Cryptospace Spotlight #41 (9 Oct 2022) - Binance Smart Chain Hacked
BNB chain hacked for $500M with over $100M moved off chain, Transit Swap lost ~$24M before the hacker returned a large portion and sent the rest to Tornado, and UAE marched boldly with its Metaverse strategy!
Security and Risk
7 Oct - Binance Smart Chain Hacked
The Binance Smart Chain (BSC) cross-chain bridge lost ~$550 million worth of BNB (Binance native tokens) due to low-level proof forging. The attacker managed to send ~$110 million worth of BNB to other chains before the network was halted. [more][more-2][more-3][more-4][more-5][more-Binance-update]
Binance indicated that a total of 2 million BNB was withdrawn. The exploit was through a sophisticated forging of the low-level proof into one common library.
Security analysts noted there was a bug in the way that the Binance Bridge verified proofs which could have allowed attackers to forge arbitrary messages. The attacker simply said to the bridge “I transferred 1M BNB to you on the Beacon Chain (BEP2), so you must give me 1M BNB on Binance Smart Chain (BEP20)”. The attacker provided a fake proof that was accepted as valid.
Separately, the quick coordination that followed to halt the chain and push an update raised the question of BSC decentralisation. [more]
6 Oct - DeFi Protocol Sovryn
Bitcoin DeFi protocol Sovryn was drained of over $1 million due to a price manipulation exploit. [more][more-Sovryn]
The attacker first bought WRBTC with a flash swap from RskSwap and then borrowed WRBTC from the RBTC Sovryn lending contract using their own XUSD as collateral.
The attacker then provided liquidity to the RBTC lending contract, closed their loan with a swap using their XUSD collateral, redeemed (burned) their iRBTC token, and sent the WRBTC back to RskSwap to complete the flash swap.
This sequence of events manipulated the iRBTC price such that they were able to take out much more RBTC than they originally deposited.
3 Oct - Transit Swap Hacked
Decentralized exchange aggregator Transit Swap lost ~$24 million due to a coding bug. The attacker returned ~$18 million and sent ~$4 million to TornadoCash. [more][more-analysis][more-token-movement]
The main reason for this attack is that the Transit Swap protocol does not strictly validate the data passed in by the user during token exchange. The attacker exploited this vulnerability in the external call function to steal tokens that were authenticated.
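The kind of strict validation the paragraph above says was missing, as an added example (not Transit Swap's code or part of the original newsletter): user-supplied call data is checked against an allowlist before it is forwarded, and the protocol's own token pull only ever charges the caller. It assumes "authenticated" tokens means tokens users have approved the protocol to spend; all function names, addresses and the allowlist are hypothetical.

```python
# Added example with hypothetical names. ERC-20 selectors that move or
# authorize tokens: user calldata carrying one must never be forwarded.
TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)
APPROVE = bytes.fromhex("095ea7b3")        # approve(address,uint256)
TRANSFER = bytes.fromhex("a9059cbb")       # transfer(address,uint256)
TOKEN_MOVING = {TRANSFER_FROM, APPROVE, TRANSFER}

def word_to_address(word: bytes) -> str:
    """Decode a 32-byte ABI word as an address; the top 12 bytes must be zero."""
    if len(word) != 32 or word[:12] != bytes(12):
        raise ValueError("malformed address word")
    return "0x" + word[12:].hex()

def check_forwarded_call(target: str, calldata: bytes, allowlist: set) -> str:
    """Validate a user-supplied external call before the router forwards it."""
    if len(calldata) < 4:
        return "calldata too short"
    selector = calldata[:4]
    if selector in TOKEN_MOVING:
        return "token-moving selector"
    if (target.lower(), selector) not in allowlist:
        return "target/selector not allowlisted"
    return "ok"

def check_pull(caller: str, calldata: bytes) -> str:
    """The router's own transferFrom: the payer ('from') must be the caller."""
    if calldata[:4] != TRANSFER_FROM or len(calldata) != 4 + 3 * 32:
        return "not a well-formed transferFrom"
    try:
        payer = word_to_address(calldata[4:36])
    except ValueError as exc:
        return str(exc)
    return "ok" if payer == caller.lower() else "payer is not the caller"

# Constructed sample data: addresses, allowlist and amount are made up.
def addr_word(addr: str) -> bytes:
    return bytes(12) + bytes.fromhex(addr[2:])

USER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
DEX, TOKEN = "0x" + "11" * 20, "0x" + "22" * 20
SWAP = bytes.fromhex("38ed1739")  # sample swap selector on the allowlisted DEX
ALLOWLIST = {(DEX, SWAP)}
AMOUNT = (1000).to_bytes(32, "big")
PULL_OWN = TRANSFER_FROM + addr_word(USER) + addr_word(DEX) + AMOUNT
PULL_OTHER = TRANSFER_FROM + addr_word(OTHER) + addr_word(USER) + AMOUNT

if __name__ == "__main__":
    print(check_forwarded_call(TOKEN, PULL_OTHER, ALLOWLIST))
    print(check_pull(USER, PULL_OWN), "/", check_pull(USER, PULL_OTHER))
```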
3 Oct - Coinbase Bank Transfer Issue
Coinbase paused transactions in the US for 5 hours to address bank transfer issues. [more]
Other crypto picks
Solana co-founder Anatoly Yakovenko noted that he is aware of concerns about Solana’s outages and that a “long-term fix” for the network is the number one priority. [more]
Metaverse platforms Decentraland and The Sandbox each have over $1 billion in valuation despite low user metrics. The largest number of daily users ever on Decentraland was 675, according to DappRadar. For The Sandbox, that number was larger at about 4,503. [more]
European Union - In a statement released on Oct. 6, the European Union introduced another set of sanctions against Russia due to the prolonged and recently escalated conflict in Ukraine. The new sanctions include a complete ban on cross-border crypto payments between Russians and the EU. [more]
United States - The Financial Stability Oversight Council (FSOC) met Monday to discuss its new report on digital assets, designed as a framework for regulators and financial rulemakers. It noted that cryptocurrencies could “pose risks to US stability, under certain conditions”, and was particularly concerned about stablecoins, volatility and crypto token classification. [more]
United Arab Emirates -
UAE Ministry of Economy is opening its new headquarters in the Metaverse. The new headquarters will complement the ministry’s two existing offices in Abu Dhabi and Dubai, allowing the ministry to make digital services a bigger part of its operations. Visitors to the virtual headquarters will be able to sign legally binding documents, which eliminates the need for signatories to visit one of their physical locations in order to provide their signatures. [more]
Omar Al Olama, Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications, said that Dubai plans to start a new economic metric called 'gross metaverse product'. It is intended to be applied in sectors such as tourism, education, retail, real estate and government. Mr Al Olama stressed that Dubai is building the metaverse with a pragmatic view, ensuring that its development is not based on hype or unproven mechanics, but rather on a strategy with tangible outcomes. [more]
MakerDAO, the governing body of the Maker Protocol, has taken the first step of its plan to reallocate $500 million of its stablecoin Dai collateral reserves into short-term United States Treasurys and corporate bonds. [more]
Crypto lender Celsius’ top executives withdrew a little over $17 million in cryptocurrency between May and June 2022, right before the company suspended withdrawals and filed for bankruptcy, new court records show. [more]
FTX aimed to expand its Visa crypto debit card internationally, to countries in Latin America, Europe and Asia, after launching it in the United States earlier this year. It will let users directly tap into the crypto funds in their accounts while shopping. [more]
Crypto exchange Huobi Global said that it has agreed to be purchased by Hong Kong-based investment company About Capital Management's M&A fund. [more]
Citizens of Lugano, Switzerland, will be able to pay merchants in crypto tokens such as bitcoin and tether under a collaboration between stablecoin issuer Tether and GoCrypto. Merchants in the Swiss city participating in the initiative so far include fast food giant McDonald’s. [more]
Celebrity influencer Kim Kardashian, who was paid $250,000 to publish a post on her Instagram account about EMAX tokens, was charged with unlawfully touting a crypto security, and has agreed to a settlement for $1.26 million as well as to cooperate with the SEC’s investigation. [more]