PeckShield

Allbridge offers bounty to exploiter who stole $573K in flash loan attack

Allbridge offered a hacker who pilfered $573,000 from its platform a chance to come forward as a white hat and forgo any legal ramifications.

The attacker behind a $573,000 exploit on the multichain token bridge Allbridge has been offered a chance by the firm to come forward as a white hat and claim a bounty.

Blockchain security firm PeckShield first identified the attack on April 1, warning Allbridge in a tweet that its BNB Chain pool's swap price was being manipulated by an individual acting as both liquidity provider and swapper, who was able to drain the pool of $282,889 in Binance USD (BUSD) and $290,868 worth of Tether (USDT).

In an April 1 tweet following the hack, Allbridge offered an olive branch to the attacker in the form of an undisclosed bounty and the chance to escape any legal ramifications.

“Please contact us via the official channels (Twitter/Telegram) or send a message through tx, so we can consider this a white hat hack and discuss the bounty in exchange for returning the funds,” Allbridge wrote.

In a separate series of tweets, Allbridge made it clear they are hot on the trail of the stolen funds.

With the help of its “partners and community,” Allbridge said it’s “tracking the hacker through social networks.”

“We continue monitoring the wallets, transactions, and linked CEX accounts of individuals involved in the hack,” it added.

Allbridge also stated it’s working with law firms, law enforcement and other projects affected by the exploiter.

According to Allbridge, its bridge protocol has been temporarily suspended to prevent potential exploits of its other pools; it will be restarted once the vulnerability has been patched.

“In addition, we are in the process of deploying a web interface for liquidity providers to enable the withdrawal of assets,” it added.

Blockchain security firm CertiK offered an in-depth breakdown of the hack in an April 1 post, identifying the method used as a flash loan attack.

CertiK explained the attacker took a $7.5 million BUSD flash loan, then initiated a series of swaps for USDT before deposits in BUSD and USDT liquidity pools on Allbridge were made. This manipulated the price of USDT in the pool, allowing the hacker to swap $40,000 of BUSD for $789,632 USDT.

According to a March 31 tweet from PeckShield, March saw 26 crypto projects hacked, resulting in total losses of $211 million. 

Euler Finance’s March 13 hack was responsible for over 90% of the losses, while other costly exploits were suffered by projects including Swerve Finance, ParaSpace and TenderFi. 

Cointelegraph contacted Allbridge for comment but did not receive an immediate response.

Euler hacker seemingly taking their chances, sends funds to crypto mixer

Before the move, the hacker apparently refunded at least one victim, leading to a slew of on-chain messages from other purported victims.

The hacker responsible for the $196 million attack on Euler Finance has begun moving funds into crypto mixer Tornado Cash, only hours after a $1 million bounty was launched to uncover the hacker’s identity.

Blockchain analytics firm PeckShield tweeted on March 16 that the exploiter behind the flash loan attack on the Ethereum noncustodial lending protocol was “on the move.”

The exploiter transferred 1,000 Ether (ETH), approximately $1.65 million, through sanctioned crypto mixer Tornado Cash.

It comes only hours after Euler Labs tweeted that it was launching a $1 million reward for information leading “to the Euler protocol attacker’s arrest and the return of all funds.”

Just a day earlier, Euler sent an on-chain message to the exploiter’s address, warning it would launch a bounty “that leads to your arrest and the return of all funds” if 90% wasn’t returned within 24 hours.

The movement of the funds to the crypto mixer could indicate that the hacker is not being swayed by Euler’s amnesty offer. 

PeckShield noted that around 100 ETH, worth $165,202 at the time of writing, was sent to a wallet address that is likely owned by one of the victims. An on-chain message sent by the wallet address had earlier pleaded with the attacker for the return of their “life savings.”

This led to a slew of other victims sending messages to the address in hopes of also getting their funds returned.

One message stated they “are twenty-six families from jobless rural areas,” who lost “a million USDT in total,” adding their share of funds in the protocol was the “life-savings from our past decades of work in factories.”

Another apparent victim messaged the attacker congratulating them on the “big win” and said they invested funds into Euler they “desperately needed” for a house.

“My wife is going to kill me if we can’t afford our house […] Is there anyway [sic] you can help me? I have no idea what to tell my wife,” they wrote.

According to on-chain data, the $196 million stolen from Euler consisted of Dai (DAI), USD Coin (USDC), staked ETH and wrapped Bitcoin (WBTC).

