This is the second apparent hack of Platypus Finance, following an $8.5 million hack only ten days after it launched in February 2023. The first hack also involved flash loans.
Platypus Finance hacked for the second time
Platypus Finance paused their pools after they were alerted to what they described as "suspicious activities". Security firm PeckShield was apparently the first to notice the activity, sending them a dreaded "hi, you might want to take a look" tweet that has become their signature way of alerting protocols that something bad has just happened. The CertiK security project also tweeted that they'd observed multiple suspicious flash loans involving the project.
New Rodeo Finance project exploited for the second time in one week
An attacker manipulated a price oracle to drain 472 ETH (~$884,000) from Rodeo Finance, a new Arbitrum-based leveraged yield protocol. The thief then used Tornado Cash to tumble the funds, some of which they placed into staking programs. According to Rodeo Finance, the attacker initially exploited the protocol for closer to $1.7 million, but $810,000 was recovered. Small victories. Anyway, Rodeo paused the protocol, and stated that they are working on recovery plans.
This was actually the second attack to impact Rodeo Finance in a single week. On July 5, the same day as their public token launch, the project was exploited for around $90,000 thanks to a bug in a smart contract.
NFT phisher charged over OpenSea lookalike scam
The U.S. Attorney's Office of the Southern District of New York announced the unsealing of charges against Soufiane Oulahyane, who they allege created a lookalike OpenSea website to trick victims into entering their login details, and used sponsored links in a "popular internet search engine" to cause his site to show up as the first result when a person searched "opensea". A victim with the OpenSea name "Hank666" entered his credentials into the scam website on September 26, 2021, and Oulahyane quickly used the credentials to transfer his crypto assets, sell his NFTs, and transfer the proceeds of those sales to his own wallet. Altogether, Hank666 lost assets that he had paid around $449,000 to obtain.
Oulahyane is charged with wire fraud, two counts of access device fraud, and aggravated identity theft.
- "Press release: Defendant Charged With Theft Of Cryptocurrency And NFTs Through Spoofing Of OpenSea Marketplace"U.S. Attorney's Office, Southern District of New York
- United States of America v. Soufiane Oulahyane
AlgoFi announces shutdown
AlgoFi, a lending protocol built on the Algorand blockchain, announced that they will begin winding down the project. They were vague about the specific reasons, writing only that "a confluence of events has taken place that no longer makes building and maintaining the Algofi platform to the highest standards a viable path for our company". Although AlgoFi is nominally decentralized, like many defi projects, its fate ultimately rested with the small team building it.
AlgoFi had raised a seed funding round of $2.8 million in November 2021, and was backed by groups including Union Square Ventures, Arrington XRP Capital, Pillar VC, and Y Combinator. They had also received other investments from groups including Jump Capital and Coinbase Ventures.
AlgoFi accounts for over half of the value on the Algorand blockchain, which itself has experienced a marked decline from earlier this year.
Multichain drained of another $107 million days after previous theft
Only five days after $130 million was emptied from the Multichain blockchain bridge, another $107 million in a wide range of assets has been taken. After the first theft, Multichain urged users to stop using the project and revoke contract approvals, but a large quantity of assets remained on the service.
People are becoming increasingly suspicious that the Multichain thefts may be an inside job, not least because Multichain's CEO suddenly disappeared in late May and hasn't been located since.
Arkham Intelligence referral program exposes user emails
In a somewhat amusing complement to Arkham Intelligence's "on-chain intelligence exchange" announcement, a new product which seeks to allow people to buy and sell private information about blockchain wallet owners, Arkham has found themselves in hot water for exposing user email addresses without the users' knowledge.
Like many platforms, Arkham Intelligence allows its users to earn rewards for referring new customers. Users are given a unique link to invite others to sign up, which then credits them for the referral. However, some people have observed that the unique string used to identify the user is simply their email address, base64-encoded. This is a simple way of encoding a piece of text, which is trivially reversed to expose the email address.
A user who noticed the encoding strategy tweeted: "ABSOLUTE LMAO. ALL #ARKHAM REFERRAL LINKS SHARED ON TWITTER IS DOXXING EVERYONE BECAUSE THE EMAIL IS IN THE REFERRAL URL". They then went on to decode some referral links from anonymous crypto personalities, writing "HOW DOES IT FEEL TO GET DOXXED???"
Arkham Intelligence quickly updated its referral program to use an encryption algorithm that can't easily be reversed in this way, and the CEO apologized for what he said was an early version of creating referral links that was never updated.
Arkham Intelligence releases "dox-to-earn" project
Arkham Intelligence, a blockchain intelligence company with the tagline "deanonymizing the blockchain", announced the launch of its "on-chain intelligence exchange", inviting people to "buy and sell information on the owner of any blockchain wallet address—anonymously, via smart contract." In the crypto world where transaction data is largely public, maintaining pseudonymity is often a critical part of maintaining safety and privacy. Needless to say, this had a mixed reception, with many terming the exchange "dox-to-earn".
"hey isn't the most profitable use of this just to put a bounty on whale wallets and then kidnap people? like ... did that come up in any meetings?" wrote one Twitter user. "We are now one step closer to onchain assassination markets", wrote another. Others, however, were more optimistic, speaking about "doxx[ing] scammers", "democratiz[ing] tools [the government] already has", and, in the longer term, "accelerat[ing] privacy".
Dubai regulator cracks down on BitOasis
Dubai's Virtual Assets Regulatory Authority issued an alert that BitOasis was "under review for not meeting mandated conditions". In April, BitOasis received the first "MVP Operational License" issued under a new regulatory regime in Dubai, but has apparently already fallen out of compliance. VARA warned that further enforcement actions could follow, including rescinding the license.
BitOasis wrote on their website that the license had in fact been suspended, but stated that they had not begun offering services to the segments covered by the license (institutional and qualified investors).
BitOasis is among the most popular crypto exchanges in the Middle East and North Africa (MENA) region.
Arcadia Finance exploited
Arcadia Finance is a defi margin trading protocol that launched on Ethereum and the Optimism Ethereum layer 2 protocol in March 2023. On July 9, an attacker used a flash loan to drain liquidity pools in the lending portion of the project, resulting in a total loss to the project of around 160 ETH and $163,000 in stablecoins for a total loss of almost $460,000.
The Arcadia Finance team paused related smart contracts to prevent further attacks, and began working with various crypto security projects to investigate the attack. They also sent on-chain messages to the attacker, threatening law enforcement action and suggesting they "return 90% of the funds... and walk away".
- "Arcadia Finance says exploiter contacted after $450K hack", Protos
- Tweet by PeckShield
- Etherscan transaction with message to the attacker
Hackers swipe pricey NFTs after compromising Gutter Cat Gang Twitter profile
An attacker successfully compromised the Twitter account belonging to the popular Gutter Cat Gang NFT project, as well as the one belonging to the project co-founder, and used them to post links to phishing sites claiming to be a new NFT airdrop. Instead of receiving the tokens they were promised, those who authorized the contract had their wallets drained.
One victim lost 36 NFTs, among them a Bored Ape NFT they'd purchased for around $130,000. Altogether, the attackers successfully stole NFTs worth between $750,000 and $900,000, depending on how resale value is estimated.
The following day, Gutter Cat Gang announced that they'd regained control over the Twitter accounts and taken down the malicious tweets. They stated that they were working with law enforcement to investigate the theft, but to the dismay of some victims, did not describe any plans to compensate those who lost assets.