$100M drained from Solana DeFi platform Mango Markets, token plunges 52%

October 12, 2022 Coin Telegraph

The platform’s treasury was drained of over $100 million worth of cryptocurrency after an attacker manipulated price data of its native token to take out loans against their holdings.

Solana (SOL) based decentralized finance (DeFi) exchange Mango Markets has been hit with a reported exploit of over $100 million through an attacker manipulating price oracle data, allowing them to take out under-collateralized cryptocurrency loans.

The exploit was first identified by blockchain security firm OtterSec which tweeted the exchange had been drained of over $100 million due to the attacker manipulating the value of their Mango (MNGO) native token collateral, then taking out “massive loans” from Mango’s treasury.

It appears the attacker was able to manipulate their Mango collateral. They temporarily spiked up their collateral value, and then took out massive loans from the Mango treasury. pic.twitter.com/2IJrB9RcEJ
— OtterSec (@osec_io) October 11, 2022

The Mango Markets team tweeted soon after warning users not to deposit funds until “the situation was more clear” and asked the attacker to contact them to discuss a bug bounty.

The team later confirmed the manipulation of a price oracle — a price data feed of the value of its MNGO token — and stated that it had disabled deposits whilst it continued investigations of the incident.

We will be disabling deposits on the front end as a precaution, and will keep you updated as the situation evolves.

If you have any information, please contact blockworks@protonmail.com to discuss a bounty for the return of funds. 2/
— Mango (@mangomarkets) October 11, 2022

Due to news of the exploit, the price of the platforms’ MNGO token has fallen by around 52% in the last 24-hours at the time of writing according to data from CoinGecko.

The exploiters' account on the platform shows the three largest withdrawals were for $50 million worth of USD Coin (USDC), over $26.7 million worth of a Solana staking token called Marinade Staked SOL (mSOL), and nearly $24 million worth of SOL.

Over $14.7 million worth of MNGO was withdrawn and Mango said it’s “taking steps to have third parties freeze funds in flight.”

Meanwhile, the QANplatform blockchain also suffered from an exploit of its ownon Oct. 11, with its Ethereum (ETH) bridge drained of around $1.89 million worth of its native QANX token according to blockchain security company Beosin. QANplatform says it’s investigating the incident.

Binance CEO Changpeng Zhao Says Crypto Titan Has Unmasked Two Suspects Involved in $265,000 DeFi Hack

September 5, 2022 The Daily Hodl

Crypto Exchange Gemini Hit With Lawsuit for Alleged Negligence Over $36,000,000 in Customer Funds

June 8, 2022 The Daily Hodl

Targeted phishing scam nets $438K in crypto and NFTs from hacked Beeple account

May 23, 2022 Coin Telegraph

beeple

Links posted to a fake Louis Vuitton non-fungible token (NFT) raffle were made to capitalize on a recent real collaboration between Beeple and the luxury fashion brand.

Digital artist and popular non-fungible token (NFT) creator Mike Winkelmann, more commonly known as Beeple, had his Twitter account hacked on Sunday, May 22 as part of a phishing scam.

Harry Denley, a Security Analyst at MetaMask, alerted users that Beeple’s tweets at the time containing a link to a raffle of a Louis Vuitton NFT collaboration were in fact a phishing scam that would drain the crypto out of users' wallets if clicked.

⚠️ Beeple's Twitter account has been compromised (ATO) to post a phishing website to steal funds.

0x7b69c4f2ACF77300025E49DbDbB65B068b2Fda7D
0xF305F6073CFa24f05FF15CA5b387DD91f871b983 pic.twitter.com/0MPNwOPlEu
— harry.eth (whg.eth) (@sniko_) May 22, 2022

The scammers were likely looking to capitalize on a real recent collaboration between Beeple and Louis Vuitton. Earlier in May, Beeple designed 30 NFTs for the luxury fashion brand’s “Louis The Game” mobile game which were embedded as rewards to players.

The scammer continued to post phishing links from Beeple’s Twitter account leading to fake Beeple collections, luring in unsuspecting users with the promise of a free mint for unique NFTs.

Bad actors continue have access to Beeples Twitter account and they have now tweeted another phishing domain.

This one just prompts the user to send ETH to an EOA (0xcad7fc974F61A08ADEF110D1BA446fa5b5B5Bb27).

Infra: 44.227.238.106 pic.twitter.com/HzTga1OvNK
— harry.eth (whg.eth) (@sniko_) May 22, 2022

The phishing links were up on Beeple’s Twitter for around five hours and on-chain analysis of one of the scammers' wallets shows the first phishing link scored them 36 Ethereum (ETH) worth roughly $73,000 at the time.

