Vulnerability discovered in vanity wallet generator puts millions of dollars at risk

September 15, 2022

Vulnerability discovered in vanity wallet generator puts millions of dollars at risk

The 1inch Network disclosed a vulnerability that some of their contributors had found in Profanity, a tool used to create "vanity" wallet addresses by Ethereum users. Although most wallet addresses are fairly random-looking, some people use vanity address generators to land on a wallet address like 0xdeadbeef52aa79d383fd61266eaa68609b39038e (beginning with deadbeef), or one with lots of 0s at the end, or some other address the user thinks looks cool.

However, because of the way the Profanity tool generated addresses, researchers discovered that it was fairly easy to reverse the brute force method used to find the keys, allowing hackers to discover the private key for a wallet created with this method.

Attackers have already been exploiting the vulnerability, with one emptying $3.3 million from various vanity addresses. 1inch wrote in their blog post that "It's not a simple task, but at this point it looks like tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions."

The maintainer of the Profanity tool removed the code from Github as a result of the vulnerability. Someone had raised a concern about the potential for such an exploit in January, but it had gone unaddressed as the tool was not being actively maintained.

"A vulnerability disclosed in Profanity, an Ethereum vanity address tool", 1inch Network
Tweet by zachxbt

September 14, 2022

"No politics at work" Coinbase rolls out a feature to promote crypto-friendly politicians

A mobile screenshot of a list titled "explore legislators", showing various representatives and their "Crypto sentiment". Carolyn Maloney of New York, District 12 is displayed with a negative crypto sentiment.

Coinbase crypto policy feature (attribution)

When the "politics" were widespread civil unrest in the summer of 2020 triggered by the police murder of George Floyd, and pressure on the company to release a statement in support of Black Lives Matter, Coinbase CEO Brian Armstrong announced that there would be no political discussion or activism at work, and those who didn't like it could leave.

Now, he's just announced that Coinbase will be "integrating our crypto policy efforts right into our app" by providing a rating of Congressmembers' negative or positive "crypto sentiment". He also said that they plan to "help pro-crypto candidates solicit donations from the crypto community (in crypto)", and wish to get their users to attend town hall events. "We've also added a very easy way for you to contact your member of Congress to urge them to support pro-crypto policies," Armstrong said in a video demonstrating the feature.

Tweet thread by Brian Armstrong
"Coinbase is a mission focused company", Coinbase blog

September 14, 2022

"Double your money" scammers capitalize on Ethereum merge

Tweet by Twitter account with the verified display name "vitalik.eth" but the account handle "iThinkBuzz". Tweet reads "To celebrate the Merge, Ethereum Foundation giving away 50,000 ETH! 🎉

First come, first serve ➡️https://ETH-MERGE.BLOGSPOT.COM

You can only apply once."

Tweet by hacked verified account (attribution)

If it seems like you've been seeing a lot of Ethereum co-founder and figurehead Vitalik Buterin around Twitter lately, it may be due to the influx of hacked verified Twitter accounts that have been retrofitted to resemble Vitalik's account. They've been used to share a litany of scam links to supposed Ethereum giveaways in celebration of "The Merge": the much-anticipated change to Ethereum's consensus model that's scheduled to happen on September 15.

Most of the tweets say something like "To celebrate the Merge, Ethereum Foundation giving away 50,000 ETH!", and link out to various websites that invite people to send some amount of Ethereum with the promise that they'll receive twice as much in return — a classic double-your-money scam.

At least 36 verified Twitter accounts were compromised and used for the scam, including the 6 million-follower Cityarabia account that normally tweets for Arabic-speaking fans of the Manchester City football club. On the afternoon and evening of September 14 alone, at least 195 ETH (~$314,000) was drawn in by the accounts and scam websites I found.

Tweet by Molly White

September 14, 2022

South Korea issues arrest warrant for Terra founder Do Kwon

Do Kwon (attribution)

A South Korean court has issued a warrant for the arrest of Do Kwon, the founder of the Terra ecosystem, as well as five other people. According to Bloomberg the allegations include violations of Korea's capital markets law.

Kwon and the others named in the warrant are currently in Singapore. In June, Korea banned current and former Terraform Labs employees from leaving the country, and in July Korean authorities raided multiple exchanges in connection to their investigation.

September 12, 2022

Starbucks wants you to have an "immersive coffee experience" with their web3 rewards program

A glitchy photograph of a coffee farm, with the text "Starbucks Odyssey" atop it in white capitals

Starbucks Odyssey promotional image (attribution)

When Starbucks CEO Howard Schultz first announced at an employee town hall in April that the company was looking to get into NFTs, I assumed he was just hoping for a headline to distract from all the union busting they'd been doing. After all, they already have a rewards program that by all appearances seems to be quite successful.

Despite that, Starbucks has apparently decided that what its rewards program really needs are "digital collectible stamps", a euphemism for NFTs that somehow makes them sound even less appealing.

These NFTs promise to provide their holders with "immersive coffee experiences", which sounds an awful lot like what cost McDonald's a few million in the mid-nineties.

