Web3 is Going Just Great

July 30, 2024

DraftKings abruptly shutters its Reignmakers NFT project and marketplace due to "recent legal developments"

American sports gambling behemoth DraftKings announced the shutdown of its Reignmakers NFT game and NFT marketplace, effective immediately. Reignmakers was a fantasy sports game that allowed players to purchase digital trading cards used for digital fantasy leagues.

In an announcement in the project Discord and on their website, DraftKings wrote that the shutdown was "due to recent developments". They offered holders the ability to cash out their Reignmakers cards "based on factors that include, but are not limited to, the relative size and quality of your digital game piece collection". Holders were also invited to transfer their NFTs to their own cryptocurrency wallets, although the DraftKings-run "contests" in which people used their NFTs to try to earn rewards and win prizes will no longer exist. It's also unclear whether some NFTs, built to not be transferrable off-marketplace, will be able to be retained by their holders.

Members of the DraftKings Discord reacted with chagrin to the news, and doubt that the vague promises of cash payments would amount to much. "What kind of compensation u think we get coming to us? Pennies?" wrote one. "Yeah I'm out like $20k," said another. Some blamed the shutdown on a recent lawsuit from a holder of the Reignmakers NFTs who lost $14,000 — a lawsuit which recently survived the motion to dismiss stage.

July 28, 2024

Compound DAO passes $24 million proposal in alleged governance attack

(attribution)

A controversial proposal in front of the Compound Finance DAO has narrowly passed, granting 499,000 COMP (~$24 million, and amounting to 5% of the project's treasury) to an outside group. A Compound Finance whale, "Humpy", proposed the vote to allocate the tokens to a protocol created by a group called the "Golden Boys", which Humpy also leads. The vote was the third attempt to allocate tokens to the Golden Boys' group, after two unsuccessful votes in May and earlier in July.

Humpy has previously been accused of governance attacks on other protocols, including Balancer and SushiSwap.

Prior to the proposal's passage, some Compound Finance DAO members raised objections. "In my personal opinion, the actions of Humpy and the Golden Boys can be considered a governance attack if they persist in their attempts to take funds from the protocol in clear opposition to the will of all other Compound DAO delegates," stated Compound Finance security adviser Michael Lewellen, who also described the proposal as "a malicious attempt to steal funds from the protocol".

Afterwards, Lewellen wrote that "OpenZeppelin is working with all active delegates and Compound contributors to assess our options for protecting the protocol. We see serious risks to the future decentralization of the DAO as a result of Proposal 289 passing and so we are exploring options to mitigate or reverse this outcome."

"Compound DAO asleep at the wheel as $25M governance 'attack' passes", Protos
"$24 million Compound Finance proposal passed by whale over DAO objections", The Block
"Trust Setup for DAO investment into GoldCOMP", Compound Finance discussion
"Governance Security Notice: goldCOMP Proposal 247", Compound Finance discussion

July 24, 2024

MonoSwap hacked for at least $1.3 million

(attribution)

The MonoSwap DEX announced on July 24 that it had been compromised, and urged its users to withdraw their funds to avoid losses. According to the project team, one of their developers had been lured into a call with someone pretending to be a venture capitalist, who convinced them to download what they claimed was video call software, but which instead was malware. MonoSwap claimed this gave the hackers "access to all MonoSwap-related wallets and contracts".

The malicious video chat software attack vector has been widely used in the crypto world, with a victim losing cryptocurrency to an attacker using the same technique and impersonating an Andreessen Horowitz partner last month.

So far, the MonoSwap attacker has laundered $1.3 million via the Tornado Cash cryptocurrency mixer.

July 23, 2024

dYdX v3 exchange website compromised amid sale announcement

(attribution)

Crypto exchange dYdX has announced that the website for their v3 exchange was compromised, and is urging people not to use it. This announcement came almost simultaneously with a report from Bloomberg that the company behind the exchange was looking to sell the software behind the v3 exchange, after they’d upgraded to what they call v4.

The affected domain was hosted on Squarespace, which could connect this compromise to similar events earlier in the month affecting domains registered there.

July 20, 2024

ETHTrustFund rug pulls for $2.2 million

(attribution)

The operators of a project called ETHTrustFund on Coinbase's Base layer-2 Ethereum blockchain have apparently rug-pulled the project. The ETHTrustFund project was a fork of the Olympus DAO project on Base, but there was months of inactivity on the project following its March launch. Then, on July 20, the developer deleted his Telegram and Twitter accounts and the project's website, and suddenly moved the project treasury to a new wallet. The funds were then laundered through Railgun and Tornado Cash.

