It's not yet clear if others have been affected by the same type of attack, but MetaMask tweeted instructions for iCloud users on how to turn off the automatic backups. Most people seemed to have previously been unaware that this data was being backed up in iCloud. MetaMask turned off replies on their tweet announcement, apparently anticipating the outrage from their users. Iacovone was among the outraged, writing, "Keep exposing MetaMask until they do what is right and take care of this issue and the people affected by it".
$650,000 phishing attack against MetaMask user reveals that credentials are automatically backed up to iCloud
Palisade discloses infectious XSS vulnerability on Rarible that could have arbitrarily changed NFT listing data and transactions
The researchers were able to inject malicious code into the profile photo on Rarible, which only required a person to visit the malicious profile in order to run. This code could have then "infected" other signed-in users' profile photos, increasing the spread of the vulnerability to anyone who then visited their profiles. Once infected, the code would persist across all pages on Rarible, and could change arbitrary data on NFT listings, modify smart contract interactions, leak or modify profile information, or prompt users to sign arbitrary messages.
In an example, the researchers showed how a listing of a Bored Ape (pricey NFTs which currently have a floor price ~100 ETH / $290,000) could be modified for an impacted user to appear as though it was listed for only 1 ETH (~$2,900). A user who attempted to buy the apparently massively-discounted NFT could then be prompted to approve a sale transaction which would actually run a setApprovalForAll call that would allow the attackers to steal crypto and NFTs from the user's wallet.
This bug was the second Rarible vulnerability that was publicly disclosed this week, following a vulnerability with SVG NFTs disclosed by Check Point Research on April 14.
After the security researchers responsibly disclosed the vulnerability, which could have quickly wreaked havoc across Rarible's entire userbase, Rarible patched the issue and awarded them a bug bounty of $5,000. Good luck to Rarible if the next people who find a bug are even slightly more motivated by money than they are by ethics.
Crypto multimillionaire and former defi developer Andre Cronje calls for crypto regulation as he founds an investment banking company
The reasoning may have just become clear, as Cronje published a blog post titled "The rise and fall of crypto culture" in which he wrote, "Crypto culture has strangled crypto ethos... I now more than ever see the need, or even necessity for regulation, not as a mechanism to prevent, but as a mechanism to protect. Its like a child trying to stick their finger into a electric outlet, you stop them, before they can learn why they shouldn't. One day they will understand, but not today." He remained optimistic about the prospects of crypto if regulation is introduced: "We will see the rise of a new blockchain economy, not one driven by greed, but instead driven by trust, not trustlessness."
Not everyone was impressed by his apparent change in tune. Twitter user 0xCana wrote, "andre cronje with the gigagrift walking away with over 1 billion dollars generated from crypto and then exits the space, rails against 'get rich quick mentalities' and advocates for strict regulations and then founds an investment banking company. incredible."
Starting on April 18, the projects were targeted with a series of flash loan attacks. The project faced a total of 267 flash loan attacks within one day, leading to major volatility in the ostensibly stable coin. In an impressive display of optimism, a project team member wrote, "This has caused a large price pump. (Also benefited with 3% more burned tokens in fees.) The outcome and intent of the person who has done this, is unknown and it may work in our favour, Do not panic, and do not buy or sell until stable." The attacker made a profit of around $190,000 from the attacks.
Estimated damages to the project were higher than the amount the hacker was able to take for themselves—around $182 million. The $BEAN token, once pegged to $1, dropped to nearly 0. The project creator wrote in the Discord, "We are fucked. This project has not had any venture backing, so it is highly unlikely there is any sort of bail out coming." However, they were later slightly more optimistic, writing, "it may also be the start of something good... there may be a path forward. We don't want to comment on next steps until that path is at least visible to us" while reiterating that a bail-out was "highly unlikely". They also told members of their community that they had contacted the FBI about the theft.
This did not go over so well for the people who were eager to get a spot in line to mint NFTs that cost 2.5 ETH ($7,650), but was selling with a floor price of 13.1 ETH ($40,000) on the secondary market shortly after the mint completed. If the person behind the Sybil scheme flipped their NFTs for the current floor price, they could make upwards of $1.6 million in profit.
Pseudonymous Gem cofounder revealed to be hiding a history of alleged sexual abuse, some targeting children
Following the publication of the BuzzFeed article on April 16, the Gem Discord erupted in anger—apparently discovering for the first time that Gem had known Thompson's real identity for quite a lot longer than they had let on. Some members accused the team of lying and trying to cover up who Thompson was, demanding the team explain themselves. The Gem Discord bot was subsequently configured to block links to BuzzFeed.com, so people couldn't post the exposé article.
