DeltaPrime loses $4.8 million in second hack

The DeltaPrime defi protocol was hacked for the second time in two months, losing $4.8 million in Arbitrum and Avalanche tokens. The attacker appeared to have exploited a flaw in one of the platform's smart contracts that enabled them to borrow more than they put up in collateral.

DeltaPrime paused the protocol on both Arbitrum and Avalanche, stopping the attacker from being able to steal more funds than they already had.

DeltaPrime was hacked previously on September 16, losing $6 million after a leaked private key enabled an attacker to mint a huge number of the platform's stablecoin deposit receipts.

"Peripheral" Aave smart contract hacked for $56,000

The popular defi lending platform, Aave, suffered a smart contract exploit that allowed an attacker to steal around $56,000. A smart contract outside of the core Aave protocol, which is used to allow people to use existing collateral to repay their loans, had gradually accrued a balance of tokens leftover from slippage. These small leftover token amounts are sometimes called "dust". Altogether, these tokens amounted to around $70,000 across several blockchain networks.

An exploiter was able to take advantage of an arbitrary call error that allowed them to steal funds from these various contracts, amounting to around $56,000. Various people associated with Aave emphasized that there was no risk to user funds or flaw in the core Aave protocol, and one described the hack as "raiding the tip jar".

Dwight Howard's NFT project flops

Image: Ballers NFT project artwork, an illustration of Dwight Howard in 3/4 profile, wearing shades with "Ballers" across the front in LEDs, and a tank top with the Avalanche logo pinned on a strap.

NBA star Dwight Howard is clearly at least a year (probably two) late to the time when celebrities and star athletes could drop some low-effort NFTs and sell out the whole batch immediately. After announcing his "Ballers" project on January 20, offering 3,000 NFTs for a mint price of 2 AVAX (~$60) apiece, he only managed to sell about 300 of them within a day or so.

After the dismal launch, Howard tried a few somewhat desperate-seeming moves to try to attract interest in the project: promising to send free crypto to some holders, redoing all the art after criticism of its quality, and slashing the NFT supply to 1,500. Despite all that, only 465 NFTs have sold (15% of the original supply, netting Howard 930 AVAX — around $28,400).

The flop was so bad that a member of the team behind the Avalanche blockchain put out a tweet distancing themselves from the project, stating that they didn't even know about the project until he announced it. "Gone are the days that individuals/Brands with large followings can just drop IP related NFTs out of nowhere and expect it to do well," they wrote, seemingly criticizing Howard's approach by writing that NFT creators must "mak[e] sure to do it in an organic way with proper intentions."

Platypus Finance hacked for a third time this year

At this point, they should probably just have a form email ready to go. Platypus Finance has suffered a cumulative $2.23 million in losses thanks to several attacks on the platform over the course of several hours. This set of hacks followed an $8.5 million hack in February, and another hack of at least $150,000 in July.

Platypus was quickly able to recover $575,000 from this latest hacker, thanks to a flaw in their attack. Later, they recovered all but $167,400 of the stolen funds after coming to an agreement with the attacker that they would not pursue legal action.

Stars Arena exploited for $3 million

Stars Arena, an Avalanche-based dupe of the popular Friend.Tech project, suffered a serious exploit in which an attacker drained tokens priced at around $3 million.

Avalanche co-founder and CEO Emin Gün Sirer drew widespread mockery when announcing that "the amount lost is only $3m", apparently not perceiving that $3 million is a massive sum to most people. He also didn't mention that it constituted almost the entire TVL of the Stars Arena project, which was left with less than $1 in tokens following the attack.

Stars Arena was fortunate, in that the hacker ultimately contacted them offering to make a deal. The attacker returned 90% of the funds, keeping $300,000 as a "bounty".

Platypus Finance hacked for the second time

Platypus Finance paused their pools after they were alerted to what they described as "suspicious activities". Security firm PeckShield was apparently the first to notice the activity, sending them a dreaded "hi, you might want to take a look" tweet that has become their signature way of alerting protocols that something bad has just happened. The CertiK security project also tweeted that they'd observed multiple suspicious flash loans involving the project.

This is the second apparent hack of Platypus Finance, following an $8.5 million hack only ten days after it launched in February 2023. The first hack also involved flash loans.

