Prysm consensus client bug causes Ethereum validators to lose over $1 million
Ethereum validators running the Prysm consensus client lost around 382 ETH ($1.18 million) after a bug resulted in delays that caused validators to miss blocks and attestations. Though the bug had been introduced around a month prior, it did not affect validators until Ethereum completed its "Fusaka" network update on December 3. Around 19% of Ethereum validators use the Prysm consensus client, which is developed by Offchain Labs.
- "Fusaka Mainnet Prysm Incident", Prysm
- Client Distribution, Clientdiversity.org
Cardano founder calls the FBI on a user who says his AI mistake caused a chainsplit
On November 21, the Cardano blockchain suffered a major chainsplit after someone created a transaction that exploited an old bug in Cardano node software, causing the chain to split. The person who submitted the transaction fessed up on Twitter, writing, "It started off as a 'let's see if I can reproduce the bad transaction' personal challenge and then I was dumb enough to rely on AI's instructions on how to block all traffic in/out of my Linux server without properly testing it on testnet first, and then watched in horror as the last block time on explorers froze."
Charles Hoskinson, the founder of Cardano, responded with a tweet boasting about how quickly the chain recovered from the catastrophic split, then accused the person of acting maliciously. "It was absolutely personal", Hoskinson wrote, adding that the person's public version of events was merely him "trying to walk it back because he knows the FBI is already involved". Hoskinson added, "There was a premeditated attack from a disgruntled [single pool operator] who spent months in the Fake Fred discord actively looking at ways to harm the brand and reputation of IOG. He targeted my personal pool and it resulted in disruption of the entire cardano network."
Hoskinson's decision to involve the FBI horrified some onlookers, including one other engineer at the company who publicly quit after the incident. They wrote, "I've fucked up pen testing in a major way once. I've seen my colleagues do the same. I didn't realize there was a risk of getting raided by the authorities because of that + saying mean things on the Internet."
Paxos accidentally mints more than twice the global GDP in PayPal stablecoins
Paxos, the issuer of PayPal's PYUSD stablecoin, accidentally minted 300 trillion of the supposedly dollar-pegged token. For context, this is approximately 2.5x the global GDP, and around 125x the total number of US dollars actually in circulation.
Paxos later announced that the mint was an "internal technical error", and that they had burned the excess tokens.
While PayPal promises its customers that "Reserves are held 100% in US dollar deposits, US treasuries and cash equivalents – meaning that customer funds are available for 1:1 redemption with Paxos," there clearly isn't much in the way of safeguards to ensure that is always the case. As with most stablecoin issuers, Paxos merely issues self-reported and unreviewed portfolio reports, and monthly third-party attestations (not audits) of reserves.
Kinto token crashes; community claims rug pull, Kinto claims hack
The price of Kinto's $K token suddenly crashed 90%, sparking accusations of a rug pull. A tranche of investor tokens had just been unlocked recently, leading some to speculate that investors dumped their tokens on retail buyers.
However, Kinto blamed the token crash on the exploit that was recently disclosed by VennBuild, claiming on Twitter that "we got hacked by a state actor". Venn seemed to corroborate Kinto's explanation that the crash was related to the exploit, tweeting that although they had tried to warn all vulnerable projects before publicly disclosing the bug, "Sadly the Kinto token was not found despite being vulnerable, and exploited without time to mitigate."
Kinto has announced a plan to try to fundraise to cover a $1.4 million loss in liquidity, then create a new $K token based on a snapshot of previous token holdings.
Security researchers disclose exploit that put over $10 million across multiple protocols at risk
On July 9, security researchers at VennBuild and other firms disclosed a "critical backdoor" affecting thousands of smart contracts, which one of the researchers said left "over $10,000,000 at risk for months". The researchers suggested that the backdoor was likely created by Lazarus, a North Korean state-sponsored hacking group.
According to the researchers, they found thousands of contracts affected by the exploit, and worked with multiple protocols to upgrade contracts or withdraw vulnerable funds. The researchers theorized that the attackers were "likely a sophisticated group waiting for a bigger target, not small wins."
Term Finance loses $1.65 million due to misconfiguration, recovers $1 million
The Ethereum-based lending project Term Finance lost $1.6 million when an oracle misconfiguration resulted in unintended liquidations. The team later announced that they had "successfully negotiated [the] return" of 333 ETH (~$600,000) that had been lost, and that another roughly 223 ETH (~$400,000) had been "captured internally", leaving the final loss at around 362 ETH (~$650,000).
Abracadabra loses $13 million in "Magic Internet Money"
An attacker using a flash loan attack stole $13 million in the Magic Internet Money token from the Abracadabra project. The attack was enabled by a bug in the platform's smart contracts, and the hacker ultimately made off with around 6,262 ETH.
This is the second time Abracadabra has been exploited, after suffering a $6.5 million theft in January 2024.
1inch loses $5 million to smart contract bug
An attacker exploited a smart contract belonging to the 1inch DEX aggregator, stealing $5 million in the USDC stablecoin and wETH. According to the platform, the vulnerability existed in "smart contracts using the obsolete Fusion v1 implementation", and the stolen funds belonged to resolvers (that is, entities that fulfill 1inch orders) rather than users.
UniLend exploited for almost $200,000
The UniLend project, which advertises itself as a "unified platform for all things AI and defi", was exploited for almost $200,000. An attacker was able to take advantage of a bug in a smart contract that handled token redemption.
UniLend acknowledged the hack, downplaying it as affecting "only" 4% of the platform's $4.7 million TVL. They offered a bounty to the attacker.
Alpaca Finance proposes $50,000 restitution for $2.8 million in losses
Users of the Alpaca Finance lending protocol suffered losses when the protocol's sloppy oracle implementation finally resulted in consequences. Although many had warned the project about their glacial oracle setup, and the vulnerabilities they were opening themselves up to, the project repeatedly denied any issues and even banned those voicing concerns.
Then, when a new token called THENA was listed on Binance and experienced major volatility as trading opened, Alpaca's issues came to a head. As the token price surged, the slow oracle failed to reflect price changes, allowing people to withdraw far more THENA than they had posted as collateral. THENA lenders have lost an estimated $2.8 million.
On December 10, Alpaca Finance proposed distributing $50,000 "saved" by their liquidation bot to the lenders who had lost funds. Alpaca Finance also banned users complaining about their losses in the project Discord, dismissing them as a "group bot/FUD attack".