DeFi platform Rari Capital has been hacked for more than US$80 million in assets held within its Fuse lending pools.
Our monitoring system detected that multiple pools related to @RariCapital@feiprotocol were attacked, and lost more than 80M US dollars. The root cause is due to a typical reentrancy vulnerability. @defiprime https://t.co/Cbtilpbuw9
Rari Capital’s Fuse platform enables DeFi developers to create their own lending markets. Security firm BlockSec identified the exploit as having occurred because of a reentrancy vulnerability in the protocol’s smart contract.
Development team Fei Protocol, which runs a decentralised US dollar-pegged stablecoin called Fei USD, was the biggest loser in the hack. The team manages lending markets on Fuse, where users can deposit funds for an annual yield and also take out loans in FEI stablecoin.
$10 Million Bounty Offered, ‘No Questions Asked’
Fei Protocol has acknowledged the massive exploit and asked the hacker(s) to return the funds to claim a US$10 million bounty:
We are aware of an exploit on various Rari Fuse pools. We have identified the root cause and paused all borrowing to mitigate further damage.
To the exploiter, please accept a $10m bounty and no questions asked if you return the remaining user funds.
The Rari Capital exploit is the third significant reentrancy hack in six months. In December, the unfortunately named Grim Finance, a compounding yield optimiser on the Fantom blockchain, was drained of an estimated US$30 million in Fantom (FTM) tokens.
And early last month, DeFi protocol Ola Finance suffered a US$3.6 million hack, also blamed on a reentrancy bug. A fortnight earlier, DeFi lending protocols Agave and Hundred Finance were exploited for approximately US$11 million. DeFi continues to provide far too much fertile ground for hackers.
USDC.Homes is a new company that partners with mortgage lenders and brokers to facilitate home loans using cryptocurrencies. This week, the company sold its first home to an Austin, Texas, resident who bought a US$680,000 condo through the Ethereum-based lending protocol Teller.
Forget About Fiat – Buy Your Home With Crypto
Teller calls USDC.Home the “first unsecured DeFi mortgage”, with its hybrid program that combines practices from both the traditional finance and decentralised finance worlds. Borrowers can ask for loans and show their credit score to determine eligibility and can use cryptocurrency staking or other yield-generating activities to pay off the balance:
The first home to be mortgaged through https://t.co/26BgeWPd0Z was sold at $680,000 in Austin, Texas with the buyer taking out a $500,000 USDC mortgage loan using the Teller protocol. <3/6>
Thanks to a good credit score, the Austin homebuyer was able to get the loan and while he didn’t put up collateral, he did make a downpayment in USDC. He was able to earn interest on the downpayment by putting his assets to work through staking.
According to Teller, all transactions take place on-chain using Ethereum sidechain Polygon, which leverages a set of mechanisms to make transactions faster and cheaper.
Buying Homes With Crypto – From Dreams to Reality
Buying a home using bitcoin or other cryptocurrencies was a mere dream years ago, but it’s now a solid reality thanks to mainstream adoption of digital assets.
A few months ago Crypto News Australia reported that Milo, a US fintech company, had launched the world’s first Bitcoin mortgage offering, enabling customers to buy real estate in the US by leveraging their stack as collateral:
💥BREAKING: You can now buy a house using #Bitcoin as collateral and ZERO fiat deposit with mortgage lender Milo.
Globally, gains were up more than five-fold compared to the previous year, increasing from US$32.5 billion in 2020 to US$162.7 billion in 2021, with the US seeing the most gains by a wide margin:
"Crypto investors around the world realized $162.7 billion in gains in 2021. We used transaction and web traffic data to break down these gains by country."
Being a breeding ground for innovation will go down in history as the US' saving grace for the last 100+ yrs pic.twitter.com/bYNE4uQuCp
This is the first year that Chainalysis has reported annual gain data on cryptocurrencies other than Bitcoin (BTC), so it’s hard to draw direct comparisons – but based on the BTC data, it appears gains in Australia are up around 5x, which is in line with similar economies around the world. In 2020, Australia saw around US$0.2 billion in BTC gains, while in 2021 this figure was close to US$1 billion.
