Australian crypto exchange Digital Surge suspends withdrawals

The Brisbane-based cryptocurrency exchange Digital Surge announced that they would be suspending deposits and withdrawals. "Due to the impact of FTX Australia's administration, we are not able to operate business as usual and have suspended all deposits and withdrawals until further notice," they wrote. They also disclosed in an email that they had "some limited exposure to FTX".

BlockFi plans layoffs, possible bankruptcy after FTX collapse

Cryptocurrency lending company BlockFi suspended withdrawals on November 10 after the FTX collapse, an expected move since they had stayed afloat after the previous crypto meltdown only thanks to hundreds of millions in loans from FTX.

Now, the Wall Street Journal reports that BlockFi has been considering layoffs, and has been in talks with bankruptcy attorneys about a possible Chapter 11 filing.

Although BlockFi disputed reports that they had been custodying client assets at FTX, they acknowledged that they had "significant exposure to FTX and associated corporate entities that encompasses obligations owed to us by Alameda, assets held at FTX.com, and undrawn amounts from our credit line with FTX.US".

SALT crypto lender halts their service

The crypto lending firm SALT announced that they would be halting withdrawals due to exposure to FTX. "I am sorry to report that the collapse of FTX has impacted our business," they wrote in a message to users. "Until we are able to determine the extent of this impact with specific details that we feel confident are factually accurate, we have paused deposits and withdrawals on the SALT platform effective immediately."

Binance announces an "industry recovery fund"

CZ of Binance announced on Twitter that Binance would be forming an "industry recovery fund", which he says is intended for projects that are "otherwise strong, but in a liquidity crisis".

This not entirely unlike someone trying to sell you a house that is "otherwise sturdy, but in an engulfed-in-flames crisis".

He says the project is intended to reduce the "cascading negative effects of FTX", underscoring how nervous this whole debacle is making other players in the industry.

Ikigai Asset Management announces "large majority" of assets trapped in FTX

The founder and chief investment officer of the Californian crypto hedge fund Ikigai Asset Management wrote on Twitter, "Last week Ikigai was caught up in the FTX collapse. We had a large majority of the hedge fund's total assets on FTX. By the time we went to withdraw Monday mrng, we got very little out. We're now stuck alongside everyone else."

He announced that they would continue trading their remaining assets, and continue operating their venture fund. However, he said the future of the hedge fund was unclear, and likely to depend on what happens with FTX customer withdrawals.

"I'm pretty disgusted with the space as a whole and kinda humanity in general," he continued. "I'm at a loss for words at the depth & breadth of the pieces of shit that permeate crypto. So many fucking sociopaths were granted the opportunity to do so much damage. It's hard for me to imagine the space bouncing back quickly from this ordeal. Too many got burned too hard."

Huobi exchange announces $18.1 million is locked on FTX, mostly customer funds

Huobi announced to shareholders that they had $18.1 million in crypto assets on the FTX exchange, where they can't be withdrawn. They reported that approximately $13.2 million of those funds were customer assets. They announced that they would be taking an unsecured loan of up to $14 million from controlling shareholder Li Lin to cover the client assets.

AAX cryptocurrency exchange suspends withdrawals

The Hong Kong-headquartered cryptocurrency exchange announced that they would suspend withdrawals, which they claimed was due to a system upgrade that went poorly. They've estimated it will taken seven to ten days for normal service to resume.

Users have been hesitant to believe this explanation, given the enormous shakeup in the industry lately, and the tendency for firms to be less-than-forthcoming when they are in major crisis.

Three days prior, the company had published a blog post claiming that AAX had no exposure to FTX and its affiliated companies, that AAX had stable reserves, and that user funds were never exposed to counterparty risk.

Flare token rug pulls or is exploited for $17 million

Chart showing the price of $FLARE (denominated in USDT) over the previous five days. The price hovered between $18 and $20, until briefly spiking to around $25 before plummeting to $0.000001754.FLARE/USDT (attribution)
Exploits and rug pulls of random tokens on BNB Chain are fairly commonplace, but typically the amount of money lost is fairly minimal. In this case, exploiters or insiders were able to siphon 3.9 billion $FLARE from the Flare project, which they swapped for just under $17 million.

This serves as a good example of how theft amounts shouldn't be naively calculated based on the token price before the theft × the number of tokens stolen. $FLARE was priced at around $18.25 before the attack, and a naive calculation would place the theft amount at $71 billion. However, the lack of liquidity caused the token price to plummet to $0.0000018, and the attacker ultimately ended up with around $17 million.

Over $4 million drained from DeFiAI

"Our contract has been hacked and has caused a lot of losses," wrote DeFiAI simply in their announcement. That same day, the project had announced the launch of a new website for their project.

