Web3 is Going Just Great

April 20, 2024

ZKasino rug pulls after raising $33 million

A project promising to build a decentralized casino managed to raise $33 million, despite an anonymous team that had exhibited several instances of shady behavior throughout ZKasino's development. The project promised that everyone who bridged ETH to their layer-2 chain would be able to receive their ETH back 1:1 in thirty days.

Instead, the project's creators transferred those more than 10,500 ETH ($33 million) to Lido, an Ethereum staking service. As for the "return" of funds, the project team indeed followed through with their promises to return the crypto... except instead of ETH, depositors received the project's native token, ZKAS, which would vest over a period of 15 months. The project announced that they had calculated the ZKAS distribution based on a discounted rate, "as a favour to our users who have bridged to participate in the ecosystem". Gee, thanks!

One investor in the project wrote, "We made a mistake investing in Zkasino early. ... [I]t sounds like a scam, but 95% of crypto consists of such crap. With memecoins pumping every day, people believe this could be the next one."

It seems that ZKasino's creators have links to other crypto scams, including a failed "ZigZagExchange", which raised around $15 million that was allegedly misallocated to work on the ZKasino project. Crypto sleuth zachxbt had also described the team as "proven bad actors" in December, listing multiple instances in which they had avoided making promised payments.

After the rug pull, the project's planned IDO on Ape Terminal and AIT Launchpad were canceled, and MEXC (which had invested in the project's seed round) canceled the token listing.

April 18, 2024

Avi Eisenberg convicted of $110 million Mango Markets heist

A very close-up portrait of Avraham Eisenberg, who has curly red hair and a beard

(attribution)

A jury found Avi Eisenberg guilty of fraud and market manipulation after he stole $110 million from the Mango Markets defi protocol in October 2022. Although he tried to argue that "code is law", and that his actions were legal as they were allowed by the project's smart contracts, jurors ultimately agreed with prosecutors that his manipulation of token prices constituted fraud.

Shortly after he was identified as the person behind the attack, Eisenberg tweeted that he "was involved with a team that operated a highly profitable trading strategy last week. I believe all of our actions were legal open market actions". Sadly for him, jurors didn't share this belief.

Eisenberg faces up to 20 years in prison.

"Mango Markets Exploiter Avi Eisenberg Found Guilty of Fraud and Manipulation", CoinDesk [archive]

April 15, 2024

$2 million emptied from Grand Base real world asset platform

(attribution)

Grand Base, a real world assets platform built on the Base layer-2 blockchain, has seen $2 million exit the platform in a hack or rug pull.

The team behind the project claimed that the deployer wallet had been compromised, allowing an attacker to drain the project's liquidity pool. Altogether, 615 ETH (~$2 million) was taken from the project.

Grand Base is a platform where users can trade "gAssets", which are crypto tokens that represent stocks in tech companies including Amazon, Apple, Google, Meta, and Microsoft.

April 12, 2024

$26 million liquidated in surprise Pac Finance smart contract change

(attribution)

Pac Finance, a fork of the Aave lending protocol deployed on the Blast blockchain, surprised some of its users as an unannounced and unexpected code change lowered the liquidation threshold. Pac Finance said that they had asked an engineer to make changes to the smart contract, and that that person had unexpectedly decreased the threshold at which positions could be forcibly liquidated. This change resulted in $26 million being liquidated across the project.

Pac Finance has said they are "actively developing a plan with [impacted users] to mitigate the issue."

"$26 million in 'unnecessary liquidations' hit Blast-based lender Pac Finance", The Block [archive]

April 12, 2024

Crema Finance and Nirvana Finance hacker sentenced to three years imprisonment

Shakeeb Ahmed, the hacker who stole a combined $12 million from Crema Finance and Nirvana Finance in July 2022, has been sentenced to three years in prison. Ahmed had previously worked for Amazon, where he led a bug bounty program focused on paying whitehat hackers to discover flaws in Amazon's software.

US Attorney Damian Williams described this as the first ever conviction for a smart contract hack.

Ahmed forfeited around $12.3 million in stolen funds, and will pay more than $5 million in restitution.

"Former Security Engineer Sentenced To Three Years In Prison For Hacking Two Decentralized Cryptocurrency Exchanges", press release from the U.S. Attorney's Office, Southern District of New York [archive]

April 10, 2024

SEC sends Wells notice to Uniswap

(attribution)

The US Securities and Exchange Commission issued a warning to the Uniswap decentralized exchange in the form of a Wells notice. Wells notices are used to inform the recipient of an impending lawsuit, and give them a last-ditch opportunity to convince the SEC that the suit is unwarranted.

