Software is inherently unforgiving. Stupid mistakes render stupid consequences. Recently, this led to one of the largest thefts in a DeFi protocol.
Wormhole, a bridge connecting Ethereum, Solana, and other DeFi blockchains, was hit by a hacker, who stole $326 million in cryptocurrency.
An exploit in the code allowed the attacker to mint 120,000 wETH (wrapped ether) on the Solana blockchain out of thin air. The hacker then exchanged 93,750 wETH for ETH on Ethereum and the rest for SOL, the native token of Solana, and USDC. (Elliptic, Cointelegraph)
Cross-chain bridges allow you to stake crypto (generally, ETH) so you can spend it like the native crypto on another blockchain. In the case of Wormhole, wrapped ETH, an ERC-20 token that represents ETH one-to-one, serves as a sort of I.O.U. The hack resulted in Wormhole sitting on lots of unbacked wETH.
Wormhole developers offered the hacker a $10 million bug bounty for the return of the funds. Why the hacker would want to relinquish $326 million for $10 million, I’m not sure.
Security researcher Sam Sun explained how the thief carried out the heist: “Wormhole didn’t properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum.” (Twitter)
How did the hacker even know about this vulnerability? According to DedmundFitzgrld: “The fix was pushed to GitHub a couple weeks ago but not deployed. So the attacker found the exploit by scanning the commits to GitHub. The vulnerability was out there for all to see.” (Twitter)
Jump, a high-frequency trading group with crypto ambitions, stepped in to save the day. The Chicago-based firm somehow came up with the funds to replace all of the 120,000 ETH. Apparently, it had a spare $326 million sitting around? (Twitter, Fortune)
What do we know about Jump? Last August, it bought Certus One, which helped develop the Wormhole bridge. Jump also executes some crypto orders for Robinhood.
Jump holds a heavy bag of Solana tokens. It can’t risk a lack of confidence in the market, so it likely borrowed a pile of ETH to fix the problem. Who did it borrow the funds from? One guess: Tether, which last year issued the firm $1.1 billion in USDT, according to one analysis.
Qubit also hacked
Days before Wormhole was hacked, Qubit Finance was breached for $80 million in crypto. Similar to Wormhole, Qubit operates a bridge between Ethereum and the Binance Smart Chain network.
In this case, the hacker was able to exploit a security flaw in Qubit’s smart contract code that let them send in a deposit of 0 ETH and withdraw almost $80 million in Binance Coin in return. (Verge)
Qubit has been trying to convince the bank robbers to return the money. They started by offering a bounty of $250,000, and eventually upped it to $2 million — still, a piddling amount compared to what the hackers stole.
Now, they are resorting to threats:
“If you don’t come forward to claim the generous bounty and return the funds, you will face lasting consequences that vastly outweigh the benefits of holding onto funds that you can’t readily access,” Qubit said in a tweet.
Bored Ape founders revealed
Buzzfeed just identified the two main founders of BAYC — Greg Solano, a 32-year-old writer and editor, and Wylie Aronow, a 35-year-old originally from Florida. The pair don’t have any dark pasts, as far as anyone knows. (Buzzfeed)
“These 2 amazing partners of mine,” Guy Oseary tweeted with a pic of them at Apefest. Oseary is the music industry veteran who represents them. He also represents NFT project World of Women. And he is a buddy of Jimmy Fallon, so that explains a few things.
Oseary says the founders were “doxxed against their will,” which is a bizarre statement given you are talking about the founders of a multi-billion-dollar enterprise.
As Buzzfeed puts it: “This reveals a unique problem with the idea of a billion-dollar company run by an unknown person: How do you hold them accountable if you don’t know who they are?”
A16z mulls buying a chunk of BAYC
Yuga Labs, the startup behind Bored Ape Yacht Club, is in talks with Andreessen Horowitz (a16z), which is considering buying a major stake in the startup at a valuation of $5 billion. (FT)
I’m losing count of all of the NFT projects a16z is funneling money into — over a dozen, for sure. The VC firm is a major force behind the frothy NFT market.
