White Hat Hacker Chooses $2 Million Bug Bounty over ‘Printing Unlimited ETH’

A white hat hacker recently discovered a critical security bug on Optimism – a layer-2 scaling solution on Ethereum – that could have allowed him to exploit a set of smart contracts to print an unlimited amount of Ether (ETH). Instead, the hacker reported the issue to the Optimism team, who rewarded him with US$2 million for discovering the bug.

Jay Freeman, a software engineer who goes by the online handle of Saurik, discovered the bug on the project’s fork of Geth (Go Ethereum) – a popular standalone implementation for Ethereum-based protocols.

The Optimism team admitted in a blog post that the bug had been previously triggered by an Etherscan employee, and that it had gone unnoticed.

Analysis of Optimism’s chain history showed that the bug was not exploited. A fix for the issue was tested and deployed to Optimism’s Kovan and Mainnet networks (including all infrastructure providers) within hours of confirmation.

Optimism blog post

Freeman provided an in-depth insight into the discovery in a separate blog post. “Exploiting this bug enables the attacker to have access to an effectively unbounded number of tokens,” he said.

White Hat Hacker Saves the Day

White hat hacker is the term for ethical hackers who use their skills to identify security issues in hardware or software networks instead of exploiting them.

The Optimism community praised Freeman for his detective work and for not taking advantage of a situation that could have spelled disaster for the platform.

While the DeFi community is filled with malicious actors waiting for their opportunity to attack, there are also numerous examples of white hat hackers working towards the greater good of the community.

Decentralised exchange SushiSwap, for example, would have almost gone dark were it not for the collective effort of a group of white hat hackers who prevented a potential US$350 million heist.

In December, popular Ethereum-based layer 2 scaling solution Polygon rescued all of its MATIC tokens – worth around US$24 billion – thanks to a white hat hacker who had discovered a security bug on the protocol, leading to a hard fork on the Polygon sidechain.

DEX Token ‘Injective Protocol’ Soars 100% on Futures Listing Announcement

The utility and governance token for the DEX Injective Protocol (ticker symbol INJ) rallied more than 100 percent in a single day last week following the February 9 listing of Cosmos (ATOM) perpetual futures on the platform. 

Injective Protocol is a decentralised exchange that offers a variety of financial products usually associated with centralised exchanges, such as margin trading, derivatives trading and other exotic assets. The platform also features cross-chain trading, supporting assets across the Ethereum, BSC and Cosmos networks.

The price of INJ exploded from the upper US$3 range in early February to a high of US$10.08 on February 11 following the listing of ATOM perpetual futures. At the same time, its 24-hour trading volume spiked 1,756 percent to a high of US$306 million.

ATOM Listing a First for a DEX Platform

This listing by Injective Protocol is the first time ATOM perpetual futures have been listed on a decentralised exchange, marking a significant milestone for the platform.

It builds on a string of recent positive developments for Injective Protocol, including the listing of Cosmos-based project Chihuahua (HUAHUA) and the release of Injective Bridge V2 in January, which drastically improved users’ experience.

In the days since its rally, INJ has backtracked somewhat and is now trading in the low US$6 range.

The growth of more exotic financial products on DEXs is part of a larger trend in crypto as the industry seeks to expand into a more diverse range of investment classes, such as the tokenisation of real estate.

Aave Devs Launch ‘Lens Protocol’ to Power Decentralised Social Media Platform

Aave, one of the top decentralised finance (DeFi) platforms, has officially launched its new decentralised social network built on the eco-friendly Polygon blockchain.

After collecting 10,000 signatures in an open letter, Aave decided to pick up the mantle to develop a Web3 native social media platform. CEO and founder Stani Kulechov hinted at designing a Web3 social graph project at LisCon 2021, and it seems the project has now come to fruition.

Lens protocol logo. Source: lensprotocol.eth

Named Lens Protocol, the social graph is described as a “permissionless, composable and decentralised social graph that makes building a Web3 social platform easy”. A social graph is a model or representation of a social network, and has been referred to as “the global mapping of everybody and how they’re related”.

With Web 3.0 being the ownership upgrade of the internet, the platform seeks to solve many of the issues users face with current social network services. Meta, for example, has come under investigation for allowing crypto scam ads.

