This was actually the second attack to impact Rodeo Finance in a single week. On July 5, the same day as their public token launch, the project was exploited for around $90,000 thanks to a bug in a smart contract.
Oulahyane is charged with wire fraud, two counts of access device fraud, and aggravated identity theft.
- "Press release: Defendant Charged With Theft Of Cryptocurrency And NFTs Through Spoofing Of OpenSea Marketplace"U.S. Attorney's Office, Southern District of New York
- United States of America v. Soufiane Oulahyane
AlgoFi had raised a seed funding round of $2.8 million in November 2021, and was backed by groups including Union Square Ventures, Arrington XRP Capital, Pillar VC, and Y Combinator. They had also received other investments from groups including Jump Capital and Coinbase Ventures.
AlgoFi accounts for over half of the value on the Algorand blockchain, which itself has experienced a marked decline from earlier this year.
People are becoming increasingly suspicious that the Multichain thefts may be an inside job, not least because Multichain's CEO suddenly disappeared in late May and hasn't been located since.
Like many platforms, Arkham Intelligence allows its users to earn rewards for referring new customers. Users are given a unique link to invite others to sign up, which then credits them for the referral. However, some people have observed that the unique string used to identify the user is simply their email address, base64-encoded. This is a simple way of encoding a piece of text, which is trivially reversed to expose the email address.
A user who noticed the encoding strategy tweeted: "ABSOLUTE LMAO. ALL #ARKHAM REFERRAL LINKS SHARED ON TWITTER IS DOXXING EVERYONE BECAUSE THE EMAIL IS IN THE REFERRAL URL". They then went on to decode some referral links from anonymous crypto personalities, writing "HOW DOES IT FEEL TO GET DOXXED???"
Arkham Intelligence quickly updated its referral program to use an encryption algorithm that can't easily be reversed in this way, and the CEO apologized for what he said was an early version of creating referral links that was never updated.
"hey isn't the most profitable use of this just to put a bounty on whale wallets and then kidnap people? like ... did that come up in any meetings?" wrote one Twitter user. "We are now one step closer to onchain assassination markets", wrote another. Others, however, were more optimistic, speaking about "doxx[ing] scammers", "democratiz[ing] tools [the government] already has", and, in the longer term, "accelerat[ing] privacy".
BitOasis wrote on their website that the license had in fact been suspended, but stated that they had not begun offering services to the segments covered by the license (institutional and qualified investors).
BitOasis is among the most popular crypto exchanges in the Middle East and North Africa (MENA) region.
The Arcadia Finance team paused related smart contracts to prevent further attacks, and began working with various crypto security projects to investigate the attack. They also sent on-chain messages to the attacker, threatening law enforcement action and suggesting they "return 90% of the funds... and walk away".
- "Arcadia Finance says exploiter contacted after $450K hack", Protos
- Tweet by PeckShield
- Etherscan transaction with message to the attacker
One victim lost 36 NFTs, among them a Bored Ape NFT they'd purchased for around $130,000. Altogether, the attackers successfully stole NFTs worth between $750,000 and $900,000, depending on how resale value is estimated.
The following day, Gutter Cat Gang announced that they'd regained control over the Twitter accounts and taken down the malicious tweets. They stated that they were working with law enforcement to investigate the theft, but to the dismay of some victims, did not describe any plans to compensate those who lost assets.
On July 6, an attorney posted in the project's Discord server to say that BarnBridge and "individuals associated with the DAO" were under investigation by the U.S. Securities and Exchange Commission. The attorney wrote: "To reduce potential further legal liability, existing liquidity pools should be closed, and no more liquidity pools should be started. All work on Barnbridge related products should stop, and individuals should no longer be compensated for any work they do related to Barnbridge until further notice." Decentralized!
It's not terribly surprising that BarnBridge chose to drop the facade of decentralization when the SEC came knocking, however. A recent case by the CFTC against the Ooki DAO suggests that the mere veil of "decentralization" will not be sufficient to avoid legal liability for the actions of a DAO. However, it is interesting to see the SEC now (at least allegedly) going after a relatively small player in the defi world.