Cryptospace Spotlight 2022 #14 (3 Apr 2022)
Ronin Finance suffers the largest DeFi exploit yet at over $600M, the EU tightens controls over crypto wallet holders, and the metaverse is said to be worth as much as $10T by 2030!
Technology and Industry
Bitcoin hits the 19 million mined milestone, leaving the last 2 million bitcoin still to be mined [more]
MetaMask rolls out Apple Pay integration and other iOS updates. MetaMask is adding integrations with payment gateways on its mobile wallet to increase options for buying crypto. [more]
Kraken has implemented Lightning Network - a scalability solution, or layer-2, built on top of the Bitcoin blockchain that allows users to quickly send and receive BTC. [more]
According to the company, the network can execute millions of transactions per second, compared to Visa’s processing of about 65,000 transactions per second.
Citi report values metaverse at $10 trillion plus by 2030 [more]
Europe - European Union lawmakers voted today in favor of controversial measures to outlaw anonymous crypto transactions, a move the industry said would stifle innovation and invade privacy. [more][more-EU]
India - India’s tax on cryptocurrencies came into effect Thursday, placing the burden on businesses and individual investors to hand over a 30% cut of the profits they make. [more]
In addition to the capital gains tax, India’s citizens will also be forced to pay a 1% tax deducted at source (TDS) — set to take effect on July 1.
United States - Sen. Elizabeth Warren said that it's time for the U.S. to create its own central bank digital currency (CBDC) [more]. On the other hand, Sen. Ted Cruz introduced companion legislation into the United States Senate for Minnesota Representative Tom Emmer’s bill that prohibits the Federal Reserve from issuing central bank digital currency, or CBDC, directly to individuals. [more]
Japan - The Bank of Japan has warned G7 nations that a common regulatory framework for cryptocurrencies needs to be introduced quickly, amid concerns that digital assets could be used to skirt sanctions. [more]
Japan’s government is attempting to push through a revision of the country’s Foreign Exchange Act as it seeks to clamp down on crypto’s use as a means to evade sanctions imposed on Russia. [more]
Vietnam - The Deputy Prime Minister has tasked the country’s Ministry of Finance with spearheading research into a legal framework governing digital assets. [more]
Axie Infinity’s Ronin Network suffered a USD 625 million exploit on 29 Mar, losing 173,600 Ethereum (ETH) and 25.5M USDC. This is one of the largest (if not the largest) exploits in DeFi history. [more] [more-Ronin-update] [more-Elliptic][Ronin-exploiter-walletaddr]
Sky Mavis’s Ronin validator nodes and the Axie DAO validator node were compromised, resulting in 173,600 ETH and 25.5M USDC being drained from the Ronin bridge in two transactions (1 and 2). The attacker used the stolen private keys to forge fake withdrawals.
Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO.
The validator key scheme is set up to be decentralized so that it limits an attack vector, similar to this one, but the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator. The signatures in the malicious withdrawals match up with the five suspected validators.
Tentative root cause: This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.
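As an added illustration (not from the newsletter, Sky Mavis or Axie DAO), the following Python check models the 5-of-9 threshold described above and asks the question the stale allowlist raises: once delegations are counted, can any single operator reach the withdrawal threshold on its own? The validator labels, operator names and the delegation record are assumptions constructed for the example.

```python
from collections import defaultdict

THRESHOLD = 5  # signatures needed to recognise a withdrawal (five of nine)

# Constructed model of the validator set described above. The operator labels
# are assumptions for illustration, not Ronin's actual configuration.
VALIDATORS = {
    "ronin-1": "sky_mavis", "ronin-2": "sky_mavis", "ronin-3": "sky_mavis",
    "ronin-4": "sky_mavis", "axie-dao": "axie_dao",
    "ext-1": "operator_a", "ext-2": "operator_b",
    "ext-3": "operator_c", "ext-4": "operator_d",
}

# Allowlist: validator -> operators permitted to obtain its signature.
# Models the November 2021 free-transaction arrangement that was never revoked.
DELEGATIONS = {"axie-dao": {"sky_mavis"}}


def effective_control(validators, delegations):
    """Map each operator to the validator signatures it can produce, either
    with its own keys or through an allowlist entry granted to it."""
    control = defaultdict(set)
    for validator, operator in validators.items():
        control[operator].add(validator)
        for delegate in delegations.get(validator, set()):
            control[delegate].add(validator)
    return dict(control)


def single_party_risk(validators, delegations, threshold=THRESHOLD):
    """Return operators whose reachable signatures alone meet the threshold.
    A non-empty result means compromising one party suffices to forge withdrawals."""
    control = effective_control(validators, delegations)
    return {op: sorted(v) for op, v in control.items() if len(v) >= threshold}


def revoke(delegations, validator, delegate):
    """Access hygiene: drop one allowlist entry and return the cleaned map."""
    updated = {v: set(d) for v, d in delegations.items()}
    updated.get(validator, set()).discard(delegate)
    return {v: d for v, d in updated.items() if d}


if __name__ == "__main__":
    print("before revocation:", single_party_risk(VALIDATORS, DELEGATIONS))
    cleaned = revoke(DELEGATIONS, "axie-dao", "sky_mavis")
    print("after revocation: ", single_party_risk(VALIDATORS, cleaned))
```

Running a check like this against a bridge's real validator and allowlist records after every access change would have flagged that one operator's keys, plus the unrevoked delegation, reached the threshold.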
Elliptic noted that around $16 million in ETH has been laundered. This leaves $524 million in various Ethereum accounts, which appear to belong to the attacker.
Ola’s DeFi protocol operates across several blockchains, and Thursday’s attack targeted its deployment on the Fuse network, an Ethereum Virtual Machine-compatible blockchain, through Voltage Finance.
Ola's services on the Fuse network were exploited for 216,964.18 USDC, 507,216.68 BUSD, 200,000.00 fUSD, 550.45 wrapped ether, 26.25 wrapped bitcoin and 1,240,000.00 FUSE. All of that is worth over $4.67 million at current prices.
The attack occurred via a re-entrancy vulnerability in the ERC677 token standard.
In the first heist transaction, the attacker took a 515 WETH flash loan from the WETH-WBTC pair on Voltage Finance to fund the attack. In later transactions, the attacker avoided a flash loan by using the funds that had already been stolen, the post-mortem report confirmed. Voltage is a decentralized trading protocol that allows for the automated trading of DeFi tokens on the Fuse network.
Attackers were able to trick Voltage’s smart contracts into transferring wrapped assets from Voltage to the hacker’s address (0xbcdb800d77ccaac6597830b026d6af78a1118f42).
Revest indicated that it is a “highly sophisticated attack on a vulnerability that went unnoticed during our Solidity.Finance audit as well as the multiple peer-reviews to which we subjected our code”
A security firm noted that the hack was made possible due to “missed reentrancy protection for the key functions of Revest.”
Revest’s CEO said Revest will not be able to recover the funds from the hackers and does not have the money to cover the losses suffered by victims using its platform.
An unknown hacker gained access to the official Discord meant to host members of Bored Ape Yacht Club, Mutant Ape Yacht Club and Mutant Ape Kennel Club, three NFT collections from Yuga Labs on 1 Apr. [more]
The hacker successfully posted a phishing link in the Mutant Ape Kennel Club channel. It has been reported the hacker may have carried out the attack via Ticket Tool, a popular Discord bot that automatically generates support tickets.
The Yuga Labs team cautioned users not to mint any NFT using a link posted on its Discord; other Discords are also being attacked.
The lost funds were denominated in ETH, WBTC and DAI. Further blockchain data indicates that some of the exploited ETH holdings were sent to Tornado Cash, a popular transaction mixer on the Ethereum network, within the hour of the exploit's occurrence.
The exploit was facilitated by the attacker manipulating the price of INV, the governance token for Inverse Finance. This was accomplished by conducting a swap on SushiSwap worth 500 ETH.
This is a developing story.