The second link netted the scammers around $365,000 worth of ETH and NFTs from high-value collections such as the Mutant Ape Yacht Club, VeeFriends, and Otherdeeds amongst others bringing the grand total value stolen from the scam to around $438,000.

On-chain data shows the scammer selling the NFTs on OpenSea and putting their stolen ETH into a crypto mixer in an attempt to launder the gains.

Beeple later tweeted that he had regained control of his account and added to remind his followers that “anything too good to be true IS A F*CKING SCAM.”

ugh we’ll that was fun way to wake up.

Twitter was hacked but we have control now. Huge thanks to @garyvee ‘a team for quick help!!!!
— beeple (@beeple) May 22, 2022

Beeple has created three of the top ten most expensive NFTs sold to date including one which sold for $69.3 million, the most expensive ever sold to a sole owner. This attention has made him a target for hacks.

In November 2021, an admin account on Beeple’s Discord was hacked with scammers there also promoting a similarly fake NFT drop which resulted in users losing around 38 ETH.

Earlier this month, cybersecurity firm Malwarebytes released a report which highlighted a rise in phishing attempts as scammers try to cash in on NFT hype. The firm noted the use of fraudulent websites depicted as legitimate platforms is the most common tactic used by scammers.

AkuDreams dev team locks up $33M due to smart contract bug

April 25, 2022 Coin Telegraph

AkuDreams dev team locks up M due to smart contract bug

Aku

A highly anticipated NFT project has been hit with an exploit and a smart contract bug, causing a disruption to its auction and leaving the team with $33 million unable to be accessed.

The highly anticipated NFT project Akutars was marred by both an exploit and a bug on the weekend causing over 11,500 Ethereum (ETH) worth nearly $33 million to be locked forever within a smart contract, inaccessible even to the development team.

The exploit however, was conducted by someone trying to show a vulnerability in the project and not to steal funds via a hack.

The project went live on Friday April 22 with a Dutch Auction, a type of auction where the price lowers until it receives a bid, with the first bid winning the sale as long as the price is above reserve.

The auction opened at 3.5 Ethereum with only 5,495 of the available 15,000 NFTs up for sale and the smart contract set to refund any bidders who were underbid. Holders of an “Aku Mint Pass” were also given a 0.5 Ethereum discount on each minted NFT.

The $33M Bug

In a April 23 Twitter thread explaining the whopping $33 million bug, 0xInuarashi, a developer of multiple NFT projects explained Akutars' smart contract was coded so that refunds to bidders had to be processed first before the team could withdraw any funds.

The contract had a caveat that a minimum number of bids had to be made before it would allow for the team to withdraw, but the minimum number of bids was set to equal the amount of NFTs available for auction.

Unfortunately, due to some buyers minting multiple NFTs within the same bid, the terms of the contract mean it will never unlock, sealing away the nearly $33 million in Ethereum forever.

Cointelegraph contacted the Akutars team for comment but did not immediately hear back.

The exploit

In a now deleted tweet posted by the Akutars that was shared by DeFi developer foobar, it said that developers reached out to them warning that their contract could be exploited but appeared to shrug them off completely as they labelled the potential exploit a “feature”.

The AkuDreams team pretended that this was a feature, not an exploit, when multiple developers raised concerns prior to mint. Bizarre justifications. pic.twitter.com/cVgEXnnWzF
— foobar (@0xfoobar) April 23, 2022

During the mint an unknown individual executed what’s known as a “griefing contract” which locked the ability of the Akutars contract to process refunds to those underbid. The individual even embedded a message on the blockchain to the Akutars team saying they would stop the contract:

“Well, this was fun, had no intention of actually exploiting this lol. Otherwise I wouldn’t have used Coinbase. Once you guys publicly acknowledge that the exploit exists, I will remove the block immediately.”

Akutars then promptly responded by taking responsibility for the code and suggested that the exploit “was not done out of malice” and the person “intended to bring attention to best practices for highly visible projects.”

Quick Update (will go into more detail asap):

1. The exploit in the contract was not done out of malice; the person intended to bring attention to best practices for highly visible projects & novel mechanics. They unblocked the exploit quickly after we dug in and took ownership
— Aku :: Akutars (@AkuDreams) April 23, 2022

In a tweet on the same day, the project's founder and former pro-baseballer Micah Johnson offered an apology to the community, noting that after letting them down he will "continue to build brick by brick" and work tirelessly to avoid any similar issues moving forward.

The team also said that it will be issuing 0.5 Ethereum refunds to pass holders as well as airdropping the NFT to successful bidders.

