Crypto exchange Deribit hacked for $28 million

Major crypto exchange Deribit suffered a hot wallet compromise that resulted in a $28 million theft. The exchange halted withdrawals to perform security checks, but urged that customer funds were safe and that the loss was covered by company reserves.

Deribit is also among the primary creditors of failed crypto hedge fund Three Arrows Capital, which defaulted on an $80 million loan from the exchange.

Founders of Hodlnaut attempt to hide financial records from court

Hodlnaut, a crypto lending platform that halted withdrawals on August 8, has been undergoing court proceedings while it's determined if the insolvent company has a path to stabilization or if they will need to be liquidated. A Singaporean court document shows that the company founders tried to hide financial documents from the court, and that the records that do exist "have not been properly maintained". According to the Interim Judicial Managers, the founders and some other employees were uncooperative, obstructed the advisors' work, and tried to stop them from "taking into possession various key books and records of the Company".

Sounds like everything's above board over there! It was also exposed in August that the company had lied to its users about their exposure to the Terra collapse.

French fry-themed DAO loses $2.3 million due to Profanity exploit

friesDAO describes itself as a "a decentralized social experiment where a crypto community builds and governs a fast food franchise empire via wisdom of the crowd". Welcome to the future.

Anyway, friesDAO seems to have fallen victim to the same Profanity vulnerability that has affected projects who used the tool to generate vanity wallet addresses. friesDAO wanted a wallet address beginning with 51D35 ("SIDES"), and as a result they opened themselves up to a major loss.

The project had previously announced that they had raised $5.4 million in funding, suggesting this attack drained almost half of the project's funds.

Core Scientific Bitcoin mining operator warns of missed payments, possible bankruptcy

One of the largest public crypto mining firms in the United States, Core Scientific, filed a notice with the SEC that they would miss upcoming debt payments due in October and November. They also wrote that the company "potentially could seek relief under the applicable bankruptcy or insolvency laws. In the event of a bankruptcy proceeding or insolvency, or restructuring of our capital structure, holders of the Company's common stock could suffer a total loss of their investment."

Core Scientific blamed their precarious financial situation on "the prolonged decrease in the price of bitcoin, the increase in electricity costs, the increase in the global bitcoin network hash rate and the litigation with Celsius Networks LLC and its affiliates". Bankrupt crypto platform Celsius owes Core Scientific around $5.4 million.

Core Scientific's stock plummeted from around $1 a share to around $0.20 on the news, an 80% decrease. The stock started the year at $10.43 a share, and has decreased in value by 98% year-to-date.

$14.5 million stolen from Team Finance

Team Finance is a project that helps projects lock their tokens to be released after a certain period or on a schedule. A hacker exploited a vulnerability in a smart contract that enabled users of Team Finance to migrate from version two to version three of their project, despite that contract being audited. The attacker made off with $14.5 million thanks to the vulnerability.

Monkey Drainer steals ~$1 million in 24 hours

A phishing scammer called "Monkey Drainer" stole around 700 ETH (~$940,000) in 24 hours on October 25, according to blockchain sleuth zachxbt. The scammer used malicious phishing sites to trick users into signing transactions that then drained cryptocurrencies and NFTs from their wallets. Some individual victims lost crypto valued at hundreds of thousands of dollars, and others lost NFT collections. Zachxbt estimated the total amount solen by Monkey Drainer to be around $3.5 million.

Oracle manipulation attack on a QuickSwap market earns exploiter $188,000

Adding to the recent string of oracle manipulation attacks is an attack on the miMATIC ($MAI) market on the QuickSwap decentralized exchange. An exploiter was able to manipulate the spot price of assets to borrow funds, ultimately making off with 138 ETH ($188,000) that they mixed through Tornado Cash. The vulnerability was due to the use of a Curve LP oracle, which contains a vulnerability that was disclosed by a security firm earlier that month.

Security firm PeckShield initially suggested the issue might have been with QiDAO, which creates the $MAI stablecoin. The vulnerability is not with their project, although it's possible that the theft will impact the collateralization of their stablecoin.

Freeway halts withdrawals, accused of $160 million rug pull

Freeway, a financial scheme where users buy "Superchargers", which are crypto "simulations" that promise to pay out rewards of up to 43% annually, seems to have taken the off-ramp. The project announced to its users that due to "unprecedented volatility in Foreign Exchange and Cryptocurrency markets in recent times", they would be pausing their Supercharger program. The project reportedly halted withdrawals on more than $160 million worth of assets.

Worryingly, the company also removed all mentions of its team from their website, and reportedly removed an attestation to the company's financial backing as well.

The day before the project announced the pause, crypto whistleblower and researcher FatMan published a Twitter thread urging people to withdraw funds immediately because he believed they were operating a Ponzi scheme. "In my opinion, it's likely that Freeway will collapse within the next few months and that all depositors will lose everything."

Attacker drains tokens from Layer2DAO, project buys some of them back

An attacker was able to siphon nearly 50 million L2DAO tokens from a multi-sig wallet on the Optimism protocol. These tokens would nominally have been valued at around $400,000 at the price at the time of the hack, although the token has low liquidity and the attacker would not likely have been able to sell them for that price. The stolen tokens amounted to 5% of the project's total token supply.

The attacker swapped 16.7 million of the tokens before the project was able to negotiate a deal to buy back the remaining 33.2 million tokens at a price of $0.001. In the end, the hacker made off with the $33,200 paid by Layer2DAO, plus 40.4 ETH (~$54,000) from the tokens they were able to sell.