Unfortunately for Starbucks, between the time they came up with the idea, announced it at their town hall, and are now inviting people to sign up to the waitlist, the NFT craze has died down considerably. Even at the peak of NFT mania, though, I'm not sure if people would have been lining up to buy "digital collectible stamps" that allow them to "claim an ownership stake in their loyalty to Starbucks" (what??)

"Starbucks Brewing Revolutionary Web3 Experience for its Starbucks Rewards Members", press release

September 10, 2022

Ubisoft now claims its forceful introduction of NFTs was only "research"

Remember when Ubisoft decided it was going to shoehorn NFTs into their Tom Clancy's Ghost Recon Breakpoint game, to the nearly universal disappointment of their fans? Remember when one of their execs said that gamers just "don't get what a digital secondary market can bring to them"? Remember when their employees were so unhappy with the NFT plan that they had to hold an internal workshop about it, shortly before giving all employees NFTs of hats?

Well, despite being pretty bullheaded about their stance on NFTs and web3, even Ubisoft is now backing away from it all. In April, only a few months after launch, Ubisoft announced that there would be no more NFTs for the Ghost Recon Breakpoint title. Now, the CEO is putting a different spin on the company's once determination to introduce NFTs: "we are still in research mode" when it comes to web3 technologies, he said. "We probably were not good at saying we are researching. We should have said we were working on it, and when we have something that gives you a real benefit, we'll bring it to you." I imagine that might come as a shock to the handful of people who actually bought the Ghost Recon Breakpoint NFTs, given they were promised "real benefit" back in December and are now left with useless collectibles.

"Ubisoft CEO Says Company’s Interest In NFTs Was Just 'Research', No Longer Interested", Kotaku
"Yves Guillemot: 'I think we are a company that can be proud of itself'", GamesIndustry.biz

September 9, 2022

Algorand Foundation discloses $35 million exposure to Hodlnaut

(attribution)

The Algorand Foundation is a group responsible for managing Algorand, a proof-of-stake blockchain. On September 9 they disclosed that they had put $35 million of the project's treasury into Hodlnaut, a lending firm that halted withdrawals on August 8 and applied for creditor protection a week later. Hodlnaut was in turn heavily exposed to Terra, the ecosystem that collapsed in May.

The Algorand Foundation reassured people that the funds potentially lost to Hodlnaut were less than 3% of the Foundation's assets, and "we do not anticipate operational or liquidity issues due to this action". They also wrote that they would be "pursuing all legal remedies to maximize asset recovery".

"Algorand Foundation exposure to Hodlnaut", Algorand Foundation

September 8, 2022

New Free DAO loses $1.25 million in flash loan attack

A flash loan attack against the New Free DAO project resulted in a $1.25 million loss. The project's token also crashed 99% in the wake of the theft. The hacker quickly sent 1,500 BNB (~$415,000) of the stolen funds through the Tornado Cash cryptocurrency mixer, and sent another 2,900 (~$803,000) to the PancakeSwap decentralized exchange.

"New Free DAO crashes 99% after $1.25M flash loan attack", CryptoSlate

September 8, 2022

Shiba Inu developers leak AWS credentials on Github

(attribution)

If Amazon would like to buy the rights to the slogan "Web3, powered by AWS™️", feel free to reach out, because I'm registering it.

On September 8, a security researcher published a blog post reporting that the developers behind the Shiba Inu coin — one with reality-defying levels of popularity at #13 on the list of coins by market cap — had apparently published their AWS credentials to Github. After making the discovery, his team attempted to contact the developers, but were not able to find a bug bounty program, responsible disclosure policy, or even people they could reach out to personally.

Luckily for Shiba Inu (and somewhat miraculously), the tokens were invalidated two days later before anyone malicious apparently took advantage of the vulnerability. The researcher wrote that the exposure had "the potential to cause serious security breaches, including but not limited to user fund theft, token embezzlement, disruption of services, etc."

"Shiba Inu cloud credentials leaked on a public repository!", PingSafe

September 8, 2022

Coinbase funds lawsuit against the Treasury Department over Tornado Cash sanctions

In the wake of OFAC adding Tornado Cash to the U.S. sanctions list in early August, Coinbase has announced they will fund a lawsuit against the Treasury Department to challenge the decision. Coinbase itself is not a plaintiff in a lawsuit, though two of the plaintiffs are Coinbase employees, who along with four other individuals filed suit in a Texas court. They say they previously used Tornado Cash for licit purposes, and are now suffering financial damages because they can't legally use the service.

In the suit, they argue that the Treasury Department overstepped its authority in what it can sanction, claiming that "Tornado Cash software, including the smart contracts, consists of immutable open-source software code, which is not property, a foreign country or a national thereof, or a person of any kind." They've also argued that the designation is unconstitutional under both the free speech protections of the First Amendment and the due process protections of the Fifth Amendment.

Joseph Van Loon v. Department of the Treasury
"Crypto exchange targets Treasury sanctions in national security clash", The Washington Post

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.