Security

DeFi securitization of real-world assets poses credit risks, opportunities: S&P

Decentralized finance protocols could attract institutional interest if they get securitization right, according to S&P Global Ratings.

Decentralized finance’s (DeFi) use case in traditional finance could grow in the coming years as new protocols attempt to support the securitization of real-world assets, according to a new research report from credit rating agency S&P Global Ratings. 

The financing of real-world assets, or RWAs, will likely be a key focus area for DeFi protocols moving forward, S&P said in a report titled “DeFi Protocols For Securitization: A Credit Risk Perspective.” Although the industry is still in its nascent stages, S&P highlighted several benefits DeFi could bring to securitization, including reducing transaction costs, improving transparency on asset pools, reducing counterparty risks and enabling faster payment settlement for investors.

“The early development of DeFi focused primarily on applications providing financial services within the crypto ecosystem, such as lending collateralized by crypto assets, investment tools for crypto assets, and crypto trading platforms,” analysts Andrew O’Neill, Alexandre Birry, Lapo Guadagnuolo and Vanessa Purwin wrote, adding:

“These initial use cases were broadly disconnected from the real economy. The financing of RWAs has emerged as a theme in the DeFi space, with lending protocols offering loans originated in the traditional way, based on borrower underwriting rather than backed by crypto assets pledged as collateral.”

DeFi securitizations aren’t without risks, however. S&P identified legal and operational risks associated with their issuance, as well as the potential for a mismatch between fiat currency-denominated assets and digital currency liabilities. Addressing these risks could be the difference between a robust DeFi securitization industry and one failing to attract interest from traditional finance.

S&P Global Ratings is one of the big three rating agencies on Wall Street. While the company is researching DeFi protocols, it does not currently rate any projects.

The DeFi industry rose to prominence in mid-2020 as the promise of higher yields and easier access to credit markets attracted crypto-native investors. According to most metrics, DeFi activity peaked in the third quarter of 2021 — in November of that year, the total value locked (TVL) on DeFi platforms eclipsed $180 billion.

The DeFi industry has further room to grow beyond crypto TVL measures, according to S&P Global Ratings. Source: DefiLlama.

Related: Fractional NFTs and what they mean for investing in real-world assets

Asset tokenization, or the process of issuing security tokens representing real tradeable assets, has long been viewed as a viable use case for blockchain technology. According to Ernst & Young, tokenization creates a bridge between real-world assets and their accessibility in a digital world without intermediaries. The consulting agency believes tokenization can “provide liquidity to otherwise illiquid and non-fractional markets.”

Scammers are targeting crypto users with new ‘zero value TransferFrom’ trick

The trick allows the attacker to confirm zero-value transactions from the victim’s wallet, hijacking the user’s transaction history.

Data from Etherscan shows that some crypto scammers are targeting users with a new trick that allows them to confirm a transaction from the victim’s wallet, but without having the victim’s private key. The attack can only be performed for transactions of 0 value. However, it may cause some users to accidentally send tokens to the attacker as a result of cutting and pasting from a hijacked transaction history.

Blockchain security firm SlowMist discovered the new technique in December and revealed it in a blog post. Since then, both SafePal and Etherscan have adopted mitigation techniques to limit its effect on users, but some users may still be unaware of its existence.

According to the post from SlowMist, the scam works by sending a transaction of zero tokens from the victim’s wallet to an address that looks similar to one that the victim had previously sent tokens to.

For example, if the victim sent 100 coins to an exchange deposit address, the attacker may send zero coins from the victim’s wallet to an address that looks similar but that is, in fact, under the control of the attacker. The victim may see this transaction in their transaction history and conclude that the address shown is the correct deposit address. As a result, they may send their coins directly to the attacker.

Sending a transaction without owner permission 

Under normal circumstances, an attacker needs the victim’s private key to send a transaction from the victim’s wallet. But Etherscan’s “contract tab” feature reveals that there is a loophole in some token contracts that can allow an attacker to send a transaction from any wallet whatsoever.

For example, the code for USD Coin (USDC) on Etherscan shows that the “TransferFrom” function allows any person to move coins from another person’s wallet as long as the amount of coins they are sending is less than or equal to the amount allowed by the owner of the address.

This usually means that an attacker can’t make a transaction from another person’s address unless the owner approves an allowance for them.

However, there is a loophole in this restriction. The allowed amount is stored as an unsigned integer (Solidity’s “uint256” type), and storage that has never been written reads as zero, so an allowance that was never granted is simply zero. This can be seen in the “allowance” function.

As a result, as long as the value of the attacker’s transaction is zero (an unsigned integer cannot be negative, so zero is the only amount that satisfies a zero allowance), they can send a transaction from absolutely any wallet they want, without needing the private key or prior approval from the owner.

USDC isn’t the only token that allows this to be done. Similar code can be found in most token contracts. It can even be found in the example contracts linked from the Ethereum Foundation’s official website.
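To make the allowance logic described above concrete, here is an added example (not code from the article, from USDC or from any real token contract): a minimal Python model of ERC-20 allowance bookkeeping. The victim address is the one quoted later in the article; the attacker address is a constructed placeholder. The model mirrors the usual `amount <= allowance` check and shows that a zero-value `transferFrom` from an address that was never approved passes it, while any non-zero amount is refused.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Addresses: the victim address is the one quoted in the article; the attacker
# address is a constructed placeholder, not a real account.
VICTIM = "0x20d7f90d9c40901488a935870e1e80127de11d74"
ATTACKER = "0x000000000000000000000000000000000000bad0"  # constructed placeholder
FAKE_DEST = "0xA545c8659B0CD5B426A027509E55220FDa10bB09"  # look-alike quoted in the article


@dataclass
class Token:
    """Minimal ERC-20 bookkeeping model; it mirrors the allowance check and nothing more."""
    balances: dict = field(default_factory=lambda: defaultdict(int))
    # allowances[owner][spender]; like a Solidity mapping, unset entries read as 0
    allowances: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(int)))
    events: list = field(default_factory=list)  # emitted Transfer(from, to, value) logs

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances[owner][spender]

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[owner][spender] = amount

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> bool:
        """transferFrom as invoked by `caller`; the guard is `amount <= allowance`."""
        if amount < 0:
            raise ValueError("uint256 cannot be negative")
        if amount > self.allowance(owner, caller):
            raise PermissionError("insufficient allowance")
        if amount > self.balances[owner]:
            raise ValueError("insufficient balance")
        self.allowances[owner][caller] -= amount
        self.balances[owner] -= amount
        self.balances[to] += amount
        # The event names the token owner as `from`, so a wallet that rebuilds its
        # history from logs sees an outgoing transfer the owner never initiated.
        self.events.append({"from": owner, "to": to, "value": amount, "caller": caller})
        return True


def zero_value_demo() -> dict:
    """Run the trick against the model and report what the victim's history shows."""
    token = Token()
    token.balances[VICTIM] = 5000
    spam_ok = token.transfer_from(ATTACKER, VICTIM, FAKE_DEST, 0)  # passes with no approval
    try:
        token.transfer_from(ATTACKER, VICTIM, FAKE_DEST, 1)  # any real amount is refused
        theft_blocked = False
    except PermissionError:
        theft_blocked = True
    return {
        "spam_accepted": spam_ok,
        "theft_blocked": theft_blocked,
        "victim_balance": token.balances[VICTIM],
        "history": token.events,
    }


if __name__ == "__main__":
    for key, value in zero_value_demo().items():
        print(key, value)
```

The point the model makes is that the balance never moves and no real amount can be taken, but the victim’s log history still gains an outgoing entry to the attacker’s chosen address, which is the only thing the scam needs.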

Examples of the zero value transfer scam

Etherscan shows that some wallet addresses are sending thousands of zero-value transactions per day from various victims’ wallets without their consent.

For example, an account labeled Fake_Phishing7974 used an unverified smart contract to perform more than 80 bundles of transactions on Jan. 12, with each bundle containing 50 zero-value transactions for a total of 4,000 unauthorized transactions in one day.

Misleading addresses

Looking at each transaction more closely reveals a motive for this spam: The attacker is sending zero-value transactions to addresses that look very similar to ones the victims previously sent funds to.

For example, Etherscan shows that one of the user addresses targeted by the attacker is the following:

0x20d7f90d9c40901488a935870e1e80127de11d74.

On Jan. 29, this account authorized 5,000 Tether (USDT) to be sent to this receiving address:

0xa541efe60f274f813a834afd31e896348810bb09.

Immediately afterwards, Fake_Phishing7974 sent a zero-value transaction from the victim’s wallet to this address:

0xA545c8659B0CD5B426A027509E55220FDa10bB09.

The first five characters and the last six characters of these two receiving addresses are exactly the same, but the characters in the middle are all completely different. The attacker may have intended for the user to send USDT to this second (fake) address instead of the real one, giving their coins to the attacker.

In this particular case, it appears that the scam did not work, as Etherscan does not show any transactions from this address to one of the fake addresses created by the scammer. But given the volume of zero-value transactions done by this account, the plan may have worked in other cases.

Wallets and block explorers may vary significantly as to how or whether they show misleading transactions.

Wallets

Some wallets may not show the spam transactions at all. For example, MetaMask shows no transaction history if it is reinstalled, even if the account itself has hundreds of transactions on the blockchain. This implies that it stores its own transaction history rather than pulling the data from the blockchain. This should prevent the spam transactions from showing up in the wallet’s transaction history.

On the other hand, if the wallet pulls data directly from the blockchain, the spam transactions may show up in the wallet’s display. In a Dec. 13 announcement on Twitter, SafePal CEO Veronica Wong warned SafePal users that its wallet may display the transactions. In order to mitigate against this risk, she said that SafePal was altering the way addresses are displayed in newer versions of its wallet so as to make it easier for users to inspect addresses.

In December, one user also reported that their Trezor wallet was displaying misleading transactions.

Cointelegraph reached out by email to Trezor developer SatoshiLabs for comment. In response, a representative stated that the wallet does pull its transaction history directly from the blockchain “every time users plug in their Trezor wallet.”

However, the team is taking steps to protect users from the scam. In an upcoming Trezor Suite update, the software will “flag the suspicious zero-value transactions so that users are alerted that such transactions are potentially fraudulent.” The company also stated that the wallet always displays the full address of every transaction and that they “strongly recommend that users always check the full address, not just the first and last characters.”

Block explorers

Aside from wallets, block explorers are another type of software that can be used to view transaction history. Some explorers may display these transactions in such a way as to inadvertently mislead users, just as some wallets do.

To mitigate against this threat, Etherscan has begun graying out zero-value token transactions that aren’t initiated by the user. It also flags these transactions with an alert that says, “This is a zero-value token transfer initiated by another address,” as evidenced by the image below.

Other block explorers may have taken the same steps as Etherscan to warn users about these transactions, but some may not have implemented these steps yet.
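The two signals the article describes, a zero-value transfer initiated by an address other than the token owner (what Etherscan now grays out) and a recipient that matches a previously used address on its first five and last six characters, can be combined into a simple check. The following is an added example, not code from Etherscan, SlowMist or the article: it runs that check over a constructed list of Transfer records. The victim, legitimate and look-alike addresses are the ones quoted above; the attacker and the unrelated recipient are constructed placeholders. The `initiator` field stands for the transaction’s sender, which wallets and explorers can read alongside the event’s `from`.

```python
# Addresses quoted in the article (victim, real deposit address, look-alike).
VICTIM = "0x20d7f90d9c40901488a935870e1e80127de11d74"
LEGIT = "0xa541efe60f274f813a834afd31e896348810bb09"
FAKE = "0xA545c8659B0CD5B426A027509E55220FDa10bB09"
# Constructed placeholders, not real accounts.
ATTACKER = "0x000000000000000000000000000000000000bad0"
UNRELATED = "0x1111111111111111111111111111111111111111"

PREFIX = 5  # leading characters compared, counting the "0x" as the article does
SUFFIX = 6  # trailing characters compared


def looks_alike(addr: str, known: str) -> bool:
    """True if addr differs from `known` but shares its first PREFIX and last SUFFIX chars."""
    a, k = addr.lower(), known.lower()
    if a == k:
        return False
    return a[:PREFIX] == k[:PREFIX] and a[-SUFFIX:] == k[-SUFFIX:]


def classify(records: list) -> tuple:
    """Walk Transfer records in chain order and return (address_book, alerts).

    address_book maps each owner to the recipients it actually funded, i.e. the
    non-zero transfers it initiated itself. An alert is raised for every zero-value
    transfer whose initiator is not the token owner, and it lists any previously
    funded recipient that the new recipient resembles.
    """
    address_book: dict = {}
    alerts = []
    for r in records:
        owner = r["from"].lower()
        to = r["to"]
        own_tx = r["initiator"].lower() == owner
        if own_tx:
            if r["value"] > 0:
                address_book.setdefault(owner, set()).add(to.lower())
            continue  # owner-initiated transfers are never flagged
        if r["value"] == 0:
            matches = sorted(k for k in address_book.get(owner, ()) if looks_alike(to, k))
            alerts.append({
                "tx": r["tx"],
                "owner": owner,
                "to": to,
                "reason": "zero-value token transfer initiated by another address",
                "lookalike_of": matches,
            })
    return address_book, alerts


# Constructed sample history for the victim wallet, in chain order.
SAMPLE_RECORDS = [
    {"tx": "tx-1", "from": VICTIM, "to": LEGIT, "value": 5000, "initiator": VICTIM},
    {"tx": "tx-2", "from": VICTIM, "to": FAKE, "value": 0, "initiator": ATTACKER},
    {"tx": "tx-3", "from": VICTIM, "to": UNRELATED, "value": 0, "initiator": ATTACKER},
    {"tx": "tx-4", "from": VICTIM, "to": LEGIT, "value": 0, "initiator": VICTIM},
]


if __name__ == "__main__":
    book, found = classify(SAMPLE_RECORDS)
    print("funded recipients:", book)
    for alert in found:
        print(alert["tx"], alert["reason"], "look-alike of:", alert["lookalike_of"])
```

Only `tx-2` and `tx-3` produce alerts: both are zero-value transfers pushed through by the attacker, and only `tx-2` additionally resembles an address the wallet really paid. A display that copies addresses from history should treat entries in the alert list as untrusted, whatever their prefix and suffix look like.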

Tips for avoiding the ‘zero-value TransferFrom’ trick

Cointelegraph reached out to SlowMist for advice on how to avoid falling prey to the “zero-value TransferFrom” trick.

A representative from the company gave Cointelegraph a list of tips for avoiding becoming a victim of the attack:

  1. “Exercise caution and verify the address before executing any transactions.”
  2. “Utilize the whitelist feature in your wallet to prevent sending funds to the wrong addresses.”
  3. “Stay vigilant and informed. If you encounter any suspicious transfers, take the time to investigate the matter calmly to avoid falling victim to scammers.”
  4. “Maintain a healthy level of skepticism, always stay cautious and vigilant.”

Judging from this advice, the most important thing for crypto users to remember is to always check the address before sending crypto to it. Even if the transaction record seems to imply that you’ve sent crypto to the address before, this appearance may be deceiving.

Australia and the UK share their big picture of crypto: Law Decoded, Jan. 31–Feb. 6

While the British Treasury emphasizes a liberal approach, Australia opts for a detailed taxonomy of all crypto assets.

The U.K. outline of the future financial services regulatory regime for crypto covers a broad range of topics, from the troubles of algorithmic stablecoins to nonfungible tokens and initial coin offerings. And it’s certainly good news for the industry, as the upcoming regulation doesn’t propose a ban on algorithmic stablecoins or excessive requirements on data sharing for digital asset operators.

The Australian consultation paper on “token mapping” is a foundational step in the government’s multistage reform agenda to regulate the market. Based on the “functional” and technology-neutral method, the paper proposes several basic definitions for all things crypto. Its taxonomy of four types of crypto-related products includes crypto asset services, intermediated crypto assets, network tokens and smart contracts.

And let’s not forget about Hong Kong, where the local monetary authority has issued a consultation summary. In contrast to the U.K., it proposes a prohibition on the operations of algorithmic stablecoins in the country.

It is not every week that two major jurisdictions present, almost simultaneously, their vision of how crypto should be regulated in the coming years. Within three days, the treasuries of the United Kingdom and Australia shared their consultation papers, consisting of 80 and 60 pages, respectively.

SEC settles on security claim in LBRY case

The United States Securities and Exchange Commission (SEC) admitted on record that the sale of LBRY Credits (LBC) tokens in the secondary market doesn’t constitute a security. In what many called a victory for the entire crypto industry against the SEC’s overreach regulation by enforcement, Attorney John Deaton settled a major debate during the appeal hearing. The ruling in the case was a relief for many in the crypto community, especially XRP (XRP) holders, as Ripple is currently facing a securities lawsuit from the SEC over the sale of XRP tokens. 


FTX debtors seek subpoenas for inner circle of Sam Bankman-Fried

As bankruptcy proceedings continue, FTX and affected parties have requested subpoenas for information and documents from close relatives of former CEO Sam Bankman-Fried. A motion filed in the United States Bankruptcy Court for the District of Delaware seeks to glean valuable information from the likes of Gabriel Bankman-Fried and Barbara Fried, the brother and mother of the FTX founder. According to the filing, FTX and its debtors are pursuing estate assets belonging to the company and investors.


Bank of China ex-advisor calls Beijing to reconsider crypto ban

Huang Yiping, a former member of the Monetary Policy Committee at the People’s Bank of China, believes that the Chinese government should think again about whether the ban on cryptocurrency trading is sustainable in the long run. The former official argued that a permanent ban on crypto could result in many missed opportunities for the formal financial system, including those related to blockchain and tokenization. 


How to protect against crime in the metaverse

To protect against crime in the metaverse, take precautions, such as using secure passwords, and report suspected criminal activities to law enforcement.

How to protect yourself in the metaverse

To protect yourself in the metaverse, use strong passwords, be cautious of suspicious activity, and limit the amount of personal information shared online.

Here are some ways to protect yourself in the metaverse:

  • Use strong and unique passwords: Create secure passwords utilizing a variety of letters, numbers and symbols and steer clear of using the same one for many accounts.
  • Exercise caution when disclosing personal information: Be careful about what you share online and be on the lookout for unauthorized requests for personal information.
  • Utilize two-factor authentication: To further secure your accounts, use two-factor authentication.
  • Update your hardware and software: To guard against any vulnerabilities, make sure to keep your software and devices up to date with the most recent security upgrades.
  • Report suspicious activity: Inform the proper authorities or the platform’s moderation team of any questionable activity or behavior.
  • Pay attention to phishing attempts: Be on the alert for phishing attempts designed to deceive you into revealing personal information or login credentials.
  • Use a virtual private network (VPN), if possible: When entering the metaverse, use a VPN to secure your internet connection and safeguard your personal data.
  • Set privacy preferences: Utilize the privacy settings and tools offered by the metaverse platforms to control how much of your personal information is exposed to others.
  • Be aware of potential sexual harassment: Take precautions to shield yourself from offensive or unwanted behavior by being aware of the possibility of sexual harassment in the metaverse.
  • Beware of scammers: Criminals may try to fool you through social engineering, fabricated identities or impersonation of others.

By being mindful of the hazards and cautions in virtual reality worlds, users can take further precautions to protect themselves. This can entail being watchful with the data they disclose online, exercising caution when speaking to strangers and blocking or reporting any individuals who engage in inappropriate behavior.

Are there any sexual harassment risks in the metaverse?

In virtual worlds, people may feel empowered to engage in unethical or criminal behavior, such as sexual harassment, due to the anonymity and lack of oversight by law enforcement agencies.

In the metaverse, sexual harassment can take many forms, including:

  • Virtual sexual assault: Sexual propositions, unwanted touching and other unwanted physical contact could all constitute virtual sexual assault.
  • Online sexual harassment: Online sexual harassment may take the form of sending unwelcome sexually suggestive messages, exchanging inappropriate or sexually explicit photographs, or making vulgar remarks.
  • Cyberstalking: This can involve persistently sending unwelcome messages or following someone online with the intention of intimidating or harassing them.
  • Non-consensual sharing of intimate images: Sharing intimate photos or films of someone without their consent is referred to as non-consensual sharing of intimate photographs or revenge porn.
  • Online grooming: This may involve adults pursuing children or other vulnerable individuals in virtual spaces with the intention of sexually exploiting them.

Metaverse users should report any instances of sexual harassment to the relevant authorities, and metaverse companies should have strong policies in place to handle and prevent it.

What financial crimes occur in the metaverse?

Money laundering, fraud and asset theft are all types of financial crimes that can cost people and virtual communities a lot of money in the metaverse.

The use of cryptocurrencies to conceal the proceeds of criminal activity, such as the sale of illegal narcotics or weapons, by hiding the source and ownership of the money through a convoluted web of transactions is an example of money laundering in the metaverse.

A Ponzi scheme is an example of financial fraud in the metaverse, which involves the use of virtual goods or money to trick investors into thinking that their money is being put toward a successful project when, in reality, the returns are being paid from the contributions of new investors rather than from any genuine business gains. Moreover, criminals may use the metaverse to conduct financial transactions that are not reported to tax authorities in order to evade taxes.

Criminals may also utilize hacking methods to steal users’ confidential financial data in the metaverse. Similarly, criminals may use the metaverse to conduct cyberextortion, which is a type of digital blackmail in which a criminal demands payment in exchange for withholding sensitive information or data.

These are only a few instances of how metaverse users are targeted by cybercriminals; therefore, it’s crucial to be aware of these threats and take precautions to safeguard your information. One can do this by using two-factor authentication and strong passwords, being cautious about unsolicited requests for personal information, and making sure their software and devices are up-to-date with the most recent security patches.

How do cybercriminals target the metaverse?

By taking advantage of flaws in virtual systems and user behavior, such as malware infections, phishing scams and illegal access to personal and financial information, cybercriminals prey on the metaverse.

Cybercriminals may target the metaverse in a variety of ways, including:

  • Phishing scams: Thieves may employ phishing techniques to deceive victims into disclosing personal information or login credentials, which can then be used for identity or data theft or other unlawful acts.
  • Hacking: To steal money or personal information, criminals may try to hack into user accounts or metaverse platforms.
  • Malware: To access sensitive data or carry out illicit operations, criminals may use malware to infect virtual environments or devices that support the metaverse.
  • Frauds: Criminals may leverage the anonymity and lax regulation of the metaverse to carry out scams such as Ponzi or pyramid schemes.
  • Ransomware: Thieves may use ransomware to encrypt a user’s digital possessions or personal data before requesting payment in exchange for the decryption key.
  • Exploiting virtual goods and assets: Cybercriminals may use bots or other tools to buy virtual goods and assets, which they then sell on the black market for real money. 
  • Creating fake digital assets: Criminals may make false virtual assets and sell them to unwary buyers, causing the victims to suffer financial loss.
  • Social engineering: Thieves may take advantage of the metaverse’s social elements to win over people’s trust before defrauding them.

Related: How are metaverse assets taxed?

The “Crypto Crime Cartel” case is one real-world instance of cybercrime in the metaverse. In 2020, it was discovered that a group of cybercriminals had been working in the metaverse, more specifically in the online community of Second Life.

They tricked customers into submitting log-in and personal information via a phishing scam, which they then utilized to steal virtual money and digital assets. The group also perpetrated identity theft and other financial crimes in the real world using the stolen information. Money-laundering crypto criminals were successful in stealing digital assets and currencies worth millions of dollars.

This example demonstrates how cybercriminals might use the anonymity and lax regulation of the metaverse to carry out unlawful acts. It emphasizes the significance of exercising caution when using virtual worlds and taking precautions to safeguard private data and digital assets, such as using strong passwords, being wary of unsolicited requests for personal information and notifying the appropriate authorities of any suspicious activity.

The Decentral Games hack is just another instance of financial crime in the metaverse. A group of hackers attacked Decentral Games, a well-known metaverse gaming site built on the Ethereum blockchain, in 2021 by taking advantage of a flaw in the smart contract. They were able to steal Ether (ETH) and other cryptocurrencies valued at more than $8 million from users of the network.

This illustration shows how susceptible smart contracts and decentralized systems can be to hackers and other sorts of cyberattacks. It also demonstrates how a lack of oversight and regulation in the crypto and metaverse industries can make it simpler for criminals to commit cybercrimes and steal substantial sums of money.

What is the dark side of the metaverse?

The metaverse has the potential to alter the way we interact and engage with one another and technology. However, there are also possible drawbacks and risks, just like with any new technology. Potential problems with privacy, security and legislation are part of the metaverse’s negative side.

One of the main issues with metaverse platforms is privacy. People may disclose more sensitive data and personal information in the metaverse, increasing the risk of hacking and data breaches. Furthermore, there may be less supervision and regulation over how businesses gather and use this data, which might result in the misuse of personal data.

Being a virtual environment, the metaverse is open to various security risks, including hacking, intellectual property theft and misuse of user data that can lead to the loss of personal data, financial harm and damage to the reputation and stability of virtual communities. For instance, the metaverse may be used by criminals to commit additional crimes, propagate malware or steal personal data.

Regulation is another issue because the metaverse is a young and rapidly changing environment. Governments and other institutions can find it difficult to keep up with technology and lack the resources or tools necessary to govern it successfully. This absence of oversight may result in problems like unlawful activity and hazardous content.

However, it is also unclear how society will be affected by the metaverse because it is a brand-new area that is developing quickly. While some experts assert that technology will create more options for community and connection, others counter that it will just increase social alienation and isolation.

Developers seek solutions for Web3-related scams from internet browsers

A new suite of tools for Web3 businesses targets the safety and security of transactions, websites and smart contracts to combat exploits.

A big concern for users in decentralized finance (DeFi) is its susceptibility to exploits. A report from Privacy Affairs revealed hackers stole $4.3 billion worth of cryptocurrency from January to November 2022 — a 37% increase from the previous year.

Such exploits harm the integrity of companies and fuel skeptics from outside of the space in their case against cryptocurrencies. However, in a Feb. 2 announcement from Web3 Builders, the company revealed a suite of tools to combat this issue.

The initial browser extension TrustCheck was created to flag Web3-related scams before users continue to interact with them. This new suite of tools builds on that via a Web3 Builders transaction checker, website checker and smart contract checker.

Ricky Pellegrini, the CEO of Web3 Builders, said this is an integral moment for the industry to prove its trustworthiness.

“It’s an unfortunate truth that scams and fraud are still common in the Web3 space.”

According to the announcement, the tools scan nearly 30 million suspicious domains daily and check for vulnerabilities on around 55 million Ethereum smart contracts. 

Related: DeFi-type projects received the highest number of attacks in 2022: Report

He continued to say that, even in the last month, the suite of tools discovered dozens of scams listed on popular platforms, marketplaces and exchanges.

In the last week, there has been a slew of new attacks that have been exploiting millions from the space. This includes one on Feb. 1, in which the BonqDAO protocol lost $120 million after an oracle hack.

Last week, hackers compromised Azuki’s Twitter account and stole $758K in just 30 minutes. The financial services platform Robinhood also had its Twitter hacked on Jan. 25, during which hackers tried to promote a scam token.

Nicholas Horelik, the technical co-founder and chief blockchain officer at Web3 Builders, said that understanding what’s happening with your transaction is critical to keeping assets safe.

“End users deserve to have this functionality on whatever platform they choose and businesses should be implementing solutions like these to ensure their customers’ safety in Web3.”

On Jan. 24, the Wormhole hacker moved $155 million of the total $321 million stolen, which was the biggest shift of stolen funds seen in months.  

Judge dismisses proposed class-action suit alleging Coinbase securities sales

The decision did not address the question of whether the 79 tokens in question were securities, but dismissed claims based on the Securities and Exchange Acts.

A proposed class action suit against cryptocurrency exchange Coinbase, Coinbase Global and CEO Brian Armstrong alleging unregistered securities sales was dismissed in the United States District Court of Southern New York on Feb. 1. The suit, filed on March 11, claimed that 79 of the tokens listed on Coinbase were securities being sold without proper registration and customers were not warned of their risks.

The suit brought charges under the Securities Act of 1933 and Exchange Act of 1934 and used the Howey test, established by the U.S. Supreme Court in 1946, to identify the tokens. The plaintiffs argued for each token individually. In his decision, Judge Paul Engelmayer stated regarding the Howey claims:

“Were this case to reach summary judgment, this contention would emerge as a central battleground.”

But the judge assumed the tokens are indeed securities for the purposes of his analysis and did not consider claims based on Howey further. He stated that the Coinbase user agreement contradicts the plaintiffs’ claim that Coinbase was the “actual seller” of the tokens. Furthermore, Coinbase did not solicit sales under a strict legal definition. Thus, claims under the Securities Act were dismissed.

The judge stated that the claim under the Exchange Act alleged the presence of a contract involving a prohibited transaction. He dismissed that claim by noting that only the user agreement was liable to that claim, and it “did not necessitate illegal acts.” The judge cited case law throughout the analysis.

The plaintiffs’ representation apparently became aware of the flaw in their argument after the suit was initially filed. The March 11 suit was an amended complaint that did not make reference to the user agreement, but that did not sway the judge in his analysis.

Related: Breaking: Coinbase fined $3.6M in the Netherlands

The suit was filed with national claims and claims under California, Florida and New Jersey state law. The national claims were dismissed with prejudice, meaning that the plaintiffs cannot file the same claims again. The state claims were dismissed without prejudice, as the judge determined that the court had not “invested the resources necessary to resolve” the state claims.

A class action suit was filed against Coinbase in the Northern District Court of Georgia in August, claiming the exchange did not do enough to protect user wallets and locked users out of their accounts at high market volatility. In addition, it claimed that “Coinbase does not disclose that the crypto assets on its platform are securities.”

Blockchain provider SIMBA Chain awarded $30M by US Air Force STRATFI program

According to SIMBA Chain, the investment will go toward developing blockchain applications that will be used by several government organizations.

Blockchain solutions provider SIMBA Chain has been selected for a $30 million Strategic Technology Focus Initiative (STRATFI) by the United States Air Force (USAF). The initiative is focused on identifying and advancing technologies that could secure the future dominance of the U.S. Air Force. 

According to the announcement, the investment will be used to develop blockchain applications in supply chain management and programs that will be used by several government organizations, including the Office of the Undersecretary of Defense for Research & Engineering, the USAF, the U.S. Navy, the U.S. Army and the Defense Logistics Agency.

SIMBA Chain has a long-standing relationship with the Department of Defense, having developed various blockchain applications to improve critical USAF activities, such as budget tokenization for better accounting and tracking of essential components for the air service branch. The STRATFI initiative will accelerate the development of SIMBA’s blockchain platform, SIMBA Blocks, which supports the USAF’s strategic mission.

Bryan Ritchie, CEO of SIMBA Chain, views the STRATFI initiative as a strong demand signal for blockchain technology and an opportunity to increase adoption within the commercial industry. He said, “Given the interconnectedness of the DoD supply chain, it also signals an opportunity to collaborate and increase adoption within the commercial industry.”

Related: US Air Force files trademark application for ‘SpaceVerse’ initiative

As previously noted, this is not the first time the U.S. Air Force has experimented with blockchain technology. In June, Cointelegraph reported that the U.S. Air Force had tapped SIMBA Chain to develop a budgeting and accounting system for tracking and monitoring the military’s cash flow and supply chain quality and management. 

The goal of the project, dubbed Digital Blockchain Budgeting Accountability and Tracking (DiBaT), was to tokenize all dollars within the U.S. Air Force supply chain budget and track fund movement across billing centers, purchasing teams and suppliers.

LayerZero bridging protocol denies accusation of ‘critical vulnerabilities’

LayerZero is the protocol used by Stargate bridge, which has over $382 million locked in its smart contracts.

Summa founder James Prestwich has accused the $382 million LayerZero bridging protocol of hosting a “critical vulnerability.” 

According to a Jan. 30 post by Prestwich, this vulnerability “could result in theft of all user funds.” LayerZero CEO Bryan Pellegrino has called Prestwich’s accusation “absolutely shocking” and “wildly dishonest,” claiming that the vulnerability only applies to applications that don’t modify the default configuration.

LayerZero is a protocol used to create cross-chain blockchain bridges. Its most notable application is the Stargate Bridge, which can be used to move coins between several different blockchain networks, including Ethereum, BNB Chain (BNB), Avalanche (AVAX), Polygon (MATIC) and others. Stargate has $382 million of total value locked (TVL) in its smart contracts as of Jan. 30, according to DefiLlama.

According to its whitepaper, the LayerZero protocol provides a trustless way of moving cryptocurrencies from one network to another. It does this by using an Oracle and Relayer to verify that coins are locked on one chain before allowing a coin to be minted on a different chain. As long as the Oracle and Relayer are independent and do not collude with each other, it should be impossible for coins to be minted on the destination chain without first being locked on the originating chain.

However, Prestwich claimed in his blog post that Stargate and other bridges that use the “default configuration” for LayerZero suffer from a critical vulnerability. He said this vulnerability allows the LayerZero team to remotely change “the default Receiving library” or to “arbitrarily modify message payloads,” which can enable the team to bypass the Oracle and Relayer to transmit any message they want across the bridge. This implies that when LayerZero is used with its default configuration, it relies upon trust in the LayerZero team rather than in a decentralized protocol for its security.

Prestwich further claimed that Stargate suffers from this vulnerability since it uses the default configuration. To mitigate this vulnerability, Prestwich advises app developers who use LayerZero to alter their smart contracts to change the configuration. However, he says that most LayerZero apps still use the default configuration, putting them at risk.

Related: Cross-chain interoperability remains a barrier to crypto mass adoption

LayerZero CEO Bryan Pellegrino vigorously denied Prestwich’s claims, calling them “wildly dishonest” in a Jan. 30 tweet. 

In a conversation with Cointelegraph on Jan. 31, Pellegrino stated that all validation libraries “are immutable forever, period.” The team can add new libraries but “can never change, remove, or do anything to” the ones that already exist. While the team can add new libraries to the registry, if an app has already chosen a particular library or set of libraries to be used, this cannot be changed by the LayerZero team.

Pellegrino admitted that the library an app “points to” can be changed by the LayerZero team if the app developer is using the defaults, but not if it has already moved away from the default configuration.

As for Prestwich’s claim that Stargate is at risk, Pellegrino responded by saying that the StargateDAO voted on Jan. 3 to change its library from the default to a specific one that is more gas-efficient. He expects this library change to be implemented “this week (likely today).” Once this update is made, “that will never be able to change on them unless Stargate votes and changes it themselves.”
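To make the configuration point concrete, here is an added toy model (not LayerZero's code; every class, method and library name in it is hypothetical): validation libraries are append-only, the protocol team can move the default pointer, and an app that has pinned its own library is unaffected by that move. The audit helper lists which apps still inherit the default.

```python
# Added toy model of the configuration point discussed above; it is not
# LayerZero's code. An "endpoint" holds append-only validation libraries, a
# default pointer the team controls, and per-app overrides. Names are made up.

class Endpoint:
    def __init__(self):
        self._libraries = set()  # registered library names, never removed
        self._default = None     # pointer only the protocol team moves
        self._app_config = {}    # app -> library that app pinned itself

    def register_library(self, name):
        """Libraries can be added but never replaced or removed."""
        if name in self._libraries:
            raise ValueError(f"library {name!r} is immutable once registered")
        self._libraries.add(name)

    def set_default(self, name):
        """Team-controlled: retargets every app that never pinned a library."""
        self._default = name

    def set_app_config(self, app, name):
        """App-controlled: once pinned, the team's default no longer applies."""
        self._app_config[app] = name

    def is_pinned(self, app):
        return app in self._app_config

    def library_for(self, app):
        return self._app_config.get(app, self._default)


def apps_inheriting_default(endpoint, apps):
    """Audit check: apps whose effective library the team could still move."""
    return sorted(a for a in apps if not endpoint.is_pinned(a))


def run_scenario():
    """Effective library per app before and after a unilateral default swap."""
    ep = Endpoint()
    ep.register_library("lib_v1")
    ep.register_library("lib_v2")
    ep.set_default("lib_v1")
    ep.set_app_config("pinned_app", "lib_v1")  # opted out of the defaults
    apps = ["pinned_app", "default_app"]
    before = {a: ep.library_for(a) for a in apps}
    ep.set_default("lib_v2")  # only the team can do this
    after = {a: ep.library_for(a) for a in apps}
    return before, after, apps_inheriting_default(ep, apps)
```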

Cross-chain bridge security has been a hot topic in the crypto community over the past few years, as millions of dollars have been lost through bridge hacks. In May, the Axie Infinity Ronin Bridge was exploited for $600 million by an attacker who stole keys to the developers’ multisig wallet and used it to mint coins without any backing. A similar attack occurred against the Harmony Horizon Bridge on June 24, with $100 million in crypto stolen. The Harmony team has since relaunched the bridge using the LayerZero protocol.

SEC settles on security claim in LBRY case; community calls it a big win for crypto

The SEC was hoping to seek affirmation on an ambiguous injunction after scoring a victory during a hearing in November 2022, but judges made it clear that the judgment was only for the direct sale.

The United States Securities and Exchange Commission (SEC) admitted on record that the sale of LBRY Credits (LBC) tokens in the secondary market doesn’t constitute a security. The settlement came during an appeal hearing in the LBRY vs. SEC case on Jan. 30.

In what many called a victory for the entire crypto industry against the SEC’s overreach through regulation by enforcement, Attorney John Deaton settled a major debate during the appeal hearing.

The SEC was awarded summary judgment in its favor during the Nov. 7, 2022 hearing. The judgment categorized each sale of the LBC token during a six-year period as an investment contract without going into detail about the transactions’ specifics. The SEC hoped to extend its reach to the secondary market and bring it under its purview as well. The SEC has asked the New Hampshire district court judge to affirm the wide, ambiguous injunction prohibiting its sale.

Deaton, who represented tech journalist Naomi Brockwell as an amicus curiae, sought clarity for LBC secondary market transactions because he found the injunction ambiguous and broad. An amicus curiae is an individual or organization that is not a party to a legal case but is permitted to assist a court by offering information, expertise, or insight that has a bearing on the issues in the case.

Deaton cited a paper by commercial contract attorney Lewis Cohen that examined all securities lawsuits in the U.S. since the SEC vs. W.J. Howey Co. case. In none of the cases Cohen examined did a court find that the underlying asset itself was a security.

Related: The aftermath of LBRY: Consequences of crypto’s ongoing regulatory process

Deaton persuaded the judge that LBC’s secondary market transactions were not securities. The SEC requested an order that does not make a distinction between LBRY, the company’s management, and users in an effort to avoid providing clarification for LBC. The judge turned to Deaton and told him: “amicus, I’m going to make it clear that my order does not apply to secondary market sales.”

The ruling in the case came as a relief for many in the crypto community, especially XRP holders. Ripple is currently facing a securities lawsuit from the SEC over the sale of XRP tokens. The recent ruling, which indicates that LBC token sales in the secondary market don’t qualify as securities, can work in favor of Ripple in its long-running lawsuit. A pro-XRP Twitter account said the ruling makes XRP a non-security as well.

Another user suggested the recent ruling could force a settlement in the Ripple lawsuit and said:

“That’s going to kill the sec court case against XRP could this force a settlement?”

Others lauded Deaton for his continuous work fighting the SEC’s overreach, as he has been actively involved in the Ripple lawsuit.

Polkadot restates its case that DOT has ‘morphed’ away from security status

The Web3 Foundation has reminded the world that, in its eyes, it has conformed to SEC requirements and DOT should no longer be considered a security.

The Web3 Foundation, which supports the Polkadot protocol, has again presented its argument that its native DOT (DOT) token is not a security. In a Twitter thread, the foundation emphasized its efforts to comply with U.S. securities laws, as well as Securities and Exchange Commission guidance on digital assets, and declared that DOT had successfully “morphed” and is software, not a security. 

The Web3 Foundation reposted an excerpt from a December Twitter Space where Angela Dalton, identified as an adviser to the foundation, described how representatives accepted the SEC’s invitation to “come in and talk to us.” Subsequently, the foundation claimed:

“The Foundation made sure the SEC’s full vision of token morphing was addressed, […] as well as taking steps to manage the distribution of the DOT token so that no individual holds a large percentage of the network, turning down purchases from VCs interested solely in investment purposes, and promoting the tech but not the token.”

“The Foundation is confident DOT has morphed and is not a security. It is software,” the foundation concluded. Polkadot is a multichain protocol that had 66 blockchains operating on it and its Kusama parachain network as of October 2022. The Web3 Foundation was founded by Gavin Wood, a co-founder of Ethereum, and released the Polkadot white paper in 2016. Polkadot completed its launch in December 2021 when it rolled out parachains, according to a Medium post.

“Our experience has been a positive one,” the foundation says in the post. “The SEC has welcomed meetings with the Web3 Foundation, and there has been a spirit of open communication and dialogue.”

Related: Staking on Polkadot, explained

The Web3 Foundation first declared DOT a non-security in November. Its position has apparently not received confirmation from the SEC. The foundation’s argument echoes key points in the SEC case against Ripple. “Morphing” is a concept put forward in a speech delivered by former SEC official William Hinman at the Yahoo Finance All Markets Summit in June 2018.