

LoveMake wrote on Twitter that "I am dyslexic and didn't notice that the Burnt Toast acc was scam. It was very similar to the original & Verified." They appeared to blame Twitter's new verification process, writing, "@Twittersupport can you explain the meaning of the word 'verified'? we're waiting for days every time we change pfp or display name and then I got scammed by verified account with exact the same name and pfp as Doodles founder in million views thread?"

Several days later, they posted a thread again criticizing the prevalence of crypto scammers on Twitter. "I put millions $ into web3 projects, with over 90k$ into Twitter ads. I was rugged many times and finally robbed but not broken. Thanks to twitter the most profitable web3 activity now is a scam. Shouldn't Twitter pay more attention to its own security?"