The total funds stolen appear to be around $4.17 million, according to analysis by SlowMist.

Tokensoft intentionally publishes personal data of around 5,000 users who they believe are "bad actors"

Tokensoft is a project that aims to help web3 projects launch fairly, without the launches being gamed. The group evidently thought they had come across 5,000 or so users who had been gaming airdrops, to which their solution was to publish a list of private user data about those individuals. The list included full names, wallet addresses, and physical and IP addresses.

Several users replied to the message in shock that their data was exposed, saying they'd never done anything wrong. The Tokensoft employee replied, "If you made it on the naughty list...yes, shame on you....I shared your info, better luck next time".

The project later deleted the link from the Discord server, then tried to claim that it had never been posted at all, then issued a statement that "information was mistakenly posted in Tokensoft's social media channels".

Bahamas Securities Commission issues statement that they didn't instruct FTX to process withdrawals for Bahamian customers

The Securities Commission of the Bahamas issued a statement saying that "The Commission wishes to advise that it has not directed, authorized or suggested to [FTX] the prioritization of withdrawals for Bahamian clients."

This contradicted FTX's previous statement that "Per our Bahamian HQ's regulation and regulators, we have begun to facilitate withdrawals of Bahamian funds." The announcement that they would be processing withdrawals for Bahamian customers led to a slew of non-Bahamian customers trying to find ways to withdraw their funds via bribes and shady NFT deals.

Some have viewed FTX's choice to enable Bahamian withdrawals as evidence that they were trying to allow FTX employees and family members to get access to their funds on the exchange, even when most customers had no such access.

Crypto.com CEO admits company accidentally sent 320,000 ETH ($416 million) to another crypto exchange a few weeks prior

A Twitter user posted Etherscan screenshots showing a massive flow of crypto from the Crypto.com cryptocurrency exchange to another exchange, Gate.io. "Anyone know why Crypto.com would send 320k ETH (82% of their ETH today) to Gate.io on October 21?", they wrote. "And why Gate.io would send back to Crypto.com 285K ETH 5-7 days later?"

Crypto.com's CEO, Kris Marszalek, replied: "It was supposed to be a move to a new cold storage address, but was sent to a whitelisted external exchange address. We worked with Gate team and the funds were subsequently returned to our cold storage." He later clarified that all of the funds were returned.

Twitter users, reasonably, reacted in horror at the revelation that the platform had accidentally sent such a substantial portion of their funds elsewhere in a careless mistake, and that such a monumental mistake was even possible. They were lucky that they erroneously sent the funds to another exchange, and one who agreed to return the funds.

This is not the first time Crypto.com has erroneously transferred funds; in August of this year, they sued a woman to whom they'd accidentally sent $7.2 million that wasn't hers.

FTX claims it was hacked as more than $400 million is withdrawn

Telegram screenshot of a message by Rey: "Ftx has been hacked. All funds seem to be gone. FTX apps are malware. Delete them. Chat is open. Don't go on ftx site as it might download Trojans."Screenshot of a message from an FTX Telegram admin (attribution)
Over $477 million was mysteriously withdrawn from FTX and FTX US late on November 11, despite the company freezing withdrawals.

An FTX account administrator wrote on the FTX support Telegram, "FTX has been hacked. FTX apps are malware. Delete them. Chat is open. Don't go on FTX site as it might download Trojans". The message was pinned by FTX General Counsel Ryne Miller.

Miller later wrote on Twitter, "Investigating abnormalities with wallet movements related to consolidation of ftx balances across exchanges - unclear facts as other movements not clear. Will share more info as soon as we have it."

A Telegram admin subsequently wrote, "Not all hope is lost. Engineers have managed to retrieve substantial amount of funds," but no details were provided beyond that. A later announcement by Miller claimed that FTX had "initiated precautionary steps to move all digital assets to cold storage", suggesting some of the transfers may have been a part of that effort.

Many speculated that the so-called hack had been coordinated by insiders.

FTX files for bankruptcy, Sam Bankman-Fried resigns

Aaaand there it goes.

FTX announced that it had filed for Chapter 11 bankruptcy in the United States. Sam Bankman-Fried resigned as CEO.

SBF had spoken about trying to raise additional funds. In leaked Slack messages, he had allegedly written that "One could maybe say, if they wanted to be optimistic, that we have a lot theoretically in and/or potentially for the raise". No one was actually saying this.

Early crypto investor loses $42 million in wallet compromise

Bo Shen, a general partner at Fenbushi Capital and an early adopter of cryptocurrencies, tweeted on November 22 that two weeks prior, someone had stolen $42 million in cryptocurrencies from his personal wallet. "The stolen assets are personal funds and do not affect on Fenbushi related entities," he wrote.