The Layer2DAO team seemed unsure how the hack had happened, but said that they believed it was similar to the June 2022 incident in which an attacker got hold of 20 million Optimism tokens after Wintermute provided an incorrect wallet address.

Several users report losing more than a million dollars each in 3Commas/FTX theft

Several users of the automated trading bot 3Commas reported losing over a million dollars each in a hack or phishing scam affecting users who had connected it to their FTX accounts. 3Commas has blamed the losses on phishing, but affected users have said they were confident they were not phished.

One user wrote they lost almost 104 BTC (~$2 million) from an account that they said they only ever connected to FTX a year ago, with an API key they had not saved, and which had since expired and been downgraded to a free account. Another reported losing about $1.5 million.

FTX CEO Sam Bankman-Fried wrote on Twitter that FTX would compensate the affected users for roughly $6 million in total. He wrote in all caps that he did not want this to be considered a precedent, and it was "a one-time thing". He also stressed that FTX was not responsible for the exploit, and that the users had been tricked by phishing sites impersonating other reputable trading services.

Warner Bros. reinvents DVD navigation menus with their web3 "Movieverse"

Image of Sauron throwing the Ring into a fireThe Lord of the Rings: The Fellowship of the Ring Extended Edition Epic (attribution)
Warner Bros. has just announced their "The Lord of the Rings: The Fellowship of the Ring (Extended Version) Web3 Movie Experience". Catchy name.

Now, you have of course already been able to purchase or stream The Lord of the Rings: The Fellowship of the Ring (Extended Version) for twenty years now. But now you can buy a $30 or $100 NFT to get the same thing, which also boasts "themed navigation menus based on iconic locations from the beloved film". So one of those DVD navigation menus. The NFTs come with other vagaries, including "8 hours of special features, image galleries, [and] hidden AR collectibles".

Plus, of course, you can "own and trade the experience in a community marketplace".

Two days after launch, 4,203 of the 10,000 "Mystery Edition" NFTs have sold for their $30 mint price. They're already reselling on the secondary market for as low as $7.99. The $100 mint "Epic" NFTs are doing slightly better — all 999 of those were minted, and are reselling on the secondary market for around $200. All told, WB has made around $225,000 off the mint.

Almost $300,000 stolen from Olympus DAO, later returned

Insufficient validation on an OHM smart contract at Bond Protocol allowed an attacker to drain 30,437 OHM (~$300,000) from the Olympus DAO defi protocol.

Olympus DAO wrote in an announcement that "This bug was not found by 3 auditors, nor by our internal code review, nor reported via our Immunefi bug bounty." They also noted that because they had done a phased rollout of the contract, only a limited amount of the project's substantial funds were at risk.

Olympus DAO initially announced that they would "compensate all affected bonders in full", but later revealed that the stolen funds had been returned. According to The Block, the Olympus team had successfully tracked the hacker and negotiated the return of the funds.

Unstoppable Domains disables .coin extensions, illustrating an issue with the idea that "you'll always own your NFT"

Unstoppable Domains is in the business of selling "domains" — at least that's what they call them, but they're not the kind of domain that you can plug into your web browser. Instead, they are more like the ENS domains that you may have seen (the ones ending in .eth), and they typically map to a crypto wallet address.

The organization just discovered that they were not the first to go around selling .coin "domains" (represented by NFTs), and were at risk of running into collisions. As a result, they decided to no longer sell these domains, and stop their libraries and services from resolving them.

But fear not, they said, because "Unstoppable domains are self-custodied NFTs, so you still own your .coin domain, but it won't work with our resolution services or integrations."

That's right, folks, you'll still have your .coin NFT! It just won't resolve, or be otherwise useful in any way.

This is much like the argument that has been common in crypto when describing a use case for NFTs: "if it's an NFT, you'll be able to really own your World of Warcraft sword, and Blizzard won't be able to take it away from you if they arbitrarily decide to ban you or remove the item!" This ignores the fact that the existence of an NFT on a blockchain does not ensure that some functionality initially advertised will continue to work in perpetuity, and you might end up with a domain name or a sword that can do nothing more than sit in your crypto wallet collecting dust.

Unstoppable Domains has offered to credit purchasers of .coin domains 3x their purchase price, though this will likely not be as appealing to people who held domains they hoped to flip for much higher than the initial price.

Vulnerability in BitBTC bridge ends in an exploit where the clock is ticking

A security researcher published a frustrated Twitter thread reporting that "BitBTC's Optimism bridge is trivially vulnerable. Their team has ignored my messages, so I'm going to publish the critical exploit here." They described an issue where it was possible for people to create tokens on the Optimism side of the bridge that could be tied to any token on the other side of the bridge — meaning an exploiter could create a valueless token and bridge it to an unrelated token with actual value.

Less than a day after publishing the thread, someone did exactly what the researcher described, and was able to cause the bridge to mint and transfer 200 billion BitBTC. BitBTC aims to be valued at 1/1,000,000 of a BTC, meaning the exploiter on paper just landed themselves 200,000 BTC, but this is another case where massive amounts of a token were created and could never be traded for anywhere near their ostensible "value". BitBTC doesn't have publicly available data on the backing of their tokens, but it's certainly nowhere near 200,000 BTC. The project appears to be very new, and was created by a self-described "19 year old Bitcoin believer".

BitBTC has seven days from the time of the hack to fix the issue in their bridge before the transfer is complete and the attacker is awarded the tokens. Meanwhile, the hacker left an Ethereum transaction note to say that "I'm not a hacker, just want to test the exploit with a [proof of concept], won't touch any of the valuable assets."

