Solana faces wave of drain attacks linked to trading bots including Solareum

The Solana ecosystem is grappling with a spate of drained wallets. A cause has yet to be definitively determined, but some of the thefts were linked to the use of trading bots like Solareum. Solareum speculated that the exploits may have been linked to compromised Telegram bot tokens, which could have allowed the attackers to obtain private keys from message history.

Solareum later wrote that they would be closing the project, and deleted their website. This drew some criticism from users who accused them of doing nothing to investigate the hack, or even being responsible themselves. The project wrote on Twitter, "We at #SOLAREUM team can clarify that we DO NOT steal money." Ah, well, in that case.

Other bots may have been involved in the theft, though it's not clear at this point. Though there was some speculation that a trading bot called BonkBot was to blame, that seems to have been unfounded.

The total theft amount is not clear, but exceeds $500,000.

Prisma Finance hacked for $12 million; attacker makes detailed demands

The defi protocol Prisma Finance was hacked for 3,257 ETH ($11.5 million). An attacker was able to take advantage of a flaw in the project's smart contracts, allowing them to manipulate users' positions and steal some of their collateral. Two other watchful attackers observed the attack strategy and replicated it, stealing a combined additional 173 ETH (~$610,000).

Prisma paused the protocol after detecting the attack.

The first attacker, who stole the bulk of the assets, sent an on-chain message to Prisma claiming that they had performed a "whitehat rescue", and inquired about returning the funds. In later messages, however, they asked the project to answer questions about their security practices and projects' responsibilities to users to prevent attacks. The attacker then transferred the stolen funds to Tornado Cash — indicating their return is unlikely.

In another message, the attacker was angry that Prisma had not expressed gratitude to them or remorse to their users, and was angry they had used terms like "exploit" and "attack" in their description of the incident. They demanded that the team reveal their identities, apologize, and thank the attacker in an online press conference.

Sam Bankman-Fried sentenced to 25 years in prison

Sixteen months after the collapse of his FTX cryptocurrency exchange, Sam Bankman-Fried has been sentenced to 25 years in prison. He has also been ordered to pay an $11 billion monetary judgment.

The sentence follows his conviction on all seven felony charges in November 2022 — a decision reached by the jury within hours of beginning their deliberations.

Bankman-Fried intends to appeal the conviction.

  • Minute Entry for proceedings held before Judge Lewis A. Kaplan: Sentencing held on 3/28/2024 for Samuel Bankman-Fried

LENX co-founder accused of $10 million rug pull

The LENX cross-chain bitcoin liquidity protocol has recently been accused of a $10 million rug pull after community members observed massive withdrawals of treasury funds which were then sent to Binance accounts.

One of the co-founders, known only as "Paul", claimed on Discord that he was "trying to investigate" the movement of funds, which have been blamed on the project's other co-founder, John Kim.

Conversations on Discord suggest that a remaining $3 million in treasury funds were protected, and that the remaining LENX team may have been able to convince Binance to freeze the account that received stolen funds. However, little has been verifiably confirmed to date.

LENX is backed by the Frax Finance lending protocol.

KuCoin and founders criminally charged

The cryptocurrency exchange KuCoin and two of its founders, Chun Gan and Ke Tang, were indicted in the Southern District of New York on charges of conspiring to operate an unlicensed money transmitting business and conspiring to violate the Bank Secrecy Act. Both founders are Chinese citizens, and neither has been located or arrested.

According to prosecutors, they tried to conceal that the exchange had customers from the United States in order to claim that they were exempt from US anti-money laundering laws. They also marketed KuCoin as a KYC-optional exchange where customers from the US could operate unverified accounts.

The charges against the founders carry maximum sentences of five years in prison.

"Munchables" crypto game exploited for $62.5 million

[Image: A Munchable, a small round furry shape with big blue eyes and thin legs, somewhat resembling a soot sprite]
The "Munchables" crypto game explains: "Schnibbles grow on every realm across the Munchable's world. Each realm has their own unique and distinctive schniblet, and the Munchables react differently based on their compatibility to the schniblets fed to them. When creating an account for the Munchables, you must choose the location of your snuggery." Right then.