Many other countries saw similar increases: the US recorded growth of 476 percent, from US$8.1 billion to US$47.0 billion; UK gains grew 431 percent; and gains in Germany were up 423 percent.
China’s gains increased from US$1.7 billion to US$5.1 billion, a modest gain of 194 percent. This relatively subdued growth is most likely a reflection of the Chinese government’s crackdown on crypto activity over the past year.
Majority of Gains From Ethereum
On a per-crypto basis, the majority of realised gains globally came from Ethereum at US$76.3 billion, with Bitcoin coming in second at US$74.7 billion.
Crypto gains by country by coin. Source: Chainalysis
Chainalysis attributes Ethereum’s dominance to the explosion in DeFi in 2021, saying:
We believe this reflects increased demand for Ethereum as the result of DeFi’s rise in 2021, as most DeFi protocols are built on the Ethereum blockchain and use Ethereum as their primary currency.
Chainalysis
Good Signs for Crypto
Chainalysis believes its data shows that crypto is in a vigorous growth phase and suggests it still represents a good economic opportunity moving forward, explaining:
While there are still risks the industry must work to mitigate, the data not only shows that crypto asset prices are growing, but also that cryptocurrency remains a source of economic opportunity for users in emerging markets.
Users of the popular Ethereum wallet MetaMask are infuriated after the wallet’s default endpoint, Infura, again suffered a major outage.
Infura is Metamask’s main RPC (Remote Procedure Call) provider that allows the wallet to communicate with the Ethereum network. Last week, at least 15 components of the Infura system suffered complete or partial outages, bringing down MetaMask access in the process.
MetaMask addressed the issue on Twitter, explaining that: “If you’re currently experiencing issues with MetaMask, it may be because of the outage that Infura is actively combating.”
All Infura systems appear to be up and running again, as per the protocol’s status page. But this is yet another outage to have occurred in the Infura protocol, and users didn’t hesitate to call out for a more decentralised ecosystem where everyone can run their own nodes. As it was, users had to deploy different RPC endpoint solutions, such as Alchemy or QuickNode, to access their Web3 accounts:
Of course, you can always change your RPC endpoints yourself. Here are some other nodes you can consider:https://t.co/l13ziCBG7o
On the subject of a lack of decentralisation, last month both MetaMask and OpenSea banned wallets associated with Venezuelan and Iranian IP addresses, citing compliance issues, only later to discover that Infura had cut off users to separatist areas in Ukraine, accidentally blocking Venezuelan users as well.
MetaMask has been having a rough time of it this month. On April 20, Crypto News Australiareported how MetaMask iPhone users were endangered by an iCloud-related phishing scam.
Unlike traditional stablecoins such as Tether (USDT), which already runs on Tron, USDD will supposedly be “fully decentralised” – it won’t be backed by centralised assets held in traditional financial institutions such as banks, but will depend on algorithms to keep its peg to the US dollar.
Tron’s ‘Self-Imposed Revolution’
Sun characterised the plan as a “self-imposed revolution”, going on to describe USDD as “a fully decentralised stablecoin underpinned by mathematics and algorithms, bringing the development of stablecoins to the next level”.
He explained how he envisions USDD maintaining its peg to the US dollar even in the face of extreme market conditions:
USDD will be pegged to the underlying asset, TRX, and issued in a decentralised manner. When USDD’s price is lower than 1 USD, users and arbitrageurs can send 1 USDD to the system and receive 1 USD worth of TRX. When USDD’s price is higher than 1 USD, users and arbitrageurs can send 1 USD worth of TRX to the decentralised system and receive 1 USDD. Regardless of market volatility, the USDD protocol will keep USDD stable at 1:1 against the US dollar via proper algorithms in a decentralised manner.