0xSifu loses more than $2.7 million to SushiSwap hack

0xSifu, also known as Michael Patryn, also known as Omar Dahani, is the once-pseudonymous chief developer of the Wonderland protocol. His identity was discovered by zachxbt in January 2022, when the crypto sleuth revealed that "0xSifu" was Patryn, a man with a history of financial crimes who was previously involved with QuadrigaCX, an exchange which lost over $150 million in customer funds in 2018.

Today, Sifu himself was the victim of a theft as a bug in the SushiSwap decentralized exchange allowed a hacker to make off with around 1,800 ETH (more than $3.3 million) belonging to him. According to SushiSwap leader Jared Grey, around 300 ETH (~$557,000) of Sifu's funds were subsequently recovered.

Analysts have found that almost 200 addresses on the Ethereum network have approved the vulnerable contract, and around 2,000 addresses approved the vulnerable contract on Arbitrum, Polygon, and other chains. It's not yet clear how much was stolen in total. SushiSwap leader Grey urged users via Twitter to revoke approval for the vulnerable smart contract.

Turkish electric vehicle company Togg announces presale via NFT, then scraps the plan after customers have already bought in

Image: Promotional image for Togg's NFT collection, a rendering of a red SUV-style car with text below it reading "NFT'nizi seçmeye hazır mısınız?" ("Ready to choose your NFT?").

Turkish electric vehicle startup Togg announced that interested customers would be able to obtain pre-order rights for the limited run of their "100 Year Special Series" cars if they purchased one of the 2023 NFTs they planned to mint on the Avalanche blockchain. NFTs began minting at between 10 and 30 AVAX ($200-$600) depending on rarity, and prospective customers purchased AVAX at its ~$20 price in anticipation of the early February sale. Many customers purchased considerably more AVAX, anticipating fierce bidding wars.

However, shortly after the NFT sales began, the platform crashed. Then, very soon after the sale began and Togg began addressing the issues with the platform, a series of earthquakes devastated portions of Turkey. As a result, Togg announced they would be postponing the sale until a later announcement.

On March 8, Togg announced that they had canceled their plans to conduct the pre-order process by NFT drawing, and that any NFT holders would not be prioritized in the pre-order.

This infuriated some customers who had purchased AVAX solely intending to use it to obtain a pre-order slot — particularly because AVAX is now priced below $15, meaning those who've been holding AVAX since purchasing it have lost 25%.

Platypus Finance stablecoin exploited for $8.5 million ten days after launch

Platypus USD, a stablecoin issued by the Platypus Finance defi protocol, was exploited only ten days after it first launched. The loss was estimated to be around $8.5 million, although crypto researcher zachxbt observed that Tether had blacklisted the attacker contract shortly after the theft.

The exploit was a flash loan attack that allowed the attacker to drain some protocol pools, also causing the stablecoin to lose its dollar peg and drop to around $0.48. A team member reported on the project's Discord that "all operations are paused until we get more clarity".

The following day, the project reported they had recovered $2.4 million of the stolen funds, and were working with crypto sleuth zachxbt, who had leads as to the hacker's identity. Later that month, Platypus announced that French police had arrested two suspects, who had tried to withdraw stolen funds through Binance — to whom they had submitted identification documents for KYC purposes.

Defrost Finance fails to rug pull

Defrost Finance, a defi trading platform built on the Avalanche Network, apparently tried and failed to rug pull its users. The project claimed on December 23 that they were "sad to announce that our V2 has suffered a hack, with an attacker using a flash loan function to withdraw funds". They later announced that this "hacker" had also managed to exploit the v1 version of their project. Altogether, it appeared that tokens valued at around $12 million had been stolen.

Observers were quick to notice that the "hack" was made possible by the addition of a fake collateral token, which was then manipulated to liquidate the protocol's users, suggesting the "hack" was likely an inside job.

On December 26, Defrost claimed that the "hacker" had miraculously returned the money. The announcement didn't seem to convince the project's users, who left comments like, "It was never hacked. You tried to rug your users".

Defrost Finance's team had previously run a project called FinNexus, which also suffered a "hack" in May 2021 that was widely believed to have been a rug pull.