Analysis by the crypto security firm SlowMist attributed the theft to a compromise of Shen's seed phrase. Shen had been using the Trust Wallet software, though the theft does not appear to be related to security issues with the wallet software.

Users attempt to circumvent FTX withdrawal freeze with bribes and NFTs

Users panicked when FTX stopped processing withdrawals, particularly those with substantial amounts of funds locked in the exchange. When the exchange tweeted that they had "begun to facilitate withdrawals of Bahamian funds", some saw an opportunity.

"Any FTX employees willing to change my accounts country of residence to Bahamas to facilitate withdrawal I am offering $1 million and unlimited legal fees", wrote one trader (who later claimed to be joking).

A popular crypto Twitter user named "Algod" offered $100,000 to any FTX employee who would process their KYC documents, allowing them to withdraw. He was subsequently seen to be successfully withdrawing over $2 million in assets from the platform. He also shared links to a Telegram group where his partner was offering to buy people's FTX accounts for 10¢ on the dollar, from customers who feared they may never see the money again, or would only regain access to a fraction of it after years of court proceedings. Algod later denied "erroneous and defamatory statements" that he'd bought discounted claims/assets", admitting that he'd considered it, but claiming he ultimately decided not to.

Some observers noticed over $21 million withdrawn via NFT trades, that appeared to be being used as a way to bypass the internal blocks on users transferring balances to one another. People with funds locked in FTX bought NFTs from Bahamas-based users, spending their full account balance on the NFT and thus enabling the Bahamian user to then withdraw the funds. "This appears to be the first recorded case of NFT utility in existence 👍", wrote Cobie.

The Securities Commission of the Bahamas freezes FTX assets, appoints provisional liquidator

The Securities Commission of the Bahamas (where FTX is headquartered) announced they had frozen the assets of FTX and "related parties" — presumably Alameda. They also disclosed that they had suspended FTX's registration, and appointed a provisional liquidator.

The announcement went on to say, "The Commission is aware of public statements suggesting that clients' assets were mishandled, mismanaged and/or transferred to Alameda Research. Based on the Commission's information, any such actions would have been contrary to normal governance, without client consent and potentially unlawful."

DFX Finance suffers $5 million loss

An attacker was able to use a flash loan to exploit a vulnerability in the smart contract for DFX Finance, a decentralized forex trading platform. The platform suffered a loss amounting to around $5 million. The attacker subsequently laundered the funds through the Tornado Cash cryptocurrency tumbler. The attacker didn't make off with the entire amount lost from the platform, partly due to an MEV bot snagging a significant amount of the funds.

BlockFi suspends withdrawals

BlockFi had a tough time this past June, floundering after substantial losses in the crypto downturn. They were bailed out by FTX, who extended them a $250 million loan, then shortly after reached a deal that would give them the option to acquire BlockFi, and also extended BlockFi $400 million in revolving credit.

Now, the bailer is the one requiring the bailing, and the possible bailout of FTX by Binance fell through. This means that BlockFi is in a tough and uncertain spot, which is why they announced through Twitter that "until there is further clarity, we are limiting platform activity, including pausing client withdrawals". They also wrote that they had learned about the FTX collapse via Twitter.

BlockFi founder and COO Flori Marquez had tweeted only two days prior, just after the FTX news, that "All BlockFi products are fully operational. BlockFi is an independent business entity. We have a $400MM line of credit from FTX.US (not FTX.com) and will remain an independent entity until at least July 2023. We are processing all client withdrawals."

The Binance/FTX deal is off

It's over as quickly as it started, and it started pretty dang quickly. Binance walked away from the non-binding letter of intent that Binance signed to acquire FTX, which doesn't come as a huge surprise given how much they couched the announcement in caveats that it was subject to due diligence and that Binance could exit any time.

According to Binance, "As a result of corporate due diligence, as well as the latest news reports regarding mishandled customer funds and alleged US agency investigations, we have decided that we will not pursue the potential acquisition of FTX.com."

FTX is really up a creek. Reports suggest that the hole on their balance sheet is looking like $8 billion, a circumstance that is certainly not improving as FTT prices continue to plummet.

There is still no news about what will happen to Alameda, but the SBF-owned quant firm's website has ominously been taken offline.

FTX is insolvent; Binance offers bailout

Surprising just about everyone, FTX's Sam Bankman-Fried and Binance's Changpeng "CZ" Zhao announced suddenly that Binance had signed a "non-binding [letter of intent], intending to fully acquire FTX.com" after a "liquidity crunch". FTX, a major crypto exchange, had recently been rumored to be insolvent, and had stopped processing withdrawals earlier that day.

