Oracle attack on Solend costs the project $1.26 million
Solend announced that an exploiter had manipulated the oracle price of an asset on their platform, allowing them to take out a loan that left the platform with $1.26 million in bad debt. They reported that they had paused affected pools, and did not anticipate other pools on the platform were at risk.
Mango Markets suffers loss of more than $116 million
Mango Markets, a Solana-based defi project offering borrowing, lending, and leverage trading, was exploited for $116 million. An attacker manipulated the supposed value of their collateral on the platform, allowing them to take out massive loans from the project treasury that they never repaid. In total, they stole around $116 million worth of Solana tokens. However, only a few exchanges have sufficient liquidity to support exchanging or withdrawing that quantity of tokens, and those exchanges (Coinbase, Binance, and Kraken) froze the attacker's wallets.
Mango Markets posted on Twitter to urge users not to deposit into the project, and asked the hacker to contact them "to discuss a bug bounty". The hacker had their own plans, instead submitting a governance proposal in which they would return $46 million of the stolen funds (keeping $70 million) in exchange for a promise that the protocol would not try to freeze the assets or pursue criminal charges. The hacker then used their 32 million governance tokens to vote in support, but ultimately were not able to get the proposal to pass. A different proposal with largely the same terms, but which left the attacker with only $47 million of the stolen funds, passed shortly after.
One misconfigured node apparently takes the entire Solana network offline
In the latest illustration of our marvelous new decentralized, resilient blockchain future, one single Solana node apparently was able to take down the entire Solana network. Solana outages are nothing new, and tend to end (as this one did) with Solana issuing instructions to the people who run their validators, asking them all to turn them off and on again.
A validator operator reported that "It appears a misconfigured node caused an unrecoverable partition in the network." It's a bit startling that, in a supposedly decentralized network, one single node can bring the entire network offline.
Helium ditches its blockchain
Helium is a network of wireless hotspots that decided to bolt on a cryptocurrency layer a few years after it was created. Through this, they hoped to convince people to spend hundreds of dollars on Helium hotspots, which earn an average of 0.07 HNT ($0.37) a day (2.1 HNT/$11.24 a month) for supplying connectivity to internet of things devices.
Now, Helium is ditching its custom Helium chain in favor of a Solana-based token, and scrapping the blockchain entirely for the portions of its service that actually used the blockchain for anything beyond handling rewards.
Helium seems to have realized, finally, that blockchains tend to be slow as hell. In a blog post about the change, they wrote that "specific transactions, including Proof-of-Coverage and Data Transfer Accounting, are processed on-chain unnecessarily. This data bottleneck can cause efficiency issues such as device join delays and problems with data packet communications, which bloats the Network and causes slow processing times." They outline their plans to move these portions of the project to a "more traditional large data pipeline" — that is, infrastructure that's actually well-suited to that kind of processing.
- "HIP 70: Helium Core Team Proposes to Migrate to Solana", Helium Foundation
- Helium Tracker
OptiFi developer accidentally closes the project contract, irretrievably locking $661,000
OptiFi, a derivatives defi project, accidentally and permanently shut down the project smart contract, irretrievably locking up $661,000 — the project's entire fund. A developer had been trying to push an update to the project, and ran into issues related to Solana network congestion (a recurring issue). While trying to clean up from a partially-executed transaction, the developer accidentally ran a command that closed the project's primary smart contract.
OptiFi has promised to return user deposits and settle all positions. In a post-mortem, they wrote that they had learned that "Every deployment needs a rigorous process and single point failure can be avoided. Please don't rush like what we did, especially for defi projects". They further outlined a "peer-surveillance approach" in which three people would be required to deploy any changes together. They also asked the Solana team to implement a two-step confirmation for such a potentially destructive command.
Whistleblower website alleges that the creators of the Avalanche blockchain paid lawyers to attack competitors
An anonymous whistleblower website called "CryptoLeaks" has alleged that Ava Labs, the company behind the Avalanche blockchain, paid lawyers to sue competitors and obtain confidential information through legal discovery. The site includes secretly recorded videos of Kyle Roche, a founding partner of the Roche Freedman law firm which has filed class action lawsuits against numerous companies including Solana, Binance, and others. In some of the surreptitiously recorded videos, Roche is visibly drunk.
"A pact was formed that involved Ava Labs granting Roche Freedman a massive quantity of Ava Labs stock and Avalanche cryptocurrency (AVAX), now worth hundreds of millions of dollars, in exchange for Roche Freedman agreeing to pursue a hidden purpose," the site claims.
The site does include video clips of Roche saying some surprising things, although the clips are very short and devoid of context. The whole thing should be taken with a grain of salt.
