liquidity providers

Allbridge to first begin repaying stuck bridge users after recouping funds

The compensation process is expected to start next week, starting with users who had funds on the bridge “shortly before the shutdown.”

Users with funds stuck on the multichain token bridge provided by Allbridge are first in line to receive compensation under a recovery plan posted by the project following a recent exploit. 

In an April 5 statement, Allbridge said it has already started a compensation process for users despite only “partly recovering funds” after it was hacked for roughly $573,000 on April 1.

“We will start with the bridge users whose transactions got stuck in pending due to the emergency shutdown,” Allbridge said, adding it will then compensate its liquidity providers (LPs).

“We aim to fully compensate those victims of the exploit with funds available to us,” it wrote.

It noted that it enabled LPs to withdraw funds on April 2, with the majority withdrawing their assets from the pool. Some, however, could withdraw even more “due to the pool’s disbalance.”

Others could not withdraw “a reasonable amount” from the liquidity pool due to some users withdrawing more than their original balances and the hack’s impact on the pools.

An application form is currently being drafted for LPs who could not withdraw their assets, allowing them to apply for compensation and provide details of their losses.

The form is anticipated to be completed within the next two days. The compensation process is expected to commence next week, starting with users who “have used the bridge shortly before the shutdown.”

“All the affected parties by the exploit will be subject to additional rewards in the future, but compensation remains our main priority.”

The compensation plan comes after Allbridge tweeted on April 3 that 1,500 BNB (BNB), worth approximately $465,000, was returned to the project following a public proposal made to the hacker in an April 1 tweet.


The protocol’s exploiter seemingly accepted Allbridge’s offer of a “white hat bounty,” where they could keep a portion of the stolen funds in exchange for an assurance that no legal action would be taken.

Meanwhile, Ethereum-based noncustodial lending protocol Euler Finance announced on April 4 that it recovered most of the $196 million stolen in a March 13 flash loan attack following successful negotiations.

The attacker managed to steal millions worth of Dai (DAI), USD Coin (USDC), staked Ether (stETH) and wrapped Bitcoin (WBTC) in the largest hack of 2023 so far.


PancakeSwap changes its recipe with the launch of Version 3

PancakeSwap has released version 3 of its BNB Chain, Aptos and Ethereum-based DeFi platform, touting improved performance and lower fees.

Decentralized finance (DeFi) protocol PancakeSwap has launched version 3 of its automated market maker platform on BNB Chain and Ethereum, with the upgrade encompassing performance improvements and lower fees.

Enhanced capital efficiency is cited as a key aspect of the upgrade, with a change in how liquidity providers can allocate capital on specific price intervals. In the previous version of PancakeSwap, liquidity from providers (LPs) was distributed uniformly along the price curve of trading pairs, which the platform notes was inefficient given that assets typically trade within certain ranges.

V3 lets liquidity providers select a custom price range in which to provide liquidity, giving them specific control over directing capital to higher-volume trading ranges. The release also touts four new trading fee tiers of 0.01%, 0.05%, 0.25% and 1%, a change from V2’s standard 0.25%.


Every token pair can have liquidity pools for each tier. PancakeSwap expects asset pairs to be drawn to tiers where incentives for LPs and traders align, with the approach an effort to balance between traders targeting the lowest fees while still incentivizing LPs.

The PancakeSwap team unpacked the different trading fee tiers in correspondence with Cointelegraph. Assets such as stable pairs, where impermanent loss (price changes after depositing to a liquidity pool) is low and prices typically match, fall into the 0.01% tier.

The higher percentage trading fee tiers cater to assets that have higher impermanent loss or lower liquidity. This mechanism intends to provide more fee revenue and incentive for LPs.

PancakeSwap caters to a broad DeFi user base, accounting for over $2.5 billion of total value locked and serving over 1.5 million unique users.

The platform also revealed upcoming features that are still in development, including a trading rewards program incentivizing traders with exclusive benefits, while a position manager feature aims to improve user experience when depositing tokens as liquidity.

Arbitrum (ARB) has been front and center in DeFi-related news in March, with its highly-anticipated airdrop seeing around $3.3 million consolidated from over 1,400 addresses into two controlling wallets.


More than $4.7M stolen in Uniswap fake token phishing attack

Some initially interpreted the hack as an exploit of the Uniswap v3 protocol, but it was quickly clarified as the result of a phishing campaign.

A sophisticated phishing campaign targeting liquidity providers (LPs) of the Uniswap v3 protocol has seen attackers make off with at least $4.7 million worth of Ether (ETH). However, the community is reporting the losses could be even greater. 

MetaMask security researcher Harry Denley was one of the first to raise the alarm about the attack, telling his 13,000 Twitter followers on Monday that 73,399 addresses had been sent malicious ERC-20 tokens to steal their assets.

At least $4.7 million in ETH has been lost in the attack, according to a Twitter post from Binance CEO Changpeng “CZ” Zhao. However, there are also reports among the crypto community that there may be more significant losses from the incursion.

Prominent Crypto Twitter user 0xSisyphus noted on Monday that a “large LP” with around 16,140 ETH, worth $17.5 million, may have also been phished.

How it works

According to Denley, the phishing attack works by sending unsuspecting users a “malicious token” called “UniswapLP” — made to appear as coming from the legitimate “Uniswap V3: Positions NFT” contract by manipulating the “From” field in the blockchain transaction explorer.

Users curious about their new tokens would be directed to a website purporting to allow them to swap their new tokens for Uniswap (UNI), worth $5.34 each at the time of writing.

The website would instead send the users’ address and browser client info to the attackers’ command center, which would also attempt to drain cryptocurrency from their wallets.

A Reddit post also explaining the attack noted that the attackers had stolen native tokens such as Ether, ERC-20 tokens and nonfungible tokens (NFTs) (namely Uniswap LP positions) from victims.

On Wednesday, Uniswap Labs added its own detailed explanation on Twitter about how the scam worked, emphasizing that the incident was part of a phishing scam, not an exploit. 
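
As an added illustration (not code from the article, Denley or Uniswap Labs), this example triages incoming ERC-20 Transfer logs for the lure described above. It assumes the “From” an explorer shows is read from the Transfer event, which the token contract itself writes; every address and log record is a constructed placeholder, and `tx_from`/`tx_to` are hypothetical field names for the enclosing transaction's signer and target.

```python
# Added example: wallet-side triage of unsolicited ERC-20 Transfer logs.
# keccak256("Transfer(address,address,uint256)"), the standard event topic.
TRANSFER_TOPIC = ("0xddf252ad1be2c89b69c2b068fc378daa"
                  "952ba7f163c4a11628f55a4df523b3ef")
POSITIONS_NFT = "0x" + "aa" * 20    # placeholder for the labelled contract
KNOWN_LABELS = {POSITIONS_NFT: "Uniswap V3: Positions NFT"}
TRUSTED_TOKEN = "0x" + "11" * 20    # placeholder: a token the user already holds
ME = "0x" + "ee" * 20               # placeholder wallet address


def topic_to_address(topic):
    """An indexed address topic is 32 bytes; the address is the low 20."""
    return "0x" + topic[-40:].lower()


def pad(addr):
    """Left-pad a 20-byte address to a 32-byte topic (builds sample logs)."""
    return "0x" + "0" * 24 + addr[2:]


def triage(log, wallet, trusted=(TRUSTED_TOKEN,)):
    """Return the reasons an incoming Transfer log looks like a lure."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
        return []                   # not an ERC-20 Transfer event
    sender = topic_to_address(topics[1])
    recipient = topic_to_address(topics[2])
    emitter = log["address"].lower()
    if recipient != wallet.lower() or emitter in trusted:
        return []
    reasons = ["unknown token contract " + emitter]
    if log["tx_from"].lower() != wallet.lower():
        reasons.append("unsolicited: wallet did not sign the transaction")
    label = KNOWN_LABELS.get(sender)
    # The 'from' value is data written by the emitting contract, so a
    # well-known label proves nothing. Simplified check: the labelled
    # contract was not the call target (a full check needs the call trace).
    if label and log["tx_to"].lower() != sender:
        reasons.append("'from' claims '%s' but the call went elsewhere" % label)
    return reasons


# Constructed sample logs: a lure token and an ordinary trusted transfer.
LURE = {"address": "0x" + "bb" * 20, "tx_from": "0x" + "cc" * 20,
        "tx_to": "0x" + "bb" * 20,
        "topics": [TRANSFER_TOPIC, pad(POSITIONS_NFT), pad(ME)]}
LEGIT = {"address": TRUSTED_TOKEN, "tx_from": "0x" + "dd" * 20,
         "tx_to": TRUSTED_TOKEN,
         "topics": [TRANSFER_TOPIC, pad("0x" + "dd" * 20), pad(ME)]}
```

The decision rests on the emitting token contract (`log["address"]`), never on the sender the event claims.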

Not an exploit

Binance’s CEO Zhao created some waves in the crypto markets when he first sounded alarms about the attack, calling it a “potential exploit” of the Uniswap protocol on the Ethereum blockchain.


Zhao clarified soon after the post with another update, sharing a conversation with the Uniswap team, who noted the incident was part of a phishing attack rather than any issue with the protocol.

CZ’s initial alarming comments coincided with a sharp drop in the Uniswap price, which fell to a 24-hour low of $5.34. The price of UNI has since recovered following the clarification to $5.48 at the time of writing but is still down 11% in 24 hours and is 87.8% down from its all-time-high.

Update: Added the Twitter thread from Uniswap Labs explaining how the phishing scam works.