Binance gave Putin regime information on users who donated to opposition leader Alexei Navalny

[Image: Alexei Navalny, pictured from the shoulders up, wearing a navy scarf and coat. Caption: Alexei Navalny]
Binance, the largest cryptocurrency exchange, shared customer data with the Russian government according to a Reuters special report. Reuters detailed how Binance provided the Russian government's financial monitoring service with data on Binance users who donated to Alexei Navalny, an anti-corruption activist and prominent opponent of Putin. Reuters reported this was part of a broader effort by Binance to form allegiances with Russian governmental agencies as it worked to expand its footprint in Russia.

Navalny has been imprisoned in Russia since returning in January 2021, shortly after recovering from poisoning: an attempt on his life reportedly ordered by Putin. While in prison, Navalny's foundation has encouraged people to donate cryptocurrency using Binance. They have raised more than 670 Bitcoin ($28 million) so far, despite the Russian government outlawing the foundation and labeling it a terrorist organization. Donors to Navalny's cause now face potentially serious danger as they've been identified to the Putin regime by Binance.

Crypto proponents have long promoted the technology's potential to fund individuals who are targeted by oppressive regimes, and to allow anonymous and untraceable donations.

AkuDreams NFT project earns $34 million that its team will never be able to withdraw

[Image: A 3D rendering of a person with an astronaut helmet that has planets orbiting it, wearing a white suit with a heart on the front and a red cape, holding up a small globe in their hand. Caption: AkuDreams NFT]
Micah Johnson, an artist and former professional baseball player, launched an astronaut-themed NFT project called AkuDreams. The sale was structured as a Dutch auction, with the added twist that the lowest bid would set the final price for the NFT and all who bid higher would be refunded.

The contract suffered from several flaws, however. The first allowed an exploiter to stop all refunds and withdrawals from the contract. Luckily for the team, the exploiter was well-intentioned and only intended to highlight the issue; they removed the block shortly after, leaving a message urging the team to have their contracts audited before release.

AkuDreams were not so lucky with the second issue. A bug in the code failed to account for users minting multiple NFTs in a single transaction, which made it so that the claimProjectFunds function that would allow the team to withdraw their earnings can never successfully execute. This means that the team can never withdraw the 11,539 ETH ($34 million) earned from the NFT sales—it is stuck there forever.
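A simplified model of this class of bug, added here as an illustration and not taken from the AkuDreams contract: it assumes the withdrawal guard compares a counter of refunded bid records against a counter of NFTs bid on. All names and bid values are constructed.

```python
"""Constructed model of a refund-gated withdrawal; amounts are integer units."""


class AuctionModel:
    def __init__(self, unit_consistent):
        # unit_consistent=False reproduces the mismatch: the guard compares
        # "bid records refunded" against "NFTs bid on" (different units).
        self.unit_consistent = unit_consistent
        self.bids = []             # (bidder, quantity, price_each)
        self.total_nfts_bid = 0    # grows by quantity on every bid
        self.refund_progress = 0   # grows by 1 per bid record refunded
        self.balance = 0
        self.refunds = {}

    def bid(self, bidder, quantity, price_each):
        self.bids.append((bidder, quantity, price_each))
        self.total_nfts_bid += quantity
        self.balance += quantity * price_each

    def process_refunds(self, final_price):
        # Everyone pays the lowest (final) price; the difference is returned.
        while self.refund_progress < len(self.bids):
            bidder, quantity, price_each = self.bids[self.refund_progress]
            owed = (price_each - final_price) * quantity
            self.refunds[bidder] = self.refunds.get(bidder, 0) + owed
            self.balance -= owed
            self.refund_progress += 1

    def refunds_complete(self):
        if self.unit_consistent:
            # Hardened guard: both sides count bid records.
            return self.refund_progress >= len(self.bids)
        # Flawed guard: left side counts records, right side counts NFTs.
        # One multi-NFT bid makes the right side permanently larger.
        return self.refund_progress >= self.total_nfts_bid

    def claim_project_funds(self):
        if not self.refunds_complete():
            raise RuntimeError("refunds not yet processed")
        amount, self.balance = self.balance, 0
        return amount


def run(unit_consistent):
    """Run the same constructed auction and report what the team can withdraw."""
    auction = AuctionModel(unit_consistent)
    auction.bid("alice", 1, 35)
    auction.bid("bob", 3, 30)    # three NFTs in a single transaction
    auction.bid("carol", 2, 25)  # lowest bid sets the final price
    auction.process_refunds(final_price=25)
    try:
        return ("withdrawn", auction.claim_project_funds())
    except RuntimeError:
        # Every refund has been paid, yet the guard can never be satisfied.
        return ("locked", auction.balance)


if __name__ == "__main__":
    print("flawed guard:  ", run(unit_consistent=False))
    print("hardened guard:", run(unit_consistent=True))
```

A test that places a multi-quantity bid and then exercises the withdrawal path end to end catches this before deployment, because the invariant "all refunds paid implies the team can withdraw" fails on the first such bid.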

Hacker pulls $1 million from defi project, then destroys contract without withdrawing the funds

An attacker targeted the ZEED defi project, successfully using a flash loan attack to pull just over $1 million from the project. With the funds transferred to the attack contract, the hacker then called the contract's self-destruct function, making it impossible for the funds to ever be withdrawn. It's unclear if this was intentional and done as a sort of statement, or if the attacker intended to take the profit for themselves but forgot to do so before destroying the contract.

Scammers phish $4.3 million from Terra users in ten days using Google Ads

[Image: A screenshot of Google results for the search "astorport" showing an advertisement resembling the proper Google result, with an arrow reading "SCAM". Caption: Phishing results in Google ads]
Scammers ran Google ads for popular search queries relating to the Terra ecosystem. When users searched for things like "Anchor protocol" or "Astroport", the first result was actually a Google ad purchased by scammers impersonating the real protocols. The scammers were even able to make the domains resemble the correct domains, though these changed once the users clicked the advertisement. Users were then prompted to enter their seed phrases to connect their wallets, after which point the scammers were able to empty the wallets.

52 different people fell for the scam, losing a total of around $4.3 million in assets. The scammers appeared to be targeting high-value wallets, with only two accounts transferring less than $1,000. 24 individual wallets were scammed for more than $10,000 each, 7 wallets lost more than $100,000, and one user lost almost $1.4 million.

Rogue Society team resurfaces after being called out for rug pulling $5.5 million

[Image: A blue robot with an open mouth and shoulder-length blonde hair with a pink bow, on a pink background. Caption: Rogue Society Bot #5639]
The Rogue Society NFT project launched in September, with an ambitious roadmap that included a theme song, comic book series, 3D figurines, an augmented reality app, and an animated series. The project sold out its 15,777 NFTs, which minted at 0.09 ETH each ($355), for a total profit of around $5.5 million. The team stuck around for a while, but by December had gone completely silent. No tasks on the roadmap had been completed. The founder has withdrawn $3.4 million of the funds.

Following a thread by zachxbt outlining the team's rug pull, the project founder made the first post in the project Discord since December, announcing a theme song competition with no acknowledgement of the team's absence and lack of progress.

This event once again shows how it is people like zachxbt who are left to try to hold project creators accountable in the absence of reasonable regulation or enforcement.

Binance adds a branded hashtag to Twitter that closely resembles a swastika

[Image: Screenshot of the "#Binance" hashtag, showing an emoji next to it consisting of the diamond-shaped Binance logo on a yellow square, with four lines emerging from the sides in a way that resembles a swastika. Caption: Twitter's Binance branded hashtag]
Binance, the world's largest crypto exchange, used Twitter's branded hashtag feature to add a custom emoji to Twitter when people use the hashtags #Binance or #BNB. The hashtag closely resembled the Hindu swastika, though it's not clear if this was an intentional choice by Binance or a coincidence. The Hindu swastika is distinguished by the four dots within the arms of the symbol, and represents good luck and prosperity. Though Binance may have hoped the dots would distinguish it from the symbol used by the Nazi party, perhaps they (somehow) didn't realize that this distinction is not well known to many, particularly in the West, or that the single-pixel-wide dots are not particularly prominent at emoji size. In Germany the symbol is banned except when used in explicitly religious contexts; several German users confirmed they could see the hashtag.

More than a few people expressed shock at seeing what they believed to be a hate symbol on their Twitter feeds from a large brand. The date of release only made things worse—April 20 is celebrated among fascists because it is Hitler's birthday. Tweets from Binance's official Twitter account and the Twitter account of founder and CEO Changpeng Zhao (known as "CZ") were quickly deleted, though the emojis remained. Several hours later, Binance changed the emoji to a globe with the Binance logo.

Twitter doesn't publicly list how much it costs to obtain a branded hashtag, though most articles I could find listed the price at around $1 million. I'm not sure if this is per hashtag or per emoji—the new emoji appears on several related hashtags.

Rich Bulls Club team resurfaces after being called out for rug pulling $3.7 million

[Image: An illustration of a brown bull, with a pile of poo on its head, on a toilet-paper-esque background. The text "BANNED!" is stamped above it. Caption: "Banned" Rich Bull NFT]
Crypto sleuth zachxbt researched the Rich Bulls Club, an NFT project that launched in December with NFTs priced at 0.3 ETH (~$1,350) a pop. The project included a clause where "selling under our minimum selling price agreement is forbidden"—anyone who sold a Rich Bulls NFT for less than 3 ETH ($13,500) would find the NFT image modified to a bull with a poo emoji on its head, with the text "BANNED!" stamped across it in red. The project roadmap promised networking and business opportunities enabled by its community members, exclusive events, opportunities to win supercars or hundreds of thousands of dollars, and a "real-life Squid Game event" where one person would win $1 million. Needless to say, none of this transpired, and the project quietly deleted its website and Instagram accounts as the founder cashed out over $3 million.

Two hours after zachxbt published his research, the team made their first post in three months, with multiple excuses for the issues zachxbt highlighted.

NFT influencer 0x_fxnction suffers $240,000 wallet compromise

NFT influencer 0x_fxnction reported that his wallet had been compromised, and 2349 SOL (~$240,000) had been stolen. The money had primarily been profit from the DeGods project, he said, and was unwisely stored in one hot wallet because it was "meant to help buy a house and was being withdrawn in the next weeks".

He said he hadn't used the wallet to mint any NFTs since October, and said he had revoked all access to minting websites since then. He wrote that he was unsure how the compromise had happened: "My best guess: an old minting site from October still had access to my wallet, even after 'revoking' happened in Phantom.... But honestly, it's just a guess."

Developers drain over $1.1 million from $CHEDDA

The price of the $CHEDDA token suddenly plummeted 50% when a developer removed $1.17 million from the project. The withdrawal was accomplished with a function only available to privileged wallets—that is, those belonging to the project team or its developers.

Members of the Chedda team claimed on Discord that they were not behind it, and that it had been done by an outsourced development team who was working on the project's farming and staking. "They technically should've been within contract, but they robbed us," wrote Discord moderator Ali Michelle (referring to legal contracts rather than smart contracts). "They were in contract so it would be illegal and full on theft, i believe". Despite the devastating loss, Michelle urged remaining members of the community to "hodl and help us bring this back to life!"

The project had been audited by CertiK, who were quick to note that the contract containing the function used to drain funds was "not in CertiK’s audit scope".

Atari cuts ties with their "Atari Token" partner

A press release from Atari announced that the company would be cutting ties with ICICB Group. In addition to Atari granting ICICB hotel and casino licenses, the original deal had also resulted in the creation of the "Atari Chain" and "Atari Token" ($ATRI).

Atari Token was described as "decentralized cryptocurrency that was created to become the token of reference for the interactive entertainment industry". It launched in November 2020, tanking in price immediately on release. Despite a brief boom around March 2021, the token has mostly traded below its launch price.

In the press release, Atari wrote, "Atari disclaims any interest in the [...] Joint Venture, currently promoted as Atari Tokens, and related websites, whitepapers and social media channels are unlicensed, unsanctioned and are outside the control of Atari." They also wrote that they would be replacing existing $ATRI tokens with new tokens in the future. Atari wrote that the termination of the hotel and casino agreements resulted in an €11 million ($11.8 million) write-off, but that financial impact of the token changes wouldn't be disclosed until the FY22 report.

$650,000 phishing attack against MetaMask user reveals that credentials are automatically backed up to iCloud

[Image: An ape with fur resembling magma and volcanic rock, with a green muzzle, with leeches coming out of its nose and mouth. Caption: Mutant Ape #28478]
Some MetaMask users using iOS were shocked to discover that their MetaMask credentials were automatically being stored to iCloud today, after MetaMask acknowledged this was the case in the wake of a costly phishing attack. Domenic Iacovone lost cryptocurrency and several pricey NFTs after a successful social engineering attack by scammers pretending to be Apple support earned them access to his iCloud account. From there, they were able to access his iCloud data, and use the stored MetaMask credentials to drain his wallet. The trader lost $650,000 worth of cryptocurrency and NFTs, including Mutant Apes and Gutter Cats, to the attack.

It's not yet clear if others have been affected by the same type of attack, but MetaMask tweeted instructions for iCloud users on how to turn off the automatic backups. Most people seemed to have previously been unaware that this data was being backed up in iCloud. MetaMask turned off replies on their tweet announcement, apparently anticipating the outrage from their users. Iacovone was among the outraged, writing, "Keep exposing MetaMask until they do what is right and take care of this issue and the people affected by it".

Palisade discloses infectious XSS vulnerability on Rarible that could have arbitrarily changed NFT listing data and transactions

Security researchers at Palisade publicly disclosed a wormable cross-site scripting (XSS) vulnerability and WAF bypass they had discovered and responsibly disclosed to Rarible several days earlier.

The researchers were able to inject malicious code into the profile photo on Rarible, which only required a person to visit the malicious profile in order to run. This code could have then "infected" other signed-in users' profile photos, increasing the spread of the vulnerability to anyone who then visited their profiles. Once infected, the code would persist across all pages on Rarible, and could change arbitrary data on NFT listings, modify smart contract interactions, leak or modify profile information, or prompt users to sign arbitrary messages.

In an example, the researchers showed how a listing of a Bored Ape (pricey NFTs which currently have a floor price ~100 ETH / $290,000) could be modified for an impacted user to appear as though it was listed for only 1 ETH (~$2,900). A user who attempted to buy the apparently massively-discounted NFT could then be prompted to approve a sale transaction which would actually run a setApprovalForAll call that would allow the attackers to steal crypto and NFTs from the user's wallet.

This bug was the second Rarible vulnerability that was publicly disclosed this week, following a vulnerability with SVG NFTs disclosed by Check Point Research on April 14.

After the security researchers responsibly disclosed the vulnerability, which could have quickly wreaked havoc across Rarible's entire userbase, Rarible patched the issue and awarded them a bug bounty of $5,000. Good luck to Rarible if the next people who find a bug are even slightly more motivated by money than they are by ethics.

Crypto multimillionaire and former defi developer Andre Cronje calls for crypto regulation as he founds an investment banking company

[Image: Portrait of Andre Cronje, a man with a short beard, wearing a suit. Caption: Andre Cronje]
Andre Cronje has graced the pages of W3IGG before, when he and his development partner Anton Nell unexpectedly announced they would be abandoning their 20+ defi projects, without giving any specific reason.

The reasoning may have just become clear, as Cronje published a blog post titled "The rise and fall of crypto culture" in which he wrote, "Crypto culture has strangled crypto ethos... I now more than ever see the need, or even necessity for regulation, not as a mechanism to prevent, but as a mechanism to protect. Its like a child trying to stick their finger into a electric outlet, you stop them, before they can learn why they shouldn't. One day they will understand, but not today." He remained optimistic about the prospects of crypto if regulation is introduced: "We will see the rise of a new blockchain economy, not one driven by greed, but instead driven by trust, not trustlessness."

Not everyone was impressed by his apparent change in tune. Twitter user 0xCana wrote, "andre cronje with the gigagrift walking away with over 1 billion dollars generated from crypto and then exits the space, rails against 'get rich quick mentalities' and advocates for strict regulations and then founds an investment banking company. incredible."

2omb and Redemption defi projects endure repeated flash loan attacks

Redemption provides the liquidity pools for 2omb, a Fantom-based algorithmic stablecoin project with big promises: "What if you could invest in a golden goose? Something you can acquire that will actually print you more money to either invest or use?"

Starting on April 18, the projects were targeted with a series of flash loan attacks. The project faced a total of 267 flash loan attacks within one day, leading to major volatility in the ostensibly stable coin. In an impressive display of optimism, a project team member wrote, "This has caused a large price pump. (Also benefited with 3% more burned tokens in fees.) The outcome and intent of the person who has done this, is unknown and it may work in our favour, Do not panic, and do not buy or sell until stable." The attacker made a profit of around $190,000 from the attacks.

Beanstalk Farms stablecoin project loses $182 million to exploit

All my magic beans gone. An attacker successfully used a flash loan attack to exploit a flaw in Beanstalk Farms' stablecoin protocol, which allowed them to make off with 24,830 ETH (almost $76 million). The attacker then donated $250,000 to Ukraine before moving the remaining funds to Tornado Cash to tumble.

Estimated damages to the project were higher than the amount the hacker was able to take for themselves—around $182 million. The $BEAN token, once pegged to $1, dropped to nearly 0. The project creator wrote in the Discord, "We are fucked. This project has not had any venture backing, so it is highly unlikely there is any sort of bail out coming." However, they were later slightly more optimistic, writing, "it may also be the start of something good... there may be a path forward. We don't want to comment on next steps until that path is at least visible to us" while reiterating that a bail-out was "highly unlikely". They also told members of their community that they had contacted the FBI about the theft.

Someone successfully games raffle for popular NFT allowlist with Sybil attack

[Image: Pixel art of a white owl with one squinting eye, wearing a forest ranger hat, on a light green background. Caption: Moonbirds #768]
The NFT project "Moonbirds" generated so much hype that they implemented a raffle system for the many people who hoped to get on the project's allowlist, hoping to make it more fair. However, because it is relatively trivial for a person to create many crypto wallets, a person was able to game the system by creating over 400 wallets, which went on to win more than 50 slots on the project allowlist. This strategy—creating many accounts or wallets to gain an advantage—is known as a "Sybil attack".

This did not go over so well for the people who were eager to get a spot in line to mint NFTs that cost 2.5 ETH ($7,650), but were selling with a floor price of 13.1 ETH ($40,000) on the secondary market shortly after the mint completed. If the person behind the Sybil scheme flipped their NFTs for the current floor price, they could make upwards of $1.6 million in profit.

Pseudonymous Gem cofounder revealed to be hiding a history of alleged sexual abuse, some targeting children

A pseudonymous co-founder of the NFT startup Gem, who was previously known only as "Neso", has been revealed to be Josh Thompson. Using the handles "Joshpriest" and "MethodJosh", Thompson is a once-prominent World of Warcraft streamer who has been accused by at least five people of rape, sexual harassment, and grooming of minors. Gem announced to their community on April 9 that they had reviewed allegations against Neso and "exited" him from the team, though a report by BuzzFeed News showed that the Gem team had known about his identity since at least mid-March.

Following the publication of the BuzzFeed article on April 16, the Gem Discord erupted in anger—apparently discovering for the first time that Gem had known Thompson's real identity for quite a lot longer than they had let on. Some members accused the team of lying and trying to cover up who Thompson was, demanding the team explain themselves. The Gem Discord bot was subsequently configured to block links to BuzzFeed.com, so people couldn't post the exposé article.

Crypto culture has embraced pseudonymity to such an enormous degree that not only is it common for everyday traders to cloak their identities behind wallet addresses or pseudonyms, but for founders and prominent members of major projects to do so as well. This is not the first time this has enabled deception, such as in the case where a chief developer of a defi project was later unmasked as a man with a history of financial crimes and other shadiness.

Rikkei Finance exploited for $1 million

Rikkei Finance, which describes itself as a metaverse defi project, was apparently exploited. 2,571 BNB, priced at around $1.07 million, was transferred out of the protocol and quickly moved to a tumbler.

Unicorn Nodes defi project rug pulls hours after launch

Unicorn Nodes claimed to be a "defi-as-a-service" project. It launched its $RNBW token on April 14, despite warnings from "TheBreadmaker", who rates various protocols. Only hours after launch, someone sold 5,432 RNBW (~$129,000), draining the liquidity pool and crashing the token price. Although the project creators initially claimed that the project had been exploited by an external actor, and that it wasn't a rug pull, by that evening they had scrubbed their website and Twitter presence.

Monero holders plan a bank run

Monero is a privacycoin that attempts to address some of the privacy issues with more popular currencies (like Bitcoin or Ethereum)—namely, that anyone can see that wallet A sent a transaction of X amount to wallet B. However, privacy cuts both ways, and this feature also means that, without cooperation from the exchanges, the Monero community can't verify that exchanges actually hold the amounts of Monero they're allowing their users to buy. Some in the community have become increasingly suspicious that exchanges are selling "paper Monero": fake Monero that's not actually backed by reserves.

To try to test this theory, Monero users have scheduled what is basically a bank run: they are encouraging all users to try to move their Monero out of exchanges on April 18. Some have claimed that exchanges including Binance and Huobi have frozen withdrawals of Monero in anticipation of the mass-withdrawal, in an effort to prevent their lack of reserves from being discovered. Indeed, Huobi suspended XMR deposits and withdrawals 10 days ago and has yet to restore the functionality, which they say is due to a wallet upgrade. Binance also shows "withdrawal suspended" on its status page as of April 14.

Archie Comics announces "Archiverse" NFT project to overwhelmingly negative reception

[Image: A red-haired young man wearing a blue varsity jacket has fully white eyes and what appears to be magical energy swirling around him, emanating from a floating book in front of him. Caption: Archiverse NFTs promotional image]
Archie Comics announced they would be launching an NFT project called "Archiverse", which centers around their spooky "Madam Satan" character and invites people to "unlock the universe of Archie Comics to play, create, and be credited on a forthcoming comic book title". The project's creators have some pretty high hopes, aiming to mint 66,666 NFTs at $66.66 each, which would earn them $4.4 million from the mint alone if they were to sell all of them.

Reception to the project was swift and overwhelmingly negative. Even the biggest Archie fans who already populated the existing Archie Comics Discord (which saw the addition of crypto channels on the day of the announcement) seemed largely unhappy with the news, and a plan to migrate to their own server free from the NFT and crypto chat was quickly hatched.

Influencer "The Real Tarzann" (aka Mike Holston) rug pulls NFT project to the tune of $700,000

[Image: Illustration of a man with a hood made from a baboon skin wearing jewelry. The man has brown skin and a brown beard, and is shirtless except for furred shoulder coverings. Caption: Tarzan #2924]
Influencer, conservationist, and exotic animal whisperer "The Real Tarzann" (a.k.a. Mike Holston) announced in October 2021 his plans for an NFT project called "Tribes of Ogun". The project promised an ambitious roadmap that included creating a strategy game, generous giveaways including trips to Africa, and donations to the World Wildlife Fund. Various prominent influencers and athletes helped to hype the project in advance of its mint.

The project ultimately minted only 3,179 of the 5,500 planned NFTs, but at 0.068 ETH a pop this still brought in 216 ETH (just under $700,000). The project quickly reduced the supply to avoid the appearance of a lukewarm mint. The NFTs themselves are all illustrations of men wearing various animal heads as headdresses—an odd choice for an animal conservation project.

In November 2021, much of the team suddenly disappeared and stopped posting to Instagram or Twitter. One mod in the Discord has remained positive for months since the apparent rug pull, urging the remaining community members to remain positive. In March 2022, the mod wrote, "I need a huge favor this week from everyone to not spam the accounts of NFT.com guys and Tarzan, it is EXTREMELY IMPORTANT that stops if we want this to comeback, hopefully huge news to follow this week." No such news appears to have come.

Bug discovered in popular Rarible platform: NFTs could execute malicious JavaScript

Security research group Check Point Research discovered a flaw in the NFT trading platform Rarible, which would have allowed an attacker to steal the entire contents of users' NFT wallets. A user who received a link to a malicious NFT, or clicked on it in the Rarible marketplace, would cause it to execute JavaScript code that would attempt to send a "setApprovalForAll" request, which an unsuspecting user would likely be less wary of when interacting with a known, trusted marketplace like Rarible.

The vulnerability was discovered after Taiwanese singer Jay Chou had a Bored Ape NFT stolen in April, prompting the researchers to look into the details of the attack. After the researchers responsibly disclosed their findings to Rarible, Rarible implemented a fix. Rarible removed the ability for users to upload SVG files to patch the vulnerability; it's not clear if they intend to restore that functionality.

Authorities link Axie Infinity hack to North Korean Lazarus hacking group

According to the FBI, the infamous cybercrime group Lazarus has been implicated in the March Axie Infinity exploit that saw $625 million taken from the game's blockchain bridge. Lazarus are a criminal group with strong ties to North Korea, and are suspected of being behind infamous cyberattacks including the WannaCry ransomware that impacted a wide number of industries including hospitals and manufacturing, as well as legislative and justice systems. The U.S. Treasury department has added the crypto wallet that received the stolen funds to its sanctions list, which may make it substantially harder for the attackers to withdraw the money. The wallet still contains around 150,000 ETH, valued at around $445 million, but has been slowly siphoning it out to various other wallets, exchanges, and tumblers over the past weeks.

RCMP says more than $2 million has been lost to crypto scams in Richmond, B.C. since January

The police in Richmond, British Columbia say they've received 22 reports of crypto fraud, which have included fake investment schemes, romance scams, or scammers impersonating government officials. One individual targeted by a fake investment scheme lost CA$550,000, which he thought he was investing in foreign exchange companies that turned out to all be fake.

Shareholders file a class-action suit against Coinbase over deceptively positive statements

A group of shareholders have filed a class-action lawsuit against Coinbase, alleging that the registration and prospectus statements provided for the company's IPO were false and misleading. The suit alleges that Coinbase failed to disclose that the company would require a large cash injection, and that it was susceptible to outages that were becoming more common as the company scaled. They described the company's positive statements about its outlook as "materially misleading and/or lack[ing] a reasonable basis".

Fake SkyVerse project draws in more than $150,000

[Image: Fake mint website, showing the text "SKYVERSE MINT IS LIVE 4062/5555 minted Total: 0.1 ETH Connect Wallet". Caption: Fake SkyVerse website]
A scammer recreated the Twitter account for SkyVerse, a much-anticipated NFT land project due to launch in "mid-April". More than 250 NFT collectors eager to get in on a mint that has only vaguely pointed to a date have fallen prey to a scammer convincing them that not only has the project started minting, but they're rapidly selling out. The scammer implemented a "counter" on the webpage that appears to show the project quickly selling out in real-time, apparently hoping to increase the FOMO that might encourage someone to hastily connect their wallet. However, a glance at the website source shows the counter is just instantiated to a fixed value, and then increments arbitrarily to show the counter approaching the maximum number of NFTs that will be sold. So far, the website has drawn 50 ETH ($150,000) from would-be collectors trying to mint NFTs for 0.1 ETH ($300) each.

NFT collector gets $280 top bid for the Jack Dorsey tweet NFT he bought for $2.9 million last year

[Image: Screenshot of a tweet by @jack: "just setting up my twttr". Caption: NFT of Jack Dorsey's first tweet]
After Jack Dorsey made an NFT out of his first-ever tweet, then-cryptocurrency executive Sina Estavi won the auction in March 2021 with a 1,630 ETH bid (then around $2.9 million). A little over a year later, on April 6, Estavi tweeted that he would be selling the NFT. He listed the NFT on Opensea for 14,969 ETH (around $46 million), in an auction slated to last a week. When the auction closed, there were seven offers ranging from 0.0019 ETH ($6) to 0.09 ETH ($277). It's still up to Estavi whether or not to accept a bid.

Ethereum transition to proof-of-stake delayed again, as is tradition

For years now, Ethereum has been talking about a transition from its energy-intensive, expensive proof-of-work consensus model to a proof-of-stake consensus model, which sports a totally different set of flaws! Exciting.

The project has been delayed so many times that it has become a bit of a running joke—crypto critics regularly describe the Ethereum PoS migration as something that has been "only six months away" for several years now. Meanwhile, it has proven a useful way for Ethereum fans to dismiss the valid concerns about the enormous energy expenditure of their preferred blockchain, as though enormous emissions and e-waste are somehow a non-issue if there is some vague plan at some perpetually-in-the-future point to move away from them.

Anyway, Ethereum developers have projected new levels of optimism lately, with several of them describing "the merge" as imminent—I believe a June timeframe was the popular estimate. Unfortunately, this appears to have been just as unachievable as the prior "deadlines", with an Ethereum core developer stating it was now looking like it wouldn't happen until some time this autumn. This is particularly brutal timing, given Nilay Patel's interview yesterday with a16z's Chris Dixon, where he confidently pointed to an early July "merge" date (only to become substantially less confident when pressed on specifics). Anyway, see you this fall for the next hype cycle—between now and then, Ethereum will have again consumed energy comparable to the amounts used annually by some small countries, for little if any useful purpose.

Texas Securities Commissioner issues emergency order to stop a metaverse casino

Securities Commissioner Travis J. Iles issued an emergency cease and desist order to stop "Sand Vegas Casino Club", a project that writes on its website "THE HOUSE ALWAYS WINS. And with SandVegasCasinoClub NFTs YOU can BE THE HOUSE!" The project would have allowed NFT buyers to participate in a "profit-share program" and earn "passive income" from a metaverse casino where people could not only gamble, but purchase metaverse items representing drinks and cigarettes (really).

In the order, the Commissioner alleged that the project was "leveraging interest in metaverses to perpetrate a high-tech fraudulent securities offering", and had been falsely claiming to their followers that securities laws don't apply to NFTs. "They are misleading purchasers by claiming they can simply avoid securities regulation by implementing illusory features or use different terminology," the Commissioner's announcement said.

Science fiction author Pierce Brown cancels NFT project after negative fan response

[Image: A silhouette of a human figure on a red-brown background. The figure has an afro and what appears to be a steam valve on their neck, and is smoking a cigar. Caption: Solar Society promotional art]
"Don't make your dystopian books our reality, Pierce," a fan replied to sci-fi author Pierce Brown's announcement of an NFT project. Brown, the author of the bestselling Red Rising series of novels, announced an NFT project called "Solar Society" based around his work. Fan response was overwhelmingly negative, with some expressing concerns over environmental impact, and others dismayed at the negative effect they feel NFTs have had on creative communities.

The day after the announcement, Brown released a statement saying that he had been drawn in by the hope that NFTs would allow him to avoid "big companies whose sole focus is strong-arming away the rights to projects they've never been a part of to turn a big profit." He wrote, "I felt that if I didn't jump on it myself, someone else would, without the love, care, and artistry we believe in". He concluded that, given the response from his fans, he would not be continuing the NFT project. Some encouraged him to use the artwork that had already been created for merchandise or other non-NFT art sales.

Someone once again appears to trade on insider knowledge of Coinbase listings

On April 11, Coinbase announced 50 new cryptocurrencies they were considering listing on their exchange. These announcements tend to increase the price of the tokens under consideration, as traders take bets that the coins will be listed, and that their being listed on a major exchange and made more easily accessible will result in a price increase down the road.

The day after the announcement, crypto influencer "Cobie" wrote on Twitter, "Found an ETH address that bought hundreds of thousands of dollars of tokens exclusively featured in the Coinbase Asset Listing post about 24 hours before it was published, rofl". The wallet had spent around $400,000 on multiple currencies listed in the announcement, which certainly makes it appear as though they knew about the contents of the announcement before it was published.

This is not the first time allegations of insider trading have been made based on Coinbase announcements. In February, a trader made a profit of over $700,000 by trading on what appeared to be advance knowledge of two upcoming Coinbase announcements.

The Wikimedia community formally requests that the Wikimedia Foundation no longer accept cryptocurrency donations

Wikipedia editors and other members of the Wikimedia communities completed a three-month-long discussion about whether the Wikimedia Foundation (WMF) should continue to accept donations in crypto. The WMF, which is the non-profit that owns and operates Wikipedia and related projects, has accepted crypto donations via BitPay since 2014. They have been a small source of donation revenue—in the last fiscal year, the WMF received about $130,000 worth of crypto donations. "Crypto was around 0.08% of our revenue last year, and it remains one of our smallest revenue channels," wrote a Wikimedia Foundation staff member.

The community member writing the closing summary of the discussion wrote that "Common arguments in support include: issues of environmental sustainability, that accepting cryptocurrencies constitutes implicit endorsement of the issues surrounding cryptocurrencies, and community issues with the risk to the movement’s reputation for accepting cryptocurrencies.... Excluding new accounts and unregistered users, the tally is 232 to 94, or 71.17% in support of the proposal. These results indicate overall community support, with a significant minority in opposition. Thus, the Wikimedia community requests that the Wikimedia Foundation stop accepting cryptocurrency donations."

Attacker cashes out more than $11 million from Elephant Money in a flash loan attack

A person was able to use a flash loan attack to drain the Elephant Money project, crashing the token price to 0 while cashing out 27,416 BNB ($11 million). Losses to the project were likely higher, including the loss of 30 billion $ELEPHANT tokens (~$10 million). The project boasted audits by both CertiK and Solidity Finance on its website, though CertiK later tweeted that the flaw was with the treasury contract, which was unverified and unaudited.

Elephant Money is a defi project with some questionable promises—its Twitter account advertises that people can "earn 672% APY", and a recent tweet encouraged people to use Elephant Money "as your new bank: Your share of ELEPHANT tokens can be compared to your debit account, except that it also generates you money. Stampede Perpetual Bonds is your retirement fund." Hopefully no one took them up on their suggestion to put their debit account balance or retirement money into the project.

Celsius stops allowing non-accredited investors in the United States to lend out their crypto

Celsius announced that, in order to comply with United States regulations, they would no longer allow non-accredited investors from the U.S. to "earn rewards on" (that is, lend) their crypto using their Earn product. Earn advertises that people can "earn up to 18.63% APY, get paid weekly" by putting their crypto into a Celsius account, which Celsius then lends out in exchange for interest. There are, of course, no insurance protections for the user in case of losses. Non-accredited investors will now be limited to only using their Celsius account to exchange, borrow, or transfer crypto—not lend.

Individual accreditation is based on net worth or income: only those with net worth above $1 million, or yearly income above $200,000, qualify. American Celsius users were largely unhappy with the change, with one writing, "Celsius Network making the rich richer. Shameful."

Ichi token plummets 90% after Rari liquidity pool is emptied

Ichi, a defi project that allows other projects to create their own stablecoins, suffered cascading liquidations in its Rari pool, leading to a token price crash. Rari is a protocol that allows users to earn yields on liquidity pools for various assets. Ichi's liquidity pool on Rari was set up with an extremely high collateral factor (85%) and no supply caps, which allowed borrowers to borrow more $ICHI to use as collateral than actually existed in the liquidity pool, with many borrowing $ICHI to buy more $ICHI. As borrowers did this, the price briefly spiked from the token's early April price of around $70 to $139 before plummeting to below $2.

One Rari developer blamed Ichi for the disaster, writing, "Fuse is a permissionless protocol. Pool operators are responsible for following best practices to avoid situations like this one". Rari Capital's official Twitter account also blamed Ichi, stating, "This is a permissionless pool that is owned and operated by Ichi. We hope to see an announcement from Ichi regarding redemption strategies and next steps to make users whole."

In the FAQ about the incident, Ichi wrote that they had allowed such a high LTV ratio in the pool because they expected "users would make responsible decisions that would benefit the community". There is currently around $30 million of bad debt in the liquidity pool.

NFT collector suffers wallet compromise and loses over 100 NFTs, priced at over $600,000

[Image: A computer-generated image of blue and orange wave-like structures on a striated yellow and orange background. Caption: One of Casper's stolen NFTs, Jiometory No Compute - ジオメトリ ハ ケイサンサレマセン #1021]
NFT collector "Casper" discovered their wallet had been compromised, and an attacker had stolen around 114 NFTs worth around $600,000. The collector took to Twitter to urge people not to transact with his compromised wallet, and to ask OpenSea and other marketplaces to freeze the address. As of April 12, it was unclear how the wallet had been compromised. However, other wallets besides Casper's had transferred NFTs to the same exploiter address, so they may not have been the only user affected.

Attacker drains Creat Future tokens through flaw that allows anyone to transfer the contents of another person's wallet

[Image: A chart showing the value of $CF/$USDT. The price was steady before briefly spiking and then crashing to near 0. Caption: CF/USDT pair]
An attacker stole about $1.9 million after exploiting a bug in the smart contract for the Creat Future token. The contract's transfer function was defined as public, with no validation on the caller, allowing anyone to transfer tokens from any wallet. An attacker quickly exploited this flaw to drain millions of $CF tokens from various wallets, then exchange and tumble them to cover their tracks. The attacker made off with about $1.9 million, and the value of $CF crashed.

$CF was an asset belonging to Creat Future, an early-stage defi project. Some have speculated that the hack was an inside job, and the vulnerable function was added intentionally.
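
A minimal Python model of the flaw described above, next to a version that checks the caller. This is an added illustration, not the Creat Future contract's code; the class names, account names and balances are constructed for the example.

```python
"""Toy token ledger: a transfer that ignores the caller vs. one that checks it."""


class Unauthorized(Exception):
    """Raised when the caller has no right to move the owner's tokens."""


class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining approved amount

    def _move(self, sender, recipient, amount):
        # Internal bookkeeping only; it performs no authorization by design.
        if amount < 0 or self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


class UncheckedToken(Ledger):
    def transfer(self, caller, sender, recipient, amount):
        # The flaw being modelled: `caller` is never compared with `sender`,
        # so any account can name any other account as the source of funds.
        self._move(sender, recipient, amount)


class CheckedToken(Ledger):
    def transfer(self, caller, recipient, amount):
        # The source of funds is always the caller; it cannot be chosen.
        self._move(caller, recipient, amount)

    def approve(self, caller, spender, amount):
        self.allowances[(caller, spender)] = amount

    def transfer_from(self, caller, owner, recipient, amount):
        # A third party may move funds only up to what the owner approved.
        remaining = self.allowances.get((owner, caller), 0)
        if remaining < amount:
            raise Unauthorized(f"{caller} is not approved for {amount} of {owner}'s tokens")
        self._move(owner, recipient, amount)
        self.allowances[(owner, caller)] = remaining - amount


def demo():
    """Run the same third-party transfer against both ledgers (constructed data)."""
    start = {"alice": 100, "mallory": 0}
    weak = UncheckedToken(start)
    weak.transfer("mallory", "alice", "mallory", 100)  # accepted: nobody checks
    strong = CheckedToken(start)
    try:
        strong.transfer_from("mallory", "alice", "mallory", 100)
        blocked = False
    except Unauthorized:
        blocked = True
    return weak.balances, strong.balances, blocked


if __name__ == "__main__":
    print(demo())
```
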

First crypto burger purchase at Bored Ape restaurant illustrates why people don't widely do this

[Image: A packaged fast food meal with a Bored Ape and two Mutant Apes printed on the packaging. Caption: Bored & Hungry packaging]
A restaurateur opened "Bored & Hungry", a Bored Ape-themed restaurant in Long Beach, California that offers a simple menu of hamburgers or plant-based burgers (with or without onions), french fries, and soda. Prices are listed in plain ol' cash, but the restaurant published a celebratory Instagram post on April 9 showing their first ever meal purchased with $APE, the Bored Ape-associated crypto token.

A customer ordered two combo meals, which he purchased by using his mobile crypto wallet to transfer 2 $APE. I was able to track down the transaction, and at the exact time of transfer, 2 $APE were priced at $21.92. The value of $APE has increased by 20% since then, so the purchaser lost out on those earnings by spending them at that time (compared to cash, which is worth roughly the same as it was 10 days ago). This is a (very small) example of why people don't tend to use as currency the same assets they are expecting to increase substantially in value. Furthermore, the purchaser had to agree to an estimated $10 in gas fees when he confirmed the transaction—half as much again as the price of the meal. The transaction ultimately cost the purchaser $4.66 in gas due to fortunately low rates that day, but it was a transaction fee that wouldn't exist if they used cash, or would be substantially smaller and typically absorbed by the restaurant if using a credit card.

Painful financial implications aside, a public transaction record means it's now trivial for anyone to see who is purchasing food at the restaurant using crypto in real time—something that has concerning implications for victims of stalking and other abuse if implemented more widely, as well as just for average people who enjoy having some degree of privacy.

Anyway, hopefully the food's good—assuming the person had any appetite left after looking at their food containers depicting an ape with green skin sloughing off its face.

Gripnr seeks to financialize your Dungeons & Dragons games

[Image: An illustration of a dwarf with a long grey beard and short cropped hair with some braids in it. He is hunched over holding a glaive and is wearing a chainmail shirt. Caption: Gripnr dwarf NFT illustration]
Because, really, what is even the point of playing Dungeons & Dragons if you're not buying a premade character from a limited set of options, playing premade adventures with it, getting "Gripnr certified" as a dungeonmaster (or finding someone who is), paying transaction fees every time you level up or get new equipment, or reselling your characters after the campaign ends (to someone who apparently wants a "used" D&D character)?

A company called Gripnr is already working to line up NFT pre-sales, despite acknowledging that they have no idea how they will prevent fraudulent data input—an issue commonly known as the oracle problem. It's also unclear how they intend to change the game so that it's sufficiently different from the Wizards of the Coast game that they will not face legal action (an issue that ended another crypto project planned to be based around a WotC game). We can only hope that none of this may last long enough to become an issue, given that Gripnr have come up with an idea that I can't imagine appealing to a single person who's ever played D&D.

Legal action begins against developer who solicited investments to build an OpenSea competitor, then used it to fund his NFT trading

Attorney Kevin Homiak tweeted that his firm would be representing several individuals who contributed money to a developer, Tyler Gaye, who promised he was working on an NFT platform called 0peNFT. After pulling in donations totaling 227 ETH (then around $400,000), the project was plagued with delays. Despite promises that the team was hard at work, people observing the public GitHub noticed it showed almost no commits to the project code.

Meanwhile, Gaye used the project Twitter account to promote his own NFT collection. He also took the donated funds and used them to buy NFTs. When pressed on this in the project's Telegram chat, he wrote, "Im buying NFTs because its my ETH and thats what I wanted to do." After crypto scam investigator zachxbt wrote about Gaye's scams, Gaye threatened to "put him in the ground if we ever meet in person".

Gaye has spent almost 400 ETH on NFTs since beginning to collect donations for his project—equivalent to over $1 million. He has also sold NFTs for a total of around 315 ETH (roughly breaking even with the amount he spent on NFTs, if looking at the ETH prices at time of trade), and amassed a substantial number of NFTs he still holds.

Blockchain bridge for the WonderHero play-to-earn game is exploited

WonderHero is a mobile play-to-earn turn-based strategy game. Attackers were able to mint 80 million $WND after successfully exploiting the bridge linking the WonderHero play-to-earn sidechain and the BNB chain. The attacker was able to swap their stolen $WND for 750 BNB ($325,000), tanking the price of $WND to near zero in the process.

Starstream treasury drained of $4 million

Starstream, a defi project built on the Andromeda layer 2 Ethereum protocol, had its treasury drained. Blockchain security company CertiK reported that the treasury appeared to have contained around $4 million in STARS, all of which was stolen. Shortly after the hack, the attacker transferred 900 ETH ($2.9 million) to a crypto tumbler. Starstream had been audited by two security firms prior to the exploit.

Scammer creates a fake site to revoke wallet permissions, then pretends there is an OpenSea vulnerability to trick people into using it

[Image: Tweet by grantith.eth, reading "HUGE OPENSEA ISSUE You MUST go check on revote.site if you have the OpenSea API allowance, if yes you should revoke for your NFTs! I just lost a $100k Azuki so ALWAYS check and don't make the same mistake. Share it to save someone NFTs." Caption: A tweet falsely claiming an OpenSea vulnerability, linking to a scam permission revocation website]
It's not exactly straightforward to revoke wallet permissions once they've been granted, and so many users use a site called revoke.cash to remove permissions in the case of malicious contracts or as a precautionary measure. A clever scammer created a fake website that mimics revoke.cash, called revoke.site, and then used a verified Twitter account to tweet about a "huge OpenSea issue" that they claimed resulted in the loss of a pricey NFT. The scammer hoped that people would panic and try to use the site to revoke permissions. In reality, the website runs a script to determine the highest value assets, and then prompts the user to "revoke" permissions for those assets, when it actually sets approval for those assets to be transferred to the scammer's wallet. As of the evening of April 7, the wallet had received 13 NFTs, and flipped eight of them for a total profit of 4.9 ETH (~$16,000).
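
The mismatch described above, a prompt labelled "revoke" whose transaction actually grants approval, can be caught by decoding the calldata before signing. The following is an added example, not code from the original post or from revoke.cash: the two selectors are the standard ones for `approve(address,uint256)` and `setApprovalForAll(address,bool)`, while the function names, the sample calldata and the `0x1111…` operator address are constructed for illustration.

```python
"""Decode token-approval calldata and compare it with what a prompt claims it does."""

SEL_APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
ZERO_ADDRESS = "0x" + "00" * 20

# Constructed samples: same operator, opposite boolean argument.
SAMPLE_GRANT = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"
SAMPLE_REVOKE = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 32


def _args(calldata_hex):
    """Split calldata into its selector and exactly two 32-byte ABI words."""
    text = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(text)
    if len(data) != 4 + 64:
        raise ValueError("expected a selector plus two 32-byte arguments")
    return data[:4], data[4:36], data[36:68]


def _address(word):
    """Extract the 20-byte address from a left-padded 32-byte word."""
    if any(word[:12]):
        raise ValueError("address argument has non-zero padding")
    return "0x" + word[12:].hex()


def classify(calldata_hex):
    """Return (effect, counterparty); effect is 'grant', 'revoke' or 'ambiguous'."""
    selector, first, second = _args(calldata_hex)
    party = _address(first)
    value = int.from_bytes(second, "big")
    if selector == SEL_SET_APPROVAL_FOR_ALL:
        if value > 1:
            raise ValueError("bool argument must be 0 or 1")
        return ("grant" if value == 1 else "revoke"), party
    if selector == SEL_APPROVE:
        if party == ZERO_ADDRESS:
            # ERC-721: clears the token's approval. ERC-20: benefits no one.
            return "revoke", party
        if value == 0:
            # ERC-20: allowance set to 0 (a revoke).
            # ERC-721: approval for token id 0 (a grant). Needs the token type.
            return "ambiguous", party
        return "grant", party
    raise ValueError("not an approval call")


def label_is_honest(label, calldata_hex):
    """True only if a prompt labelled `label` carries calldata with that effect."""
    effect, _ = classify(calldata_hex)
    return effect == label


if __name__ == "__main__":
    for name, sample in (("grant", SAMPLE_GRANT), ("revoke", SAMPLE_REVOKE)):
        print(name, classify(sample), label_is_honest("revoke", sample))
```

A genuine revocation names the operator being removed and carries `false` (or a zero allowance); the counterparty returned by `classify` should be an address the user previously approved, not one they have never seen.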

Star Trek gets into NFTs

[Image: A rendering of a spaceship resembling the Starship Enterprise. Caption: Sample Star Trek NFT]
Star Trek announced the creation of "Star Trek Continuum", a part of Paramount's new NFT platform. They state that the project is "accessible to everyone [with $250 to throw around] and allows another expression of fandom [by giving us their money]". The press release attempts to drum up FOMO by writing, "there will never be more of these designs created and the minting window will only be open for 24 hours"—however, it also talks about how this is "Season 0" and the platform will be used for "future seasons of Star Trek™ NFTs."

Ubisoft abandons Tom Clancy's Ghost Recon Breakpoint after shoehorning NFTs into it

[Image: A monochrome, dark grey helmet model. Caption: Ubisoft "Wolf Enhanced Helmet A" NFT]
Ubisoft announced in December that they would be incorporating NFTs into their Tom Clancy's Ghost Recon Breakpoint title, much to the chagrin of its players and some employees as well. On April 5, Ubisoft announced that they would no longer be releasing updates to the game, nor would they be minting any additional NFTs.

Although the Formula 1 blockchain game that shut down earlier this month made halfhearted promises to allow NFT holders to swap their NFTs for ones used in a different game, Ubisoft has made no such promises.

Another $1 million lawsuit is filed against OpenSea for stolen apes

[Image: An illustration of a red-furred ape wearing a captain's hat, grimacing with half-lidded eyes, and wearing a dress shirt and maroon vest with an ascot. Caption: Bored Ape #8858]
A third "stolen ape" lawsuit was filed against OpenSea, alleging that OpenSea's "security vulnerability allowed an outside party to illegally enter through OpenSea’s code and access Plaintiff’s NFT wallet, in order to sell Plaintiff’s Bored Ape at a fraction of the value." Someone was able to buy the plaintiff's Bored Ape for 24.89 ETH (~$60,000)—much less than the 135 ETH (~$332,000) the plaintiff had recently listed it at. The scammer then quickly flipped the NFT for resale for 92.9 ETH (~$225,000) within an hour.

The language in the lawsuit is very similar to the stolen ape lawsuit filed February 18, which is not surprising because the plaintiffs are using some of the same lawyers. Vice interviewed one of the lawyers, and determined that the somewhat odd wording refers to the issue in which OpenSea users didn't realize their old listings of NFTs at lower prices were still active.

Worldcoin, creators of the eyeball scanning orb that promises universal basic income, encounter more difficulties

[Image: A man sits staring into a gleaming silver sphere. Caption: Stare into the Orb]
New reporting from BuzzFeed News and MIT Technology Review described some of the issues that Worldcoin has been encountering on its mission to scan the eyeballs of the world population, in exchange for nebulous promises of crypto. Although "Orb operators" have been out and about scanning eyeballs in countries around the world, those who've agreed to be scanned have only been offered a voucher for Worldcoin tokens and a promise that they may, someday, be redeemable for $20. Meanwhile, the company appears to be flouting data privacy laws and endangering operators of these Orbs, who have encountered threats from angry uncompensated users, and some of whom have been detained by law enforcement. Those who have agreed to have their eyes scanned have accused the company of "stealing their eyes", and fear how their biometric data may be used.

Collectors spend a cumulative $26 million on gas fees alone for "VaynerSports" NFT project—3x the amount made from the NFTs

[Image: A rendering of a card with the letters "VSP" on it. Caption: VaynerSports Pass NFT]
AJ Vaynerchuk, brother of prominent NFT personality Gary Vaynerchuk (aka Gary Vee), launched his VaynerSports NFT collection. The popularity of the project resulted in surging gas fees on the Ethereum chain, and a poorly-implemented contract worsened issues. Users encountered failed transactions, meaning they lost the gas fee they had spent, and also did not successfully mint an NFT. Once the mint was over, 2411 ETH ($8.2 million) had been spent on mints, and 7652 ETH ($26.4 million) had been spent on gas fees. Some users lost thousands of dollars in gas fees on failed transactions.

Someone mints NFTs of r/place, because what's the point of collective artwork if someone can't profit off it

[Image: Pixel artwork showing a Bitcoin with a cancel symbol, and "r/FUCKNFTS". Caption: Portion of r/place]
Reddit reopened its chaotic collaborative art project, r/place, for several days. Users could place colored pixels onto a shared canvas at limited intervals, collaborating to festoon the page with flags, fan art, memes, subreddit names, activist statements, logos, and everything else people could collectively convince others to help create. The collaborative canvas at various times conveyed pro- and anti-crypto sentiment, with r/Buttcoin putting up a valiant effort to stamp "Fuck NFTs" onto the piece.

Sadly, the collaborative and fun community art piece and social experiment was financialized almost immediately after the last pixels were placed, with several projects cropping up to sell portions of the canvas for crypto. One of the projects ended almost as quickly as it began, replacing all its NFT images with the "r/FUCKNFTS" portion of the canvas and rewriting the description to say, "Ok, I guess that was a bad move and a bad Joke. Please use Cryptos as decentralized money against states, not to sale dumb images on the internet. Love U Reddit, got U". Other projects, however, remain for sale.