Celebrities are shilling Bored Apes left and right, to the point where it is downright nauseating, and rumor has it the Bored Apes will make an appearance in the Super Bowl halftime show on Feb. 13.
The problem with investing in high-value NFTs is they are not easy to dump on retail. You have to find that special buyer with loads of disposable ETH. Fungible tokens, on the other hand, are much more liquid — especially if you can get them listed on Coinbase.
This is why DAOs (with their ERC-20 governance tokens) and fractionalized NFTs are becoming the thing. It’s like the 2017 initial coin offering craze all over again. Only now we’re talking about Web3 and “democratizing” companies and JPEGs.
Sometime soon, expect Yuga Labs to issue an ERC-20 token with a huge pre-mine for investors. The token will likely represent its NFTs in some way or else give holders special access to future Yuga Labs NFTs — something like that. Bored Apes have been heavily pumped, so at this point, it’s just a matter of creating a fungible token to lure in suckers at a much greater scale. At the end of the day, it is all about creating the illusion of exclusivity or having access to something special.
Yuga Labs has talked about issuing ERC-20 tokens in the past, saying the plan was to work with law firm Fenwick and West and Horizon Labs — issuers of the ZEN token, which is already listed on Coinbase. So this is nothing new. It’s been in the works all along.
What a tangled Web we weave
We’ve been wondering a lot about why celebs are hyping Bored Apes. Who is talking them into this? What’s the deal?
Max Read did the smart thing — he followed the money trail, and mapped out the celebrity NFT complex. Jimmy Fallon (who was shilling his Bored Ape on national TV) is represented by talent and sports agency Creative Artists Agency. Lo and behold, CAA is an investor in OpenSea and recently signed a deal to represent the NFT collector 0xb1, who owns NFTs from Bored Ape Yacht Club and World of Women. There’s more. Lots more. Take a look at the map. (Substack)
Last week Justin Bieber bought a Bored Ape NFT for $1.3 million (500 ETH), as one of several purchases he made on OpenSea within a short period. As Dirty Bubble Media explains, all of the NFTs were gifted. They were bought by the inBetweeners project, a collection of NFTs owned by artist Gianpiero D’Alessandro, who has designed merchandise for Bieber, Snoop Dogg, and others.
Bieber never disclosed any financial relationship between himself and the inBetweeners project. As Dirty Bubble points out, this is a big no-no, according to FTC rules. (Substack)
Gwyneth Paltrow also has a Bored Ape, thanks again to MoonPay Concierge. Every time someone buys a Bored Ape via MoonPay, they seemingly have to announce it on social media. (Twitter)
HitPiece and its shady founder
A new project called HitPiece appeared out of nowhere and started scraping Spotify and “staking” songs as NFTs — without the artists’ permission.
Naturally, artists found out and started hurling obscenities at the project via social media.
“Yo a bunch of industrial scene acts (including me) have NFTs for sale on the site hitpiece.com I did not put it online and I assume you probably didn’t either, fucked up,” Choke Chain tweeted.
“Each HitPiece NFT is a One of One NFT for each unique song recording. Members build their Hitlist of their favorite songs, get on leaderboards, and receive in real life value such as access and experiences with Artists,” Hitpiece said on its website. (NNE)
The brains — or lack of brains — behind HitPiece turns out to be music industry guy Rory Felton, who has a history of shady dealings. (Twitter thread)
Felton launched HitPiece in December along with music exec and former rapper Michael Berrin (aka “MC Serch”), and venture capitalists Ryan Singer and Blake Modersitzki. (Festival News)
Anyhow, Hitpiece.com has been taken down. If you go to the website, all you get now is a message that says, “We Started The Conversation And We’re Listening,” whatever that means. (archive)
Gamers hate NFTs!
Gamers want nothing to do with NFTs. They see NFTs as a cash grab and forcefully push back on any game company’s efforts to incorporate NFTs in anything.
