
Scam Alert: Security Firm Identifies Arbix Finance $10 Million Rug Pull

Blockchain security firm CertiK has identified Arbix Finance as a rug pull, warning users who have engaged with the protocol to stay away from it and its ARBX token.

Another Rug in the DeFi Space; This Time Users Are Warned

Arbix Finance is a Binance Smart Chain-based protocol that describes itself as a yield-farming aggregator. So far, it has amassed over US$10 million in deposits by users.

CertiK found several red flags in Arbix thanks to its Skytrace tool, which it uses to analyse the risk of fraud. Some of the firm’s initial findings were that investors’ funds had been allocated in unverified pools through the depositor contract, which were later drained by the Arbix team.

The protocol’s underlying code was purposefully made to allow developers to mint millions of ARBX tokens, with roughly 4.5 million tokens minted to only one wallet.

The exploited contract was not in the audit scope that was done for Arbix. The project inserted eight ‘mint()’ functions to a newly deployed ARBX ERC20 contract, which allowed the owner to mint any amount of ARBX tokens to any address.

CertiK statement

Arbix Disappears Amid Accusations

It appears that Arbix Finance quietly disappeared shortly after the accusations were made – the project’s website and Twitter account are gone, and the ARBX token dropped to $0.

Discerning between a legit DeFi project with goals and a scam is difficult for newcomers in the space. While CertiK managed to warn users before more damage was done, some warnings come too late. In November last year, Crypto News Australia reported how the creators of DeFi token launch Monkey Jizz rugged investors out of US$300,000 worth of BNB.


Number of Countries Banning Crypto Has Doubled in 3 Years

Although 2021 was generally seen as a good year for the cryptocurrency industry in terms of market performance, the number of international jurisdictions banning crypto has more than doubled since 2018 with no sign of the trend easing in 2022.

According to an updated report by the American Library of Congress (LOC), nine countries have now applied an absolute ban on crypto and 42 an implicit ban. This is up from eight and 15, respectively, in 2018 when the report was first published.

Bans Have Two Shades of Meaning

In the context of the LOC report, an absolute ban means any “transactions with or holding cryptocurrency is a criminal act”, whereas an implicit ban prohibits cryptocurrency exchanges, banks and other financial institutions from “dealing in cryptocurrencies or offering services to individuals and/or businesses dealing in cryptocurrencies”.

The nine new jurisdictions with an absolute ban are Egypt, Iraq, Qatar, Oman, Morocco, Algeria, Tunisia, Bangladesh and China. Other than the 51 jurisdictions with a crypto ban already in place, 103 have applied Anti-Money Laundering (AML) and combatting the funding of terrorism (CFT) laws, more than three times the 33 jurisdictions with such laws in place three years ago.

Current international legal status of cryptocurrencies. Source: LOC

Sweden, Estonia, Russia on the List; India Delays Execution

Estonia, Sweden’s EU neighbour across the Baltic Sea, is set to implement AML/CFT rules next month. As for Sweden itself, the Scandinavian nation’s Environmental Protection Agency called for a ban on proof-of-work (PoW) mining in November 2021 due to the power demands of keeping networks running.

The new rules are expected to change the definition of a virtual asset service provider and apply an implicit ban on decentralised finance (DeFi) and Bitcoin.

India’s government sent a shiver through the international crypto community when lawmakers there considered a total cryptocurrency ban last November. Although it did not eventuate, the Securities and Exchange Board of India – which oversees the regulation of local crypto exchanges – pushed to regulate cryptocurrencies as crypto assets. An outright ban, however, is still on the table.

Last month, Russia’s central bank moved to ban crypto investments and also barred mutual funds from investing in digital currency.


Web 3.0 Token ‘Near Protocol’ Up 79% in a Month Amid Terra Partnership

NEAR token has been marching steadily upwards to a new all-time high of US$16.37, with the most recent rally coming on December 22 after NEAR announced it was partnering with leading blockchain protocol Terra Money.

Terra is an open-source decentralised network and the TerraUSD (UST) stablecoin is pegged 1:1 to the US dollar, making it an attractive medium of exchange for the DeFi space.

More Collaborations to Come

The integration of UST on NEAR “will be a big step towards growing the Near and Aurora ecosystem”, according to Aiden Knox, founder of NearPad and Rose. “I’m excited to be working closely with the Terra team to not only bring UST to NearPad and Rose, but also for the deeper integrations and collaborative projects this partnership enables.”