It appears that the Binance move was a last-ditch effort to save FTX, which went from being a powerful player in the crypto market offering bailouts and looking to acquire bankrupt companies to an insolvent exchange struggling to stay afloat in an incredibly short period of time.

CZ of Binance hedged a bit in his announcement, underscoring that "Binance has the discretion to pull out from the deal at any time" and would be performing "full [due diligence]" before the deal moved forward. It's not yet clear how much the Binance sell-off of FTX tokens contributed to the instability of the exchange.

Speculation emerges around Alameda Research and FTX solvency; Binance liquidates holdings

On November 2, CoinDesk published a leaked balance sheet from Alameda Research (a trading firm also owned by FTX founder and CEO Sam Bankman-Fried). The sheet suggested that Alameda held substantial amounts of FTX's $FTT token. "While there is nothing per se untoward or wrong about that, it shows Bankman-Fried's trading giant Alameda rests on a foundation largely made up of a coin that a sister company invented, not an independent asset like a fiat currency or another crypto," CoinDesk wrote.

Following the report, Binance CEO Changpeng "CZ" Zhao announced they would be liquidating their FTT holdings. CZ also took a shot at SBF's recent controversial policy recommendations, writing, "Liquidating our FTT is just post-exit risk management, learning from LUNA. We gave support before, but we won't pretend to make love after divorce. We are not against anyone. But we won't support people who lobby against other industry players behind their backs."

SBF first appeared conciliatory towards Binance, writing "I respect the hell out of what y'all have done to build the industry as we see it today, whether or not they reciprocate, and whether or not we use the same methods. Including CZ. Anyway -- as always -- it's time to build. Make love (and blockchain), not war." However, he later wrote that "A competitor is trying to go after us with false rumors" and urged that "FTX is fine. Assets are fine."

Federal judge rules that LBRY sold tokens in violation of federal securities laws

LBRY is a blockchain-based social network and video sharing protocol that was described by a researcher at The International Centre for the Study of Radicalisation and Political Violence as "the new YouTube for the far-right" in 2021.

In March 2021, the SEC sued LBRY over their LBC tokens, which were used for paid streaming, tipping, and as rewards for using the platform inviting other users. On November 7, 2022, a federal judge of the District Court for the District of New Hampshire ruled that "because no reasonable trier of fact could reject the SEC's contention that LBRY offered LBC as a security, and LBRY does not have a triable defense that it lacked fair notice, the SEC is entitled to judgment." The judge granted the SEC's motion for summary judgment, meaning the case will not go to trial.

U.S. Attorney convicts individual in 2012 theft from the Silk Road, announces seizure of over 50,000 Bitcoin priced at more than $1 billion

The U.S. Attorney's Office for the Southern District of New York announced that they had convicted James Zhong with wire fraud pertaining to his 2012 theft of around 50,000 Bitcoin from the Silk Road online marketplace. Zhong pled guilty to one count of wire fraud.

The government has filed a motion in the case against Ross Ulbricht, the founder and operator of the Silk Road who is serving life in prison, seeking to retain the seized Bitcoin. At the time of seizure in November 2021, the Bitcoin were notionally worth $3.36 billion. On the date the charges were announced, they would be notionally worth $1.06 billion.

Pando exploited for $20 million

The defi protocol Pando suffered a $20 million loss when it was exploited with an oracle manipulation attack. The protocol suspended several of its projects in response to the hack, and wrote that they hoped to negotiate with the hacker to regain some of the stolen proceeds. Some of the stolen funds were able to be locked, although it's not clear if it was the total amount.

Telegram repossesses usernames so they can sell them as NFTs

In August, the popular messaging app Telegram started repossessing some desirable usernames that were already being used. Shortly afterwards, Telegram founder Pavel Durov explained that he had been impressed by a quarter-million-dollar domain sale by the TON blockchain domain project, and wrote, "Let's see if we can add a little bit of Web 3.0 to Telegram in the coming weeks."

Telegram later introduced some of the repossessed usernames for sale as pricey NFTs on their new "collectible usernames" market, dubbed Fragment. Although Durov had claimed that "70% of all Telegram usernames had been reserved in inactive channels by cybersquatters from Iran", and that the only usernames that were "withdrawn" had been out of use, users were given no warning or option to keep their names.

On October 27, Durov announced that "in a few days, we will also introduce the ability for users to sell their existing usernames on Fragment" — unwelcome news for those whose usernames were sold out from under them by Telegram.