Bitcoin bulls’ desire for a trend reversal could be obliterated by this week’s $565M options expiry

Significant headwinds continue to batter BTC, and this week’s options expiry is unlikely to provide any relief.

Bitcoin (BTC) fell below a four-day narrow trading range near $22,400 on March 7 following comments by United States Federal Reserve Chair Jerome Powell before the Senate Banking Committee. During the congressional appearance, the Fed chairman warned that the bank is prepared to tame inflation by pushing for more significant interest rate increases.

Powell added that “the ultimate level of interest rates is likely to be higher than previously anticipated” and that recent economic data was “stronger than expected.” These remarks significantly increased investors’ expectations of a 50 basis point interest rate hike on March 22, putting pressure on risk assets such as stocks, commodities and Bitcoin.

That movement could explain why the $565 million Bitcoin weekly options expiry on March 10 will almost certainly favor bears. Nonetheless, additional negative crypto market events might have also played a significant role.

Bitcoin from the Silk Road and Mt. Gox are on the move

The movement of multiple wallets linked to U.S. law enforcement seizures on March 8 added to the price pressure on Bitcoin investors. Over 50,000 Bitcoin worth $1.1 billion were transferred, according to data shared by on-chain analytics firm PeckShield.

Furthermore, 9,860 BTC were sent to Coinbase, raising concerns about the coins being sold on the open market. These wallets are directly linked to the former Silk Road darknet marketplace and were seized by law enforcement in November 2021.

Mt. Gox creditors have until March 10 to register and choose a method of compensation repayment. The movement is part of the 2018 rehabilitation plan, and creditors must choose between “early lump sum payment” and “final payment.”

It is unclear when creditors can expect to be paid in cryptocurrency or fiat currency, but estimates indicate that the final settlement could take several years.

As a result, Bitcoin’s price drop to $22,000 on March 8 effectively confirmed bears’ advantage on the March 10 options expiry.

Bulls placed far more bets, but most will be worthless

The March 10 options expiry has $565 million in open interest, but the actual figure will be lower because bulls have concentrated their bets on Bitcoin trading above $23,000.

Bitcoin options aggregate open interest for March 10. Source: CoinGlass

The 1.63 call-to-put ratio reflects the disparity in open interest between the $350 million call (buy) options and the $215 million put (sell) options. However, the expected outcome is likely to be much lower, as bulls were caught off guard when Bitcoin fell below $23,000 on March 3.

For example, if the price of Bitcoin remains near $22,100 at 8:00 am UTC on March 10, only $6 million in call (buy) options will be available. This difference occurs because the right to purchase Bitcoin at $22,500 or $24,000 is rendered null if BTC trades below that level on expiry.

The most likely outcomes favor bears by a wide margin

Below are the four most likely scenarios based on the current price action. The number of options contracts available on March 10 for call (bull) and put (bear) instruments varies depending on the expiry price. The imbalance favoring each side constitutes the theoretical profit:

  • Between $20,000 and $21,000: 0 calls vs. 7,200 puts. The net result favors the put (bear) instruments by $150 million.
  • Between $21,000 and $22,000: 100 calls vs. 5,000 puts. The net result favors the put (bear) instruments by $105 million.
  • Between $22,000 and $23,000: 1,400 calls vs. 1,900 puts. Bears have a modest advantage, profiting some $55 million.
  • Between $23,000 and $24,000: 4,600 calls vs. 600 puts. The net result favors the call (bull) instruments by $95 million.

This rough estimate takes into account only call options in bullish bets and put options in neutral-to-bearish trades. Nonetheless, this oversimplification excludes more complex investment strategies.

A trader, for example, could have sold a call option, effectively gaining negative exposure to Bitcoin above a certain price, but there is no easy way to estimate this effect.

To turn the tables and secure a potential $95 million profit, Bitcoin bulls must push the price above $23,000 on March 10. However, given the negative macroeconomic pressure and the FUD emanating from Mt. Gox and Silk Road, the odds favor bears in this week’s options expiry.

Wallet tied to Uranium Finance hacker reawakens after 647 days, shifting $3.3M

The hacker has other associated wallets that have also shifted funds to privacy networks such as Aztec.

One of the wallets associated with the $50 million exploit of Uranium Finance in April 2021 appears to have awoken after 647 days of dormancy, with funds headed towards crypto mixer Tornado Cash.

The sudden move was highlighted on March 7 by cybersecurity firms PeckShield and CertiK on their respective alert accounts on Twitter.