Ava Labs founder Emin Gün Sirer dismissed the claims on the site as "conspiracy theory nonsense". Roche published a statement about the " numerous unsourced false statements and illegally obtained, highly edited video clips that are not presented with accurate context", in which he said that his statements about filing class action suits at the behest of Ava Labs were "false, and were obtained through deceptive means, including a deliberate scheme to intoxicate, and then exploit me, using leading questions. The statements are highly edited and spliced out of context."
DegenTown NFT project rug pulls after promotion from Magic Eden
DegenTown, a collection of brightly-colored cel shaded humanoid figures, launched with much promotion from Magic Eden on their Launchpad minting service. Magic Eden aims to provide collectors with a level of trust in the project by requiring creators to disclose their identities to the company.
DegenTown first suffered issues in July, when the project's Twitter account was allegedly hacked, and users were tricked into approving a contract that drained their wallets. One individual behind the project promised they would compensate the users whose wallets were drained, but never did.
The project ultimately rug pulled instead, with Magic Eden acknowledging it in a blog post and Twitter thread on August 17. They wrote that they were "urging the original Degen Town founders to return the funds" — however, this is complicated somewhat by the fact that the identity of one of them is not known to Magic Eden. They explained, "Our prior policy was that we doxxed founders. NFTRamo claimed to be an advisor but we learned that he was actually the founder of the project and used being an advisor as a way of skirting our doxxing processes." This is not the first time their identity verification process was sidestepped — they introduced it after a serial rugpuller used their platform to anonymously sell and then rug pull another NFT project, but that same person was able to do it again only a few months later.
The DegenTown project minted 8,000 NFTs for 3 SOL apiece, bringing in $923,000. Beyond that, the creators took 7.5% in royalties on secondary sales. Magic Eden has said that they were able to get one of the two founders to return the funds they'd earned from the mint, and that they planned to use them to compensate buyers.
- "Magic Eden Response to Degen Town", Magic Eden blog
- Twitter thread by Magic Eden
Ian Macalinao revealed to have pumped the total value locked on the Solana ecosystem by pretending to be 11 developers working on over a dozen projects
CoinDesk revealed that eleven developers behind Solana projects including Sunny Aggregator and Cashio were all actually personas created by Ian Macalinao. Macalinao created the Saber protocol on Solana, and used his personas to build what appeared to be independent projects that all used Saber. In doing so, he was able to artificially inflate the apparent total value locked (TVL) on Solana by double-counting the same tokens. At their peak popularity, Saber and Sunny were responsible for the $7.5 billion of Solana's $10.5 billion TVL.
In an unpublished blog post where he confessed to his deception, he wrote, "I believe it contributed to the dramatic rise of SOL". He wrote the post shortly after one of his persona's projects, Cashio, was hacked for $52 million, but apparently shelved it.
Ian Macalinao's brother Dylan, the other co-founder of Saber protocol, aided in the scheme by lending credibility to Ian's various personas to those who had doubts about trusting money to projects led by pseudonymous individuals.
All told, Ian Macalinao was responsible for the Saber protocol, the Protagonist VC firm and incubator, and Ubeswap under his real name. He created Sunny Aggregator as Surya Khosla, Cashio as 0xGhostchain, Goki as Goki Rajesh, Quarry as Larry Jarry, TribecaDAO as Swaglioni, Crate as kiwipepper, aSOL as 0xAurelion, Arrow as oliver_code, Traction.Market as 0xIsaacNewton, Sencha as jjmatcha, and VenkoApp as ayyakovenko.
Thousands of Solana wallets drained in attack that nets over $6 million
Nearly 8,000 Solana wallets were drained for at least $6 million worth of assets, including native SOL tokens and SPL tokens like USDC. The attack went on for nearly a day before Solana identified the likely cause: private keys that were exposed to an application monitoring service used by the crypto wallet Slope. Both Solana and Slope were vague about further details but explained that they were continuing to investigate.
Nirvana Finance drained of $3.5 million
The Solana-based yield farming project, Nirvana Finance, was exploited by an attacker who used flash loans to drain the project of just under $3.5 million. The attacker took out a $10 million loan from the Solend project, used it to mint ANA tokens, swapped the ANA for $13.5 million, and then repaid the loan. The attack was similar to the attack on Crema Finance earlier in the month.
The attack caused the project's ANA token to plunge in value by 80%, and the project's NIRV stablecoin to lose its dollar peg, falling to $0.08. Nirvana Finance tweeted, "Please be advised: ANA has lost its collateral, and NIRV has lost its peg. Until the thief restores funds, these tokens will not have exchange value. Be very careful with trading NIRV & ANA, as they currently have no guaranteed value."
They also tweeted at the hacker, promising to stop investigating the hacker's identity and to pay a $300,000 "bounty" in exchange for the funds back. They wrote, "You have not taken money from VCs or large funds — the treasury you have taken represents the collective hopes of everyday people."
The project had promised its users over 60% APY, and its Twitter account described ANA as "the balanced risk investment with adaptive yield".