This has indeed been bullish news for NEAR as investors have rushed in. By Christmas Eve, NEAR trading volume had spiked to US$1,475,397,417 as the price rallied to a high of $16.15 on December 27. After a week of healthy consolidation, the NEAR chart is as green as a Christmas tree – its impressive price action has seen the token increase 1060.5 percent in value over the past 12 months.

CoinGecko.com

NearPad – NEAR’s DeFi Hub

NearPad aims to be the leading gateway for the DeFi ecosystem on Aurora – an Ethereum Layer-2 built on top of NEAR blockchain. NearPad consists of a DEX AMM, launchpad, and incubator project Rose – a liquidity protocol on Aurora. NearPad offers a product suite to nurture and grow the DeFi ecosystem.

Three weeks ago, Crypto News Australia reported that NEAR Protocol token had soared 48 percent in a week after listing on MoonPay. Terra’s native token LUNA has also had major upside over the past couple of months following Terra’s network upgrade, reaching a new all-time high on December 27 of US$103.34.


Algorand-Based DeFi Platform ‘Tinyman’ Exploited for $3 Million

The DeFi space has already had its first breach this year as Tinyman, an Algorand-based decentralised trading platform, was hacked and drained for roughly US$3 million.

On January 1, Tinyman announced via its Twitter account that its platform had been compromised, saying it had pulled the remaining liquidity from Tinyman on the TINY token. The platform has advised its community to withdraw their funds as the exploit is ongoing.

How the Breach Took Place

As per the investigation, the attackers managed to exploit various vulnerabilities in the platform’s smart contracts, giving them access to various liquidity pools. They started interacting with the targeted pools and swapped a portion of their funds to acquire ASAs, causing price instability in the following hours.

The attacker exploits an unknown bug in the burning of pool tokens and receives two of the same assets instead of two different assets. This worked in favour of the attacker since the gobtc asset was significantly more valuable than ALGO, which they immediately swapped against ALGO to receive more funds to continue their attack.

Tinyman blog post

The team behind Tinyman said that they were unable to block ongoing transactions on the blockchain as the contracts are permissionless. The first step, however, was to pull all of the liquidity from all Tinyman contracts and return it once the platform is clear of any attacks.

Another Day, Another Hack

DeFi protocols are always at risk of smart contract exploits on their platforms, or of similar attacks such as security breaches or DoS (Denial of Service). As expected, each platform’s token drops massively after the liquidity pools are drained, leaving a deep hole in investors’ pockets.

In December 2021, the crypto community saw DeFi marketplace MonoX hacked for US$31 million, one of the largest hacks in that month. Two months earlier, Indexed Finance suffered its first hack, with US$16 million drained out of their two pools.


Ethereum Sidechain Project Polygon ‘Hard Forked’ After Critical Bug Discovered

Ethereum sidechain project Polygon (MATIC) could well have lost all of its MATIC tokens, worth US$24 billion, after it discovered a “severe” bug that had gone unnoticed for some time. To avert that enormous loss, the Polygon network underwent a hard fork to save the project.

‘Critical’ Vulnerability Found in Polygon’s PoS Genesis Contract

The hard fork proceeded after a “critical” vulnerability was found in Polygon’s proof-of-stake genesis contract, which would have allowed attackers to steal 9.2 billion MATIC tokens. The total supply of MATIC is 10 billion, and the vulnerability would have put 9.2 billion of those tokens at risk, a potentially devastating loss.

The problem was reported on the bug bounty platform Immunefi by a white hat hacker known as Leon Spacewalker. Following the discovery of the bug, Immunefi informed the team at Polygon, after which they confirmed it.

However, Polygon did not come out entirely unscathed. Before the upgrade on the mainnet could be completed, an unknown black hat hacker stole 801,601 MATIC, worth about US$1.6 million.

The team at Polygon reported: “Despite our best efforts, a malicious hacker was able to use the exploit to steal 801,601 MATIC before the network upgrade took effect.”

Co-founder Conceded Pre-existing Vulnerability

Although Polygon did not release details regarding the incident until December 29, chatter on social media had emerged mid-month about the network’s zero-warning hard fork. During that time, Polygon co-founder Mihailo Bjelic did concede that a vulnerability existed and that the team would subsequently release details of the problem.

Bjelic wrote at the time: “We are now investing much more on security and we’re making an effort to improve security practices across all Polygon projects.”

When asked why the project waited until this week to disclose information regarding the bug, the core development team explained its “silent patches” policy:

All in all, the team struck the best possible balance between openness and doing what’s best for the community, partners and the broader ecosystem in handling this extremely urgent and sensitive issue. But you can be the judge of that.