Clueless to that trend, GameStop has teamed with Immutable X to launch an NFT marketplace. They’re also creating a $100 million fund for grants to build on the platforms. While Gamestonk investors might think this is great, it should thoroughly piss off GameStop customers. (Verge)
Team17, the outfit behind the many Worms games, pulled the plug on its MegaWorms NFT project (they wanted to create NFTs of all the Worms games characters) only 24 hours after announcing the project, due to extreme backlash from customers, fans, and teamsters. (IGN)
Notice the editor’s note on the IGN story: “The subject of NFTs is currently a very controversial topic in the gaming community. IGN urges community members to be respectful when engaging in conversation around this subject and does not endorse harassment of any kind.”
Electronic Arts, another game publisher, is also backtracking from earlier NFT enthusiasm. (Eurogamer)
Other NFT news
Nike sues online sneaker reseller StockX for selling NFTs of Nike shoes. (Reuters)
How did OpenSea take over the NFT trade and become a multibillion-dollar company? (Hint: they got lots of help from a16z.) (Verge)
One of the founders of Larva Labs, the project behind CryptoPunks, sold all of his v1 Punks for 260 ETH. In response, Larva Labs released an official statement saying the v1 Punks are worthless, because the project re-released all the Punks in 2017 to fix a bug.
The NFT community feels differently. They are saying that v1 Punks are the originals! What’s on the blockchain, stays on the blockchain. (NFT evening)
Coachella is selling lifetime festival passes for the first time — but you have to buy an NFT to get one. The music festival launched an NFT marketplace built by FTX US, with three collections of NFTs going on sale on Feb. 4th. (Verge)
This is part of a trend I mentioned before. NFTs are being used to give people special access to clubs, events, restaurants, breweries, and whatnot. Wanna be part of the exclusive group? Buy our NFTs.
Tampa Bay Buccaneers quarterback Tom Brady is retiring after 22 seasons with the NFL. His business ventures, including NFT platform Autograph, will keep him busy moving forward. (Fortune)
Last year, a16z-backed Meta4 Capital created a new fund to invest up to $100 million in NFTs. In a Twitter thread, Meta4 Capital justifies spending money on “historically significant” or “iconic” NFTs, as if any of this means anything. It doesn’t. At the end of the day, an NFT is just a number in a database.
A racist project called “Meta Slave” offered NFTs made from photographs of Black people (all algorithmically-generated). After a swift backlash, the project rebranded to also feature “white, Asian, etc.” NFTs. The project’s Twitter and Instagram accounts have been deactivated. The collection has also been removed from OpenSea where the NFTs were being auctioned. (Vice)
Artist bayneko airdropped NFTs of microscope pictures of SARS-CoV-2 to all 96,186 users of NFT platform Hic et Nunc (HEN) who hold at least one NFT. The NFT description read: “Your wallet has been infected by SARS-CoV-2, the virus responsible for COVID-19… in an act symbolic of the invasive and ubiquitous nature of the virus and its psychological effects.” (Twitter thread)
Elsewhere in cryptoland
Quote of the day: “So much dumb stuff happens in crypto, and if you are a smart intermediary that dumb stuff is your profit margin. Crypto markets are lightly regulated and brutally Darwinian, and every day the smart find exciting new ways to take money from the dumb. The returns to smart are very high.” ~ Matt Levine (Bloomberg)
On that note, another day, another rug pull. Realux promised to democratize real estate at a “very low cost in a very easy way” using a complex system of tokens backed by real estate investments. After collecting everyone’s money, the project shut down and its creators vanished. (Motherboard)
Riot Blockchain, a large crypto miner located just outside of Austin, shut down ahead of a cold blast. Bitcoin miners have been drawn to Texas because of the state’s cheap electricity. They’ve been lobbying Governor Greg Abbott to make things even easier for them. (Bloomberg)
How Facebook’s Diem died. A post mortem. (Washington Post)
Jeremy Allaire’s Circle, the company behind USDC, is running ads in everything. (Twitter)
The IRS is coming for you. Intuit CEO Sasan Goodarzi warned that Americans who invested in crypto or NFTs, and actively traded equities on commission-free websites, could be dumbfounded when they learn how much they owe in taxes because “they were in essence gambling with their money.” (Bloomberg)
In a podcast, Sohale Mortazavi talks about his piece for Jacobin that went viral: “Cryptocurrency Is a Giant Ponzi Scheme.” (Youtube)
The CEO of US-based crypto exchange Cryptsy, Paul Vernon, was indicted on 17 counts, including tax evasion, wire fraud, money laundering, computer fraud, tampering with records, documents, and other objects, and destruction of records in a federal investigation. (IRS)
This has been a long time coming. Cryptsy shut down in 2016, after announcing 13,000 BTC and 30,000 LTC were stolen two years prior. It was later discovered that “Big Vern” stole the money.
