Cryptospace Spotlight #42 (16 Oct 2022) - Mango lost $100M
DeFi Mango Markets lost $100M due to oracle price manipulation, Google to accept cryptocurrencies for its Cloud services, and Cosmos said that a “critical security vulnerability” had been discovered!
Security and Risk
12 Oct - Mango’s oracle pricing manipulation
Solana DeFi trading platform Mango Markets lost $100M due to oracle price manipulation. [more][more-Mango][more-analysis]
The attacker manipulated the spot price of the Mango governance token (MNGO) on centralized exchanges, then used the inflated coins as collateral to borrow stablecoins, leaving the protocol with bad debt once the price of MNGO returned to normal.
The Mango DAO, a decentralized autonomous organization that manages Mango Markets, has offered the attacker a bug bounty of $47 million. [more]
Meanwhile, Sam Bankman-Fried warned about the use of oracles. "The oracle accurately reported the current price of MNGO," he said. "It's just that the 'current price' wasn't really anything close to the 'fair price.'" [more]
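To illustrate the gap between "current price" and "fair price" described above, here is an added example (not Mango Markets code) comparing a borrow limit computed from the raw spot price with one computed from a spot price capped against a trailing median. The price samples, the loan-to-value ratio, the window and the deviation cap are all constructed assumptions.

```python
from statistics import median

# Constructed feed (USD per collateral token), oldest first. The last three
# samples model a short-lived spike in the reported spot price.
SAMPLES = [0.030, 0.031, 0.030, 0.029, 0.030, 0.031, 0.150, 0.420, 0.910]

LTV = 0.5             # assumed loan-to-value ratio
WINDOW = 6            # assumed number of earlier samples used as reference
MAX_DEVIATION = 0.10  # assumed: spot may sit at most 10% above the reference


def naive_borrow_limit(units, samples):
    """Values collateral at the latest spot price, whatever it is."""
    return units * samples[-1] * LTV


def guarded_price(samples):
    """Return (price used for valuation, deviation flag).

    The reference is the median of the samples before the latest one, so the
    newest sample cannot move its own reference point.
    """
    reference = median(samples[-WINDOW - 1:-1])
    ceiling = reference * (1 + MAX_DEVIATION)
    spot = samples[-1]
    return min(spot, ceiling), spot > ceiling


def guarded_borrow_limit(units, samples):
    """Values collateral at the capped price and reports the deviation flag."""
    price, deviated = guarded_price(samples)
    return units * price * LTV, deviated


if __name__ == "__main__":
    units = 1_000_000
    print("naive  :", naive_borrow_limit(units, SAMPLES))
    print("guarded:", guarded_borrow_limit(units, SAMPLES))
```

A price held away from fair value for longer than the window moves the median as well, so the window length and cap are tuning choices rather than a complete defence.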
11 Oct - TempleDAO smart contract flaw
TempleDAO lost $2.3M to an attacker due to a smart contract validation flaw. [more][more-analysis]
The TempleDAO StaxLPStaking contract allows users to transfer staked tokens from an earlier contract to the current one to continue staking.
However, the “migrate staking” function was not restricted so that only the intended “migration” contract could call it. Anyone could supply a fake address and a staked token amount to the function and receive the new staked tokens.
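The missing restriction described above, as an added example: a simplified Python model of a migration entry point without and with a check on where the migrated stake comes from. This is not the StaxLPStaking source; all class names, method names and balances are hypothetical.

```python
class LegacyStaking:
    """Earlier staking contract holding real balances (constructed data)."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def release_for_migration(self, staker, amount):
        if self.balances.get(staker, 0) < amount:
            raise ValueError("insufficient legacy stake")
        self.balances[staker] -= amount


class UnverifiedSource:
    """Stand-in for an arbitrary address: approves any claimed amount."""
    def release_for_migration(self, staker, amount):
        return None


class CurrentStaking:
    def __init__(self, trusted_source):
        self.trusted_source = trusted_source
        self.balances = {}

    def _credit(self, staker, amount):
        self.balances[staker] = self.balances.get(staker, 0) + amount

    def migrate_stake_unchecked(self, caller, source, amount):
        # Flawed: trusts whatever `source` the caller passes in.
        source.release_for_migration(caller, amount)
        self._credit(caller, amount)

    def migrate_stake(self, caller, source, amount):
        # Hardened: only the known legacy contract may back a migration.
        if source is not self.trusted_source:
            raise PermissionError("migration source not authorised")
        source.release_for_migration(caller, amount)
        self._credit(caller, amount)


def demo():
    legacy = LegacyStaking({"alice": 100})
    current = CurrentStaking(trusted_source=legacy)
    current.migrate_stake_unchecked("mallory", UnverifiedSource(), 1_000)
    unbacked = current.balances["mallory"]   # credited with no real stake
    try:
        current.migrate_stake("mallory", UnverifiedSource(), 1_000)
        blocked = False
    except PermissionError:
        blocked = True
    current.migrate_stake("alice", legacy, 60)  # legitimate migration works
    return unbacked, blocked, current.balances["alice"], legacy.balances["alice"]
```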
11 Oct - QANX Bridge wallet weakness
‘Quantum-Resistant’ Blockchain QANplatform’s bridge “QANX Bridge” lost $1M after its wallet got compromised. [more][more-QANX]
The QANX Bridge smart contract deployer wallet was compromised due to the use of a vanity address generated with the Profanity tool. The project has a security issue related to low entropy levels.
This is similar to the Wintermute incident. Recap: the tool started out from 32 bits of entropy and expanded that into 32-byte secp256k1 private keys.
Other crypto picks
Europe - The European Parliament’s ECON Committee confirms MiCA deal and is setting up the regulation to enter force in 2024. [more]
Singapore - Coinbase and Blockchain.com received in-principle approval for a crypto payment license from the Monetary Authority of Singapore. [more] [more-2]
IOSCO - The International Organization of Securities Commissions, an association of organizations that regulate the world's securities and futures markets, proposed a set of new measures to address the increasing risks in digital marketing of crypto. [more] [more-IOSCO-report]
IOSCO proposes to oblige the management of crypto products to take responsibility for the accuracy of the information provided to potential investors on social media and apply “appropriate filtering mechanisms” for financial consumer onboarding.
China - China’s central bank announced the latest statistics of its central bank digital currency (CBDC) issuance. [more]
By the end of August, the pilot digital yuan had a cumulative 360 million transactions, 36% higher than the 264 million three months earlier. The cumulative value of eCNY transactions was 100.04 billion yuan ($13.9bn), a 20% increase from 83 billion ($11.5bn) in May.
The average transaction value has declined from 314 yuan ($43.52) to 278 yuan ($38.50).
Ethan Buchman, co-founder of interblockchain communication (IBC) ecosystem Cosmos, said that a “critical security vulnerability” had been discovered that “impacts all IBC-enabled Cosmos chains, for all versions of IBC." [more]
The issue appears to have come to light after core developers of Cosmos and Osmosis (the leading decentralized exchange on Cosmos) ramped up security audits in light of a $100 million cross-chain bridge exploit on BNB Chain on Oct. 6.
Web3 devs are ‘more active than ever’ amid crypto winter. Web3 development platform Alchemy noted the deployment of smart contracts increased by 40% from the first quarter of the year with consecutive all-time highs hit every month over the third quarter peaking at 17,376 in September alone. [more]
Decentralized Ethereum scaling platform Polygon (MATIC) announced the launch of Polygon zkEVM Public Testnet, an “Ethereum-equivalent” ecosystem with cross-compatibility to existing smart contracts, developer tools and wallets built on Ethereum and Polygon PoS. [more]
DEX Uniswap announced its latest raise of $165 million today, led by Polychain Capital together with a16z crypto, Paradigm, SV Angel, and Variant. [more]
Google will work with Coinbase for customers to pay for cloud services with digital currencies early next year. In addition, Google said it would explore using Coinbase Prime, a service for storing and trading cryptocurrencies. [more]
French authorities have charged five young individuals for allegedly using a phishing website to scam victims out of millions of dollars worth of their NFTs, including those belonging to the Bored Ape Yacht Club collection.
The five are said to have belonged to a criminal gang that stole the tokens, worth an estimated $2.5 million, between late last year and early this year. [more]