Elixir has announced that they plan to allow deUSD holders to redeem their tokens for USDC through a process that will also eliminate the risk of Stream Finance cashing out their deUSD without repaying their loan. According to Elixir, "Stream comprised of 99%+ of the lending positions (and has decided to not repay or close positions)".
Elixir shuts down deUSD after Stream Finance halt
After the defi yield platform Stream Finance announced a $93 million loss, Elixir announced it would be discontinuing its deUSD synthetic stablecoin. Stream Finance owes $68 million to Elixir, and holds around $75 million deUSD.
Paxos accidentally mints more than twice the global GDP in PayPal stablecoins
Paxos, the issuer of PayPal's PYUSD stablecoin, accidentally minted 300 trillion of the supposedly dollar-pegged token. For context, this is approximately 2.5x the global GDP, and around 125x the total number of US dollars actually in circulation.
Paxos later announced that the mint was an "internal technical error", and that they had burned the excess tokens.
While PayPal promises its customers that "Reserves are held 100% in US dollar deposits, US treasuries and cash equivalents – meaning that customer funds are available for 1:1 redemption with Paxos," there clearly isn't much in the way of safeguards to ensure that is always the case. As with most stablecoin issuers, Paxos merely issues self-reported and unreviewed portfolio reports, and monthly third-party attestations (not audits) of reserves.
Yala stablecoin depegs after $7.6 million theft
The YU bitcoin-backed stablecoin lost its intended dollar peg after what they described as "an attempted attack", later writing that there was an "unauthorized transfer of funds". Although they initially wrote that "All funds are safe", they later stated that they "identified the stolen assets on-chain and are actively working with law enforcement to pursue recovery." Research firm Lookonchain observed a large mint of the YU token that may have been related — if so, the attacker successfully stole at least 1,501 ETH ($6.75 million), and holds a substantial quantity of YU they still haven't sold.
Despite the project's attempted reassurances, the YU stablecoin lost its $1 peg, plummeting as low as around $0.20. As of writing, about a day later, the stablecoin is still well below its peg, at around $0.94.
Resupply stablecoin lender exploited for $9.3 million
An attacker was able to exploit a vulnerability in a smart contract used by the Resupply stablecoin lender to extract about $9.3 million from the project. After depositing around $200,000, they were able to inflate the price of another token and borrow almost $10 million.
Resupply announced the theft shortly afterwards, and stated that they had paused the vulnerable contract.
Resupply is a fairly new project, having officially launched on March 20 — about three months before the exploit.
FDUSD depegs
The stablecoin issued by First Digital, FDUSD, has lost its $1 peg and sunk as low as $0.76 before returning to around $0.97 — which, in stablecoin world, is still a substantial de-peg. The drop followed concerns about First Digital's reserves amid reports that some of the assets used to back the stablecoin were trapped in investments that couldn't be liquidated.
The rumor has been amplified by Tron founder Justin Sun, who tweeted: "First Digital Trust (FDT) is effectively insolvent and unable to fulfill client fund redemptions. I strongly recommend that users take immediate action to secure their assets." First Digital responded by insisting they were solvent, and denounced Sun's comments as "a typical Justin Sun smear campaign to try to attack a competitor to his business".
Almost $50 million stolen from Infini "stablecoin neobank"
Around $49.5 million in the USDC stablecoin was stolen from the Infini crypto-focused "stablecoin neobank", a fintech company that promises "financial freedom" by "democratizing banking" and "redefining the future of digital finance".
Infini experienced a different form of "financial freedom" when attackers liberated almost $50 million from the company after a thief with access to a wallet with admin rights drained tokens, then swapped them for the DAI stablecoin, which unlike USDC cannot be frozen by its issuer.
The attack came only a day after a celebratory tweet from the company in which it had announced that they had achieved $50 million in total value locked, suggesting that the theft affected substantially all of the assets on the platform. Despite this, they have claimed that transactions on the platform are unaffected, and when someone asked how that was possible, they simply replied: "We've got solid runway to operate. No worries."
Infini attempted to contact the thief via on-chain message, threatening that they had "gathered critical IP and device information" about them, and asking them to return 80% of the funds in exchange for a promise that Infini "will cease further tracking or analysis, and you will not face accountability". However, Infini's 48-hour deadline has come and gone without any reply.
- "0xInfini Incident Analysis", CertiK
- Tweet by Infini [archive]
- Messages from Infini to the exploiter
Crypto scam money launderers charged for laundering more than $73 million through Deltec
Two people were charged in California for laundering money obtained from cryptocurrency and fiat "pig butchering" scams. After receiving the money from the investment scammers, the launderers then allegedly helped to obfuscate at least $73 million in transactions by moving the money through Deltec Bank in The Bahamas and converting it into the Tether stablecoin.
Deltec is a well-known bank in the cryptocurrency world, mostly for its ties to Tether and to FTX. In July 2023, US authorities seized tens of millions from Deltec accounts in connection to a cryptocurrency money laundering investigation. It's not clear if that was the same investigation.
Someone accidentally burns $1.36 million Tether
Someone accidentally threw away $1.36 million when they accidentally sent Tethers to the Tether contract address — making them permanently inaccessible in a process known as "burning". This is a rather common phenomenon in crypto, where it's easy to accidentally copy/paste the wrong address.
Most experienced crypto users have adopted the habit of sending small test transactions before transferring large amounts of tokens, to first check that they're using the correct address. Oddly, this person did so in this case, but then went right ahead and transferred the remaining tokens to the erroneous address.
The person may have lucked out that they were using a centralized stablecoin like Tether, whose operators hold a substantial amount of control over freezing, destroying, and creating new Tethers — and could feasibly replace the burned tokens.
Abracadabra exploited for almost $6.5 million, Magic Internet Money stablecoin depegs
Well that sure is a headline I just had to write.
The Magic Internet Money ($MIM) stablecoin has lost its dollar peg again, dipping all the way below $0.77 in a flash crash before returning to around $0.95.
The depeg appears to be related to an exploit of the Abracadabra lending protocol, which allows people to borrow $MIM. An attacker exploited an apparent flaw in the platform's smart contracts to drain around $6.5 million.
This is the second time the token has depegged, after a June 2022 incident shortly after the Terra collapse.
TrueUSD loses peg (again) as traders sell due to fears over its stability
TrueUSD, a stablecoin connected to Justin Sun, deviated from its intended $1 peg to around $0.983 as traders sold off more than $100 million of the token seeking safer options. The fears seemed to be sparked by the rapidfire and massive hacks of the Justin Sun-connected HTX (hacked for $115 million) and Poloniex (hacked for $120 million) in November.
Adding to those is the fact that TrueUSD recently paused its real-time reserves attestations, due to systems reporting liabilities that exceeded assets, though TrueUSD (obviously) claimed this was just an error.