Smart Contract

Fake Ethereum Denver website linked to notorious phishing wallet

Hackers continue to create fake Web3-enabled websites to fleece unsuspecting victims’ browser-based wallets, with ETHDenver being the latest victim.

A fake website of the popular Ethereum Denver conference is the latest phishing target of a red-flagged smart contract that has stolen over $300,000 worth of Ether (ETH).

The popular conference saw its website duplicated by hackers this week in order to trick users into connecting their MetaMask wallets. According to Blockfence, which identified the fraudulent website, the smart contract has accessed more than 2,800 wallets and stolen over $300,000 over the past six months.

ETHDenver also issued a notice to its followers on Twitter warning of the malicious website.

Blockfence CEO Omri Lahav told Cointelegraph that users were prompted to connect their MetaMask wallets via the usual “connect wallet” button. The website prompts a transaction that, if approved, carries out the malicious function and steals the users’ funds.

Blockfence’s research team identified the incident while tracking different trends in the industry. Lahav said that the smart contract executing the scam had stolen over 177 ETH since its deployment midway through 2022:

“Since the smart contract was deployed almost six months ago, it’s possible that it was used on other phishing websites.”

Hackers had gone as far as paying for a Google advertisement to promote the malicious website’s URL, banking on search trends being high, with ETHDenver taking place on Feb. 24 and 25. The fake website appeared second on a Google search, above the actual ETHDenver website.

As Cointelegraph previously reported, hacks and scams continue to be commonplace in the cryptocurrency ecosystem. 2022 saw over $2.8 billion of cryptocurrency stolen through a variety of hacks and exploits.

China’s digital yuan gets smart contract functionality alongside new use cases

China’s central bank digital currency (CBDC) has seen new use cases in recent days, including buying securities and making offline payments.

China’s central bank digital currency (CBDC) — the digital yuan, or eCNY — has received upgrades giving it smart contract functionality alongside a series of newly unveiled use cases.

The smart contract function was launched on the Meituan app, a Chinese app offering retail and food delivery services, according to a Jan. 17 report by local cryptocurrency media outlet 8btc.

When Meituan users place an order and pay with their e-CNY wallet, a smart contract triggers and searches for keywords and purchased items in their order. If a user buys something on the list of keywords for the day, they go in the draw to win part of a prize.

The prize is a share of a “red envelope” known locally as hongbao containing 8,888 yuan, worth a little over $1,300.

Hongbao are small packets traditionally used for gifting money around Chinese New Year as a gesture of good luck.

A user prepares to send a digital red packet on the messaging app WeChat. Image: YouTube

In December, the e-CNY wallet app introduced a feature for users to send digital red envelopes in a bid to boost adoption before the Chinese New Year on Jan. 22.

Digital yuan sees new avenues for use

Alongside the latest development, new uses for the e-CNY have also been added over the last few days.

A Jan. 16 report from the China Securities Journal said e-CNY was used to buy securities for the first time. Investors can also use the CBDC to buy securities with the mobile app for Soochow Securities, a local brokerage firm.

The digital yuan wallet app also received an update with users now able to make contactless payments using Android phones even if their device is without internet or power, according to a Jan. 11 Yicai Global report.

The new uses for the digital yuan come as China has been struggling with the adoption rate of its CBDC.

Related: CBDCs not worth the costs and risks, says former BoE advisor

A former official from the People’s Bank of China (PBOC), the country’s central bank, even made a rare public admission in December that the digital yuan’s “usage has been low” and “highly inactive,” adding “the results are not ideal.”

On Jan. 10, the PBOC included e-CNY in currency circulation reports for the first time, revealing the CBDC represented roughly 0.13% of the 10.47 trillion yuan ($1.54 trillion) in circulation at the end of 2022.

Maple Finance 2.0 overhaul aims to speed the process for loan defaults

The overhaul of the protocol, dubbed “Maple 2.0,” comes only weeks after the decentralized lending platform saw two major defaults on the back of FTX’s collapse.

