Cryptospace Spotlight 2022 #29 (17 Jul 2022)
BIFROST's BiFi lost 1,852 ETH after its server key was compromised, NFT platform Omni lost 1,300 ETH through a reentrancy attack, and Terra's plot thickens!
Technology and Industry
Tencent has reportedly shut down one of its two nonfungible token (NFT) platforms, citing declining sales amid the Chinese government's restrictive policies. [more]
A survey conducted by the Federal Reserve Board of the United States suggested that 56% of major banks did not consider crypto-related products and services a priority in the near future. [more]
The Walt Disney Company announced the six companies that will be joining the 2022 Disney Accelerator. This year's focus is on building the future of immersive experiences, with technologies such as augmented reality (AR), non-fungible tokens (NFTs) and artificial intelligence (AI) characters. [more]
Circle released an unaudited report on its USDC stablecoin indicating that it is now fully backed by cash and US treasuries. [more]
Mastercard has partnered with Middle Eastern global digital asset gateway, Fasset, to expand its financial services to Indonesia. The collaboration between Mastercard and Fasset aims to use the digital asset market in furtherance of financial inclusion goals. [more]
Terra’s plot thickens - The ongoing inquiry into Terra’s crash has reportedly taken a new turn as authorities have connected a new crypto entity called “Flexe” to Terra and Do Kwon. [more]
Kwon Do-hyung, also known as Do Kwon, the CEO of Terraform Labs, is the lone internal director of FLEXE Corporation, according to KBS. The so-called company reportedly only exists on paper.
Authorities claim to have tracked cash movements that originated in Terra’s Singapore base and totaled 6 billion Korean won (about $4.5 million) and 12 billion won (about $9 million). The funds then traveled to Terra’s office in the British Virgin Islands before reaching FLEXE in South Korea and other Terra affiliates.
Three Arrows Capital's liquidators have moved to secure the company's assets in Singapore through law firm WongPartnership LLP. If Singapore's High Court approves the liquidators' requests, more of Three Arrows Capital's assets may be sold off to repay creditors. [more]
Celsius bankruptcy documents claim $1.2 billion balance sheet gap. [more]
OKY received provisional virtual assets license from the Dubai Virtual Assets Regulatory Authority (VARA). [more]
Europe - The European Central Bank (ECB) called on policymakers and member states to pass the Markets in Crypto-Assets (MiCA) law, Europe's first attempt at comprehensive cryptocurrency regulation, which was agreed in late June. The law needs "to be implemented urgently," the ECB said in its report on stablecoins. [more]
MiCA will require stablecoin issuers to maintain ample reserves and regularly update their disclosure documents. Stablecoins, which rely on either reserves or algorithms to hold their value, pose a specific threat to financial stability because of their contagion risk, and they have become an increasingly important part of the crypto industry, the ECB said.
The ECB also published a report titled "Mining the environment — is climate risk priced into crypto-assets?" on July 12. The report reinforces the environmental argument in the battle of consensus protocols: proof-of-work (PoW) represents a threat to the planet, while proof-of-stake (PoS) is the only sustainable option, its authors argue. [more]
Russia - Russia bans security tokens, utility tokens and NFTs as forms of payment. [more]
International - The International Organization of Securities Commissions (IOSCO) and the Bank for International Settlements’ Committee on Payments and Market Infrastructures (CPMI) issued final guidance on stablecoin practices. [more]
The guidance states that a stablecoin arrangement used to transfer funds and deemed "systemically important" must comply with the Principles for Financial Market Infrastructures (PFMI), the international standards developed after the global financial crisis that payment systems, central securities depositories, securities settlement systems, central counterparties and trade repositories already have to follow.
Security and Risk
Omni, an NFT lending platform, was drained through a reentrancy vulnerability in its collateral-withdrawal flow. The attacker deposited NFTs from the Doodles collection and used them as collateral to borrow wrapped ETH (WETH).
The attacker then withdrew all but one of the NFTs deposited as collateral. The withdrawal triggered the token-receive callback on the attacker's contract, which re-entered the protocol before the withdrawal had been fully accounted for: inside the callback, the attacker used the borrowed funds to buy even more Doodles before liquidating the loan position.
The attacker then deposited the newly bought Doodles as collateral and borrowed more WETH against them. Omni, however, did not recognize this new debt position, so the attacker could withdraw the NFTs without repaying the loan.
The attack drained more than 1,300 WETH (about $1.4 million) from the protocol.
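The bug class behind the Omni attack, as an added example that is not Omni's code or a reconstruction of its contracts: a minimal Python model of an NFT-collateral lending pool whose withdraw function hands the token back and runs the receiver's transfer hook (the way an ERC-721 safe transfer calls onERC721Received) before it updates its own collateral accounting, next to the same pool with a reentrancy guard and checks-effects-interactions ordering. The class and method names (VulnerablePool, HardenedPool, AttackerContract, on_nft_received), the NFT price, the loan-to-value ratio and the pool liquidity are all constructed for the demo.

```python
"""NFT-collateral lending pool with a reentrant withdraw, and a hardened version.

Added example, not Omni's code: a generic model of the bug class behind the
attack above. Withdrawal hands the NFT back and runs the receiver's transfer
hook (as an ERC-721 safe transfer does via onERC721Received) BEFORE the pool
updates its accounting, so the hook can borrow against collateral that is
already leaving. Names and numbers are constructed for the demo.
"""
NFT_PRICE, LTV_PERCENT = 10, 50   # constructed: 10 WETH per NFT, 50% loan-to-value


class Position:
    def __init__(self):
        self.nfts, self.debt = set(), 0   # NFT ids counted as collateral; WETH owed


class VulnerablePool:
    """withdraw(): check, then external call, then state update (wrong order)."""
    def __init__(self, liquidity):
        self.weth, self.positions = liquidity, {}

    def position(self, who):
        return self.positions.setdefault(id(who), Position())

    def borrow_limit(self, who):
        return len(self.position(who).nfts) * NFT_PRICE * LTV_PERCENT // 100

    def deposit(self, who, nft_id):
        who.wallet.remove(nft_id)
        self.position(who).nfts.add(nft_id)

    def borrow(self, who, amount):
        pos = self.position(who)
        if pos.debt + amount > self.borrow_limit(who):
            raise ValueError("insufficient collateral")
        pos.debt += amount
        self.weth -= amount
        who.weth += amount

    def _transfer_out(self, who, nft_id):
        who.wallet.add(nft_id)
        who.on_nft_received(self, nft_id)   # receiver hook: the re-entry point

    def withdraw(self, who, nft_id):
        pos = self.position(who)
        if nft_id not in pos.nfts: raise ValueError("not collateral")
        if pos.debt > (len(pos.nfts) - 1) * NFT_PRICE * LTV_PERCENT // 100:
            raise ValueError("withdrawal would undercollateralise the loan")
        self._transfer_out(who, nft_id)     # interaction first ...
        pos.nfts.remove(nft_id)             # ... effect last: too late


class HardenedPool(VulnerablePool):
    """Reentrancy guard plus checks-effects-interactions order (a real
    contract guards every state-changing entry point, borrow included)."""
    _entered = False

    def withdraw(self, who, nft_id):
        if self._entered: raise RuntimeError("reentrant call rejected")
        self._entered = True
        try:
            pos = self.position(who)
            if nft_id not in pos.nfts: raise ValueError("not collateral")
            if pos.debt > (len(pos.nfts) - 1) * NFT_PRICE * LTV_PERCENT // 100:
                raise ValueError("withdrawal would undercollateralise the loan")
            pos.nfts.remove(nft_id)         # effect before ...
            self._transfer_out(who, nft_id) # ... interaction
        finally:
            self._entered = False


class AttackerContract:
    """Re-enters withdraw from the hook until every NFT is out, then borrows
    while the pool still counts all of them as collateral."""
    def __init__(self, nft_ids):
        self.wallet, self.weth, self._pending = set(nft_ids), 0, []

    def run(self, pool):
        for nft_id in sorted(self.wallet):
            pool.deposit(self, nft_id)
        self._pending = sorted(pool.position(self).nfts)
        pool.withdraw(self, self._pending.pop())

    def on_nft_received(self, pool, nft_id):
        if self._pending:
            pool.withdraw(self, self._pending.pop())
        else:
            pool.borrow(self, pool.borrow_limit(self))


def run_reentrancy_attack(pool_cls):
    """Attack a fresh pool; return final balances, or the rejecting error."""
    pool, attacker = pool_cls(liquidity=100), AttackerContract({1, 2})
    try:
        attacker.run(pool)
    except (RuntimeError, ValueError) as err:
        return {"ok": False, "error": str(err)}
    pos = pool.position(attacker)
    return {"ok": True, "attacker_weth": attacker.weth, "pool_weth": pool.weth,
            "attacker_nfts": sorted(attacker.wallet),
            "unbacked_debt": pos.debt if not pos.nfts else 0}
```

Against VulnerablePool the attacker ends up holding both NFTs plus 10 WETH while the pool books 10 WETH of debt against no collateral at all; against HardenedPool the nested withdraw is rejected (on-chain, that revert would also unwind the first transfer). Checks-effects-interactions alone already defeats this variant, because the innermost borrow then sees zero collateral; the guard is the belt-and-braces that also covers paths the developer did not think of.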
10 Jul - BIFROST officially released a report stating that the BTC address registration server of its BiFi service was attacked. As a result, the attacker was able to borrow 1,852 ETH against a fake deposit. [more]
According to the analysis, the attack was limited to the BTC address registration server; no vulnerability was found in either the smart contracts or the BiFi protocol itself.
BiFi issues a dedicated BTC deposit address to each user who deposits BTC. The address-issuing server signs each address it issues, and BiFi only treats an address as a deposit address once that signature verifies.
In the attack, the address-issuing server's signing key was exposed, so the attacker could sign a deposit address of their own choosing. Since that signature verified, BiFi recognized the attacker's transfer of BTC to their own address as a deposit into BiFi, which the attacker then borrowed against.
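The registration flow described above, and the check a practitioner would want beside it, as an added Python model that is not BiFi's code: a registry that credits BTC deposits to whichever address carries a valid server signature, next to a version that additionally recomputes the address from the service's own custody wallet so that a leaked signing key alone cannot get a foreign address accepted. HMAC-SHA256 stands in for the real signature scheme and for BIP32-style address derivation, and the keys (SERVER_SIGNING_KEY, CUSTODY_ROOT), users and addresses are constructed.

```python
"""Deposit-address registration that trusts a server signature alone, beside a
version that also checks the address belongs to the service's custody wallet.

Added example, not BiFi's code. It reproduces the failure described above (a
leaked signing key lets anyone register a self-chosen address as a "deposit
address" and get credited for BTC that never reached the service) and one
check that contains it. HMAC-SHA256 stands in for the real signature scheme
and for BIP32-style address derivation; keys, users and addresses are
constructed.
"""
import hashlib
import hmac

SERVER_SIGNING_KEY = b"address-server-signing-key"   # constructed: the key that leaked
CUSTODY_ROOT = b"custody-wallet-root"                # constructed: stands in for the custody xpub
MALLORY_ADDRESS = "bc1q" + "ab" * 19                 # constructed: a wallet the attacker controls


def derive_custody_address(user_id, index):
    """Deposit address #index for a user, derived from the custody wallet.
    Only the service holds the spending keys for addresses derived this way."""
    tag = hmac.new(CUSTODY_ROOT, f"{user_id}/{index}".encode(), hashlib.sha256).hexdigest()
    return "bc1q" + tag[:38]


def sign_registration(signing_key, user_id, address):
    return hmac.new(signing_key, f"{user_id}|{address}".encode(), hashlib.sha256).hexdigest()


class DepositRegistry:
    """Maps users to the BTC addresses whose incoming transfers get credited."""

    def __init__(self, check_derivation):
        self.check_derivation = check_derivation
        self.addresses = {}   # user_id -> address
        self.balances = {}    # user_id -> satoshis credited in the service

    def register(self, user_id, address, index, signature):
        expected = sign_registration(SERVER_SIGNING_KEY, user_id, address)
        if not hmac.compare_digest(expected, signature):
            raise ValueError("bad signature")
        # Hardened path: a valid signature proves the signer approved the
        # address, not that the service can spend from it. Recompute the
        # address from the custody wallet instead of trusting the message.
        if self.check_derivation and address != derive_custody_address(user_id, index):
            raise ValueError("address not derived from custody wallet")
        self.addresses[user_id] = address

    def on_btc_transfer(self, to_address, sats):
        """Chain watcher: credit whichever user registered to_address."""
        for user_id, addr in self.addresses.items():
            if addr == to_address:
                self.balances[user_id] = self.balances.get(user_id, 0) + sats
                return user_id
        return None


def run_registration_attack(check_derivation):
    """Honest registration, then one signed with the leaked key for an attacker-controlled address."""
    reg = DepositRegistry(check_derivation)
    alice_addr = derive_custody_address("alice", 0)   # issued by the address server
    reg.register("alice", alice_addr, 0, sign_registration(SERVER_SIGNING_KEY, "alice", alice_addr))
    reg.on_btc_transfer(alice_addr, 50_000)           # BTC really lands in custody
    forged = sign_registration(SERVER_SIGNING_KEY, "mallory", MALLORY_ADDRESS)
    try:
        reg.register("mallory", MALLORY_ADDRESS, 0, forged)
    except ValueError as err:
        return {"accepted": False, "error": str(err), "mallory_credited": 0,
                "alice_credited": reg.balances["alice"]}
    # The attacker pays their own wallet; the service books it as a deposit
    # it never received, and that balance can now be borrowed against.
    reg.on_btc_transfer(MALLORY_ADDRESS, 100_000)
    return {"accepted": True, "mallory_credited": reg.balances["mallory"],
            "alice_credited": reg.balances["alice"]}
```

With a real custody wallet the second check costs nothing extra: deposit addresses derived from the custody xpub can be recomputed by the verifier without any private key, so the registration server's signing key and the spending keys stay separate and a leak of the former no longer turns into fake deposits. The signing key itself still belongs in an HSM or KMS with rotation and an audit trail of every address it signs.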
Ronin hack update - Infiltration. A senior engineer at Axie Infinity was duped into applying for a job at a company that, in reality, did not exist.
Earlier this year, staff at Axie Infinity developer Sky Mavis were approached by people purporting to represent the fake company and encouraged to apply for jobs advertised through the professional networking site LinkedIn.
After multiple rounds of interviews, a Sky Mavis engineer was offered a job with an extremely generous compensation package.
The fake “offer” was delivered in the form of a PDF document, which the engineer downloaded — allowing spyware to infiltrate Ronin’s systems. From there, hackers were able to attack and take over four out of nine validators on the Ronin network — leaving them just one validator short of total control.