Justin Sun, CEO, Tron
Tron DAO to Establish US$10 Billion Reserve, Offer 30% Interest Rate
In a related announcement, Sun explained that Tron DAO, the decentralised autonomous organisation created to manage USDD, will establish the Tron DAO Reserve, which aims to raise US$10 billion from unnamed “prominent blockchain industry players”. This plan closely mirrors a recent announcement from Terra founder Do Kwon, who outlined his intention to acquire US$10 billion in BTC to act as a reserve for Terra’s algorithmic stablecoin, UST.
Sun said that the purpose of the Tron DAO Reserve would be to “safeguard the overall blockchain industry and crypto market, prevent panic trading caused by financial crises, and mitigate severe and long-term economic downturns”.
Sun added that Tron DAO Reserve would offer a “basic risk-free” interest rate of 30 percent, which surprised some Twitter users who considered it unrealistically high and unsustainable:
1/3 @trondao announced its algo-stable #USDD, backed by $TRX and $10 Billions. The cripto world continues to innovate, but the interest paid on the #UST already seems unsustainable to me. The 30% return on the $USDD is really a ponzi scheme!
According to CoinGecko, TRON’s native token TRX gained about 18 percent following the announcement, hitting a high of US$0.074. TRX has since lost about half those gains and sits at US$0.067 at the time of writing.
While the announcement sparked investor interest, not everyone was convinced. Several Twitter users pointed out that the Tron blockchain itself isn’t exactly leading the way on decentralisation. Others pointed out that the plan resembled a poor man’s version of Terra’s UST being run by a guy with a less than stellar reputation:
US-based decentralised exchange (DEX) Uniswap has been hit with a lawsuit that alleges the “sale of unregistered securities”.
The plaintiff in this case is Nessa Risley, a North Carolina resident who filed the class-action lawsuit in the Southern District of New York. Risley claims to have purchased roughly US$10,000 worth of “fraudulent” ERC-20 tokens via Uniswap between May and June of 2021.
The lawsuit names Hayden Adams, Uniswap’s founder, as defendant along with his company Universal Navigation Inc (formerly Uniswap LLC). Co-defendants are venture capital firms Andreessen Horowitz (a16z), Union Square, Ventures and Paradigm.
Guidance Lacking in Risk Assessment
The lawsuit states that having received the necessary disclosures, the plaintiff and other investors would have the necessary guidance to assess the risks of their investments.
Had the tokens been registered as required, the Plaintiff and other investors would have received necessary and meaningful disclosures that would have enabled them to reliably assess the representations being made by the Issuers and the riskiness of their investments. Without these disclosures, they were left to fend for themselves.
Risley v Uniswap lawsuit
Decentralised exchanges, unlike their centralised counterparts, don’t require AML (anti-money laundering) or KYC (Know Your Customer) checks to list tokens on their platforms. Risley claims that Uniswap failed to conduct proper identity checks before listing the tokens on its platform:
Uniswap lawsuit has me rolling.
She needed consistent disclosures to figure out that "Rocket Bunny Token" and "BoomBaby" and "Matrix Samurai" were not legitimate, sensible investments.
Lawsuits against crypto companies are not uncommon. A month ago, Crypto News Australia reported how Coinbase had been dragged into a class-action lawsuit which, among other things, claims that it sold 79 different digital assets that constituted unregistered securities.
Controversial tokens can also place exchanges on hot water. In November 2021, an Australian law firm filed an A$100 million class-action suit against the issuers of Qoin, promoted by the backers of 30-year-old trading exchange Bartercard.