Some of the usernames that have sold on the marketplace include brand names like Facebook (which sold for 60,000 TON, or ~$94,200), FIFA (sold for 600,000 TON, or ~$972,000), Amazon (sold for 262,500 TON, or ~$425,000), and Meta (sold for 404,000 TON, or ~$723,000). There is no indication the buyers are necessarily associated with the brands in question. Furthermore, the username marketplace is not available in the USA.

Monkey Drainer steals dozens more NFTs, nets around $867,000

The "Monkey Drainer" NFT phishing scammer first identified by blockchain detective zachxbt has struck again. They successfully emptied 7 CryptoPunks and 20 Otherside NFTs, which they flipped for 522 ETH (~$867,000). The scammer then laundered the funds through the Tornado Cash cryptocurrency mixer.

Gala Games tokens drained by project claiming to help them; Huobi claims the project profited

There was some brief panic on November 3 as someone minted a huge number of $GALA tokens in what appeared to be an exploit. $GALA is the native token of Gala Games, a platform for distributing blockchain-based games. It turned out that the pNetwork project had discovered a vulnerability in the pNetwork bridge, which could have allowed someone to drain the entire pool. pNetwork decided to undertake their own "white hat" attack, draining the funds before a malicious exploiter could do so.

However, the Huobi crypto exchange has claimed that pNetwork's actions were not white hat, and that they profited $4.5 million from their actions. pNetwork rebutted that they had not made any money from the operation, and threatened to sue Huobi over the accusations.

Some traders who attempted to "buy the dip" and profit from the plunge in value of the GALA tokens were also upset with Huobi, when they found that the exchange had replaced their tokens with new, worthless $pGALA tokens.

Skyward Finance treasury drained of $3.2 million

Skyward Finance is a project based on the NEAR blockchain, aiming to help users with initial token distribution. The project's treasury was drained of 1.1 million NEAR (~$3.2 million) after a hacker discovered a vulnerability in the project's smart contract. Crypto exploit research group Rekt wrote, "The fact that it took over a year for anyone to find this relatively simple exploit is remarkable." and questioned, "Was this incident an honest, albeit simple, mistake? Or a planned ejector seat?"

The project was unusually frank in their announcement, writing on Twitter that the hack had "render[ed] the Treasury and the $SKYWARD token effectively worthless... We recommend users to withdraw their funds safely where they can and for the community to no longer interact with Skyward."

Iris Energy Bitcoin mining firm close to defaulting on loans of $103 million

Iris Energy, an Australian "sustainable Bitcoin mining company", has announced that they are close to defaulting on loans used to purchase $103 million of Bitcoin mining rigs. These machines depreciate in value quickly, and are currently estimated by the company to be worth $65–$70 million. At the moment, they produce $2 million in gross profit from mining Bitcoin, which is not sufficient for the company to meet the $7 million of loan payments each month.

Oracle attack on Solend costs the project $1.26 million

Solend announced that an exploiter had manipulated the oracle price of an asset on their platform, allowing them to take out a loan that left the platform with $1.26 million in bad debt. They reported that they had paused affected pools, and did not anticipate other pools on the platform were at risk.

Rubic exchange private key compromised, token plummets

An attacker was able to compromise the private key of an admin wallet for the Rubic crypto exchange, transferring around 34 million Rubic tokens. The attacker then sold the tokens on decentralized exchanges Uniswap and PancakeSwap.

The enormous sale caused the token price to plummet from $0.082 to $0.016, an 80% decrease. The stolen tokens were nominally worth almost $2.8 million (priced at the value before the theft), but it's not likely the attackers were able to exchange them for that much given the lack of liquidity to absorb such a huge sale.

Crypto exchange Deribit hacked for $28 million

Major crypto exchange Deribit suffered a hot wallet compromise that resulted in a $28 million theft. The exchange halted withdrawals to perform security checks, but urged that customer funds were safe and that the loss was covered by company reserves.

Deribit is also among the primary creditors of failed crypto hedge fund Three Arrows Capital, which defaulted on an $80 million loan from the exchange.

Founders of Hodlnaut attempt to hide financial records from court

Hodlnaut, a crypto lending platform that halted withdrawals on August 8, has been undergoing court proceedings while it's determined if the insolvent company has a path to stabilization or if they will need to be liquidated. A Singaporean court document shows that the company founders tried to hide financial documents from the court, and that the records that do exist "have not been properly maintained". According to the Interim Judicial Managers, the founders and some other employees were uncooperative, obstructed the advisors' work, and tried to stop them from "taking into possession various key books and records of the Company".

Sounds like everything's above board over there! It was also exposed in August that the company had lied to its users about their exposure to the Terra collapse.