According to the indictment: “Between May 2013 through May 2015, Vernon used his control over Cryptsy’s accounts, known as wallets, to steal over one million dollars from Cryptsy’s cryptocurrency wallets. Once Vernon stole his customers’ funds from Cryptsy’s wallets, he deposited the funds into a personal cryptocurrency wallet and then transferred the same funds into his personal bank account.”
Sam Bankman-Fried’s FTX got a $400 billion funding round, valuing the company at $32 billion, as investors, including Softbank and Canada’s Ontario Teachers’ Pension Plan, hog piled into the madness. (I mentioned earlier that the exchange’s US arm also got a $400 million round.) (Bloomberg)
Taylor Monahan’s MyCrypto joined the MetaMask team. ConsenSys acquired MyCrypto for an undisclosed sum and plans to merge MyCrypto with the MetaMask wallet. (Taylor appeared in the QuadrigaCX documentary “Dead Man’s Switch” along with me and David Gerard.) (Coindesk)
On the subject of QuadrigaCX — my review of Jennifer Robertson’s “Bitcoin Widow” was reprinted and is getting lots of attention. (Saltwire)
Stephen Kimber, the Halifax author who helped author “Bitcoin Widow,” was interviewed on CBC radio about the book. He spent 50 hours listening to Robertson, he said. (CBC radio)
Douglas Johnston, a Winnipeg lawyer and writer, also reviewed “Bitcoin Widow.” His review was more critical than others. “This is autobiography, so it’s told in the first person. But Robertson puts herself at the forefront of far too much of the narrative.” (Winnipeg Free Press)
Also on the subject of Quadriga, Michael Patryn, the fraudster who was recently voted off his latest Ponzi scheme Wonderland, has been laundering his crypto. According to his wallet, he has been sending thousands of ETH through mixer Tornado Cash. (Coindesk, Etherscan)
Crypto risks destabilizing emerging markets, says the International Monetary Fund. (FT)
Binance builds a $1 million insurance fund. (Bloomberg)
El Salvador’s Chivo wallet keeps breaking. (The Block)
Silvergate Bank is paying $50 million in cash and 1,221,217 shares to buy Facebook Diem’s “intellectual property.” Silvergate wants to do a stablecoin running on the Diem blockchain. (press release, CNBC)
USDC, the second biggest stablecoin next to Tether, crossed 50 billion in circulation. (Circle)
Meanwhile, Tether is still sitting at 78 billion USDT. No new prints in 2022 yet. (Tether)
Bitcoin has climbed back to $41,500 despite no new Tether prints. (It was down to as low as $34,000 recently.) Retailers who bought BTC for $69,000 in November are still hurting.
Cory Doctorow on the great crypto crash event looming in the future: “If you think Coinbase is looking shaky and take your money out, you’d better hope they last for at least three more months, or you might have to give the money back to the bankruptcy trustees.” (Twitter thread)
Australian billionaire Andrew Forrest launched a criminal case against Facebook, alleging the company failed to prevent scam ads that used his image, and breached Australian AML laws over the spread of crypto fraud. (BBC)
The search for a crypto use case continues. (One Zero)