Tornado Cash is apparently using Chainalysis oracles to block access from US Office of Foreign Assets Control (OFAC) addresses. The blockade only applies to the Tornado front-end, not the underlying smart contract:
Tornado Cash uses @chainalysis oracle contract to block OFAC sanctioned addresses from accessing the dapp. Maintaining financial privacy is essential to preserving our freedom, however, it should not come at the cost of non-compliance.https://t.co/tzZe7bVjZt
As a fully decentralised protocol for private transactions of Ethereum, Tornado Cash last year announced it would be integrating with Arbitrum, the layer-2 solution that leverages optimistic rollups for Ethereum dApps.
Maintaining financial privacy is essential to preserving our freedom, [though] it should not come at the cost of non-compliance.
Tornado Cash
Tornado Cash works by “breaking the on-chain link between source and destination addresses”. Deposits go into a smart contract, where they are mixed around with others, and can then be withdrawn by a new address, making it more private.
The Chainalysis oracle is a smart contract that works on Ethereum and several other networks, including Avalanche, BNB Smart Chain, and sidechain and layer-two networks such as Polygon and Optimism. Simply put, Tornado Cash is a piece of code that scans crypto addresses and determines whether they are subject to sanctions from the US or other governments, and if so, the wallet is blocked.
Tornado Cash Facilitates Hackers
Earlier this month, Inverse Finance, a decentralised lending protocol built on Ethereum, lost over US$15 million in a DeFi hack. Hackers were able to take out massive loans and get away with it through Tornado Cash.
An attacker has drained US$182 million from Beanstalk stablecoin protocol in a flash loan attack, the second nine-figure DeFi exploit in just a month. Beanstalk joins a growing list of Ethereum DeFi protocols to suffer multimillion-dollar breaches:
The attack on Beanstalk, a credit-based stablecoin built on Ethereum, mirrors an incident last year where PancakeBunny’s DeFi protocol suffered a US$45 million loss from the ecosystem. In the Beanstalk case, an attacker used a flash loan exploit to drain the protocol’s funds and Etherscan data shows Aave’s flash loan feature was leveraged to withdraw liquidity from the protocol. The hacker then used Uniswap to trade DAI, USDC and USDT for Ethereum.
The market for Beanstalk’s BEAN stablecoin collapsed as a result of the attack and the token was down 86 percent at the time of writing.
Native Tokens Used to Drain Funds
Beanstalk has since reported that the flash loan on Aave enabled the attacker to amass a large amount of Beanstalk’s native governance token, Stalk. Through the voting powers granted by the tokens, the attacker was then able to pass a malicious governance proposal that drained all protocol funds into a private Ethereum wallet:
4/ The initial funds to launch the hack are withdrawn from @SynapseProtocol and most of the result gains are deposited to @TornadoCash. Currently 15,154 ETH still stays in the hacker’s account. Note the hacker donates 250k USDC to Ukraine Crypto Donation. pic.twitter.com/jBjUJ0JbGj
Some Stolen Funds Diverted to a Ukrainian Relief Wallet
Beanstalk’s smart contracts were audited, but the audit was completed before the introduction of the flash loan vulnerability. No information has yet been forthcoming on whether funds would be reimbursed to users. According to PeckShield, the attacker appears to have donated US$250,000 of the stolen funds to a Ukrainian relief wallet.
One of Ichi Foundation’s pools on Rari has spun itself into a debt crisis due to falling BTC prices and an overzealous tolerance for collateral.
Negative Debt Cycle Hurts ICHI Token
According to a statement tweeted by Ichi, recent volatility seen with the ICHI token was caused by a cascade of liquidations made worse by the fact that the pool was overcollateralised. This then forced the price of the coin down dramatically.
In a tweet from Rari Capital – a lending and borrowing protocol that hosted Ichi’s Fuse pool – the pool was “experiencing bad debt due to cascading liquidations”:
The Ichi Fuse Pool (#136) is currently experiencing bad debt due to cascading liquidations.
This is a permissionless pool that is owned and operated by @ichifoundation. We hope to see an announcement from Ichi regarding redemption strategies and next steps to make users whole.