Moola Market exploited for $8.4 million

The Celo-based borrowing and lending platform, Moola Market, suffered a major exploit when an attacker manipulated collateral prices to steal a collection of assets notionally worth around $8.4 million. After taking a loan of $MOO tokens on the platform, the attacker manipulated the price of those tokens to borrow all other tokens available on the lending protocol. The project dashboard currently shows 100% utilization, because the attacker emptied all funds that were available: a mix of $CELO, $cEUR, $MOO, and $cUSD that amount to around $8.4 million.

This attack was executed similarly to the Mango Markets exploit a week prior. Moola Market tweeted that they had "contacted law enforcement and taken steps to make it difficult to liquidate the funds. We are willing to negotiate a bounty payment in exchange for returning the funds within the next 24 hours." The attacker did eventually return 93% of the funds, keeping the remaining $588,000 as a "bug bounty".

Roofstock claims to have completed its first one-click NFT home sale

A grey single-family home with a garage door and cement drivewayThe house that was sold via NFT (attribution)
If you've ever wished you could put the same amount of thought into buying a $100,000+ home as you do ordering another bag of dog food from your online retailer of choice, you're in luck! A company called Roofstock claims to have achieved its first house-as-NFT sale on a platform it promises will "provide a radically simple way for [single-family rental] properties to be purchased and sold with one-click using web3 technology". The home in question was a $175,000 single-family residence in Columbia, South Carolina.

Needless to say, there were more than a few questions around the legal and tax ramifications of this. Some of the more crypto-minded spoke excitedly of "the ability to easily fractionalize your properties or take loans against it in a decentralized way" that this might unlock, while the rest of us were left wondering what a defi loan default and foreclosure would look like.

As much as I agree the real estate system could use some improvements, introducing the ability for someone to hack my crypto wallet and take my house is not quite what I had in mind.

Much-anticipated "speedy" Aptos chain launches, processing 4 transactions per second and with 80% of tokens allocated to insiders

Aptos, a much-anticipated layer 1 blockchain backed by FTX and a16z, and created by a team of former Meta employees, launched to much anticipation on October 17. The team had bragged that the chain would be able to process 160,000 transactions per second, even more than Solana's claimed theoretical 65,000, and far more than Ethereum's ~15 or Bitcoin's ~7. Instead, after launch, Aptos was processing a painful 4 transactions per second.

This was not the only criticism of Aptos upon launch. The Aptos token was quickly put up for sale on exchanges including FTX and Binance, but Aptos had not yet published information about their tokenomics — leaving would-be investors trying to make decisions about whether to purchase a token about which they couldn't find even basic information. Once the tokenomics were published, people expressed concerns about the distribution: 80% were allocated to the team and investors and staked, enabling them to dump the staking rewards on retail investors.

Texas regulators are investigating FTX and Sam Bankman-Fried for possible securities violations

Joseph Jason Rotunda, Director of the Enforcement Division of the Texas State Securities Board, submitted a filing to the ongoing Voyager bankruptcy case. FTX is the highest bidder among companies who have made offers to buy the assets of Voyager.

According to Rotunda, there is an ongoing investigation by the TSSB into whether FTX has been offering unregistered securities to United States residence in the form of yield-bearing accounts. He alleged that FTX's claimed attempts to segregate US users to the separate FTX.US exchange, the software makes no apparent attempt to do so, and offered yield-bearing accounts to customers who had signed up with a U.S. address — potentially in violation of securities laws.

Rotunda submitted the filing in the Voyager bankruptcy case to argue that FTX should not be permitted to buy Voyager's assets until they have been determined to be compliant with securities law. He wrote, "[FTX yield-bearing] products appear similar to the yield-bearing depository accounts offered by Voyager Digital LTD et al., and the Enforcement Division is now investigating FTX Trading, FTX US, and their principals, including [FTX CEO] Sam Bankman-Fried."

BitKeep Swap hacked for more than $1 million

The Swap feature of the BitKeep crypto wallet suffered an exploit that landed a hacker more than $1 million worth of BNB. The project acknowledged the hack, and promised to reimburse users who were impacted.

This is the second hack in October of the swap functionality of a crypto wallet, with Transit Swap suffering a $21 million hack on October 1 — although in that case, the attacker subsequently returned a large portion of the stolen funds.

Tokens notionally worth $825,000 stolen from Syntropy in venture capital investment deal gone wrong

The web3 company Syntropy suffered the loss of 15 million of their $NOIA tokens when they attempted to transfer them to a venture capital firm, but instead they ended up with a thief. In a Twitter statement, the company claims that they had reached an agreement with a venture capital firm to invest in Syntropy, and sent the agreed number of tokens to an escrow agent to complete the deal. However, they say, "it became apparent that the buyer's identity had been compromised. The malicious actor convinced the escrow agent into releasing the tokens to the impersonating party." 15 million $NOIA tokens (notionally worth around $825,000) were stolen, and the $NOIA price crashed from around $0.055 to around $0.037. According to Syntropy, Kucoin froze the accounts holding the stolen funds.

Some supporters of Syntropy have questioned the team's decision to take a deal like this from a VC firm after the firm claimed to be fully funded, and without communicating with the community. Others questioned how the deal could have possibly gone so wrong in the way Syntropy claimed.

