STAX Finance exploited for $2.3 million

A hacker discovered a vulnerability in the smart contract for the STAX project, which is built on the TempleDAO defi protocol. STAX is a liquidity provider for $TEMPLE/$FRAX.

Poor access control on a function in the smart contract allowed them to withdraw 321,155 xLP tokens, which they subsequently converted to 1,831 ETH (approximately $2.34 million).

This amount represents about 4% of the assets in the TempleDAO protocol. STAX replaced its homepage with a "disclaimer" about the hack, took down the project's dApp, and urged people not to deposit into the STAX contracts.

U.S. SEC is investigating Bored Apes creator Yuga Labs

[Image: Bored Ape #648. An illustration of a bright pink ape, wearing a captain's hat, with heart-shaped sunglasses, with eyes on its neck, and a gold jacket and chain.]
According to a scoop in Bloomberg, the United States Securities and Exchange Commission has been probing whether NFTs from Yuga Labs should be subject to securities regulations, and whether they may be in violation of federal law.

Yuga Labs is the company behind the Bored Apes NFTs and spinoff projects (Mutant Apes, and Bored Ape Kennel Club), and in March also acquired the blue-chip NFT collections CryptoPunks and Meebits.

A probe does not necessarily mean that Yuga has violated the law, but such an investigation could have major ramifications for the world of NFTs.

Blockwater Technologies is insolvent

Blockwater Technologies, a crypto investment firm based in South Korea, missed a payment on their $3.4 million loan from TrueFi, a decentralized borrowing platform. According to TrueFi, the group had previously amended their loan to extend the loan period and increase the borrowing rate, but were still unable to meet their required payment. TrueFi wrote that they intended to undergo a "court-supervised administrative proceeding", a route they said they chose due to "the complexity around the sudden insolvency".

TrueFi claims the default is not a major risk to them, making up 2% of the platform's total value outstanding. They announced that the loan was "currently in an active restructuring to maximize recovery for affected BUSD lenders".

NFT collector loses Bored Apes he bought for nearly $2 million in two consecutive scams

[Image: BAYC #2951. An illustration of an ape with pink fur and an angel halo. The ape's eyes are closed and its mouth is open. It's wearing no shirt, and has a silver stud earring.]
In an incredible display of misfortune and perhaps ineptitude, an NFT collector was scammed out of a Bored Ape and then scammed out of six more Bored Apes when he tried to revoke the permissions he'd granted for the first scam.

NFT trader Laszlo_btc went to swap his Bored Ape #8274 for another Bored Ape after reaching a deal with someone he met on Discord. He opened up Sudoswap to do the swap, but was tricked into trading his pricey NFT for a worthless NFT that was disguised to look like a Bored Ape. This is how Laszlo was scammed out of his first Bored Ape, which he'd only purchased three days prior, for 80 ETH (~$108,000). The scammer quickly flipped the NFT for around 70 ETH (~$92,000).

Realizing he'd been scammed, Laszlo went to revoke the permissions he'd granted in case he'd opened himself up to other thefts. However, instead of using the real permission revocation service Revoke.cash, he ended up using a phishing site: Revokecash.net. Only fifteen minutes after the first theft, six more Bored Apes were transferred out of his wallet.

Altogether, Laszlo had paid over $1.9 million for the collection of seven apes, which he purchased between January and October 2022. The priciest was Bored Ape #2951, which he bought for 173 ETH on May 1 — at the time, $490,000. The two sets of scammers quickly flipped all the NFTs, selling them for a total of $608,000.

CoinDesk reports that Decentraland has just 38 daily active users

[Image: Decentraland. A 3D virtual world with various logos on buildings. An avatar of a woman stands alone in the foreground.]
According to CoinDesk, the metaverse platform Decentraland is entertaining roughly 38 users a day these days. This isn't much for its "valuation" of $1.3 billion — although CoinDesk seems to be estimating this on "market cap". Its competitor, the Sandbox (also "valued" at around $1.3 billion), is doing a bit better — with a whopping 522 daily active users.