The cascading liquidations were brought on by various events, one of them the allowance of millions of dollars as collateral to be taken and borrowed. When the price began to decline, there wasn’t enough liquidity in the decentralised exchange (DEX) to allow liquidations. This meant that highly leveraged positions couldn’t be closed, causing the pool to fall into debt.
When prices across the crypto market dropped – following the US$250 billion market wipe at the beginning of this week – “there wasn’t enough liquidity to absorb all the ICHI liquidations, causing the price to cascade”, according to Ashwath Balakrishnan, vice-president of research at Delphi Digital. Cascading liquidations can cause the price of an asset to decline rapidly and dry up liquidity, leaving the pool in debt and holders out of pocket.
ICHI/USDT price chart: CoinMarketCap
ICHI was ranging around US$120 before April 11, the pool liquidations started around 12:30 UTC on that date and continued until 2:30 UTC on April 12. Prices have dropped all the way down to US$1.81 and have since stabilised.
Putting in the Proper Checks
The problem arose where some important parameters on the pool weren’t set optimally. As noted by Jack Longarzo – a developer for Rari Capital – the collateral factor was considerably higher than needed:
A collateral factor of 85% is extremely high. Additionally, the team didn't use supply caps and allowed an infinite amount of $ICHI to be used as collateral. This allowed $ICHI holders to borrow extensively against uncapped collateral.
Longarzo also mentioned that the team could have added supply caps to limit the amount of collateral in the pool to prevent a situation such as this. He added that a red flag for users of Fuse should be to check if the collateral in a pool is significantly more than what can be liquidated.
While the resulting liquidations were tragic to witness, Ichi’s oneToken and Angel Vault protocols, which include oneFOX, remain sound and unaffected. I wish the Ichi team and community the best in their ongoing efforts to rectify the damage and rebuild their reputation 🙏
Arbitrum, Ethereum’s largest rollup solution with over US$2 billion total value locked (TVL), has announced the launch of Nitro, a major update that reduces gas fees by half on Arbitrum’s network.
According to an official announcement from Offchain Labs – the company behind the rollup – Nitro is an advanced rollup stack that can do Arbitrum’s interactive fraud proofs over WASM (WebAssembly), an experimental low-level programming language:
So Nitro is ready?
Arbitrum Nitro is fully built out & production ready w/ fraud proofs, advanced calldata compression, the sequencer, token bridges (w/ withdrawals coming later this week), & all the other bells & whistles! pic.twitter.com/BPVEgmn3wW
The Arbitrum Nitro upgrade was under development in October 2021 by the Offchain Labs team. In essence, Nitro is a fully built-out scaling infrastructure that uses WASM instead of today’s custom-designed language and compilers.
Arbitrum is 90-95 percent cheaper and faster than Ethereum (gas fees on the rollup are usually around US$0.50 or $1). However, the integration of Nitro will further lower gas fees while increasing the throughput.
Today, we throttle Arbitrum’s capacity, but with Nitro we’ll be able to release those controls and significantly up our throughput. And while Arbitrum today is already 90–95 percent cheaper than Ethereum on average, Nitro cuts our costs even further.
Arbitrum is Ethereum’s largest optimistic rollup. Rollups are a technology used to scale the Ethereum network by taking the transaction data out of the mainnet to execute it on the rollup-specific blockchain. The transaction result is then bundled up and sent back to Ethereum, so Ethereum node validators can verify whether the data is valid.
Arbitrum has collaborated with a handful of high-performance DeFi protocols – a few months ago Crypto News Australia reported that Tornado Cash had integrated with Arbitrum to allow the Ethereum-based crypto mixer to enjoy Arbitrum’s cheap gas fees and high throughput.
Arbitrum also hosts NFTs (non-fungible tokens). A month ago, Crypto News Australia also reported that roughly US$1.4 million worth of Smol Brains – the most popular NFT collection on Arbitrum – had been stolen in an exploit, as confirmed by Arbitrum’s NFT marketplace TreasureDAO.