Over 51% of blocks validated on the Ethereum chain are censored

On October 14, Ethereum reached a milestone that alarms many who have pushed for blockchains as "censorship-proof" technology. More than 51% of blocks produced in the preceding 24 hours were processed by relays that filtered out transactions involving Tornado Cash, a crypto mixing service that was added to the U.S. sanctions list in August.

This 51% threshold doesn't pose an immediate threat to Tornado Cash users, because even validators that censor transactions will still attest to the validity of blocks created by non-censoring validators. However, if 51% or more of validators were to also stop attesting to non-censored blocks, they would no longer be able to be added to the chain.

Earning.Farm exploited for $971,000, exploiter gets frontrun by MEV bot

The defi project Earning.Farm lost 748 ETH (~$971,000) to a hacker using a flash loan attack. The project contract was missing a check that a flash loan was initiated by the protocol, so the attacker was able to instruct the project to withdraw large amounts of funds, which they then were able to transfer to themselves.

Amusingly, one of the transactions by the hacker was frontrun by a MEV bot known as 0xa57, which made a tidy 480 ETH (~$623,000) from the attack. The second transaction succeeded, landing the attacker 268 ETH (~$348,000). According to a MEV researcher, 0xa57 has been known to return funds that were obtained as a result of a hack.

DAO Maker allegedly tries to dodge hack repayment promises

In August 2021, DAO Maker (not to be confused with MakerDAO) was hacked for $7.38 million. The stolen funds were taken from users, rather than a project treasury, and 5,521 people lost an average of $1,250 each. DAO Maker promised to compensate impacted users with a mix of the USDC stablecoin and USDR: an IOU token that they promised users would be able to redeem a year later for 110% of its dollar value.

Now that year mark is approaching, and a report from Rekt alleges that DAO Maker is trying to wiggle out of their promises through a governance vote, which they've framed as trying to "prevent major $DAO DUMP from USDR distributions". Meanwhile, they've deleted the post that explained the original distribution plan.

Most members of the DAO today were not affected by the attack, and so stand to benefit from not honoring the payout. One voting option suggests that these users "had their chance" to cash out their USDR, apparently ignoring that people were holding out for the promised 110% redemption.

Some whistleblowers have also claimed that team members have recently moved large quantities of DAO tokens to various wallets to vote. Some have also claimed that those team members recommended buying USDR tokens several months ago for below $1.10, as a safe arbitrage opportunity when they became redeemable for that amount.

Blu3DAO faces claims that they've misused grant money to benefit founders

Blu3DAO is a DAO that describes itself as "focused on empowering women, non-binary people, and allies to learn, earn, and play in web3 towards financial freedom". The group was the target of some negative attention two days prior, after an incident in which several members of Blu3 leadership accused a man of harassment at the Devcon Ethereum conference.

On October 11, a crypto developer advocate wrote a thread about the group, starting by saying "Most of the members of Blu3DAO are great people working towards a good cause. Despite this, there have been things around their finances that I personally have found questionable. I've refrained from calling them out & it's something that has bothered me for a long time". She went on to allege that the group had solicited over $1 million in grant money from the Harmony community, misusing a personal relationship with a member of Harmony to continue to obtain grant funding while the group had paused grant allocations, and using funds to personally benefit the founders.

"I run an organization dedicated to advancing womens & nb ppls careers. And this type of grifting only hurts everyone," wrote the developer advocate in her Twitter thread. She also wrote, "In the coming days they'll post some fraudulent report clearing them from wrongdoing. They're running an elaborate scam with many wallets. One of them is literally married to a decision maker at harmony. Lmaooo. Fuck the[m] scammers"

Blu3DAO's founders responded to the allegations by claiming that they had only ever received $75,000 of the $1 million they were committed by Harmony, and that the funds were still in the DAO treasury. They also claimed that the Blu3 DAO members were never paid for their work, and that the money from Harmony was "flow-through reimbursements for scholars/hackers' travel expenses".

Harassment accusation at Ethereum conference triggers wave of online misogyny and racism

A Black woman attending the major Devcon Ethereum community event in Bogotá posted to Twitter a photograph of a man at the conference, writing, "Day 1 of Devcon and a group of us women got harassed by a gross guy! What did the Ethereum Foundation team do? Smiled and chatted with him for 10 minutes and let him go on his way! I feel horribly unsafe at this event. 👎 Take women seriously when they report harassment." Blu3DAO, a DAO with which she is associated and which describes its mission as "empowering women, non-binary people, and allies to learn, earn, and play in web3 towards financial freedom", later also tweeted that "we would like to formally address & acknowledge that an incident has occurred at Devcon", referencing the claim.

The man in the photo subsequently tweeted his version of events, in which he described encouraging the woman and her friends to jump up while taking a 3D photograph, and then gave them a thumbs-down gesture when they reacted in annoyance to him. He then claimed that they harassed him throughout the conference, by stalking him throughout the conference and posting his photo online with vague allegations of harassment.

The woman later elaborated on the event that had precipitated her report to Devcon staff, saying the man had been "verbally boo'ing and taunting us" at the photo booth.

It's a little unclear what actually happened at the event and who is at fault, something I don't intend to speculate on as a complete outsider. However, what's not unclear is the reaction from some people in the crypto community, who have used the incident (and their belief that the woman fabricated the harassment story) as evidence that all women, people of color, and "wokeness" are a blight on the crypto space. Various crypto enthusiasts have used the opportunity to denigrate what they view as a general issue of "feminazis", "purple hairs", or "SJWs" in crypto, and DAOs that aim to encourage gender minorities to engage with crypto. "Letting SJWs infiltrate into crypto was a huge mistake", wrote one person. "This is the woke crowd we didn't have to deal with last cycle. They came into crypto with their distorted vision of everything. [Crypto Twitter] got your back, mate."