Crypto culture has embraced pseudonymity to such an enormous degree that not only is it common for everyday traders to cloak their identities behind wallet addresses or pseudonyms, but for founders and prominent members of major projects to do so as well. This is not the first time this has enabled deception, such as in the case where a chief developer of a defi project later being unmasked as a man with a history of financial crimes and other shadiness.
To try to test this theory, Monero users have scheduled what is basically a bank run: they are encouraging all users to try to move their Monero out of exchanges on April 18. Some have claimed that exchanges including Binance and Huobi have frozen withdrawals of Monero in anticipation of the mass-withdrawal, in an effort to prevent their lack of reserves from being discovered. Indeed, Huobi suspended XMR deposits and withdrawals 10 days ago and has yet to restore the functionality, which they say is due to a wallet upgrade. Binance also shows "withdrawal suspended" on its status page as of April 14.
- " 'The Monerun' scheduled for April 18th, Monero's 8th birthday", Monero Observer
- "The Monerun", on r/CryptoCurrency
Reception to the project was swift and overwhelmingly negative. Even the biggest Archie fans who already populated the existing Archie Comics Discord (which saw the addition of crypto channels on the day of the announcement) seemed largely unhappy with the news, and a plan to migrate to their own server free from the NFT and crypto chat was quickly hatched.
The project ultimately minted only 3,179 of the 5,500 planned NFTs, but at 0.068 ETH a pop this still brought in 216 ETH (just under $700,000). The project quickly reduced the supply to avoid the appearance of a lukewarm mint. The NFTs themselves are all illustrations of men wearing various animal heads as headdresses—an odd choice for an animal conservation project.
In November 2021, much of the team suddenly disappeared and stopped posting to Instagram or Twitter. One mod in the Discord has remained positive for months since the apparent rug pull, urging the remaining community members to remain positive. In March 2022, the mod wrote, "I need a huge favor this week from everyone to not spam the accounts of NFT.com guys and Tarzan, it is EXTREMELY IMPORTANT that stops if we want this to comeback, hopefully huge news to follow this week." No such news appears to have come.
The vulnerability was discovered after Taiwanese singer Jay Chou had a Bored Ape NFT stolen in April, prompting the researchers to look into the details of the attack. After the researchers responsibly disclosed their findings to Rarible, Rarible implemented a fix. Rarible removed the ability for users to upload SVG files to patch the vulnerability; it's not clear if they intend to restore that functionality.
The project has been delayed so many times that it has become a bit of a running joke—crypto critics regularly describe the Ethereum PoS migration as something that has been "only six months away" for several years now. Meanwhile, it has proven a useful way for Ethereum fans to dismiss the valid concerns about the enormous energy expenditure of their preferred blockchain, as though enormous emissions and e-waste are somehow a non-issue if there is some vague plan at some perpetually-in-the-future point to move away from them.
Anyway, Ethereum developers have projected new levels of optimism lately, with several of them describing "the merge" as imminent—I believe a June timeframe was the popular estimate. Unfortunately, this appears to have been just as unachievable as the prior "deadlines", with an Ethereum core developer stating it was now looking like it wouldn't happen until some time this autumn. This is particularly brutal timing, given Nilay Patel's interview yesterday with a16z's Chris Dixon, where he confidently pointed to an early July "merge" date (only to become substantially less confident when pressed on specifics). Anyway, see you this fall for the next hype cycle—between now and then, Ethereum will have again consumed energy comparable to the amounts used annually by some small countries, for little if any useful purpose.
In the order, the Commissioner alleged that the project was "leveraging interest in metaverses to perpetrate a high-tech fraudulent securities offering", and had been falsely claiming to their followers that securities laws don't apply to NFTs. "They are misleading purchasers by claiming they can simply avoid securities regulation by implementing illusory features or use different terminology," the Commissioner's announcement said.
The day after the announcement, Brown released a statement saying that he had been drawn in by the hope that NFTs would allow him to avoid "big companies whose sole focus is strong-arming away the rights to projects they've never been a part of to turn a big profit." He wrote, "I felt that if I didn't jump on it myself, someone else would, without the love, care, and artistry we believe in". He concluded that, given the response from his fans, he would not be continuing the NFT project. Some encouraged him to use the artwork that had already been created for merchandise or other non-NFT art sales.