The notice was received with an adversarial posture by Uniswap, who announced its receipt with a blog post titled "Fighting for DeFi". "Taking into account the SEC's ongoing lawsuits against Coinbase and others as well as their complete unwillingness to provide clarity or a path to registration to those operating lawfully within the U.S., we can only conclude that this is the latest political effort to target even the best actors building technology on blockchains," they wrote.

The news was met with outrage in the crypto community, who generally saw the action as indicative of an overly aggressive posture by the SEC to crack down on defi and crypto more broadly.

"Fighting for DeFi", Uniswap Labs blog [archive]

April 4, 2024

SushiSwap team votes to give themselves control of much of the "decentralized" project's treasury

(attribution)

The leadership team behind SushiSwap, a popular defi platform, submitted proposals for a DAO governance vote that would transfer control of around $40 million from the DAO to a small centralized organization called "Sushi Labs". That organization would also receive all future airdrops awarded to SushiSwap. According to the proposal, this was motivated by a desire for efficiency and faster development.

The "yes" votes are currently in the lead with a 63% margin. The most yes votes came from sushigov.eth, the official SushiSwap team address, which also created the proposal. It is the first time that address has ever participated in a governance proposal.

The 5.5 million yes votes from the team wallet, plus another 3.1 million delegated from other community members, were enough to push the vote to majority support. A former SushiSwap contributor has also alleged that the SushiSwap team was manipulating the vote with additional wallets.

On Twitter, Sushi's "Head Chef" claimed that he had consulted with lawyers and then authorized the voting activity out of fear of an "extortative [sic] governance attack attempt".

"SushiSwap Community Cries Foul Over Vote to Centralize $53M Treasury", Decrypt [archive]
"SushiSwap team treasury takeover looks likely despite heated debate", Cointelegraph [archive]
Tweet by Jared Grey [archive]

April 1, 2024

FixedFloat exchange hacked again

(attribution)

The FixedFloat cryptocurrency exchange was exploited again, this time for around $2.8 million. This follows shortly after a February 18 hack in which attackers made off with $26 million.

FixedFloat acknowledged the theft in a Twitter post, and blamed the same thieves. They claimed that this theft was enabled by a vulnerability in a third-party service.

March 28, 2024

Prisma Finance hacked for $12 million; attacker makes detailed demands

(attribution)

The defi protocol Prisma Finance was hacked for 3,257 ETH ($11.5 million). An attacker was able to take advantage of a flaw in the project's smart contracts, allowing them to manipulate users' positions and steal some of their collateral. Two other watchful attackers observed the attack strategy and replicated it, stealing a combined additional 173 ETH (~$610,000).

Plasma paused the protocol after detecting the attack.

The first attacker, who stole the bulk of the assets, sent an on-chain message to Prisma claiming that they had performed a "whitehat rescue", and inquired about returning the funds. In later messages, however, they asked the project to answer questions about their security practices and projects' responsibilities to users to prevent attacks. The attacker then transferred the stolen funds to Tornado Cash — indicating their return is unlikely.

In another message, the attacker was angry that Prisma had not expressed gratitude to them or remorse to their users, and was angry they had used terms like "exploit" and "attack" in their description of the incident. They demanded that the team reveal their identities, apologize, and thank the attacker in an online press conference.

March 22, 2024

Solana memecoin frenzy sparks trend of incredibly racist meme tokens

A screenshot of many Solana tokens on DEXScreener, including:
JEWS "Jews did 911"
卐 "NAZI"
N*** TRUMP "N*** Trump"
N***OLAS "N***OLAS CAGE"
COVID "chinadidcovid"
N***Butt "N*** Butt Token"
APERAH "aperah wenfree"
BDN "Big Dick N***"
CHIGGA "Chinese N***"
HITLER "I was right"
BOJE "Book of J***ers"
WODNDOR "AuschwitzWoodenDoor"
LIBTARD "Go Woke Go Broke"
BULLJEW "BULL JEW"
wifcancer "kate wif cancer"
N*** TRUMP "N*** TRUMP 2024"
GayPedo "Gays Are Pedos"
J*** "J*** Buice"

Racist Solana tokens on DEXScreener (attribution)

Solana memecoin trading has been booming lately, with people making money by speculating on tokens themed around various memes and jokes. Amid an explosion in trading innocuously-named meme tokens like dogwifhat has also been a rise in blatantly racist tokens, named after racial slurs, featuring racist caricatures, or named after antisemitic conspiracy theories.

The tokens became so popular that projects showing newly-released tokens, like DEXScreener, became full of such tokens. DEXScreener released a statement on Twitter to say that "We'll be reviewing our token profile moderation policy in the coming days. We won't be the gatekeepers of what happens on-chain, but we're definitely not here to spread hate." The replies to the tweet were, predictably, full of people accusing DEXScreener of "censorship" and "going woke".