Bittrex fined $29 million for sanctions violations

The U.S. Treasury Department announced fines against Bittrex, a U.S.-based cryptocurrency exchange. The Office of Foreign Assets Control (OFAC) announced a $24 million penalty against the company, and the Financial Crimes Enforcement Network (FinCEN) announced a $29 million fine. Both groups form parts of the Treasury Department. FinCEN said it would credit the fine to be paid to OFAC towards the total fine they imposed, meaning Bittrex will pay $29 million in total. According to the Treasury Department, the fines are the largest they've ever imposed on a virtual currency platform.

The OFAC sanction was imposed due to 116,421 reported sanctions violations in which Bittrex failed to prevent people in Crimea, Cuba, Iran, Sudan, and Syria from using their service. In total, these prohibited individuals performed more than $263 million in transactions on the platform.

The FinCEN fine was imposed due to "willful violations" of the Bank Secrecy Act's requirements pertaining to anti-money laundering (AML) and suspicious activity reports.

Mango Markets suffers loss of more than $116 million

Mango Markets, a Solana-based defi project offering borrowing, lending, and leverage trading, was exploited for $116 million. An attacker manipulated the supposed value of their collateral on the platform, allowing them to take out massive loans from the project treasury that they never repaid. In total, they stole around $116 million worth of Solana tokens. However, only a few exchanges have sufficient liquidity to support exchanging or withdrawing that quantity of tokens, and those exchanges (Coinbase, Binance, and Kraken) froze the attacker's wallets.

Mango Markets posted on Twitter to urge users not to deposit into the project, and asked the hacker to contact them "to discuss a bug bounty". The hacker had their own plans, instead submitting a governance proposal in which they would return $46 million of the stolen funds (keeping $70 million) in exchange for a promise that the protocol would not try to freeze the assets or pursue criminal charges. The hacker then used their 32 million governance tokens to vote in support, but ultimately were not able to get the proposal to pass. A different proposal with largely the same terms, but which left the attacker with only $47 million of the stolen funds, passed shortly after.

QANX Bridge suffers $1.16 million loss caused by the Profanity vanity address vulnerability

On September 15, a blockchain security firm disclosed a vulnerability affecting Profanity, a tool that allowed people to generate "vanity" crypto wallet addresses: addresses containing specified strings of characters. This affected some individuals with vanity addresses, but has also enabled subsequent attacks on projects that used vanity addresses, such as the Wintermute exploit on September 20.

On October 11, the QANX Bridge's deployer wallet was compromised thanks to the vanity address generator bug. Although QAN had not directly used the Profanity project to generate the address, they used a project called vanity-eth-gpu, which had derived its code from Profanity and so inherited the bug. QAN is a layer 1 blockchain that claims to be quantum-resistant.

The thief stole 1.44 billion QANX from QANX's BNB Chain bridge, which they traded for 3,090 BNB (~$837,000) and tumbled through Tornado Cash. One minute later, they drained 1.43 billion QANX from QANX's Ethereum bridge, traded it for 255.4 ETH (~$327,000), and tumbled it as well. In total, $1.16 million was cashed out via Tornado. News of the attack, and the attacker's sell-off, caused the QANX price to plummet by 94%.

The attacker still holds more than 1 million QANX, nominally worth $608,000. However, QAN withdrew liquidity for the project on Uniswap and Pancakeswap, which will make it more difficult for the attacker to sell off their remaining tokens.

This was the second theft affecting the QAN platform this year. In May, an attacker stole 4.4 million QANX, which they traded for 370 ETH (valued at ~$707,000 at the time).

Rabby Wallet's swap feature exploited a month after launch

Rabby Swap, a feature of the Rabby crypto wallet, was exploited a month after it was first rolled out. An attacker discovered an apparent vulnerability in the Rabby Swap smart contract that enabled them to arbitrarily transfer other users' funds. Rabby urged its users to revoke approvals for the contracts across multiple chains.

The attack impacted assets on multiple chains. The attacker tumbled 114 ETH (~$146,000) through Tornado Cash shortly after the hack, along with 179 BNB (~$48,500). The full extent of the attack is still being measured. The buggy contract that enabled the attack had been audited by blockchain security firm PeckShield, but the vulnerability had apparently gone undetected.

CNN accused of rug pull after ditching their Vault NFT project

In June 2021, CNN launched "Vault": a project to "make moments from history available for purchase". The project involved minting as NFTs various clips of CNN footage and photographs from their archives, such as CNN's predictions that Bush and Obama would win their presidential elections, or "War Notes": a series of photos and accompanying handwritten notes from Ukrainians impacted by the Russian war on Ukraine. On October 11, CNN announced they would "no longer be developing or maintaining this [Vault] community".

Although CNN claimed in their shutdown announcement that "Vault was originally launched as a 6-week experiment", CNN had not mentioned that the project was an experiment that was expected to possibly end. As recently as last month, Vault had been teasing upcoming events scheduled around election day in November, and encouraging users to buy more Vault NFTs to access the upcoming drops.

As an apparent attempt to placate angry users worried that the value of their NFTs might drop, CNN promised to return "either FLOW tokens or stablecoins" for "roughly 20% of the original mint price". However, the project is built on the Flow blockchain, where users can only withdraw stablecoins $10 at a time — and with a $4 fee on each withdrawal. Some angry users in the project's Discord channel threatened legal action, claiming that CNN had rug pulled.

