New Free DAO loses $1.25 million in flash loan attack
Shiba Inu developers leak AWS credentials on GitHub
On September 8, a security researcher published a blog post reporting that the developers behind the Shiba Inu coin — one with reality-defying levels of popularity at #13 on the list of coins by market cap — had apparently published their AWS credentials to GitHub. After making the discovery, his team attempted to contact the developers, but were not able to find a bug bounty program, responsible disclosure policy, or even people they could reach out to personally.
Luckily for Shiba Inu (and somewhat miraculously), the tokens were invalidated two days later before anyone malicious apparently took advantage of the vulnerability. The researcher wrote that the exposure had "the potential to cause serious security breaches, including but not limited to user fund theft, token embezzlement, disruption of services, etc."
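As an added example (not from the researcher's post or from the Shiba Inu repositories), this is the kind of check a pre-commit hook or CI job can run so that an AWS key never reaches a public repository in the first place. The access-key-ID format (a 20-character ID beginning with AKIA for long-term IAM keys or ASIA for temporary STS keys) is AWS's real format; the label-based heuristic for the secret key, the sample file, and the function names are my own choices, and the key values in the sample are the placeholder examples AWS uses in its documentation rather than live credentials.

```python
import re

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA for long-term
# IAM keys, ASIA for temporary STS keys) followed by 16 uppercase letters or digits.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A secret access key is 40 characters of [A-Za-z0-9/+]. That shape alone matches
# plenty of harmless strings, so this heuristic (my choice, not an AWS rule) only
# flags a value that sits next to a field name naming the secret.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?access[_\-]?key\W{0,5}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def redact(value: str) -> str:
    """Keep only the first and last four characters so a report can be shared safely."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_aws_credentials(text: str) -> list[dict]:
    """Return one finding per suspected credential, with the value already redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id", "value": redact(m.group(1))})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "secret_access_key", "value": redact(m.group(1))})
    return findings


def commit_is_clean(text: str) -> bool:
    """Gate for a pre-commit hook or CI step: block the commit if anything was found."""
    return not find_aws_credentials(text)


# Constructed sample resembling a config file committed by mistake. The key values are
# the placeholder examples from AWS's own documentation, not live credentials.
SAMPLE = """\
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
build_sha = 3f2a9c1d7e5b4a6c8d0e1f2a3b4c5d6e7f8a9b0c
"""

if __name__ == "__main__":
    for f in find_aws_credentials(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
    print("clean" if commit_is_clean(SAMPLE) else "BLOCKED: credentials found")
```

The 40-character hex `build_sha` line is there deliberately: it shows why the secret-key pattern is only applied next to a field name, since an unanchored 40-character match would flag every commit hash in the file. A scanner like this catches the careless case; it does not replace rotating any key that has already been pushed, which is the step that actually ended the exposure here.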
Coinbase funds lawsuit against the Treasury Department over Tornado Cash sanctions
In the suit, they argue that the Treasury Department overstepped its authority in what it can sanction, claiming that "Tornado Cash software, including the smart contracts, consists of immutable open-source software code, which is not property, a foreign country or a national thereof, or a person of any kind." They've also argued that the designation is unconstitutional under both the free speech protections of the First Amendment and the due process protections of the Fifth Amendment.
Crypto reacts to Queen Elizabeth's death
Is there a way to include in one's will that you don't wish to be turned into an NFT or commemorated with a "Queen Inu" token when you die? Asking for a friend.
Company begins selling Celsius-themed Monopoly game... three months after Celsius suspends withdrawals
If you were wondering who might decide to sell such a product, well, USA Strong's founder and CEO is none other than Krissy Mashinsky, wife of Celsius founder Alex Mashinsky.
Both the announcement tweet and the game product page were taken down shortly after the announcement, likely due to the less-than-enthused response from Celsius users.
- Tweet by Stephanie Martin
- Celsiusopoly on USA Strong
Investors face $11 million loss in VBit Technologies/Advanced Mining Group, an alleged crypto Ponzi scheme
However, customers trying to withdraw their "rewards" saw increasing delays in receiving their payouts — days, then weeks, then an indefinite pause. A COO hired by the group left the company only three weeks later. On June 27, the group sent an email to its customers explaining that there was a "potential pending settlement" with the SEC — the first customers heard of the existence of any investigation — and that they would no longer serve customers in the U.S. On July 15, the company promised to refund customers what they paid to sign up with the program, but no refunds or further updates have materialized.
The company has faced lawsuits in Washington state and Delaware, and apparently operated for two years after executives had acknowledged they were violating securities laws. The Delaware lawsuit describes the operation as a Ponzi scheme, and alleges that the company sold packages that would have required far more computing power than the company actually had access to.
- "Investors fear millions lost in Pennsylvania’s largest cryptocurrency scandal based in South Philly", The Philadelphia Inquirer
David Bowie NFTs anger fans
A tweet from OpenSea announcing the project received some positive replies, and a lot of other NFT projects trying to promote Bowie-themed NFTs they'd included in their collections. However, the tweet from the David Bowie Twitter account seemed to be received almost universally negatively, with many commenters writing that they wished the estate would just raise money for charity without getting into NFTs, and others writing that they didn't think Bowie would have supported NFTs.
On September 10, the account announced that "Out of respect for the people of the UK and Queen Elizabeth II, we will be postponing the 'Bowie on the Blockchain' sale. We will update soon."
Flash loan attack nets attacker $370,000 from several sources
Binance plans to convert USDC and other stablecoins into their own BUSD stablecoin
Binance claims the move is to "enhance liquidity and capital-efficiency for users", but the conversion and Binance's related decision to stop trading on spot pairs involving those same stablecoins seems like an attempt to increase the status of its own stablecoin against that of rivals.
Poolin suspends withdrawals from their wallet service
Poolin users had been complaining about issues withdrawing from their Poolin wallets since at least August, which had sparked rumors of liquidity problems prior to the announcement. Poolin said in their announcement that they would announce their plans to resume withdrawals within two weeks. However, a week later, they instead told customers they would be receiving "IOU" tokens.
Bitcoiner gets 6–15 months in prison, warns others about making peer-to-peer Bitcoin trades
In 2019, his home was raided in connection to a Nigerian lottery scam, for which he converted between half a million and $1.5 million to cryptocurrency over the span of half a year. He was ultimately charged with "illegally operating a cash-to-cryptocurrency conversion business", to which he pleaded guilty (by his telling, in an attempt to get charges against his family members dropped).
Hopkins claims that "any time anyone with a crypto trades p2p (i.e., not with an exchange), they're legally liable under this statute as it's currently interpreted", though authorities have claimed that Hopkins knowingly aided the lottery scammer by telling them "I'm set up as a marketing company, so tell them you're paying for a marketing campaign".
- 'Doctor Bitcoin' Pleads Guilty to Illegal Cash-to-Crypto Scheme, U.S. Attorney’s Office of the Northern District of Texas
- "Bitcoiner sentenced to federal prison warns users involved in OTC trading", CoinTelegraph
Islamic State tests out NFTs
The token was briefly listed on OpenSea, Rarible, and various other marketplaces before those marketplaces took it down. However, because it was minted on the blockchain, the token itself cannot be removed. "It's very much an experiment...to find ways to make content indestructible," said Raphael Gluck, a co-founder of a jihadist research group.
- "Islamic State Turns to NFTs to Spread Terror Message", The Wall Street Journal
Crypto scam watchdog group launches NFT project, which is then exploited
Ironically, a flaw in the project's smart contract allowed individual wallets to mint many NFTs at once, rather than one per wallet, allowing two people to game the system and snap up more than 450 NFTs rather than the one they were allowed. Rug Pull Finder wrote that "An exploit was shared with us 30 minutes before mint went live. After reviewing it with 3 different dev teams, we did not believe the credibility of the information sent to us... We were clearly wrong, and we are truly truly sorry".
Rug Pull Finder announced that they had reached an agreement with the people who gamed the mint, and would buy back the 366 NFTs the duo still held for 2.5 ETH (~$4,000).
Crypto security researcher OKHotshot wrote, "I think its concerning when security minded projects like RugPullFinder get their discord breached and their code exploited yet they're offering those exact services to customers."
Georgian Coinbase customers take advantage of 100x price bug
Some users who took advantage of the bug and withdrew funds to their bank accounts found their accounts frozen shortly after, when Coinbase noticed the error and began working to claw back the funds. According to Coinbase, about 1,000 users took advantage of the error.
Attacker exploits bug in ShadowFi to empty $300,000 liquidity pool
The project had only just launched that same day, after running a presale of their SDF tokens. The project promised to allow people to "Take your spending away from the floodlights of surveillance capitalism" and apparently involves sending people prepaid Visa cards to help them cash out their cryptocurrency without connecting a bank account or providing KYC information.
Holding company for Mercado cuts 15% of employees
Describing the layoffs, a spokesperson for 2TM said that Mercado was suffering for playing by the rules. "The competitive environment remains deteriorated and unfair, lacking the approval of the legal framework for crypto-activities, as players following the law are penalized by companies that ignore local rules."
dYdX infuriates users by requesting "liveness checks" via webcam, cancels campaign due to "overwhelming demand"
This infuriated many crypto users, who were horrified that dYdX would try to collect this kind of biometric data. "DYDX just nuked itself. I would never use this platform," wrote a prominent trader.
On September 1, dYdX tweeted that "Due to extremely overwhelming demand of the $25 deposit bonus promotion, we are ending the campaign, effective immediately. Thank you to the many thousands of new users that onboarded to dYdX today. We truly underestimated the amount of interest the campaign garnered." They made no mention of the backlash against the liveness checks, but quietly removed the mentions of the system from their website.
Bill Murray's NFT charity auction nets $185,000, which is then immediately stolen
However, hours after the auction, a hacker gained access to Murray's crypto wallet and snagged the ETH for themselves. They also attempted to steal 800 NFTs from the remaining collection by Bill Murray, though a wallet security team was able to safeguard those NFTs in time.
Murray's team confirmed the theft, and said they are working with the police and Chainalysis to identify the hacker.
Attackers steal around $265,000 of user funds from KyberSwap exchange
Kyber identified and remedied the issue after two hours of investigating it, and only two wallets were affected. Kyber promised to compensate the users who lost funds, and also tried to tempt the hacker into returning funds by allowing them to keep 15% of the stolen money as a "bounty" (~$40,000).
Snapchat abandons its web3 plans
This news came amidst the announcement that Snap would be laying off 20% of its staff, a whopping 1,300 people.
- "Snap to 'sunset' web3 team in company restructuring", The Block
- "Snap explores plans to let users showcase NFTs as filters", Financial Times
Unable to recover from the April Rari exploit, Babylon Finance shuts down
Since April, Babylon tried to recover from the hack. However, they described it as "the domino that kickstarted a series of unfortunate events". Rari canceled their planned reimbursement, users withdrew their funds from Babylon Finance, the Fuse pool on Rari was abandoned, and the token price decreased from around $20 to around $5.
On August 31, Babylon Finance's founder Ramon Recuero published a blog post announcing that Babylon would be shutting down. They promised to distribute the remaining project treasury among holders. Users were told to withdraw their funds by November 15.
- "Babylon Finance is shutting down", Ramon Recuero
Lawyer Kyle Roche withdraws from several crypto class-action lawsuits after allegations that he was involved in "gangster-style" schemes to hurt competitor projects
Although Roche has denied the claims by the site, and stated that someone deliberately got him drunk and then took clips of videos out of context, it probably doesn't look so good for a lawyer to be referring to jurors as "10 idiots", or plaintiffs in class-action lawsuits as "100,000 idiots".
Helium ditches its blockchain
Now, Helium is ditching its custom Helium chain in favor of a Solana-based token, and scrapping the blockchain entirely for the portions of its service that actually used the blockchain for anything beyond handling rewards.
Helium seems to have realized, finally, that blockchains tend to be slow as hell. In a blog post about the change, they wrote that "specific transactions, including Proof-of-Coverage and Data Transfer Accounting, are processed on-chain unnecessarily. This data bottleneck can cause efficiency issues such as device join delays and problems with data packet communications, which bloats the Network and causes slow processing times." They outline their plans to move these portions of the project to a "more traditional large data pipeline" — that is, infrastructure that's actually well-suited to that kind of processing.
- "HIP 70: Helium Core Team Proposes to Migrate to Solana", Helium Foundation
- Helium Tracker
DC Attorney General sues Michael Saylor and MicroStrategy for tax evasion
DC permits the court to impose "treble damages" on Saylor if he is determined to have evaded the taxes he owes, which could end up costing him and MicroStrategy more than $100 million in taxes and penalties.
- "AG Racine Sues DC-Based Billionaire Michael Saylor & Software Company Microstrategy for Evading More Than $25 Million in District Taxes", Office of the Attorney General for the District of Columbia
Compound Finance breaks their cETH market for a week
Thodex CEO arrested over a year after fleeing Turkey in the wake of the exchange's collapse
His plan to somehow work off anywhere from $24 million to $2.5 billion in debts was stymied when he was apprehended by Albanian authorities. He faces extradition to Turkey, where a prosecutor has asked for sentences of 40,564 years for him and other executives (just in case, I guess).
Thai SEC punishes Bitkub CTO for trading Bitkub Coin on insider information
The SEC reported that Wajanasathian had purchased around $61,000 of Bitkub Coin ($KUB) just before it was publicized that the Siam Commercial Bank would purchase a 51% stake in Bitkub. After the announcement, the value of KUB rose 100%.
Earlier that week, SCB had announced they would not be following through on purchasing the planned $500 million stake in Bitkub, due to concerns over "various issues" that were raised by the Thai SEC.
Crypto.com wants back the $7.2 million they accidentally sent a customer last year
Rather than contacting Crypto.com about the error, she put the money into a joint account shared with her sister, and purchased her sister a five-bedroom home with nearly US$1 million of the funds.
Crypto.com only discovered the error in a December 2021 audit, and sued the woman for the erroneously-sent funds. She's just been ordered by the Victoria Supreme Court to sell the home and return the remaining money.
Unlike with many crypto transactions, erroneous transactions on centralized exchanges can typically be reversed by the exchange. However, Crypto.com would have had to notice the error much sooner, before the recipient transferred the funds elsewhere.
Hacktivists make NFTs out of the stolen passports of Belarusian officials
The group is selling the NFTs for between 0.2 and 6.5 ETH ($300–$9,700), and say that all proceeds will go towards "our work in hitting bloody regimes in minsk & moscow".
OpenSea took down the NFT collection shortly after it was published.
OptiFi developer accidentally closes the project contract, irretrievably locking $661,000
OptiFi has promised to return user deposits and settle all positions. In a post-mortem, they wrote that they had learned that "Every deployment needs a rigorous process and single point failure can be avoided. Please don't rush like what we did, especially for defi projects". They further outlined a "peer-surveillance approach" in which three people would be required to deploy any changes together. They also asked the Solana team to implement a two-step confirmation for such a potentially destructive command.
Whistleblower website alleges that the creators of the Avalanche blockchain paid lawyers to attack competitors
"A pact was formed that involved Ava Labs granting Roche Freedman a massive quantity of Ava Labs stock and Avalanche cryptocurrency (AVAX), now worth hundreds of millions of dollars, in exchange for Roche Freedman agreeing to pursue a hidden purpose," the site claims.
The site does include video clips of Roche saying some surprising things, although the clips are very short and devoid of context. The whole thing should be taken with a grain of salt.
Ava Labs founder Emin Gün Sirer dismissed the claims on the site as "conspiracy theory nonsense". Roche published a statement about the "numerous unsourced false statements and illegally obtained, highly edited video clips that are not presented with accurate context", in which he said that his statements about filing class action suits at the behest of Ava Labs were "false, and were obtained through deceptive means, including a deliberate scheme to intoxicate, and then exploit me, using leading questions. The statements are highly edited and spliced out of context."
CEO of Ragnarok metaverse game admits to treasury mismanagement, including nearly $2 million in trading losses and exorbitant salaries
On August 26, CEO Fanfaron published a Substack post providing a breakdown of the project's finances, which he began by saying, "As a previous business owner, and because Ragnarok is a startup and not a DAO, our initial plan was never to operate our finances in public, which is why we have historically been closed and unwilling to share full accounting of our balance sheet." As the post went on, it became clear there might be other reasons they were reticent to publish it.
The post revealed that Fanfaron had lost $1.827 million buying ETH during the crypto downturn: "I made mistakes by buying ETH multiple times when I thought it was an advantageous investment for the project, but then to protect downside risk and with the plan to reinvest at a better time, I sold our position in ETH, multiple times."
It also revealed that the project is paying its team members apparently enormous salaries: $5.4 million in team compensation, plus another $1.5 million spent to buy out a co-founder. "We're a scrappy startup," he wrote, after also acknowledging that he pays himself $50,000 a month ($600,000 a year) — a number he already reduced by $600,000 from his original salary of $1.2 million per year. He ultimately promised in the post to pay back his trading losses.
As for the game, well, it exists, which means it's already ahead of a lot of crypto games. They launched an alpha version of the game in late July after multiple delays, with Fanfaron explaining, "Our vision was to create something similar to WoW... we were, however, overeager and optimistic with regards to how much time it takes to create such a world." The alpha is a multiplayer pixel art world where characters can walk around and talk to each other, and interact with buildings. Battling, leveling, quests, missions, and breeding are apparently all yet to come.
- "From Fanfaron"
- "Ragnarok: The MetaRPG", This Week in Avalanche
Indian financial crimes authority searches the offices of CoinSwitch, the country's largest crypto company
According to the CEO, there's nothing to worry about, the search had nothing to do with money laundering (that's specific), and the agency only executed the search to learn more about its business model and user onboarding. Seems like a pretty weird way to do that, but what do I know.
TechCrunch, however, reported that four people familiar with the investigation stated the investigation was to do with potential violations of foreign exchange laws, and that the agency suspects CoinSwitch acquired $200 million in shares in violation of forex laws.
eth.link service about to go offline because domain owner is in prison
.eth, that's an ENS address. The problem is that .eth is not a functional top-level domain, and so many services relied on eth.link to surface these DNS records to other services.
However, the eth.link domain is only rented for a set period of time and needs to be renewed. ENS DAO tweeted that the domain's owner, Virgil Griffith, is "unavailable". By this, they mean that he is currently serving his first of five years in prison for helping North Korea evade sanctions. With Griffith "unavailable", the project has found itself at the mercy of GoDaddy. Welcome to the decentralized web3 we've all been promised!
Although GoDaddy previously allowed another person to renew the domain on Griffith's behalf, they reversed that decision, and now say they intend to allow the domain to expire on September 5.
The ENS DAO issued a series of tweets urging people to switch to a different service, given the risk that the domain could be snapped up. "If the name expires and is acquired by someone with ill intent, the damage they could do via phishing is substantial - so please update your links and alert your users of the issue immediately," they wrote.
The latest Pokémon-themed rug pull nets $708,000
One might think the blatant rip-off of the Pokémon IP (which belongs to a notoriously litigious company) might have been a red flag, but nevertheless, people bought in to PokémonFi — a play-to-earn game that seems like a much worse version of the original thing.
The project and tokens first launched in April. After apparently running off with the money, the project deleted its Twitter account, though its website remained live.
Researcher zachxbt alleges that teenager who stole crypto worth $37 million in 2020 is responsible for a spate of crypto-related Twitter hacks
Now, crypto investigator zachxbt thinks the same individual is indirectly responsible for a slew of compromised Twitter accounts that have then been used to promote crypto scams, including those of Beeple, DeeKay, and others. According to zachxbt, he has been selling access to a Twitter admin panel, which allows employee-level access to Twitter tools. This might explain how many of the accounts were compromised despite being protected by multi-factor authentication. According to zachxbt, "It's still unclear as to how Redman gained access to the panel to make elevated requests & reset passwords. As of now it appears the method stopped working".
10% of Ethereum nodes at risk of being booted from cloud hosting provider
16% of all hosting nodes (a category that makes up 62% of all nodes by network type) are hosted with Hetzner — 10% of all nodes. If 10% of all Ethereum nodes being supported by one company sounds awfully centralized to you, wait til you hear that 30% run on Amazon services.
SudoRare NFT exchange rug pulls for $820,000
At least one of the scammer wallets interacted with the Kraken crypto exchange, a U.S.-based exchange that requires KYC, so it's possible that Kraken could help identify the scammers — though they've not made any public moves to do so.
- "NFT Exchange SudoRare Goes Dark After $820,000 Rug Pull", CryptoBriefing
- "SudoRare Pulled the Rug for $820,000. How Will Kraken Respond?", CryptoBriefing
Group charged for stealing over $4 million in transaction reversal scheme
The three men were charged with wire fraud, bank fraud, and identity theft charges, and face potential decades in prison if convicted.
- "Three Members Of Miami Crew Charged With Defrauding Banks And Cryptocurrency Exchange Of More Than $4 Million", U.S. Attorney's Office of the Southern District of New York
Bank run leaves BendDAO with 5 ETH and a bunch of NFTs they can't sell
BendDAO allows people to take out loans with their NFTs as collateral. However, if the floor price of those NFTs drops too far and the borrower doesn't pay back some of the loan to adjust its risk rating, other people can bid on the NFT.
The problem with this whole plan became apparent when lenders' confidence was shaken by reports that $5.3 million in Bored Apes were at risk of liquidation. Panicked users withdrew their assets from the platform, resulting in a bank run that drained the reserves to a low of 5 ETH (~$8,200). BendDAO had other assets, of course: the NFTs below the liquidation threshold. However, a lack of interested buyers willing to pay the minimum prices (95% of the collection floor price) left the project in a tough spot.
Since the extremely close brush with a liquidity crisis, the project has begun to consider a proposal that would reduce the threshold at which NFTs can be liquidated, reduce auction and liquidation protection periods, remove the 95% floor price bid requirement, and increase interest rates.
OpenSea's stale listing issue burns another collector
In this case, a person successfully sold their Pudgy Penguin NFT for 8.69 ETH a year ago ($27,500 at the time of sale). Those particular NFTs have been having a comeback lately, and so the collector bought the same NFT back — this time for 20 ETH ($31,500 at the time of sale). However, an old listing from their previous ownership was still active, and someone was able to snap up the NFT from them for only 9.89 ETH ($15,600) within minutes.
The collector's near-instantaneous $20,000 loss has a happy ending for them, though — the person who bought the NFT was willing to reverse the trade.
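Added example, not OpenSea's code: a toy model of why an old listing comes back to life. In this kind of off-chain order book a listing is a signed order that stays on the books until the seller cancels it; the only thing that makes it unfillable after a sale is that the signer no longer owns the token, so the moment the same wallet owns the token again the old order is live at the old price. The `stale_listings` method is the check a buyer would want to run right after a buyback; the marketplace class, block numbers and wallet names are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Listing:
    listing_id: int
    seller: str
    token_id: int
    price_eth: float
    created_at: int          # block height when the seller signed it (constructed)
    cancelled: bool = False


class ToyMarketplace:
    """Simplified off-chain order book (an assumption, not OpenSea's actual design):
    a listing is a signed order that stays on the books until the seller cancels it."""

    def __init__(self, owners: dict[int, str]):
        self.owners = dict(owners)                 # token_id -> current owner
        self.acquired_at = {t: 0 for t in owners}  # token_id -> block of last transfer
        self.listings: list[Listing] = []
        self.block = 0
        self._next_id = 1

    def advance(self, blocks: int) -> None:
        self.block += blocks

    def list_token(self, seller: str, token_id: int, price_eth: float) -> Listing:
        if self.owners[token_id] != seller:
            raise ValueError("only the current owner can list a token")
        listing = Listing(self._next_id, seller, token_id, price_eth, self.block)
        self._next_id += 1
        self.listings.append(listing)
        return listing

    def is_fillable(self, listing: Listing) -> bool:
        # The only checks: not cancelled, and the signer still (or again) owns the
        # token. Nothing ties the order to the ownership period in which it was signed.
        return not listing.cancelled and self.owners[listing.token_id] == listing.seller

    def fill(self, listing_id: int, buyer: str) -> float:
        listing = self._get(listing_id)
        if not self.is_fillable(listing):
            raise ValueError("listing is not fillable")
        self.owners[listing.token_id] = buyer
        self.acquired_at[listing.token_id] = self.block
        return listing.price_eth

    def stale_listings(self, owner: str) -> list[Listing]:
        """Listings signed by `owner` before they most recently (re)acquired the token.
        These are live again at the old price and should be cancelled."""
        return [lst for lst in self.listings
                if lst.seller == owner and not lst.cancelled
                and self.owners[lst.token_id] == owner
                and lst.created_at < self.acquired_at[lst.token_id]]

    def cancel(self, listing_id: int, by: str) -> None:
        listing = self._get(listing_id)
        if listing.seller != by:
            raise ValueError("only the seller can cancel")
        listing.cancelled = True

    def _get(self, listing_id: int) -> Listing:
        for lst in self.listings:
            if lst.listing_id == listing_id:
                return lst
        raise KeyError(listing_id)


def replay(cancel_stale: bool) -> dict:
    """Constructed scenario mirroring the incident: list, sell, buy back, then see
    whether the old listing can be filled against the returned token."""
    m = ToyMarketplace({1: "collector"})
    old = m.list_token("collector", 1, 9.89)       # signed during the first ownership period
    m.advance(10)
    m.fill(old.listing_id, "buyer_a")              # sold; the old order stays on the books
    m.advance(1000)
    resale = m.list_token("buyer_a", 1, 20.0)
    m.fill(resale.listing_id, "collector")         # collector buys the same token back at 20 ETH
    stale = m.stale_listings("collector")          # the check to run at exactly this point
    if cancel_stale:
        for lst in stale:
            m.cancel(lst.listing_id, "collector")
    sniped = m.fill(old.listing_id, "sniper") if m.is_fillable(old) else None
    return {"stale_count": len(stale), "sniped_price_eth": sniped, "owner": m.owners[1]}


if __name__ == "__main__":
    print("no cancel:", replay(cancel_stale=False))
    print("cancel first:", replay(cancel_stale=True))
```

Cancelling is the borrower-side fix; on a real marketplace the cancellation is an on-chain transaction, so the window between the buyback confirming and the cancel confirming is still exposed, which is why a marketplace-side check that refuses to fill orders signed before the seller's latest acquisition is the more robust defence.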
Someone buys a Bored Ape, gets scammed out of it two hours later
Hodlnaut seems to have lied about their Terra exposure
However, documents from the legal proceedings surrounding the now-underwater firm revealed that Hodlnaut had 317 million UST, which it liquidated at a loss when the previously dollar-pegged UST hit $0.85. In the filing, they wrote, "Due to the market's lack of liquidity, the average exit price of UST to USDC was around 42 cents on the dollar, resulting in realized losses to Hodlnaut Trading Ltd of about USD 189.7M. As a result, Hodlnaut's total debt to depositors of USD 500M became backed by realisable assets of around USD 315M as of 13 May 2022 due to the de-pegging event."
- "Hodlnaut Cuts Staff as Terra Exposure Is Revealed", Crypto Briefing
- Tweet by FatMan
Swyftx crypto exchange cuts 21% of staff
Swyftx had announced in June that it would be merging with trading platform Superhero in a $1.5 billion deal.
Sub-primate lending: $5.3 million in Bored Apes used as loan collateral are at risk of being liquidated
However, NFTs in general haven't been doing so hot lately, and the Bored Apes haven't been immune from the slump. As the Bored Apes collection floor price has decreased, more than 15% of the apes used as collateral for BendDAO loans are in the "danger zone" — close to being auctioned off. These 45 apes are valued at roughly $5.3 million. Liquidation could lead to cascading liquidations, as the auctions could themselves cause the floor price to decrease.
As Bennett Tomlin put it, "I hate that y'all somehow created a risk for cascading liquidations of JPEG backed loans".
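Added example covering both the BendDAO bank-run item above and this one; it is my own model, not BendDAO's code. It carries the mechanism the two items describe into a small simulation: a loan's health depends on the collection floor, a loan under the threshold enters the danger zone and its NFT can be auctioned, bids must reach 95% of floor (the figure from the page), and a cascade happens when clearing prices drag the floor down and push more loans under water. The 0.9 liquidation threshold, the sample loan book, and the simplification that the floor tracks the last auction clearing price are assumptions made for the illustration.

```python
from dataclasses import dataclass

# MIN_BID_FRACTION is the 95%-of-floor bid requirement described above.
# LIQUIDATION_THRESHOLD is an assumed value for illustration, not BendDAO's actual setting.
LIQUIDATION_THRESHOLD = 0.9
MIN_BID_FRACTION = 0.95


@dataclass
class Loan:
    token_id: int
    debt_eth: float


def health_factor(loan: Loan, floor_eth: float) -> float:
    """Collateral value (the collection floor) times the threshold, over debt.
    Below 1.0 the loan is in the 'danger zone' and the NFT can go to auction."""
    return floor_eth * LIQUIDATION_THRESHOLD / loan.debt_eth


def at_risk(loans: list[Loan], floor_eth: float) -> list[Loan]:
    return [loan for loan in loans if health_factor(loan, floor_eth) < 1.0]


def repayment_to_safety(loan: Loan, floor_eth: float) -> float:
    """ETH the borrower must repay to bring the health factor back to 1.0 (0 if already safe)."""
    return max(0.0, loan.debt_eth - floor_eth * LIQUIDATION_THRESHOLD)


def simulate_cascade(loans: list[Loan], floor_eth: float,
                     bid_fraction: float = MIN_BID_FRACTION) -> dict:
    """Round by round, every at-risk loan is liquidated at an auction clearing at
    bid_fraction * floor. Simplifying assumption (mine): the collection floor then drops
    to that clearing price, which is what turns one liquidation into a cascade."""
    active = list(loans)
    liquidated: list[int] = []
    rounds = 0
    while True:
        risky = at_risk(active, floor_eth)
        if not risky:
            break
        rounds += 1
        for loan in risky:
            active.remove(loan)
            liquidated.append(loan.token_id)
        floor_eth *= bid_fraction
    return {"rounds": rounds, "liquidated": liquidated, "final_floor_eth": floor_eth}


# Constructed loan book: five NFT-backed loans against a collection whose floor is 70 ETH.
FLOOR_ETH = 70.0
LOANS = [Loan(1, 60.0), Loan(2, 64.0), Loan(3, 58.0), Loan(4, 55.0), Loan(5, 40.0)]

if __name__ == "__main__":
    print("in the danger zone now:", [loan.token_id for loan in at_risk(LOANS, FLOOR_ETH)])
    print("auctions clearing at 95% of floor:", simulate_cascade(LOANS, FLOOR_ETH))
    print("auctions clearing at full floor:", simulate_cascade(LOANS, FLOOR_ETH, bid_fraction=1.0))
```

With this book only one loan starts out under water, but when each auction clears at the 95% minimum the floor steps down after every round and four of the five loans end up liquidated; with buyers paying the full floor the same book stops after one liquidation. That gap is the cascade risk the two items describe, and it is why the proposal to drop the 95% bid requirement cuts both ways: it makes auctions clear at all, but at prices that move the floor further.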
The FDIC sends cease and desist letters to FTX US and other entities who claim their products are insured
In July, the FDIC and Federal Reserve sent a cease and desist to Voyager, a company currently undergoing bankruptcy proceedings, which drew in customers with false promises that USD entrusted to the company were safe from any potential Voyager collapse thanks to FDIC insurance.
After choosing to keep the crypto, divorcee wants a do-over
As expected, the lawyer consulted by the FT informed them that their chances of a do-over were pretty slim, and suggested that individuals negotiating a split with a partner don't take on all the high-risk assets like this person did.
As of August 20, Bitcoin was trading at around $21,200, 70% lower than at its all-time high of $69,000 in November 2021. Other major cryptocurrencies are faring similarly poorly, with ETH down 67% to $1,630 from its all-time high of $4,890.
- "Can I cut my potential tax bills when returning to UK?", Financial Times
DegenTown NFT project rug pulls after promotion from Magic Eden
DegenTown first suffered issues in July, when the project's Twitter account was allegedly hacked, and users were tricked into approving a contract that drained their wallets. One individual behind the project promised they would compensate the users whose wallets were drained, but never did.
The project ultimately rug pulled instead, with Magic Eden acknowledging it in a blog post and Twitter thread on August 17. They wrote that they were "urging the original Degen Town founders to return the funds" — however, this is complicated somewhat by the fact that the identity of one of them is not known to Magic Eden. They explained, "Our prior policy was that we doxxed founders. NFTRamo claimed to be an advisor but we learned that he was actually the founder of the project and used being an advisor as a way of skirting our doxxing processes." This is not the first time their identity verification process was sidestepped — they introduced it after a serial rugpuller used their platform to anonymously sell and then rug pull another NFT project, but that same person was able to do it again only a few months later.
The DegenTown project minted 8,000 NFTs for 3 SOL apiece, bringing in $923,000. Beyond that, the creators took 7.5% in royalties on secondary sales. Magic Eden has said that they were able to get one of the two founders to return the funds they'd earned from the mint, and that they planned to use them to compensate buyers.
- "Magic Eden Response to Degen Town", Magic Eden blog
- Twitter thread by Magic Eden
Bribe Protocol team disappears after raising $5.5 million
Bribe Protocol was incubated by Advanced Blockchain AG and Composable. Composable might ring a bell, because in February its pseudonymous head of product, 0xbrainjar, was revealed to be Omar Zaki, who had settled with the SEC over charges that he had misled investors while operating an unregistered investment advisement company and hedge fund. At the time, he wrote that "I do not want a mistake in my youth to cloud all of the team's efforts", though the SEC charge was filed less than three years prior, when Zaki was 21.
An employee of Figment Capital, one of the investors in Bribe Protocol, claimed that the project had formally shut down and returned 86% of the funds raised from institutional investors, though "retail took a huge L". However, this doesn't appear to have been publicly announced by the project.
Bribe Protocol is, of course, not to be confused with the other Bribe Protocol, a defi project that was abandoned in May 2021.