Blockchain Intel Tuesday #10

February 15, 2022 - BlockFi settles with SEC over high-yield accounts. Rugpulls executed against several dog meme theme tokens. Tons of new hacks and scams including a thorough walkthrough of crypto bridges. Read on...

Blockchain News
Notable Hacks and Scams
  • DataDAO Finance, a decentralized NFT base yield farm on Fantom chain, executed a rug pull where the contract has a backdoor allowing insider to steal user funds. The project Twitter account has already deleted. Total losses ~ $100,000

  • Popular Atlanta Rapper Gunna was unmasked by zachxbt for the rug pull his own token PushinPETH which the rapper denied. Total losses ~ Unknown

  • Wormhole Network provides a crypto bridge between Solana and Ethereum networks. The bridge experienced an exploit in which 120k weth (80k on Ethereum, and 40K on Solana) were taken. For a total sum around $326 million. Wormhole is in the process of reaching to the hacker with an offer of $10M bounty for the return of the remaining funds. No news on that front. Total losses ~ $326M

  • Meter Passport crypto bridge was also hacked a few days later. Passport has a feature to automatically wrap and unwrap gas tokens like ETH and BNB for user convenience. The contract did not block direct interaction of the wrapped ERC20 tokens for the native gas token and did not properly transfer and verify the correct number of WETH transferred from the callers' address. A loss of $4.3M including 1391 ETH and 2.7 BTC has been recorded. Total losses ~ $4.3M

  • Bomb Crypto silently patched an ongoing vulnerability that allows someone else other than the player to claim the earned bcoins in the chest. This vulnerability was reported by multiple players even when they did not claim. Peckshield provided specific guidance to the issue. Unknown specific losses, but at least 20 players reported lost of their wallets (with one holding 68 bcoins). Total losses ~ Unknown

  • Polygon’s native stablecoin protocol, Qi Dao, faced an exploit on its Superfluid vesting contract, which led to a 65% drop in the price of the governance token Qi Dao (QI). QI’s price fell from $1.24 to $0.18. The protocol enables users to move assets on-chain in a constant flow in real-time from one wallet to another. While there was no impact on users’ funds, the hackers behind the attack managed to get away with $20 million worth of tokens including 24 Wrapped Ether (wETH), 562,000 USD Coin (USDC), 44,000 Stake DAO (SDT), 1.5 million Museum of Crypto Art (MOCA), 23,000 Stacker Ventures (STACK) and nearly 40,000 sdam3CRV. Early information suggests that the stolen funds belonged to some of the early backers of the project and included team-vested tokens as well. Total losses ~ $13M

  • Dego Finance notified users that the address providing liquidity on Uniswap and Pancakeswap was hacked allowing the DEGO liquidity pairs to be drained. Together, the exploiter withdrew more than $10 million from both Dego Finance and Cocos Blockchain Expedition (cocos-bcx). Cocos-BCX has not commented on the event. However, according to https://cryptobriefing.com/bsc-ethereum-defi-projects-hit-14-4m-hack/, it is speculated that both projects may run by the same team. A day later, COCOS-BCX moved funds into a multi-signature wallet. Total losses ~ $14.4M

  • BabyMusk is a tribute coin to Elon Musk. Its community has one main goal: to catch Elon’s attention such that he will join the project. The project raised about $2 million during its initial coin offering (ICO) in early February 2022. The initiative’s developers went to considerable measures to make the token look legitimate, saying that their goal was to “revolutionize the meme industry.” Until a couple of days back, Baby Musk Coin seemed to be the new big meme-coin to invest in. Like most other cryptos from this space, even BABYMUSK appeared to offer fancy gains. It also mingled well next to other prominent names like BabyDoge and Dogelon Mars. However, a couple of users were quick to bring to light the red flags. Pseudonymous user “NOSHIT” underlined the large-sized BABYMUSK holding by developers and the fact that users couldn’t sell. As such, NOSHIT labeled it a honeypot scheme. Certik indicated that 1571 BNB or 660k was moved to Tornado Cash. Total losses ~ $404,000

  • Teddy Dog Token planned airdrops were hacked because of a loophole in the pre-sale web site, allowing the hackers to attack and steal the private key of the public offering wallet and attack the pot pool in PancakeSwap. Over 1000 BNB tokens were taken. The project has returned all BNB deposited by users for the pre-sales. Teh TDG tokens will be repurchased and burned. Total losses ~ $660,000

  • ValentineFloki is a Meme Coin with real life utility and Metaverse Integration + NFTs promising a 7% BUSD Reward. Liquidity was removed and owner ran off with 226 BNB. Total losses ~ $89,270

  • IRA Financial Trust discovered suspicious activity that has affected a limited subset of their customers (about a dozen accounts) with accounts on the Gemini cryptocurrency exchange. The company has provided individual notification to all affected customers and has separately notified non-impacted customers. Due to the ongoing investigation, IRA Financial Trust is unable to comment to individual queries. Gemini provided a follow-up statement that the movement was authorized and was not due to any hacking activities against its platform. Total losses ~ $36M