STAX Finance exploited for $2.3 million

A hacker discovered a vulnerability in the smart contract for the STAX project, which is built on the TempleDAO defi protocol. STAX is a liquidity provider for $TEMPLE/$FRAX.

Poor access control on a function in the smart contract allowed them to withdraw 321,155 xLP tokens, which they subsequently converted to 1,831 ETH (approximately $2.34 million).

This amount represents about 4% of the assets in the TempleDAO protocol. STAX replaced its homepage with a "disclaimer" about the hack, took down the project's dApp, and urged people not to deposit into the STAX contracts.

U.S. SEC is investigating Bored Apes creator Yuga Labs

An illustration of a bright pink ape, wearing a captain's hat, with heart-shaped sunglasses, with eyes on its neck, and a gold jacket and chainBored Ape #648 (attribution)
According to a scoop in Bloomberg, the United States Securities and Exchange Commission has been probing whether NFTs from Yuga Labs should be considered securities regulations, and may be in violation of federal law.

Yuga Labs is the company behind the Bored Apes NFTs and spinoff projects (Mutant Apes, and Bored Ape Kennel Club), and in March also acquired the blue-chip NFT collections CryptoPunks and Meebits.

A probe does not necessarily mean that Yuga has violated the law, but such an investigation could have major ramifications for the world of NFTs.

Blockwater Technologies is insolvent

Blockwater Technologies, a crypto investment firm based in South Korea, missed a payment on their $3.4 million loan from TrueFi, a decentralized borrowing platform. According to TrueFi, the group had previously amended their loan to extend the loan period and increase the borrowing rate, but were still unable to meet their required payment. TrueFi wrote that they intended to undergo a "court-supervised administrative proceeding", a route they said they chose due to "the complexity around the sudden insolvency".

TrueFi claims the default is not a major risk to them, making up 2% of the platform's total value outstanding. They announced that the loan was "currently in an active restructuring to maximize recovery for affected BUSD lenders".

NFT collector loses Bored Apes he bought for nearly $2 million in two consecutive scams

An illustration of an ape with pink fur and an angel halo. The ape's eyes are closed and its mouth is open. It's wearing no shirt, and has a silver stud earring.BAYC #2951 (attribution)
In an incredible display of misfortune and perhaps ineptitude, an NFT collector was scammed out of a Bored Ape and then scammed out of six more Bored Apes when he tried to revoke the permissions he'd granted for the first scam.

NFT trader Laszlo_btc went to swap his Bored Ape #8274 for another Bored Ape after reaching a deal with someone he met on Discord. He opened up Sudoswap to do the swap, but was tricked into trading his pricey NFT for a worthless NFT that was disguised to look like a Bored Ape. This is how Laszlo was scammed out of his first Bored Ape, which he'd only purchased three days prior, for 80 ETH (~$108,000). The scammer quickly flipped the NFT for around 70 ETH (~$92,000).

Realizing he'd been scammed, Laszlo went to revoke the permissions he'd granted in case he'd opened himself up to other thefts. However, instead of using the real permission revocation service Revoke.cash, he ended up using a phishing site: Revokecash.net. Only fifteen minutes after the first theft, six more Bored Apes were transferred out of his wallet.

Altogether, Laszlo had paid over $1.9 million for the collection of seven apes, which he purchased between January and October 2022. The priciest was Bored Ape #2951, which he bought for 173 ETH on May 1 — at the time, $490,000. The two sets of scammers quickly flipped all the NFTs, selling them for a total of $608,000.

CoinDesk reports that Decentraland has just 38 daily active users

A 3D virtual world with various logos on buildings. An avatar of a woman stands alone in the foregroundDecentraland (attribution)
According to CoinDesk, the metaverse platform Decentraland is entertaining roughly 38 users a day these days. This isn't much for its "valuation" of $1.3 billion — although CoinDesk seems to be estimating this on "market cap". Its competitor, the Sandbox (also "valued" at around $1.3 billion), is doing a bit better — with a whopping 522 daily active users.

Not only that, the most users Decentraland has ever had in one day is only 675; The Sandbox had 4,503 at one point.

Celsius exposes the names of all customers and their recent transactions in court filing – including their execs

Celsius Network is undergoing bankruptcy proceedings after its impressive implosion earlier this year. The company's latest court filing is 14,532 pages long — because it contains the names and recent transactions of every user on the platform. Although the judge allowed Celsius to redact individuals' home and email addresses, the names and details of recent transactions are all publicly available — much to some users' horror.

Among those listed in the court filing were Alex Mashinsky, his wife Krissy, and various other executives. The records show that Mashinsky withdrew $10 million from Celsius shortly before the company's collapse, and his wife withdrew another $2 million. Chief Strategy Officer Daniel Leon also withdrew $7 million.

Binance Smart Chain halts after $570 million bridge exploit

Binance Smart Chain, the relatively popular blockchain that Binance is trying to rebrand as "BNB Chain", was halted when an attacker exploited "BSC Token Hub", the bridge between the old Binance Beacon Chain and BSC. The attacker successfully moved around $127 million of the stolen crypto assets off the chain before it was paused. The attacker's wallet contained 2 million BNB, valued at $586 million based on the price at the time of the hack, but as a result of the chain halt, they were not able to exfiltrate the entire amount.

