
Rugpull

Multichain Executor has been ‘draining’ AnySwap tokens: Report

The contract has used an “anySwapFeeTo” function to transfer hundreds of thousands of dollars worth of tokens to itself, which on-chain sleuth Spreek suspected may have been malicious.

A person is using the Multichain Executor to drain tokens associated with the AnySwap bridging protocol, according to a July 10 report from on-chain sleuth and Twitter user Spreek. The report follows outflows of over $100 million from Multichain bridges that occurred on July 7, which were reported by the Multichain team as “abnormal.”

According to Spreek’s July 10 report, “The Multichain Executor address has been draining anyToken addresses across many chains today and moving them all to a new EOA [externally owned account].”

An image attached to the post shows Ethereum transaction 0x53ede4462d90978b992b0a88727de19afe4e96f0374aa1a221b8ff65fda5a6fe. Blockchain data reveals that this transaction called the “anySwapFeeTo” method on the Multichain Router: V4 contract, causing approximately $15,275.90 worth of anyDAI — a derivative version of the Dai (DAI) stablecoin — to be minted on Ethereum and sent to the Multichain Executor, who then burned it and exchanged it for the underlying DAI backing the asset. 

DAI conversion by the Multichain Executor. Source: Etherscan

In a separate comment, Spreek said the funds are being sent to the following address: 0x1eed63efba5f81d95bfe37d82c8e736b974f477b. Ethereum blockchain data shows that this address received the redeemed DAI from the Multichain Executor on July 10, about five minutes after the previous transaction.

Data for BNB Smart Chain (BSC) shows that the Multichain Executor also called the anySwapFeeTo function on its network for $208,997 worth of anyUSDC. This resulted in $208,997 worth of the tokens being converted into its underlying Binance-Pegged USDC, which were subsequently sent to this same address. In other BSC transactions, the contract used this process to convert 50.80 anyBTC, worth $39,251.43 at the time, to equivalent Binance-Pegged Bitcoin and send it to this address.

The transactions add up to approximately $263,524.33 worth of tokens sent to this address through the anySwapFeeTo method.

Spreek said this behavior could be part of the normal functioning of the protocol. On the other hand, a different account had engaged in similar behavior the day before, Spreek stated. The other account eventually sold the drained tokens, providing evidence that it was malicious:

“It is unclear whether this is authorized behavior. Previously the same method was used yesterday by a different MPC address on the anyUSDT token on mainnet. The tokens were then immediately sold to ETH, suggesting that that similar address was the actions of a malicious actor.”

The on-chain sleuth theorized that the attacker may be using the anySwapFeeTo function to set fees to an arbitrarily large amount, allowing them to drain users’ funds. This function “[a]pparently allows ANY value to be set, so the address is simply choosing the total value of the token held in that anyToken,” Spreek stated.

The Multichain incident has baffled blockchain analysts, as no one has been able to prove whether it resulted from an exploit or is simply the result of large tokenholders moving their funds between networks. The mystery began on July 7, when over $100 million worth of tokens were withdrawn from the Ethereum side of Multichain’s Fantom, Moonriver and Dogechain bridges and sent to wallet addresses with no previous transactions. These withdrawals represented the majority of funds held on each bridge.

The Multichain team declared that the withdrawals were “abnormal” and told users to stop using the protocol. However, the team did not declare what the source of the anomaly was or could be.

On July 8, stablecoin issuers Circle and Tether froze some of the addresses that received funds tied to the strange transactions. On July 11, blockchain analytics firm Chainalysis said the incident “looks more like a hack or rugpull and less like a migration.”

The Multichain team says their CEO is missing and that they’ve shut down some bridges due to no longer having access to some of the network’s multi-party computation network servers.


Bitcoin mining stocks saw spikes across the board ahead of halving event

Chibi Finance $1M alleged rug pull: How it happened

The exploiter used a “panic” function buried within eight different smart contracts to remove $1 million worth of users’ funds without their permission.

On June 26, decentralized finance (DeFi) aggregator Chibi Finance was exploited by its own deployer account, and $1 million worth of cryptocurrency was drained from its contracts in an apparent rug pull or exit scam. The protocol’s official user interface disappeared, producing a 404 error, and all social media for the app was taken down. After the funds were drained, they were swapped for Wrapped Ether (WETH) and bridged to Ethereum, where they were afterward sent to Tornado Cash by the attacker.

The price of the Chibi Finance (CHIBI) governance token fell by over 90% as the news broke.

CHIBI token price. Source: CoinGecko.

But “rug pulls” shouldn’t be possible in DeFi. After all, these apps, by definition, don’t run on centralized infrastructure. So the app’s creator shouldn’t be able to run off with everyone’s crypto or cash.

For this reason, it might be useful to analyze how the alleged scam was pulled off.

CertiK has produced a detailed report after investigating the incident. When combined with blockchain data, this report can shed light on how the attack occurred and what users can do to protect themselves against similar attacks or scams in the future.

The Chibi Finance app

Before its user interface went offline, Chibi described itself as “the most popular yield aggregator on Arbitrum.” It claimed to allow users to gain yield from across the Arbitrum ecosystem.

According to CertiK, the DeFi aggregator has been growing in total value locked (TVL) — a measurement of the value of crypto held in an app’s contracts — since it launched in April. On June 21, Chibi announced it had achieved $500,000 in TVL. At the time, the team stated a goal to reach $1 million.

On June 26, the app was listed on CoinGecko for the first time, giving it greater exposure. It seems to have reached its $1 million goal shortly after this event, right before the tokens were drained from its contracts. As a result, investors lost over $1 million worth of crypto in the attack or scam.

Chibi Finance contracts

The attack exploited a loophole in eight different contracts used in the Chibi Finance protocol. These contracts were forked from other projects and were not unique to Chibi. For example, one of them was StrategyAave.sol at Arbitrum address 0x45E8a9BA6Fcd612a30ae186F3Cc93d78Be3E7d8d, which has also been deployed to several other addresses on Arbitrum, Ethereum, the BNB Smart Chain and other networks.

Another example is the StrategySushiSwap.sol contract at 0x9458Ea03af408cED1d919C8866a97FB35D06Aae0. This also has several versions on Arbitrum and other networks.

These contracts appear to be commonly used in DeFi aggregator applications, not just Chibi Finance.


Panic function

Blockchain data reveals that some of the contracts used by Chibi Finance contain a “panic” function that can be used to withdraw all tokens from a pool and send them to a particular address. This function was essential to the attacker’s method. Here is an explanation of how it works, with StrategySushiSwap.sol being used as an example:

Lines 340–343 of StrategySushiSwap.sol state that if the panic() function is called, it will call a second function named “emergencyWithdraw” on the ISushiStake contract.

The panic() function in StrategySushiSwap.sol contract. Source: Blockchain data.

The ISushiStake contract, in turn, is just an interface. It contains no executable code. Instead, it points to the SushiSwap: MiniChefV2 contract at 0xF4d73326C13a4Fc5FD7A064217e12780e9Bd62c3.

The MiniChefV2 address is listed as an official contract for the decentralized exchange, SushiSwap. So the “panic” function calls an “emergencyWithdraw” function within SushiSwap.

At the SushiSwap address, the emergencyWithdraw function can be seen on lines 626–643.

SushiSwap MiniChefV2 emergencyWithdraw function. Source: Blockchain data.

This function allows the owner of funds to withdraw without taking rewards. This may be useful in an emergency. For example, a user may want to call this function if a bug in the reward contract causes them not to be able to receive rewards.

The emergencyWithdraw function has a failsafe to prevent use by unauthorized persons. It states on line 360, “UserInfo storage user = userInfo[pid][msg.sender],” meaning that the “user” is defined as the sender of the message. Under normal circumstances, this should allow a user to emergency-withdraw their own funds, but not funds belonging to anyone else.

There does not appear to be anything malicious about this function in SushiSwap. However, a problem can arise if the user does not call this function directly from their own wallet.

For example, when a user deposited funds using Chibi Finance, their crypto was sent to SushiSwap by the StrategySushiSwap contract, not by the end-user directly. This meant that the Chibi Finance app was recognized as the “user” when attempting to emergency-withdraw funds. This, in turn, allowed Chibi to withdraw the users’ funds on users’ behalf.


However, the funds should have still been safe as long as the panic function could only be called by the end-user.

Unfortunately, the panic function does not have this requirement. Instead, it is simply listed within the Chibi Finance contract as an “onlyGov” function, meaning that an admin can call it, but no one else. The attacker relied on this loophole to carry out their attack.
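
The trust relationship described above can be checked in a small model. This is an added example, not code from Chibi Finance, SushiSwap or the CertiK report: a toy Python model in which the class names, depositor names, amounts, the payout-to-admin behaviour of `panic` and the two-day handover delay are all assumptions.

```python
"""Toy model of the deposit path described above (constructed; hypothetical names)."""


class Pool:
    """Stand-in for a staking pool that keys positions on the caller."""

    def __init__(self):
        self.user_info = {}  # caller address -> staked amount

    def deposit(self, msg_sender, amount):
        self.user_info[msg_sender] = self.user_info.get(msg_sender, 0) + amount

    def emergency_withdraw(self, msg_sender):
        # Mirrors `userInfo[pid][msg.sender]`: only the caller's own position
        # is released, whoever the economic owner of the tokens is.
        return self.user_info.pop(msg_sender, 0)


class Strategy:
    """Aggregator strategy: it, not the end user, is the pool's depositor."""

    address = "strategy"

    def __init__(self, pool, gov):
        self.pool, self.gov = pool, gov
        self.shares = {}    # end user -> amount deposited through the strategy
        self.received = {}  # address -> tokens paid out by the strategy

    def _only_gov(self, msg_sender):
        if msg_sender != self.gov:
            raise PermissionError("!gov")

    def _pay(self, to, amount):
        self.received[to] = self.received.get(to, 0) + amount

    def deposit(self, msg_sender, amount):
        self.shares[msg_sender] = self.shares.get(msg_sender, 0) + amount
        self.pool.deposit(self.address, amount)  # pool only ever sees the strategy

    def set_gov(self, msg_sender, new_gov, now=0):
        self._only_gov(msg_sender)
        self.gov = new_gov  # one step, effective immediately

    def panic(self, msg_sender):
        self._only_gov(msg_sender)
        # Assumption for this model: proceeds are sent to the admin address.
        self._pay(self.gov, self.pool.emergency_withdraw(self.address))


class HardenedStrategy(Strategy):
    """Same strategy with a delayed two-step handover and a custody-preserving panic."""

    GOV_DELAY = 2 * 24 * 3600  # seconds; illustrative value

    def __init__(self, pool, gov):
        super().__init__(pool, gov)
        self.pending_gov, self.gov_eta, self.idle = None, None, 0

    def set_gov(self, msg_sender, new_gov, now=0):
        self._only_gov(msg_sender)
        self.pending_gov, self.gov_eta = new_gov, now + self.GOV_DELAY

    def accept_gov(self, msg_sender, now):
        if msg_sender != self.pending_gov or now < self.gov_eta:
            raise PermissionError("handover not ready")
        self.gov, self.pending_gov = msg_sender, None

    def panic(self, msg_sender):
        self._only_gov(msg_sender)
        # Funds leave the pool but stay in the strategy for depositors.
        self.idle += self.pool.emergency_withdraw(self.address)

    def withdraw(self, msg_sender):
        amount = min(self.shares.pop(msg_sender, 0), self.idle)
        self.idle -= amount
        self._pay(msg_sender, amount)


def scenario(strategy_cls):
    """Deposit, hand governance over, then have the new admin call panic."""
    pool = Pool()
    strat = strategy_cls(pool, gov="deployer")
    strat.deposit("alice", 600)
    strat.deposit("bob", 400)
    direct = pool.emergency_withdraw("alice")  # alice has no position of her own
    strat.set_gov("deployer", "new_admin", now=0)
    try:
        strat.panic("new_admin")
        panic_ok = True
    except PermissionError:
        panic_ok = False
    return {"direct": direct, "panic_ok": panic_ok,
            "admin_received": strat.received.get("new_admin", 0),
            "left_in_pool": pool.user_info.get(Strategy.address, 0)}


if __name__ == "__main__":
    for cls in (Strategy, HardenedStrategy):
        print(cls.__name__, scenario(cls))
```

The delay does not stop an admin who is willing to wait it out; it gives depositors a public window to exit, and the changed `panic` keeps emergency proceeds redeemable by the people who deposited them.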

How the Chibi Finance attack was carried out

According to the CertiK report, Ethereum username Shadowout.eth withdrew 10 Ether (ETH) from Tornado Cash on June 15. These funds were bridged to Arbitrum, and 0.2 ETH was sent from this user to address 0x80c1ca8f002744a3b22ac5ba6ffc4dc0deda58e3. This second account then created a malicious contract on June 23 at address 0xb61222189b240be3da072898eda7db58b00fd6ee.

The attacker called the “add pool” function on this malicious contract eight times on June 23. Since the contract is unverified, the code for this “add pool” function is unknown. However, CertiK speculated that each of these transactions may have added a Chibi Finance contract to a list within the malicious contract’s data for a total of eight contracts in the list.

On June 27, the deployer account for Chibi Finance transferred admin rights for the eight Chibi Finance contracts to the malicious contract. It did this through eight separate transactions, each one calling the “setGov” function on a particular contract.

Admin rights for one of the Chibi Finance contracts being changed. Source: Blockchain data.

After the malicious contract gained these governance rights, its creator called its “execution” function. This caused it to call “panic” on each of the eight contracts, which in turn called “emergencyWithdraw” on related pools in DeFi apps such as SushiSwap, Aave and Global Hectare.

The result was that all of the funds deposited by users to these pools through Chibi Finance were drained by the attacker, resulting in losses of over $1 million to investors.
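
The sequence above leaves a visible signal before the drain: the “setGov” calls. As an added example (not from the CertiK report or any project's tooling), the following Python detector scores constructed call records for that pattern; the record field names, addresses, strategy names, times and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions chosen for the example, not values from the report.
NEW_CONTRACT_AGE = timedelta(days=7)   # "recently created" admin contract
PANIC_WINDOW = timedelta(hours=24)     # panic soon after a handover
FANOUT = 3                             # one address taking over many strategies


def t(stamp):
    return datetime.fromisoformat(stamp)


# Constructed address metadata, of the kind a block explorer can supply.
META = {
    "0xNEWGOV": {"is_contract": True, "verified": False, "created": t("2023-06-23T09:00:00")},
    "0xMULTISIG": {"is_contract": True, "verified": True, "created": t("2023-01-05T00:00:00")},
}

# Constructed call records. Dates loosely follow the article's timeline;
# strategy names, addresses and clock times are made up.
EVENTS = [
    {"ts": t("2023-05-20T08:00:00"), "strategy": "StratD", "fn": "setGov", "caller": "0xDEPLOYER", "new_gov": "0xMULTISIG"},
    {"ts": t("2023-06-27T12:00:00"), "strategy": "StratA", "fn": "setGov", "caller": "0xDEPLOYER", "new_gov": "0xNEWGOV"},
    {"ts": t("2023-06-27T12:01:00"), "strategy": "StratB", "fn": "setGov", "caller": "0xDEPLOYER", "new_gov": "0xNEWGOV"},
    {"ts": t("2023-06-27T12:02:00"), "strategy": "StratC", "fn": "setGov", "caller": "0xDEPLOYER", "new_gov": "0xNEWGOV"},
    {"ts": t("2023-06-27T12:10:00"), "strategy": "StratA", "fn": "panic", "caller": "0xNEWGOV"},
    {"ts": t("2023-06-27T12:10:00"), "strategy": "StratB", "fn": "panic", "caller": "0xNEWGOV"},
    {"ts": t("2023-06-27T12:10:00"), "strategy": "StratC", "fn": "panic", "caller": "0xNEWGOV"},
    {"ts": t("2023-06-27T13:00:00"), "strategy": "StratD", "fn": "panic", "caller": "0xMULTISIG"},
]


def detect(events, meta):
    """Return alerts for risky admin handovers and for panic calls that follow them."""
    alerts = []
    appointed = {}              # strategy -> (current admin, time of handover)
    fanout = defaultdict(set)   # admin -> strategies handed to it
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["fn"] == "setGov":
            gov = ev["new_gov"]
            info = meta.get(gov)
            appointed[ev["strategy"]] = (gov, ev["ts"])
            fanout[gov].add(ev["strategy"])
            reasons = []
            if info is None:
                reasons.append("no metadata for new admin")
            else:
                if info["is_contract"] and not info["verified"]:
                    reasons.append("unverified contract")
                if ev["ts"] - info["created"] <= NEW_CONTRACT_AGE:
                    reasons.append("recently created")
            if len(fanout[gov]) >= FANOUT:
                reasons.append(f"governs {len(fanout[gov])} strategies")
            if reasons:
                alerts.append({"severity": "HIGH", "strategy": ev["strategy"],
                               "fn": "setGov", "reasons": reasons})
        elif ev["fn"] == "panic":
            gov, when = appointed.get(ev["strategy"], (None, None))
            # A panic from an admin installed within the window is the drain step.
            if gov == ev["caller"] and ev["ts"] - when <= PANIC_WINDOW:
                alerts.append({"severity": "CRITICAL", "strategy": ev["strategy"],
                               "fn": "panic", "reasons": ["panic shortly after handover"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, META):
        print(alert["severity"], alert["strategy"], alert["fn"], "; ".join(alert["reasons"]))
```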

How can Chibi-style rug pulls be avoided?

Given that the attack relied on a “panic” function that allowed an admin to drain all of the users’ funds, one way to avoid a Chibi-style rug pull would be not to use apps that have this function.

On the other hand, if an aggregator doesn’t have a “panic” function, there is a risk that the user’s funds could get stuck if a bug or exploit is discovered within the aggregator app. Users may want to consider these tradeoffs if they decide to use aggregator apps instead of directly interacting with the underlying pools.


DeFi users may also want to consider that smart contract code can be extremely complex, and it may not be possible for most users to determine on their own whether an app has a security flaw. As CertiK claimed in its report:

“The Chibi Finance incident demonstrates the risks that are associated with centralization in the Web3 space.[...]It is an unrealistic expectation for regular investors to spot and understand the centralization risks within projects like Chibi Finance by simply doing their own research.”

For this reason, users may want to check an app’s published audits before using it, CertiK stated.

Chibi Finance claimed to be audited by blockchain security firm SolidProof. The contents of the alleged audit are no longer available, as the project’s GitHub has been taken down and was never saved by internet archives. Cointelegraph could not determine whether the risks posed by the “panic” function were disclosed in the audit report or even whether an audit took place.

Cointelegraph has reached out to SolidProof for comment but did not receive a reply by publication.

Rug pulls or exit scams have become a common problem in the DeFi space. On June 1, blockchain security firm Beosin reported that over $45 million was lost from rug pulls in May, outpacing regular DeFi exploits. In April, the Ordinals Finance protocol was also allegedly rugged for $1 million through a “safuToken” transfer function.


Nifty News: UK Royal Mint NFT, $960k Billionaire Dog rug and Pudgy Penguins

The Royal Mint NFT featured in a series of announcements aimed at making the UK a global crypto hub, with officials saying the NFT is “an emblem” of the approach the UK “is determined to take”.

The U.K. government Treasury announced on Monday, April 4th, that it has asked the Royal Mint to create one non-fungible token (NFT) to be issued by the end of the year “as an emblem of the forward-looking approach the UK is determined to take.”

The NFT was part of a series of announcements by the Economic and Finance Ministry to make the United Kingdom a global cryptocurrency hub, including amending a regulatory framework on stablecoin payments.

The NFT will be “issued by summer”, with no date publicly set for the release of the token.

Billionaire Dog NFT rug pull

Self-confessed “on-chain sleuth” “zachxbt”, popular for his Twitter threads investigating crypto figures and projects, has made a new thread on Monday alleging that French influencer Laurent Correia had a major role in an NFT project that rugged.

The Billionaire Dogs Club project launched in mid-December 2021 at a public mint price of 0.2 ETH. Low demand for the NFTs saw the project restrict supply from 6,500 tokens to 2,000 in a bid to garner interest for the project.

According to “zachxbt”, the Discord channel and the team behind the project disappeared a week later, leaving NFT owners holding the bag. On-chain analysis by the analyst revealed that of the estimated $960,000 generated by the project, $400,000 was allegedly sent to Correia’s public crypto wallet.


The same wallet was used to purchase other high-value NFTs which Correia posted on his social media accounts. Zachxbt tagged the Dubai Police, the local law enforcement where Correia lives, tweeting that it’s “sickening to see a DOX’d influencer so blatantly rug a project like this.”

Pudgy Penguins sold to Netz Capital

The team behind the Pudgy Penguins NFT project tweeted on Sunday, April 3rd, that the collection was under new management. Luca Netz of Netz Capital purchased the project for 750 ETH, about $2.5 million at the time.

A few months prior, the project voted out its controversial founder Cole Villemain, who has been subject to questions about his past dealings in projects, giveaways, and other businesses.

With the purchase of the 8,888 Pudgy Penguin NFTs, Netz will receive all future royalties from secondary sales.

Other Nifty News

Visa has announced the launch of its Creator Program, a mentorship program aimed at helping entrepreneurs accelerate their business through NFTs. Visa says the goal is to bring together digital creators to empower and educate them on blockchain technology and NFT commerce.

Non-custodial cryptocurrency platform ShapeShift DAO launched an NFT auction in support of female artists in the NFT and blockchain industry. The auction started on April 4th on OpenSea and runs until April 11th.


‘Evolved Apes’ NFT creator allegedly absconds with $2.7 million

Some members of the NFT project are attempting to continue the development of the game while efforts are underway to apprehend the alleged culprit.

Investors in Evolved Apes, a recently launched “pfp” — short for profile picture — nonfungible token (NFT) are grappling with the disappearance of the project’s anonymous developer.

Going by the moniker “Evil Ape,” the developer has allegedly lived up to the name by vanishing with 798 Ether (ETH) worth over $2.7 million from the project’s coffers.

The reportedly stolen funds covered both the money realized from the initial minting process and the ETH traded in the secondary sale of the NFTs on the OpenSea marketplace.

Indeed, Evolved Apes had been one of the hyped NFT mints of recent with the 10,000-strong collection reportedly selling out in 10 minutes and the floor price rising steadily following the swift sale.

However, the project’s storefront on OpenSea shows a tanked floor price of 0.005 ETH, significantly lower than the original minting cost. The decline in the floor price is no doubt linked to the current rug pull scandal rocking the project.

Apart from allegedly siphoning all the project’s money, Evil Ape also took down the Evolved Apes’ Twitter account and website.

Before absconding with the $2.7 million, Evil Ape and the project’s creators had promised to ship a blockchain fighting game, a common promise among several avatar-style NFT developers.

Some members of the community have come together to continue the development of the project under the umbrella of “Fight Back Apes.”

The entities behind the new faction say they wish to create a more community-centric operating model for the project, including a multisig wallet, to prevent the repeat of another Evil Ape debacle.


With Evil Ape still receiving the 4% royalties on secondary sales, the current plan is to create a new project that will airdrop new NFTs to current holders.

NFTs have arguably dominated discourse in the crypto space in 2021 with massive platforms like OpenSea recording massive trading volumes.

Given the popularity of NFTs, it is perhaps unsurprising to see alleged rogue actors like Evil Ape attempting to con unsuspecting victims.


Finance Redefined: Alchemix rugpull remuneration, and Aave v. 2.5! June 16-23

The first-ever “reverse rug” has a surprising compensation plan, and the largest protocol in DeFi ponders growth.

After close to a month of consulting with industry experts and journalists within Cointelegraph and without, we’re proud to unveil a new segment for Finance Redefined, a.k.a. the premier DeFi industry newsletter: on-chain analysis. 

Reporters will often look to public records to bolster stories, and the blockchain is no different. Everything from analyzing the wallet of the fake Banksy NFT artist to following-up with exploiter wallets in the wake of hacks, the data is often used but arguably not to the extent that it could be.

For instance, there is a wallet widely-known to be that of Mark Cuban, serial entrepreneur and owner of the Dallas Mavericks. He’s doxxed himself indirectly and directly many times — the address is the owner of markcuban.eth, for christsakes. And yet, when he announces that he’s invested in Polygon (or an algo stable shitcoin, RIP Titan) it’s news, but when he makes the moves on the wallet in real time…. the crypto-news industry ignores it?

Reporting on wallet transactions is fraught with complications, however. As Sam Trabucco of Alameda Research told me in Miami, “doxxed” Alameda wallets know that they’re doxxed (“contaminated” is the term they use internally), and trying to interpret a buy from one ‘known’ wallet may only be glimpsing a small part of a much larger picture — Alameda may be hedging with another acct, and as such public buys/sells are ultimately not indications of a wider opinion on an asset.

Check out this thread on folks trying to uncover what Alameda is doing with CRV as an example — the tail-chasing and narrative flip-flopping is extreme:

Additionally, despite ample evidence, if Mark Cuban ever came out and said that a wallet is not his — doesn’t matter if he has the ENS, doesn’t matter if he’s even claimed it as his in the past — we, as an outlet, have no way to definitively prove to the contrary, and as such explicitly linking an individual or institution to a wallet is unacceptable regardless of any amount of circumstantial evidence. 

So, we’ve tiptoed and wondered and thought and thought about it some more. On-chain data is both public and wildly underused by news outlets, but it’s a new source type from a journalism perspective and really uncharted ethical ground.

Some of the language decisions we’ve made might seem a little obtuse, but they’re measured and we think appropriate. Let us know what you think.

We hope you like our first installment, courtesy of Bill Zerox aka @0xbilll:

Alchemix rugpull remuneration analysis 

After a rug pull, desperate community members typically beg developers to return the stolen funds and social media channels become chaotic — filled with stories of tragic loss and impoverished nurses. It only makes sense then that in the first "reverse rug" in DeFi history, it’s the developers begging the community to return the funds. The big difference is that instead of ignoring requests, as exploiters often do, the community has seemingly responded.

Last week, Alchemix suffered a bug that saw users walk away with 2262 ETH (almost $4.5 million USD, even with the recent price decline) in what is being called the first-ever “reverse rug”. Instead of using treasury funds or minting a new token, steps that other protocols have taken to recoup a loss after a bug or hack, the Alchemix team is asking users who benefited to return the ETH.

In exchange, Alchemix is promising users 1 ALCX per 1 ETH returned. If users who benefited from the bug return the full amount of ETH that they were able to withdraw, the team says the generous exploiters will also receive a “special” NFT that includes "yet-to-be-determined functionality in the Alchemix DAO.”

Although unconventional — as the best things in DeFi are — on the surface their ask to the community has been a success. Taking a look under the hood, however, reveals that the majority of funds were donated from one altruistic Alchemist developer while the accounts that walked away with the most ETH show no signs that they will return the funds.

On-chain data shows that the majority of ‘returned’ funds have come in the form of community members donating ETH, as opposed to users returning the ETH that the bug allowed them to claim.

1129.85 ETH has been returned as of this afternoon. Breaking it down, 358.21 ETH (~32%) is from users who benefited from the bug, while 771.64 ETH (~68%) has been donated by community members.

Data taken from Dune Dashboard thanks to 0xGranger at ~2:45 EST June 23rd; https://duneanalytics.com/queries/66340/132563

The largest donation so far is a staggering 730 ETH from an apparent Alchemist developer with the ENS handle n4n0.eth. They did not receive ETH from the exploit, so they are presumably reaching into their own pockets — a testament to their belief in Alchemix and their desire to make the protocol whole.

When called out in the Alchemix discord, n4n0 simply said, “I’m in it for the tech.”

Screenshot taken from official Alchemix Discord channel

A Twitter profile with the same name lists their role as “codemonkey @ http://alchemix.fi."

Outside of n4n0.eth’s 730 ETH donation, 196 other addresses have donated a total of 41.64 ETH. While some of the addresses may be speculating that those who donate will be eligible for future airdrops, the response also shows that the community wants Alchemix to succeed.

Looking at addresses who received excess ETH from the exploit, the top 20 addresses walked away with almost 1800 ETH, ranging from 25 to 500 ETH. Of those, so far only four addresses have returned the full amount they got off with for a total of 174 ETH.

One of these addresses, themockingjay.eth, returned the 40 ETH that they were able to withdraw because of the bug. Their address shows that they are active DeFi users and early Alchemist supporters, as demonstrated by them apeing into pool 2 a couple days after the protocol launched.

Zerion currently shows themockingjay.eth’s net worth at over $2 million, demonstrating that they are characteristic of DeFi users who are in a position to support a protocol, as opposed to carry off with the funds.

With the promise of an NFT and the chance to live in Alchemix/DeFi/Crypto history forever, perhaps the response here should not come as a surprise.


Aave 2.5, and airdrops to come

Like many DeFi protocols, Aave isn’t having ‘growing pains’ so much as the project is sprouting wings. 

A former perennial top-10 on rankings websites, they’re now the definitive #1 in DeFi with nearly $17 billion in TVL on the back of a highly successful liquidity mining program. However, in an interview with Cointelegraph Aave co-founder Stani Kulechov weighed in on the same problem dozens of protocols now face: how to continue the explosive growth in an increasingly complicated system?

“Now the question is, how do we keep growing at the same pace, and also expand the growth as new projects are coming in, as new ideas and innovation comes into the whole ecosystem?” He asked.

The first step for Aave is applying what works to new environments. The team is working on a governance bridge that can let users vote on layer-1 for decisions that will apply to the various layer-2 implementations of the market, allowing for “cross-chain decentralized decision making,” says Kulechov. This new feature will be available in a matter of weeks.

However, larger changes are coming as well:

“We believe the future is multi-asset and multi-governance. [...] This means we’ll have more inclusive decision making in the community.”

Multi-asset governance — say, AAVE and BAL holders voting on an AAVE-specific proposal — will of course be an entirely new experiment, and comes with specific considerations for the community.

In Stani’s view, which assets other than AAVE should determine Aave’s fate largely depend on the synergy. Ultimately it will be up to AAVE holders to vote on who gets in, but Stani pointed towards protocols like Balancer — who have a forthcoming deep integration with Aave to deposit unused AMM liquidity into lending pools — as a prime option in a multi-asset governance framework. Likewise, MakerDAO is building a system where the protocol deposits DAI into Aave, and then uses aDAI as collateral in special vaults to assist with liquidity crunches — another deep integration that would possibly warrant inclusion for MKR in multi-asset governance.

This is part of a broader framework for the Aave core team stepping away from the project after the eventual Aave v3 launch. At that point, major users of the Aave protocol (including other protocols that may be using Aave), should be the ones to decide its parameters.

As a result, the day may come when the most significant votes on Aave governance come from addresses controlled by other governance communities.

But what will the core development team do after the launch of Aave v3? Social media protocols? High fashion on the blockchain? And will it involve potentially lucrative airdrops to current AAVE holders? Kulechov was scant with details (despite his odd Tweets on the topic here and there), but did wax philosophical when it comes to possible airdrops:

“The two key principles are distribution — how do you empower the Aave community when you distribute new assets — and secondly how you can use tokeneconomics to empower your product and your community.”

As an example of empowering a community, Stani pointed to staked Aave, stAAVE, which is used to backstop the protocol as an insurance fund in the case of a shortfall event. Depositing into this fund rewards users with more AAVE and therefore more governance power — ultimately using the token to reward deeper engagement. 

The development of the backstop model — also known as Aavenomics, a whitepaper that laid out how the protocol would attract liquidity, and the security to back that liquidity — took six months. Stani said the team settled on a model where “the AAVE token becomes a way to transfer risk to community members, as they’re the ones making risk-based decisions.” This forces the community to be more involved, as they bear risk, but proportionally rewards them.

Kulechov expressed skepticism that new tokens would be needed for new projects from the core team because “you can build value with new protocols directly in the ecosystem you have, and reinforce the current value there.” He also noted that the Synthetix model, which will lead to four new tokens in the coming months, may have downsides: “The risk is that if you come to market with five new tokens, you kind of might dilute the main asset and the community there, and split your community.”

Potential fat airdrops aside, for now the focus is on the forthcoming “Aave v. 2.5,” the penultimate upgrade before v3.

Aave 2.5 comes with a focus on risk mitigation. The update will include supply and borrow caps on certain assets, and improved liquidation mechanisms — what Stani calls “the final version before the ultimate protocol we wanted to build (v3),” and afterwards the community will take over the protocol and its development entirely. The team at Parafi Capital, who co-authored a liquidity mining proposal for Aave, are some of the chief architects of the overhaul. 

Ultimately, while the Aave team continues to iterate and learn from fellow protocols, Stani says the kind of bold experimentation Aave has made (and continues to make) is the best path forward for the space:

“The best way to do things is being experimental. You actually need to fail with tokeneconomics before you can find something that actually works.” 


Binance Smart Chain’s TurtleDex rugpulls shortly after launch

The file storage project has all the markings of a rugpull, but will investors be able to get their funds back?

Turns out a turtle’s arms are plenty long enough to pull a rug. 

Yesterday, March 19, Binance Smart Chain (BSC) file storage project TurtleDex performed a “rugpull” exit scam — a colloquial term for when a project’s developers drain the liquidity or stored funds invested by the protocol.

Coming off a March 15 presale round that raised 9000 BNB tokens worth nearly $2.5 million, the team drained those funds from trading pools on BSC-native decentralized exchanges Pancake Swap and Ape Swap, converted the liquidity to ETH, and sent the funds to Binance exchange wallets to be sold, according to TurtleDex team wallet transactions.

Jet Fuel Finance, a yield vault protocol which had partnered with TurtleDex on a farming initiative, confirmed the rugpull on Twitter, saying they were “shocked” by the scam:

The TurtleDex website has gone dark and social channels have been deleted. 

Some investors pointed out that the project had previously been audited and no severe security issues were identified, prompting a renewed round of criticism about the efficacy of audits.

Ironically, according to screenshots prospective investors had asked the team about the possibility of a rugpull in official channels; the team responded jokingly by saying that it would be impossible, as a turtle’s arms are too short. 

“Chasing funds back”

Despite the loss, there may be hope for jilted TurtleDex investors. 

Shortly after the Meerkat Finance rugpull — one of the largest-ever DeFi scams at $31 million — a developer for the project announced that the scam was an “experiment,” and that all funds would be returned to users.

The flimsy “experiment” backing and abrupt about-face prompted some speculation that Binance may have stepped in to mitigate the effects of the scam. BSC is a semi-closed system, with Binance controlling on-and-offramps to the ecosystem; rugpulled funds have few ways to exit BSC without passing Binance’s centralized control.

Binance CEO Changpeng Zhao — better known as CZ — noted on Twitter earlier in the week that the exchange had helped in “chasing funds back” when other rugpulled projects attempted to sell funds via Binance.
