QANX Bridge suffers $1.16 million loss caused by the Profanity vanity address vulnerability

On September 15, a blockchain security firm disclosed a vulnerability affecting Profanity, a tool that allowed people to generate "vanity" crypto wallet addresses: addresses containing specified strings of characters. This affected some individuals with vanity addresses, but has also enabled subsequent attacks on projects that used vanity addresses, such as the Wintermute exploit on September 20.

On October 11, the QANX Bridge's deployer wallet was compromised thanks to the vanity address generator bug. Although QAN had not directly used the Profanity project to generate the address, they used a project called vanity-eth-gpu, which had derived its code from Profanity and so inherited the bug. QAN is a layer 1 blockchain that claims to be quantum-resistant.

The thief stole 1.44 billion QANX from QANX's BNB Chain bridge, which they traded for 3,090 BNB (~$837,000) and tumbled through Tornado Cash. One minute later, they drained 1.43 billion QANX from QANX's Ethereum bridge, traded it for 255.4 ETH (~$327,000), and tumbled it as well. In total, $1.16 million was cashed out via Tornado. News of the attack, and the attacker's sell-off, caused the QANX price to plummet by 94%.

The attacker still holds more than 1 million QANX, nominally worth $608,000. However, QAN withdrew liquidity for the project on Uniswap and Pancakeswap, which will make it more difficult for the attacker to sell off their remaining tokens.

This was the second theft affecting the QAN platform this year. In May, an attacker stole 4.4 million QANX, which they traded for 370 ETH (valued at ~$707,000 at the time).

Rabby Wallet's swap feature exploited a month after launch

Rabby Swap, a feature of the Rabby crypto wallet, was exploited a month after it was first rolled out. An attacker discovered an apparent vulnerability in the Rabby Swap smart contract that enabled them to arbitrarily transfer other users' funds. Rabby urged its users to revoke approvals for the contracts across multiple chains.

The attack impacted assets on multiple chains. The attacker tumbled 114 ETH (~$146,000) through Tornado Cash shortly after the hack, along with 179 BNB (~$48,500). The full extent of the attack is still being measured. The buggy contract that enabled the attack had been audited by blockchain security firm PeckShield, but the vulnerability had apparently gone undetected.

CNN accused of rug pull after ditching their Vault NFT project

In June 2021, CNN launched "Vault": a project to "make moments from history available for purchase". The project involved minting as NFTs various clips of CNN footage and photographs from their archives, such as CNN's predictions that Bush and Obama would win their presidential elections, or "War Notes": a series of photos and accompanying handwritten notes from Ukrainians impacted by the Russian war on Ukraine. On October 11, CNN announced they would "no longer be developing or maintaining this [Vault] community".

Although CNN claimed in their shutdown announcement that "Vault was originally launched as a 6-week experiment", CNN had not mentioned that the project was an experiment that was expected to possibly end. As recently as last month, Vault had been teasing upcoming events scheduled around election day in November, and encouraging users to buy more Vault NFTs to access the upcoming drops.

As an apparent attempt to placate angry users worried that the value of their NFTs might drop, CNN promised to return "either FLOW tokens or stablecoins" for "roughly 20% of the original mint price". However, the project is built on the Flow blockchain, where users can only withdraw stablecoins $10 at a time — and with a $4 fee on each withdrawal. Some angry users in the project's Discord channel threatened legal action, claiming that CNN had rug pulled.

STAX Finance exploited for $2.3 million

A hacker discovered a vulnerability in the smart contract for the STAX project, which is built on the TempleDAO defi protocol. STAX is a liquidity provider for $TEMPLE/$FRAX.

Poor access control on a function in the smart contract allowed them to withdraw 321,155 xLP tokens, which they subsequently converted to 1,831 ETH (approximately $2.34 million).

This amount represents about 4% of the assets in the TempleDAO protocol. STAX replaced its homepage with a "disclaimer" about the hack, took down the project's dApp, and urged people not to deposit into the STAX contracts.

U.S. SEC is investigating Bored Apes creator Yuga Labs

[Image: Bored Ape #648 (attribution). An illustration of a bright pink ape wearing a captain's hat, heart-shaped sunglasses, and a gold jacket and chain, with eyes on its neck.]
According to a scoop in Bloomberg, the United States Securities and Exchange Commission has been probing whether NFTs from Yuga Labs should be considered securities subject to securities regulations, and whether the company may be in violation of federal law.

Yuga Labs is the company behind the Bored Apes NFTs and spinoff projects (Mutant Apes, and Bored Ape Kennel Club), and in March also acquired the blue-chip NFT collections CryptoPunks and Meebits.

A probe does not necessarily mean that Yuga has violated the law, but such an investigation could have major ramifications for the world of NFTs.

