Pando exploited for $20 million

The defi protocol Pando suffered a $20 million loss when it was exploited with an oracle manipulation attack. The protocol suspended several of its projects in response to the hack, and wrote that they hoped to negotiate with the hacker to regain some of the stolen proceeds. Some of the stolen funds were able to be locked, although it's not clear if it was the total amount.

Telegram repossesses usernames so they can sell them as NFTs

In August, the popular messaging app Telegram started repossessing some desirable usernames that were already being used. Shortly afterwards, Telegram founder Pavel Durov explained that he had been impressed by a quarter-million-dollar domain sale by the TON blockchain domain project, and wrote, "Let's see if we can add a little bit of Web 3.0 to Telegram in the coming weeks."

Telegram later introduced some of the repossessed usernames for sale as pricey NFTs on their new "collectible usernames" market, dubbed Fragment. Although Durov had claimed that "70% of all Telegram usernames had been reserved in inactive channels by cybersquatters from Iran", and that the only usernames that were "withdrawn" had been out of use, users were given no warning or option to keep their names.

On October 27, Durov announced that "in a few days, we will also introduce the ability for users to sell their existing usernames on Fragment" – unwelcome news for those whose usernames were sold out from under them by Telegram.

Some of the usernames that have sold on the marketplace include brand names like Facebook (which sold for 60,000 TON, or ~$94,200), FIFA (sold for 600,000 TON, or ~$972,000), Amazon (sold for 262,500 TON, or ~$425,000), and Meta (sold for 404,000 TON, or ~$723,000). There is no indication the buyers are necessarily associated with the brands in question. Furthermore, the username marketplace is not available in the USA.

Monkey Drainer steals dozens more NFTs, nets around $867,000

The "Monkey Drainer" NFT phishing scammer first identified by blockchain detective zachxbt has struck again. They successfully emptied 7 CryptoPunks and 20 Otherside NFTs, which they flipped for 522 ETH (~$867,000). The scammer then laundered the funds through the Tornado Cash cryptocurrency mixer.

Gala Games tokens drained by project claiming to help them; Huobi claims the project profited

There was some brief panic on November 3 as someone minted a huge number of $GALA tokens in what appeared to be an exploit. $GALA is the native token of Gala Games, a platform for distributing blockchain-based games. It turned out that the pNetwork project had discovered a vulnerability in the pNetwork bridge, which could have allowed someone to drain the entire pool. pNetwork decided to undertake their own "white hat" attack, draining the funds before a malicious exploiter could do so.

However, the Huobi crypto exchange has claimed that pNetwork's actions were not white hat, and that they profited $4.5 million from their actions. pNetwork rebutted that they had not made any money from the operation, and threatened to sue Huobi over the accusations.

Some traders who attempted to "buy the dip" and profit from the plunge in value of the GALA tokens were also upset with Huobi, when they found that the exchange had replaced their tokens with new, worthless $pGALA tokens.

Skyward Finance treasury drained of $3.2 million

Skyward Finance is a project based on the NEAR blockchain, aiming to help users with initial token distribution. The project's treasury was drained of 1.1 million NEAR (~$3.2 million) after a hacker discovered a vulnerability in the project's smart contract. Crypto exploit research group Rekt wrote, "The fact that it took over a year for anyone to find this relatively simple exploit is remarkable." and questioned, "Was this incident an honest, albeit simple, mistake? Or a planned ejector seat?"

The project was unusually frank in their announcement, writing on Twitter that the hack had "render[ed] the Treasury and the $SKYWARD token effectively worthless... We recommend users to withdraw their funds safely where they can and for the community to no longer interact with Skyward."

Iris Energy Bitcoin mining firm close to defaulting on loans of $103 million

Iris Energy, an Australian "sustainable Bitcoin mining company", has announced that they are close to defaulting on loans used to purchase $103 million of Bitcoin mining rigs. These machines depreciate in value quickly, and are currently estimated by the company to be worth $65–$70 million. At the moment, they produce $2 million in gross profit from mining Bitcoin, which is not sufficient for the company to meet the $7 million of loan payments each month.

Oracle attack on Solend costs the project $1.26 million

Solend announced that an exploiter had manipulated the oracle price of an asset on their platform, allowing them to take out a loan that left the platform with $1.26 million in bad debt. They reported that they had paused affected pools, and did not anticipate other pools on the platform were at risk.

Rubic exchange private key compromised, token plummets

An attacker was able to compromise the private key of an admin wallet for the Rubic crypto exchange, transferring around 34 million Rubic tokens. The attacker then sold the tokens on decentralized exchanges Uniswap and PancakeSwap.

The enormous sale caused the token price to plummet from $0.082 to $0.016, an 80% decrease. The stolen tokens were nominally worth almost $2.8 million (priced at the value before the theft), but it's not likely the attackers were able to exchange them for that much given the lack of liquidity to absorb such a huge sale.

Crypto exchange Deribit hacked for $28 million

Major crypto exchange Deribit suffered a hot wallet compromise that resulted in a $28 million theft. The exchange halted withdrawals to perform security checks, but urged that customer funds were safe and that the loss was covered by company reserves.

Deribit is also among the primary creditors of failed crypto hedge fund Three Arrows Capital, which defaulted on an $80 million loan from the exchange.

Founders of Hodlnaut attempt to hide financial records from court

Hodlnaut, a crypto lending platform that halted withdrawals on August 8, has been undergoing court proceedings while it's determined if the insolvent company has a path to stabilization or if they will need to be liquidated. A Singaporean court document shows that the company founders tried to hide financial documents from the court, and that the records that do exist "have not been properly maintained". According to the Interim Judicial Managers, the founders and some other employees were uncooperative, obstructed the advisors' work, and tried to stop them from "taking into possession various key books and records of the Company".

Sounds like everything's above board over there! It was also exposed in August that the company had lied to its users about their exposure to the Terra collapse.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.