Cryptospace Spotlight 2022 #17 (24 Apr 2022)
Beanstalk exploited for over $180M, IMF is encouraging global policymakers to address crypto related concerns, and Ethereum-based infrastructure service Infura suffers outage affecting MetaMask users!
Technology and Industry
Ethereum co-founder Vitalik Buterin claims his influence over Ethereum “keeps decreasing,” and says he has less influence today than he had six months ago. [more]
“If you watch some of the [Ethereum Improvement Proposals – EIPs] that I personally promote, some of them don’t even make it. So for a lot of them you have to try pretty hard to satisfy all people’s concerns,” the Ethereum co-founder said.
He added that the process of making things happen on Ethereum is “definitely more vetocratic” than it was three years ago, and “definitely much more than it was six years ago, when we could get a change accepted and it would get included very quickly.”
Bitcoin core latest update includes native compatibility for Apple Silicon (M1 family) chips [more]
Payments giant Stripe and Twitter are testing out stablecoin payout option to selected users of Twitter. [more]
Widely used infrastructure service Infura is suffering an outage, which is impacting an array of apps and services built on Ethereum. Those impacted include the popular wallet MetaMask, Ethereum APIs, scaling solutions such as Polygon, Optimism, and Arbitrum, and also Filecoin and the NFT protocol Palm. [more]
Ethereum isn’t down.
Binance's CEO tweeted that the company has recovered $5.8 million of the funds stolen from Axie Infinity, which had moved through 86 Binance accounts. [more]
Monero hits a five-month high as holders mobilise a "bank run" on crypto exchanges. [more]
International Monetary Fund - IMF is encouraging global policymakers to develop standards for crypto in response to growing concerns highlighted by the war in Ukraine. [more]
In its Global Financial Stability Report published Tuesday, the IMF directly addressed crypto's potential use in sanctions evasion by Russia and its potential to threaten the stability of existing financial systems through the changing banking landscape.
The global financial system has seen increasing "cryptoization" amid the war in Ukraine and the COVID-19 pandemic, and Russia could marshal its vast energy resources to power crypto mining and generate revenue.
United Kingdom - The Bank of England’s regulatory arm, the Prudential Regulation Authority (PRA), has raised its budget by $31.6 million to hire 100 extra staff and keep track of new risks, including those linked to crypto assets. [more]
Detailing its business plan for the coming year, the PRA says it will oversee the risks arising from firms’ exposure to, or increased levels of business with, cryptocurrencies.
Ukraine - Ukrainians are allowed to buy cryptocurrencies only with foreign currency, with total monthly purchases limited to 100,000 UAH ($3,300). The same limit also applies to international peer-to-peer transactions.
France - In an interview, the sitting French president Emmanuel Macron stated that he does not “believe in a self-regulated financial sector. This would be neither sustainable nor democratic. It is up to the public authorities to define the right conditions to allow the sector to develop in confidence while encouraging innovation.” [more]
Crypto exchanges - Binance announced that it will restrict services to Russian users holding more than €10,000 in their Binance accounts, following the EU’s latest sanctions package [more]. In other news, Binance refuted a Reuters report claiming that it had agreed to provide Russian law enforcement with user data back in April 2021. According to Reuters, Russian intelligence was trying to track Bitcoin sent to opposition leader Alexei Navalny. [more]
Security and Risk
17 Apr - Beanstalk Farms, an Ethereum-based stablecoin protocol, was exploited for $182 million (24,830 ether and 36 million BEAN tokens) through a flash loan attack. [more][more-2][more-security-analysis][more-Omnicia-postmortem]
The attacker took out a flash loan on lending platform Aave, which was used to amass a large amount of Beanstalk’s native governance token, stalk. With the voting power granted by these stalk tokens, the attacker was able to quickly pass a malicious governance proposal that drained all protocol funds into a private Ethereum wallet.
The attacker laundered all stolen funds through Tornado Cash, which enables users to send and receive crypto while obfuscating its source.
The market for Beanstalk’s BEAN stablecoin collapsed as a result of the attack. The token was down 86% from its $1 peg.
Beanstalk’s smart contracts were audited by the blockchain security firm Omnicia. However, the flash loan vulnerability was introduced after the audit was completed, the firm said in its post-mortem.
Omnicia said it will stress to its clients that iterative updates should always be fully audited and communicated to the auditor prior to deployment.
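An added Python model of the governance flow this attack abused (not Beanstalk's or Omnicia's code): a loan, a vote and an execution attempt all within one block, run against no mitigation, a timelock alone, and a pre-proposal balance snapshot combined with a timelock. The holders, balances, block numbers and quorum are constructed assumptions.

```python
# Model of a same-block flash-loan governance takeover and two mitigations. An added
# illustration, not Beanstalk's or Omnicia's code; holders, balances and blocks are constructed.

class Governance:
    def __init__(self, balances, quorum, timelock_blocks, snapshot_votes):
        self.balances = dict(balances)          # holder -> governance tokens
        self.start_of_block = {}                # block -> balances before its first transfer
        self.quorum = quorum                    # fraction of supply needed to pass
        self.timelock_blocks = timelock_blocks  # 0 = execute as soon as it passes
        self.snapshot_votes = snapshot_votes    # weigh votes by pre-proposal balances
        self.proposals = {}

    def transfer(self, block, src, dst, amount):
        self.start_of_block.setdefault(block, dict(self.balances))
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def propose(self, pid, block):
        # Snapshot balances as they stood when this block began, so tokens
        # borrowed and repaid inside the same block never carry voting weight.
        weights = dict(self.start_of_block.get(block, self.balances))
        self.proposals[pid] = {"start": block, "weights": weights, "votes": 0}

    def vote(self, pid, voter):
        p = self.proposals[pid]
        src = p["weights"] if self.snapshot_votes else self.balances
        p["votes"] += src.get(voter, 0)

    def execute(self, pid, block):
        p = self.proposals[pid]
        if p["votes"] < self.quorum * sum(self.balances.values()):
            return "rejected: below quorum"
        if block < p["start"] + self.timelock_blocks:
            return "rejected: timelock"
        return "executed"

def flash_loan_vote(gov, attacker, lender, amount, block):
    # Borrow, propose, vote, attempt execution and repay within one block,
    # then retry one block later once the borrowed tokens are gone.
    gov.transfer(block, lender, attacker, amount)
    gov.propose("drain", block)
    gov.vote("drain", attacker)
    same_block = gov.execute("drain", block)
    gov.transfer(block, attacker, lender, amount)
    return same_block, gov.execute("drain", block + 1)

def run_scenarios():
    holders = {"lender": 900, "honest": 90, "attacker": 10}   # constructed supply of 1000
    configs = {"no mitigation": (0, False), "timelock only": (1, False), "snapshot+timelock": (1, True)}
    return {n: flash_loan_vote(Governance(holders, 2 / 3, t, s), "attacker", "lender", 900, 10) for n, (t, s) in configs.items()}
```

The "timelock only" row is the instructive one: a delay by itself only postpones execution, because the votes were already tallied with borrowed weight; the weight has to come from a balance snapshot taken before the proposal's block.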
20 Apr - The National Basketball Association (NBA) planned to drop 18,000 exclusive NFTs to its fans. However, due to poor coding, anyone could mint these NFTs an unlimited number of times for free. [more][more-2][more-security-analysis][more-security-analysis-2]
The contract also didn’t properly keep track of the number of mints per wallet: “If a contract was made, it could mint the entire collection in one transaction.”
22 Apr - DeFi lending protocol Zeed, which styles itself a “decentralized financial integrated ecosystem”, was exploited for over $1 million through a vulnerability in ZEED’s reward distribution. [more][more-security-analysis][more-security-analysis2]
However, the attacker left over $1,041,237.57 worth of BSC-USD (Binance-Peg) tokens behind in the attack contract and triggered its self-destruct. The successful self-destruction of the contract was confirmed at 7:15 am UTC.
23 Apr - NFT project Aku Dreams saw about $34 million worth of Ethereum (ETH) locked permanently due to a fatal bug in the smart contract. [more][more-security-analysis][more-analysis-2][more-analysis-3]
An analysis by a blockchain security firm showed that there were two key vulnerabilities in the contract. The first is faulty code in refund processing, which has so far not been exploited (although another analysis showed that it was exploited by a “white hat”, who subsequently recovered the funds).
The second is a software bug, specifically in a function that allows the project owner to claim funds locked into the contract.
By design, the contract would first process all refund claims and only then allow the developer to withdraw funds. But due to faulty code, the contract calculates the total refund bids as higher than the amount locked into the contract and, as a result, has frozen withdrawals indefinitely.
Analysis also pointed to the smart contract’s bid count tracker, which does not calculate correctly. This error causes the downstream validation to fail permanently, preventing withdrawal of mint funds.
CISA, the FBI, and the US Treasury Department warned today that the North Korean Lazarus hacking group is targeting organizations in the cryptocurrency and blockchain industries with trojanized cryptocurrency applications. [more]
The attackers use social engineering to trick employees of these organizations into downloading and running malicious Windows and macOS cryptocurrency apps.
MetaMask advises users to disable automatic iCloud backups of its wallet data to prevent hacks. [more]
"If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds," the MetaMask team wrote.