Prisma Finance hacked for $12 million; attacker makes detailed demands

March 28, 2024

Prisma Finance hacked for $12 million; attacker makes detailed demands

The defi protocol Prisma Finance was hacked for 3,257 ETH ($11.5 million). An attacker was able to take advantage of a flaw in the project's smart contracts, allowing them to manipulate users' positions and steal some of their collateral. Two other watchful attackers observed the attack strategy and replicated it, stealing a combined additional 173 ETH (~$610,000).

Plasma paused the protocol after detecting the attack.

The first attacker, who stole the bulk of the assets, sent an on-chain message to Prisma claiming that they had performed a "whitehat rescue", and inquired about returning the funds. In later messages, however, they asked the project to answer questions about their security practices and projects' responsibilities to users to prevent attacks. The attacker then transferred the stolen funds to Tornado Cash — indicating their return is unlikely.

In another message, the attacker was angry that Prisma had not expressed gratitude to them or remorse to their users, and was angry they had used terms like "exploit" and "attack" in their description of the incident. They demanded that the team reveal their identities, apologize, and thank the attacker in an online press conference.

March 28, 2024

Sam Bankman-Fried sentenced to 25 years in prison

Sam Bankman-Fried (attribution)

Sixteen months after the collapse of his FTX cryptocurrency exchange, Sam Bankman-Fried has been sentenced to 25 years in prison. He has also been ordered to pay an $11 billion monetary judgment.

The sentence follows his conviction on all seven felony charges in November 2022 — a decision reached by the jury within hours of beginning their deliberations.

Bankman-Fried intends to appeal the conviction.

Minute Entry for proceedings held before Judge Lewis A. Kaplan: Sentencing held on 3/28/2024 for Samuel Bankman-Fried [archive]

March 26, 2024

LENX co-founder accused of $10 million rug pull

(attribution)

The LENX cross-chain bitcoin liquidity protocol has recently been accused of a $10 million rug pull after community members observed massive withdrawals of treasury funds which were then sent to Binance accounts.

One of the co-founders, known only as "Paul", claimed on Discord that he was "trying to investigate" the movement of funds, which have been blamed on the project's other co-founder, John Kim.

Conversations on Discord suggest that a remaining $3 million in treasury funds were protected, and that the remaining LENX team may have been able to convince Binance to freeze the account that received stolen funds. However, little has been verifiably confirmed to date.

LENX is backed by the Frax Finance lending protocol.

"Unexplained transfers on LENX protocol spark rug pull concerns", Cointelegraph [archive]

March 26, 2024

KuCoin and founders criminally charged

(attribution)

The cryptocurrency exchange KuCoin and two of its founders, Chun Gan and Ke Tang, were indicted in the Southern District of New York on charges of conspiring to operate an unlicensed money transmitting business and conspiring to violate the Bank Secrecy Act. Both founders are Chinese citizens, and neither has been located or arrested.

According to prosecutors, they tried to conceal that the exchange had customers from the United States in order to claim that they were exempt from US anti-money laundering laws. They also marketed KuCoin as a KYC-optional exchange where customers from the US could operate unverified accounts.

The charges against the founders carry maximum sentences of five years in prison.

"Prominent Global Cryptocurrency Exchange KuCoin And Two Of Its Founders Criminally Charged With Bank Secrecy Act And Unlicensed Money Transmission Offenses", U.S. Attorney's Office, Southern District of New York [archive]

March 26, 2024

"Munchables" crypto game exploited for $62.5 million

A small round furry shape with big blue eyes and thin legs, somewhat resembling a soot sprite

A Munchable (attribution)

The "Munchables" crypto game explains: "Schnibbles grow on every realm across the Munchable's world. Each realm has their own unique and distinctive schniblet, and the Munchables react differently based on their compatibility to the schniblets fed to them. When creating an account for the Munchables, you must choose the location of your snuggery." Right then.

Things went awry in the land of the schnibbles and snuggeries when an attacker siphoned around 17,400 ETH ($62.5 million). Various descriptions of the attack circulated, with blockchain sleuth zachxbt attributing it to a recently hired developer, and crypto developer 0xQuit claiming the theft appeared to have been "planned since deploy".

Some began discussing the possibility that the Blast layer-2 blockchain might forcibly roll back the chain to "undo" the hack. Some have argued this is contra to the crypto ethos or would set a bad precedent, while others have argued that as a blockchain focused more on gaming and experimentation and less on decentralization and other facets of crypto ideology, it would be a reasonable step.

Some hours after the attack, the exploiter was convinced to return the funds.

"Crypto game ‘Munchables’ on Blast exploited for $63M", Cointelegraph [archive]
Tweet by 0xQuit [archive]

March 25, 2024

Curio RWA project suffers $16 million exploit

(attribution)

Curio, a crypto project that creates tokens based on "real-world assets" (RWAs) like cars, watches, wine, and other goods, has suffered an attack that saw around $16 million drained from the project's funds.

