Trip.com accused of "rug pull" as it shuts down its Trekki NFTs

[Image: An illustration of a bright blue cartoon dolphin, wearing a safari hat and vest, holding a camera. Caption: Trekki NFT]

Travel company Trip.com has some perturbed crypto holders on its hands, after shutting down the "Trekki" NFT project it launched in June 2023. The company's dolphin-themed NFTs had come with a roadmap that promised eventual staking features, "travel to grow" and "travel to earn" mechanisms, and other developments, which have been cancelled. However, Trip.com promised that its discount coupon functionality would remain.

"Can't believe @Trip a multibillion company is also a rugged project," wrote one person in response to the shutdown announcement.

Blockchain developer loses over $48,000 after posting private key to Github

A blockchain developer posted on Twitter that he had lost almost $50,000 after his cryptocurrency wallet was drained. He explained that he had been working on a software project on Github in a private repository that contained his wallet's private key. In order to apply for a funding grant from the Optimism project, he had to make the repository public. However, he forgot that the secret key was in the repository.

Generally, it is very bad practice to store sensitive secrets in Github, even when projects are set to private.

"Got drained of everything," he wrote on Twitter. A commenter asked how long it took for the attacker to steal the money after the private key became publicly visible. "2 min", he replied.
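A check that could be run before changing a repository's visibility, as an added example that is not part of the original entry: it scans the full patch history rather than only the current files, because a key deleted in a later commit is still published along with the history. The function name, the hint keywords and the sample log are assumptions constructed for illustration.

```python
import re

# Order of the secp256k1 group: a usable Ethereum private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HEX_256 = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")
# Heuristic (assumption): a 256-bit hex string looks like a SHA-256 digest too,
# so only report it when the line or file path suggests key material.
KEY_HINT = re.compile(r"private|secret|priv_?key|wallet", re.I)

def scan_git_log(patch_text):
    """Scan `git log -p --all` output and return (commit, path) for every
    added line that contains a plausible private key, in any commit."""
    findings = []
    commit = path = None
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
        elif line.startswith("+"):
            hinted = KEY_HINT.search(line) or KEY_HINT.search(path or "")
            for m in HEX_256.finditer(line):
                if hinted and 0 < int(m.group(1), 16) < SECP256K1_N:
                    findings.append((commit, path))  # never echo the key itself
    return findings

# Constructed sample: the key is added in the first commit and deleted in the
# second, so the current files look clean while the history still holds it.
FAKE_KEY = "0123456789abcdef" * 4   # constructed value, not a real key
SAMPLE_LOG = (
    "commit 2222222\n    remove key from config\n\n"
    "diff --git a/.env b/.env\n--- a/.env\n+++ b/.env\n@@ -1,2 +1 @@\n"
    f"-PRIVATE_KEY=0x{FAKE_KEY}\n RPC_URL=https://rpc.example.invalid\n"
    "commit 1111111\n    initial commit\n\n"
    "diff --git a/.env b/.env\n--- /dev/null\n+++ b/.env\n@@ -0,0 +1,2 @@\n"
    f"+PRIVATE_KEY=0x{FAKE_KEY}\n+RPC_URL=https://rpc.example.invalid\n"
    "diff --git a/SHA256SUMS b/SHA256SUMS\n--- /dev/null\n+++ b/SHA256SUMS\n"
    "@@ -0,0 +1 @@\n+" + "ab" * 32 + "  release.tar.gz\n"
)

if __name__ == "__main__":
    for commit, path in scan_git_log(SAMPLE_LOG):
        print(f"possible private key added in commit {commit}: {path}")
```

On a real repository the input would be the output of `git log -p --all`. Any hit means the key has to be replaced and the funds moved before publishing, since rewriting history does not help once a copy has been exposed.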

tea.xyz causes open source software spam problems, again

The tea.xyz protocol first earned an entry on Web3 is Going Just Great in late February, when their plan to reward open source software contributors resulted in crypto enthusiasts with no intention of participating in OSS opening endless pull requests to claim ownership of prominent OSS projects. This spam was disruptive to said projects, whose (usually volunteer) maintainers had to figure out what was going on and then try to stop the spammy PRs.

Max Howell, the creator of tea.xyz (and creator of Homebrew, though he's no longer involved), seemed apologetic, and promised to make changes to the protocol to stop this spammy behavior.

Now, deprived of that avenue, people are just creating massive waves of empty software packages, with nothing other than a "teafile" with their crypto wallet address for rewards, and submitting them to package managers like NPM and RubyGems.

This spam prompted a blog post from RubyGems, who wrote that they had to devote time to strengthening limits on package publishing and "ensuring [accounts] didn't disrupt the community further."

Security researchers at Phylum also wrote up the protocol's impact on the JavaScript world, which has seen up to 7x as many packages published on NPM as the previous daily averages. "Automated sustained spamming of this volume for months on end is rare and does nothing but cause heavy strain on the ecosystem itself, degrading the performance of the ecosystem for genuine users and straining open source security researchers," they wrote.

Kickstarter's bizarre "pivot to blockchain" spurred by secret $100 million Andreessen Horowitz investment

Web3: a technology so promising you can't even pay a company $100 million to use it.

Crowdfunding website Kickstarter surprised and dismayed many of its users in December 2021 when they announced they would be moving the product to the blockchain for... reasons. That blockchain would just so happen to be the relatively unknown Andreessen Horowitz-backed Celo blockchain. "How this will actually work, beyond Kickstarter being able to yell 'blockchain' like a spell to summon investors ... is unclear," wrote Tom McKay at Gizmodo.

He probably didn't realize how right he was, but now it's been revealed that Kickstarter was able to land a $100 million investment from Andreessen Horowitz with handwavy proclamations about the blockchain that its own COO didn't seem to quite understand.

The company seems to have since given up on its blockchain ambitions — in no small part thanks to user revolt. It seems that $100 million windfall didn't include any terms actually requiring Kickstarter to follow through.

tea.xyz causes a flood of spam pull requests to open source projects

This crypto skeptic I've heard of once said "Show me the incentive and I will show you the outcome."

A project called tea.xyz promised people they could "get rewards for [their] open-source contributions", complete with a flashy website describing how it would "enhance the sustainability of open-source software".

So far, it's achieved the exact opposite. Promising to reward open source contributors with crypto tokens, the project asked users to verify their access to open source projects by merging in a YAML file containing their crypto wallet address. This kicked off a flood of pull requests to prominent, often non-crypto-related open source projects by people who had never contributed to the project (or, often, any open source project), but who wished to merge in a file describing them as a "code owner".

Particularly impacted by this project was the open source blogging platform Ghost, which was used as an example in the demo video released by tea.xyz, and which received several PRs of this kind. A somewhat flummoxed maintainer of the repository replied to one PR: "[I]n practice the TEA project is not helping to support the Ghost project, but is instead causing a rush of self-serving PRs to be submitted to cash-in on other people's work. ... This why people hate on crypto." A maintainer of another unrelated open source project called "ghost" also reported receiving an influx of spam PRs.

This is not the first time crypto has generated massive Github spam, although another recent incident was (blessedly) mostly limited to open-source crypto projects and didn't waste the time of non-crypto-related projects as this one has.

Airdrop hunters spam Github projects

[Image: A Github issue titled "github" with the text "i'm a scroll contributor". Caption: Airdrop farming Github issue]

After projects like Celestia and Starknet distributed airdrops of crypto tokens to people who had contributed to their open source Github repositories, airdrop hunters have begun spamming other projects in hope that they might one day receive tokens for their "contributions". In the recent Starknet airdrop, one individual received 1,800 STRK (~$3,200 at current estimates, though the token isn't actively trading yet) for an unmerged pull request fixing a typo in project documentation, so the hope that relatively trivial contributions could result in a windfall isn't completely unjustified.

Several repositories for crypto projects that have not launched tokens were inundated with hundreds of trivial Github issues apparently written in the hopes that in the event of an airdrop, they would be considered contributions.

"Please don't submit a GitHub issue just for farming purposes," wrote one employee of a crypto project receiving such spammy contributions. "The [project] core team is stretched thin enough as it is, please don't make our lives harder." Several projects had to limit who was allowed to open new issues in their repositories to try to tackle the spam.

Dwight Howard's NFT project flops

[Image: An illustration of Dwight Howard in 3/4 profile, wearing shades with "Ballers" across the front in LEDs, and a tank top with the Avalanche logo pinned on a strap. Caption: Ballers NFT project artwork]

NBA star Dwight Howard is clearly at least a year (probably two) late to the time when celebrities and star athletes could drop some low-effort NFTs and sell out the whole batch immediately. After announcing his "Ballers" project on January 20, offering 3,000 NFTs for a mint price of 2 AVAX (~$60) apiece, he only managed to sell about 300 of them within a day or so.

After the dismal launch, Howard tried a few somewhat desperate-seeming moves to try to attract interest in the project: promising to send free crypto to some holders, redoing all the art after criticism of its quality, and slashing the NFT supply to 1,500. Despite all that, only 465 NFTs have sold (15% of the original supply, netting Howard 930 AVAX — around $28,400).

The flop was so bad that a member of the team behind the Avalanche blockchain put out a tweet distancing themselves from the project, stating that they didn't even know about the project until he announced it. "Gone are the days that individuals/Brands with large followings can just drop IP related NFTs out of nowhere and expect it to do well," they wrote, seemingly criticizing Howard's approach by writing that NFT creators must "mak[e] sure to do it in an organic way with proper intentions."

Blockchain chess platform Immortal Game ditches token after "heavy cheating"

After raising $12 million from crypto-focused venture funds, the Immortal Game blockchain chess platform has announced that they would be nixing most of the blockchain part by shutting down support for their "Checkmate" token and stopping development on play-to-earn and NFT projects. Although they began as a blockchain chess company, they seem to be pivoting to just being a chess company.

"We found that by offering large amounts of cash with no limit barrier to entry, we encouraged heavy cheating on the platform and degraded the user experience for our legitimate player base who want a fair and safe place to play chess online," they wrote. Who could have guessed.

Somewhat ironically, they suggested that they may still intend to look into using web3 technology for "anti-cheat measures".

Grifter-in-chief Donald Trump hawks mugshot NFTs

[Image: Trading card style illustration featuring the Trump mugshot, with an arrow showing that a scrap of the suit will come with some of the purchases. Caption: Promotional image for the Trump NFTs]

The collapse of the NFT bubble hasn't stopped Donald Trump from trying to cash out. Following in the footsteps of his wife, who timed things much better as far as interest in NFTs goes, the former president launched his first NFT collection in December 2022. He was later accused of using stolen artwork in the collection.

Now, Trump is hawking a new set of $99 NFTs, featuring the August 2023 mugshot taken in connection to his ongoing racketeering lawsuit. Those who purchase 47 of the NFTs — amounting to $4,653 plus fees — are promised a scrap of the suit Trump wore in the mugshot and a dinner with the president-turned-fulltime criminal defendant.

The fine print, however, reserves the possibility that neither promise will come through.

Goldfinch lending platform facing $7 million loss

Goldfinch is a decentralized lending platform aiming to provide undercollateralized loans, an unusual strategy in the crypto world where loans are typically overcollateralized due to the difficulty in evaluating the trustworthiness of borrowers and in preventing them from just taking off with the loan funds.

They may now be discovering this was a bad idea, as an impending default on a $20 million loan from February 2022 threatens the platform with a possible $7 million loss.

The loan went to a fintech credit fund called Stratos, who in turn used the money for a risky real estate technology investment (now written down to zero), crypto investments of their own (not disclosed to Goldfinch, and sold at a "near full loss"), and other investments. Stratos is, awkwardly, an investor in Goldfinch, and Stratos' founder was an advisor.

This is not the first loan gone bad for Goldfinch, who suffered a loss when an African motorcycle taxi financing company used a $5 million loan to try to plug the hole in the finances of a sister company.

A commenter on the disclosure about the distressed loan wrote, "This is the second occurrence of a lack of transparency from a borrower or a lack of auditing capability from Goldfinch. We can all appreciate that Warbler Labs will backstop the loss, but it is increasingly worrying to discover a complete lack of control from the loan underwriter, especially in the context of Stratos being an equity investor in Goldfinch."