The day after the announcement, crypto influencer "Cobie" wrote on Twitter, "Found an ETH address that bought hundreds of thousands of dollars of tokens exclusively featured in the Coinbase Asset Listing post about 24 hours before it was published, rofl". The wallet had spent around $400,000 on multiple currencies listed in the announcement, which certainly appears as though they knew about the contents of the announcement before it was published.
This is not the first time allegations of insider trading have been made based on Coinbase announcements. In February, a trader made a profit of over $700,000 by trading on what appeared to be advance knowledge of two upcoming Coinbase announcements.
The Wikimedia community formally requests that the Wikimedia Foundation no longer accept cryptocurrency donations
The community member writing the closing summary of the discussion wrote that "Common arguments in support include: issues of environmental sustainability, that accepting cryptocurrencies constitutes implicit endorsement of the issues surrounding cryptocurrencies, and community issues with the risk to the movement’s reputation for accepting cryptocurrencies.... Excluding new accounts and unregistered users, the tally is 232 to 94, or 71.17% in support of the proposal. These results indicate overall community support, with a significant minority in opposition. Thus, the Wikimedia community requests that the Wikimedia Foundation stop accepting cryptocurrency donations."
Elephant Money is a defi project with some questionable promises—its Twitter account advertises that people can "earn 672% APY", and a recent tweet encouraged people to use Elephant Money "as your new bank: Your share of ELEPHANT tokens can be compared to your debit account, except that it also generates you money. Stampede Perpetual Bonds is your retirement fund." Hopefully no one took them up on their suggestion to put their debit account balance or retirement money into the project.
Individual accreditation is based on net worth or income: only those with net worth above $1 million, or yearly income above $200,000, qualify. American Celsius users were largely unhappy with the change, with one writing, "Celsius Network making the rich richer. Shameful."
One Rari developer blamed Ichi for the disaster, writing, "Fuse is a permissionless protocol. Pool operators are responsible for following best practices to avoid situations like this one". Rari Capital's official Twitter account also blamed Ichi, stating, "This is a permissionless pool that is owned and operated by Ichi. We hope to see an announcement from Ichi regarding redemption strategies and next steps to make users whole."
In the FAQ about the incident, Ichi wrote that they had allowed such a high LTV ratio in the pool because they expected "users would make responsible decisions that would benefit the community". There is currently around $30 million of bad debt in the liquidity pool.
Attacker drains Creat Future tokens through flaw that allows anyone to transfer the contents of another person's wallet
$CF was an asset belonging to Creat Future, an early-stage defi project. Some have speculated that the hack was an inside job, and the vulnerable function was added intentionally.
A customer ordered two combo meals, which he purchased by using his mobile crypto wallet to transfer 2 $APE. I was able to track down the transaction, and at the exact time of transfer, 2 $APE were priced at $21.92. The value of $APE has increased by 20% since then, so the purchaser lost out on those earnings by spending them at that time (compared to cash, which is worth roughly the same as it was 10 days ago). This is a (very small) example of why people don't tend to use as currency the same assets they are expecting to increase substantially in value. Furthermore, the purchaser had to agree to an estimated $10 in gas fees when he confirmed the transaction—half as much again as the price of the meal. The transaction ultimately cost the purchaser $4.66 in gas due to fortunately low rates that day, but it was a transaction fee that wouldn't exist if they used cash, or would be substantially smaller and typically absorbed by the restaurant if using a credit card.
Painful financial implications aside, a public transaction record means it's now trivial for anyone to see who is purchasing food at the restaurant using crypto in real time—something that has concerning implications for victims of stalking and other abuse if implemented more widely, as well as just for average people who enjoy having some degree of privacy.
Anyway, hopefully the food's good—assuming the person had any appetite left after looking at their food containers depicting an ape with green skin sloughing off its face.
A company called Gripnr is already working to line up NFT pre-sales, despite acknowledging that they have no idea how they will prevent fraudulent data input—an issue commonly known as the oracle problem. It's also unclear how they intend to change the game so that it's sufficiently different from the Wizards of the Coasts game that they will not face legal action (an issue that ended another crypto project planned to be based around a WotC game). We can only hope that none of this may last long enough to become an issue, given that Gripnr have come up with an idea that I can't imagine appealing to a single person who's ever played D&D.