French fry-themed DAO loses $2.3 million due to Profanity exploit

friesDAO describes itself as a "a decentralized social experiment where a crypto community builds and governs a fast food franchise empire via wisdom of the crowd". Welcome to the future.

Anyway, friesDAO seems to have fallen victim to the same Profanity vulnerability that has affected projects who used the tool to generate vanity wallet addresses. friesDAO wanted a wallet address beginning with 51D35 ("SIDES"), and as a result they opened themselves up to a major loss.

The project had previously announced that they had raised $5.4 million in funding, suggesting this attack drained almost half of the project's funds.

Core Scientific Bitcoin mining operator warns of missed payments, possible bankruptcy

One of the largest public crypto mining firms in the United States, Core Scientific, filed a notice with the SEC that they would miss upcoming debt payments due in October and November. They also wrote that the company "potentially could seek relief under the applicable bankruptcy or insolvency laws. In the event of a bankruptcy proceeding or insolvency, or restructuring of our capital structure, holders of the Company's common stock could suffer a total loss of their investment."

Core Scientific blamed their precarious financial situation on "the prolonged decrease in the price of bitcoin, the increase in electricity costs, the increase in the global bitcoin network hash rate and the litigation with Celsius Networks LLC and its affiliates". Bankrupt crypto platform Celsius owes Core Scientific around $5.4 million.

Core Scientific's stock plummeted from around $1 a share to around $0.20 on the news, an 80% decrease. The stock started the year at $10.43 a share, and has decreased in value by 98% year-to-date.

$14.5 million stolen from Team Finance

Team Finance is a project that helps projects lock their tokens to be released after a certain period or on a schedule. A hacker exploited a vulnerability in a smart contract that enabled users of Team Finance to migrate from version two to version three of their project, despite that contract being audited. The attacker made off with $14.5 million thanks to the vulnerability.

Monkey Drainer steals ~$1 million in 24 hours

A phishing scammer called "Monkey Drainer" stole around 700 ETH (~$940,000) in 24 hours on October 25, according to blockchain sleuth zachxbt. The scammer used malicious phishing sites to trick users into signing transactions that then drained cryptocurrencies and NFTs from their wallets. Some individual victims lost crypto valued at hundreds of thousands of dollars, and others lost NFT collections. Zachxbt estimated the total amount solen by Monkey Drainer to be around $3.5 million.

Oracle manipulation attack on a QuickSwap market earns exploiter $188,000

Adding to the recent string of oracle manipulation attacks is an attack on the miMATIC ($MAI) market on the QuickSwap decentralized exchange. An exploiter was able to manipulate the spot price of assets to borrow funds, ultimately making off with 138 ETH ($188,000) that they mixed through Tornado Cash. The vulnerability was due to the use of a Curve LP oracle, which contains a vulnerability that was disclosed by a security firm earlier that month.

Security firm PeckShield initially suggested the issue might have been with QiDAO, which creates the $MAI stablecoin. The vulnerability is not with their project, although it's possible that the theft will impact the collateralization of their stablecoin.

Freeway halts withdrawals, accused of $160 million rug pull

Freeway, a financial scheme where users buy "Superchargers", which are crypto "simulations" that promise to pay out rewards of up to 43% annually, seems to have taken the off-ramp. The project announced to its users that due to "unprecedented volatility in Foreign Exchange and Cryptocurrency markets in recent times", they would be pausing their Supercharger program. The project reportedly halted withdrawals on more than $160 million worth of assets.

Worryingly, the company also removed all mentions of its team from their website, and reportedly removed an attestation to the company's financial backing as well.

The day before the project announced the pause, crypto whistleblower and researcher FatMan published a Twitter thread urging people to withdraw funds immediately because he believed they were operating a Ponzi scheme. "In my opinion, it's likely that Freeway will collapse within the next few months and that all depositors will lose everything."

Attacker drains tokens from Layer2DAO, project buys some of them back

An attacker was able to siphon nearly 50 million L2DAO tokens from a multi-sig wallet on the Optimism protocol. These tokens would nominally have been valued at around $400,000 at the price at the time of the hack, although the token has low liquidity and the attacker would not likely have been able to sell them for that price. The stolen tokens amounted to 5% of the project's total token supply.

The attacker swapped 16.7 million of the tokens before the project was able to negotiate a deal to buy back the remaining 33.2 million tokens at a price of $0.001. In the end, the hacker made off with the $33,200 paid by Layer2DAO, plus 40.4 ETH (~$54,000) from the tokens they were able to sell.

The Layer2DAO team seemed unsure how the hack had happened, but said that they believed it was similar to the June 2022 incident in which an attacker got hold of 20 million Optimism tokens after Wintermute provided an incorrect wallet address.

