Episodes
-
Show notes: https://wolfdefi.com/i-degen/e22-ethereum-merge-security-with-david-theodore/
-
Full show notes: https://wolfdefi.com/i-degen/e21-gala-games-gets-owned-by-a-whitehat/
-
Did you miss an episode?
-
Full show notes: https://wolfdefi.com/i-degen/e20-team-finance-hacked-profanity-hacks-continue/
-
Full show notes can be found here.
Be on the lookout for a new I, Degen Sequence on Zeevo in the next few days 😉
Stay up, fren.
-
Full show notes on WolfDeFi.com 💀
-
Full show notes on HackMD
I, Degen - E17: OPSEC at DEVCON 6 - 10/06/2022
Listen at: idegen.fm
Contact us: @idegenfm
Intro
Welcome to I, Degen - A podcast about crypto technology, security, and culture. With a healthy balance of enthusiasm and skepticism, we dig into a weekly look at crypto, cutting through the misinformation and hype in search of signal in the noise.
Episode Summary
This week we’ll do our usual weekly review of crypto security-related topics. We’re going to dig into the issue of conference OPSEC, or operational security, as we’re less than a week out from Ethereum’s flagship developer conference, and rumors swirl about security concerns in Bogota.
I,Degen - Weekly Review
Sunday, October 2nd - Transit Swap users rocked for $21M
Transit Swap has lost $21M to a vulnerability which allowed an unknown attacker to drain the wallets of users who had approved the protocol’s swap contracts.
Leading up to Ethereum’s flagship developer conference being held in Bogotá, Colombia next week, a wave of Tweets and some articles surfaced questioning the safety of conference-goers. FUD or legit concern? We’ll dig more into this in the deep dive in a few minutes.
Office of the National Cyber Director requests your insight and expertise on cyber workforce, training, and education
Our nation continues to face a significant shortfall in cyber talent, with estimates of approximately 700,000 open positions.
October 1st, 2022 - No Digital Dollar Act introduced - from Bitcoin.com
U.S. Senator James Lankford (R-OK) announced Thursday that he has introduced a bill titled “No Digital Dollar Act to prohibit the U.S. Treasury and the Federal Reserve from interfering with Americans using paper currency if a digital currency is adopted and makes certain individuals can maintain privacy over their transactions using cash and coins.”
October 4th, 2022 - From Axios - Why Kim Kardashian got fined and Matt Damon didn’t
Kim Kardashian was fined $1.26 million Monday for touting crypto schemes — even as much more high-profile pitches from the likes of Matt Damon and Larry David have gone unpunished.
The seeming double standard is a function of a subtle yet crucial distinction in securities law.
Where Kardashian crossed the line was when she endorsed a crypto asset security.
How it works: If you’re endorsing a company, the only rules that apply are the relatively lax ones from the FTC.
If you’re shilling a security, then disclosing that you were paid — as Kardashian did with an #AD hashtag — is not enough; you also need to disclose how much you were paid.
The bottom line: If you’re going to tout crypto, tout a crypto company, not a coin.
Moving on… Usually, we focus on looking back at crypto security-related events of the previous week. I thought maybe we could also highlight any relevant upcoming events each week.
I, Degen - Looking Forward
Devcon next week - There will be a keynote talk on the Nomad Bridge hack. I think there will be a live stream if you are not attending.
November 15th, PyChain - The first virtual event for Python and blockchain developers
Call for speakers is open
Free tickets
I, Degen - Deep Dive
A wave of Tweets and some articles surfaced questioning the safety of conference-goers leading up to Ethereum’s flagship developer conference in Bogotá, Colombia, next week.
Veteran Devcon attendees will remember a similar panic from previous events, including Devcon III in Cancun, Mexico, where
Is this FUD or a legit concern? Let’s dig in.
Question: Is this a credible threat, in which there is a concentrated effort to target Devcon attendees, or is this FUD?
If we follow the Tweets, the picture is unclear.
This year’s Devcon security panic seems to have started with news outlets picking up a tweet from crypto_mackenna.
However, it’s worth noting that the article in question doesn’t mention crypto_mackenna’s follow-up Tweet reply on that same day, which balances the original Tweet.
There were also some sensational crypto influencer tweets that we’ll ignore, mainly because they are purely opinion-based, don’t provide any credible evidence of a threat, and are likely just ego-feeding clout farmers. I mention them because it is essential to understand and acknowledge that they play into the overall perception and conversation, even if they hold little substance and merit.
Staying safe at Devcon in Bogota Twitter threads:
- @lililashka
- @camiinthisthang
Good OPSEC at conferences in general
While those are important and contain good information relevant to staying safe in Bogota, I thought it might be helpful to dig deeper and tap into the wealth of existing information on conference OPSEC.
OPSEC for Defcon #1 from Darkangle.net
Before we continue, you should understand that everyone’s security needs are not the same.
ZW: What is the personal threat model? Most crypto people don’t need to defend against nation states.
Maintaining custody of your devices is a sound defense from parties that would seek to make modifications to your equipment or outright steal your hardware. This means of security only requires you to make sure you know where your stuff is, and whose handl... -
Listen at: idegen.fm
Contact us: @idegenfm
Episode Summary
This week we discuss the draft of the US House’s stablecoin bill and the CFTC’s $250k fine for bZx & the Ooki DAO. We talk about the 0xBAD MEV bot getting owned, and we dig into the recent paper on reversible ERC20 and ERC721 transactions.
I, Degen - Weekly
9/20/2022 - From CryptoBriefing - US House proposes stablecoin bill that would put a two-year ban on algorithmic stablecoins
U.S. lawmakers are reportedly drafting a bill to place a two-year ban on certain stablecoins.
The House Stablecoin Bill would target “endogenously collateralized stablecoins.”
The bill would allow both banks and non-banks to issue stablecoins. However, bank issuers would need approval from federal regulators such as the OCC. As for non-bank issuers, the legislation directs the Federal Reserve to establish a process for making application decisions.
The House Stablecoin Bill would make it illegal to issue or create new stablecoins that mimic the functionality and features of TerraUSD.
NOTE: This is an early draft, not final, so take it for what it is.
$2M in assets seized from Whitby, Ont. man
Aiden Pleterski, who calls himself “Crypto King,” had $2 million of assets seized: a Lamborghini, two McLarens, and two BMWs.
Pleterski was reportedly given $35 million by 140 investors.
Now, he’s being sued by former investors in a bankruptcy proceeding and two civil lawsuits.
Investors told the publication that at least $35 million given to Pleterski’s company, AP Private Equity Limited, went missing.
No criminal charges yet.
9/22/2022 - CFTC press release
By transferring control to a DAO, bZeroX’s founders touted to bZeroX community members the operations would be enforcement-proof—allowing the Ooki DAO to violate the CEA and CFTC regulations with impunity, as alleged in the federal court action.
–> CFTC Penalizes Blockchain Protocol $250K, Files Action Against Successor DAO
9/27/2022 - Coindesk The CFTC Served Ooki DAO Papers by Posting Them in an Online Discussion Forum
Members of Ooki DAO – which operates a protocol that offers illegal, off-exchange tokenized margin trading and lending services – were notified of the lawsuit when a CFTC paralegal posted the complaint and other documents to an online discussion forum meant for DAO members to discuss governance issues, a CFTC attorney claimed in a court filing. The documents were simultaneously submitted through a help chat box on the DAO’s website.
--> CoinDesk
Terra Luna saga continues --> Interpol issues Red Notice for Do Kwon
Reddit user claims Gemini shut down their account because they interacted with the Wasabi BTC mixer
Lazarus hacker group targets macOS users with fake Crypto.com job postings
China busts ring of 93 people for allegedly laundering more than $5B
The “9.15” gang
4 years of operation
The group, in operation since 2018, also facilitated the cashing of illicit funds from fraud, gambling, and other crypto-related activities into U.S. dollars to eliminate traces of illegality.
Binance launches Global Law Enforcement Training Program to help LE fight cyber crime
0xBAD MEV bot gets owned
I, Degen - Deep Dive
Tracking a separate doc with notes on the ERC20R paper here
I, Degen - Freestyle Convo
Dear Redditors: If you torture the data long enough, it will confess to anything
First Chess, now Poker…
I, Degen - Hack Attempt of the Week
GitHub key scraper - This is not new, but it’s never a bad idea to have a reminder: be careful what you commit to your repos.
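A concrete version of that reminder, added here as an example (it is not tooling from the show, nor GitHub’s own scanning): a small pre-commit scanner that refuses a commit containing credential-shaped strings. It combines fixed-format regexes (which scrapers use too) with a Shannon-entropy check on generic KEY/TOKEN/SECRET assignments. The rule names, the entropy threshold and the sample file contents are my own choices; the AWS key ID in the sample is Amazon’s documented placeholder, and the 64-hex value is a constructed pattern, not a real key.

```python
"""Pre-commit secret scan: the check a GitHub key scraper hopes you skipped.

Added example, not the podcast's tooling. Flags fixed-format credentials by
regex and generic KEY/TOKEN/SECRET assignments by Shannon entropy. The SAMPLE
below is constructed for the demo (the AWS key ID is Amazon's documented example).
"""
import math
import re
import subprocess
import sys
from collections import Counter

# Fixed-format credentials: cheap regexes with low false-positive rates.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # 64 hex chars only count when labelled as a key: a bare 64-hex string is just
    # as likely a tx hash, and flagging every hash trains people to ignore the hook.
    "eth_private_key": re.compile(
        r"(?i)(?:private[_-]?key|privkey|secret)\s*[=:]\s*[\"']?(?:0x)?([0-9a-f]{64})\b"),
}
# Generic secret-looking assignment: SOME_KEY = "<20+ chars of base64/hex-ish>"
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD)[A-Z0-9_]*)"
    r"\s*[=:]\s*[\"']?([A-Za-z0-9+/=_\-]{20,})")
ENTROPY_THRESHOLD = 3.5  # bits/char: random hex sits near 4, base64 near 5, prose below


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, path: str = "<stdin>") -> list[dict]:
    """One finding per (line, rule): {"path", "line", "rule", "match"}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "match": m.group(0)[:20] + "..."})
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append({"path": path, "line": lineno,
                             "rule": "high_entropy_assignment", "match": m.group(1)})
    return findings


def scan_staged() -> list[dict]:
    """Scan the blobs staged for commit; wire this up as .git/hooks/pre-commit."""
    names = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                           capture_output=True, text=True, check=True).stdout.split()
    findings = []
    for name in names:
        blob = subprocess.run(["git", "show", f":{name}"], capture_output=True,
                              text=True, errors="replace", check=True).stdout
        findings.extend(scan_text(blob, name))
    return findings


# Constructed sample: what a careless .env / config commit tends to look like.
SAMPLE = """\
# constructed sample, not real credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
PRIVATE_KEY = "0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"
tx_hash = "0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"
DB_PASSWORD = "changeme"
-----BEGIN EC PRIVATE KEY-----
"""

if __name__ == "__main__":
    hits = scan_staged() if "--staged" in sys.argv else scan_text(SAMPLE, "sample.env")
    for h in hits:
        print(f"{h['path']}:{h['line']}: {h['rule']} ({h['match']})")
    sys.exit(1 if hits else 0)  # a non-zero exit from a pre-commit hook aborts the commit
```

Run it with no arguments to see the sample flagged (the AWS key, the labelled private key and the PEM header; the identical hex on the tx_hash line is not reported), or with --staged from a pre-commit hook. Note the deliberate gap: a short, low-entropy password such as "changeme" is not caught by an entropy rule, so the scanner complements, rather than replaces, keeping secrets out of the tree in the first place.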
[[[Outro]]]
We do our best to report accurately on the topics we discuss but we’re not always going to get everything right. Please comment here or reach out to us @idegenfm with corrections or comments!
Full show notes on hackmd @ https://hackmd.io/@idegen/E16-Reversible-ERC20-ERC721
-
Listen at: idegen.fm
Contact us: @idegenfm
Episode Summary
In this episode, we hunt for Do Kwon and look at the White House’s comprehensive framework for the responsible development of digital assets. Then we look into Wintermute’s $160M key generation issue. We discuss emerging post-merge Ethereum narratives and the Omni bridge replay attack. We also get into an IRL customs scam for our hack attempt of the week.
I,Degen - Weekly
9/14/22 - South Korean court issues arrest warrant for Terra Luna founder Do Kwon [2]
The wanted crypto developer Do Kwon, who is accused of fraud by investors following the $45 billion (€45 billion) collapse of his cryptocurrencies Luna and TerraUSD, is reportedly trying to evade South Korean authorities.
Prosecutors have accused Kwon of financial fraud, arguing that his TerraUSD stablecoin was a kind of investment security under South Korea’s capital markets act [2]
Kwon moved from South Korea to Singapore, where the now-defunct stablecoin issuer Terraform Labs, which he co-founded, has a base. However, Singapore Police Force said on Saturday he is currently not in the city-state.
South Korean prosecutors told Bloomberg in a text message on Monday that there has been “circumstantial evidence of escape” since he left Singapore. The media outlet said prosecutors declined to comment on whether the office knows of Kwon’s whereabouts or if it will contact the international police agency Interpol.
Last week, Kwon was charged with violating the Capital Markets Act, and an arrest warrant was issued for him and five others allegedly connected to the case who were believed to be in Singapore.
– EuroNews
White House releases comprehensive framework for responsible development of digital assets
Over the past six months, agencies across the government have worked together to develop frameworks and policy recommendations that advance the six key priorities identified in the EO: consumer and investor protection; promoting financial stability; countering illicit finance; U.S. leadership in the global financial system and economic competitiveness; financial inclusion; and responsible innovation.
The nine reports submitted to the President to date, consistent with the EO’s deadlines, reflect the input and expertise of diverse stakeholders across government, industry, academia, and civil society. Together, they articulate a clear framework for responsible digital asset development and pave the way for further action at home and abroad.
Protecting Consumers
Still, sellers commonly mislead consumers about digital assets’ features and expected returns, and non-compliance with applicable laws and regulations remains widespread. One study found that almost a quarter of digital coin offerings had disclosure or transparency problems—like plagiarized documents or false promises of guaranteed returns.
The reports encourage regulators like the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC), consistent with their mandates, to aggressively pursue investigations and enforcement actions against unlawful practices in the digital assets space.
The reports encourage the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC), as appropriate, to redouble their efforts to monitor consumer complaints and to enforce against unfair, deceptive, or abusive practices.
The reports encourage agencies to issue guidance and rules to address current and emergent risks in the digital asset ecosystem. Regulatory and law enforcement agencies are also urged to collaborate to address acute digital assets risks facing consumers, investors, and businesses. In addition, agencies are encouraged to share data on consumer complaints regarding digital assets—ensuring each agency’s activities are maximally effective.
The Financial Literacy Education Commission (FLEC) will lead public-awareness efforts to help consumers understand the risks involved with digital assets, identify common fraudulent practices, and learn how to report misconduct.
Advancing Responsible Innovation
The Office of Science and Technology Policy (OSTP) and NSF will develop a Digital Assets Research and Development Agenda to kickstart fundamental research on topics such as next-generation cryptography, transaction programmability, cybersecurity and privacy protections, and ways to mitigate the environmental impacts of digital assets.
Quite a bit more to the report.
And the Forbes Headline reads…
Joe Biden Just Sent A Stark Warning To Bitcoin And Crypto After $2 Trillion Price Crash
What is your narrative?
What do the machines think?
June 9th, Wintermute OP issue: https://rekt.news/wintermute-rekt/ and now this: https://rekt.news/wintermute-rekt-2/
Let’s start with a story that broke on September 14th. The community of 1inch, a DEX aggregator protocol, discovered an issue with Profanity, an Ethereum vanity address generator tool.
Even worse, the possibility of this issue was raised on the Profanity GitHub on January 17th, 2022.
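To show why the Profanity finding mattered, here is an added example (not Profanity’s code and not the show’s): a toy vanity-key generator that, like the tool as described in the 1inch disclosure, expands a small PRNG seed into its starting private key and then walks forward until the pattern matches, followed by the attacker’s recovery of that private key from the public key alone. SEED_BITS, TARGET, MAX_STEPS and the function names are assumptions made for the demo (the real tool used a 32-bit seed; the space is shrunk so the brute force finishes in seconds). The curve arithmetic is real secp256k1; Ethereum’s Keccak address step is omitted because it adds work but not entropy, so the pattern is matched on the public key’s x-coordinate instead.

```python
"""Why a 32-bit PRNG seed is fatal for a vanity-key generator.

Added example, not Profanity's code. Models the weakness described in the
1inch disclosure: starting private key = PRNG(seed) with a tiny seed space,
then walk forward until the wanted pattern appears. Anyone who knows the
construction can enumerate every start key. SEED_BITS is shrunk (real tool:
32) so the demo runs in seconds; names are hypothetical.
"""
import random

# secp256k1 domain parameters (the curve Ethereum uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def pubkey(priv: int):
    """priv * G by double-and-add."""
    result, addend, k = None, G, priv % N
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


SEED_BITS = 12   # assumption for the demo; the real tool had 32
TARGET = "0"     # vanity criterion: hex of the pubkey x-coordinate starts with this
MAX_STEPS = 256  # how far the tool walks from its start key before giving up


def starting_key(seed: int) -> int:
    """The flaw: 256 bits of key material expanded deterministically from a tiny seed."""
    return random.Random(seed).getrandbits(256) % N or 1


def vanity_generate(seed: int):
    """What the tool does: start at starting_key(seed), increment until the pattern hits."""
    k = starting_key(seed)
    pub = pubkey(k)
    for _ in range(MAX_STEPS):
        if f"{pub[0]:064x}".startswith(TARGET):
            return k, pub
        k, pub = k + 1, point_add(pub, G)  # (k+1)*G == k*G + G: one cheap addition per step
    raise RuntimeError("no match within MAX_STEPS")


def recover_private_key(victim_pub):
    """Attacker: replay every possible start key and walk it the same way.
    Worst case 2**SEED_BITS scalar multiplications plus cheap point additions."""
    for seed in range(2 ** SEED_BITS):
        k = starting_key(seed)
        pub = pubkey(k)
        for _ in range(MAX_STEPS):
            if pub == victim_pub:
                return k
            k, pub = k + 1, point_add(pub, G)
    return None


if __name__ == "__main__":
    victim_seed = 321  # constructed: whatever the OS random source handed the victim
    priv, pub = vanity_generate(victim_seed)
    print(f"victim vanity pubkey x = {pub[0]:064x}")
    print(f"recovered private key  = {recover_private_key(pub):064x}")
```

The cost of the attack is 2**SEED_BITS scalar multiplications, not 2**256: with the real 32-bit seed that is a few GPU-days, which is exactly why "my key is 256 bits" was no comfort to Profanity users. Any generator whose key material is a function of a short seed has the same shape, regardless of how good the curve is.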
Why didn’t Wintermute act when the Profanity issue was raised with proof six days ago? Well, they did:
Around the time that the disclosure happened, Wintermute removed all ether from an admin address which suggests that they realized it might have been vulnerable. However, they forgot to remove this address as an admin from their vault.The attacker is likely a seasoned hacker/solidity developer. They created a helper contract, deposited stables into curve to avoid blacklisting, and figured out this vulnerability in a closed sourced vault contract in the first place.
– Mudit’s Blog
The stolen funds were mostly various stablecoins, totalling $118.4M. The majority of these were deposited into Curve’s 3pool, presumably in an attempt to avoid any blacklisting.
The exploiter is now the 3rd largest holder of 3CRV with over 13% of the supply.
I, Degen - Deep Dive
Reflecting on the merge ETH?
Ethereum itself
Social Attacks - Narrative-based attacks in crypto. We tend to think about FUD...
-
I, Degen - E14: All Eyes On Ethereum - 9/11/2022
Listen at: idegen.fm
Contact us: @idegenfm
Full show notes with images on HackMD - https://hackmd.io/@idegen/E14-All-Eyes-On-Ethereum
Episode Summary
All eyes are on Ethereum - we are now less than four days out from the merge. We’ll talk about some possible scenarios the merge might bring and what you can do to stay safe during the merge. We’ll also look into recent updates on the Tornado Cash sanctions, a new report on fraudulent crypto trading volume, and other crypto security-related news.
I,Degen - Weekly
Cryptosphere
From August 23rd: SudoRare, a LooksRare clone, rugs $820K after just 6 hours of operation. Rugged funds likely moved to a KYC’d address on Kraken.
SudoRare, an NFT platform that forked from SudoSwap and LooksRare, is just the latest crypto project to run off with users’ funds. The project also deleted all of its social media accounts Tuesday morning.
- Coinbase launches liquid staking derivative (LSD) cbETH ahead of the merge - [1][2][3]
Earn $1M if you can find a good bug in Ethereum before the merge
August 26th, 2022 - Taliban outlaws crypto in Afghanistan and begins arresting sellers that refused to comply - Bloomberg article
Password manager LastPass had its developer systems hacked to steal source code
According to Forbes, more than half of all Bitcoin trades are ‘fake’
The U.S. Commodity Futures Trading Commission defines wash trading as “entering into, or purporting to enter into, transactions to give the appearance that purchases and sales have been made, without incurring market risk or changing the trader’s market position.” The reason why some traders engage in wash trading is to inflate the trading volume of an asset to give the appearance of rising popularity. In some cases trading bots execute these wash trades in tokens, increasing volume, while at the same time insiders reinforce the activity with bullish remarks, driving up the price in what is effectively a pump and dump scheme. Wash trading also benefits exchanges because it allows them to appear to have more volume than they actually do, potentially encouraging more legitimate trading.
“Fraudulent or non-economic”
The biggest problem areas regarding fake volume are firms that tout big volume but operate with little or no regulatory oversight that would make their figures more credible, notably Binance, MEXC Global and Bybit. Altogether, the lesser regulated exchanges in our study account for approximately $89 billion of the true volume (they claim $217 billion).On Forbes method:
We apply volume discounts based on a proprietary methodology that relies on 10 factors such as an exchange’s home regulator if any and volume metrics based on an exchange’s web traffic and estimated workforce size.
So, private trading firms’ numbers are being estimated by a proprietary methodology.
Worth noting, the Bitwise study from early 2019 said 95% of BTC trading was fake… so it’s getting better.
In case you’re interested in this topic, here is another nice paper from 2019 that talks about fake BTC trading
Spoiler! New Netflix show on John McAfee raises questions about his death - supposedly he called his ex-girlfriend after his ‘death’ to say he faked it.
Australia establishes federal crypto police
Launched in August, the unit will help combat crypto criminals by targeting their assets and providing investigative tracing capability and insight to other AFP authorities.
The new crypto unit will operate as part of its Criminal Assets Confiscation Taskforce (CACT), which has been seizing illicit crypto funds since 2018, but without a dedicated standalone team.
The Australian Federal Police have confiscated over AU$600 million (US$408 million) in illicit funds and property since 2020, and though the amount of crypto funds seized was small compared to “traditional” criminal assets, the additional focus helps provide intelligence insights.
Solana didn’t go down this week - a high TPS spike of the kind that might have caused a network outage before didn’t cause one this time.
September 5th - withdrawals frozen at crypto mining firm Poolin because of a lack of liquidity - from The Block.
Poolin, one of the world’s biggest crypto mining pools, is suspending bitcoin and ether withdrawals from its wallet service due to “liquidity problems.”
And now, from September 9th: Bitcoin hash rate cut in half as miners leave
This is significant because 1) Poolin is a China-based mining pool service, operating in China after the mining ban, and 2) the pool was estimated to have roughly 10% of the hash rate before withdrawals were suspended.
Flash loan used against the single NXUSD market on Nereus
At approximately 10:30 PM UTC on September 6th, the Nereus team notified the community of an incident through the community Discord; this was later picked up by CertiK and other on-chain analysis groups and reported broadly as a flash-loan exploit resulting in a $371k gain.
An exploiter was able to deploy a custom smart contract that leveraged a $51M flash loan to manipulate the AVAX/USDC Trader Joe LP pool price for a single block, resulting in the ability for the exploiter to mint 998,000 NXUSD against ~$508k worth of collateral.
In the hours that followed, Nereus quickly consulted s...
-
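The Nereus NXUSD incident in the E14 weekly above is the textbook spot-price-oracle attack. As an added example (constructed numbers; not Nereus’s, Trader Joe’s or CertiK’s code), this simulation runs the same single-block sequence against a lending market that quotes the AMM’s instantaneous reserve ratio, then against one that quotes a ten-block TWAP. Pool size, loan size, LTV, collateral and all class and function names are assumptions for the demo.

```python
"""Flash-loan spot-price manipulation versus a TWAP oracle.

Added example, not Nereus's, Trader Joe's or any audited code. Same shape as
the NXUSD incident: borrow, push the AMM spot price within one block, mint
against the inflated collateral value, unwind, repay. All numbers constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ConstantProductPool:
    """x*y = k pair, AVAX/USDC. Amounts in whole tokens for readability."""
    reserve_avax: float
    reserve_usdc: float
    fee: float = 0.003

    def spot_price(self) -> float:
        """USDC per AVAX read straight from reserves: cheap, and movable within one block."""
        return self.reserve_usdc / self.reserve_avax

    def swap_usdc_for_avax(self, usdc_in: float) -> float:
        usdc_eff = usdc_in * (1 - self.fee)
        avax_out = self.reserve_avax * usdc_eff / (self.reserve_usdc + usdc_eff)
        self.reserve_usdc += usdc_in
        self.reserve_avax -= avax_out
        return avax_out

    def swap_avax_for_usdc(self, avax_in: float) -> float:
        avax_eff = avax_in * (1 - self.fee)
        usdc_out = self.reserve_usdc * avax_eff / (self.reserve_avax + avax_eff)
        self.reserve_avax += avax_in
        self.reserve_usdc -= usdc_out
        return usdc_out


@dataclass
class TwapOracle:
    """Average of end-of-block prices. A trade inside the current block is not in
    the window until the block closes, so a one-block pump never reaches the quote."""
    window: int = 10
    closed_block_prices: list = field(default_factory=list)

    def close_block(self, price: float) -> None:
        self.closed_block_prices.append(price)

    def price(self) -> float:
        recent = self.closed_block_prices[-self.window:]
        return sum(recent) / len(recent)


@dataclass
class LendingMarket:
    """Mints an NXUSD-like stable against AVAX collateral at a fixed LTV."""
    ltv: float = 0.75

    def max_mint(self, collateral_avax: float, oracle_price: float) -> float:
        return collateral_avax * oracle_price * self.ltv


def attack(pool, oracle_price, market, loan_usdc, collateral_avax, fair_price):
    """Single-block sequence. Returns the attacker's net USDC; negative means it fails."""
    avax_bought = pool.swap_usdc_for_avax(loan_usdc)           # 1. pump AVAX with the flash loan
    minted = market.max_mint(collateral_avax, oracle_price())   # 2. mint against the quoted price
    usdc_back = pool.swap_avax_for_usdc(avax_bought)           # 3. dump; price returns near fair
    # 4. repay the loan, abandon the collateral, keep the minted stable (about 1 USDC each)
    return minted + usdc_back - loan_usdc - collateral_avax * fair_price


def simulate(use_twap: bool) -> float:
    pool = ConstantProductPool(reserve_avax=1_000_000, reserve_usdc=20_000_000)  # 20 USDC/AVAX
    fair = pool.spot_price()
    twap = TwapOracle()
    for _ in range(10):                       # ten quiet blocks before the attack block
        twap.close_block(pool.spot_price())
    oracle = twap.price if use_twap else pool.spot_price
    return attack(pool, oracle, LendingMarket(), loan_usdc=51_000_000,
                  collateral_avax=25_400, fair_price=fair)    # ~$508k of collateral at fair


if __name__ == "__main__":
    print(f"spot-price oracle: attacker nets {simulate(False):,.0f} USDC")
    print(f"TWAP oracle:       attacker nets {simulate(True):,.0f} USDC")
```

With the spot oracle the attacker clears several million USDC on ~$508k of abandoned collateral; with the TWAP the round-trip swap fees and the forfeited collateral exceed what the market will mint, and the same transaction loses money. The flash loan is not the bug; a quote that can be moved and read in the same block is.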
I, Degen - Episode 13 - Open Source Audio Audit with Kevin Seagraves & Zach Herring from Niftyapes.money
If you have a moment, please check out episode 13 I, Degen sequence on Zeevo. Give your feedback on the show, and we'll mint you a custom token of appreciation 🙏
Listen at: idegen.fm
Contact us: @idegenfm
Intro
On this episode of I, Degen we chat with Kevin Seagraves and Zach Herring from Niftyapes. They recently came out of stealth mode to launch their NFT lending platform and bravely agreed to an open-source audio audit with us.
Welcome to I, Degen, gentlemen, and thanks for taking the time to chat with us. Before we jump into the audit, can you tell us a bit about yourselves and what NiftyApes is?
Intros Kevin Seagraves & Zach Herring:
Who are we talking to?
Tell us about your background and how you built an NFT lending platform.
For KS: Can you tell us more about your work with ETHSecurity?
Hunt questions:
Intro NiftyApes:
What is NiftyApes?
How does it work?
Why did you build it?
Who’s gonna use it?
What is a Harberger auction?
When is the release?
Let’s talk about the “regen” side of NiftyApes and the 1%? that goes to public goods. Why was it essential for you to do this?
Open Source Audit:
Security audits are expensive and rarely a priority for founders. This is especially dangerous when it comes to Defi apps and protocols, given the natural ability of an attacker to take something of value.
The idea for our Open Source Audit is to help others learn about securing a crypto project by asking some questions about how you’ve approached the security of NiftyApes.
Can you give us a high-level overview of the tech stack? How does NiftyApes look from a zoomed-out view? What web2 components are at play, and what web3?
Can you talk a little bit about your overall approach to securing NiftyApes?
How have you approached the security of your web2 interface?
KS: we only store tx receipts in the DB after a tx has taken place and been confirmed, so the attack surface for us on web2 is low.
3(b). Have you taken steps to ensure your DNS records are secure?
Contract audits - Can you give us an overview of your process with the contract audits?
How did you find your auditors?
What was the process like?
What did they find?
You guys have gone out of your way to make security a priority for NiftyApes (from the front page):
Does NiftyApes have a bug bounty program? If so, how does it work?
Nocoiners and others have been all over a brewing problem at NFT lending platform BendDAO. Specifically, “The NFT lending platform BendDAO has collateralized almost 3% of the entire Bored Ape collection, and many NFTs have recently entered the “danger zone” of liquidation.”
ZW: Would this kind of thing be a potential problem on NiftyApes too?
Game-theoretic bugs are a new and emerging class of attacks in DeFi that don’t necessarily exploit bugs in code but instead bugs in the relationship between the values of pools, balances, and the connected systems.
In the coming years, we will likely look back at this as the golden age of on-chain hacks, where trivial bugs lead to massive payouts for blackhats.
ZW: Are you tracking any risks related to game-theoretic bugs? For example, flash loan attacks?
The unprecedented sanctioning of the Tornado Cash contract addresses by US Treasury in early August has added a new complexity for DeFi developers. What is your take on the sanctions at NiftyApes?
Any advice for crypto founders on developing and deploying more secure projects?
Outro Questions:
Top musical artist you’re listening to right now?
Tech gadget you can’t live without?
Best book you’ve read recently? Or a book that has had a notable impact on you?
Your preferred place for crypto news?
Contact Info for NiftyApes
You can find more info about NiftyApes on their website niftyapes.money or their Twitter @niftyapes.
You can find Kevin Seagraves on Twitter @captnseagraves (https://twitter.com/captnseagraves) and Zach Herring @zherring
Full show notes on hackmd can be found here. -
I, Degen - E12: Ethereum Fights to Remain Censorship Resistant - 8/24/2022
Listen at: idegen.fm
Contact us: @idegenfm
Intro
Welcome to I, Degen - Each week, we track down and explore the most exciting crypto stories. Hacks, mysteries, exploits, and anything that feeds our crypto curiosity. We dig in, cutting through the misinformation and hype in search of a signal in the noise.
Episode Summary
This week we have a bunch of weekly news updates. Then we take a deep dive into the upcoming Ethereum merge and rippling effects on Ethereum protocol level censorship from the OFAC Tornado Cash sanctions.
I,Degen - Weekly Stories
1. The Chicago Mercantile Exchange (CME) Group will launch Ethereum option contracts on its platform on September 12. The company announced that it’s waiting for regulatory review, and if approved, these new investment products will join its ETH futures and mini futures contracts.
2. Alleged Russian money launderer extradited from the Netherlands to U.S.
According to court documents, Dubnikov and his co-conspirators laundered the proceeds of ransomware attacks on individuals and organizations throughout the United States and abroad. Specifically, Dubnikov and his accomplices laundered ransom payments extracted from victims of Ryuk ransomware attacks.
3. Reaper Farm yield aggregator owned
4. TikTok monitoring all keyboard inputs and taps
When you open any link on the TikTok i
OS app, it’s opened inside their in-app browser. While interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, like which buttons and links you click.
5. Wrench attack - 3 men targeted an Indian realtor they knew held bitcoin and abducted him while posing as sellers of a plot of land. They tortured him for 3 hours until he gave them 8 BTC. - [r/CryptoCurrency post]
The victim was not hurt, according to his wife.
The suspects were caught using a trap to lure them back to the kidnapping spot.
Note: These attacks are rare but often receive much media attention. Nonetheless, it’s essential to be aware. Often, you see comments like, “yeah, this is why you keep your crypto a secret!”, which happened on the Reddit post. However, is that advice practical for ‘mainstream adoption’?
6. Hackers steal crypto from Bitcoin ATMs by exploiting zero-day bug - via BleepingComputer, August 20, 2022
Hackers have exploited a zero-day vulnerability in General Bytes Bitcoin ATM servers to steal cryptocurrency from customers.
When customers would deposit or purchase cryptocurrency via the ATM, the funds would instead be siphoned off by the hackers.
The attacker was able to create an admin user remotely via the CAS administrative interface, through a URL call to the page that is used for the default installation on the server and for creating the first administration user. This vulnerability has been present in CAS software since the December 2020 release.
General Bytes official advisory
7. iOS VPNs have leaked traffic for years, Proton CEO says.
Apple was notified more than two years ago.
Claim/issue: any connections established BEFORE activating the VPN are not tunneled.
Janky trick that may or may not fully work: turn on your VPN, then turn airplane mode on and off.
8. U.S. Lawmaker Questions Treasury Over Tornado Cash Sanctions - August 23, 2022, via CryptoBriefing.com
Rep. Tom Emmer (R-MN) raised questions over the decision to sanction Tornado Cash in a letter sent to the Treasury Department today.
Emmer called the ban of a “neutral, open-source, decentralized technology” a “divergence” from historical precedent.
Among other things, Emmer asked what recourse law-abiding users of Tornado Cash may have to claim funds trapped in the protocol.
I, Degen - Deep Dive - The Merge & Ethereum censorship in a post-sanctioned TC world
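Weekly item 6 above (the General Bytes ATM zero-day) is an instance of a recurring bug class: the first-run install page that creates the initial administrator is never switched off, so it keeps creating administrators for whoever calls it. This added example (not CAS code; Request, AppState, bootstrap and the handler names are hypothetical, and the check order and loopback rule are my design choices) shows the vulnerable shape beside a hardened one.

```python
"""Install-page admin creation: the vulnerable shape and a hardened one.

Added example for the General Bytes item above; not the vendor's code. The
bug class: a setup endpoint meant to create the first administrator during
installation stays reachable, unauthenticated, after install. Framework-free;
Request, AppState and the handler names are hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass, field

LOOPBACK = ("127.0.0.1", "::1")


@dataclass
class Request:
    path: str
    remote_addr: str
    params: dict


@dataclass
class AppState:
    admins: dict = field(default_factory=dict)  # username -> credential (stub; hash it for real)
    setup_token: str = ""                       # one-time token, shown on the operator's console


def handle_setup_vulnerable(req: Request, state: AppState) -> tuple[int, str]:
    """The install page as too many products ship it: no check that install already
    ran, no proof the caller is the operator, reachable from any network."""
    user, pw = req.params.get("user"), req.params.get("password")
    if not user or not pw:
        return 400, "missing fields"
    state.admins[user] = pw
    return 200, f"admin {user} created"


def bootstrap(state: AppState) -> str:
    """First start: mint the token the operator must present to the setup page."""
    state.setup_token = secrets.token_urlsafe(32)
    return state.setup_token


def handle_setup_hardened(req: Request, state: AppState) -> tuple[int, str]:
    # 1. Once any admin exists the endpoint ceases to exist. 404 rather than 403,
    #    so a scanner learns nothing about the route.
    if state.admins:
        return 404, "not found"
    # 2. Only someone who can read the host's console/config holds the token.
    #    compare_digest keeps the comparison constant-time; bytes avoids the
    #    ASCII-only restriction on str arguments.
    presented = req.params.get("setup_token", "")
    if not state.setup_token or not hmac.compare_digest(
            presented.encode(), state.setup_token.encode()):
        return 403, "forbidden"
    # 3. During install, loopback only (operator on the box or through an SSH tunnel).
    if req.remote_addr not in LOOPBACK:
        return 403, "forbidden"
    user, pw = req.params.get("user"), req.params.get("password")
    if not user or not pw:
        return 400, "missing fields"
    state.admins[user] = pw
    state.setup_token = ""  # burn the token so it cannot be replayed
    return 200, f"admin {user} created"


if __name__ == "__main__":
    # An installed box; an attacker on the internet hits the setup URL.
    installed = AppState(admins={"ops": "stub"})
    attacker = Request("/setup", "203.0.113.7", {"user": "hacker", "password": "pw"})
    print("vulnerable:", handle_setup_vulnerable(attacker, installed))
    print("hardened:  ", handle_setup_hardened(attacker, installed))
```

The first check is the one that would have stopped the reported attack on its own; the token and loopback checks close the narrower window where the product is installed but not yet configured. A scan of your own fleet is simple: request the install URL from an outside address and treat anything other than a 404 as a finding.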
What is the merge TLDR?
The Merge represents the joining of the existing execution layer of Ethereum (the Mainnet we use today) with its new proof-of-stake consensus layer, the Beacon Chain. It eliminates the need for energy-intensive mining and instead secures the network using staked ETH. A truly exciting step in realizing the Ethereum vision – more scalability, security, and sustainability.- https://ethereum.org/en/upgrades/merge/
What's the problem? OFAC Tornado Cash sanctions fallout continues.
Ethermine, the largest Ethereum pool, has refused to pack Tornado Cash-related transactions into blocks in the past week. Several pool technicians also confirmed the news and said it was the first time in history.— @WUBLOCKCHAIN AUGUST 20, 2022 - https://t.co/XLC3ZjddLR
Individual miners can refuse to include whatever they want, but it has little effect; the transaction just gets into the next block. Need a 51% attack (so, reverting blocks and not just excluding txs) to fully prevent txs from being included.— @VitalikButerin August 19, 2022
The Case for Social Slashing <-- Best dive into Ethereum censorship via OFAC
So, what’s the issue here?
Well, one of the absolute core purposes for blockchains such as Ethereum is to provide neutrality and censorship resistance. That’s why we tolerate that the system is slow and expensive to use at times—because of these unique qualities. A threat to censorship resistance is a threat to the system’s raison d’être.
Other censorship & merge-related stuff
Centralized censorship of privacy protocols outside of Tornado Cash
Recently, FTX froze a user account who sent coins to @aztecnetwork’s zkmoney. According to FTX, Aztec Connect - Aztec network / zk money has been identified as a mixing service, which is a high-risk activity prohibited by FTX. -
show notes here -->https://hackmd.io/@idegen/E11-Acala-hack-and-anti-crypto-sentiment
I, Degen - E11 - Acala Bug Exploited & Exploration of Popular Anti-crypto Sentiment - 8/18/2022
Listen at: idegen.fm
Contact us: @idegenfm
Intro
Welcome to I, Degen - We track down and explore the most exciting crypto hacks, mysteries, exploits, and anything that feeds our crypto curiosity each week. We dig in, cutting through the misinformation and hype in search of a signal in the noise.
Episode Summary
This week we talk about the strange story of an Acala DeFi liquidity pool bug being exploited, leading to the minting of billions of illegitimate aUSD.
We also dive into an articulate Reddit comment that hits on a number of the more popular anti-crypto arguments floating around right now.
I,Degen - Weekly
Coinbase says it will pause deposits and withdraws temporarily during Ethereum merge as a saftey precaution. Stock drops 8%. Bloomberg LawPig Butchering Scams on the rise - Coinbase TripWireSouth Korea to block 16 unregulated exchangesAccording to the report, the law prevents unregistered crypto exchanges from operating without a license, but the 16 firms have been providing crypto services for Koreans and hosting events targeting Koreans.Canadian exchanges limit purchases to 30k a year in altcoins that are not BTC, ETH, LTC and BCHCeler Protocol DNS poisoning“The Celer protocol and smart contracts were not affected during the breach. Celer DNS root record was not compromised and was never modified.”“DNS poisoning can happen to any DeFi app frontend regardless of the protocol’s own security and we strongly suggest the entire blockchain community to turn on Secure DNS option in your web browser to reduce the such possibility to get affected.”I, Degen - Deep Dive Acala
Acala (the ‘DeFi hub’ of Polkadot) bug exploited to mint stablecoins - Rekt, CoinDesk
Anti-crypto sentiment appears to be rising rapidly.
I, Degen - Most creative personal hack attempt of the week?
Zak: nothing too crazy, standard SMS ‘wrong number’ with a mild twist.
We do our best to report accurately on the topics we discuss, but we won’t always get everything right. Please comment here or reach out to us @idegenfm with corrections or comments!
-
https://hackmd.io/@idegen/E10-Tornado-Cash-Sanctioned-Saber-Protocol-Unmasked
I, Degen - E10: Tornado Cash Sanctioned, Saber Protocol Unmasked - 8/11/2022
Listen at: idegen.fm
Contact us: @idegenfm
Intro
Welcome to I, Degen - We track down and explore the most exciting crypto hacks, mysteries, exploits, and anything that feeds our crypto curiosity each week. We dig in, cutting through the misinformation and hype in search of a signal in the noise.
Episode Summary
This week we dive into the unprecedented Tornado Cash sanctions, including the arrest of a suspected developer. We also spent some time on the fascinating story of two brothers that operated 11 anon personas to fake a thriving DeFi ecosystem on Solana with the popular Saber protocol.
Weekly Thought
What’s your crypto narrative, and how is it defined/created?
I,Degen - Weekly
Nomad Bridge Hack Update
- Nomad announces bounty
- CoinTelegraph reports that 88% of the exploiters were copycats
- Excellent technical breakdown by Coinbase Threat Intel
Report of a consensus level attack on Ethereum
Curve.fi DNS hijack results in theft of 570K - some stolen funds frozen on the move, though, by FixedFloat
Ethereum PoS merge scheduled for September 15-16
Master of Anons: How a Crypto Developer Faked a DeFi Ecosystem - from CoinDesk
- The Macalinao brothers used a web of bogus identities to create the illusion of a dev community, juicing value on the Saber protocol and Solana blockchain. Now they’re moving to Aptos.
- Ian Macalinao says that Saber and Sunny comprised $7.5 billion of the total Solana TVL of $10.5 billion at their peak. He believes this contributed to SOL’s meteoric rise when the token reached a record high of $188.
- 11 devs, all the same person
- Protocols built on Saber, used to artificially inflate TVL
- Crypto data website DeFiLlama has changed the way it presents a key decentralized finance (DeFi) metric in response to this news
I, Degen - Deep Dive Tornado Cash Sanctioned
What: U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash
What is TC, and how does it work?
When you deposit your 1 ETH on the contract, you have to provide a “commitment”. This commitment is stored by the smart contract. When you withdraw 1 ETH on the other side, you have to provide a “nullifier” and a zero-knowledge proof. The nullifier is a unique ID that is in connection with the commitment and the ZKP proves the connection, but nobody knows which nullifier is assigned to which commitment (except the owner of the depositor/withdrawal account). - Understanding Zero-Knowledge Proofs Through the Source Code of Tornado Cash
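The bookkeeping described in that quote, as an added model (not Tornado Cash code): SHA-256 stands in for the Pedersen/MiMC hashes, and the “proof” handed to withdraw() is a plain witness (nullifier, secret, Merkle path) that the pool checks in the clear, where the real contract checks a zero-knowledge proof of the same statement (which is what keeps the deposit and the withdrawal unlinkable). The point it shows is the accounting: deposits only add commitments, a withdrawal must prove membership of some commitment in the tree, and the nullifier hash stops a second spend of the same note.

```python
import hashlib
import os

ZERO = b"\x00" * 32
DENOMINATION = 1  # a 1 ETH pool


def H(*parts: bytes) -> bytes:
    # stand-in for the circuit-friendly hashes the real pool uses
    return hashlib.sha256(b"".join(parts)).digest()


class Note:
    """Depositor's secret material; only the commitment goes on chain."""

    def __init__(self):
        self.nullifier = os.urandom(31)
        self.secret = os.urandom(31)

    @property
    def commitment(self) -> bytes:
        return H(self.nullifier, self.secret)

    @property
    def nullifier_hash(self) -> bytes:
        return H(self.nullifier)


def verify_witness(root: bytes, nullifier_hash: bytes, witness) -> bool:
    """The statement the ZK circuit proves, checked here without zero knowledge."""
    nullifier, secret, index, path = witness
    if H(nullifier) != nullifier_hash:
        return False
    node = H(nullifier, secret)                # recompute the commitment leaf
    for sibling in path:                       # walk up to the root
        node = H(node, sibling) if index & 1 == 0 else H(sibling, node)
        index >>= 1
    return node == root


class Pool:
    def __init__(self, depth: int = 4):
        self.depth = depth
        self.leaves = []        # commitments in deposit order
        self.spent = set()      # nullifier hashes already withdrawn
        self.balance = 0

    def _levels(self):
        level = self.leaves + [ZERO] * (2 ** self.depth - len(self.leaves))
        levels = [level]
        while len(level) > 1:
            level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            levels.append(level)
        return levels

    def root(self) -> bytes:
        return self._levels()[-1][0]

    def merkle_path(self, index: int):
        """Siblings from leaf to root; a real client rebuilds this from Deposit events."""
        path = []
        for level in self._levels()[:-1]:
            path.append(level[index ^ 1])
            index >>= 1
        return path

    def deposit(self, commitment: bytes, value: int) -> int:
        if value != DENOMINATION:
            raise ValueError("fixed-denomination pool")
        if len(self.leaves) >= 2 ** self.depth:
            raise ValueError("tree full")
        if commitment in self.leaves:
            raise ValueError("commitment already submitted")
        self.leaves.append(commitment)
        self.balance += value
        return len(self.leaves) - 1

    def withdraw(self, nullifier_hash: bytes, witness, recipient: str):
        if nullifier_hash in self.spent:
            raise ValueError("note already spent")
        if not verify_witness(self.root(), nullifier_hash, witness):
            raise ValueError("invalid proof")
        self.spent.add(nullifier_hash)
        self.balance -= DENOMINATION
        return recipient, DENOMINATION


def demo():
    pool, alice, bob = Pool(depth=3), Note(), Note()
    ia = pool.deposit(alice.commitment, 1)
    ib = pool.deposit(bob.commitment, 1)
    out = {}
    witness = (bob.nullifier, bob.secret, ib, pool.merkle_path(ib))
    out["first"] = pool.withdraw(bob.nullifier_hash, witness, "0xFRESH")[1]
    try:                                        # same note again: nullifier already spent
        pool.withdraw(bob.nullifier_hash, witness, "0xFRESH")
        out["double_spend"] = True
    except ValueError:
        out["double_spend"] = False
    forged = (alice.nullifier, bob.secret, ia, pool.merkle_path(ia))
    try:                                        # wrong secret: leaf does not match the tree
        pool.withdraw(alice.nullifier_hash, forged, "0xFRESH")
        out["forged"] = True
    except ValueError:
        out["forged"] = False
    out["balance"] = pool.balance
    return out
```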
Tornado Cash is a decentralized application launched on the Ethereum blockchain in 2019 that allows someone to un-link the source and destination of coins. That is to say, it provides privacy, or ‘mixes’ coins.
Why sanctions?
“Tornado Cash, which has been used to launder more than $7 billion worth of virtual currency since its creation in 2019.” - Treasury.gov
We should point out that statement is not factually accurate, as not all coins moving through TC were being laundered.
“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks. Treasury will continue to aggressively pursue actions against mixers that launder virtual currency for criminals and those who assist them.”- Brian E. Nelson - Secretary of the Treasury for Terrorism and Financial Intelligence
Let’s look at a breakdown of funds received by TC from Chainalysis:
- https://blog.chainalysis.com/reports/tornado-cash-ofac-designation-sanctions/
Points of interest
- 38 addresses sanctioned
- TC dev arrested in the Netherlands on 8/10. “suspected of involvement in concealing criminal financial flows and facilitating money laundering,” and that “multiple arrests are not ruled out” as investigations into Tornado Cash continue. - The Verge
- First smart contract sanctioned
- Famous accounts dusted with TC coin
- TC withdrawals increase (but how does an increase in WDs == an increase in usage?) - Maybe an attempt to get coins out before the platform updates blacklists?
- As with most things crypto, there are lots of uninformed opinions on this one
- TORN (DAO token for TC) down from ~$30 to ~$14
The Resistance
- https://twitter.com/jchervinsky/status/1557804087856570368
- The Tornado Cash opportunity: How we can learn from this attack to prevent it from happening again
I, Degen - Most creative personal hack attempt of the week?
References/Links
Curve.fi DNS hack
https://twitter.com/FixedFloat/status/1557116267378708481
TC Feature
https://decrypt.co/107075/ethereum-cofounder-used-blacklisted-tornado-cash-donate-ukraine
https://twitter.com/decryptmedia/status/1557042485091831817?s=21&t=SMK4-GTe2D8y0_zA8p67NA
https://blog.chainalysis.com/reports/torna...
-
Full show notes:
https://hackmd.io/@idegen/E9-Nomad-owned-Solana-wallets-hacked-8-4-2022
I, Degen - E9: Chaos In Crypto - Nomad Owned, Solana Wallets Hacked, Nirvana Finance Crushed, & more - 8/4/2022
Listen at: idegen.fm
Contact us: @idegenfm
Intro
Welcome to I, Degen - We track down and explore the most exciting crypto hacks, mysteries, exploits, and anything that feeds our crypto curiosity each week. We dig in, cutting through the misinformation and hype in search of signal from the noise.
Episode Summary
The word of the week is chaos. From the first-of-its-kind decentralized looting mob destroying Nomad to the mysterious draining of more than 8K Solana wallets, it’s been a crazy week. Sadly, there is more.
Quick word on signal
I,Degen - Weekly
- Reaper Finance - FTM based, hacked for 1.7MM. Audit, significant code update, no audit, owned.
- The SEC is accusing 11 individuals of running the Forsage Ponzi that generated more than 300 million from users on several blockchains (ETH, BNB, Tron) https://defi-planet.com/2022/08/officials-of-forsage-crypto-accused-of-running-a-300-million-ponzi-scheme/
- Two founders pled guilty to securities fraud from a 2017 ICO called “Dropl” for scamming users out of 1.9 million. The founders were sentenced to 2.5 and 3 years for their crimes (https://coinfomania.com/two-men-bag-three-years-in-prison-ico-fraud/)
- A bill reaches the Senate that would classify Bitcoin and Ethereum as commodities and put their regulation under the CFTC. (https://www.wsj.com/articles/senate-plan-would-put-bitcoin-ether-under-commodity-regulators-watch-11659499261)
- Texas-based mining firm Riot Blockchain earned 9.5 MILLION in credits after agreeing to temporarily shut down their mining operation during a recent heat wave and power struggles. (https://www.bloomberg.com/news/articles/2022-08-03/bitcoin-miner-made-millions-by-shutting-rigs-during-texas-heat)
Nirvana Flash Loan Attack - mini deep dive
What is Nirvana? Buddhist state of bliss? Iconic 90’s band? Nope, in this context, a Solana-based yield protocol (what even is a ‘yield protocol’?). Also, a stablecoin.
@Huntfrye Nirvana Finance, a Solana-based yield protocol. Nirvana allowed users to earn annual yields on their locked assets by creating and destroying tokens based on user demand as the ANA tokens were bought from and sold to the protocol.
Looks pretty similar to some other algorithmic coins that rebase or change supply daily due to demand
Is this similar to the Beanstalk flash loan attack we talked about on I, Degen a few episodes back?
Hacked for 3.5 MM using flash loans
What’s a Flash Loan?
“The loans enable merchants to obtain unsecured loans from lenders using smart contracts in place of intermediaries. No collateral is required because the contract only considers the transaction complete when the borrower pays the lender. If a borrower fails to repay a flash loan, the smart contract will halt the transaction and repay the lender’s money.” – DeFi Planet
I, Degen - Deep Dives
1) Nomad looted for 190MM by a decentralized mob
What is Nomad?
Nomad is a bridge that allows you to move assets from chain to chain, such as Avalanche, Ethereum, Moonbeam, EVMOS, and Milkomeda. “Wow I haven’t even heard of a couple of those”
What happened?
TLDR; ~190 MM, ~2.5 hours, initial TX exploiting the bridge, then a swarm of copycats loot the protocol.
Hunt: why not take it all at once? Good question.
Zak: let’s talk about how the hack worked.
How did it happen?
- Bridge stores funds - deposit ETH, receive XYZ on Moonbeam
- Merkle tree used to validate cross-chain transactions
- After a failed first attempt (costing $350k in gas), the original attacker’s exploit tx, which was copied by those that followed, was able to call the process() function directly, without having first ‘proved’ its validity. - rekt.news
- This meant any process() calls could be executed as valid. In fact, a more sophisticated exploiter could have written a contract to drain the whole bridge for themselves.
- Initial reports claim the root of the issue was called out in the audit; however, that seems incorrect. Perhaps it was the audit that led the attacker to look at this section of the code. Still, the vulnerability that was exploited appears to have been introduced to the repository on May 23rd and then pushed to the blockchain with an update in June.
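The prove()/process() split described above, as an added model (not Nomad’s contracts). Messages are meant to go prove() then process(); prove() checks the message against a root the bridge has confirmed and records it. The vulnerable process() looks up the message’s recorded root with a default for messages it has never seen, and that default itself passes the root check; that a default value passed the check is this model’s assumption about the cause, since the text only says process() could be called without a prior proof. The fixed process() refuses anything prove() did not record. The batch root is a single hash over the batch rather than a Merkle tree, to keep the model short.

```python
import hashlib

EMPTY_ROOT = b"\x00" * 32   # default for a message hash with no recorded root
PROCESSED = "PROCESSED"


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def batch_root(messages) -> bytes:
    # simplified: one hash over the sorted message hashes instead of a Merkle tree
    return h(b"".join(sorted(h(m) for m in messages)))


def encode_message(recipient: str, amount: int) -> bytes:
    return recipient.encode() + b"|" + amount.to_bytes(8, "big")


def decode_message(msg: bytes):
    recipient, amount = msg.split(b"|", 1)
    return recipient.decode(), int.from_bytes(amount, "big")


class Replica:
    """Destination-chain side of the bridge: releases funds for proven messages."""

    def __init__(self, confirmed_roots, vulnerable: bool):
        self.vulnerable = vulnerable
        self.confirmed = {root: True for root in confirmed_roots}
        if vulnerable:
            # the flaw this model assumes: the default root counts as confirmed
            self.confirmed[EMPTY_ROOT] = True
        self.messages = {}   # message hash -> root it was proven against, or PROCESSED
        self.released = {}   # recipient -> total released

    def acceptable_root(self, root: bytes) -> bool:
        return self.confirmed.get(root, False)

    def prove(self, message: bytes, batch) -> None:
        root = batch_root(batch)
        if message not in batch or not self.acceptable_root(root):
            raise ValueError("prove(): message not in a confirmed batch")
        self.messages[h(message)] = root

    def process(self, message: bytes) -> int:
        key = h(message)
        if self.messages.get(key) == PROCESSED:
            raise ValueError("process(): already processed")
        if self.vulnerable:
            # never-proven message -> EMPTY_ROOT -> accepted
            if not self.acceptable_root(self.messages.get(key, EMPTY_ROOT)):
                raise ValueError("process(): root not acceptable")
        elif key not in self.messages:
            raise ValueError("process(): message was never proven")
        self.messages[key] = PROCESSED
        recipient, amount = decode_message(message)
        self.released[recipient] = self.released.get(recipient, 0) + amount
        return amount


def demo():
    """Constructed traffic: one confirmed batch of two transfers and one forged message."""
    m1, m2 = encode_message("alice", 5), encode_message("bob", 7)
    batch = [m1, m2]
    forged = encode_message("attacker", 190_000_000)   # never relayed, never proven
    out = {}
    vulnerable = Replica([batch_root(batch)], vulnerable=True)
    out["vulnerable_forged"] = vulnerable.process(forged)
    fixed = Replica([batch_root(batch)], vulnerable=False)
    try:
        fixed.process(forged)
        out["fixed_forged"] = True
    except ValueError:
        out["fixed_forged"] = False
    fixed.prove(m1, batch)
    out["fixed_legit"] = fixed.process(m1)
    try:
        fixed.process(m1)                                # replay of a processed message
        out["fixed_replay"] = True
    except ValueError:
        out["fixed_replay"] = False
    return out
```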
DeFi Dominos
“The collateral damage from the unbacked assets is also severely affecting the chains that depended on Nomad. Moonbeam, EVMOS and Milkomeda have all taken a significant hit to their TVLs.” - rekt.news
Hunt: The most interesting and crazy part about this hack to me was that other people noticed the hack going on in real time, joined in the fun, and were able to withdraw funds. Were these other users who were getting in on this honey pot white hats trying to take some of the funds before the attacker could, or were they maliciously trying to steal for themselves? Nomad has placed an address on their home page asking for any white hats to return funds to a specific address.
Did you see that meme floating around Twitter? It was a bunch of people looting a store, who were the copycat hackers, after the main attacker busted into the store initially.
2) Solana Wallet Hack
What is Solana?
@Huntfrye Solana is an extremely well-funded alternate layer 1 that is touted as one of the main competitors to Ethereum. Most people agree that Solana has sacrificed some of the decentralization and security to provide extremely high throughput.
What happened?
Roughly 9K addresses on the Solana network were compromised, draining more than 6MM worth of various tokens. For perspective, there are more than 25MM addresses on Solana as of this writing.
At 11PM UTC on August 2nd, 2022, SOL and USDC started mysteriously being transferred from wallets.
A host of wild theories spread across crypto twitter including fro...
-
https://hackmd.io/@idegen/E8-Audius-Gets-Owned
# 7/29/2022 - I, Degen - E8 - Audius Governance Attacked
Follow--> [@idegenfm](https://twitter.com/idegenfm)
Listen---> [https://idegen.fm](https://idegen.fm)
#### Intro
Welcome to I, Degen - Each week, we track down and explore the most exciting crypto stories. Hacks, mysteries, exploits, and anything that feeds our crypto curiosity.
Welcome degens! Come one, come all.
#### Episode Summary
This week we explore the Audius governance attack.
# I, Degen - Weekly
1. [Sky Mavis CEO Trung Nguyen transferred $3 million worth of AXS Gov tokens just before the hack was disclosed, but he says today that claims of insider trading "are baseless and false."](https://decrypt.co/106186/axie-infinity-ceo-moved-3m-in-tokens-before-622m-hack-disclosure-report) - From Decrypt
> funds were transferred from Nguyen’s wallet so that AXS short sellers “would not be able to front-run the news,”
2. [US Senators Push Bill to Make Small Crypto Transactions Tax-Free under $50](https://www.coindesk.com/policy/2022/07/26/us-senators-push-bill-to-make-small-crypto-transactions-tax-free/) - From Coindesk
3. [FBI detects fake crypto apps that scammed $42.7M from 244 victims](https://cryptoslate.com/fbi-detects-fake-crypto-apps-that-scammed-42-7m-from-244-victims/) - From Cryptoslate
4. [South Korean officials conclude week-long raid in Terra-LUNA case](https://cryptoslate.com/south-korean-officials-conclude-week-long-raid-in-terra-luna-case/)
5. [The recent swoon in cryptocurrency valuations “has directly impacted pricing of luxury watches from brands like Rolex and Patek Philippe,”](https://www.bloomberg.com/news/articles/2022-07-29/the-crypto-collapse-has-flooded-the-market-with-rolex-and-patek) - From Bloomberg
# Deep Dive - Audius Governance Attack
**What happened?**
On July 23rd, 2022, Audius, a Web3 music platform, suffered a governance attack for $6M worth of AUDIO, its native token.
**What is Audius?**
Hunt: **Before we jump in, let's talk about what proxy contracts are and how they work.**
Proxy contracts give the ability to upgrade or change a dapp's contract logic, or even deploy clones.
High level, in this case (but not all proxy patterns), they separate the storage and logic layers of the app, where the proxy contract sits in front and handles storage, and another contract sits behind the proxy and handles the application logic.
![](https://hackmd.io/_uploads/ryTGghxT9.png)
source: https://blog.openzeppelin.com/proxy-patterns/
Key Point:
> Whenever a contract A delegates a call to another contract B, it executes the code of contract B in the context of contract A.
> The first contract is a simple wrapper or "proxy" which users interact with directly and is in charge of forwarding transactions to and from the second contract, which contains the logic. - [OpenZeppelin Docs](https://docs.openzeppelin.com/upgrades-plugins/1.x/proxies#unstructured-storage-proxies)
Instead of mapping every function one to one, the fallback function is leveraged.
> That is, the logic contract controls the proxy’s state and the logic contract’s state is meaningless. Thus, the proxy doesn’t only forward transactions to and from the logic contract, but also represents the pair’s state. The state is in the proxy and the logic is in the particular implementation that the proxy points to.
Solidity uses slots to store data.
[Storage Collision](https://docs.openzeppelin.com/upgrades-plugins/1.x/proxies#unstructured-storage-proxies)
> Using this bug, the attacker was able to call the initializer method of deployed Audius contracts that implement Initializable and change storage state that is intended to be set only once in initialization.
In other words:
>the attacker was able to reinitialise governance contracts, delegating a large number of governance tokens to themself and bypassing safeguards meant to limit malicious proposals.
So, a storage collision leads to deployment of a malicious governance contract and a massive fraudulent token delegation, which was used to pass a malicious governance proposal to send AUDIO tokens from the Audius community pool to the attacker.
Then a quick, massive-slippage sale of 6.1MM worth of AUDIO on Uniswap for ~1MM USD / 704 ETH, with the ETH sent into Tornado Cash.
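A storage-collision model for the proxy pattern discussed above, added here as an example (not Audius or OpenZeppelin code). EVM storage is modelled as 32-byte words indexed by slot, and the logic contract runs against the proxy's storage the way delegatecall does. `NaiveProxy` keeps its admin address in slot 0, where the logic contract keeps its packed `initialized` byte, so the two clobber each other and the set-once guard can be bypassed after a routine admin change. `UnstructuredProxy` keeps the admin in a hash-derived slot, the approach the OpenZeppelin docs linked above describe (SHA-256 stands in for keccak256 here), so the logic's slot 0 is never touched. The addresses and the slot label are constructed.

```python
import hashlib

MASK256 = 2 ** 256 - 1


def hashed_slot(label: str) -> int:
    """EIP-1967 style slot: hash(label) - 1, so no compiler-assigned slot lands there."""
    return (int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") - 1) & MASK256


class Storage:
    """EVM-like storage: 256-bit words indexed by slot number."""

    def __init__(self):
        self.words = {}

    def load(self, slot: int) -> int:
        return self.words.get(slot, 0)

    def store(self, slot: int, value: int) -> None:
        self.words[slot] = value & MASK256

    def load_byte(self, slot: int, offset: int) -> int:
        return (self.load(slot) >> (8 * offset)) & 0xFF

    def store_byte(self, slot: int, offset: int, value: int) -> None:
        cleared = self.load(slot) & ~(0xFF << (8 * offset)) & MASK256
        self.store(slot, cleared | ((value & 0xFF) << (8 * offset)))


class GovernanceLogic:
    """Logic contract with an Initializable-style guard.
    Layout: slot 0 byte 0 = initialized flag, slot 1 = delegated votes (set once)."""

    INIT_SLOT, INIT_OFFSET, VOTES_SLOT = 0, 0, 1

    @classmethod
    def initialize(cls, storage: Storage, votes: int) -> None:
        if storage.load_byte(cls.INIT_SLOT, cls.INIT_OFFSET):   # require(!initialized)
            raise RuntimeError("Contract instance has already been initialized")
        storage.store_byte(cls.INIT_SLOT, cls.INIT_OFFSET, 1)
        storage.store(cls.VOTES_SLOT, votes)

    @classmethod
    def votes(cls, storage: Storage) -> int:
        return storage.load(cls.VOTES_SLOT)


class Proxy:
    ADMIN_SLOT = None   # set by subclasses

    def __init__(self, admin: int):
        self.storage = Storage()
        self.set_admin(admin)

    def set_admin(self, admin: int) -> None:
        self.storage.store(self.ADMIN_SLOT, admin)

    def admin(self) -> int:
        return self.storage.load(self.ADMIN_SLOT)

    def delegatecall_initialize(self, votes: int) -> None:
        # logic code, proxy storage: exactly the delegatecall situation quoted above
        GovernanceLogic.initialize(self.storage, votes)


class NaiveProxy(Proxy):
    ADMIN_SLOT = 0                                   # collides with the logic's slot 0


class UnstructuredProxy(Proxy):
    ADMIN_SLOT = hashed_slot("example.proxy.admin")  # constructed label


ADMIN = 0xA11CE << 8       # constructed address whose low byte is 0x00
NEW_ADMIN = 0xB0B << 8     # constructed replacement admin


def scenario(proxy_cls):
    proxy = proxy_cls(ADMIN)
    proxy.delegatecall_initialize(votes=100)         # legitimate one-time initialization
    admin_corrupted = proxy.admin() != ADMIN         # did the init flag land in the admin word?
    proxy.set_admin(NEW_ADMIN)                       # routine admin rotation by the team
    try:
        proxy.delegatecall_initialize(votes=10 ** 9)  # must fail: already initialized
        reinitialized = True
    except RuntimeError:
        reinitialized = False
    return {"admin_corrupted": admin_corrupted,
            "reinitialized": reinitialized,
            "votes": GovernanceLogic.votes(proxy.storage)}
```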
Take aways:
- super fast response, vuln mitigated within a few hours of discovery.
- > These contracts were deployed in October 2020 and this vulnerability has been live in the wild since that time. - [audius-governance-takeover-post-mortem](https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22)
- Human angle - why swap 6MM for 1MM? In a hurry?
# Weekly Freestyle
Password Manager Nightmare
# Who tried to own you this week?
Evolving SMS scams, likely from Ledger breach
# References
[Audius Post Mortem](https://blog.audius.co/article/audius-governance-takeover-post-mortem-7-23-22)
[OpenZeppelin Audius Contracts Audit](https://blog.openzeppelin.com/audius-contracts-audit/)
[Rekt News Write Up](https://rekt.news/audius-rekt/)
https://kubertu.com/blog/solidity-storage-in-depth/
[Malicious Transaction](https://oko.palkeo.com/0xfefd829e246002a8fd061eede7501bccb6e244a9aacea0ebceaecef5d877a984/)
[OG OZ Article on Proxy Patterns from 2018](https://blog.openzeppelin.com/proxy-patterns/)
-
Please check out the I, Degen episode #7 Zeevo sequence here - https://app.zeevo.co/dashboard/sequences/bfdded05-2c09-4b5d-96da-90f2531409f2 - your feedback would be most appreciated!
-
I, Degen - E6: Mint Bots Deliver 7hr KO to Solana & Otherside NFTs Push ETH Gas Fees to Highs - 5/6/22
Listen at: idegen.fm
Contact us: @idegenfm
Intro
Welcome to I, Degen - Each week, we track down and explore the most exciting crypto stories. Hacks, mysteries, exploits, and anything that feeds our crypto curiosity.
Welcome degens! Come one, come all.
I,Degen - Weekly
- Binance and Sequoia revealed as investors backing Elon Musk’s Twitter purchase
- Bloomberg reports Argentinian banks are now BANNED from offering the purchase of digital assets to their customers, making two Argentinian banks backtrack on their current plans.
- ENS (Ethereum Name Service) NFTs have overtaken Bored Apes in daily trading volume
- US court orders BitMEX founders to pay 30 million in fines for illegal trading
- Cronos DeFi project MM Finance suffers a 2 mil hack through a malicious contract. The company has promised to reimburse all users affected
- The Block, formerly known as Square, posted Q1 earnings and processed 1.7 billion in BTC transactions but looks to have not recently purchased BTC to add to their balance sheet.
- Bug exploited in the Fuse protocol used by DeFi platforms Rari Capital and Fei Protocol to steal more than $80 million. - Security Affairs
I, Degen - Deep Dive
Solana blockchain’s 11th outage, 7th of 2022. - Solana Incident Report
What: May 1st - 4M transactions per second, initiated by NFT minting bots, took down the Solana blockchain by preventing nodes from reaching consensus. The bots were targeting the Metaplex Candy Machine.
What is Metaplex?
Allows users to mint and sell NFTs.
On securing the network, from their site:
Security
“Prevent bots from interfering with NFT sales with decentralized architecture, Certified Collections, and CAPTCHAs.”
Metaplex proposes a solution: charge a tax/fee on failed TXs.
Based on a Twitter poll on the same thread as the proposed solution, 5k votes total, with 75% no and 25% yes.
The speculation was that:
“Eth & AVAX maxi’s voting no”
“Bots voting no”
However, the proposed solution looks like an anti-pattern!
“There is a chance that a real user could hit one of these cases, especially in #2 (Trying to mint when there are no items left in the candy machine). But we think these will not be frequent.”
“This is not a fool-proof fix, and it will not completely stop congestion but we believe it has a substantial enough impact to attempt it.”
How does Solana Consensus Work?
leewayhertz.com explains
I, Degen - Freestyle Convo
BAYC Otherside Metaverse Land Sale Pushes ETH gas fee to new high.
175M on fees total, many of which failed
- The Otherside Metaverse NFT mint spearheaded by Yuga Labs is thus far the largest in blockchain history
- 55,000 Otherdeeds NFTs were sold for a flat rate of 305 ApeCoin, raising $320 million using an APE value of around $19
- The mint congested the Ethereum network, raising network fees to as high as 8,000 Gwei
- Some users paid as much as $7k in fees
- Roughly 64k Ethereum in transaction fees was consumed during the mint
- The floor price for Otherside NFTs had gone as high as 5 ETH on OpenSea
^^ From Eth World News
UPDATE: They did refund gas fees to failed TX holders
Mental Gymnastics Required to Justify ETH Fees
We do our best to report accurately on the topics we discuss, but we’re not always going to get everything right. Please comment here or reach out to us @idegenfm with corrections or comments!
Full Show Notes:
https://hackmd.io/@idegen/I-DEGEN-E6-Mint-Bots-Deliver-7HR-KO-to-Solana
-
I, Degen - E5: Akutars NFT Auction Misfire Locks 11K ETH - 4/30/2022
Listen at: idegen.fm
Contact us: @idegenfm
Intro
Welcome to I, Degen - Each week, we track down and explore the most exciting crypto stories. Hacks, scams, exploits, and anything that feeds our crypto curiosity.
Welcome degens! Come one, come all.
Episode Summary
In this week’s episode, we take a look at the brutal AkuTars auction bugs that permanently sacrificed 11,539 ETH to the burn 🔥_🔥
5/2 - UPDATE - We recorded this on 4/28 and since have come across some new info related to how the Aku team is working with the community to set things right. The community seems to be aligned and supports AkuDreams on the plan.
I,Degen - Weekly
Silk Road’s stolen BTC, recovered by the US Gov and used to cover Ross Ulbricht’s debt - BeInCrypto
From The Block: New York lawmakers want to make rug pulling a crime
ERC721R introduces refundable NFTs to help reduce scams; criticism comes fast. Nice discussion on the Markets Daily podcast
BAYC holders targeted again. This time hackers owned BAYC’s Insta page and posted a scam claiming BAYC owners were entitled to an airdrop of virtual land. Instead, the link lifted Apes, Mutant Apes, and other NFTs from the victims’ wallets. From The Defiant - “The hacker stole 91 NFTs in total, including four Bored Apes, and seven Mutant Apes. Just those 11 NFTs are worth $2.6M going by current floor and ETH prices as of Apr. 25.”
OG Zcash trusted ceremony anon John Dobbertin turns out to be Edward Snowden. From Zcash Media
From Coindesk: Panama Legislature Passes Bill Regulating Crypto. Aimed at bringing crypto projects to Panama, among other things.
Massive 15.3 million request-per-second (RPS) volumetric HTTPS DDoS attack targets undisclosed crypto launchpad. The attack only lasted 15 seconds but is notable for its size and use of HTTPS. From HackerNews
Another from Coindesk: Ethereum Name Service overtakes Bored Ape Yacht Club in daily trading volume in rush for short digit addresses. Race to grab first 10k numeric ENS addys partly to blame.
I, Degen - Deep Dive
Moment of Silence - $34 million, or 11,539 ETH, is permanently locked into the AkuDreams contract forever.
What is Aku?
Aku is a character created by former MLB player turned artist, Micah Johnson, after hearing a young boy ask, “Can astronauts be black?” Aku was released to the world on Feb 21, 2021 as an NFT in the form of an animated video. – Aku.world
Ten chapters in total, with each chapter in its own style.
Next, comes the Akutars…new drop, 4/22/22.
What are the Akutars:
Akutars are a collection of 15,000 unique, 3D Aku avatars with partnerships from; Puma, Planes, Vandal, Who Decides War, BBC and, Ice Cream. Each Akutar grants you entry into the ever-expanding Akuverse, where lines are blurred between the digital and physical worlds and owners gain exclusive access to culture-defining experiences, products, and collaborations.
– Akutars on OpenSea
So this drop was a Dutch auction with a unique feature that allowed the lowest bid to set the price for all minters. – Tweet
Then, when the auction ends, any bid higher than the lowest bid will receive a refund of the lowest bid, minus gas fees.
This is an interesting and cool mechanism. However, there was some faulty logic in the contract.
First issue: If you bid on the auction from a contract, and that contract didn’t have a fallback function to handle incoming ETH, then the refund loop would fail. This was exploited; however, the attacker was kind enough to build a switch into their contract that would bypass the failure and allow the refund loop to continue.
Malicious bidder contract’s message:
There is some mention that this bug was pointed out to the AkuDreams team ahead of time and they ignored it. I wasn’t able to verify that.
Next issue: Bigger issue. The contract was designed to keep track of the bids, and the addresses that made those bids. A simple ++ was used to increment the counter. However, this counter didn’t account for cases where a single address bid on more than one Akutar, AKA multi-mint in a single transaction. This left the total bid count short. There were 5495 total Akutars to be auctioned, but the bid counter only made it to 3669.
During the refund loop, there is a check to confirm:
// this will fail because of the bid counter issue
require(_refundProgress < _bidIndex);
and then, in the claimProjectFunds function:
// This too will fail
require(refundProgress >= totalBids);
Sooo… 11k ETH is permanently stuck.
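The two Akutars defects described above, as an added model (not the AkuDreams contract): `bid_index` is the `++` counter of bid transactions, `total_bids` counts units, and the refund loop and `claim_project_funds` check the two different counters, so the claim can never succeed once anyone multi-mints. `Bidder.accepts_eth=False` stands for a contract bidder with no payable fallback; the vulnerable auction pushes refunds and stalls on it until that bidder “flips its switch”, as the text describes. The hardened variant records refunds for bidders to pull and checks progress against the same counter the loop uses. One bid entry is refunded per call so a revert only affects that call; the bidders and prices are constructed.

```python
class Bidder:
    """A bidding account; accepts_eth=False models a contract without a payable fallback."""

    def __init__(self, name, accepts_eth=True):
        self.name, self.accepts_eth, self.received = name, accepts_eth, 0

    def receive(self, amount):
        if not self.accepts_eth:
            raise RuntimeError(f"ETH transfer to {self.name} reverted")
        self.received += amount


class AkutarAuction:
    def __init__(self, hardened=False):
        self.hardened = hardened
        self.bids = []          # (bidder, price_per_unit, quantity) in bid order
        self.bid_index = 0      # ++ once per bid transaction
        self.total_bids = 0     # units bid for, i.e. Akutars to mint
        self.refund_progress = 0
        self.balance = 0        # ETH held that is not yet owed to a bidder
        self.owed = {}          # hardened only: refunds waiting to be pulled
        self.final_price = None

    def bid(self, bidder, price, quantity):
        self.bids.append((bidder, price, quantity))
        self.bid_index += 1
        self.total_bids += quantity
        self.balance += price * quantity

    def end(self):
        # the lowest bid sets the price every minter pays
        self.final_price = min(price for _, price, _ in self.bids)

    def process_refund(self):
        """One iteration of the refund loop."""
        if not self.refund_progress < self.bid_index:     # require(_refundProgress < _bidIndex)
            raise RuntimeError("refund loop: every bid entry already refunded")
        bidder, price, qty = self.bids[self.refund_progress]
        refund = (price - self.final_price) * qty
        if self.hardened:
            self.owed[bidder.name] = self.owed.get(bidder.name, 0) + refund   # pull payment
        else:
            bidder.receive(refund)        # push payment: a rejecting bidder blocks the loop
        self.balance -= refund
        self.refund_progress += 1

    def withdraw_refund(self, bidder):
        amount = self.owed.pop(bidder.name, 0)
        bidder.receive(amount)            # only this bidder is affected if it reverts
        return amount

    def claim_project_funds(self):
        # vulnerable: refundProgress can only ever reach bid_index, never total_bids
        required = self.bid_index if self.hardened else self.total_bids
        if not self.refund_progress >= required:          # require(refundProgress >= totalBids)
            raise RuntimeError("claimProjectFunds: refunds not finished")
        out, self.balance = self.balance, 0
        return out


def run(hardened):
    auction = AkutarAuction(hardened)
    d = Bidder("D", accepts_eth=False)                   # contract bidder with no fallback
    for bidder, price, qty in ((Bidder("A"), 3, 1), (Bidder("B"), 2, 3),
                               (Bidder("C"), 2, 2), (d, 3, 1)):
        auction.bid(bidder, price, qty)
    auction.end()                                        # final price 2; 4 bids, 7 units
    loop_blocked = False
    while auction.refund_progress < auction.bid_index:
        try:
            auction.process_refund()
        except RuntimeError:
            loop_blocked = True
            d.accepts_eth = True                         # D flips its switch; loop resumes
    try:
        project_funds = auction.claim_project_funds()
    except RuntimeError:
        project_funds = None                             # funds stay in the contract
    return {"bid_index": auction.bid_index, "total_bids": auction.total_bids,
            "refund_progress": auction.refund_progress, "loop_blocked": loop_blocked,
            "project_funds": project_funds, "stuck": auction.balance,
            "owed_to_D": auction.owed.get("D", 0)}
```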
What’s strange:
- AkuDreams Twitter appears unfazed.
- Not audited?
- Not tested?
- Lots of questionable info floating around on Twitter (not strange I guess)
Links:
- Aku, The Moon God, and the new age of Web3 Media
- https://www.instagram.com/aku.dreams
- Nice Twitter write-up from 0xInuarashi
- Akutars Auction Contract
I, Degen - Freestyle Convo
Musk buys Twitter
Outro
We do our best to report accurately on the topics we discuss, but we’re not always going to get everything right. Please comment here or reach out to us @idegenfm with corrections or comments!
-
Episode Summary
In this week’s episode, we take a deep dive in the fascinating flash loan governance attack delivered on the Beanstalk Farms protocol Sunday. Then we dig into trending criticism on Axie Infinity’s play to earn model.
Intro
Welcome to I, Degen - Each week, we track down and explore the most exciting crypto stories. Hacks, scams, exploits, and anything that feeds our crypto curiosity.
Welcome degens! Come one, come all.
It’s been another epic week. We will go deep on the Beanstalk Farms attack and explore some growing criticism of Axie.
But first, let’s jump into our choice-picked weekly Degen headlines.
Degen Weekly
- ETH Merge pushed back from targeted June to Q3 2022 or later. Surprised?
- ETH staking post-merge will likely be lower than anticipated - CryptoSlate
- DeFi superstar Andre Cronje (CRON-YE) comes back after his 3rd rage quit and starts beating the “crypto needs regulation” drum - The Defiant
- Ethan Gach with Kotaku says crypto gaming “landlords” are upset they can’t keep exploiting all the players. Diminishing returns of the play-to-earn game Axie Infinity show that the long-term model of some of the guilds is unsustainable. - Kotaku
- New phishing attack that involves Google Ads… TradeDog on Twitter says that over 4.31 MILLION has been exploited in this phishing attack - Tweet
- Lazarus Group, a North Korea-based hacker group, has claimed responsibility for the Ronin bridge attack. Last week we heard they might be responsible, but this week it seems they are fully taking ownership of this insane hack - Cryptured
- US House Democrats Call for Scrutiny on Crypto Mining as Environmental Threat. “U.S. Rep. Jared Huffman (D-Calif.), who leads a subcommittee within the House of Representatives’ Natural Resources Committee, has recruited almost two dozen Democratic colleagues to urge federal environmental officials to devote further scrutiny to the consequences of cryptocurrency mining.” - Coindesk
Degen Deep Dive
Beanstalk Farms Flash Loan Governance Attack
TLDR: On April 17th, 2022 an attacker used a barrage of flash loans to purchase a majority of BEAN tokens, the native governance token for Beanstalk Farms. Using this temporarily loaned voting power allowed them to successfully pass an emergency governance proposal that drained the protocol of 76M in assets, sent 250K of the stolen money to the Ukraine War Fund, and sent the price of the stable BEAN tumbling.
Who:
“Beanstalk is a decentralized and transparent solution to DeFi’s endemic stablecoin supply shortage. It was designed from first principles to be a paradigm-shifting DeFi primitive that makes decentralized, cost-efficient stablecoins available to anyone with an internet connection. Beanstalk was initially launched in August 2021 with just 100 Beans and has never taken traditional funding. Over the last eight months, Beanstalk organically grew to $100M in market cap, attracting $144M in long term-incentivized liquidity.” - Beanstalk: The Path Forward
Victim: bean.money aka Beanstalk
From the whitepaper:
“To date, flawed stablecoin implementations sacrifice the main benefits of decentralized computing by requiring trust in a centralized party and limit their potential market capitalization by imposing collateral requirements. A stablecoin that (1) does not compromise on decentralization, (2) does not require collateral, and (3) trends toward more liquidity and stability, will unlock the potential of DeFi. We propose an Ethereum-native, credit based stablecoin protocol that issues an ERC-20 Standard token that fulfills these requirements. An on-chain price oracle leverages an existing centralized bridge between the Ethereum blockchain and the rest of the world to create a decentralized, reliable and inexpensive source for the price of a non-Ethereum-native value peg. A Decentralized Autonomous Organization (DAO) governed by a yield generating, inflationary, ERC-20 Standard token simultaneously provides security, encourages consistent liquidity growth, and dampens price volatility.”
Attacker:
Anon/unknown
What:
Created two malicious governance proposals, submitted them to the governance contract, and waited 24 hrs.
AAVE flash loans, sourced from Tornado Cash --> Synapse Protocol Bridge:
Attack details:
- 350M DAI
- 500M USDC
- 150M USDT
- Bought 32M BEAN on Uniswap V2
- Bought 11.6M LUSD?
- These tokens were used to add liquidity to Curve pools with BEAN for the governance voting
- Voted for and passed BIP-18 & 19 (malicious proposals)
- Pull back liquidity
- Repay flash loans
- Converted all received funds into 24,800 ETH ($76M)
- ETH moved to Tornado Cash
– from BEANSTALK - REKT & PeckShield’s step by step
“Presumably, to avoid suspicion of an inside job, Publius, the anon behind the protocol, took the decision to reveal their identity as a group of three in a statement published to Discord.” - From ^^ rekt
How:
From the Beanstalk whitepaper:
6.5 Governance
“A robust decentralized governance mechanism must balance the principles of decentralization with resistance to attempted protocol changes, both malicious and ignorant, and the ability to quickly adapt to changing information. In practice, Beanstalk must balance ensuring sufficient time for all ecosystem participants to consider a Beanstalk Improvement Proposal (BIP), join the Silo and cast their votes, with the ability to be quickly upgraded in cases of emergency.”
6.5.2 Voting Period
“A Voting Period opens when a BIP is submitted to the Ethereum blockchain and ends at the beginning of the 169th Season after it is submitted, or when it is committed with a supermajority”
Doesn’t matter though, as it looks like a supermajority of tokens was used to override the 169th season (~7 days).
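The supermajority shortcut described above, as an added model (not Beanstalk’s code); it also illustrates the flash-loan definition quoted in the Nirvana section, since the loan’s repayment is enforced inside the same “transaction”. The model collapses the real steps: governance tokens are flash-borrowed directly instead of borrowing stablecoins and converting them into voting power, and a 2/3 share of supply is assumed as the emergency-commit threshold. The vulnerable governance reads voting power from the voter’s current balance at vote time; the hardened one uses a balance snapshot taken when the BIP was submitted, so tokens acquired afterwards (flash-loaned or not) carry no weight, which is one general mitigation rather than Beanstalk’s own fix. Balances and the treasury figure are constructed.

```python
class Token:
    def __init__(self, balances):
        self.balances = dict(balances)

    def total_supply(self):
        return sum(self.balances.values())

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")   # models the revert
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class Governance:
    SUPERMAJORITY = 2 / 3   # assumed share of supply that allows an immediate commit

    def __init__(self, token, treasury, snapshot_votes):
        self.token, self.treasury, self.snapshot_votes = token, treasury, snapshot_votes
        self.proposals = {}

    def propose(self, bip_id, payload):
        # hardened: freeze balances at submission; vulnerable: no snapshot at all
        snapshot = dict(self.token.balances) if self.snapshot_votes else None
        self.proposals[bip_id] = {"payload": payload, "votes": {}, "snapshot": snapshot}

    def vote(self, bip_id, voter):
        p = self.proposals[bip_id]
        source = p["snapshot"] if self.snapshot_votes else self.token.balances
        p["votes"][voter] = source.get(voter, 0)

    def commit(self, bip_id):
        p = self.proposals[bip_id]
        total = sum(p["snapshot"].values()) if self.snapshot_votes else self.token.total_supply()
        if sum(p["votes"].values()) < self.SUPERMAJORITY * total:
            raise PermissionError("no supermajority; wait for the voting period")
        recipient, amount = p["payload"]             # the BIP: move treasury funds
        paid = min(amount, self.treasury)
        self.treasury -= paid
        return recipient, paid


class FlashLender:
    def __init__(self, token, pool):
        self.token, self.pool = token, pool

    def flash_loan(self, borrower, amount, callback):
        self.token.transfer(self.pool, borrower, amount)
        callback()                                   # borrower's code runs mid-transaction
        self.token.transfer(borrower, self.pool, amount)   # must repay or the whole tx reverts


def run_attack(snapshot_votes):
    token = Token({"community": 300, "lender_pool": 700, "attacker": 1})
    gov = Governance(token, treasury=76_000_000, snapshot_votes=snapshot_votes)
    gov.propose("BIP-18", ("attacker", 76_000_000))  # submitted ahead of time, as in the text
    lender = FlashLender(token, "lender_pool")
    result = {"drained": 0}

    def during_loan():
        gov.vote("BIP-18", "attacker")               # voting power read while the loan is held
        try:
            _, paid = gov.commit("BIP-18")
            result["drained"] = paid
        except PermissionError:
            pass

    lender.flash_loan("attacker", 700, during_loan)
    result["loan_repaid"] = token.balances["lender_pool"] == 700
    result["treasury"] = gov.treasury
    return result
```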
5 Seasons
“Thus, Beanstalk creates a cost-efficient protocol-native timekeeping mechanism and ensures cost-efficient code execution on the Ethereum blockchain at regular intervals.”
Confusing… How about this:
“Seasons are the Beanstalk-native timekeeping mechanism. Each Season is ∼1 hour long.”
What’s odd:
Variations in reports about how muc... -
I, Degen - Episode 3
Suspicious Coinbase Trades, Rug-pull Finder, more DeFi hack
Listen at: idegen.fm
Contact us: @idegenfm
Intro:
Each week we track down and explore the most interesting crypto stories we can find. We examine scams, hacks, DeFi exploits, and anything that feeds our crypto curiosity. Welcome degens! Come one, come all.
This week’s show - evolving format, testing something new. Start with a rundown of this week’s most wild and interesting crypto degen stories.
1) Week in review
Crypto, DeFi, & NFT hacking
Elephant Money Flash Loan Attack Nets hacker 22.2 Million USD in various tokens from the treasury - Rekt.news, @BlockSec, Elephant Money
US Officials Tie North Korea’s ‘Lazarus’ Hackers to $625M Ronin Bridge Attack
Tornado Cash Blocks Sanctioned Addresses VIA their UI
Tornado Cash uses @chainalysis oracle contract to block OFAC sanctioned addresses from accessing the dapp.
“Maintaining financial privacy is essential to preserving our freedom, however, it should not come at the cost of non-compliance.”
Another Former Bored Ape Holder Suing OpenSea over inactive listing UI bug
General Crypto News
1. From the New York Times: Wolf of Wall Street is now marketing himself as a crypto guru
2. From CryptoSlate: Russia to legalize crypto as means of payment - "Russia's Ministry of Finance is working on draft regulations that will legalize crypto as a payment method."
3. Another from CryptoSlate: Monero community set to blitz CEXs in coming 'Monerun' - "Suspicions of CEXs overstating XMR reserves will be put to the test in a coordinated run on Monero."
2) Feature - Coinbase Insider Making Bank?
What
Coinbase drops an article on April 11th titled "Transparency for new asset listings on Coinbase". From the article:
Starting immediately and as part of an effort to increase transparency by providing as much information symmetry as possible, Coinbase will be using this blog post as a pilot to communicate assets under consideration for listing in Q2 2022 (April 1st, 2022 to June 30th, 2022).
The article inspired fears of insider trading and caused degens to hit the blockchain to see what they could find. Before we dig in, it's worth noting that this is not a new issue for Coinbase: the BCH Coinbase insider trading issue was a thing in 2019.
Post from Reddit user dragondude4 on r/cryptocurrency
Earlier today Coinbase made a "transparency post" naming about 50 assets that they are planning to list on their exchange. Most of them are illiquid shitcoins that no one can figure out why they are even listing in the first place.
The post goes on to show 4-5 screenshots of tweets [like this one](https://twitter.com/AlanStacked/status/1514062386851946499):
Thread blows up... but then:
So, it turns out this wasn't a Coinbase insider, but instead a clever chart scammer.
What is a chart scammer? idk, I just made that up.
Nansen.ai is a blockchain analytics and intelligence platform. They do a lot of cool stuff, but in this context, the Smart Money dashboard lets you track flows of coins going to and from smart traders' accounts.
So they tricked Nansen.ai into making it look like this coin was pumping:
How?
So, it looks like people are gaming Nansen to make it look like honeypot/scam tokens are pumping. Clever. But what does this have to do with Coinbase? Nothing, so let's look at another:
This one looks legit. Indeed we can see large amounts of Pawtocol (UPI) tokens being snapped up on Feb 8th, before the Feb 11th Coinbase announcement.
It's hard to say what this means. It could be legit. It could be insider trading from someone at Coinbase, or maybe even just at UPI?
Cobie Tweet: