OpenSea NFT trading platform patches a vulnerability that had allowed hackers to steal from users

Bug bounty hunters helped OpenSea patch a cross-site scripting (XSS) vulnerability in their platform that previously allowed attackers to create an NFT from an SVG image, which contained an iframe that would execute JavaScript. Attackers could create an authorization popup that looks legitimate, and if the victim fell for it, gain access to their wallet. OpenSea quickly patched the vulnerability after disclosure, though it appears it had been used in the wild—the bounty hunters began their research after seeing tweets of users who had fallen victim to attackers using the exploit.

A much-hyped Miss Universe NFT project turns out to be a rugpull

Image: Pia Wurtzbach NFT. A trading card styled image depicting Miss Universe 2015, Pia Wurtzbach.
Miss Universe and its models, the @nft Instagram, and Steve Harvey all got in on the advertisements for the Miss Universe NFT project, which Miss Universe presenter Paula Shugart said was "going to be the first brand in the NFT space that is about women, about women’s empowerment, and embracing the technology, and moving forward. I love it; this is the first one that is away from other more male-oriented spaces." Buyers were offered signed prints, virtual meetings with the models, exclusive events, and a chance to win $50,000. None of this materialized, the Miss Universe Instagram account was deleted, and NFT owners who asked questions began to be banned from the project's Discord channel.

Rapper Tekashi 6ix9ine releases a series of NFTs, only for the project not to deliver anything it promised

Image: One of the Trollz NFTs. An illustration of a human character on a yellow background, wearing a yellow construction helmet, with blue hair. It has yellow teeth and is holding a bloody machete.
$100,000 to charity, governance power over the project funds, a boxing game, and weekly competitions and raffles were all promised as a part of the Tekashi 6ix9ine-backed Trollz NFT collection. However, the project crumbled shortly after it began, with creators removing the ability to mint new NFTs before the designated number were released, a takeover of a Discord bot funneling prospective buyers to scam links, and the rapper deleting any trace of his affiliation with the project. One buyer lost $40,000; it's not been reported how much was lost in total to the apparent scam.

DeFi platform C.R.E.A.M. is hacked for a third time, this time for $130 million

Crypto lending service C.R.E.A.M. Finance lost $130 million in a flash loan attack. It was the third hack of the platform this year, following a $37.5 million hack in February and an $18.8 million attack in August.

A tech startup aims to solve the real problem with the U.S. justice system: the lack of gambling involved

Tech startup "Ryval", which is formally launching in 2022, announced its plans to allow "everyday Americans" to bet on the outcomes of civil lawsuits, potentially raising funds for the parties. While the company is spinning this as "mak[ing] access to justice more affordable", I have considerably less faith that allowing crypto investors to decide on who and what is worthy of a lawsuit (or at least which lawsuits are likely to be "profitable" to them) will somehow introduce more equality into the American legal system.

"Realms of Ruin", a YA storytelling NFT project, collapses hours after launch

Six popular young-adult fiction writers attempted to launch an NFT project where they created a base universe, and participants would contribute their own stories (which they would mint as NFTs) that would be added to the official storyline if the authors liked them enough. Questions around who would own copyright, how teenagers (the target audience) would obtain cryptocurrency and mint NFTs, and environmental impact led the creators to shutter the project only five hours after the launch announcement went out.

Successful exploit of the CreatureToadz NFT project briefly nets a poorly-disguised hacker 88 ETH (almost $350,000)

Image: CreatureToad #3813. A CreatureToadz NFT: an illustration of a red lumpy toad with hearts on its cheeks, with rain superimposed over.
A 17-year-old hacker was able to use a phishing webhook to make himself an admin in the CreatureToadz Discord server. Users who minted NFTs unknowingly sent cash to him, netting him a total of around 88 ETH (almost $350,000). However, once his real identity was uncovered shortly after the attack, the hacker returned the funds, claiming he'd intended to return them all along.

Hacker steals $16 million from Indexed Finance

A hacker drained $16 million from Indexed Finance, a DeFi protocol built on the Ethereum blockchain. The stolen funds represented nearly half of the total value locked on the platform. The hacker was later alleged to be an 18-year-old Canadian named Andy Medjedovic, who continued to refuse to return the funds even after his identity was revealed. The hacker argues that he simply took advantage of an arbitrage opportunity, and swore to "fight to the death" in court over his right to keep the money. However, the hacker never showed up to a December court appearance, and a warrant was issued for his arrest.

Four NFT projects on the Solana blockchain rug-pull in one day

Image: One of the Solana Towers NFTs. A rendering of a small room, with a desk with a large monitor and computer tower, an L-shaped couch, and a large TV on one wall.
Developers behind Solana Towers, an NFT project allowing investors to buy rooms in a metaverse virtual condo as NFTs, disappeared with around $280,000 a day after the project's launch. It was only one of the projects to do so that day, joining the developers behind three other Solana NFT projects: "Interstellar Bots", "Cheesy Dizzy", and "Technidroids".

The creator of the "Evolved Apes" NFT project makes off with $2.7 million a week after launch

Image: EvolvedApe NFT. A cartoon man wearing a mesh tank top, with a beard and facial stubble, a hot pink earring, and a brown mohawk, drinks a can of beer.
A week after the launch of the "Evolved Apes" NFT project, which consisted of 10,000 NFTs and a promised fighting game, the anonymous developer behind the project disappeared after pulling the equivalent of $2.7 million out of the project's funds.