Crypto lending platform Maple Finance has unveiled a major protocol upgrade aimed at making defaults and liquidation procedures less cumbersome in the wake of recent defaults.

Maple Finance is a decentralized credit market powered by blockchain technology. Instead of requiring loans to be overcollateralized, it allows managers to issue loans from its lending pools based on a set of risk-management criteria, according to the protocol’s documentation.

But in the wake of FTX’s collapse, the platform experienced two major defaults from borrowers on the platform.

On Dec. 1, algorithmic trading firm and market maker Auros Global missed its payment of 2,400 Wrapped Ether (wETH) following Alameda’s demise, causing the loan to go into a five-day grace period. That grace period has since passed, and the borrower has begun to incur penalties, according to a post by lender M11Credit.

Days later on Dec. 6, crypto hedge fund Orthogonal Trading admitted to having been “severely impacted by the collapse of FTX,” prompting M11Credit to issue a notice of default on the fund’s $36 million in loans.

The new protocol overhaul, dubbed “Maple 2.0,” will upgrade its smart contracts so that defaults such as these can be more quickly handled and settled by loan managers, known as “pool delegates.”

Previously, loans could only be put into default if a borrower missed a payment and the grace period passed. This meant that collateral could not be liquidated even if the borrower admitted in advance that they couldn’t make payments.

In a blog post explaining the platform’s new features, Maple said that pool delegates will now be able to declare an early default if a borrower meets a condition of default, which will make the loan payable immediately.

Furthermore, if a borrower doesn’t pay within the grace period, the delegate can liquidate the loan — meaning all lenders within the pool can realize the loss immediately while recovery is pursued, Maple added.

Related: Politicians attack crypto, demand regulation at FTX congressional hearing

The new version of Maple Finance also includes features meant to make quality-of-life changes to the lending platform.

Withdrawals can now be scheduled and prorated, and lenders can request withdrawals at any time, whereas previously they needed to wait a minimum of 30 days to withdraw after their deposit.

Pool delegates now provide “first loss capital,” meaning they are the first to suffer in the event of a default. The Maple team believes this will more closely align pool delegates’ interests with the interest of lenders.

The upgrade also introduces the automatic compounding of interest, so that interest earned is automatically reinvested into the pool and does not need to be redeposited.

Other changes include the adoption of ERC-4626 standards, allowing for more decentralized finance (DeFi) integrations and partnerships, as well as improved data and dashboards.

This AI chatbot is either an exploiter’s dream or their nightmare

The crypto community has come across an AI-powered chatbot that can be used to audit smart contracts and expose vulnerabilities.

The online crypto community has discovered a new artificial intelligence (AI)-powered chatbot that can either be used to warn developers of smart contract vulnerabilities or teach hackers how to exploit them.

ChatGPT, a chatbot tool built by AI research company OpenAI, was released on Nov. 30 and was designed to interact “in a conversational way” with the ability to answer follow-up questions and even admit mistakes, according to the company.

However, some Twitter users have come to realize that the bot could potentially be used for both good and evil, as it can be prompted to reveal loopholes in smart contracts.

Stephen Tong, co-founder of smart contract auditing firm Zellic, asked ChatGPT to help find an exploit, presenting a piece of smart contract code.

The bot responded by noting the contract had a reentrancy vulnerability where an exploiter could repeatedly withdraw the funds from the contract and provided an example of how to fix the issue.

A similar type of exploit was used in May by the attacker of the decentralized finance (DeFi) platform Fei Protocol, who made off with $80 million.

Others have shared results from the chatbot after prompting it with vulnerable smart contracts. Twitter user devtooligan shared a screenshot of ChatGPT, which provided the exact code needed to fix a Solidity smart contract vulnerability, commenting “we’re all gonna be out of a job.”

With the tool, Twitter users have already begun to jest they’re able to now start businesses for security auditing simply by using the bot to test for weaknesses in smart contracts.

