People rush to steal some of the $190 million in the Nomad bridge after an exploit is discovered

After an attacker began exploiting a vulnerability in the Nomad bridge, many people rushed to replicate the attack and steal some of the roughly $190 million of various cryptocurrencies in the bridge. Some didn't seem to think through the consequences of using wallets tied to their real-life identities to exploit the vulnerability, which should be interesting to watch.

Nomad posted on Discord and tweeted that they were "aware of the incident" and "investigating", but the attack was ongoing over an hour after the acknowledgement.

Four days before the attack, Nomad announced that they'd raised a $22.4 million seed round from investors including Coinbase, OpenSea, and Crypto.com.

Nirvana Finance drained of $3.5 million

The Solana-based yield farming project, Nirvana Finance, was exploited by an attacker who used flash loans to drain the project of just under $3.5 million. The attacker took out a $10 million loan from the Solend project, used it to mint ANA tokens, swapped the ANA for $13.5 million, and then repaid the loan. The attack was similar to the attack on Crema Finance earlier in the month.

The attack caused the project's ANA token to plunge in value by 80%, and the project's NIRV stablecoin to lose its dollar peg, falling to $0.08. Nirvana Finance tweeted, "Please be advised: ANA has lost its collateral, and NIRV has lost its peg. Until the thief restores funds, these tokens will not have exchange value. Be very careful with trading NIRV & ANA, as they currently have no guaranteed value."

They also tweeted at the hacker, promising to stop investigating the hacker's identity and to pay a $300,000 "bounty" in exchange for the funds back. They wrote, "You have not taken money from VCs or large funds — the treasury you have taken represents the collective hopes of everyday people."

The project had promised its users over 60% APY, and its Twitter account described ANA as "the balanced risk investment with adaptive yield".

Attacker makes off with $1.1 million after successful governance attack on the Audius web3 music platform

An attacker was able to create and pass a governance proposal to transfer out 18.5 million AUDIO tokens from the community treasury. They then successfully swapped these for 705 ETH (~$1.1 million).

Audius halted the token and smart contracts while they patched the bug, and brought the network back online shortly afterward. The attacker had found and exploited a vulnerability in the way the contracts were written which allowed them to rewrite the governance voting rules and delegate 10 trillion AUDIO tokens to themselves for voting purposes. They then used those tokens to pass the malicious proposal. The contracts had been audited by OpenZeppelin and Kudelski, but neither group caught the vulnerability. Audius stated that a plan for dealing with the loss of community funds was still under discussion.

FBI warns of fraudulent crypto apps that have stolen an estimated $42.7 million

The FBI's Cyber Division issued a notification about fraudulent cryptocurrency investment apps that are successfully being used to defraud American investors. The scammers typically claim to offer cryptocurrency investment services to their targets, then convince them to download mobile apps that resemble genuine crypto trading apps (sometimes mimicking actual exchanges). The apps typically show the users' accounts increasing in value, but when users try to withdraw funds they find they're unable. Sometimes the apps defraud their victims even further by claiming they need to pay an additional "tax" before they can withdraw.

The FBI stated they had identified 244 victims, and estimated the total loss associated with these fraudulent apps to be around $42.7 million.

PREMINT NFT tool hacked, user wallets drained

PREMINT is an NFT service intended to help project creators build access lists for new NFT projects based on various qualifications. The project was compromised on July 17, and users were asked to sign transactions that allowed hackers to drain all assets from their wallets. 314 NFTs were stolen, including from pricey collections such as Bored Ape Yacht Club, Otherside, Moonbirds Oddities, and Goblintown. The thieves were able to flip the stolen NFTs for 270 ETH ($375,000), which they then tumbled through Tornado Cash.

On July 20, PREMINT's CEO announced they would be compensating all users affected by the hack by sending them ETH equivalent to the floor price of the stolen NFTs. "I realize that the NFTs stolen were not all floor NFTs... You might feel like this compensation isn't enough. But I don't think there's any other scalable and objective way to do this," he said. The total repayment will amount to about 340 ETH ($525,000). PREMINT also bought the two most expensive stolen NFTs from their new owners for the prices they had paid to buy them from the hacker — 92 ETH ($138,000) for a Bored Ape and 12 ETH ($17,800) for an Azuki. Those NFTs were returned to their original owners.

NFTs valued at $150,000 stolen via phishing link posted to the hacked Twitter account of NFT artist DeeKay

[Image: A colorful illustration of a conveyor belt zig-zagging upwards. On the bottom level is a small boy with a butterfly over his head, amidst houses and trees. The second level has a larger town. The third level has an illustration of New York, with skyscrapers and the Statue of Liberty. The fourth level has San Francisco, with the Golden Gate Bridge. The fifth and final level has hills and a gravestone, with a ghostly angel next to it.]
Frame from the animated "Life and Death" NFT sold to Snoop Dogg
On July 16, hackers compromised the Twitter account belonging to the well-known NFT artist DeeKay, who sold an NFT for 310 ETH (then $1 million) to Snoop Dogg in April. The 180,000 followers of DeeKay's compromised Twitter account saw it post a link announcing a new limited quantity airdrop, which directed them to a website mimicking DeeKay's real site. Some people fell for the scam, and in trying to claim their NFTs, actually approved transactions that allowed the scammers to empty their wallets. One victim lost four Cool Cat NFTs and three Azuki NFTs, which have floor prices of around 4 ETH (~$5,350) and 12 ETH (~$16,200) respectively.

Altogether, the stolen NFTs were valued at around $150,000. DeeKay reported that he wasn't sure how his Twitter account had been compromised, but that "my guess is that [two-factor authentication] was off for that specific time". DeeKay wrote that he was considering compensating his followers who were victim to the scam, but that "[a] few are pretending to be affected and looking for opportunities", and "this also encourages hackers to keep doing their thing". "There were some kind souls who were affected and have shown me great flexibility for me to compensate in different ways. Some are asking for high demands as if I was the hacker...😪", he wrote in the thread.

Citizen Finance claims to have been hacked for around $100,000

Citizen Finance, a multichain platform that has something to do with NFTs and blockchain gaming, claimed to have suffered an attack by an outside party who obtained access to a private key for the BNB and Polygon chains. The attacker then used their access to transfer 244 BNB (~$55,000), 57,637 MATIC (~$32,300), and 7,000 USDC for a total windfall of around $94,300. The theft also caused the value of the CIFI token to plummet more than 50%.

As with many of these attacks, it's not immediately clear if there was truly an outside party who gained unauthorized access, or if the "attack" was actually a rug pull or an inside job. The project tweeted on July 16 that they were "continu[ing] to investigate" and had hired outside security firms to try to help them identify the hacker and recoup lost funds.

More than $8.17 million stolen in phishing attack targeting Uniswap users

In a successful, broadly-targeted phishing campaign, more than 70,000 addresses connected to Uniswap were airdropped tokens that baited users into approving transactions that allowed attackers to control their wallets. After some initial confusion that there might be a vulnerability in Uniswap itself, it was determined that the thefts were being perpetrated through the airdrop, which also linked users to a website that resembled the authentic Uniswap site. Users were tricked into signing the contract, and cryptocurrency and NFTs were stolen from wallets.

One single wallet targeted by the phishing attack lost more than $6.5 million worth of Ether and Bitcoin, and another targeted by attackers lost around $1.68 million worth of those currencies.
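The PREMINT, DeeKay and Uniswap-airdrop drains above all relied on victims signing an approval they did not understand. As an added example (not code from the page or from any of these projects), here is a small Python decoder that shows what such a calldata blob actually grants before it is signed; the selectors are the standard ERC-20/ERC-721 ones, and the address in the sample is a constructed placeholder.

```python
# Added example (not from the page or these projects): decode calldata a wallet is
# asked to sign and flag the approvals behind the drains described above.
UINT256_MAX = (1 << 256) - 1

# Standard 4-byte selectors (first 4 bytes of keccak256 of the ABI signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 (ERC-721: arg is token id)
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 and ERC-1155
}

def encode_call(selector: str, address: str, value: int) -> str:
    """Build calldata for a two-argument call; used here to construct samples."""
    addr_word = bytes.fromhex(address.removeprefix("0x")).rjust(32, b"\x00")
    return "0x" + selector + addr_word.hex() + value.to_bytes(32, "big").hex()

def _word(data: bytes, i: int) -> int:
    """Return the i-th 32-byte ABI argument word as an int."""
    chunk = data[4 + 32 * i: 36 + 32 * i]
    if len(chunk) != 32:
        raise ValueError("calldata truncated")
    return int.from_bytes(chunk, "big")

def analyze_calldata(calldata_hex: str) -> dict:
    """Classify what signing this calldata would let the counterparty do."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    func = SELECTORS.get(data[:4].hex()) if len(data) >= 4 else None
    if func is None:
        return {"function": None, "risk": "unknown",
                "reason": "unrecognised selector; inspect before signing"}
    # Addresses are right-aligned in their 32-byte word: keep the low 20 bytes.
    counterparty = "0x" + _word(data, 0).to_bytes(32, "big")[12:].hex()
    arg = _word(data, 1)
    if func.startswith("setApprovalForAll"):
        risk, reason = ("high", "operator may transfer every NFT in this collection") \
            if arg else ("low", "revokes operator approval")
    elif arg == UINT256_MAX:
        risk, reason = "high", "unlimited token allowance"
    elif arg:
        risk, reason = "medium", f"allowance (or ERC-721 token id) of {arg}"
    else:
        risk, reason = "low", "allowance set to zero"
    return {"function": func, "counterparty": counterparty,
            "risk": risk, "reason": reason}

if __name__ == "__main__":
    # Constructed sample: the blanket NFT approval a drainer page requests.
    drainer = "0x" + "ab" * 20  # placeholder address, not a real indicator
    print(analyze_calldata(encode_call("a22cb465", drainer, 1)))
```

A wallet or browser extension that surfaced this classification at signing time would have shown victims that they were granting a stranger control of an entire collection rather than claiming an airdrop.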

More than $2.25 million stolen from Bifrost's BiFi platform

Bifrost is a platform that allows developers to create dApps across multiple blockchains. They run the service BiFi, which is a defi platform built atop Bifrost. On July 10, they inadvertently exposed the key to their Bitcoin address-issuing server. An attacker was able to use this to self-sign their own deposit address, then make a fake deposit into the BiFi Bitcoin lending service in exchange for 1,852 ETH ($2.25 million).

Bifrost wrote in their post-mortem analysis that because the attack was limited to the BTC address registration server, and the hack didn't exploit any smart contract or protocol vulnerabilities, a security audit performed by Theori "is still valid" — leading one to wonder why anyone should trust an "audited" platform if $2.25 million in assets can be stolen without invalidating an audit.

Hackers steal $1.43 million from Omni NFT lending platform

Hackers used a flash loan attack to steal around 1,300 ETH ($1.43 million) from the NFT lending platform Omni. Omni allows users to borrow cryptocurrency against their NFTs.

Hackers used NFTs from the popular Doodles collection as collateral to borrow wETH, then withdrew all but one of the NFTs, allowing them to perform a re-entrancy attack. The attacker then laundered the funds using the Tornado Cash cryptocurrency tumbler.

According to Omni, only funds belonging to the platform that were being used for testing were taken by the attacker.
