A bug in Uranium Finance, a DeFi exchange based on Binance Smart Chain, allowed an attacker to drain the liquidity pools for multiple token pairs. Uranium had just commissioned an audit which uncovered the bug, but the attack occured two hours before the patch went live. An apparent member of Uranium's development team wrote that they believed the attack had been the result of leaked information.
An employee of the ZKM Centre for Art and Media in Karlsruhe accidentally sent two of their four Cryptopunk NFTs back to its smart contract address. This is referred to as "burning" the NFTs, because the address is inaccessible and the NFTs are permanently impossible to trade as a result. The employee had copied the Cryptopunks contract address while browsing Etherscan, and didn't realize that was what he was pasting while making the transfer — wallet addresses are long hex strings like 0xb47e3cd837ddf8e4c57f05d70ab865de6e193bbb and are prone to errors like this since they are not easily distinguished at a glance. The two NFTs were originally acquired for the museum for approximately $100 each in 2017, and are individually valued at around $187,000 as of January 2022.
Turkish Bitcoin exchange Thodex halted trading and limited customers' access to their investments, claiming it was to investigate suspicious activity and swearing it was not an exit scam. With an international manhunt now underway for the Thodex CEO, and no sign of the approximately $2 billion that was invested in the platform, it seems awfully likely it was a rug pull.
Hackers compromised a computer belonging to EasyFi founder Ankitt Gaur, accessing his private keys which allowed them to transfer $6 million in stablecoins and $120 million worth of EASY. The price of EASY crashed as a result of the low liquidity, limiting the hacker's total payout to around $80 million. EasyFi followed the breach with a hard fork to "EZ 2.0", and compensated users with a mix of stablecoins and "IOU tokens" that could later be redeemed for discounted EZ.
The two founders of a South Africa-based crypto investment firm called Africrypt claimed they had been hacked, and all assets had been stolen. The duo disappeared as legal action began, and as skepticism grew as to the veracity of that story.
24 hours after pre-sale, the team behind Turtledex drained $25 million from the liquidity pool and disappeared. Turtledex's smart contract had been audited shortly before the sale, with no major issues found, leading some to question the point of such audits.
Private keys for hot wallets on the Roll network were compromised, allowing the theft of around $5.7 million from various "social tokens". "Friends With Benefits", an a16z-backed DAO with an associated token that allows those who are approved by the DAO and can afford the ~$8,000 entrance fee access to exclusive parties, was one of the tokens affected, and it tanked in value by about 96%. Roll apologized and announced a fund to help those affected, though the $500,000 fund was only a small fraction of the money lost.
Vignesh Sundaresan's $69 million purchase of an NFT by artist Beeple made headlines. However, Amy Castor outlined a few days later that Sundaresan is a business partner of Beeple's, and that Beeple himself owns 2% of the B20 tokens created by Sundaresan's cryptocurrency investment firm. She speculates that money may not have exchanged hands at all, but that Sundaresan and Beeple orchestrated the purchase to artificially inflate the value of the work, increase Beeple's popularity, and draw attention to Sundaresan and his company.
- "Metakovan, the mystery Beeple art buyer, and his NFT/DeFi scheme", Amy Castor
- "JPG File Sells for $69 Million, as 'NFT Mania' Gathers Pace", The New York Times
Jason Rohrer, developer of the 2014 indie game The Castle Doctrine announced his plan to auction 155 of the digital paintings that he had commissioned for the game as NFTs on the OpenSea platform, without ever requesting permission from the original artists or informing them of his plan at all. In an email, Rohrer told Kotaku that he hadn't asked for permission from the artists to sell the works as NFTs "mostly because having email conversations with 50+ people would exceed my bandwidth as a solo creator." At least three artists asked for their work to be removed from the collection.
An NFT artist changes all images in their collection to photos of rugs to make a point about the value of NFTs
NFT artist "neitherconfirm" created a collection of 26 NFTs of stained glass-style computer-generated art. After release, they changed the art for each NFT to a picture of a rug, an apparent reference to "rug pulls". The artist wrote on Twitter, "Nobody got hurt. It is pretty easy to change the jpg, even if it does not belong to me or it is on auction. I am the artist, my decision, right? A thread from somebody making his living with art irl about the value of NFTs... All discussions about the value of NFTs are meaningless as long as the token is not inseparable from the artwork itself... What is the meaning of creating an unforgeable token on a highly secured network if somebody can alter, relink or destroy your possession? As long as the value of your artwork is reliable on a central service you do not own anything."
DeFi project DODO was relieved of $3.8 million after hackers exploited a bug in their v2 Crowdpools smart contracts. The exchange later recovered $1.89 million of these funds.
A contract exploit allowed a hacker to mint almost 60 million PAID tokens (priced at around $160 million based on the value before the attack) on the PAID Network. The hacker then made off with about $3 million in Ethereum from their efforts. The attack caused the PAID token to crash about 88% in value over the course of a day, from around $2.86 to $0.32.
The team behind the Meerkat DeFi protocol claimed they had been victims of a hack, but subsequently disappeared from the web after the equivalent of $31 million in Binance Coin (BNB) and BUSD was pulled from the project. Two days later, a developer for the project wrote that the project had been a "test [of] user greed and subjectivity", and aimed to "[help] users realize the potential danger in smart contracts [and] the subjectivity in the audit processes of audit companies." The developer wrote that all victims would be refunded. Some believed that the bizarre "experiment" explanation was to cover that Binance had stepped in to address the scam.
A hacker was able to code a smart contract that tricked C.R.E.A.M. into believing it was from a trusted source. They were then able to make off with $37.5 million worth of Ethereum and stablecoins in what was only the first of several major exploits of the platform in 2021.
An exploit in Yearn.Finance's yDAI vault resulted in an $11 million loss to the platform, though "only" $2.8 million of this went to the hacker.
- "Yearn.Finance puts expanded treasury to use by repaying victims of $11M hack", Cointelegraph
- "Yearn Finance suffers exploit, says $2.8 million stolen by attacker out of $11 million loss", The Block
- "DeFi platform Yearn moves to restore exploited 'vault' less than a week after $11 million loss", The Block
Tether pays $18.5 million in penalties; NY Attorney General alleges they don't have the cash reserves they claim
The stablecoin Tether swears up and down that it's fully backed by actual currency, but the New York Attorney General doesn't agree. Tether paid $18.5 million in penalties, was banned from trading in New York, and agreed to submit transparency reports for two years in exchange for ending the long-running legal dispute.
- "Tether, Bitfinex to pay $18.5M to NYAG, cease trading in New York", Amy Castor
- "The curious case of Tether: a complete timeline of events", Amy Castor
- "Cryptocurrency firms Tether and Bitfinex agree to pay $18.5 million fine to end New York probe ", CNBC
- Press release from the New York Attorney General