Polygon core development team statement

Polygon Records Exponential Growth

Polygon is undergoing a period of growth and mass adoption, and is evolving and adapting along with it. The scaling solution has seen an increasing number of decentralised applications (dApps) running on the network. Data has also revealed that Polygon is growing at a rate two times faster than Ethereum at a comparable time in its history.

Having seen massive adoption from DeFi protocols, Polygon is also planning to launch a decentralised autonomous organisation (DAO) with the ultimate goal of improving users’ DeFi experience, while at the same time attracting more users to DeFi.

Polygon was also recently included in an exciting partnership between Exodus Wallet and SportX, which will allow its users to wager on esports and crypto prices on the network.


Bent Finance Confirms Pool Exploit, $1.6 Million Rug Pull Suspected

Another day, another DeFi rug pull: on December 20, Bent Finance discovered there had been an exploit of its staking and farming platform.

Everybody Out of the Pool!

Bent Finance immediately called for investors to withdraw their pool funds and announced it had disabled the reward claims while the attack was being investigated, adding it would “make this right” and confirming it would recover all stolen funds from the Bent curve pool:

We recommend you withdraw from the protocol until further notice. We are not going anywhere and will recover from this one way or another.

Bent Finance tweet

Bent Hires White Hats to Decipher Exploit

Bent hired the services of two white-hat hackers to help uncover the details of the exploit. Crypto fraud investigator Joe McGill confirmed that approximately 440 ETH (US$1.75 million at the time of writing) was stolen by the hackers. Full details of the attack are explained on the Bent Finance Medium page.

DeFi is still in the teething stages of development and attacks such as these are common and frequent. Just two weeks ago DeFi protocol BadgerDAO suffered a similar attack, losing US$120 million in funds.


Jack Dorsey Causes Twitter Storm, Calls Web 3.0 a Centralised Venture Capital Playground

Following his recent departure from Twitter, many suspected Jack Dorsey would be spending his time on Bitcoin after saying earlier this year, “I don’t think there is anything more important in my lifetime to work on”. While his plans remain under wraps, Dorsey ignited a Twitter storm after criticising Web 3.0 as being centralised and for the benefit of venture capitalists.

The Promise of Web 3.0

Web 3.0 envisions a future state of the internet based on decentralised public blockchains where users own and govern sections of the internet, rather than requiring access through centralised entities such as Google or Facebook.

Unlike Web 2.0 where users are the product and unable to own a piece of the internet, Web 3.0 is “owned by the community” and “trustless” in the sense that an intermediary isn’t required for transactions.

Among other things, Web 3.0 includes decentralised finance (DeFi), a favourite among venture capital firms at the moment and a sector into which enormous sums of money have been ploughed.

Web 3.0 Decentralised?

Web 3.0 promises a decentralised version of the virtual world featuring public blockchains, metaverse technology, non-fungible tokens and DeFi free from the grasp of centralised power sources. But how much of this is true?

One place to start is with the data. Earlier this year, Messari published a report illustrating the initial token allocations for some of the most popular blockchains. Evidently, insiders such as venture capital firms, founders and foundations represent the bulk of initial allocations in most cases, suggesting that these blockchains may not deliver the decentralised governance they purport to offer.

Initial token allocation for public blockchains. Source: Messari

The crux of Dorsey’s criticism is simple. Venture capitalist firms (VCs) frequently fund Web 3.0 projects in direct competition with genuinely decentralised alternatives such as 100 percent initial coin offerings. By owning a controlling stake, they are able to pressure blockchain co-founders and influence the direction of the project. In addition, as insiders, VCs are well-placed to pump their bags and time their exit at the expense of retail investors.

Naturally, Twitter’s favourite billionaire troll couldn’t resist commenting too.

Taking a step back from the Twitter storm, it’s clear in the end that Dorsey feels as if Web 3.0 is decentralised in name only. While he quite obviously is not opposed to centralisation or venture capital – see Twitter and Square – he simply wants people to know what they are getting into.


Shopify to Offer Merchants NFT Minting Services

Shopify has opened its non-fungible token (NFT) beta that allows participants to mint and trade their own branded NFTs on its platform. The multinational e-commerce company has partnered with blockchain company GigLabs to integrate NFT utilities on its platform.

Shopify CEO Tobias Lütke announced the release on December 16, having previously shown interest in the DeFi and crypto space.