ETHTrustFund, Rekt [archive]

July 19, 2024

RHO Markets lending protocol loses $7.6 million to apparent whitehat

(attribution)

An apparent misconfiguration by the RHO Markets lending protocol allowed operators of an MEV bot to take $7.6 million from the project's users across multiple chains.

In a stroke of luck for the RHO team, the MEV bot operator sent RHO an on-chain message indicating they were willing to return all of the funds, although they first demanded that RHO "admit that it was not an exploit or a hack, but a misconfiguration on your end. Also, please provide what you are going to do to prevent it from happening again."

RHO is built on the Scroll Ethereum layer-2 network. Scroll temporarily paused the chain as RHO investigated the loss.

July 18, 2024

WazirX exchange hacked for $235 million

(attribution)

After a $230 million "suspicious transfer", Indian cryptocurrency exchange WazirX has paused withdrawals and acknowledged that one of their multisignature wallets was compromised. The attacker began selling off the tokens, causing the price of tokens like Shiba Inu to drop around 10%.

WazirX is the largest cryptocurrency exchange in India. The company was acquired by Binance in 2019, but the two companies re-separated in 2023 after a bizarre public dispute.

WazirX's June 2024 proof-of-reserves reported around $500 million in total holdings, making the $235 million theft a substantial portion of the assets held at the exchange.

Blockchain sleuth zachxbt observed that the theft had some of the hallmarks of the Lazarus Group, a North Korean hacking group that has perpetrated other 9-figure heists including the $625 million Axie Infinity theft in March 2022, and the theft of more than $100 million from Atomic Wallet users.

July 17, 2024

Trip.com accused of "rug pull" as it shuts down its Trekki NFTs

An illustration of a bright blue cartoon dolphin, wearing a safari hat and vest, holding a camera

Trekki NFT (attribution)

Travel company Trip.com has some perturbed crypto holders on its hands, after shutting down the "Trekki" NFT project it launched in June 2023. The company's dolphin-themed NFTs had come with a roadmap that promised eventual staking features, "travel to grow" and "travel to earn" mechanisms, and other developments, which have been cancelled. However, Trip.com promised that its discount coupon functionality would remain.

"Can't believe @Trip a multibillion company is also a rugged project," wrote one person in response to the shutdown announcement.

July 16, 2024

Users of LI.FI protocol suffer losses of at least $10 million

(attribution)

Users of the cross-chain swapping API LI.FI Protocol, and of projects that build on top of it, suffered wallet drains amounting to at least $10 million (and counting). An attacker was able to exploit the users who had set infinite approvals. The protocol urged those who had interacted with several affected smart contracts to revoke permission, and warned: "Please do not interact with any LI.FI powered applications for now!"

July 15, 2024

Three arrests made in relation to Metamax pyramid scheme

(attribution)

Three people have been arrested in connection to a crypto pyramid scheme called Metamax. Those behind the scam promised that people who invested in the scam could then earn income of up to $400 a day simply by watching, sharing, liking, and reviewing videos. There was, of course, a referral component as well, where people earned commission on the "investments" of people they referred. And for people who chose to invest in one of Metamax's fixed investment plans, they were promised 1.5% daily returns.

Unsurprisingly, the project turned out to be a pyramid scheme. On June 25, the Philippines SEC issued a warning, noting that the project was not registered with them, and that it "has the characteristics of a 'Ponzi scheme'". Shortly afterwards, Metamax deleted their Twitter account, and shut down victims' online access to their accounts.

Local news estimated that the scheme affected around 15,000 victims, mainly in Cyprus and Greece. Three people have been arrested in connection to the scheme, including a retired Cypriot police officer. One of the suspects turned himself in to police, claiming that he himself was a victim of the scam, and that he believed his life was in danger as he was being threatened by Metamax victims. Days later, a bomb was detonated near a home he once rented.

"Man arrested for Metamax pyramid scheme allegedly wanted to flee country", in-cyprus [archive]
"Metamax fraud suspect becomes target of bomb attack", in-cyprus [archive]
"Take the Money and Run", Rekt [archive]
Philippines SEC warning [archive]