Binance CEO Changpeng Zhao ("CZ") tweeted that "An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC." A BSC developer later confirmed that "we coordinated with validators to temporarily suspend BSC after having determined an exploit on a cross-chain bridge, BSC Token Hub- which resulted in extra BNB". The value of the $BNB token dropped from $293.10 to $280.40 after the news.

The chain operators and CZ seemed to feel a little awkward about the ramifications of unilaterally deciding to halt a supposedly decentralized blockchain. CZ claimed he was asleep and that the chain had already been halted by the time he woke up. The BSC team published a blog post saying that "Decentralized chains are not designed to be stopped, but by contacting community validators one by one, we were able to stop the incident from spreading. It was not that easy as BNB Smart Chain has 26 active validators at present and 44 in total in different time zones. This delayed closure, but we were able to minimize the loss." They also promised to try to decentralize the project even further going forward.

South Korea reportedly freezes $39.6 million in crypto belonging to Terra founder Do Kwon, Kwon says it isn't his

South Korean prosecutors have reportedly frozen $39.6 million in crypto assets belonging to Do Kwon, the founder of Terraform Labs and creator of the failed Terra blockchain project. South Korea had also previously issued a warrant for his arrest.

Kwon claims that the report is a "falsehood", and "I don't know whose funds they've frozen". This joins his other claims, such as that he is "not 'on the run' or anything similar" (he is), and that Interpol didn't issue a red notice for him (they have).

Zcash continues to suffer from spam attack that started months ago

Zcash is a privacycoin which, unlike popular blockchains like Bitcoin and Ethereum, allows users to obscure who they are sending money to and how much. Since June or July, the network has been suffering from a spam attack in which attackers have been submitting massive transactions that quickly fill up block space. The chain has exploded in size, nearly tripling to more than 100GB since the attack began. Unlike other chains which are prohibitively expensive to attack, each spammed transaction costs less than a cent, and the attacker is estimated to be spending roughly $10 a day to execute the attack.

More than $1.1 million stolen from Sovryn defi protocol

Bitcoin-based defi protocol, Sovryn, lost $1 million to a price manipulation attack. An exploiter was able to use the project's legacy lend and borrow functionality to maliciously withdraw 44.93 RBTC (~$915,000) and 211,045 USDT.

According to the protocol, their developers "were able to identify and recover funds as the attacker was attempting to withdraw the funds". They have also announced that Exchequer, the project's treasury committee, would "reinject" the remaining stolen funds.

Buyer and seller of hacked account logins busted for $1 million tax fraud

A Floridian who was in the business of buying and selling hacked account logins on the dark web was busted for attempted income tax evasion when he tried to hide more than $1 million in crypto earnings from the IRS in 2014–2017. Despite using services like cryptocurrency mixers (or "tumblers"), the man was unable to successfully hide the money from the IRS. He faces up to five years in prison for the tax fraud. Remember, folks, always make sure to report your ill-gotten profits to the IRS!

Kim Kardashian pays $1.26 million fine for promoting a cryptocurrency without sufficient disclosure

Instagram story post from Kim Kardashian, which reads "Are you guys into crypto???? This is not financial advice but sharing what my friends just told me about the Ethereum Max token! A few minutes ago Ethereum Max burned 400 trillion tokens—literally 50% of their admin wallet giving back to the entire E-Max community. SWIPE UP"Kim Kardashian's Instagram post (attribution)
Kim Kardashian agreed to settle with the SEC over allegations that she had promoted a "crypto asset security" without disclosing how much she had been paid, or when. In June 2021, Kardashian posted an ad to her Instagram story where she claimed that she was "sharing what my friends just told me about the Ethereum Max token". Although she did include "#ad" in the post, she did not disclose to her 251 million followers that she was being paid $250,000 to post it — a requirement if they decide to post ads pertaining to securities investments. She will pay $1.26 million in the settlement.

SEC Chair Gary Gensler said, "Ms. Kardashian's case also serves as a reminder to celebrities and others that the law requires them to disclose to the public when and how much they are paid to promote investing in securities".

Kardashian is also named in an ongoing class action lawsuit pertaining to the EthereumMax project, along with Floyd Mayweather and Paul Pierce.

Coinbase experiences major outage related to U.S. bank accounts

The largest crypto exchange in the U.S., Coinbase, suffered a six-hour-long outage in which they couldn't take payments or make withdrawals involving U.S. bank accounts. They later narrowed down the problem to an issue creating ACH transfers, and tweeted "rest assured, your funds are safe". Six hours later, the company marked the incident as resolved.

Transit Swap hacked for $21 million, hacker returns large portion

Transit Swap is a multi-chain decentralized exchange aggregator. Users of the project were collectively exploited for approximately $21 million when an attacker took advantage of a bug in the project's smart contract that allows arbitrary external calls. The attacker used this vulnerability to steal tokens that had been approved for swap by Transit Swap users. Amusingly, the hacker lost about $1 million of their ill-gotten funds to a MEV bot that was able to successfully front-run the swap.

Multiple cryptocurrency security companies collaborated to investigate the hack shortly after it occurred. Transit Swap announced that "through the joint efforts of the SlowMist security team, the Bitrace security team, the PeckShield security team, the TokenPocket team and the TransitFinance technical team, we now have a lot of valid information such as hacker's IP, email address, and associated on-chain addresses." They subsequently announced that the attacker had returned around 70% of the stolen funds ($14–$15 million).