According to data from Etherscan, the hacker moved the 2,250 Ether (ETH), worth $3.35 million, over a seven-hour period in transactions ranging from 1 ETH to 100 ETH — with all the funds heading to Tornado Cash.

This is, however, just one of the wallets associated with the hacker. Another Ethereum wallet linked to the hacker shows it was last active 159 days ago, with 5 ETH being sent to the privacy-focused Ethereum zk-rollup Aztec.

This marks yet another occasion in 2023 in which a hacker’s wallet has come out of dormancy after a lengthy hiatus. In January, the Wormhole hacker moved around $155 million worth of ETH almost a year after exploiting the Wormhole bridge for $321 million in early 2022.

The same month, a notorious hacker dubbed the “blockchain bandit” also moved around $90 million after a six-year slumber. 

In February, the Wormhole hacker moved another $46 million worth of stolen funds, while popular blockchain sleuth ZachXBT highlighted via Twitter on Feb. 23 that “dormant funds left over” from the April 2018 $230 million Gate.io exchange hack by “North Korea began to move after over 4.5 years.”

Binance Smart Chain-based automated market maker Uranium Finance was exploited on April 28, 2021. The hack itself was reportedly the result of a coding vulnerability that allowed the hacker to siphon $50 million during Uranium’s v2.1 protocol launch and token migration event.

The platform seemingly shut down shortly after the hack, with its last tweet published on April 30, 2021, urging users to remove funds from its various liquidity pools.

Unanswered questions

It is also worth noting that on April 28, 2021, someone claiming to be a member of the project’s development team suggested in the Uranium Discord channel that the hack may have been an inside job.

They outlined that only a small number of team members knew of the security flaw prior to the v2.1 protocol launch, and questioned the suspicious timing of the hack being just two hours before launch.

Since then, reports have gone cold on the project and its victims. However, Binance forum posts from last October suggest that users have been left out in the cold.

On Oct. 26, user “RecoveryMad” made a post asking for a follow-up on the hack, and noted that the person representing the Uranium team in the community Telegram had “vanished.”

In response, user “nofiatnolie” claimed that “No investigation was performed. It was swept up under the rug. There are still victim groups with no answers and crowd-sourced investigations [are] pointing at the developers of Uranium and others as the suspects.”

BingChatGPT ‘pump and dump’ tokens emerging by the dozen: PeckShield

Blockchain security firm PeckShield on Twitter said it has found dozens of pump-and-dump tokens purporting to be related to ChatGPT.

Blockchain security firm PeckShield has raised the alarm after finding dozens of tokens purporting to be related to artificial intelligence (AI) powered chatbot ChatGPT.

In a Feb. 20 post, the firm revealed at least three “BingChatGPT” tokens appear to be part of honeypot schemes, in which a smart contract tricks a user into sending Ether (ETH), which the attacker then traps and retrieves.

Some of the addresses reportedly associated with the BingChatGPT tokens. Source: PeckShield

According to PeckShield, at least two of the tokens identified have already lost nearly 100% of their value, while a third is at a 65% loss — in what is often referred to as a “pump and dump” scheme or “rug pull.”

A pump-and-dump scheme typically involves the creators orchestrating a campaign of misleading statements and hype to persuade investors into purchasing tokens, then secretly selling their stake in the scheme when prices go up. 

At least one of the bad actors behind the tokens, “Deployer 0xb583,” is responsible for creating “dozens of tokens with a pump & dump scheme,” said PeckShield.

While PeckShield did not explain why the bad actors are using the name BingChatGPT for their tokens, the scammers could be trying to take advantage of the Feb. 7 announcement that OpenAI’s ChatGPT tech is being integrated into Bing and Microsoft’s Edge web browser.

The tokens’ name might be an attempt to trick victims into thinking they are somehow related to Microsoft and take advantage of the hype around AI chatbots.

Blockchain analytics firm Chainalysis recently noted in a Feb. 16 report that nearly 10,000 new tokens launched in 2022 had all the on-chain characteristics of being pump-and-dump schemes.

According to the blockchain analytics firm, 1.1 million tokens were launched last year, but only 40,521 had an “impact on the crypto ecosystem,” with at least ten swaps over four consecutive days of trading in the week following their launch.

An example of a crypto pump and dump scheme. Source: Chainalysis

“Of the 40,521 tokens launched in 2022 that gained sufficient traction to be worth analyzing, 9,902, or 24%, saw a price decline in the first week indicative of possible pump and dump activity,” the firm said. 

