Lending Protocols ‘Agave’ and ‘Hundred Finance’ Exploited for $11 Million

Two lending DeFi (decentralised finance) protocols, Agave and Hundred Finance, have been exploited for approximately US$11 million, both companies confirmed on Twitter this week.

Reentrancy Bug Responsible

Looking at the transaction data on Tenderly, it seems both protocols were hacked using reentrancy attacks, a class of vulnerability in contracts written in Solidity, the programming language used for Ethereum smart contracts.

Reentrancy is when an attacker manages to trick a function on a Solidity smart contract (here one called “callAfterTransfer”) into making an external call to another, untrusted contract.

Once the hacker has access to the untrusted contract, they can make recursive calls using the protocols’ funds without having to put up additional collateral.

Blockchain and security researcher Mudit Gupta shed some technical light on the hacks, stating that the attacker introduced code after the callAfterTransfer function to run a flash loan exploit, allowing them to borrow funds before the protocols were able to calculate the debt and prevent further borrowing.

Both protocols were hacked on the Gnosis chain, which is an EVM-compatible blockchain. Gupta added that what allowed reentrancy attacks was the fact that “the official bridged tokens on Gnosis are non-standard and have a hook that calls the token receiver on every transfer”.

Agave is a fork of DeFi lending protocol Aave, while Hundred Finance is a fork of Compound. Compound, on the one hand, doesn’t follow the checks-effects-interactions pattern, which is a recommended practice when making external calls in Solidity.

Aave does follow that practice, but according to Gupta there is a “path via liquidations using which the attacker broke the pattern”.
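The ordering problem described above, shown as a small Python model. This is an added example, not code from either protocol or from the Gnosis bridge; the class names, the `call_after_transfer` hook name and all amounts are constructed for illustration. The same pool is run once with the transfer made before the debt is recorded and once in checks-effects-interactions order.

```python
"""Toy model of a lending pool that pays out in a token with a transfer hook.
Constructed for illustration: not Agave, Hundred Finance or Gnosis bridge code."""


class HookedToken:
    """Token that calls the receiver after every transfer (the non-standard hook)."""

    def __init__(self):
        self.balances = {}

    def transfer(self, sender, receiver, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount
        hook = getattr(receiver, "call_after_transfer", None)
        if hook:  # control passes to code chosen by the receiver
            hook(self, sender, amount)


class LendingPool:
    def __init__(self, token, liquidity, effects_first):
        self.token, self.effects_first = token, effects_first
        self.collateral, self.debt = {}, {}
        token.balances[self] = liquidity

    def borrow(self, user, amount):
        # Check: total debt must stay within the collateral value.
        if self.debt.get(user, 0) + amount > self.collateral.get(user, 0):
            raise PermissionError("under-collateralised")
        if self.effects_first:  # checks-effects-interactions order
            self.debt[user] = self.debt.get(user, 0) + amount
            self.token.transfer(self, user, amount)
        else:  # interaction first: debt is still stale while the hook runs
            self.token.transfer(self, user, amount)
            self.debt[user] = self.debt.get(user, 0) + amount


class ReenteringReceiver:
    """Receiver whose hook requests another loan while the first is in flight."""

    def __init__(self, pool):
        self.pool = pool

    def call_after_transfer(self, token, sender, amount):
        if sender is self.pool and token.balances[self.pool] >= amount:
            try:
                self.pool.borrow(self, amount)
            except PermissionError:
                pass  # debt was already recorded, so the nested borrow is refused


def run(effects_first):
    """Return (tokens received, pool liquidity left, recorded debt) for 100 collateral."""
    token = HookedToken()
    pool = LendingPool(token, liquidity=1000, effects_first=effects_first)
    receiver = ReenteringReceiver(pool)
    pool.collateral[receiver] = 100
    pool.borrow(receiver, 100)
    return token.balances[receiver], token.balances[pool], pool.debt[receiver]


if __name__ == "__main__":
    print("interaction first:", run(effects_first=False))
    print("effects first:    ", run(effects_first=True))
```

With the interaction first, every nested call passes the collateral check because the debt has not yet been written; with the effect first, the nested call is refused.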

Tokens Wear the Fallout

Unsurprisingly, the native tokens of both protocols took a blow, both dropping by double digits, according to data from CoinMarketCap. But it seems they have recovered by at least 15 percent from their previous price.

After draining both protocols’ funds, the attacker went on to launder the money using Tornado Cash. Etherscan hasn’t labelled the attacker’s address with a DeFi exploit.

The event comes a week after Fantasm Finance was hacked for US$2.6 million through a flash loan attack, also using Tornado Cash to launder the funds.

Users Left Fuming After Evmos’ Cosmos Cross Chain Fails to Launch

Evmos, a layer-1 blockchain compatible with EVM (Ethereum Virtual Machine) built on Cosmos, is facing a community backlash after the protocol failed to launch this week due to numerous bugs found on the network.

The launch of the Evmos mainnet, which came with a rather ambitious token airdrop, was highly anticipated by the Cosmos and Ethereum communities as it allowed cross-chain transfer between the two blockchains.

Critical Security Bug Halts Network

But it seems the launch was riddled with gremlins. Two days before the launch, a “critical security bug” was found on the network, which led validators to rush a fix that was implemented improperly and subsequently caused a network halt.

Users were reporting problems related to hardware and software wallet integrations, which were apparently higher than the network was able to handle. On top of this, some users were claiming a “lack of organisation” and numerous delays surrounding the launch of the mainnet.

The team behind Evmos said developers and validators were reportedly still working on the matter and unable to reach a consensus on the next steps for the protocol.

Launch Suspended Till Further Notice

The backlash forced the Evmos team to suspend the launch for an undetermined number of days to address the community’s concerns, and the team said the network would be reviewed internally via a postmortem.

Evmos Responds to Backlash

While the community backlash was rather harsh for Evmos, some other users were supportive of the response from the Evmos team to handle the issues and give clarity to its community.

Some other DeFi projects are the opposite, however. Such was the case in January with the cross-chain bridge Multichain when it lost over US$3 million through a security hack. The protocol was sending “mixed messages”, stating the issue had been fixed, but it later reminded users to revoke approvals of the token.

Fantasm Finance DeFi Project Exploited for $2.6 Million

This week’s attack on Fantom Network-based synthetic asset protocol Fantasm Finance saw the loss of US$2.6 million worth of Ethereum. The stolen funds were run through the Tornado Cash mixing service and totalled 1,007 ETH.

According to the protocol’s Medium page, the team will conduct a postmortem and consider all compensation options for victims.

Another Day, Another DeFi Hack

The address of the attacker shows the extent of the theft, with 1.8 million FTM remaining in the pool for redemption.

Since the March 9 exploit, the attacker has been using Tornado Cash to mask transactions. Tornado Cash is a service that breaks the link between source and destination addresses, thereby obscuring the transaction history.

Attacks on DeFi Remain Rife

The crypto space and DeFi, in particular, have been under attack by hackers seeking to exploit protocols. The frequency with which new projects launch without undergoing a security audit makes them very vulnerable to attackers. In January, Algorand-based DeFi platform ‘Tinyman’ was exploited for US$3 million. The team at Algorand quickly tweeted that it had been compromised and pulled the remaining liquidity from the project.

The most recent DeFi attack prior to Fantasm targeted Polygon DeFi protocol QiDao’s Superfluid vesting contract, draining US$13 million. User funds on QiDao however remained safe, as the exploit was “solely on Superfluid”, according to the Polygon-based DeFi protocol.

Avalanche Launches $290 Million Program to Support ‘Multiverse’ Development

Avalanche (AVAX) has committed a whopping US$290 million, or 4 million AVAX tokens, as an incentive to attract gaming, DeFi and NFT ‘Subnets’ to its platform. The goal of the “Multiverse” incentive fund is to create a network of application-specific blockchains according to a press release on its Medium page.

Multiverse an ‘Ongoing Initiative’

The Avalanche Multiverse will be an ongoing initiative with no specified end date, along with six phases to support various projects, according to the foundation. Subnets, also known as subnetworks, are validators that allow others to establish their own Layer 1 or Layer 2 blockchains on Avalanche. Because Avalanche is proof-of-stake, projects can become validators staking $AVAX tokens.

DeFi Kingdoms, a play-to-earn game built atop the Ethereum sidechain Harmony, has created its own Avalanche subnet as part of the multiverse initiative, along with a new Avalanche-native token, $CRYSTAL.

The entire DeFi Kingdoms universe is written into smart contracts, pushing the envelope of what is possible with blockchain technology. We began looking very early on for technology that could help us scale and introduce new features like using our native tokens for gas fees, without sacrificing security or decentralisation. Avalanche’s revolutionary subnet technology is the perfect fit.

Frisky Fox, executive director, DeFi Kingdoms

Ava Labs, which helps drive the development of Avalanche, has partnered with Aave, Golden Tree Asset Management, Wintermute, Jump Crypto, Valkyrie, and Securitize to build the subnet. Participants will need to undergo know-your-customer (KYC) checks, allowing traditional financial institutions to build on the blockchain.

Stani Kulechov, founder and CEO of Aave, said in a statement: “Avalanche Subnets enable us to create an ideal environment for institutions to migrate on-chain.” He added: “This is a significant leap toward a future where the barriers between traditional and decentralised finance cease to exist.”

According to Emin Gün Sirer, director of the Avalanche Foundation, “Subnets will be the next growth engine in crypto, enabling novel functionality only possible with network-level control and open experimentation on a scale we haven’t yet seen.”

Avalanche Rife with Issues of Late

In September last year, Avalanche DeFi project Vee Finance lost over US$35 million in a hack. In late February, the Avalanche-based DeFi protocol “polite” rug pulled investors and the protocol was shut down within the first day of its launch.

Suspicious Code Detected in ETH Smart Contract Putting NFT Projects at Risk

According to the famous DeFi detective who goes by “Zachxbt” on Twitter, 31 NFT projects may be at risk due to what he calls “suspicious code”. He posted a lengthy thread on Twitter and raised the issue of NFT project Thestarlab, which he alleges was compromised for 197.175 Ether (ETH), worth about US$580,325.

Zachxbt quoted his fellow blockchain investigator “MouseDev” who came to the following conclusion after reviewing the code behind Thestarlab:

What this means is that the contract can never truly be renounced or transferred! Only an additional owner. The original deployer will always be considered the owner! You can also check the relinquish and transfer ownership functions to see they never overwrite _creator.

MouseDev

MouseDev supposes that when the developer of the project deployed the contract, they stored two variables as the owner. “Then they later changed one of them to the null address to appear as though they relinquished but kept another unchanged variable,” MouseDev claims.
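MouseDev's check (do the relinquish and transfer functions ever overwrite `_creator`?) can be automated as a review step before accepting an outsourced contract. The following Python script is an added example, not code from the thread or from any of the projects; the sample contract, the `_owner` variable and the function names are constructed, and the regex-based matching is a heuristic rather than a Solidity parser.

```python
import re

# Constructed sample contract reproducing the pattern described above:
# two variables grant owner rights, but only one is ever reassigned.
SAMPLE = """
contract SampleNFT {
    address private _owner;
    address private _creator;

    constructor() { _owner = msg.sender; _creator = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == _owner || msg.sender == _creator, "not owner");
        _;
    }

    function relinquishOwnership() public onlyOwner { _owner = address(0); }
    function transferOwnership(address newOwner) public onlyOwner { _owner = newOwner; }
}
"""

# Assumed naming convention for functions that hand ownership over.
HANDOVER = re.compile(r"renounce|relinquish|transfer\w*ownership", re.I)


def bodies(source):
    """Yield (kind, name, body) for each function, modifier and constructor."""
    pattern = r"\b(function|modifier)\s+(\w+)|\b(constructor)\b"
    for m in re.finditer(pattern, source):
        start = source.index("{", m.end())
        depth, end = 0, start
        for end in range(start, len(source)):  # walk to the matching brace
            depth += (source[end] == "{") - (source[end] == "}")
            if depth == 0:
                break
        yield m.group(1) or m.group(3), m.group(2) or "", source[start + 1:end]


def privileged_vars(source):
    """Names compared against msg.sender anywhere in the contract."""
    found = set()
    for _, _, body in bodies(source):
        found |= set(re.findall(r"msg\.sender\s*==\s*(\w+)", body))
        found |= set(re.findall(r"\b(\w+)\s*==\s*msg\.sender", body))
    return found


def ownership_gaps(source):
    """Map each hand-over function to the privileged names it never assigns."""
    privileged = privileged_vars(source)
    gaps = {}
    for kind, name, body in bodies(source):
        if kind == "function" and HANDOVER.search(name):
            written = set(re.findall(r"\b(\w+)\s*=(?!=)", body))
            missing = sorted(privileged - written)
            if missing:
                gaps[name] = missing
    return gaps


if __name__ == "__main__":
    for func, names in ownership_gaps(SAMPLE).items():
        print(f"{func}: never overwrites {', '.join(names)}")
```

Any name reported here still passes the owner check after ownership has supposedly been given up, so it needs a manual look before the contract is deployed.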

According to this information, Zachxbt claims to have uncovered 31 NFT projects that all contracted the same Fiverr developer to launch the problematic smart contract. Zachxbt also remarked: “Please do proper due diligence. Always review the contract beforehand, especially if outsourced. Luckily, since then a few of the projects were able to migrate contracts and confront the Fiverr dev. After reviewing internally, a few found other red flags as well.”

Thank Goodness for DeFi Detectives

DeFi detectives have been many a project’s saviour. “Void-of-Silence” posted on Twitter: “Some old info I’ve posted along with some new info out today 💚 a readdressing of the situation would be awesome or a new post about it all 🔥”

Another fellow detective who goes by “Thats AOK” replied to MouseDev’s Tweet by saying: “RUG RUG RUG RUG RUG RUG RUG.”

Last month, an infamous “internet detective” who goes by “Coffeezilla” confronted YouTuber “Ice Poseidon” and got him to admit to stealing US$500,000 in a blatant crypto scam. Coffeezilla later in February managed to expose an NFT scam that would have cost its users US$20 million, had it actually come to pass.

Adobe’s Creative Platform ‘Behance’ Adds Support for Solana NFTs

Behance users can now connect their Phantom wallets to their accounts to showcase Solana (SOL) non-fungible tokens (NFTs) on their profiles.

Phantom is a Solana wallet built for decentralised finance (DeFi) applications as well as for NFTs. QuickNode, a Miami-based Web3 infrastructure platform, helped build out this feature with Adobe on Solana. 

A More Viable Alternative to Ethereum

Although Behance creators can already display their NFTs minted on the Ethereum blockchain within their profiles, high energy usage and prohibitive gas costs are driving them away.

As Adobe vice-president William Allen pointed out on Twitter this week, Solana is a proof-of-stake chain that addresses these concerns. He added that a single transaction on Solana “uses as much energy as a Google search and costs a fraction of a penny”.

For its part, Phantom tweeted that this integration is “huge” for the Solana creator economy because it allows artists “an eco-friendly and low-cost way to experiment with NFTs”.

In October last year, Adobe announced it would launch a “prepare as NFT” option to its Photoshop software. Adobe’s Content Credential system would prove that the person selling an NFT is the one who made it and allow NFT sellers to link the Adobe ID with their crypto wallets. This would allow compatible NFT marketplaces to show a verification certificate to prove the art is authentic.

BRISE DeFi Token Soars 120% as Bitgert Offers Business DeFi Products

As the overall crypto market continues to trend downward, the top-ranked cryptocurrencies have tumbled. Ethereum is one that has completely destabilised amid the current bear market, but as its price plummets another DeFi token has soared 120 percent – Bitgert (BRISE).

Bitgert has been doing well amid a tumultuous market, as is evident from its skyrocketing price and fast-growing market cap, fast approaching US$800 million, which has many wondering why this project in particular is doing so well.

Why is BRISE Soaring?

The short answer is the launch of the Bitgert BRC20 blockchain. As a zero gas fee blockchain, Bitgert is addressing current concerns regarding the network’s high gas fees – a problem Ethereum in particular deals with – and investors are excited by this. The gas fee associated with the Bitgert chain is only US$0.0000000000001. BRC20 has also overtaken Solana to become the fastest chain available after hitting an impressive 100,000 transactions per second (TPS), way faster than Solana’s 65,000 TPS.

These features ensure that Bitgert BRC20 is the most powerful chain in the crypto space as of now, and its anticipated mass adoption has prompted investors, including crypto whales, to buy more BRISE, which adds to its bullish trend. The team is bringing in hundreds of products and projects on the BRC20 blockchain to increase chain adoption. The Bitgert Startup Studio will also be the first program that will bring hundreds of projects to the ecosystem.

DeFi Does Well Amid Bearish Market

As the overall crypto market remains bearish, some DeFi projects seem to be beating the bear. Earlier in the week, Tornado Cash Token (TORN) surged 94 percent following protocol updates. WAVES saw similar surges when it shot up 120 percent in just a week following an announcement of a partnership with Allbridge, which will connect Waves with other popular blockchain networks.

Bug Causes Convex Finance to Redeploy $12 Billion Smart Contract 

A “non-crucial” bug in Convex Finance’s reward system has forced the protocol to redeploy the US$12 billion smart contract, releasing all the users’ vote-locked CVX.

According to a Twitter post by Convex Finance (CVX), the bug had made it possible for expired locks to relock directly to a new address, allowing them to claim more cvxCRV rewards than they had actually earned.

Due to the way Convex works, a simple edit to the contract would not have sufficed and it needed to be redeployed. This meant that all the vote-locked tokens held in the contract would be unlocked upon redeployment.

As the team wrote in a blog post: “There were no instances of [the bug] being used prior to deployment of the new vlCVX contract. However, since Convex Finance contracts are immutable and non-upgradeable, a new contract had to be deployed. The new vlCVX contract has implemented a fix for this potential bug going forward.”

Redeployment Causes Supply Shock

With the smart contract bug causing a premature unlock of a massive portion of CVX’s token supply, the market behaved in an unfavourable way. All the unlocked CVX was now eligible to be sold on the open market. Within the first 30 minutes, prices were down 20 per cent due to sellers and a resultant massive supply shock.

According to one user: “Based on the website, 72.11 percent of $CVX supply, or 38.1 million tokens, have been unlocked. If only 30 percent of these tokens are dumped today, then about US$250 million in buys will be needed to maintain the $20 price.”

Whales Ever Buying the Dip

This provided an opportunity for a few whales to snatch up some extra CVX. With prices falling to US$15 from around $20 in a matter of hours, some whales managed to snatch up quite a parcel.

The nascent DeFi industry is unfortunately infamous for hacks and bugs due to its complexity. Crypto projects generally work hard to secure users’ funds, and DeFi protocols as large as CVX have billions to worry about. Keeping the protocol secure and fixing bugs are key to ensuring user confidence. Last October, for instance, Compound Finance (COMP) fixed a bug that had been plaguing the protocol for some time.

Dozens of Tokens Crumble as DeFi ‘Godfather’ Calls it Quits

Dozens of popular tokens have plunged after Andre Cronje, a prominent DeFi (decentralised finance) developer, decided to stop contributing to the sector, as per a March 6 announcement from his colleague Anton Nell.

Nell shared the news via his personal Twitter saying both he and Cronje were “closing the chapter” of contributing to the DeFi space.

Most of the tokens that crashed in price were associated with the collaboration of Nell and Cronje across DeFi protocols and DApps (decentralised applications).

Fantom (FTM) plunged 17.5 percent, while Yearn.finance (YFI) fell 13 percent and the tokens from Solidly (SOLID), an Automated Market Maker (AMM) that only launched a week ago, went down as much as 75 percent.

DeFi Godfather ‘Closes the Chapter’ in Crypto

Neither Nell nor Cronje gave a specific reason for their departure from the DeFi sector. Nell said only that: “This is not a knee-jerk reaction to the hate received from releasing a project, but a decision that has been coming for a while now.”

Cronje did provide some hints ahead of his departure. Last week he deleted his Twitter and updated his LinkedIn account to reflect he was no longer working at Fantom.

Most users reacted in anger to the duo’s departure and some were pointing fingers at a possible rug. However, The DeFi Edge, a popular member within the crypto Twitter community, defended Cronje’s position by guessing he was “fed up” with the DeFi space – especially after the reception of the SOLID protocol, which he was reportedly left alone to work on, handling the PR, marketing, and the project’s community.

Hundreds of users were spreading FUD about the future of the projects related to Cronje, such as his brainchild Yearn.finance, claiming the project is now “dead”, but they failed to realise he hasn’t worked in the protocol for over a year now and that it has a large team of contributors and developers that backs it up.

The Fantom Foundation said on Twitter that Cronje’s departure doesn’t mean the end of the project, as it was never a one-man team – rather, it has hundreds of developers and contributors building on Fantom.

Tornado Cash Token (TORN) Surges 94% Following Bullish Protocol Updates

The native token for the Tornado Cash protocol (TORN), an Ethereum-based privacy protocol, has surged 94 percent following the launch of its latest network updates.

Tornado Cash is a fully decentralised privacy protocol which enables anonymous transactions on the Ethereum network. The protocol achieves anonymity primarily by breaking the on-chain link between source and destination addresses when transactions are made.

Price Increase Follows Launch Of Relayers

The latest price action for TORN follows the adoption and implementation of the protocol’s 10th on-chain governance proposal, which saw the addition of relayers to the network.

The community voted overwhelmingly in favour of the proposal, which was accepted on February 19. Following the launch of relayers on March 2, the price of TORN spiked from around US$37 to around the US$67 mark.

What Are Relayers?

Tornado Cash relayers are community members who process withdrawal transactions and allow users to send transactions to accounts with no ETH balance – they are considered an important part of the protocol and improve users’ privacy. 

Relayers are compensated for their network services with a small portion of users’ deposits. Anyone can become a relayer, provided they meet the minimum balance requirement of 300 TORN and accept the terms and conditions.

TORN Gaining Momentum

The addition of relayers to the Tornado Cash protocol is a further boost following its integration of ETH layer 2 solution Arbitrum in December 2021, which saw a dramatic decrease in gas fees and improvements in transaction times.

The protocol was also recently assessed by DeFi Safety, which found it to be highly secure – awarding Tornado Cash an overall score of 85 percent.