The project had attracted customers by advertising yields of 76–95%.
Hypervault rug pulls for $3.6 million
Only days after the Hypervault yield farming platform announced on Twitter that they'd surpassed $5 million in total value locked, the platform suddenly shut down its website and social media accounts. Simultaneously, the crypto security firm PeckShield observed an "abnormal withdrawal" of a large quantity of various crypto assets priced at around $3.6 million, which were swapped to 752 ETH (~$3.1 million) and laundered through Tornado Cash.
SBI Crypto likely suffers $21 million theft
Crypto sleuth zachxbt observed $21 million in "suspicious outflows" from SBI Crypto, a crypto mining subsidiary of the Japanese SBI Group. The money was quickly laundered through instant exchanges and Tornado Cash, in ways zachxbt observed were similar to tactics of North Korean crypto thieves.
SBI Crypto has not made any public statements addressing the apparent theft.
ConvergenceFi hacked for $210,000
An attacker took advantage of a flaw in the code for the yield farming project ConvergenceFi, draining it of all the tokens that had been allocated for staking emissions. Because a function call in the smart contract did not do proper validation, an attacker was able to provide their own smart contract that set the amount of tokens to return to anything they wanted. Naturally, the attacker set it to return all 58.7 million tokens available to them, which they quickly swapped to around $210,000 and laundered through Tornado Cash.
Although ConvergenceFi described itself as audited, they admitted they had made changes to that portion of the code after the audits.
They assured their users that all user funds were safe, but recommended that users remove their staked funds from the platform.
- "Post-mortem | 08/01/2024", ConvergenceFi Medium [archive]
MonoSwap hacked for at least $1.3 million
The MonoSwap DEX announced on July 24 that it had been compromised, and urged its users to withdraw their funds to avoid losses. According to the project team, one of their developers had been lured into a call with someone pretending to be a venture capitalist, who convinced them to download what they claimed was video call software, but which instead was malware. MonoSwap claimed this gave the hackers "access to all MonoSwap-related wallets and contracts".
The malicious video chat software attack vector has been widely used in the crypto world, with a victim losing cryptocurrency to an attacker using the same technique and impersonating an Andreessen Horowitz partner last month.
So far, the MonoSwap attacker has laundered $1.3 million via the Tornado Cash cryptocurrency mixer.
ETHTrustFund rug pulls for $2.2 million
The operators of a project called ETHTrustFund on Coinbase's Base layer-2 Ethereum blockchain have apparently rug-pulled the project. The ETHTrustFund project was a fork of the Olympus DAO project on Base, but there was months of inactivity on the project following its March launch. Then, on July 20, the developer deleted his Telegram and Twitter accounts and the project's website, and suddenly moved the project treasury to a new wallet. The funds were then laundered through Railgun and Tornado Cash.
- ETHTrustFund, Rekt [archive]
"Read-only" CoinStats crypto application enables wallet breaches
CoinStats, an application promising to help people track their cryptocurrency holdings, has suffered a breach impacting more than 1,500 user wallets.
The application asks its users to connect their wallets to allow it to track their holdings, but promises on the website that it offers "the ultimate security for your digital assets". "Since we ask for read-only access only, your holdings are perfectly safe under any conditions," the website promises, later touting its "military-grade encryption".
CoinStats shut down the platform while investigating the incident. Losses have been estimated at around $2.2 million.
CertiK and Kraken accuse each other of misconduct over bug report and $3 million "testing"
Prominent blockchain security firm CertiK has accused American cryptocurrency exchange Kraken of threatening them after they reported a bug. According to CertiK, they discovered a bug in the exchange software, which they tested with multiple transactions over several days. Some of these were large transactions, which CertiK said they performed to test whether Kraken had alerting in place to detect higher-value transfers. When they reported the vulnerability to the exchange, they say the exchange patched the bug, but then threatened CertiK employees and demanded they repay a "mismatched" amount of crypto allegedly taken during the testing period.
However, others have noted that the number of transactions and amount of cryptocurrency taken by CertiK while "investigating" the bug seems to far exceed the norm for whitehat security researchers, and that they took cryptocurrency amounting to millions of dollars — making their "testing" look a lot more like a blackhat theft. Furthermore, CertiK made several transfers to Tornado Cash as part of their "testing" — an entity that is sanctioned by the United States.
Kraken alleged that CertiK did not disclose the full extent of their employees' transactions, and refused to return the $3 million they had taken. They also alleged that CertiK had attempted to extort them. Kraken said they had been in contact with law enforcement, and were "treating this as a criminal case".
Ultimately, CertiK returned the funds. However, it's not clear if criminal action may be ongoing.
Velocore decentralized exchange exploited for $6.8 million, Linea blockchain halts in response
The Velocore DEX, built on the Linea Ethereum layer-2 blockchain, was exploited for around $6.8 million in ETH. The hacker was able to take advantage of a bug in the project's smart contract in the logic to calculate swap fees. Using a flash loan attack funded through Tornado Cash, the attacker drained most of the tokens from the pool, bridged the tokens back to the Ethereum mainnet, and then tumbled the stolen funds back through Tornado.
In an unusual move, the operators of the Linea layer-2 blockchain chose to unilaterally halt the chain in order to stop the outflow of stolen assets. Because Linea — like many layer-2 chains — is highly centralized, it was possible for the Linea team to unilaterally stop the production of blocks.
This was very controversial, as a single operator being able to unilaterally control the operation of a blockchain goes against much of the cryptocurrency ethos. Following their action, they tried to explain that "Linea's goal is to decentralize our network - including the sequencer. When our network matures to a decentralized, censorship-resistant environment, Linea's team will no longer have the ability to halt block production and censor addresses - this is a primary goal of our network".
Tornado Cash developer sentenced to more than five years imprisonment in the Netherlands
Alexey Pertsev, one of the developers of the Tornado Cash mixing service, was found guilty of money laundering and sentenced to 64 months imprisonment in the Netherlands. Prosecutors claimed that Pertsev knew the service was being used to launder money, but "chose not to intervene". They argued that, although the developers could not necessarily prevent bad actors from laundering money through the service directly, they could have done more to prevent people from using the web interface to wash funds from known criminal wallets.
The case is a concerning one, as sanctioning software developers for how the code they write is used — particularly when it comes to software intended to protect privacy — has frightening implications. Although there is some precedent in the United States that "code is speech", and merely writing and publishing code is protected by the First Amendment, that obviously does not apply to the Netherlands. A collaborator to Pertsev, Roman Storm, is set to be tried on charges of money laundering and sanctions violations in the United States in September, and that case is likely to grapple with this exact issue.
MuskSwap and related projects exit scam for over $5 million
A person or group have raised funds for various crypto projects only to abandon them, empty the project wallets, and launder the funds through Tornado Cash. The largest of the projects was called "MuskSwap", which proclaimed: "$MUSK & MuskSwap was born to show admiration to elon musk's super projects like solarcity, tesla, space x and his constant influence on the world finance & the crypto market."
The project described itself as a DEX with a native $MUSK token, and launched in July 2021. However, the token tanked on December 25, 2021. Although the project team tried to blame the crash on "liquidity issues" and promised paths forward, they locked the project Telegram chat on March 11, 2022. On April 5, 2022, the team withdrew remaining funds and deleted the website.
Crypto analysis firm CertiK linked the MuskSwap project to several other scam tokens and projects: RocketDoge, InfinityGame, SpaceX, MUFC (themed after Manchester United), and Elona Musk. Altogether, the rug pulls have drawn in $5.1 million.