
‘Smol Brains’ NFTs Worth $1.4 Million Stolen and Then Returned?

TreasureDAO, an NFT trading market built on Arbitrum, has confirmed an exploit in which hackers purchased NFTs listed on the market at zero fees.

Soon after, TreasureDAO advised users to “delist everything” through messages posted on its Discord server, then later informed the community it had identified the issue.

Smol Brains are the most popular NFTs traded on Arbitrum, and 17 were stolen. Based on their listed prices on the TreasureDAO platform, their dollar value was around US$1.4 million.

Many More NFTs Stolen in the Same Exploit, Though Some Were Returned

However, according to analysis by blockchain security and data firm PeckShield, more than 100 NFTs from several collections were stolen from the marketplace.

In a surprise twist, the hackers started to return stolen Smol Brains and other NFTs just hours after the exploit:

The incident echoed the recent experience of NFT marketplace Mintable, which was able to recover three NFTs stolen in a phishing attack on the OpenSea platform last month.


Journalist Reveals How She Identified 2016 DAO Hacker Who Stole 3.6 Million ETH

American crypto journalist Laura Shin, backed by research from blockchain surveillance firm Chainalysis, claims to know the identity of the hacker who drained millions of dollars’ worth of ETH from The DAO in June 2016.

Shin accuses Austrian programmer and former TenX CEO Toby Hoenisch of masterminding the US$60 million hack that precipitated the loss of 3.6 million ETH, worth close to US$10 billion at today’s exchange rate.

Hoenisch Denies the Allegations

Hoenisch has already denied Shin’s allegations, reportedly telling the former Forbes senior editor that her “statement and conclusion [are] factually inaccurate”.

The DAO was one of the world’s first decentralised autonomous organisations, serving as an open-source venture fund platform for crypto projects. It had raised 12.7 million ETH, worth around US$150 million at the time, from crowdfunding.

When it was hacked in 2016, nearly a third of The DAO’s funds were drained. Shin and Chainalysis tracked the movement of the stolen funds, which she says led her to Hoenisch.

“We identify the apparent hacker – he denies it – by following a complicated trail of crypto transactions and using a previously undisclosed privacy-cracking forensics tool,” Shin writes, revealing the tool as having been supplied by Chainalysis.

How the Hack Was Engineered

Shin says that whoever hacked The DAO swapped the stolen ETH for BTC and then sent the latter to a Wasabi wallet, which was used to scramble BTC transactions in a process called “mixing”. But Chainalysis was able to “de-mix” the transactions and trace them to four different exchanges.

Evidence revealed someone had exchanged the BTC for the privacy coin Grin, which was withdrawn to a non-custodial Grin node called “grin.toby.ai”. The name “toby.ai” had been used by Hoenisch on various social media accounts and was one of his email addresses, Shin wrote. The IP address hosting that node also hosted another node called “TenX” – the name of Hoenisch’s former company.

According to Shin, Hoenisch was aware of The DAO’s code and had written blog posts warning of potential hacks. Shin breaks down the 2016 exploit in forensic detail in her new book, The Cryptopians: Idealism, Greed, Lies, and the Making of the First Big Cryptocurrency Craze, published this week.

In December, BadgerDAO became the latest DeFi protocol to be hit by hackers, who siphoned US$120 million worth of cryptocurrencies.


Avalanche-Based DeFi Protocol ‘Polite’ Rugpulls Hours After Launch

Atom Protocol (not to be confused with the Atom token from Cosmos Protocol) has rugpulled investors in the most polite way possible …

‘We Have to Close the Project, Sorry’

Atom Protocol is an Avalanche-based DeFi (decentralised finance) protocol that was shut down this week within a day of launch. At first, the protocol was receiving a lot of hype from the Avalanche community as more participants joined the network and created new nodes:

But it all turned out for the worst. Within a day of launch, the developers of the Atom Protocol had left a message on Twitter saying: “There’s a problem/mistake in contracts, we can’t do anything. We have to close the project, sorry.”

Avalanche Community Blames Assure

The Atom Protocol went through a KYC (Know Your Customer) process, which verifies the identity of the responsible party behind a financial entity, much as banks do. But KYC only verifies who is behind the entity – it doesn’t prevent them from scamming investors.

The Avalanche community is blaming Assure DeFi, the protocol responsible for Atom Protocol’s KYC process. Assure responded by stating the community was “misunderstanding the role of KYC/verification”:

Assure went on to encourage affected users to complete a scam report, which will help it to further investigate the matter.

‘Just Be Polite About It’

This is probably the most blatant rugpull in DeFi history. So much so that some people decided to just laugh at the absurdity of the event:

Always Do Your Own Research

Neither KYC nor audits guarantee that a DeFi project is 100 percent legitimate, so the best way to proceed is to always DYOR (Do Your Own Research), and always invest only what you can afford to lose.

An audit is, however, much more reliable than a mere KYC process. On January 7, blockchain security firm CertiK identified Arbix Finance as a potential rugpull, warning users to stay away from it and its ARBX token.


‘Multichain’ Hack Update: $2.6 Million in Crypto Recovered

Cross-chain router protocol Multichain has recovered nearly 50 percent of funds stolen in last month’s hack, amounting to US$2.6 million in cryptocurrencies.

After a month-long fight against the exploit, the Multichain team has also announced a compensation plan for affected users.

On January 10, blockchain security expert Dedaub alerted Multichain to two vulnerabilities in its liquidity pool and router contracts, affecting eight cryptocurrencies including wrapped ETH (WETH), wrapped BNB (WBNB), Polygon (MATIC) and Avalanche (AVAX):

Multichain Enacts Emergency Damage Control

A week later, the Multichain team advised users to revoke approvals for the vulnerable smart contracts as a means of immediate damage control. However, the warning announcement only encouraged more hackers to try the exploit, resulting in losses exceeding US$3 million:

Risk Remains for Users Yet to Revoke Contract Approvals

Multichain advised that the vulnerability of the liquidity pool had been fixed by upgrading the affected tokens’ liquidity to new contracts, but warned: “The risk remains for users who have yet to revoke approvals for the affected router contracts. Importantly, users themselves have to be the ones to revoke the approvals.”

Late last week, Multichain reported that 4,861 of the 7,962 affected users had revoked approvals while advising the remaining 3,101 addresses to take action as soon as possible. Of the 1,889.6612 WETH and 833.4191 AVAX stolen funds, the team was able to recover 912.7984 WETH and 125 AVAX (worth nearly US$2.55 million and $10,000, respectively).

“However, in spite of our best efforts, a total of 976.8628 WETH has been stolen,” confirmed Multichain. To be eligible for compensation through reimbursement of losses, Multichain asked users to submit a ticket on the website by February 18.
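The revocation step Multichain describes, worked through as an added example that is not Multichain’s own code: rebuild ERC-20 allowances from Approval events, list the ones still open towards a flagged router, and build the approve(spender, 0) calldata that revokes each. The router, owner addresses and Approval events are constructed for illustration.

```python
# Added example (not Multichain's own code): reconstruct ERC-20 allowances
# from Approval events, list the ones still open towards a flagged router,
# and build the approve(spender, 0) calldata that revokes each of them.

# approve(address,uint256) function selector, standard across ERC-20 tokens
APPROVE_SELECTOR = "095ea7b3"
MAX_UINT256 = 2**256 - 1  # the "unlimited" approval many dapps request

# Hypothetical addresses, constructed for illustration only
ROUTER = "0x1111111111111111111111111111111111111111"  # stands in for an affected router
OTHER_SPENDER = "0x2222222222222222222222222222222222222222"
ALICE = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
BOB = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"

# Constructed Approval(owner, spender, value) events for one token, oldest
# first, as an indexer would return them.
SAMPLE_APPROVALS = [
    (ALICE, ROUTER, MAX_UINT256),        # Alice granted an unlimited allowance
    (BOB, ROUTER, 10**18),               # Bob approved 1 token ...
    (BOB, ROUTER, 0),                    # ... and already revoked it
    (ALICE, OTHER_SPENDER, 5 * 10**18),  # unrelated spender, must be left alone
]


def current_allowances(events):
    """Latest Approval value per (owner, spender).

    Approval carries the new total, so the most recent event wins. transferFrom
    spends allowance and not every token emits Approval for that, so this can
    overstate; confirm with allowance(owner, spender) on-chain before
    concluding that nothing is open.
    """
    allowances = {}
    for owner, spender, value in events:
        allowances[(owner.lower(), spender.lower())] = value
    return allowances


def open_exposures(events, flagged_spenders):
    """(owner, spender) pairs with a non-zero allowance towards a flagged spender."""
    flagged = {addr.lower() for addr in flagged_spenders}
    return {
        key: value
        for key, value in current_allowances(events).items()
        if key[1] in flagged and value > 0
    }


def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): selector, left-padded address, zero amount."""
    addr = spender.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError(f"not a 20-byte hex address: {spender}")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64


def revocation_plan(events, flagged_spenders):
    """One (owner, spender, calldata) row per open exposure. The owner has to
    send the transaction themselves: only the owner can change its allowance."""
    return [
        (owner, spender, revoke_calldata(spender))
        for (owner, spender) in sorted(open_exposures(events, flagged_spenders))
    ]


if __name__ == "__main__":
    for owner, spender, data in revocation_plan(SAMPLE_APPROVALS, {ROUTER}):
        print(f"{owner} -> approve({spender}, 0): {data}")
```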


OpenSea Phishing Attack Sees at Least $3 Million Worth of NFTs Stolen

At least US$3 million worth of non-fungible tokens (NFTs) have been stolen in a phishing attack targeting dozens of users of the decentralised marketplace OpenSea.

Attack Unrelated to OpenSea Platform, Says Co-Founder

In a tweet, OpenSea’s CEO Devin Finzer said that the attack wasn’t related in any way to the OpenSea website – it was rather a phishing attack where at least 32 users were tricked into signing a migration authorisation of their NFTs to the hacker’s wallet.

As far as we can tell, this is a phishing attack. We don’t believe it’s connected to the OpenSea website. It appears 32 users thus far have signed a malicious payload from an attacker, and some of their NFTs were stolen.

On February 19, OpenSea announced a smart-contract upgrade that requires users to migrate their NFTs from the Ethereum blockchain to the new set of smart contracts. Failing to do so leaves their old NFT listings inactive.

But four weeks ago, the hackers deployed a smart contract, visible on Etherscan, with the goal of collecting as many signatures as possible from OpenSea users. The OpenSea smart-contract update came at the perfect time for the hackers, as the short deadline for the upgrade gave them a small window of opportunity to deceive users.

The hackers started sending phishing emails to trick users into signing a message that appeared to migrate their NFTs to the new OpenSea smart contract, but instead authorised a transfer to the hacker’s wallet:

Always Double-Check What You’re Signing

After the attack, Finzer warned OpenSea users to always double-check what they’re signing. Affected users are currently dealing with OpenSea Support to investigate the attack:

OpenSea has been in hot water recently due to continuous attacks and bugs found on the platform. On January 4, the platform had to freeze 16 Bored Apes worth US$2.2 million that had been stolen in a phishing attack.

Just a few weeks later, hackers found a bug on the OpenSea platform that allowed them to purchase NFTs at well below market value.


Scam Alert: Beware of Telegram Bots Stealing Your Crypto with One-Time Passwords

Hackers are using Telegram bots to trick users into handing them access to their cryptocurrency accounts. One US citizen lost US$106,000 after a fake phone call from a bot pretending to be from crypto exchange Coinbase.

One-time password (OTP) bots are specifically made for hackers. The customer only needs to enter the victim’s phone number and name, and the bot uses these credentials to stage a phone call posing as a crypto exchange or bank.

Customers pay a monthly fee for the authentication code that lets them operate the bot. Some services cost US$300 per month and offer additional tools, such as live phishing panels, at fees ranging from $20 to $100.

Screenshot of bot. Source: Intel471

The image above is an example of an OTP bot in action, named SMS Buster. According to intelligence firm Intel471, these bots are “remarkably easy to use” and relatively cheap considering the amount of money hackers can pull out:

SMS Buster requires a bit more effort from an actor in order to obtain account information. The bot provides options to disguise a call to make it appear as a legitimate contact from a specific bank while letting the attackers choose to dial from any phone number. From there, an attacker could follow a script to trick a victim into providing sensitive details such as an ATM personal identification number (PIN), card verification value (CVV) and OTP, which could then be sent to an individual’s Telegram account. The bot, used by attackers targeting Canadian victims, gives users the chance to launch attacks in French and English.

Intel471 blog post

Obstetrician Loses $100k

As per a CNBC report, American obstetrician Dr Anders Apgar fell victim to one of these bots after receiving a phone call that seemed legitimate to him, along with a series of banner notifications on his phone informing him his Coinbase account was in jeopardy.

The bot tricked Apgar into thinking his account was in danger, prompting him to enter an OTP code generated by the app on his phone. The code was then forwarded to the bot’s customer, giving them access to Apgar’s account, which held US$106,000 in bitcoin.

A Coinbase representative told CNBC it would never make unsolicited calls to customers:

Coinbase will never make unsolicited calls to its customers, and we encourage everyone to be cautious when providing information over the phone. If you receive a call from someone claiming to be from a financial institution, do not disclose any of your account details or security codes. Instead, hang up and call them back at an official phone number listed on the organisation’s website.

Coinbase representative

Beware of OTP Bots

OTP bots have become popular among hackers because they are easy to use and profitable. They are profitable because most sites and online services use the 2FA (two-factor authentication) model, which requires the user to supply both a password and a verification code (the OTP).

The 2FA model was widely embraced by most websites to protect their users’ accounts. Even if hackers have a user’s password, they still need to enter the verification code sent to the mobile device in order to access the account.

We saw a similar threat two weeks ago, when Crypto News Australia reported on an information-stealing malware called “Mars Stealer”, targeting more than 40 crypto hot wallets, browsers and 2FA plug-ins.


Build DAO Loses $470,000 Through ‘Hostile Governance Takeover’

An unknown actor has taken over the Build Finance DAO by using an inflated number of votes to pass a self-serving proposal, allowing the minting of millions of BUILD and other coins and a subsequent getaway, effectively killing the DAO.

According to a Twitter thread, Build Finance DAO suffered a “hostile governance takeover” with the attacker taking control of the key infrastructure from the DAO. By doing this, the malicious actor was able to wreak havoc on the protocol and drain nearly all of its funds, leaving the community out to dry.

The loss cost the DAO an estimated US$470,000 at the time of the incident. Since then the price of BUILD has tanked after the individual sold more than 1 billion coins into the market, flooding the supply.

BUILD Finance USD price chart. Source: CoinMarketCap

It is with deep regret that we have to inform the community of this total and irrecoverable loss of BUILD DAO treasury assets through the deeds of one malicious actor.

BUILD Finance DAO tweet

What is a Hostile Governance Takeover?

On February 9, a proposal was made to pass full control of the governance contract, minting keys and treasury to a user named ‘Suho.eth’. After a failed first attempt, the attacker took additional steps to hide evidence of the proposal by disabling the gitbooks and proposal bot.

By sneaking the proposal under the radar, the unknown actor used a large supply of tokens to vote the proposal through, gaining total control of the DAO.

With all the access rights, the attacker was able to mint 1.1 billion BUILD tokens as well as drain the liquidity pools on two decentralised exchanges, Balancer and Uniswap. After this, the attacker took a further 130,000 METRIC tokens from the project’s treasury, sold them, and minted an additional 1 billion BUILD tokens.

Since then, the perpetrator has sent a significant amount of funds to Tornado Cash, a mixing service on Ethereum. The funds transferred add up to around 160 ETH, or just over US$500,000 at the time of writing.

A DAO Left With Nothing

After the looting of its treasury and liquidity pools, members of Build Finance tried to make contact with the attacker, but it seems there is no reparation in sight. With such major damage done to the DAO’s liquidity, it would be difficult to continue with its project goals.

We would welcome a discussion in the discord with community members about the way to move forward from this, but it is difficult to see a future for BUILD with only its brand recognition and IP assets, and no liquid treasury.

Build Finance DAO

White Hat Hacker Chooses $2 Million Bug Bounty over ‘Printing Unlimited ETH’

A white hat hacker recently discovered a critical security bug on Optimism – a layer-2 scaling solution on Ethereum – that could have allowed him to exploit a set of smart contracts to print an unlimited amount of Ether (ETH). Instead, the hacker reported the issue to the Optimism team, who rewarded him with US$2 million for discovering the bug.

Jay Freeman, a software engineer who goes by the online handle Saurik, discovered the bug in the project’s fork of Geth (Go Ethereum) – a popular Go implementation of the Ethereum protocol.

The Optimism team admitted in a blog post that the bug had been previously triggered by an Etherscan employee, and that it had gone unnoticed.

Analysis of Optimism’s chain history showed that the bug was not exploited. A fix for the issue was tested and deployed to Optimism’s Kovan and Mainnet networks (including all infrastructure providers) within hours of confirmation.

Optimism blog post

Freeman provided an in-depth account of the discovery in a separate blog post. “Exploiting this bug enables the attacker to have access to an effectively unbounded number of tokens,” he said.

White Hat Hacker Saves the Day

‘White hat hacker’ is the term for an ethical hacker who uses their skills to identify and report security issues in hardware, software or networks instead of exploiting them.

The Optimism community praised Freeman for his detective work and for reporting the bug instead of taking advantage of it, which could have spelled disaster for the platform:

While the DeFi community is filled with malicious actors waiting for their opportunity to attack, there are also numerous examples of white hat hackers working towards the greater good of the community.

Decentralised exchange SushiSwap, for example, would almost have gone dark if it were not for the collective effort of a group of white hat hackers that prevented a potential US$350 million heist.

In December, popular Ethereum-based layer 2 scaling solution Polygon rescued all of its MATIC tokens – worth around US$24 billion – thanks to a white hat hacker who had discovered a security bug on the protocol, leading to a hard fork on the Polygon sidechain.


Bitfinex Token LEO Soars 60% Amid BTC Seizure from 2016 Hack

Bitfinex’s UNUS SED LEO token (LEO), an altcoin most had forgotten since it launched in 2019, has just surged 60 percent in value following the seizure of almost US$4 billion in Bitcoin lost in an infamous 2016 hack.

LEO Price Hits All-Time High

LEO went from trading at US$4.97 to US$8.04, according to data from CoinMarketCap, reaching an all-time high. The price has settled since to US$6.84, but the surge seems to be related to the seizure of stolen crypto assets that formerly belonged to Bitfinex users.

On February 8, the US Department of Justice announced it had recovered 94,000 BTC stolen in the infamous hack of the crypto exchange Bitfinex. The 2016 hack saw 119,754 BTC stolen, worth about US$72 million at the time. The value of the stolen crypto is now almost worth US$4 billion. On February 1, an estimated US$3.5 billion in BTC was moved from wallets associated with the hack into a single wallet, alerting authorities to the stolen Bitfinex BTC.

Bitfinex CTO Paolo Ardoino took to Twitter to express his gratitude:

Deputy Attorney General Lisa Monaco said in a statement: “Today’s arrests, and the department’s largest financial seizure ever, show that cryptocurrency is not a safe haven for criminals.” The statement also named Ilya Lichtenstein and Heather Morgan as the two culprits charged with attempting to launder the stolen property.

According to the FBI, Morgan and her husband Lichtenstein spent part of the proceeds on gold, NFTs and other items. Each faces up to 25 years in federal prison should they be convicted.

LEO Buys Back

In 2019, Bitfinex sold its LEO token and raised US$1 billion in 10 days. The token is a basic exchange utility token, so using it on Bitfinex lowers trading fees. However, LEO has an additional unique property: according to its whitepaper, the firm pledged to use most of any BTC recovered from the hack to purchase LEO on the open market and then burn it.

The whitepaper indicates: “Bitfinex and its subsidiaries will use an amount equal to at least 80 percent of the recovered net funds from the Bitfinex hack …. to repurchase and burn outstanding LEO tokens.”

The whitepaper also gives the firm 18 months to dispose of the BTC, thereby allowing it to do so at a time-weighted average price rather than shock the market with one giant sale.

In a statement following the news of the seizure, Bitfinex said: “We want to express our appreciation for the dedication and hard work by the DoJ team that led to this great success. We will continue to support their efforts.”

LEO comes from the Latin phrase “unus sed leo”, a line from Aesop’s fable The Lioness, whose moral is quality over quantity. If all goes according to plan, there will soon be considerably fewer LEO tokens in circulation.


Polygon DeFi Protocol ‘QiDao’ Exploited for $13 Million

Another day, another DeFi hack. This time the target was QiDao’s Superfluid vesting contract. User funds on QiDao contracts remain safe, as the exploit was “solely on Superfluid”, as the Polygon-based DeFi protocol tweeted on February 8:

The QiDao protocol allows users to borrow stablecoins against their crypto holdings at zero percent interest. Hackers were able to get away with more than US$13 million in various tokens including QI, WETH, USDC, SDT, MOCA, STACK, sdam3CRV, and MATIC. Rumour has it the stolen funds included team-vested tokens and might have belonged to some of the early backers of the project.

Dump Leads to 65% Price Plunge

The hackers behind the attack started dumping stolen QiDao on the QuickSwap decentralised exchange with high slippage, leading to a 65 percent decline in the price of the governance token:

The QiDao chart felt the pain as the price took a steep nosedive, dropping 68.05 percent in minutes, as reported by @PeckShieldAlert. According to CoinGecko, QI dropped sharply from US$1.24 to $0.18. Impressively, investors bought the dip and the price recovered to $0.80 by press time.

Qi price dip and recovery. Source: CoinGecko

On February 1, Crypto News Australia reported that Qubit Finance had suffered a US$80 million loss in a protocol exploit. With the world of DeFi still in the early stages of development, hacks such as this are common news.