A bug in the project's Ethereum smart contract enabled an attacker to mint 1 billion of the project's CGT governance token. Although the tokens were notionally priced at around $40 million, the loss to the project was estimated at closer to $16 million.

Curio DAO announced that they intended to compensate users affected by the theft over a year-long period.

"Hacker mints 1B tokens in $16M Curio smart contract exploit", Cointelegraph [archive]
Tweet by Cyvers Alerts [archive]
"CurioDAO Q1 2024 Exploit Recovery Strategy", CurioDAO [archive]

March 22, 2024

Solana memecoin frenzy sparks trend of incredibly racist meme tokens

A screenshot of many Solana tokens on DEXScreener, including:
JEWS "Jews did 911"
卐 "NAZI"
N*** TRUMP "N*** Trump"
N***OLAS "N***OLAS CAGE"
COVID "chinadidcovid"
N***Butt "N*** Butt Token"
APERAH "aperah wenfree"
BDN "Big Dick N***"
CHIGGA "Chinese N***"
HITLER "I was right"
BOJE "Book of J***ers"
WODNDOR "AuschwitzWoodenDoor"
LIBTARD "Go Woke Go Broke"
BULLJEW "BULL JEW"
wifcancer "kate wif cancer"
N*** TRUMP "N*** TRUMP 2024"
GayPedo "Gays Are Pedos"
J*** "J*** Buice"

Racist Solana tokens on DEXScreener (attribution)

Solana memecoin trading has been booming lately, with people making money by speculating on tokens themed around various memes and jokes. Amid an explosion in trading innocuously-named meme tokens like dogwifhat has also been a rise in blatantly racist tokens, named after racial slurs, featuring racist caricatures, or named after antisemitic conspiracy theories.

The tokens became so popular that projects showing newly-released tokens, like DEXScreener, became full of such tokens. DEXScreener released a statement on Twitter to say that "We'll be reviewing our token profile moderation policy in the coming days. We won't be the gatekeepers of what happens on-chain, but we're definitely not here to spread hate." The replies to the tweet were, predictably, full of people accusing DEXScreener of "censorship" and "going woke".

March 22, 2024

Previously rug-pulled Lucky Star Currency project somehow rugs again

(attribution)

The astrology-based Lucky Star Currency project rug-pulled for $1.1 million in October 2023. You'd think that might be the end of it, but on March 22, 2024, ownership of the project was transferred to a malicious smart contract that then drained tokens priced at almost $300,000 from those who still held them.

You almost have to admire the tenacity.

Tweet by CertiK [archive]

March 21, 2024

TICKER project developer steals $900,000

Tweet by MIDA (@brgMIDA): "im not sorry for any of you, tbh
you are all morons if you believe all it needs to make it here is to send your money to a custodial address and get rich, you were expecting to receive 10,100,1000x money for that donation or wtf, "they dont tell us it gonna 1000x when they are down the streets tho", cuz you would have otherwise mfer? go touch grass anon, and apply donating from hands to hands to people in needs in your closest physical community and turn the world a better place instead, i love you
social contracts do not have a place on the blockchain anons, i don't know why it is not much more evident for all of you"

Tweet by TICKER thief (attribution)

A developer brought on to run a presale for the $TICKER token stole $900,000 from the project. 15% of the token supply was sent to the developer to distribute via an airdrop, but instead of doing so, the developer sold the majority of the tokens for around $900,000.

After the thief was identified by blockchain sleuth zachxbt, they posted a long message on Twitter, writing, "im not sorry for any of you, tbh. you are all morons if you believe all it needs to make it here is to send your money to a custodial address and get rich". The thief later spent some of the money on Milady NFTs and memecoins.

zachxbt stated that he had identified the developer, including his full name, location, and other details. He encouraged those who were scammed to contact him if they were interested in pursuing legal action.

Tweet thread by zachxbt [archive]

March 21, 2024

Super Sushi Samurai exploited by whitehat for $4.6 million

(attribution)

Super Sushi Samurai, a new blockchain game on the Blast layer-2 blockchain was exploited for $4.6 million when an attacker discovered a vulnerability in its smart contract. A bug in the mint functionality caused users who transferred their $SSS balance to themselves to receive twice as many tokens. An attacker took advantage of this to drain $4.6 million from the project, causing the $SSS token to plummet by 99%.

The attacker contacted the project shortly after the theft, claiming to be a whitehat. They wrote, "Hi team, this is a whitehat rescue hack. Let's work on reimbursing the users." Super Sushi Samurai later confirmed that the funds had been returned, minus a 5% "bounty". The team also gave the whitehat an additional 2.5% in SSS tokens and land, and brought them on to the project team as a tech adviser.

On-chain message from exploiter [archive]
Tweet by coffeexcoin [archive]
Tweet by Super Sushi Samurai [archive]

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.