Web3 is Going Just Great

...and is definitely not an enormous grift that's pouring lighter fluid on our already smoldering planet.

Created by Molly White. Subscribe to her newsletter for weekly recaps.

Venus Protocol accumulates $2.15 million in bad debt after exploit

The BNB Chain's Venus Protocol lending protocol accumulated $2.15 million in bad debt after an exploiter manipulated the price of the Thena protocol's THE token. THE had very low liquidity, and the exploiter took advantage of it to manipulate the THE price oracle by borrowing against THE, using the borrowed funds to buy more THE, and repeating — causing the price oracle to reflect higher and higher prices. The attacker was able to avoid a supply cap on Venus by "donating" the funds rather than depositing them in the standard way.

While the exploit left the Venus Protocol with over $2 million in bad debt, it's not clear if the attacker even made money from the exploit. The exploiter's position was ultimately liquidated, collapsing the increase in THE price. However, it's possible the exploiter took advantage of the price discrepancy elsewhere to profit.

The Venus Protocol has had a number of issues in the past — notably in June 2023, when the team developing the BNB Chain had to intervene when the a thief borrowed $150 million on Venus against stolen tokens and then faced liquidation.

Theme tags: Hack or scam
Blockchain tags: Blockchain: BNB Chain
Tech tags: DeFi, lending

Trader loses almost $50 million in Aave swap gone wrong

A trader using the Aave interface attempted to swap $50 million USDT for AAVE. However, due to the enormous size of the order, the purchase had dramatic impact on the aave price. The Aave interface warned the customer about the price impact, and the trader clicked a checkbox to accept the order terms. Ultimately, they received only 324 AAVE (~$37,600) in return for their $50 million, losing 99.9% of their assets in the process.

The Aave founder offered to refund the user the $600,000 in fees collected from the transaction, and acknowledged "there are additional guardrails the industry can build to better protect users".

Theme tags: Bummer
Tech tags: DeFi

$26.9 million erroneously liquidated on Aave after Chaos Labs oracle bug

Users of the Aave defi lending protocol who had borrowed from the wstETH/stETH pool suffered erroneous liquidations when a price oracle from Chaos Labs reported an inaccurately low price ratio between the two assets. The oracle bug caused some loans to report that they were below the required "health factor" (the ratio between the assets loaned and the amount of collateral provided by the borrower), triggering forcible liquidations across the platform amounting to $26.9 million.

Chaos Labs, presumably embarrassed to have lived up to its name, promised to reimburse users whose positions were improperly liquidated.

Theme tags: Bug
Tech tags: DeFi, lending

Thief pilfers NFTs priced at $230,000 from Gondi

A thief exploited a smart contract belonging to the Gondi NFT platform to steal 78 NFTs priced at $230,000. Perhaps the most shocking part of the theft is that the attacker managed to find NFTs still holding any value at all. Around half of the stolen NFTs were taken from a single wallet.

According to Gondi, the exploiter took advantage of functionality that allowed users to sell their NFTs to automatically repay loans.

Gondi has said it has reimbursed customers by buying them "comparable items" from the same collections as their stolen NFTs, although it seems questionable that this will satisfy customers who purchased products whose whole selling point is that they aren't interchangeable.

Theme tags: Hack or scam
Tech tags: NFT

Solv Protocol exploited for $2.7 million

The Solv Protocol bitcoin defi lending and staking platform disclosed an exploit that they said affected fewer than ten users, but nevertheless netted the attacker 38 SolvBTC (a wrapped bitcoin token priced at $2.7 million). Although Solv has not disclosed specifics of the attack, some researchers have suggested it was a bug in the protocol's burn and mint functionality.
Theme tags: Hack or scam
Blockchain tags: Blockchain: Bitcoin
Tech tags: DeFi

Returned crypto stolen again from Korean authorities

After a thief drained a crypto wallet of 4 million PRTG (notionally priced at $4.9 million, but highly illiquid) after blundering Korean tax officials posted the wallet's seed phrase to social media in a photo among other seized items, the thief returned the assets. However, the tokens were quickly stolen again by a second thief, as they'd been returned to the same vulnerable wallet. The first thief turned themselves in and was arrested by Korean law enforcement shortly after taking the funds; the second thief has not been identified.
Theme tags: Hack or scam, Law