Bug in Treasure NFT marketplace results in listings being sold for free

[Image: A pixel art monkey with a large brain, who appears to be made out of gold] Smol Brains #5203 (attribution)
The Treasure NFT marketplace on Arbitrum (a layer 2 network built atop Ethereum) apparently experienced a bug that allowed someone to "buy" NFTs in transactions where they sent 0 currency. The attacker particularly seemed to target the "Smol Brains" NFT project, likely because of its relatively high value — the project has a floor price of almost $10,000. Some of the NFTs that were transferred at no cost to the attacker had been listed for several times that floor price, including one gold-colored Smol Brain (pictured) that had been put up for sale for the equivalent of $560,000.

At least 17 Smol Brains NFTs were stolen, which were listed for a combined total of around $1.4 million. PeckShield reported that more than 100 NFTs from multiple collections had been stolen. The exploit was reportedly due to a bug in the marketplace contract that allowed an attacker to set a quantity of 0 in a purchase transaction; multiplied by the item price, this produced a total price of 0, and the listed NFT was still transferred to the buyer.
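To make the "quantity times price" failure concrete, here is an added illustration that is not Treasure's contract code: a small in-memory Python model of a marketplace whose purchase path computes the total as price multiplied by a caller-supplied quantity. The listing names, token id and price are constructed (the id and price echo the gold Smol Brain in the caption), and the "transfer ignores quantity" behaviour is an assumption that mirrors how an ERC-721-style transfer of a single token would not consult a quantity argument. The hardened path adds the check a reviewer would expect: the quantity must be at least 1 and no larger than what is listed, before the price check is trusted.

```python
"""Toy model of a marketplace purchase path where total = price * quantity.

Constructed example, not the Treasure marketplace's code. It exists to show
why a quantity of 0 turns a paid listing into a free transfer when the
quantity is never validated.
"""
from dataclasses import dataclass


@dataclass
class Listing:
    seller: str
    price: int      # price per item in integer token units (constructed)
    quantity: int   # 1 for a unique, ERC-721-style token


class InsufficientPayment(Exception):
    pass


class InvalidQuantity(Exception):
    pass


class Marketplace:
    """Minimal marketplace; `check_quantity` toggles the missing validation."""

    def __init__(self, check_quantity: bool):
        self.check_quantity = check_quantity
        self.listings: dict[int, Listing] = {}
        self.owner_of: dict[int, str] = {}
        self.balances: dict[str, int] = {}

    def list_item(self, seller: str, token_id: int, price: int, quantity: int = 1) -> None:
        self.owner_of[token_id] = seller
        self.listings[token_id] = Listing(seller, price, quantity)

    def buy_item(self, buyer: str, token_id: int, quantity: int, payment: int) -> int:
        listing = self.listings[token_id]
        if self.check_quantity:
            # Hardened path: the payment check below only means something if
            # quantity is non-zero and does not exceed the listed amount.
            if quantity <= 0 or quantity > listing.quantity:
                raise InvalidQuantity(quantity)
        total = listing.price * quantity          # 0 when quantity == 0
        if payment < total:
            raise InsufficientPayment(f"need {total}, got {payment}")
        # Settlement. Assumption for this model: like a single-token transfer,
        # moving the NFT does not consult `quantity`, so on the unchecked path
        # the token changes hands after a zero-value payment.
        self.balances[listing.seller] = self.balances.get(listing.seller, 0) + total
        self.owner_of[token_id] = buyer
        del self.listings[token_id]
        return total


def run_scenario(check_quantity: bool) -> tuple[str, bool]:
    """Attempt a quantity-0, payment-0 purchase; return (final owner, rejected?)."""
    market = Marketplace(check_quantity=check_quantity)
    market.list_item("seller", 5203, price=560_000, quantity=1)
    try:
        market.buy_item("buyer", 5203, quantity=0, payment=0)
        return market.owner_of[5203], False
    except InvalidQuantity:
        return market.owner_of[5203], True


def legitimate_purchase() -> int:
    """A normal quantity-1 purchase still succeeds on the hardened path."""
    market = Marketplace(check_quantity=True)
    market.list_item("seller", 5203, price=560_000, quantity=1)
    return market.buy_item("buyer", 5203, quantity=1, payment=560_000)


if __name__ == "__main__":
    print("unchecked:", run_scenario(False))   # token moves to buyer for 0
    print("hardened: ", run_scenario(True))    # rejected, seller keeps token
    print("legit paid:", legitimate_purchase())
```

The point of the model is that the `payment < total` comparison is only as good as the inputs feeding `total`; validating `quantity` against the listing before any arithmetic is what closes the gap, and a zero-value sale of a listed token is also the signal to alert on when monitoring marketplace events.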

TreasureDAO co-founder John Patten wrote in a tweet while the hack was ongoing that "We will cover the costs of the exploit — I will personally give up all of my Smols to repair this."

One contracted developer writes malicious code for 32 different NFT projects

[Image: Rendering of a spherical planet with dark green trees interspersed with futuristic skyscrapers] Thestarslab #6333 (attribution)
A developer offering his services on the freelancer marketplace Fiverr was hired by 32 different NFT projects, for which he wrote and deployed the smart contracts. The first project to be compromised via the malicious code was the "TheStarsLab" project, when the developer renounced ownership of the mint contract, making it impossible for the project team to access the funds. The developer is the only one with the ability to move the money out of the project contract, and as of a month after the attack, the 197 ETH (~$580,000 at the time of the attack; ~$648,000 as of April 10) remained stuck in the contract.

About 2/3 of the other affected projects had yet to launch or had no social media presence. Crypto sleuth zachxbt tried to contact the other 1/3, and some of the projects were able to migrate contracts before any malicious actions. zachxbt wrote, "Funny enough when I reached out to all the different projects the ones that responded said they either didn't read over the smart contract beforehand or weren't the most technically inclined teams." On April 7, OpenSea contacted zachxbt to say they had frozen trading for all contracts created by the developer.

Hackers who stole data from Nvidia demand the chipmaker remove cryptomining limitations on GPUs

In late February, the Lapsus$ ransomware group claimed to have breached Nvidia's corporate network and stolen more than a terabyte of data, which they say includes schematics and source code for drivers and firmware, as well as employee credentials. Instead of the typical monetary ransom, Lapsus$ demanded something unusual: that Nvidia remove the "Lite Hash Rate" (LHR) feature from their graphics cards. LHR is an artificial limitation that Nvidia has applied to their line of gaming chips, which makes them less attractive to cryptominers who have otherwise been causing shortages in GPUs.

Lapsus$ initially promised that if Nvidia removed LHR from their 30-series line of chips, they would "forget about [the hardware] folder (it's a big folder)". However, they updated their demand on March 1, demanding that Nvidia either make all current and future drivers for all of their cards open source ("while keeping the Verilog and chipset trade secrets... well, secret"), or else they would publish all files for Nvidia chips. They wrote that Nvidia had until March 4 to make a decision. As of March 3, Nvidia had not made a statement around whether they would acquiesce to the hackers' demands.

Former ConsenSys employees demand audit regarding MetaMask and Infura's transfer to a new company

A group of 35 former employees of the startup incubator ConsenSys filed a request for an audit of a transfer of the company's "crown jewel" assets to a new company, which they say "was to the detriment of the minority shareholders". The requested audit relates to an August 2020 deal that saw the cryptocurrency wallet MetaMask and the developer platform Infura transferred to a brand new entity. The transaction also resulted in the banking giant JPMorgan taking a 10% share in ConsenSys, and in a $39 million loan by the ConsenSys founder being offset. The shareholders allege that MetaMask and Infura were massively undervalued in the trade, an allegation that a ConsenSys spokesperson has rebutted, saying that "the group would like to apply a valuation that might be achieved today to a set of projects that were pre-monetization during the darkest days of Covid when the transaction took place".

Far-right social network Parler launches an NFT platform where you have to pay with credit cards

[Image: An illustration of Donald Trump wearing rhinestone sunglasses and a rhinestoned tuxedo and bow tie, in front of rhinestoned text reading "TRUMP"] CryptoTrump (attribution)
You might think if Parler was going to create an NFT celebrating their hero, they wouldn't include along with their promotional material the example most reminiscent of Milo Yiannopoulos, the man who's been so effectively deplatformed that he's had to resort to selling statues of the Virgin Mary on a home shopping TV channel. On March 1, the far-right social network Parler announced their "CryptoTrump" NFTs, which will sell on their "DeepRedSky" NFT platform. The platform is built on the Solana blockchain, and has already helped Melania Trump "sell" (wash trade) her NFTs. Their inaugural project is a collection of 250 algorithmically-generated Trump NFTs, which will sell for $2,750 each and eventually be part of a collection of 10,000 items.

Although Parler's press release contains a lot of their usual chest-thumping about "freedom from Big Tech", the DeepRedSky NFTs can only be minted with credit cards, with payments being processed through Stripe. The good news: if you aren't getting enough of a rush out of the risks involved with crypto in general, you can get a new thrill from giving your personal information to a platform that's been hacked multiple times.

GenomesDAO wants you to give them your genetic data, which they acknowledge is "data that can be exploited in ways we cannot even imagine yet"

[Image: An illustration of a calico cat with green eyes] Who's going to tell them cats don't have human eyebrows? (attribution)
GenomesDAO has created a platform which they promise will allow people who wish to sell their genetic data to have more control over it. They write that genetic data is "data that can be exploited in ways we cannot even imagine yet" and go into a list of these possible exploits — and this is apparently why you should definitely entrust it to a company building in a space known for its endless hacks. The company promises to help users earn money through selling access to their genome — though of course this isn't until step five in their roadmap. They're currently at step two or step three, depending on which version of your roadmap you look at; both steps seem focused on creating cat NFTs out of your genetic data for some reason.

Randi Zuckerberg tests your secondhand embarrassment tolerance with her second crypto-themed parody song

Apparently hoping to create the "rallying cry for the women of web3", Randi Zuckerberg released her second crypto-themed song "WAGMI", a parody of Twisted Sister's "We're Not Gonna Take It". Earlier that month, she had released another parody video, of Adele's "Hello". "WAGMI" is loaded with crypto in-jokes, with Zuckerberg at one point yelling "LFG! sweep the goddamn floor! we're hodling, yes we are!" The reaction on Twitter appeared to be fairly universally one of cringe, and more than a few users drew comparison to the terrible raps of alleged Bitfinex money launderer Heather "Razzlekhan" Morgan.

Partway through the song, Zuckerberg sings "carpe the crypto diem". This raises the question of whether she intentionally included a dig at her brother Mark's failed Diem cryptocurrency project (formerly Libra), or if the project was such a flop even his own sister didn't know about it. I truly can't decide which scenario would be funnier.

NFT collector files $6 million lawsuit against OpenSea, LooksRare, and the company behind Bored Apes for not doing more to discourage thefts

[Image: A Mutant Ape illustration, with an ape made out of yellow oozing slime, with rainbow worms coming out of its nose, wearing rainbow suspenders] Mutant Ape #1819, one of the stolen NFTs (attribution)
Robert Armijo is the former owner of three valuable NFTs — one Bored Ape and two Mutant Apes — which he bought for a total of around $300,000 between November 2021 and January 2022. On February 28, he filed a lawsuit against the NFT marketplaces OpenSea and LooksRare, as well as the company behind the Bored and Mutant Ape projects, Yuga Labs. The lawsuit was filed only ten days after another former Bored Apes owner filed suit against OpenSea for allegedly failing to secure their platform.

On February 1, he was the victim of a phishing attack in which he lost the three pricey NFTs. He had agreed to trade one of his Mutant Apes for another NFT he was interested in, but he and the prospective buyer had to perform the transaction through a platform other than OpenSea or LooksRare because it was a swap rather than a purchase for ETH. Armijo turned down several suggestions of platforms by the other party, saying he was unfamiliar with them, and instead suggested one of his own choosing. However, the other party was still able to send him a trading link that appeared to be from the site he had suggested, and Armijo approved what turned out to be an illegitimate transaction that allowed the other party to take all three of his NFTs for nothing in return. Armijo alleges that although he quickly realized he'd been phished, he was not able to get OpenSea or LooksRare to freeze sales of the stolen NFTs, and they were flipped for resale within days.

Armijo alleges that OpenSea and LooksRare have "utterly failed to protect consumers or do anything to disincentivize or stop the thefts" because they profit from each trade on their platform. He has also named the company behind the Apes NFTs, Yuga Labs, in his lawsuit, stating that they have not done enough to disincentivize theft by failing to "monitor its proprietary and exclusive ape community by denying entry to individuals whose access is predicated on a stolen BAYC NFT". Once again, my heart goes out to the judge hearing this case.

In terms of damages, Armijo states he has been "deprived not only of the significant monetary value of the NFTs he owned, but also [has been] strip[ped] of his membership in the BAYC community and the commercialization rights he possessed in his underlying Bored Ape and Mutant Ape images", and as such is seeking damages "in no event less than $6 million". Interestingly, the name Robert Armijo also appears as a defendant in SEC charges from June 2021, where the individual is alleged to have unlawfully sold securities managed by an organization also alleged by the SEC to be a Ponzi scheme. It's not immediately clear if this is the same person, or someone who shares a name.

Elexir draws in more than $1.3 million, then announces an end to the project a week later and "reimburses" investors with $300,000

Elexir Finance promised a platform where users could build passive income via "yield bearing NFTs". They drew in more than $1.3 million in investments since the project's launch on February 22. However, on February 28, the team suddenly sold off their assets, tanking the $ELXR price in the process. They explained in Discord that this was because they had discovered a flaw in their tokenomics design, and so they had sold in order to cut losses and put "almost all early investors... either in positive profit or breakeven". The team also announced that they would distribute $300,000 to other early investors via airdrops. They notably failed to mention their plans for people who were not "early investors", or who were unknowingly snapping up doomed tokens that the project was offloading. Notably, the announcement also mentioned that the remaining treasury of more than $1 million would stay with the project developers, to be used for some new project they did not describe.

After their announcement went over about as poorly as you might expect, Elexir offered their community a choice regarding the $300,000 they planned to airdrop: either continue with that plan or re-add the money to the liquidity pool. Community members by and large seemed to support an unlisted third option, which was to refund the entire treasury to people who bought in, but the project developers seem intent on keeping that amount.

The project development team had had their identities verified by the organization StaySAFU, who subsequently tweeted that "We are currently communicating with both the team behind Elexir and the legal authorities", and that they had identity documents for the team members as well as video confirming they were responsible for rug pulls.

Cryptocurrency exchanges refuse requests by Ukrainian Vice President to freeze Russian and Belarusian addresses

Jesse Powell (@jespow): "5/6 Sometimes the hardest thing about having power is knowing when not to use it. Our mission is better served by focusing on individual needs above those of any government or political faction. The People's Money is an exit strategy for humans, a weapon for peace, not for war."
Tweet by Kraken CEO Jesse Powell (attribution)
Ukrainian Vice President Mykhailo Fedorov publicly requested major cryptocurrency exchanges to freeze addresses of all Russian and Belarusian users, to increase economic pressure on Russia to end its attacks on Ukraine. Several crypto exchanges including Binance, Kraken, and KuCoin publicly refused to do so. CEO and co-founder of the U.S.-based Kraken Exchange, Jesse Powell, wrote a Twitter thread in which he stated that Bitcoin was "the embodiment of libertarian values" and supposed to be "a weapon for peace, not for war".

Although it is perhaps unsurprising that these exchanges refused a request like Fedorov's, it will be interesting to see if and how sanctions may affect various cryptocurrency exchanges' actions. Binance, the largest crypto exchange, has already indicated it will comply with sanctions. Kraken, whose executives have tended towards more ideological stances, has also indicated that it will comply with legal requirements to freeze accounts.