Blockwater Technologies is insolvent

Blockwater Technologies, a crypto investment firm based in South Korea, missed a payment on their $3.4 million loan from TrueFi, a decentralized borrowing platform. According to TrueFi, the group had previously amended their loan to extend the loan period and increase the borrowing rate, but were still unable to meet their required payment. TrueFi wrote that they intended to undergo a "court-supervised administrative proceeding", a route they said they chose due to "the complexity around the sudden insolvency".

TrueFi claims the default is not a major risk to them, making up 2% of the platform's total value outstanding. They announced that the loan was "currently in an active restructuring to maximize recovery for affected BUSD lenders".

NFT collector loses Bored Apes he bought for nearly $2 million in two consecutive scams

[Image: BAYC #2951 (attribution). An illustration of an ape with pink fur and an angel halo; its eyes are closed and its mouth is open, it wears no shirt, and it has a silver stud earring.]
In an incredible display of misfortune and perhaps ineptitude, an NFT collector was scammed out of a Bored Ape and then scammed out of six more Bored Apes when he tried to revoke the permissions he'd granted for the first scam.

NFT trader Laszlo_btc went to swap his Bored Ape #8274 for another Bored Ape after reaching a deal with someone he met on Discord. He opened up Sudoswap to do the swap, but was tricked into trading his pricey NFT for a worthless NFT that was disguised to look like a Bored Ape. This is how Laszlo was scammed out of his first Bored Ape, which he'd only purchased three days prior, for 80 ETH (~$108,000). The scammer quickly flipped the NFT for around 70 ETH (~$92,000).

Realizing he'd been scammed, Laszlo went to revoke the permissions he'd granted in case he'd opened himself up to other thefts. However, instead of using the real permission revocation service Revoke.cash, he ended up using a phishing site: Revokecash.net. Only fifteen minutes after the first theft, six more Bored Apes were transferred out of his wallet.

Altogether, Laszlo had paid over $1.9 million for the collection of seven apes, which he purchased between January and October 2022. The priciest was Bored Ape #2951, which he bought for 173 ETH on May 1 — at the time, $490,000. The two sets of scammers quickly flipped all the NFTs, selling them for a total of $608,000.

CoinDesk reports that Decentraland has just 38 daily active users

[Image: Decentraland (attribution). A 3D virtual world with various logos on buildings; an avatar of a woman stands alone in the foreground.]
According to CoinDesk, the metaverse platform Decentraland is entertaining roughly 38 users a day these days. This isn't much for its "valuation" of $1.3 billion — although CoinDesk seems to be estimating this on "market cap". Its competitor, the Sandbox (also "valued" at around $1.3 billion), is doing a bit better — with a whopping 522 daily active users.

Not only that, the most users Decentraland has ever had in one day is only 675; The Sandbox had 4,503 at one point.

Celsius exposes the names of all customers and their recent transactions in court filing – including their execs

Celsius Network is undergoing bankruptcy proceedings after its impressive implosion earlier this year. The company's latest court filing is 14,532 pages long — because it contains the names and recent transactions of every user on the platform. Although the judge allowed Celsius to redact individuals' home and email addresses, the names and details of recent transactions are all publicly available — much to some users' horror.

Among those listed in the court filing were Alex Mashinsky, his wife Krissy, and various other executives. The records show that Mashinsky withdrew $10 million from Celsius shortly before the company's collapse, and his wife withdrew another $2 million. Chief Strategy Officer Daniel Leon also withdrew $7 million.

Binance Smart Chain halts after $570 million bridge exploit

Binance Smart Chain, the relatively popular blockchain that Binance is trying to rebrand as "BNB Chain", was halted when an attacker exploited "BSC Token Hub", the bridge between the old Binance Beacon Chain and BSC. The attacker successfully moved around $127 million of the stolen crypto assets off the chain before it was paused. The attacker's wallet contained 2 million BNB, valued at $586 million based on the price at the time of the hack, but as a result of the chain halt, they were not able to exfiltrate the entire amount.

Binance CEO Changpeng Zhao ("CZ") tweeted that "An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC." A BSC developer later confirmed that "we coordinated with validators to temporarily suspend BSC after having determined an exploit on a cross-chain bridge, BSC Token Hub- which resulted in extra BNB". The value of the $BNB token dropped from $293.10 to $280.40 after the news.

The chain operators and CZ seemed to feel a little awkward about the ramifications of unilaterally deciding to halt a supposedly decentralized blockchain. CZ claimed he was asleep and that the chain had already been halted by the time he woke up. The BSC team published a blog post saying that "Decentralized chains are not designed to be stopped, but by contacting community validators one by one, we were able to stop the incident from spreading. It was not that easy as BNB Smart Chain has 26 active validators at present and 44 in total in different time zones. This delayed closure, but we were able to minimize the loss." They also promised to try to decentralize the project even further going forward.
