Security

Balancer warns some LPs to remove liquidity ASAP because of a ‘related issue’

The team did not disclose what the issue is but stated that it “cannot be mitigated by the emergency DAO.”

In a Jan. 6 tweet, decentralized finance protocol Balancer warned certain liquidity providers to remove their LPs “ASAP” due to an ongoing issue related to some of the service’s pools. Some pools have had their fees set to zero by the Balancer emergency multisig, but the team indicated that not all effects of the still-unknown issue could be mitigated in this way.

Balancer said the pools that need to be withdrawn include DOLA/bb-a-USD on Ethereum, It’s MAI Life and Smells Like Spartan Spirit on Optimism, and Tenacious Dollar on Fantom.

At 2:03 am UTC on Jan. 6, Balancer took to Twitter to announce an “issue” with liquidity pools on the platform. It stated that protocol fees have been set to zero to mitigate the issue and that more details “will be publicly disclosed in the near future.”

Balancer stated that if a pool’s transaction fees have been set to zero by the emergency multisig, no further action is needed on the part of LPs. The pools will continue to accumulate fees, but Balancer itself will not take its cut.

Balancer is the sixth-largest decentralized exchange (DEX) by trading volume, handling over $52 million in crypto trades each day, according to analytics platform DefiLlama.

Initial responses from the community have noted the vagueness of Balancer’s messages, leading some to assume the worst.

Back in December, the Raydium DEX was targeted by a fee exploit in which the attacker used a compromised admin key to change pool parameters, tricking the pool smart contract into behaving as if the entire pool consisted of accumulated admin fees.

Indonesia to launch national crypto exchange in 2023: Report

The platform comes as a part of the plan to shift the regulatory oversight from the commodities agency to the securities authority.

As a part of its reform of crypto regulation, Indonesia will create a crypto exchange in 2023, according to reports. The platform is planned to launch before regulatory power shifts from the commodities agency to the securities authority.

On Jan. 4, the head of the Commodity Futures Trading Regulatory Agency of Indonesia (Bappebti), Didid Noordiatmoko, stated that a crypto exchange should be set up this year. The move comes as a part of broader financial reform launched in December 2022.

In accordance with the reform, within the next two years oversight of crypto will pass from Bappebti, a commodities-focused agency, to the Financial Services Authority (FSA).

The Financial Sector Development and Reinforcement bill (P2SK) was ratified by the House of Representatives of Indonesia on Dec. 15 to become the primary legal reference for the financial services sector. Explaining the shift of authority from Bappebti to the FSA cemented by the bill, Suminto Sastrosuwito, head of Financing and Risk Management at the national finance ministry, claimed that:

“In fact, crypto assets have become investment and financial instruments, so they need to be regulated on an equal basis with other financial and investment instruments.”

Indonesia imposed a blanket ban on crypto payments starting in 2017, while trading in digital assets has largely remained legal in the country. In the first days of January, Noordiatmoko revealed that the value of crypto transactions in the country fell by half in 2022 — from 859.4 trillion Indonesian rupiahs ($55 million) to 296.66 trillion ($19 million).

Related: Majority of crypto exchange leadership should be comprised of citizens, say Indonesian regulators

In December, Bank of Indonesia Governor Perry Warjiyo announced the release of the conceptual design of a digital rupiah — a currency the equivalent of the country’s fiat — which will be made available for public discussion.

Sam Bankman-Fried’s Alameda Research troubles predate FTX: Report

SBF had claimed that the operations of FTX and Alameda were independent, but the recent lawsuit has revealed that both firms worked in conjunction from day one.

New reports into Sam Bankman-Fried and his collapsed exchanges revealed that Alameda Research, the now-bankrupt crypto trading firm, almost collapsed in 2018, even before FTX was in the picture.

A report published in The Wall Street Journal, citing former employees, revealed that Alameda incurred heavy losses from its trading algorithm. The algorithm was designed to make a large number of fast, automated trades. However, the firm was losing money by betting the wrong way on price movements.

In 2018, Alameda lost nearly two-thirds of its assets due to the price fall of the XRP (XRP) token and was on the brink of collapse. However, Bankman-Fried reportedly managed to rescue the trading firm by raising funds from lenders and investors on a promise of returns of up to 20% on their investment.

As per the report, in Jan. 2019, Alameda sponsored the inaugural Binance Blockchain Week conference, and SBF used the event to get in touch with investors to secure funding for his failing trading firm.

Later, in April 2019, FTX was launched with a promise to offer a safe haven for institutional investors. With the launch of FTX, Bankman-Fried used Alameda to fuel its growth, as the trading company became the major market maker for the exchange. It was always open for other traders to purchase from and sell to. People familiar with Alameda’s tactics claim that the firm occasionally took the losing side of a deal to draw clients.

Related: US lawmakers under pressure following FTX collapse: Report

While Bankman-Fried had claimed earlier that Alameda and FTX had always operated independently, the recent lawsuit by the United States Securities and Exchange Commission (SEC) suggests otherwise.

The lawsuit revealed that Bankman-Fried ordered the creation of a piece of code to gain an unfair advantage. The code would let Alameda maintain a negative balance on FTX regardless of the amount of collateral it placed with the exchange. Bankman-Fried also ensured that Alameda’s FTX collateral wouldn’t be automatically liquidated if its value dropped below a particular threshold.

The recent report established that Alameda was a sinking ship from its early days. However, Bankman-Fried not only rescued it in 2018 with borrowed funds but later used it to create the now-collapsed FTX crypto exchange and fuel its growth.

BitKeep exploiter used phishing sites to lure in users: Report

The attacker appears to be attempting to cash out funds using Binance and Changenow.

The BitKeep exploit that occurred on Dec. 26 used phishing sites to fool users into downloading fake wallets, according to a report by blockchain analytics provider OKLink.

The report stated that the attacker set up several fake BitKeep websites that hosted an APK file made to look like version 7.2.9 of the BitKeep wallet. When users “updated” their wallets by installing the malicious file, their private keys or seed words were stolen and sent to the attacker.

The report did not say how the malicious file obtained the users’ keys in unencrypted form. However, it may simply have asked users to re-enter their seed words as part of the “update,” which the software could then have logged and sent to the attacker.

Once the attacker had users’ private keys, they unstaked all assets and drained them into five wallets under the attacker’s control. From there, they tried to cash out some of the funds using centralized exchanges: 2 Ether (ETH) and 100 USD Coin (USDC) were sent to Binance, and 21 ETH were sent to Changenow.

The attack happened across five different networks: BNB Chain, Tron, Ethereum and Polygon, and BNB Chain bridges Biswap, Nomiswap and Apeswap were used to bridge some of the tokens to Ethereum. In total, over $13 million worth of crypto was taken in the attack.

Related: Defrost v1 hacker reportedly returns funds as ‘exit scam’ allegations surface

It is not yet clear how the attacker convinced users to visit the fake websites. The official website for BitKeep provided a link that sent users to the official Google Play Store page for the app, but it does not carry an APK file of the app at all.

The BitKeep attack was first reported by PeckShield at 7:30 am UTC. At the time, it was blamed on an “APK version hack.” This new report from OKLink suggests that the malicious APK came from phishing sites and that the developer’s official website was not breached.

1inch launches Fusion upgrade to improve swap security and profitability

As a decentralized trading and matching system, the 1inch Swap Engine connects DeFi users and provides liquidity for crypto trades through professional market makers.

Leading decentralized finance (DeFi) aggregator 1inch Network announced a major upgrade — Fusion — around its 1inch Swap Engine. The Fusion upgrade aims to deliver cost-efficient, secure and profitable swaps for crypto investors.

The Fusion mode in the 1inch Swap Engine allows DeFi investors to place orders with a predetermined price and time range without paying network fees. In addition, the upgrade includes network improvements such as updated staking contracts and tokenomics.

As a decentralized trading and matching system, the 1inch Swap Engine connects DeFi users and provides liquidity for crypto trades through professional market makers. Explaining the intent behind the Fusion upgrade, 1inch Network co-founder Sergej Kunz stated:

“Fusion makes swaps on 1inch dramatically more cost-efficient, as users won’t have to pay network fees, plus, an extra layer of security is added, protecting users from sandwich attacks.”

Going against the traditional centralized approach, 1inch’s latest upgrade allows investors to perform secure noncustodial swaps, which are executed in a totally permissionless and trustless way.

According to the announcement, 1inch offers limitless liquidity and uses a new type of decentralized order-matching approach based on the Dutch auction model, as shown below.

The Fusion mode allows users to exchange tokens on various decentralized exchanges (DEXs) without paying any network fees. The upgrade also allows users to choose the order execution time as per their unique requirements.

Moreover, the Fusion mode provides protection against maximal extractable value (MEV), which refers to the maximum value that can be extracted from block production in excess of the standard block reward and gas fees.

Alongside the upgrade, 1inch launched the 1inch Resolver Incentive Program, which will help resolvers get a refund on the gas spent on filling users’ orders in Fusion mode until Dec. 31, 2022.

Related: 1inch releases new tool to protect traders against ‘sandwich attacks’

Security experts believe that bridge attacks will still pose a major challenge for the DeFi sector in 2023.

Speaking to Cointelegraph, Theo Gauthier, founder and CEO of Toposware, pointed out that bridges have an “inherent vulnerability” because they rely on the security of the chains they connect to.

In this regard, one of the major technologies available is zero-knowledge proofs (ZKPs), which allow data to be verified and proven as accurate without revealing further information.

LastPass attacker stole password vault data, showing Web2’s limitations

LastPass users with weak master passwords may need to change the individual passwords they stored with the service.

Password management service LastPass was hacked in August 2022, and the attacker stole users’ encrypted password vaults, according to a Dec. 23 statement from the company. This means that the attacker may be able to crack some website passwords of LastPass users through brute-force guessing of their master passwords.

LastPass first disclosed the breach in August 2022, but at that time, it appeared that the attacker had only obtained source code and technical information, not any customer data. However, the company has since investigated and discovered that the attacker used this technical information to compromise another employee’s device, which was then used to obtain keys to customer data stored in a cloud storage system.

As a result, unencrypted customer metadata has been revealed to the attacker, including “company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.”

In addition, some customers’ encrypted vaults were stolen. These vaults contain the website passwords that each user stores with the LastPass service. Luckily, the vaults are encrypted with a Master Password, which should prevent the attacker from being able to read them.

The statement from LastPass emphasizes that the service uses state-of-the-art encryption to make it very difficult for an attacker to read vault files without knowing the Master Password, stating:

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

Even so, LastPass admits that if a customer has used a weak Master Password, the attacker may be able to use brute force to guess this password, allowing them to decrypt the vault and gain all of the customers’ website passwords, as LastPass explains:

“it is important to note that if your master password does not make use of the [best practices the company recommends], then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.”

Can password manager hacks be eliminated with Web3?

The LastPass exploit illustrates a claim that Web3 developers have been making for years: that the traditional username and password login system needs to be scrapped in favor of blockchain wallet logins.

According to advocates for crypto wallet login, traditional password logins are fundamentally insecure because they require hashes of passwords to be kept on cloud servers. If these hashes are stolen, they can be cracked offline. In addition, if a user relies on the same password for multiple websites, one stolen password can lead to a breach of all the others. On the other hand, most users can’t remember a different password for every website.

To solve this problem, password management services like LastPass have been invented. But these also rely on cloud services to store encrypted password vaults. If an attacker manages to obtain the password vault from the password manager service, they may be able to crack the vault and obtain all of the user’s passwords.
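The two mechanisms described above, a server that holds only a password-derived value that can be guessed against offline once stolen, and a vault that is opened by a key derived from a master password the service never sees, as an added Python example. This is not LastPass’s code or scheme: the iteration count, the 12-character policy, the guessing-rate figure and the HMAC-based stand-in for AES-256 are all assumptions made here so the example runs on the standard library alone. What it shows is the defender’s arithmetic: every wrong guess against a stolen blob costs the full key-derivation work, so the master password’s length and the iteration count are the only two dials that make a stolen vault expensive to open.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example (not LastPass's actual settings):
# PBKDF2-HMAC-SHA256 with a random 16-byte salt per vault and a fixed
# iteration count. Raising the count multiplies the cost of every guess.
ITERATIONS = 100_000
KEY_LEN = 32  # 256-bit key, the key size the page mentions


def derive_vault_key(master_password, salt, iterations=ITERATIONS):
    """Stretch the master password into the vault key.

    The service only needs the salt and iteration count to store; the master
    password itself is never sent or stored, so a breach exposes ciphertext
    that can only be opened by guessing the password and re-deriving the key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a stand-in for AES-256 so the example
    needs no third-party library. Not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(vault_key):
    """Split the derived key into separate encryption and MAC keys."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal_vault(master_password, plaintext, iterations=ITERATIONS):
    """Encrypt and authenticate a vault blob; this blob is what a breach exposes."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(derive_vault_key(master_password, salt, iterations))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "nonce": nonce,
            "ciphertext": ciphertext, "tag": tag}


def open_vault(master_password, blob):
    """Return the plaintext, or None when the master password is wrong or the
    blob was tampered with. Each attempt pays the full PBKDF2 cost."""
    enc_key, mac_key = _subkeys(derive_vault_key(master_password, blob["salt"], blob["iterations"]))
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], ks))


def expected_crack_seconds(charset_size, length, iterations, hashes_per_second):
    """Expected time for exhaustive guessing to reach a master password chosen
    uniformly from charset_size**length candidates (half the space on average).
    hashes_per_second is an assumed figure for the guesser's SHA-256 throughput."""
    candidates = charset_size ** length
    seconds_per_guess = iterations / hashes_per_second
    return candidates * seconds_per_guess / 2


def meets_master_password_policy(master_password, min_length=12):
    """Assumed policy: at least 12 characters using lower, upper, digit and symbol classes."""
    classes = [any(c.islower() for c in master_password),
               any(c.isupper() for c in master_password),
               any(c.isdigit() for c in master_password),
               any(not c.isalnum() for c in master_password)]
    return len(master_password) >= min_length and all(classes)


if __name__ == "__main__":
    # Constructed sample vault contents.
    blob = seal_vault("Tr0ub4dor&3-long-enough", b"example.com: hunter2")
    print(open_vault("Tr0ub4dor&3-long-enough", blob))   # b'example.com: hunter2'
    print(open_vault("password", blob))                  # None
    pin = expected_crack_seconds(10, 6, ITERATIONS, 1e9)     # 6-digit PIN
    strong = expected_crack_seconds(94, 12, ITERATIONS, 1e9)  # 12 printable characters
    print(f"6-digit PIN: ~{pin:.0f} s; 12 printable chars: ~{strong / 3.15e7:.2e} years")
```

The `expected_crack_seconds` arithmetic is the point LastPass’s advisory makes: doubling the iteration count doubles the cost of every guess, but a weak master password shrinks the candidate space by so many orders of magnitude that no iteration count rescues it, which is why the advice for weak master passwords is to rotate the stored site passwords rather than rely on the encryption.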

Web3 applications solve the problem in a different way. They use browser extension wallets like MetaMask or Trust Wallet to sign in with a cryptographic signature, eliminating the need for a password to be stored in the cloud.

An example of a crypto wallet login page. Source: Blockscan Chat

But so far, this method has only been standardized for decentralized applications. Traditional apps that require a central server don’t currently have an agreed-upon standard for how to use crypto wallets for logins.

Related: Facebook is fined 265M euros for leaking customer data

However, a recent Ethereum Improvement Proposal (EIP) aims to remedy this situation. Called EIP-4361, the proposal attempts to provide a universal standard for web logins that works for both centralized and decentralized applications.

If this standard is agreed upon and implemented by the Web3 industry, its proponents hope that the entire World Wide Web will eventually get rid of password logins altogether, eliminating the risk of password manager breaches like the one that has happened at LastPass.

Crypto on-chain crime drama sees the good guys finally win

Security firm Harpie managed to avert a crypto robbery by simply paying a higher gas fee than the exploiter.

Stories about people having their private keys hacked or stolen are nothing new, with a number losing their life savings to these thefts. However, in a rather anticlimactic turn, one crypto user managed to save their holdings despite losing their private keys.

Harpie, an on-chain security firm, revealed an instance of on-chain crime drama where the good guys eventually won. One of the users in its Discord group reportedly raised concerns about the suspected theft of their private keys. When the firm looked into the customer’s wallet, someone was indeed trying to transfer funds out of the victim’s accounts.

However, the security firm managed to act fast and move the victim’s funds to a noncustodial vault contract before the hacker could transfer them. This contract allowed the victim to recover their tokens from a different, uncompromised wallet. The firm was able to do so by paying a higher gas fee for its transaction than the attacker had, so that its transfer of the victim’s funds was confirmed first.

This was only possible because the victim protected their tokens with Harpie, allowing the security firm to intervene whenever a case of possible theft came to their attention. The firm said:

“When we detected the malicious transfer, we moved this user’s funds to a noncustodial vault before that transaction could confirm by paying a higher gas fee.”

The on-chain security firm said it has recovered about $700,000 worth of stolen funds and acts as an on-chain firewall for the community.

Related: 10,000 BTC moves off crypto wallet linked to Mt. Gox hack

While what Harpie did was all about timely intervention and required access to the user’s wallet, there have been several instances where the crypto community has come together to retrieve stolen funds and nonfungible tokens as well. As Cointelegraph reported in May, the Solana community came together to “scam” a scammer in order to get back some stolen NFTs.

With blockchain and distributed ledger technology powering the majority of cryptocurrencies, tracking stolen funds of any kind becomes easier. On the other hand, stealing funds is only the first step for exploiters: it might take them years to move even a small portion of the funds, and there have been instances where they were caught even then.

Bringing community-based solutions to crypto lending can solve trust issues

The crypto lending space is plagued with trust and security concerns, but crypto lending platform BNPL Pay offers an innovative community-based lending solution.

BNPL Pay: Partnership Material

Crypto lending is a type of decentralized finance (DeFi) that allows investors to lend their crypto tokens in return for regular interest payments. The space comprises both centralized and decentralized entities that manage the entire process on behalf of their investors.

Offering high annual percentage yields (APY) to the investors from whom the tokens are borrowed, these lending platforms then lend the same assets out as collateralized crypto loans to borrowers.

However, despite providing businesses with easy access to capital and promising high yields for investors, the crypto lending space finds itself entangled in liquidity issues stemming from its unregulated and overleveraged lending practices.

As a result, crypto investors have either lost their tokens in debacles such as the Celsius Network meltdown or are gripped with fear that they may be unable to withdraw their crypto staked with distressed crypto lending platforms.

Major problems afflicting the crypto lending space

With major cryptocurrencies correcting by over 70% from levels last seen in November 2021, the crypto lending industry has been mired in a spiraling credit crisis, exacerbated by the crash of the Terra stablecoin in May 2022. The ensuing liquidity crisis has already consumed leading crypto lenders and hedge funds such as Celsius Network, Vauld, Three Arrows Capital (3AC), Voyager Digital and Babel Finance, made worse by overleveraged trading and suspect business practices.

Consequently, the crypto lending space has been clouded with severe trust issues, with more lending platforms seeking fund infusions to tide over the current bear market.

In a niche market with limited offerings, investors and crypto firms often use borrowed capital for speculation, hedging or working capital.

Any overexposure on the part of a borrower could put the lender at immense risk of having to mark down the lent amount, leading to liquidity concerns if a majority of investors proceed to withdraw their deposited tokens. Making matters worse is the opaque manner in which most crypto lenders operate, often using tokens staked by investors to pursue high-risk trades in the hope of turning a larger profit.

As in the case of Celsius Network, many lenders remain at risk of becoming insolvent if cryptocurrency prices dip further, potentially setting off another domino effect.

What are the possible solutions to these overriding concerns?

The major problems with collateralized crypto lending are exposed during volatile market conditions, especially when cryptocurrency prices drop consistently. With a lender’s ability to repay investors hinging on price movements of the underlying staked tokens and the amount of collateral collected, there is a clear need to delink crypto lending from such price-driven risk and adopt a more community-focused approach.

One such example is BNPL Pay, a decentralized crypto platform where communities can create banking nodes to borrow and lend from one another.

Based on the assumption that communities can better manage trust, BNPL Pay allows each banking node to be self-governed and decide which loan requests to accept or decline. Borrowers, on their part, can set the loan terms, decide on the percentage of collateral they are comfortable with and provide any additional information as deemed fit.

As a result, both lenders and borrowers enter into an agreement with conditions set by both parties at the very start of the contract. BNPL Pay merely acts as a technology provider and facilitator without interfering with the assets covered by the contract.

With funds managed via the BNPL Smart Contract suite, which has additionally been audited by cybersecurity firm PeckShield, there is no scope for BNPL Pay to misappropriate capital or face solvency issues in the event that a borrower defaults on payments.


Where is the crypto lending space headed?

With crypto markets currently going through one of the most challenging bear periods yet, it is time for DeFi providers like crypto lenders to develop new business models unaffected by market volatility. Building trust within the stakeholder ecosystem is a must, and BNPL Pay has shown one unique way to do this.

As developers and entrepreneurs learn from the mistakes made by the growing list of bankrupt crypto lenders, the space will witness rapid transformation in the days to come. The focus needs to be on building solutions that promote financial inclusivity, targeting real-world businesses like mom-and-pop stores and solving their working capital requirements.

This will require crypto lenders to adopt more transparent business practices and adhere to stringent self-regulated disclosure norms, at least until a formal regulatory framework is mandated by the various governments worldwide.

What is certain, though, is that the next leg of growth for crypto lenders will come from attracting more mainstream crypto investors, focusing on their ability to help communities lend and borrow within themselves for greater trust and security.

Material is provided in partnership with BNPL Pay

Disclaimer. Cointelegraph does not endorse any content or product on this page. While we aim to provide you with all the important information we could obtain, readers should do their own research before taking any action related to the company and carry full responsibility for their decisions; nor can this article be considered investment advice.

Identity in the metaverse at risk, says former Windows architect

As metaverse adoption climbs and users join digital reality, they put themselves at risk of identity theft in new ways, including minors who engage in metaverse games.

The metaverse is coming for users at full speed. Companies and brands are jumping into digital reality, and according to a recent survey, consumer interest is climbing alongside all the activity.

At the same time, as more users join in on metaverse activity, the risk of nefarious activity in digital reality grows. A report from cybersecurity firm Kaspersky revealed that exploitation and abuse in the metaverse are set to rise in the next year.

Threats range from scams, which are to be expected with digital interactions, to avatar-related identity theft and abuse.

For a better understanding of the dangers and risks users can face stepping into digital reality, Cointelegraph spoke with Andrew Newman, chief technology officer and co-founder of cybersecurity firm ReasonLabs and former architect of Microsoft’s Windows Defender anti-malware software.

The primary concept users must understand is that metaverse identity is “likely to become users’ digital identity,” according to Newman:

“As our real-life and online identities continue to merge, the stakes for identity theft on the Metaverse will increase.”

He highlighted that avatar scams have already been reported on platforms like Roblox. The example Newman gave was an attacker trying to convince a user that they need access to the user’s avatar for any of a number of reasons, with the ultimate aim of stealing their digital identity.

Although digital identity threats are already common, they will increase as money and virtual currencies become tied to metaverse avatars. Newman warns consumers that, as more money is spent on digital assets for these avatars:

“Just as we are protective of our physical assets, we need to make sure that people protect their digital assets and personal information within the Metaverse.”

The number and variety of digital assets with real value that users can own are expanding endlessly. This suggests that cybercrime and theft will only become more complex as digital reality expands.

Related: Self-sovereignty in the creator economy and Web3 — Is there room for both?

There is a lot of promise in blockchain and emerging technologies for transparency and security. However, Newman says users need to be vigilant nonetheless:

“We shouldn’t assume that our funds are not susceptible to theft simply because they are in the Metaverse rather than in a traditional banking network.”

Another component of identity theft in the metaverse is that minors are susceptible to such threats. In many ways, the metaverse is designed to engage both youth and young adults.

Minecraft, Fortnite and Roblox have all attracted young user bases. Often, minors don’t grasp the importance of cybersecurity or their digital footprint. Newman said there are already threats minors face in online digital worlds. However:

“Finances might shift over time from virtual in-game currency and items, to more traditional finances such as real money or crypto ties to newer ‘web3’ identities in games.”

This would create more value to be extracted from unsuspecting minors.

Currently, major Web3 developers such as Chainlink are developing new security protocols for users in digital reality. Developers both inside and outside the industry are looking to create a global metaverse policy to address a growing list of concerns.