Several users report losing more than a million dollars each in 3Commas/FTX theft

Several users of the automated trading bot 3Commas reported losing over a million dollars each in a hack or phishing scam affecting users who had connected it to their FTX accounts. 3Commas has blamed the losses on phishing, but affected users have said they were confident they were not phished.

One user wrote they lost almost 104 BTC (~$2 million) from an account that they said they only ever connected to FTX a year ago, with an API key they had not saved, and which had since expired and been downgraded to a free account. Another reported losing about $1.5 million.

FTX CEO Sam Bankman-Fried wrote on Twitter that FTX would compensate the affected users for roughly $6 million in total. He wrote in all caps that he did not want this to be considered a precedent, and it was "a one-time thing". He also stressed that FTX was not responsible for the exploit, and that the users had been tricked by phishing sites impersonating other reputable trading services.

Warner Bros. reinvents DVD navigation menus with their web3 "Movieverse"

Image of Sauron throwing the Ring into a fireThe Lord of the Rings: The Fellowship of the Ring Extended Edition Epic (attribution)
Warner Bros. has just announced their "The Lord of the Rings: The Fellowship of the Ring (Extended Version) Web3 Movie Experience". Catchy name.

Now, you have of course already been able to purchase or stream The Lord of the Rings: The Fellowship of the Ring (Extended Version) for twenty years now. But now you can buy a $30 or $100 NFT to get the same thing, which also boasts "themed navigation menus based on iconic locations from the beloved film". So one of those DVD navigation menus. The NFTs come with other vagaries, including "8 hours of special features, image galleries, [and] hidden AR collectibles".

Plus, of course, you can "own and trade the experience in a community marketplace".

Two days after launch, 4,203 of the 10,000 "Mystery Edition" NFTs have sold for their $30 mint price. They're already reselling on the secondary market for as low as $7.99. The $100 mint "Epic" NFTs are doing slightly better — all 999 of those were minted, and are reselling on the secondary market for around $200. All told, WB has made around $225,000 off the mint.

Almost $300,000 stolen from Olympus DAO, later returned

Insufficient validation on an OHM smart contract at Bond Protocol allowed an attacker to drain 30,437 OHM (~$300,000) from the Olympus DAO defi protocol.

Olympus DAO wrote in an announcement that "This bug was not found by 3 auditors, nor by our internal code review, nor reported via our Immunefi bug bounty." They also noted that because they had done a phased rollout of the contract, only a limited amount of the project's substantial funds were at risk.

Olympus DAO initially announced that they would "compensate all affected bonders in full", but later revealed that the stolen funds had been returned. According to The Block, the Olympus team had successfully tracked the hacker and negotiated the return of the funds.

Unstoppable Domains disables .coin extensions, illustrating an issue with the idea that "you'll always own your NFT"

Unstoppable Domains is in the business of selling "domains" — at least that's what they call them, but they're not the kind of domain that you can plug into your web browser. Instead, they are more like the ENS domains that you may have seen (the ones ending in .eth), and they typically map to a crypto wallet address.

The organization just discovered that they were not the first to go around selling .coin "domains" (represented by NFTs), and were at risk of running into collisions. As a result, they decided to no longer sell these domains, and stop their libraries and services from resolving them.

But fear not, they said, because "Unstoppable domains are self-custodied NFTs, so you still own your .coin domain, but it won't work with our resolution services or integrations."

That's right, folks, you'll still have your .coin NFT! It just won't resolve, or be otherwise useful in any way.

This is much like the argument that has been common in crypto when describing a use case for NFTs: "if it's an NFT, you'll be able to really own your World of Warcraft sword, and Blizzard won't be able to take it away from you if they arbitrarily decide to ban you or remove the item!" This ignores the fact that the existence of an NFT on a blockchain does not ensure that some functionality initially advertised will continue to work in perpetuity, and you might end up with a domain name or a sword that can do nothing more than sit in your crypto wallet collecting dust.

Unstoppable Domains has offered to credit purchasers of .coin domains 3x their purchase price, though this will likely not be as appealing to people who held domains they hoped to flip for much higher than the initial price.

Vulnerability in BitBTC bridge ends in an exploit where the clock is ticking

A security researcher published a frustrated Twitter thread reporting that "BitBTC's Optimism bridge is trivially vulnerable. Their team has ignored my messages, so I'm going to publish the critical exploit here." They described an issue where it was possible for people to create tokens on the Optimism side of the bridge that could be tied to any token on the other side of the bridge — meaning an exploiter could create a valueless token and bridge it to an unrelated token with actual value.