Unlike social media platforms of the past, Lens Protocol and its content are powered by dynamic NFTs, giving the power and control over content directly to the users, allowing for native content monetisation.

Lens Protocol

Using NFTs to Control and Own Your Content

One of the major selling points of Lens Protocol is that unlike traditional social media, users will have complete control over their content through the use of NFTs. NFTs are the catalyst driving this project:

Profile NFTs are the main primitive of the Lens Protocol. These dynamic NFTs are composable, non-custodial and permissionless. Individual addresses can own profile NFTs, an address can have multiple profile NFTs, and a profile NFT can be owned and run by a DAO via a multisig wallet.

Lens Protocol

The mirror function is an added feature of the social network where resharing a post could actually land users a cut, or “mirror-fee”, from any user who collects original content through the share, almost like built-in affiliate marketing.

As Kulechov told Decrypt, “We believe that content creators should own their audiences in a permissionless fashion, where anyone can build new user experiences by using the same on-chain social graph and data”, adding that “Twitter makes all the revenue from your tweets and the content you share, and Twitter decides which of your tweets get traction through the algorithm”.

According to the project’s official Twitter account, Lens is live on the Polygon Mumbai testnet, with plans for an alpha mainnet launch in the pipeline.

Polygon DeFi Protocol ‘QiDao’ Exploited for $13 Million

Another day, another DeFi hack. This time the target was QiDao’s Superfluid vesting contract. User funds on QiDao contracts remain safe, as the exploit was “solely on Superfluid”, the Polygon-based DeFi protocol tweeted on February 8.

The QiDao protocol allows users to borrow stablecoins against their crypto holdings at zero percent interest. Hackers were able to get away with more than US$13 million in various tokens including QI, WETH, USDC, SDT, MOCA, STACK, sdam3CRV, and MATIC. Rumour has it the stolen funds included team-vested tokens and might have belonged to some of the early backers of the project.

Dump Leads to 65% Price Plunge

The hackers behind the attack started dumping stolen QiDao tokens on the QuickSwap decentralised exchange with high slippage, leading to a 65 percent decline in the price of the governance token.

The QiDao chart felt the pain as the price took a steep nosedive, dropping 68.05 percent in minutes, as reported by @PeckShieldAlert. According to CoinGecko, QI dropped sharply from US$1.24 to $0.18. Impressively, investors bought the dip and the price recovered to $0.80 by press time.

Qi price dip and recovery. Source: CoinGecko

On February 1, Crypto News Australia reported that Qubit Finance had suffered a US$80 million loss in a protocol exploit. With the world of DeFi still in the early stages of development, hacks such as this are common news.

Tron’s Justin Sun Accused of Governance Attack on DeFi Lender ‘Compound’

Billionaire Tron founder Justin Sun has been fingered for taking part in a “governance attack” scheme involving lender Compound Finance.

According to a tweet from crypto think tank GFX Labs, Sun’s wallet borrowed 99,000 COMP tokens worth over US$13 million last week, later sending 102,000 tokens to Binance.

Later, an address that received US$9 million worth of COMP tokens from Binance proposed adding TUSD (TrueUSD) as collateral to allow Compound users to take out loans against their TUSD holdings.

On-chain governance of DeFi protocols is often token-weighted, and while one GFX representative classified Sun’s loan as a “governance attack”, there is nothing to stop users from taking out loans to vote on proposals they back.

Sun Defends His Actions

While it’s impossible to verify that the proposal address belongs to Sun, he felt compelled to defend his actions in any case.

In December, Sun resigned his CEO position at the Tron Foundation to become Ambassador to the Grenadian Government, seeking to expand blockchain adoption on its behalf. At the time he said he would remain involved with the Tron community since the network had been officially decentralised.

A year ago, Sun was caught shilling the TRX token, attempting to inveigle a popular YouTuber and influencer to promote the crypto on his social channels.

ETH Sidechain ‘Meter.io’ Hacked for $4.4 Million

Blockchain infrastructure company Meter.io has confirmed that US$4.4 million was stolen in an attack on its network on February 6 and has since urged users not to trade unbacked meterBNB circulating on the Moonriver parachain. Meter added in a tweet that it is working to compensate affected users.