The mistakes that were made are no more costly to anyone than myself. I’ve reinvested most everything into building Aku.

& most everything will go back to refunds and we will keep building what we set out to do.

Brick by brick. https://t.co/vQiPbl0Jpl
— Micah Johnson (@Micah_Johnson3) April 23, 2022

In an update posted on Sunday April 24 the team said it had rewritten its minting contract which was then audited by several developers and plans to mint on Monday April 25.

This article has been updated, with the headline changing from "$34M" to "$33M"

North Korean Hackers Behind $600,000,000 Attack on Axie Infinity (AXS), According to U.S. Treasury

April 15, 2022 The Daily Hodl

Bitfinex-backed LEO soars to record high on supply crunch expectations

February 9, 2022 Coin Telegraph

Bitcoin

The token surged almost 70% in a day after the U.S. Department of Justice announced that it had recovered most of the stolen funds from the 2016 Bitfinex hack.

Unus Sed Leo (LEO) surged by almost 70% on Feb. 9 to reach its record highs as traders assessed the potential of an incoming supply crunch in its market.

The token was issued in 2016 to refinance crypto exchange Bitfinex after it lost about $70 million worth of Bitcoin (BTC) in a hacking incident. In its original whitepaper explaining LEO, Bitfinex had promised that if they could recover the lost funds, they would use 80% of the proceeds to buy back and burn LEO.

Around 80% of stolen Bitcoin recovered

On Feb. 8, the U.S. Department of Justice (DOJ) announced that it last week had seized over $3.6 billion worth of Bitcoin stolen — around 94,000 BTC — from Bitfinex in 2016, valued as per the current bitcoin-to-dollar exchange rates. Overall, Bitfinex had lost 119,754 BTC to the hack, meaning the cryptocurrency tied to the incident was worth around $4.5 billion at the time of DOJ's seizure.

Bitfinex confirmed its promise to use the recovered funds to buy back and burn LEO tokens in a statement issued Tuesday, noting that the process would complete within 18 months of the date it receives the amount.

DOJ officials told the press that they plan to set up a court process for victims to reclaim their stolen Bitcoin funds.

Nonetheless, they did not disclose how long the process would take to finish. If past is any indication, crypto refunds tied to exchange-related hacks take time. For instance, victims of Mt. Gox's $460-million hack — from 2013 — are still waiting for their refunds.

But LEO bulls ignored such red flags and went ahead with raising their bids for the token this Tuesday, anticipating that the upcoming supply crunch would make the token more valuable in the long run. As it happened, LEO's price rose to its all-time high of $8.144, only to follow the upside move with a correction that saw the token going to as low as $7.04 early on Wednesday.

*LEO/USD daily price chart. Source: TradingView*

Mixed outlook for LEO

Adam Cochran, Partner at activist venture capital firm Cinneamhain Ventures, identified problems with the ongoing LEO price rally, noting that not all the recovered funds would go through Bitfinex unless those holdings belong to the exchange themselves.

"There could, of course, be some weird deal structure in place, with the custom tokens Bitfinex issued, where they essentially claim they bought the loss off of other customers and so the Bitcoin is theirs and they can claim it all, and then later distribute," the executive tweeted Tuesday, adding that he "personally" won't be purchasing LEO while expecting a quick buyback from Bitfinex.

6/6

But if you are buying LEO for recovery plans, I'd dial down the % chance it happens that way, and maybe wait for impatient buyers who expect an instant recover to sell into stronger hands over coming months.
— Adam Cochran (adamscochran.eth) (@adamscochran) February 8, 2022

Conversely, Alexander Mamasidikov, co-founder of crypto wallet service, MinePlex, called the recovery of Bitfinex funds a "right fundamental" that could back LEO's growth in the future.

"Native to Bitfinex, LEO has the chance of tagging along with the future ecosystem growth of the trading platform, a move that is billed to guarantee the coin’s continuous uptrend," said, adding:

"LEO is arguably underpriced when compared to the native tokens of its major competitors. In the mid-term, LEO is poised to touch the $10 resistance point while a quarterly close of $12 is likely should this current growth pace be sustained."

The views and opinions expressed here are solely those of the author and do not necessarily reflect the views of Cointelegraph.com. Every investment and trading move involves risk, you should conduct your own research when making a decision.

Justice Department Seizes Over $3.6 Billion Worth of Bitcoin Linked to Bitfinex Hack

February 8, 2022 The Daily Hodl

Nearly $2.3 Billion Worth of Bitcoin Moved Out of Wallet Involved in 2016 Bitfinex Hack: Whale Alert

February 2, 2022 The Daily Hodl

crypto hack