Cryptospace Spotlight #32 (7 Aug 2022)
Nomad was raided for ~$190M due to a logic error in new code, over 9,000 Solana wallets collectively lost ~$4M due to a gap in a hot wallet implementation, and ZB Exchange's hot wallet was compromised!
Technology and Industry
Ethereum co-founder Vitalik Buterin says that centralized stablecoins such as Tether (USDT) and USD Coin (USDC) could become “a significant decider in future contentious hard forks.” [more]
However, Buterin stated he “had not seen any indication” that such a contention would be an issue in Ethereum's upcoming Merge, noting that the centralized stablecoin issue is more of a concern for future hard forks.
Ethereum developers discussed and addressed a potential glitch in MEV-boost ahead of the Merge. The chance of an MEV-boost failure is slim, and the contingencies proposed should ensure that the Merge still happens smoothly. [more]
MEV-boost is an important component of “maximal extractable value” (MEV) for Ethereum. MEV refers to the income that miners (under PoW) and block builders and validators (under PoS) receive as a result of inserting or reordering transactions within a block.
MEV-boost, which is designed to avoid MEV centralization, is a middleware component that allows validators to request blocks from a network of builders.
If there is a malfunction in MEV-boost, it will disrupt the entire PoS blockchain. A glitch with a relay operator could fail to release a block at the right moment, and a series of blocks from validators running MEV-boost would then be missed.
The tie-up will let developers use Alchemy's so-called Supernode, a crypto API for Ethereum, Polygon, Arbitrum, and the recently added Solana, making it easier to create decentralized applications (dApps).
The Uniswap Foundation proposal calls for the entity to be given a $74 million budget to cover the first three years of its operations, and 2.5 million UNI tokens for the Foundation to participate in governance votes. [more]
Tiffany creates physical CryptoPunks “NFTiff” pendants for its NFT holders. [more]
Gucci added ApeCoin to its existing list of accepted digital assets for payment. Currently, it accepts Bitcoin (BTC), Bitcoin Cash (BCH), Ether (ETH), Wrapped Bitcoin (WBTC), Litecoin (LTC), Shiba Inu (SHIB), Dogecoin (DOGE), and five U.S. dollar stablecoins. [more]
Coinbase and BlackRock announced a new partnership to allow BlackRock clients to trade and manage crypto in-house. [more]
MicroStrategy’s Saylor steps down as CEO and assumes the executive chairman role to focus on Bitcoin. [more]
Revolut has launched a cryptocurrency service in Singapore. [more]
Policy and Regulatory
United States -
A new Senate bill clarifies that the SEC should only oversee securities. It also clarifies that bitcoin and ether are classified as commodities, as opposed to securities, which are under the purview of the Securities and Exchange Commission (SEC). The bill also introduces new categories of registration including “digital commodity broker,” “digital commodity custodian,” “digital commodity dealer” and “digital commodity trading facility.” [more]
In the newly released draft of the 2022 individual income tax return, the IRS clarified that “receiving” cryptocurrency includes digital assets earned through “rewards, awards or compensation”. [more]
Japan - Japanese cryptoasset-related firms have urged the government to make tax reforms. They are claiming that the current system is out of sync with tax rules in other countries. [more]
India - India’s chief economic enforcement agency, the Enforcement Directorate (ED), announced that they have frozen $8.14 million (64.67 Crore rupees) in assets from Binance-owned crypto exchange WazirX. [more]
Thailand - Thailand’s financial regulator, the Securities and Exchange Commission (SEC), has approved four more crypto companies in the Kingdom. These include Krungthai XSpring, a crypto broker affiliated with one of the country’s leading banks; crypto exchange T-BOX Thailand; crypto adviser and fund manager Coindee; and Leif Capital Asset Management, which also manages funds. The four firms have yet to commence operations, however, as the regulator still needs to inspect their operations. [more]
The Bank of Thailand will pilot a retail CBDC by the end of 2022. The retail CBDC will be tested in a limited retail environment with 10,000 participants and three major banks. [more]
Security and Risk
1 Aug - Token bridge Nomad has suffered a loss of more than $190 million in cryptocurrency after attackers (and opportunists) raided it. This was due to a logic error in new code pushed out in a routine upgrade. [more][more-analysis]
Nomad’s developers had accidentally pushed a routine upgrade which told the protocol to process any transaction carrying the default root hash of “0x00”, whereas normally a unique and specific root is required as proof that the transaction is valid.
This meant Nomad would effectively approve any transaction submitted to the protocol. After an attacker noticed this and initiated large illicit transfers, other users simply copy-pasted the attacker's transaction and replaced the receiver address with their own.
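The failure mode described above, reduced to a small model (added here as an illustration; this is not Nomad's code, and `Replica`, `prove`, `process` and the sample messages are constructed names and inputs). It shows why treating the zero value of an unset storage slot as a "confirmed" root lets unproven messages through, and how a hardened check rejects it:

```python
"""Toy cross-chain message replica. Dict lookups emulate EVM storage, where
an unset key reads back as zero. Merkle-proof verification is omitted."""
import hashlib
from collections import defaultdict

ZERO = bytes(32)  # default value of an unset bytes32 slot
REAL_ROOT = hashlib.sha256(b"constructed merkle root").digest()  # sample root


def msg_hash(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


class Replica:
    def __init__(self, committed_root: bytes, reject_zero_root: bool):
        self.confirm_at = defaultdict(int)            # root -> confirmation time
        self.messages = defaultdict(lambda: ZERO)     # msg hash -> proven root
        self.reject_zero_root = reject_zero_root
        # initialize() marks the committed root as confirmed; in the bad upgrade
        # the committed root was the zero value itself.
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO:
            return False  # hardened: the unset-slot value is never "proven"
        return self.confirm_at[root] != 0

    def prove(self, message: bytes, root: bytes) -> bool:
        # A real replica verifies a Merkle proof against `root` here.
        if not self.acceptable_root(root):
            return False
        self.messages[msg_hash(message)] = root
        return True

    def process(self, message: bytes) -> bool:
        # An unproven message reads back as ZERO from self.messages; if ZERO is
        # an acceptable root, processing succeeds without any proof at all.
        if not self.acceptable_root(self.messages[msg_hash(message)]):
            return False
        self.messages[msg_hash(message)] = b"\xff" * 32  # mark processed
        return True


def vulnerable_replica() -> Replica:
    return Replica(committed_root=ZERO, reject_zero_root=False)


def hardened_replica() -> Replica:
    return Replica(committed_root=REAL_ROOT, reject_zero_root=True)
```

In the vulnerable configuration, `process()` accepts a message that was never proven; the hardened one only processes messages proven under a non-zero, confirmed root.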
Blockchain security firm PeckShield reported that around 41 addresses had raided Nomad, taking a mixture of Wrapped Bitcoin and Wrapped Ether alongside the stablecoins DAI and USDC. Notably, the same address associated with the Rari Capital hack in late April was said to have pilfered $3.4 million in cryptocurrency. Less than $12,000 remains in Nomad’s smart contracts, down from more than $190 million before the raid, per DeFi Llama.
This incident is the third-biggest cryptocurrency hack this year after the Solana-to-Ethereum Wormhole bridge and the Axie Infinity Ronin bridge exploits, which lost $325 million and $625 million, respectively, valued at the time of the exploits.
Nomad has recovered approximately $19 million worth of cryptocurrency after appealing to “white hat hackers and ethical researcher friends who have been safeguarding ETH/ERC-20 tokens” to return the lost digital assets. [more]
2 Aug - The Solana network saw over $4 million stolen from over 9,000 unique wallets. Preliminary findings indicate that it is related to a security weakness in Slope wallet, a Solana hot wallet application. [more][more-Sol-update][more-hack-data]
Solana’s core team and founder noted that engineers from across several ecosystems, in conjunction with audit and security firms, continue to investigate the root cause of the attack, and the team believed that the core code remains sound.
The community suggested there are weaknesses in browser/mobile based “hot wallet” applications and recommended that users start moving their digital assets to hardware-based “cold” wallets.
After investigation, Solana shared its preliminary finding that the affected addresses were at one point created, imported, or used in Slope mobile wallet applications. [more]
Slope’s team also released a statement noting that they are still investigating this matter and will publish a full postmortem. It recommends that its users create a new wallet with a brand new seed phrase and transfer funds to it. Hardware wallets have been unaffected by the hack and are also recommended for keeping assets secure amid the potentially still ongoing exploit situation.
2 Aug - ZB Exchange’s wallet was suspected to be compromised, losing approximately $4.3 million. It has suspended its services, citing a sudden failure of its core applications. [more][more-ZB][more-analysis]
ZB Exchange announced that they have “temporarily suspended Deposit and Withdrawal services” due to “sudden failure of some core applications”, and “will provide an update once completed”. However, they did not provide a further update after the announcement on 2 Aug.
Security researcher chuchuprotocol.eth noted that the exchange’s hot wallet may have been hacked for around 2224 ETH. The stolen tokens were transferred to the hacker's wallet and sold on a DEX.
Reaper Farm, a yield aggregator on the Fantom network, had its multi-strategy vault hacked.
The smart contract had a flaw that allowed the hacker to withdraw anybody’s assets to their own account, because the verification of the withdrawing account had not been set up properly. The funds were promptly transferred out of the Fantom ecosystem and are now in Tornado Cash.
Reaper Farm attributed the failure to identify the vulnerability in time to its move to a new smart contract standard, skipping third-party auditing before moving to production, and not expanding its bug bounty program to cover the new contract.
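The class of flaw described for Reaper Farm's vault, as an added illustration (not Reaper Farm's code): a `withdraw(assets, receiver, owner)` entry point in the ERC-4626 style, which is an assumption about the interface, burns `owner`'s shares and pays `receiver`, but only the hardened variant verifies that the caller is the owner. `sender` stands in for `msg.sender`; all addresses and balances are constructed.

```python
class Vault:
    """Minimal share-based vault. Asset transfers are modelled as a dict."""

    def __init__(self, check_owner: bool):
        self.check_owner = check_owner
        self.shares = {}    # address -> vault shares
        self.assets = {}    # address -> underlying assets paid out (constructed)

    def deposit(self, sender: str, amount: int) -> None:
        self.shares[sender] = self.shares.get(sender, 0) + amount

    def withdraw(self, sender: str, assets: int, receiver: str, owner: str) -> int:
        # The vulnerable form skips this check, so anyone can name any `owner`
        # and direct that owner's assets to a `receiver` of their choosing.
        if self.check_owner and sender != owner:
            raise PermissionError("caller is not the share owner")
        if self.shares.get(owner, 0) < assets:
            raise ValueError("insufficient shares")
        self.shares[owner] -= assets
        self.assets[receiver] = self.assets.get(receiver, 0) + assets
        return assets


def vulnerable_withdraw_by_stranger() -> int:
    # A depositor's funds are drained by an unrelated caller.
    v = Vault(check_owner=False)
    v.deposit("alice", 100)
    v.withdraw(sender="mallory", assets=100, receiver="mallory", owner="alice")
    return v.assets.get("mallory", 0)


def hardened_withdraw_by_stranger() -> bool:
    # Same call against the hardened vault is rejected; returns True if blocked.
    v = Vault(check_owner=True)
    v.deposit("alice", 100)
    try:
        v.withdraw(sender="mallory", assets=100, receiver="mallory", owner="alice")
    except PermissionError:
        return True
    return False
```

A production implementation would additionally support allowances so a third party may withdraw on the owner's behalf, but only after the owner has explicitly approved it.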