Not only that, the most users Decentraland has ever had in one day is only 675; The Sandbox had 4,503 at one point.

Celsius exposes the names of all customers and their recent transactions in court filing – including their execs

Celsius Network is undergoing bankruptcy proceedings after its impressive implosion earlier this year. The company's latest court filing is 14,532 pages long — because it contains the names and recent transactions of every user on the platform. Although the judge allowed Celsius to redact individuals' home and email addresses, the names and details of recent transactions are all publicly available — much to some users' horror.

Among those listed in the court filing were Alex Mashinsky, his wife Krissy, and various other executives. The records show that Mashinsky withdrew $10 million from Celsius shortly before the company's collapse, and his wife withdrew another $2 million. Chief Strategy Officer Daniel Leon also withdrew $7 million.

Binance Smart Chain halts after $570 million bridge exploit

Binance Smart Chain, the relatively popular blockchain that Binance is trying to rebrand as "BNB Chain", was halted when an attacker exploited "BSC Token Hub", the bridge between the old Binance Beacon Chain and BSC. The attacker successfully moved around $127 million of the stolen crypto assets off the chain before it was paused. The attacker's wallet contained 2 million BNB, valued at $586 million based on the price at the time of the hack, but as a result of the chain halt, they were not able to exfiltrate the entire amount.

Binance CEO Changpeng Zhao ("CZ") tweeted that "An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC." A BSC developer later confirmed that "we coordinated with validators to temporarily suspend BSC after having determined an exploit on a cross-chain bridge, BSC Token Hub- which resulted in extra BNB". The value of the $BNB token dropped from $293.10 to $280.40 after the news.

The chain operators and CZ seemed to feel a little awkward about the ramifications of unilaterally deciding to halt a supposedly decentralized blockchain. CZ claimed he was asleep and that the chain had already been halted by the time he woke up. The BSC team published a blog post saying that "Decentralized chains are not designed to be stopped, but by contacting community validators one by one, we were able to stop the incident from spreading. It was not that easy as BNB Smart Chain has 26 active validators at present and 44 in total in different time zones. This delayed closure, but we were able to minimize the loss." They also promised to try to decentralize the project even further going forward.

South Korea reportedly freezes $39.6 million in crypto belonging to Terra founder Do Kwon, Kwon says it isn't his

South Korean prosecutors have reportedly frozen $39.6 million in crypto assets belonging to Do Kwon, the founder of Terraform Labs and creator of the failed Terra blockchain project. South Korea had also previously issued a warrant for his arrest.

Kwon claims that the report is a "falsehood", and "I don't know whose funds they've frozen". This joins his other claims, such as that he is "not 'on the run' or anything similar" (he is), and that Interpol didn't issue a red notice for him (they have).

Zcash continues to suffer from spam attack that started months ago

Zcash is a privacycoin which, unlike popular blockchains like Bitcoin and Ethereum, allows users to obscure who they are sending money to and how much. Since June or July, the network has been suffering from a spam attack in which attackers have been submitting massive transactions that quickly fill up block space. The chain has exploded in size, nearly tripling to more than 100GB since the attack began. Unlike other chains which are prohibitively expensive to attack, each spammed transaction costs less than a cent, and the attacker is estimated to be spending roughly $10 a day to execute the attack.

More than $1.1 million stolen from Sovryn defi protocol

The Bitcoin-based defi protocol Sovryn lost $1 million to a price manipulation attack. An exploiter was able to use the project's legacy lend and borrow functionality to maliciously withdraw 44.93 RBTC (~$915,000) and 211,045 USDT.

According to the protocol, their developers "were able to identify and recover funds as the attacker was attempting to withdraw the funds". They have also announced that Exchequer, the project's treasury committee, would "reinject" the remaining stolen funds.