- "NFTs Are Here to Ruin D&D", Gizmodo
Legal action begins against developer who solicited investments to build an OpenSea competitor, then used it to fund his NFT trading
Meanwhile, Gaye used the project Twitter account to promote his own NFT collection. He also took the donated funds and used them to buy NFTs. When pressed on this in the project's Telegram chat, he wrote, "Im buying NFTs because its my ETH and thats what I wanted to do." After crypto scam investigator zachxbt wrote about Gaye's scams, Gaye threatened to "put him in the ground if we ever meet in person".
Gaye has spent almost 400 ETH on NFTs since beginning to collect donations for his project—equivalent to over $1 million. He has also sold NFTs for a total of around 315 ETH (roughly breaking even with the amount he spent on NFTs, if looking at the ETH prices at time of trade), and amassed a substantial number of NFTs he still holds.
Scammer creates a fake site to revoke wallet permissions, then pretends there is an OpenSea vulnerability to trick people into using it
- "First NFT Collection from Paramount Global and RECUR Partnership to Drop with Star Trek on April 9", press release on StarTrek.com
Although the Formula 1 blockchain game that shut down earlier this month made halfhearted promises to allow NFT holders to swap their NFTs for ones used in a different game, Ubisoft has made no such promises.
The language in the lawsuit is very similar to the stolen ape lawsuit filed February 18, which is not surprising because the plaintiffs are using some of the same lawyers. Vice interviewed one of the lawyers, and determined that the somewhat odd wording refers to the issue in which OpenSea users didn't realize their old listings of NFTs at lower prices were still active.
Worldcoin, creators of the eyeball scanning orb that promises universal basic income, encounter more difficulties
Collectors spend a cumulative $26 million on gas fees alone for "VaynerSports" NFT project—3x the amount made from the NFTs
Someone mints NFTs of r/place, because what's the point of collective artwork if someone can't profit off it
Sadly, the collaborative and fun community art piece and social experiment was financialized almost immediately after the last pixels were placed, with several projects cropping up to sell portions of the canvas for crypto. One of the projects ended almost as quickly as it began, replacing all its NFT images with the "r/FUCKNFTS" portion of the canvas and rewriting the description to say, "Ok, I guess that was a bad move and a bad Joke. Please use Cryptos as decentralized money against states, not to sale dumb images on the internet. Love U Reddit, got U". Other projects, however, remain for sale.
COVID-19 conspiracy theorist Robert Malone announces to trucker convoy his plans to dox more than 4,000 people using blockchain-based tech "so they can't take it down"
When the user confirmed the transaction, they transferred their three pricey apes to the scammer, receiving three worthless ones in return. NFT trader 0xQuit estimated the loss at around $587,000.
The email in question appeared to be from Trezor, and claimed that users' funds were in jeopardy. It prompted them to download a new (fake) version of the Trezor wallet software, and when users entered their seed phrase to restore their wallet from a backup, it drained their crypto. "What a mug I am," wrote the affected user. "Had been building up my BTC for seven years and lost it in a few minutes' utter stupidity."
The Reddit post also included two follow-up edits, displaying the victim blaming that is common when users are hit with phishing scams and other attacks. The user wrote "Edit: yes I entered my keys, because I'm a twat Edit 2: a lot of people saying they'd never fall for it. I hope they're right."
- "I fell victim to the Trezor phishing scam" Reddit post on r/bitcoin
- "Taiwanese star Jay Chou says Bored Ape NFT has been stolen by 'phishing website'", South China Morning Post
De Ford has named the LGB coin creators in the suit, as well as NASCAR, and promoters like Brandon Brown and Candace Owens.
Whoever was behind these transactions airdropped fake NFTs purporting to be a part of an upcoming BAYC metaverse land project, sending them to owners of pricey NFTs and various NFT influencers. It's not clear whether the NFT can perform malicious actions, or if any individuals have been impacted by it if so. However, part of the scam appeared to be to try to entice other users hoping to get in on the next new BAYC project to fall for a phishing scam. Tracing the transactions back showed an OpenSea profile with a fake "verified" badge and a mint link to what appears to be a phishing website, which invites people to connect their wallets to supposedly mint their own BAYC land NFTs.
Other Discords reported to be compromised include several other big-name projects including Doodles, which had previously endured a Discord compromise in late February. This particular compromise appeared to stem from a series of compromised Discord bots, including a very popular CAPTCHA bot used to fight spammers. It's unclear if anyone lost money to the fake links posted by seemingly-official Discord accounts, or how much, but these types of attacks often lure in at least some victims, and the higher-priced NFT projects like Bored Apes and Doodles enable scammers to ask for quite a lot of money without raising an eyebrow.