What Went Wrong?

Meter explained that the contract did not handle wrapped tokens correctly. A bug introduced in the automatic wrapping of native tokens like BNB and ETH, which the Meter team had added as an extension, allowed the hacker to fake BNB and ETH transfers by “calling the underlying ERC20 deposit function”.

Blockchain security company PeckShield reported that 1391 ETH and 2.74 BTC were stolen during the incident. Both the Meter network and the Moonriver network were affected by the hack.

A user named @ishwinder provided a full explanation of the hack on Twitter.

Hacks on DeFi and blockchain platforms have become a regular occurrence. Just last month, Crypto News Australia reported that Grim Finance had been hacked for US$30 million in Fantom tokens.

Giant DeFi Bailout as Jump Capital Replenishes Wormhole’s 120,000 Lost ETH

Earlier this week, we saw one of the most devastating DeFi (decentralised finance) hacks on record with an estimated US$326 million stolen from blockchain bridge Wormhole. In a remarkable turn of events, Chicago-based venture capital fund Jump Capital came to the rescue to the tune of 120,000 ETH.

A Hack with a Happy Ending

DeFi exploits and hacks don’t typically end well, as was the case with December’s MonoX Finance saga, in which US$31 million was stolen. However, in the case of Wormhole, things seemed to have turned out okay.

While the team has yet to provide a detailed report, something expected in these types of situations, Wormhole has indicated that the vulnerability has been fixed.

While the Wormhole network went down for maintenance during the investigation, the team has now confirmed it is back up and running and that all funds have been replenished.

Responses from the community were mixed, to say the least. Some were incredibly appreciative.

Others were less so, pointing to the lack of transparency.

Wormhole initially offered a US$10 million bounty to the hacker; however, the current status of the negotiations remains unclear.

DeFi With a Backstop … Contradiction in Terms?

It’s not surprising that the community is somewhat divided on Jump Capital stepping in because … wasn’t the whole purpose of DeFi to disintermediate rent-seeking middlemen and “decentralise” power away from banks and financial institutions? Isn’t DeFi supposed to be a free market, absent of manipulation, bailouts, subsidies, and zombie companies that characterise the modern financial system?

Admittedly if you happened to be a beneficiary of Jump Capital’s bailout, you’d be excited by the prospect of deep-pocketed venture capitalists coming to save the day.

Despite bailouts being inherently incongruent with DeFi principles, the more interesting question is: who would spend 120,000 ETH without some serious skin in the game? Clearly, someone who stands to gain far more by throwing in another US$331 million (120,000 ETH).

Perhaps Jack Dorsey was on to something when he said that Web 3.0 was a venture capitalist’s playground.

Blockchain Bridge ‘Wormhole’ Suffers Possible $326 Million Exploit

Wormhole, the popular blockchain bridge for connecting Ethereum, Solana and others, has suffered a possible hack worth over US$326 million and is now attempting to negotiate on-chain with the hacker.

120,000 ETH Currently in Hacker’s Address

The team at Wormhole has reached out to the exploiter’s address on the Ethereum network and offered a US$10 million bounty for returning the money.

In a tweet, Wormhole confirmed that the bridge was down while the team investigated a potential exploit. The bridge’s official website simply reads: “Portal is temporarily unavailable”.

The hack was identified when on-chain analysts called attention to an 80,000 ETH transaction from Wormhole to an address currently also in possession of over US$250 million worth of ETH. According to the developer, the hacker also kept 40,000 ETH on Solana, where they have been selling it for other assets.

In a tweet, prominent pseudonymous Paradigm security researcher “samczsun” confirmed that the Wormhole team had offered the hacker(s) a bounty for returning the stolen funds.

Exploit Sounds Alarm in the DeFi World

The exploit has caused alarm in DeFi circles because it means Ethereum that has been bridged to Solana may be unbacked. Cross-blockchain bridges often take assets, such as Ethereum, and lock them in a contract to issue a parallel asset on the bridge’s chain.