While a price drop on its own is not an indication of wrongdoing on the part of token creators, the firm noted that it examined 25 in particular and found “they were almost certainly designed for a pump and dump,” with malicious honeypot code that prevents new buyers from selling the token.

Defrost v1 hacker reportedly returns funds as ‘exit scam’ allegations surface

“Merry Christmas guys. We got a lump of coal from Santa Claus,” wrote one user in response to the allegations and the incident.

On Dec. 26, blockchain security firm CertiK issued a warning alleging that Defrost Finance, a decentralized leverage-trading platform on the Avalanche blockchain that recently suffered an exploit, is an “exit scam.” The move came just as Defrost announced that “the hacker involved in the V1 hack [but not the v2 hack] has returned the funds.” CertiK wrote:

“On 24 December we have seen an #exitscam on @Defrost_Finance. We have attempted to contact multiple members of the team but have had no response. The team are not KYC’d but we are using all the information that we do have to assist with authorities.”

On Dec. 23, Defrost Finance suffered a flash loan attack that drained protocol users of $12 million in assets on its v1 and v2 protocols. Immediately after the exploit, blockchain analytics firm PeckShield also issued a warning, alleging the operation was a “rugpull”:

“We received community intel warning the rugpull of @Defrost_Finance. Our analysis shows a fake collateral token is added and a malicious price oracle is used to liquidate current users. The loss is estimated to be >$12M.”

In a brief post-mortem analysis, project developers said that hackers also managed to steal the owner key for a much larger attack on its v1 protocol than the flash loan exploit. Defrost has offered to negotiate “sharing 20% (negotiable) of the funds in exchange for the bulk of assets and are calling on the hackers to contact us asap.”

After Defrost posted an Ethereum wallet address on its social page, close to $3 million worth of digital assets had been transferred there at the time of publication. In a Medium post published hours later, Defrost explained that the v1 hacker had returned the stolen funds to an address controlled by the project developers.

“We will soon start scanning the data on-chain to find out who owned what prior to the hack in order to return them to the rightful owners. As different users had variable proportions of assets and debt, this process might take a little. However, it will be concluded fairly swiftly.”

CertiK’s Skynet alert for Defrost. Source: CertiK

This is a developing story and will be updated accordingly.

Update (Dec. 26 at 3:50 pm UTC): Added information from Defrost regarding the return of funds from the v1 attacker.

‘Everything is fine’ — Gala Games calls for calm after fears of multi-billion dollar hack

Gala Games said the unusual activity of its pGALA token was actually part of efforts to safeguard it from potential attack.

Blockchain gaming company Gala Games urged its community to stay calm after misplaced fears of a multi-billion dollar rug pull or hack caused the GALA token to temporarily crash 25.6%.

The initial panic, which Gala Games later implied was unfounded, came after a single wallet address appeared to mint over $2 billion GALA tokens out of thin air — which was flagged by blockchain security firm PeckShield on Nov. 3.

Fears that the unusual activity was a sign of an exploit or rug pull caused the GALA token price to drop a dramatic 25.6% from $0.0394 to $0.0293 over a 130-minute stretch late on Nov. 3, according to data from CoinGecko.

However, Gala Games took to Twitter on Nov. 4 to dispel the “FUD” surrounding its native token, explaining that “lots of people are tossing around words like ‘hack’ and ‘rug’. Neither of these is the case.”

Gala Games president for blockchain Jason Brink explained that the unusual activity detected on decentralized exchange (DEX) PancakeSwap was performed by pNetwork, who was working to drain the liquidity pool as a means to safeguard it from a potential vulnerability.

In a separate tweet, pNetwork, the cross-chain interoperability bridge used by Gala Games on the BNB Smart Chain, confirmed that a “misconfiguration” event took place. It also responded to a tweet from PeckShield to note that it “coordinated the white hat attack” to prevent pGALA from being exploited.

The explanations appear to have quelled some panic, with the GALA token price having since partially recovered from its 24-hour low of $0.0293 to now sit at $0.352.

Gala Games confirmed that all GALA tokens on Ethereum and GALA-related assets on the GALA bridge were safe. The team, along with pNetwork, informed the community of its decision to “temporarily suspend” transaction activity on the bridge.

Brink also advised not to buy pGALA on PancakeSwap “for now.”

“A new pGALA token will be created to replace the old compromised one,” which will be sent to those who owned pGALA before the pool was drained, pNetwork said.