Unstoppable Domains disables .coin extensions, illustrating an issue with the idea that "you'll always own your NFT"

Unstoppable Domains is in the business of selling "domains" — at least that's what they call them, but they're not the kind of domain that you can plug into your web browser. Instead, they are more like the ENS domains that you may have seen (the ones ending in .eth), and they typically map to a crypto wallet address.

The organization just discovered that they were not the first to go around selling .coin "domains" (represented by NFTs), and were at risk of running into collisions. As a result, they decided to no longer sell these domains, and stop their libraries and services from resolving them.

But fear not, they said, because "Unstoppable domains are self-custodied NFTs, so you still own your .coin domain, but it won't work with our resolution services or integrations."

That's right, folks, you'll still have your .coin NFT! It just won't resolve, or be otherwise useful in any way.

This is much like the argument that has been common in crypto when describing a use case for NFTs: "if it's an NFT, you'll be able to really own your World of Warcraft sword, and Blizzard won't be able to take it away from you if they arbitrarily decide to ban you or remove the item!" This ignores the fact that the existence of an NFT on a blockchain does not ensure that some functionality initially advertised will continue to work in perpetuity, and you might end up with a domain name or a sword that can do nothing more than sit in your crypto wallet collecting dust.

Unstoppable Domains has offered to credit purchasers of .coin domains 3x their purchase price, though this will likely not be as appealing to people who held domains they hoped to flip for much higher than the initial price.

Vulnerability in BitBTC bridge ends in an exploit where the clock is ticking

A security researcher published a frustrated Twitter thread reporting that "BitBTC's Optimism bridge is trivially vulnerable. Their team has ignored my messages, so I'm going to publish the critical exploit here." They described an issue where it was possible for people to create tokens on the Optimism side of the bridge that could be tied to any token on the other side of the bridge — meaning an exploiter could create a valueless token and bridge it to an unrelated token with actual value.

Less than a day after publishing the thread, someone did exactly what the researcher described, and was able to cause the bridge to mint and transfer 200 billion BitBTC. BitBTC aims to be valued at 1/1,000,000 of a BTC, meaning the exploiter on paper just landed themselves 200,000 BTC, but this is another case where massive amounts of a token were created and could never be traded for anywhere near their ostensible "value". BitBTC doesn't have publicly available data on the backing of their tokens, but it's certainly nowhere near 200,000 BTC. The project appears to be very new, and was created by a self-described "19 year old Bitcoin believer".

BitBTC has seven days from the time of the hack to fix the issue in their bridge before the transfer is complete and the attacker is awarded the tokens. Meanwhile, the hacker left an Ethereum transaction note to say that "I'm not a hacker, just want to test the exploit with a [proof of concept], won't touch any of the valuable assets."

Moola Market exploited for $8.4 million

The Celo-based borrowing and lending platform, Moola Market, suffered a major exploit when an attacker manipulated collateral prices to steal a collection of assets notionally worth around $8.4 million. After taking a loan of $MOO tokens on the platform, the attacker manipulated the price of those tokens to borrow all other tokens available on the lending protocol. The project dashboard currently shows 100% utilization, because the attacker emptied all funds that were available: a mix of $CELO, $cEUR, $MOO, and $cUSD that amount to around $8.4 million.

This attack was executed similarly to the Mango Markets exploit a week prior. Moola Market tweeted that they had "contacted law enforcement and taken steps to make it difficult to liquidate the funds. We are willing to negotiate a bounty payment in exchange for returning the funds within the next 24 hours." The attacker did eventually return 93% of the funds, keeping the remaining $588,000 as a "bug bounty".

Roofstock claims to have completed its first one-click NFT home sale

A grey single-family home with a garage door and cement drivewayThe house that was sold via NFT (attribution)
If you've ever wished you could put the same amount of thought into buying a $100,000+ home as you do ordering another bag of dog food from your online retailer of choice, you're in luck! A company called Roofstock claims to have achieved its first house-as-NFT sale on a platform it promises will "provide a radically simple way for [single-family rental] properties to be purchased and sold with one-click using web3 technology". The home in question was a $175,000 single-family residence in Columbia, South Carolina.

Needless to say, there were more than a few questions around the legal and tax ramifications of this. Some of the more crypto-minded spoke excitedly of "the ability to easily fractionalize your properties or take loans against it in a decentralized way" that this might unlock, while the rest of us were left wondering what a defi loan default and foreclosure would look like.

As much as I agree the real estate system could use some improvements, introducing the ability for someone to hack my crypto wallet and take my house is not quite what I had in mind.