Massive Exploits Continue to Plague the Industry

Earlier this month, decentralised lending platform Qubit Finance suffered a hack of its smart contract governing deposits on the Ethereum-Binance Smart Chain bridge, losing 206,809 BSC in the biggest hack of the year so far. Last October, CREAM Finance was exploited for a third time during 2021 for a whopping US$130 million.

$20 Billion Fund Suggests Ethereum Could 75x in Next 10 Years

In the newest edition of its Big Ideas Report, Cathie Wood’s Ark Invest has predicted that Ethereum (ETH), the world’s most in-demand blockchain, could have a market capitalisation of US$20 trillion in the next 10 years, suggesting the price could 75x to reach US$180,000 for a single ether.

2021 – The Year of Ethereum

ETH achieved major milestones in 2021 including capturing US$10 billion in transaction fees from the network. ETH also surpassed Stripe into second position in global transactions by dollar value in 2021. In 2021, the network underwent an upgrade called “London EIP-1559” which changed the way ETH fees worked and which has brought up issues of supply issuance. As it stands, crypto “whales” hold 43.7 percent of ETH, but it could become more attractive to them should a restricted supply issuance be ongoing.

Ark Invest is bullish on ETH and has high hopes for the platform, saying that it stands to benefit greatly from the rise in DeFi (decentralised finance) and NFTs (non-fungible tokens) given that it serves as the main ecosystem for both sectors. Since ETH is the “preferred collateral” in DeFi, Ark Invest believes that the platform could reach a market cap of US$20 trillion in the next 10 years, suggesting a price of roughly US$180,000.

The Big Ideas Report noted that:

According to our research, Ethereum could displace many traditional financial services, and its native token, ether, could compete as global money. As financial services move on-chain, decentralised networks are likely to take share from existing financial intermediaries.

Big Ideas Report, Ark Invest

It added:

“The beneficiaries of this shift include Ethereum, the base protocol, and DeFi, the decentralised applications built on top of Ethereum. As the preferred collateral in DeFi and the unit of account in NFT marketplaces, ether (ETH) has the potential to capture a portion of the US$123 trillion in global M2.”

Forecast of ETH market cap opportunities. Source: Ark Invest

To find out more about the exciting developments involving ETH, Crypto News Australia has published a helpful guide on the best Ethereum Layer 2 projects worth looking out for.

Qubit Finance Suffers $80 Million Loss in Protocol Exploit

Decentralised lending platform Qubit Finance has suffered an exploit of its smart contract governing deposits on the Ethereum-Binance Smart Chain (BSC) bridge, losing 206,809 Binance Coin (BNB) in the biggest hack of the year so far.

Qubit’s losses were estimated at US$80 million on January 27, according to security firm PeckShield. According to Qubit’s own exploit report, the hacker(s) took advantage of a logical error in the code which allowed them to maliciously withdraw tokens from the Binance Smart Chain bridge without depositing Ethereum (ETH).

Even though the contract had zero ETH deposited into it, the attacker’s address had access to 77,162 qXETH (worth US$185 million) to use as collateral against loans on Qubit.

Funds Still Sitting in Hacker’s Wallet

According to the breakdown posted by CertiK, the funds were then used to borrow “15,688 wETH ($US37.6 million), 767 BTC-B ($US28.5 million), approximately $US9.5 million in various stablecoins, and $US5 million in CAKE, BUNNY, and MDX”. Thereafter, the funds were converted to just over 200,000 BNB, which is still sitting in the hacker’s wallet.

In summary, the deposit function was a function that should not [have been] used after depositETH was newly developed, but it remained in the contract. The team is cooperating with security and network partners, including Binance. Supply, Redeem, Borrow, Repay, Bridge, and Bridge redemption functions are disabled until further notice. Claiming is available. We are continuing to investigate and are in communications with Binance.

Qubit Finance report

Qubit Negotiates for Stolen Funds

Following the incident, the Qubit team tried to contact the hackers to offer a bug bounty of US$250,000 on Immunefi, but are also still prepared to negotiate.

As chains and protocols utilise the multi-chain environment, bridges will only become more important. People need to move funds from one blockchain to another, but they need to do so in ways that are not susceptible to hackers. In December, MonoX was also hacked for an estimated US$31 million.