Things went awry in the land of the schnibbles and snuggeries when an attacker siphoned around 17,400 ETH ($62.5 million). Various descriptions of the attack circulated, with blockchain sleuth zachxbt attributing it to a recently hired developer, and crypto developer 0xQuit claiming the theft appeared to have been "planned since deploy".

Some began discussing the possibility that the Blast layer-2 blockchain might forcibly roll back the chain to "undo" the hack. Some have argued this is contra to the crypto ethos or would set a bad precedent, while others have argued that as a blockchain focused more on gaming and experimentation and less on decentralization and other facets of crypto ideology, it would be a reasonable step.

Some hours after the attack, the exploiter was convinced to return the funds.

Curio RWA project suffers $16 million exploit

Curio, a crypto project that creates tokens based on "real-world assets" (RWAs) like cars, watches, wine, and other goods, has suffered an attack that saw around $16 million drained from the project's funds.

A bug in the project's Ethereum smart contract enabled an attacker to mint 1 billion of the project's CGT governance token. Although the tokens were notionally priced at around $40 million, the loss to the project was estimated at closer to $16 million.

Curio DAO announced that they intended to compensate users affected by the theft over a year-long period.

Solana memecoin frenzy sparks trend of incredibly racist meme tokens

A screenshot of many Solana tokens on DEXScreener, including:
JEWS "Jews did 911"
卐 "NAZI"
N*** TRUMP "N*** Trump"
N***OLAS "N***OLAS CAGE"
COVID "chinadidcovid"
N***Butt "N*** Butt Token"
APERAH "aperah wenfree"
BDN "Big Dick N***"
CHIGGA "Chinese N***"
HITLER "I was right"
BOJE "Book of J***ers"
WODNDOR "AuschwitzWoodenDoor"
LIBTARD "Go Woke Go Broke"
BULLJEW "BULL JEW"
wifcancer "kate wif cancer"
N*** TRUMP "N*** TRUMP 2024"
GayPedo "Gays Are Pedos"
J*** "J*** Buice"
[Image caption: Racist Solana tokens on DEXScreener]
Solana memecoin trading has been booming lately, with people making money by speculating on tokens themed around various memes and jokes. Alongside the explosion in trading of innocuously named meme tokens like dogwifhat, there has also been a rise in blatantly racist tokens, named after racial slurs, featuring racist caricatures, or named after antisemitic conspiracy theories.

The tokens became so popular that projects showing newly-released tokens, like DEXScreener, became full of such tokens. DEXScreener released a statement on Twitter to say that "We'll be reviewing our token profile moderation policy in the coming days. We won't be the gatekeepers of what happens on-chain, but we're definitely not here to spread hate." The replies to the tweet were, predictably, full of people accusing DEXScreener of "censorship" and "going woke".

Previously rug-pulled Lucky Star Currency project somehow rugs again

The astrology-based Lucky Star Currency project rug-pulled for $1.1 million in October 2023. You'd think that might be the end of it, but on March 22, 2024, ownership of the project was transferred to a malicious smart contract that then drained tokens priced at almost $300,000 from those who still held them.

You almost have to admire the tenacity.

TICKER project developer steals $900,000

Tweet by MIDA (@brgMIDA): "im not sorry for any of you, tbh
you are all morons if you believe all it needs to make it here is to send your money to a custodial address and get rich, you were expecting to receive 10,100,1000x money for that donation or wtf, "they dont tell us it gonna 1000x when they are down the streets tho", cuz you would have otherwise mfer? go touch grass anon, and apply donating from hands to hands to people in needs in your closest physical community and turn the world a better place instead, i love you
social contracts do not have a place on the blockchain anons, i don't know why it is not much more evident for all of you"
[Image caption: Tweet by TICKER thief]
A developer brought on to run a presale for the $TICKER token stole $900,000 from the project. 15% of the token supply was sent to the developer to distribute via an airdrop, but instead of doing so, the developer sold the majority of the tokens for around $900,000.

After the thief was identified by blockchain sleuth zachxbt, they posted a long message on Twitter, writing, "im not sorry for any of you, tbh. you are all morons if you believe all it needs to make it here is to send your money to a custodial address and get rich". The thief later spent some of the money on Milady NFTs and memecoins.

zachxbt stated that he had identified the developer, including his full name, location, and other details. He encouraged those who were scammed to contact him if they were interested in pursuing legal action.
