Taiwanese singer Jay Chou has Bored Ape stolen

[Image: BAYC #3738. An illustration of a grimacing ape with pink fur and diamond teeth wearing a colorful stunt jacket on an orange background.]
Taiwanese singer Jay Chou fell victim to an apparent phishing scam, in which a malicious actor transferred his pricey Bored Ape NFT to their own wallet. The scammer then flipped the NFT for sale on LooksRare for 130 ETH (~$425,000).

The theft prompted security researchers at Check Point Research to investigate what ended up being a serious bug in Rarible, where malicious NFTs could execute JavaScript and trick users into signing a contract that would then empty their wallets.

Class action lawsuit filed against "Let's Go Brandon" coin creators for alleged pump-and-dump

[Image: Brandon Brown poses with LGB coin branded car before sponsorship deal is cancelled. NASCAR driver poses standing against a racecar with American flag detailing, the domain "LGBcoin.io", and the number 68 painted on it.]
A class-action lawsuit filed by Missouri investor Eric De Ford claims that the people behind the pro-Trump "Let's Go Brandon" (LGB) memecoin misled investors about a NASCAR sponsorship deal and celebrity backing. LGB coin had nearly reached an agreement to be the primary sponsor for NASCAR driver Brandon Brown, but the sponsorship was axed by NASCAR shortly after LGB coin announced it. Regardless, those behind the coin allegedly continued to promote the coin as though the NASCAR sponsorship was in motion, even as the token value cratered. The lawsuit alleges that "Defendants pushed the LGB Tokens as a means of promoting the American dream, while simultaneously touting the prospects for LGB Tokens and the ability for investors to make significant returns from the LGB Tokens like other so-called 'meme coin' digital assets... In truth, Defendants cynically marketed the LGB Tokens to investors so that they could sell off their portion of the Float for a profit."

De Ford has named the LGB coin creators in the suit, as well as NASCAR, and promoters like Brandon Brown and Candace Owens.

Apparent scammers drop NFTs appearing to be from the Bored Ape Yacht Club project

[Image: Fake BAYC land NFT. 3D-rendered piece of "land" crudely made from simple polygons, with block text reading "1x1" underneath.]
An apparent scammer was able to create transactions that appeared as though they were coming from the smart contract belonging to the Bored Ape Yacht Club. OpenSea's UI doesn't differentiate these spoofed transfers from those that are actually coming from the project's contract, and so only users who carefully look at the transaction details can spot that the NFT is suspicious. "This is unfortunately just how the blockchain works", wrote gofannon.eth, the Director of Engineering for the company behind BAYC.

Whoever was behind these transactions airdropped fake NFTs purporting to be a part of an upcoming BAYC metaverse land project, sending them to owners of pricey NFTs and various NFT influencers. It's not clear whether the NFT can perform malicious actions or, if so, whether any individuals have been impacted by it. However, part of the scam appeared to be an attempt to entice other users hoping to get in on the next new BAYC project to fall for a phishing scam. Tracing the transactions back showed an OpenSea profile with a fake "verified" badge and a mint link to what appears to be a phishing website, which invites people to connect their wallets to supposedly mint their own BAYC land NFTs.

Discord servers of several big-name NFT projects including Bored Apes and Doodles are compromised

Another day, another Discord compromise — or in this case, many Discord compromises. Bored Apes wrote on their Twitter account in the early hours of the morning, "STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised. We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now."

Other Discords reported to be compromised belong to several other big-name projects, including Doodles, which had previously endured a Discord compromise in late February. This particular compromise appeared to stem from a series of compromised Discord bots, including a very popular CAPTCHA bot used to fight spammers. It's unclear if anyone lost money to the fake links posted by seemingly-official Discord accounts, or how much, but these types of attacks often lure in at least some victims, and the higher-priced NFT projects like Bored Apes and Doodles enable scammers to ask for quite a lot of money without raising an eyebrow.

Nate Chastain, executive who was canned from OpenSea for alleged insider trading, creates a new NFT platform

Nate Chastain resigned from OpenSea at their request in September 2021 after it was discovered that he had allegedly been buying NFTs based on insider knowledge that they would be featured on the OpenSea front page, then reselling them at a profit. Fortunately for him, the crypto sphere is a great place for scammers and fraudsters to get second and third and fourth chances, and so Chastain is right back at NFTs with a new venture, "Oval". Oval is trying to raise a $3 million seed round and $30 million pre-money valuation, or a $7.5 million seed round and $50 million valuation, depending which pitch deck you look at.

Former Cosmic Cowgirls head community moderator accuses the project of rug-pulling

[Image: Cosmic Cowgirls #1128. Illustration of a woman wearing a blue and pink cowboy hat, with blue hair, crying green tears, on a green background.]
The former head moderator of the Cosmic Cowgirls NFT project Discord, Esh, wrote on Twitter that the project team had fired all moderators and scrapped all of their roadmaps. The previous roadmap had promised gamification, meetups, merchandise, comics, an animated series, and all sorts of other things, though no headway appeared to have been made on any of them. The team also removed around 300 ETH (a bit over $1 million) in funds from the project wallet.

The Cosmic Cowgirls team hit back with accusations against the head moderator, accusing him of falsifying allegations against the project out of anger at being fired along with the other moderators. The group also claimed that the funds had been moved for security and tax reasons, and sent a vaguely threatening message to the moderator in which they stated that he should "discontinue the spread of false information in attempts to harm us and the project" and "resolve [concerns] ... privately as the terms of our contract are still ongoing and applicable".

Lending protocol Ola Finance is hacked for $3.6 million

Ola Finance is a lending protocol that allows others to create their own lending networks. It promises to allow users to create their own loan platforms where "assets can be listed without needing to pass cumbersome and expensive governance schemes or comply with numerous requirements (deep liquidity, high trading volumes, low volatility, etc.)"

One of their networks, built on top of the Fuse chain, was exploited for crypto assets priced at around $3.6 million. By taking advantage of a re-entrancy vulnerability, the attacker was able to take loans on the platform, then withdraw the collateral without paying back the loans. They then took the stolen assets and transferred them to the BNB and Ethereum chains, making them more difficult to recover.
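
The ordering mistake behind this kind of bug, and the checks-effects-interactions fix, as an added toy model in Python (not Ola Finance's contract code, and not from the original entry). It assumes that paying out a loan hands control to the recipient through a receive hook; `Pool`, `Recipient` and `run` are hypothetical names, and the amounts are constructed.

```python
# Toy model of re-entrancy in a lending pool (hypothetical names; not Ola Finance's code).
class Pool:
    def __init__(self, liquidity, effects_first):
        self.liquidity, self.effects_first = liquidity, effects_first
        self.collateral = {}                # user -> deposited collateral
        self.debt = {}                      # user -> outstanding loan

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount
        self.liquidity += amount

    def _send(self, user, amount):
        self.liquidity -= amount
        user.on_receive(self, amount)       # external call: recipient code runs here (assumed hook)

    def borrow(self, user, amount):
        owed = self.debt.get(user, 0) + amount
        if owed > self.collateral.get(user, 0) // 2:
            raise ValueError("insufficient collateral")
        if self.effects_first:
            self.debt[user] = owed          # hardened: record the debt, then pay out
            self._send(user, amount)
        else:
            self._send(user, amount)        # vulnerable: pay out first ...
            self.debt[user] = owed          # ... debt is recorded too late

    def withdraw(self, user, amount):
        remaining = self.collateral.get(user, 0) - amount
        if remaining < 0 or remaining // 2 < self.debt.get(user, 0):
            raise ValueError("loan would be under-collateralised")
        self.collateral[user] = remaining
        self._send(user, amount)

class Recipient:  # constructed test account whose receive hook calls back into the pool once
    reentered, rejected = False, None

    def on_receive(self, pool, amount):
        if not self.reentered:
            self.reentered = True
            try:
                pool.withdraw(self, pool.collateral[self])
            except ValueError as exc:
                self.rejected = str(exc)

def run(effects_first):
    pool, user = Pool(1000, effects_first), Recipient()
    pool.deposit(user, 100)
    pool.borrow(user, 50)
    return pool.collateral[user], pool.debt[user], pool.liquidity, user.rejected
```

With the vulnerable ordering the pool ends with a 50-unit loan backed by zero collateral; with the debt recorded before the payout, the nested withdrawal is rejected by the ordinary solvency check.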

Creator of apparent $21 million Bored Bunny rug pull miraculously resurfaces following DOJ action against a different rug pull

[Image: Bored Bunny #3258. A 3D-rendered humanlike bunny, with cow-print skin, a tie-dye shirt, and red irises.]
Many had written off the Bored Bunny NFT project (and its subsequent spin-off NFT collections) as a rug pull. After releasing several new NFT collections that appeared to be little more than cash grabs, each less popular than the last, the team behind the project grew increasingly distant until going silent for over a month. Meanwhile, the team had pocketed over $21 million, largely thanks to the popularity the project had drummed up through influencer promotions from the likes of Jake Paul and Floyd Mayweather (both of whom, incidentally, are facing separate class-action lawsuits alleging impropriety in their promotions of crypto projects).

Suddenly, the project creator resurfaced on March 29, with a tweet claiming that he had been absent for a month because he had been... reading emails. The team then announced they would be handing the project reins over to a community member, though there was no mention of the $21.1 million that had already been pocketed by the original team.

The unexpected return came only days after the U.S. Department of Justice announced charges against two perpetrators of a different NFT rug pull, in which they stated unequivocally that "the same rules apply to an investment in an NFT or a real estate development. You can't solicit funds for a business opportunity, abandon that business and abscond with money investors provided you."

Popular blockchain game Axie Infinity suffers a $625 million exploit, the largest in defi history

One of the most popular play-to-earn games, Axie Infinity, suffered an enormous hack of the Ronin network on which it runs. The project announced that a majority of Ronin validator nodes had been compromised — four belonging to the Sky Mavis company that builds Axie Infinity, and one belonging to the Axie DAO. After gaining control of the validators, the attackers were able to approve malicious withdrawals of 173,600 ETH (about $600 million) and 25.5M USDC (a stablecoin, worth $25.5M). The $625 million loss was possibly the largest to date in the history of defi projects.

Sky Mavis announced that they had halted the Ronin Bridge and Katana DEX, and were making changes to their network to try to guard against future attacks. They also wrote that they were "working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed".

Would-be collectors of new Pak NFTs lose thousands of dollars in gas fees on failed transactions

[Image: One of the Ash NFTs. A rendering of a clear glass-like sphere partially filled with black sand, with a white 3D x partially embedded in the sand.]
Collectors were excited for a chance to obtain NFTs from the artist Pak's upcoming collection, "Ash Chapter II: Metamorphosis". Pak is an extremely popular digital artist, and his newest collection boasted collaborators including Pussy Riot, Paris Hilton, and others.

Unfortunately, the drop did not go smoothly. Heavy botting caused gas fees to spike, and the project claimed there were issues with MetaMask's estimation of gas fees. Outside parties have suggested the issue was not with MetaMask, but rather with a poorly-implemented smart contract.

People wound up making transactions that ran out of gas before completing, meaning they lost their gas fees and did not successfully receive any NFTs. Others paid sufficient gas, but ran into other errors with the contract that meant they didn't get an NFT. The spiking gas fees meant some people lost a considerable amount of money — people reported failed transactions that cost them amounts ranging from 0.1 to 0.8 ETH (between $338 and $2,700). Some who did successfully receive NFTs also claimed to have lost value as a result of the rocky mint, which they said contributed to a lower-valued NFT.

manifold.xyz, the group behind the mint, reported that they planned to reimburse people who lost gas trying to mint NFTs. Some people seemed happy with this solution, while others were upset that they missed their chance to obtain an NFT they wanted as a result of the problems.