Less than a day after publishing the thread, someone did exactly what the researcher described, and was able to cause the bridge to mint and transfer 200 billion BitBTC. BitBTC aims to be valued at 1/1,000,000 of a BTC, meaning the exploiter on paper just landed themselves 200,000 BTC, but this is another case where massive amounts of a token were created and could never be traded for anywhere near their ostensible "value". BitBTC doesn't have publicly available data on the backing of their tokens, but it's certainly nowhere near 200,000 BTC. The project appears to be very new, and was created by a self-described "19 year old Bitcoin believer".

BitBTC has seven days from the time of the hack to fix the issue in their bridge before the transfer is complete and the attacker is awarded the tokens. Meanwhile, the hacker left an Ethereum transaction note to say that "I'm not a hacker, just want to test the exploit with a [proof of concept], won't touch any of the valuable assets."

Moola Market exploited for $8.4 million

The Celo-based borrowing and lending platform, Moola Market, suffered a major exploit when an attacker manipulated collateral prices to steal a collection of assets notionally worth around $8.4 million. After taking a loan of $MOO tokens on the platform, the attacker manipulated the price of those tokens to borrow all other tokens available on the lending protocol. The project dashboard currently shows 100% utilization, because the attacker emptied all funds that were available: a mix of $CELO, $cEUR, $MOO, and $cUSD that amount to around $8.4 million.

This attack was executed similarly to the Mango Markets exploit a week prior. Moola Market tweeted that they had "contacted law enforcement and taken steps to make it difficult to liquidate the funds. We are willing to negotiate a bounty payment in exchange for returning the funds within the next 24 hours." The attacker did eventually return 93% of the funds, keeping the remaining $588,000 as a "bug bounty".

Roofstock claims to have completed its first one-click NFT home sale

A grey single-family home with a garage door and cement drivewayThe house that was sold via NFT (attribution)
If you've ever wished you could put the same amount of thought into buying a $100,000+ home as you do ordering another bag of dog food from your online retailer of choice, you're in luck! A company called Roofstock claims to have achieved its first house-as-NFT sale on a platform it promises will "provide a radically simple way for [single-family rental] properties to be purchased and sold with one-click using web3 technology". The home in question was a $175,000 single-family residence in Columbia, South Carolina.

Needless to say, there were more than a few questions around the legal and tax ramifications of this. Some of the more crypto-minded spoke excitedly of "the ability to easily fractionalize your properties or take loans against it in a decentralized way" that this might unlock, while the rest of us were left wondering what a defi loan default and foreclosure would look like.

As much as I agree the real estate system could use some improvements, introducing the ability for someone to hack my crypto wallet and take my house is not quite what I had in mind.

Much-anticipated "speedy" Aptos chain launches, processing 4 transactions per second and with 80% of tokens allocated to insiders

Aptos, a much-anticipated layer 1 blockchain backed by FTX and a16z, and created by a team of former Meta employees, launched to much anticipation on October 17. The team had bragged that the chain would be able to process 160,000 transactions per second, even more than Solana's claimed theoretical 65,000, and far more than Ethereum's ~15 or Bitcoin's ~7. Instead, after launch, Aptos was processing a painful 4 transactions per second.

This was not the only criticism of Aptos upon launch. The Aptos token was quickly put up for sale on exchanges including FTX and Binance, but Aptos had not yet published information about their tokenomics — leaving would-be investors trying to make decisions about whether to purchase a token about which they couldn't find even basic information. Once the tokenomics were published, people expressed concerns about the distribution: 80% were allocated to the team and investors and staked, enabling them to dump the staking rewards on retail investors.

Texas regulators are investigating FTX and Sam Bankman-Fried for possible securities violations

Joseph Jason Rotunda, Director of the Enforcement Division of the Texas State Securities Board, submitted a filing to the ongoing Voyager bankruptcy case. FTX is the highest bidder among companies who have made offers to buy the assets of Voyager.

According to Rotunda, there is an ongoing investigation by the TSSB into whether FTX has been offering unregistered securities to United States residence in the form of yield-bearing accounts. He alleged that FTX's claimed attempts to segregate US users to the separate FTX.US exchange, the software makes no apparent attempt to do so, and offered yield-bearing accounts to customers who had signed up with a U.S. address — potentially in violation of securities laws.

Rotunda submitted the filing in the Voyager bankruptcy case to argue that FTX should not be permitted to buy Voyager's assets until they have been determined to be compliant with securities law. He wrote, "[FTX yield-bearing] products appear similar to the yield-bearing depository accounts offered by Voyager Digital LTD et al., and the Enforcement Division is now investigating FTX Trading, FTX US, and their principals, including [FTX CEO] Sam Bankman-Fried."