Cryptospace Spotlight 2022 #13 (27 Mar 2022)
USD50 million drained through DeFi attacks, US Treasury Secretary Janet Yellen got warmer towards crypto, and Thailand bans crypto payment!
Technology and Industry
Interlay aims to advance Bitcoin’s DeFi potential with new interoperable bridge [more]
Avalanche announced it will launch its own wallet application, called Core, and add Bitcoin bridging functionality, two initiatives aimed at simplifying the user experience and bringing more assets into the Avalanche ecosystem. [more]
DeFi protocol Teller Finance has unveiled a decentralized and unsecured lending market in Singapore aimed at helping consumers in the country obtain funds for various expenses. [more]
Called SG Loans, the service was developed in partnership with Signum Capital to allow people to obtain personal unsecured loans without the need of a bank or traditional loan provider.
LG Electronics has added blockchain and cryptocurrency to its business portfolio. [more]
ANZ became first bank to mint digital australian dollar. Leveraging its Ethereum Virtual Machine (EVM) compatible smart contract deployed through the Fireblocks platform, ANZ had successfully minted $30 million worth of its bank-backed A$DC stablecoin. [more]
Crypto users in Africa grew by 2,500% in 2021. [more]
Thailand - Thailand’s Security and Exchange Commission (SEC) said that it will ban the use of crypto as a means of payment from April 1. The SEC stressed it is only banning the use of crypto for payments and is not banning crypto trading and digital assets. [more]
Malaysia - Malaysia deputy finance minister said that cryptocurrencies will not become legal tender. This came days after another minister in Malaysia said the country should begin legalizing cryptocurrencies. [more]
Australia - The Australian Government has announced its plan to regulate the crypto industry through Digital Services Act. It is seeking industry feedback on measures that focus on custody, DAOs, taxation, licensing and issues of industry debanking. [more]
South Korea - Two crypto regulatory bodies, the Financial Information Unit (FIU) and the Financial Services Commission (FSC) have told crypto exchanges that they must abide by the FATF’s travel rule - to share and store information on sender and recipients of crypto transactions. However, the FATF’s rule implementation has been fraught with difficulties as the two platforms being used to share this data are not yet interoperable. [more]
United States - US Treasury Secretary Janet Yellen noted that there have been benefits from crypto and recognized that innovation in the payment system can be a healthy thing. However, she still has some skepticism around crypto, despite recognizing its benefits. [more]
United Kingdom -
The UK Advertising Standards Authority (ASA) sent over 50 crypto companies enforcement notices to review their advertisements. It also warned that it will take targeted enforcement action if “problem ads” continue after May 2. [more] [more-ASA]
Cryptocurrency companies could be forced to wind down their business in the UK if they fail to register with the Financial Conduct Authority (FCA) by 31 Mar. [more]
An FCA spokesperson said it has approved just 33 crypto firms' applications so far. More than 80% of the firms it has assessed to date have either withdrawn their applications or been rejected.
The International Organization of Securities (IOSCO) published a report that aims to give a perspective on DeFi and highlight some areas that may be potential areas of concern to regulators. According to the report, DeFi is growing and many of its mechanisms are very similar to traditional financial markets. [more]
The attacker, who made off with more than $1.4 million in USDC stablecoin, configured the contract used for the exploit “to self-destruct at a specific block, making it almost impossible to track what specific functions from our contracts were called in order to steal the funds”.
The hack was made possible due to a flashloan-assisted price manipulation of the LP tokens, this led to a larger number of OShare tokens being moved from the protocol.
Right after contract deployment the hacker borrowed 80 million USDC using Solidly flashloans to increase the price of the underlying LP tokens in the span of a block. This changed One Ring Share token (OShare)’s price and drove a large amount of OShare tokens out of the protocol.
When funds were stolen they were moved from Fantom back to Ethereum and into Tornado Cash. The cleaned out wallet and self-destruct contract have posed challenges to conduct a comprehensive investigation.
The hack took advantage of our pre-bridge swap feature. Our smart contract allows a caller to pass an array of multiple swaps using any address with arbitrary calldata.
The attacker started by passing a legitimate swap of a small amount followed by multiple calls directly to various token contracts. Specifically, they called the `transferFrom` method which allowed the attacker to transfer funds from users’ wallets that had previously given infinite approval to our contract for that specific token.
The attacker was able to extract varying amounts of 10 different tokens from wallets that had given “infinite approval” to the Li Finance protocol. Among the stolen tokens were USD Coin (USDC), Polygon (MATIC), Rocket Pool (RPL), Gnosis (GNO), Tether (USDT), Metaverse Index (MVI), Audius (AUDIO), AAVE (AAVE), Jarvis Reward Token (JRT) and DAI (DAI).
Cashio Dollar is a Solana-native stablecoin (CASH) launched in November 2021. It can be minted by first depositing Saber USDT-USDC liquidity provider (LP) tokens.
An "infinite mint glitch" enabled attackers to mint tokens without providing collateral. Blockchain data shows over 2 billion CASH were minted, without any USDC or USDT backing. Security researcher noted that USD50 million were drained.
The hacker used the newly minted tokens to exchange them for stablecoins on Cashio’s liquidity pools. Data from tracking tool DeFiLlama shows the total value locked on Cashio dropped by USD28 million after the attack.
Founder of the cryptoasset fund DeFiance Capital, Arthur Cheong, had one of his hot wallets compromised through spear-phishing. It has resulted in the loss of over 70 non-fungible tokens (NFTs) worth over USD1.76 million. [more]
A Cardano-based decentralized exchange, Minswap, has revealed that it has completed a maintenance mode which has helped the protocol fix a major vulnerability that could have led to a huge amount of loss for the team. [more]
Minswap revealed that the vulnerability would have allowed a bad actor to “ mint duplicated pool NFT tokens and use those NFT tokens to mint infinite LP tokens of any pool.”
The team used the exploit itself to drain the liquidity into new liquidity pools on a new smart contract.
HubSpot indicated that the attacker compromised a HubSpot employee account to steal data of its customers in the cryptocurrency industry.NYDIG, Pantera Capital, BlockFi, Circle and Swan Bitcoin were among those hit by the data breach. [more]
With the anticipation skyrocketing around Bored Ape Yacht Club’s launch of a new token, an unknown user gamed the system and received more than 60,000 APE tokens. After paying off the flash loan and the fees, they netted $820,000 (almost 300 ETH). [more]