NFT trading fantasy league emerges to provide traders with the "sweet adrenaline" of flipping NFTs that they're missing in the bear market

"Most of us are too poor to be spending the [ether] we have left on huge sweeps, but we still want that sweet adrenaline rush of flipping JPEGs" said Brian Krogsgard, co-founder of the Flip NFT platform, in a statement you would think might have raised a red flag or two in his own mind. Evidently NFT traders are now being pitched NFT trading fantasy leagues, where they will be able to paper trade NFTs without risking their real-life fake money. Unfortunately for the traders, the app uses actual NFT price data, so the huge NFT project bull runs that some traders experienced during the NFT mania of 2021 will likely not emerge here, either.

One misconfigured node apparently takes the entire Solana network offline

In the latest illustration of our marvelous new decentralized, resilient blockchain future, one single Solana node apparently was able to take down the entire Solana network. Solana outages are nothing new, and tend to end (as this one did) with Solana issuing instructions to the people who run their validators, asking them all to turn them off and on again.

A validator operator reported that "It appears a misconfigured node caused an unrecoverable partition in the network." It's a bit startling that, in a supposedly decentralized network, one single node can bring the entire network offline.

Elon Musk's texts reveal his ideas for a blockchain-based Twitter

Texts exposed in the discovery process during the Elon Musk v. Twitter lawsuit have exposed not just a number of high-profile people embarrassingly simping for Musk, but also Musk's ideas about Twitter-but-on-the-blockchain.

In a text sent to his brother, Musk wrote, "I have an idea for a blockchain social media system that does both payments and short text messages/links like twitter. You have to pay a tiny amount to register your message on the chain, which will cut out the vast majority of spam and bots. There is no throat to choke, so free speech is guaranteed." In another message, to the president of his Boring Company, Musk narrowed in on an amount: 0.1 Doge per tweet or retweet. At today's prices, at 0.1 Doge per tweet, 1¢ would buy you about 160 tweets.

Musk's idea that there is some magical amount of money that ordinary people are willing to pay to send out a tweet or a retweet, but that spammers are not willing to pay to spam, seems preposterous. And given that "free speech is guaranteed" and blockchains are immutable, he would really need to hope that he finds this amount, because otherwise there's going to be a lot of spam permanently stored on Web3 Twitter.

As with many of Musk's ideas, the idea for a blockchain-based "free speech" social network is not new. On one of the more popular such services, BitClout, the home page shows posts such as "are there actually real ppl here, or only 'marketing' and ai-generated art?" It costs $0.01 to create a profile or to begin a tutorial on how to use the site. Out of the list of ten top-ranked creators on the site, the top two (Elon Musk and Naval Ravikant) haven't even signed up yet, and another five haven't posted in months.

Musk appeared to later toss out his blockchain social network idea, though not for spam reasons: "Blockchain twitter isn't possible, as the bandwidth and latency requirements cannot be supported by a peer to peer network, unless those 'peers' are absolutely gigantic, thus defeating the purpose of a decentralised network".

MEV bot earns over $1 million in profit, loses almost $1.5 million in hack an hour later

MEV bots are a controversial category of bots who frontrun transactions in ways that are often detrimental to users. One such bot, known as 0xbadc0de, earned a windfall when a trader tried to sell 1.8 million cUSDC (USDC on the Compound protocol) — notionally worth $1.85 million — but only received $500 in assets in return due to low liquidity. The MEV bot, however, profited 800 ETH (~$1 million) from arbitrage trades surrounding the sale.

One hour later, a hacker exploited a vulnerability in the bad code of 0xbadc0de, which allowed them to withdraw all of the ETH in the contract: not just the ETH they'd recently earned in the huge trade, but all 1,101 ETH (~$1.5 million).

The bot operator subsequently sent a message to the thief via an Ethereum transaction, writing that if the thief returned the funds, they would give them 20% as a "bounty". Otherwise, they wrote, "we will have no choice but to pursue accordingly with everything in our power with the appropriate authorities to retrieve our funds". The thief replied by mimicking the message, writing, "What about normal people who you have mev'ed and literally fucked them? Will you return them?" and suggesting that if they returned all of the funds they'd extracted, the thief would pay them 1%.

Someone claims to have burned a Frida Kahlo drawing to "transition it into the Metaverse" as NFTs

a ghostly figure with enormous eyes intertwined with a giant fish, a broom, duck, bird, and other creatures against a green backdrop, with the phrase “Here are the sinister ghosts” scrawled across it.Fantasmones Siniestros (Sinister Ghosts) (attribution)
A businessman has published a video in which he burns a drawing that he claims is an original Frida Kahlo drawing worth more than $10 million — though its value and its authenticity have both been questioned. The entrepreneur created 10,000 NFTs from the drawing, which he's selling for 3 ETH (~$4,000) (reduced from the original 3.5 ETH/$4,700) for a hoped total of $40 million. He claims that in burning the artwork, he has "transitioned [it] into the Metaverse".

So far, the stunt has resulted in two NFTs being minted by outside parties, for total proceeds of 7 ETH (~$9,400) —  not quite the millions the drawing allegedly cost the NFT project creator. Meanwhile, Mexican authorities have said they are investigating whether the businessman committed a crime in intentionally damaging an artistic monument.

Crypto executive exodus continues

The wave of crypto executives stepping down from their roles is continuing, after Genesis' CEO left the company and Michael Saylor gave up his CEO title (but stayed on as chairman) in August.

Now, Genesis' managing director has stepped down after five years. Kraken CEO Jesse Powell relinquished his title, planning to remain at the firm as a chairman. Alex Mashinsky has resigned as the CEO of Celsius Network in the midst of bankruptcy proceedings. And FTX US president Brett Harrison will also be stepping down.