Much-anticipated "speedy" Aptos chain launches, processing 4 transactions per second and with 80% of tokens allocated to insiders

Aptos, a much-anticipated layer 1 blockchain backed by FTX and a16z, and created by a team of former Meta employees, launched to much anticipation on October 17. The team had bragged that the chain would be able to process 160,000 transactions per second, even more than Solana's claimed theoretical 65,000, and far more than Ethereum's ~15 or Bitcoin's ~7. Instead, after launch, Aptos was processing a painful 4 transactions per second.

This was not the only criticism of Aptos upon launch. The Aptos token was quickly put up for sale on exchanges including FTX and Binance, but Aptos had not yet published information about their tokenomics — leaving would-be investors trying to make decisions about whether to purchase a token about which they couldn't find even basic information. Once the tokenomics were published, people expressed concerns about the distribution: 80% were allocated to the team and investors and staked, enabling them to dump the staking rewards on retail investors.

Texas regulators are investigating FTX and Sam Bankman-Fried for possible securities violations

Joseph Jason Rotunda, Director of the Enforcement Division of the Texas State Securities Board, submitted a filing to the ongoing Voyager bankruptcy case. FTX is the highest bidder among companies who have made offers to buy the assets of Voyager.

According to Rotunda, there is an ongoing investigation by the TSSB into whether FTX has been offering unregistered securities to United States residence in the form of yield-bearing accounts. He alleged that FTX's claimed attempts to segregate US users to the separate FTX.US exchange, the software makes no apparent attempt to do so, and offered yield-bearing accounts to customers who had signed up with a U.S. address — potentially in violation of securities laws.

Rotunda submitted the filing in the Voyager bankruptcy case to argue that FTX should not be permitted to buy Voyager's assets until they have been determined to be compliant with securities law. He wrote, "[FTX yield-bearing] products appear similar to the yield-bearing depository accounts offered by Voyager Digital LTD et al., and the Enforcement Division is now investigating FTX Trading, FTX US, and their principals, including [FTX CEO] Sam Bankman-Fried."

BitKeep Swap hacked for more than $1 million

The Swap feature of the BitKeep crypto wallet suffered an exploit that landed a hacker more than $1 million worth of BNB. The project acknowledged the hack, and promised to reimburse users who were impacted.

This is the second hack in October of the swap functionality of a crypto wallet, with Transit Swap suffering a $21 million hack on October 1 — although in that case, the attacker subsequently returned a large portion of the stolen funds.

Tokens notionally worth $825,000 stolen from Syntropy in venture capital investment deal gone wrong

The web3 company Syntropy suffered the loss of 15 million of their $NOIA tokens when they attempted to transfer them to a venture capital firm, but instead they ended up with a thief. In a Twitter statement, the company claims that they had reached an agreement with a venture capital firm to invest in Syntropy, and sent the agreed number of tokens to an escrow agent to complete the deal. However, they say, "it became apparent that the buyer's identity had been compromised. The malicious actor convinced the escrow agent into releasing the tokens to the impersonating party." 15 million $NOIA tokens (notionally worth around $825,000) were stolen, and the $NOIA price crashed from around $0.055 to around $0.037. According to Syntropy, Kucoin froze the accounts holding the stolen funds.

Some supporters of Syntropy have questioned the team's decision to take a deal like this from a VC firm after the firm claimed to be fully funded, and without communicating with the community. Others questioned how the deal could have possibly gone so wrong in the way Syntropy claimed.

Over 51% of blocks validated on the Ethereum chain are censored

On October 14, Ethereum reached a milestone that alarms many who have pushed for blockchains as "censorship-proof" technology. More than 51% of blocks produced in the preceding 24 hours were processed by relays that filtered out transactions involving Tornado Cash, a crypto mixing service that was added to the U.S. sanctions list in August.

This 51% threshold doesn't pose an immediate threat to Tornado Cash users, because even validators that censor transactions will still attest to the validity of blocks created by non-censoring validators. However, if 51% or more of validators were to also stop attesting to non-censored blocks, they would no longer be able to be added to the chain.

Earning.Farm exploited for $971,000, exploiter gets frontrun by MEV bot

The defi project Earning.Farm lost 748 ETH (~$971,000) to a hacker using a flash loan attack. The project contract was missing a check that a flash loan was initiated by the protocol, so the attacker was able to instruct the project to withdraw large amounts of funds, which they then were able to transfer to themselves.

Amusingly, one of the transactions by the hacker was frontrun by a MEV bot known as 0xa57, which made a tidy 480 ETH (~$623,000) from the attack. The second transaction succeeded, landing the attacker 268 ETH (~$348,000). According to a MEV researcher, 0xa57 has been known to return funds that were obtained as a result of a hack.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.