In addition to the unregistered offerings charge, the SEC alleges Heart and PulseChain misappropriated $12.1 million to fund Heart's lavish lifestyle. Among other things, he purchased a McLaren sports car, five luxury watches, and a $4.3 million 555-carat black diamond called "Enigma", allegedly using funds from the sale.
SEC goes after Richard Heart and his projects Hex, PulseChain, and PulseX
The SEC filed charges against Richard Heart, the operator of Hex, PulseChain, and PulseX. Despite Heart's best attempts at evading securities laws — including by asking people to "sacrifice" tokens in exchange for PLS and PLSX to avoid using the term "invest" — the SEC says he's been conducting unregistered securities offerings amounting to more than $1 billion.
Bug in Vyper smart contract language enables multiple exploits on Curve and related projects
Some types of Curve factory pools, including one operated by AlchemixFi and one by JPEG'd, were exploited. The attack stemmed from an issue in the Vyper language, a smart contract programming language that is similar to Solidity. Early investigations suggested that versions of the Vyper compiler had improperly implemented a re-entrancy guard, leaving some projects vulnerable to that type of attack. Vyper tweeted an announcement that the versions were vulnerable, and urged "projects relying on these versions [to] immediately reach out to us".
Curve itself lost $61 million to the exploit. AlchemixFi was exploited for around $13 million in assets, and JPEG'd suffered a $11 million loss. MetronomeDAO suffered a $1.6 million loss, Ellipsis Finance lost $68,600, and Debridge Finance lost around $24,600.
Altogether, somewhere between $88 million and $100 million was taken, though some exploits appeared to be whitehat actions intended to preserve funds. The primary exploiter also later returned some of the stolen funds, refunding the entire amount to AlchemixFi and 90% of funds to JPEG'd in exchange for a 10% "bug bounty".
Kannagi Finance rug pulls for over $2 million
The defi yield aggregator project Kannagi Finance rug pulled on July 29 as its creators drained the $2.13 million total value locked. Kannagi Finance deleted its website and social media accounts following the exit scam.
Blockchain security firm SolidProof had audited Kannagi in June.
Memecoin launch by Pauly0x costs traders at least $2.2 million
Traders hoping to get in on the next big memecoin eagerly snapped up a token called Pond0x, a Pepe the Frog-branded memecoin launched by Pauly0x. Pauly0x is Jeremy Cahen, a crypto personality best known for his creation of CryptoPhunks, NotLarvaLabs, and involvement in the Ryder Ripps lawsuit.
However, serious flaws in the Pond0x contract resulted in traders losing at least $2.2 million as people discovered that anyone could transfer coins belonging to other people. People quickly began rushing to steal coins from one another.
Pauly0x responded by blaming the traders who bought and sold the tokens, and spent the following day variously posting on Twitter that he was teaching people a lesson, that it wasn't his fault that people lost money, and suggesting that the flaw was part of a bigger plan for the project. "No one stole your tokens lol. The contract is literally designed as such," he wrote to angry traders accusing him of a rug pull. He added to the website a message reading, "GREED KILLS".
DeFiLabs rug pulls for $1.6 million
A defi project called DeFiLabs was able to rug pull for $1.6 million thanks to a backdoor written into the smart contract. After traders bought into the project, its creator was able to call the
withdrawFunds function to make off with the project's assets.DeFiLabs claimed on Twitter that the platform "encountered an unexpected issue" while "undergoing maintenance and updates".
DeFiLabs had been audited by blockchain security firm CertiK.
- "DeFiLabs", Rekt
CoinsPaid hacked for $37.3 million
The CoinsPaid crypto payment platform, which provides payment services to various online casinos, reportedly suspended withdrawals under mysterious circumstances. The company later deleted a handful of tweets pertaining to the incident, which they ascribed to a "technical issue".
After prominent Bitcoiner Jameson Lopp tweeted that the issue "look[s] more like a hack", CoinsPaid replied "Our team is aware of the issue... Please wait for the official announcement on this topic." Crypto researcher zachxbt responded, "The issue is you got hacked by North Korea that's what lol", referencing the increasing suspicion that the Lazarus group may be behind the disruption. Sure enough, CoinsPaid later confirmed that they had been hacked for $37.3 million, and announced that they suspected the Lazarus Group was behind it.
Some have been speculating that there are connections between this incident and the $60 million hack of the Alphapo crypto payments processor on July 22. Alphapo also provided services to various online casinos. Indeed, there seem to be connections between Alphapo and CoinsPaid, and they may in fact be operated by the same people.
EraLend exploited for $3.4 million
The EraLend crypto lending platform was exploited for around $3.4 million after an attacker took advantage of a re-entrancy vulnerability to manipulate token prices and drain funds from the project. The thief then quickly distributed the stolen funds across various wallets and blockchains.
EraLend paused various functions of their protocol while they investigated the attack, and said they were working with various security research organizations and law enforcement to investigate the theft.
The BlockSec security research firm warned other projects that re-used a portion of code to be cautious if they re-used a portion of code from SyncSwap, because they could also be vulnerable.
IEGT token rug pulls for $1.14 million
The IEGT token was created on Binance Smart Chain on July 13. However, its creators "covertly minted a large amount of tokens, primed for a rug pull", as blockchain security firm SlowMist described it. Although the project reportedly had only 5 million tokens in supply, this allowed the team to sell 1 billion tokens, cashing out approximately $1.14 million in the USDT stablecoin.
Alphapo hacked for more than $60 million
The crypto payment processor Alphapo suffered a hot wallet hack on July 22 in which at least $60 million in Ethereum, Tron, and Bitcoin was stolen. Alphapo processes payments for several gambling platforms including HypeDrop, Bovada, and Ignition.
HypeDrop disabled withdrawals on their platform, and wrote on Twitter that they were experiencing "ongoing deposit and withdrawal issues" due to "an issue on the cryptocurrency provider's side."
Conic Finance exploited again, hours after first hack
Hours after suffering a $3.2 million exploit on their ETH pools, Conic Finance was hacked for a second time. Although Conic had assured the public that the incident was limited to the ETH pool and other pools were not at risk, an attacker successfully exploited their crvUSD pool. The attacker stole around $934,000, though ultimately only was able to realize around $300,000 in profit.
- "Post Mortem — ETH and crvUSD Omnipool Exploits", Conic Finance Medium