The Shopify application is built on Flow, a decentralised blockchain, and for the time being the “NFT Beta program” will only be available to US-based merchants on Shopify Plus. Participants will be able to buy the digital collectibles with Shopify Payments, Shop Pay, crypto payment gateways, credit/debit cards, and others. Users can also choose on which blockchain they want their NFTs minted, including Ethereum, Polygon, Near and Flow.

NFTs for Branding and Customer Engagement

Earlier in the year, Shopify made it possible to sell NFTs on its platform but now users will be able to access a host of additional functionalities. Included among these will be the ability to “forge [their] own branded experience” by minting NFTs, scheduling airdrops, memberships, and content-gating.

The platform has simplified much of the convoluted procedure required to get your hands on an NFT. Customers can easily claim their NFTs via email and add them directly to their wallets from there. Other companies, such as the entertainment company Superplastic, have praised the application for helping with a successful NFT drop for their brand.

Shopify’s platform is f****** amazing. It helped Superplastic and our partner Christie’s create a massively successful NFT drop for Janky and Guggimon.

Paul Budnitz, founder and CEO, Superplastic

NFT Industry Continues to Boom

Just last month, leading NFT marketplace OpenSea surpassed US$10 billion in all-time trading volume, marking quite an achievement since its total volume trading for all of 2020 was just US$21 million.

Other massive multinational companies have also jumped aboard the bandwagon. For example, sports apparel giant Nike flagged its interest in NFTs earlier this week with the acquisition of RTFKT, a digital arts studio specialising in NFT collectibles.


Yearn Finance Token Soars 50% Amid Aggressive Buyback Program

Yearn Finance (YFI) proved to be one of the best performers in the crypto market last week, rallying almost 50 percent to hit a fortnightly high above US$31,700 at the time of writing.

The surge coincided with a revelation by Yearn that it has been buying back its YFI token in bulk since early last month in response to a community vote to improve its tokenomics. The decentralised asset management platform purchased 282.40 YFI at an average price of US$26,651 per token, totalling over US$7.5 million.

Yearn Intends to Buy Back Even More Tokens

Yearn also claims to have more than US$45 million in its Treasury and has recorded “stronger than ever” earnings. As a result, it said it would buy back even more YFI tokens in future.

Yearn reportedly makes about US$100 million per year alone in fees collected from Vaults, its smart savings account service that maximises the value accrual of deposited digital assets. It also has enough liquidity to sustain its token buyback strategy going forward.

YFI Leaves ETH and SOL in the Shade

Right now, Yearn’s primary aim is to recover recent losses and last week’s rally left some of the major altcoins in the shadows. To cite two examples, ETH dropped 3.38 percent with SOL sitting at -1.57 percent in the same period YFI shot up 46 percent.

YFI price action, December 15-17. Source: TradingView / AMBCrypto

Back in February this year, Fantom FTM coin pumped more than 73 percent in a single day on the back of its collaboration with Yearn Finance. Perhaps YFI has once again found the magic touch.


Grim Finance DeFi Protocol Hacked for $30 Million in Fantom Tokens

Grim Finance is the latest DeFi (Decentralised Finance) protocol to fall victim to a hack in which attackers exploited a flaw in the vault contract to drain millions.

On December 19, Grim Finance, a compounding yield optimiser on the Fantom blockchain, was targeted by an “advanced attack” where hackers drained an estimated US$30 million in Fantom (FTM). In a series of tweets, Grim explained that the unknown attackers exploited a flaw in its vault contract.

Smart Contract Exploited

The hackers used a reentrancy attack, which in this case allowed an attacker to fake additional withdrawals out of a smart contract while the initial transaction was still in progress. Because the balance of the receiver was never updated, the loop was able to continue.

In reality, the attack can be prevented with not too much effort, mainly by updating a balance after a transaction is sent rather than before. According to Quantstamp senior research engineer Martin Derka, “if no internal state updates happen after an ether transfer or an external function call inside a method, the method is safe from the reentrancy vulnerability”.

As of December 19, all deposits into Grim Finance vaults remain paused to prevent further theft. The Grim team has contacted Circle (USDC), DAI, and AnySwap regarding the attacker’s address to potentially freeze any further fund transfers.


Rough Month for Some DeFi Investors

Grim Finance is the newest addition to the list of protocols that have been hacked, bringing the total up to over US$600 million stolen this month alone. The US$31 million MonoX hack just missed the cut, taking place at the end of November.

According to a tweet by RugDoc, “Hopefully all projects can draw lessons from this incident that there is much knowledge most experienced solidity devs have at hand”, adding that “if you haven’t acquired this yet, don’t build multimillion-dollar projects”.