Cointelegraph tested ChatGPT and found it can also create an example smart contract from a prompt using simple language, generating code that could apparently provide staking rewards for Ethereum-based nonfungible tokens (NFTs).

ChatGPT’s example Solidity smart contract for NFT staking rewards from a simple prompt. Image: Cointelegraph.

Despite the chatbot’s ability to test smart contract functionality, it wasn’t solely designed for that purpose and many on Twitter have suggested some of the smart contracts it generates have issues.

The tool also might provide different responses depending on the way it’s prompted, so it isn’t perfect.

Related: Secret Network resolves network vulnerability following white hat disclosure

OpenAI CEO Sam Altman tweeted that the tool was “an early demo” and is “very much a research release.”

He opined that “language interfaces are going to be a big deal” and tools such as ChatGPT will “soon” have the ability to answer questions and give advice with later iterations completing tasks or even discovering new knowledge.

Crypto Twitter calls for calm after wETH insolvency joke goes viral

Ethereum bull Anthony Sassano and Gnosis co-founder Martin Köppelmann were among those explaining later that the Wrapped Ethereum (wETH) FUD was part of an inside joke.

An inside joke about the “insolvency” of Wrapped Ether (wETH) over the weekend has forced influencers to explain it was just a “shitpost” after members of the community took it as real. 

The wETH insolvency FUD (fear, uncertainty and doubt) seemingly began to make the rounds on Nov. 26, with false rumors alleging that wETH isn’t backed 1:1 by Ether (ETH) and is insolvent.

Blockchain developer and contributor to the ERC-721A token standard cygaar was one of the first to spread the joke, before confirming in a subsequent post that it was in fact a “shitpost” to see who was reading his content.

In fact, only a day before, cygaar tweeted that “WETH cannot ever go insolvent” and that “WETH will always be swappable 1:1 with ETH.”

Ether bull and host of The Daily Gwei Anthony Sassano also joined in on the wETH joke with his own parody post on Nov. 27 but had to clarify later that the initial post was “shitpost/ meme” after reading the replies.

Gnosis co-founder Martin Köppelmann was another one to get in on the joke, claiming in a Nov. 27 Tweet to his 38,800 Twitter followers that wETH is no longer fully backed by ETH and that “we might see a bank run on redeeming WETH soon.”

Hours later, he said he hoped the joke “did not cause too much confusion,” linking to a thread that explained the joke for those who weren’t in the know.

Related: What is wrapped Ethereum (wETH) and how does it work?

Speaking to Cointelegraph, Markus Thielen, the head of research at crypto financial services platform Matrixport, has also confirmed that there is little to no truth to the WETH “shitposts.”

wETH’s logic is automated by smart contracts and it isn’t controlled by a centralized entity, he explained:

“I am not too concerned about WETH as it’s a smart contract and not stored by a centralized exchange. Since the smart contract is open source, it can be checked for bugs or flaws.”

On the other hand, recent FUD against Wrapped Bitcoin (wBTC) could be warranted, said Thielen, referring to rumors that FTX may have printed 100,000 wBTC out of thin air, as FTX’s Nov. 11 bankruptcy filing does not show any Bitcoin (BTC) on FTX’s balance sheet.

“WBTC is completely different and here the concerns are valid,” Thielen explained. 

wETH is a wrapped version of ETH that is pegged at a 1:1 ratio, which aims to solve interoperability issues on Ethereum-compatible blockchains by allowing for ERC-20 tokens to be exchanged more easily.

wETH was introduced as an ERC-20 token on the Ethereum network for this reason, as ETH follows different rules and thus cannot be directly traded with ERC-20 tokens.

Despite the lighthearted humor behind the jokes, Dankrad Feist suggested to his 15,500 Twitter followers in a Nov. 27 tweet that the comments should be marked “more clearly as jokes,” as it “may not be obvious to outsiders.”

wETH is currently priced at $1,196, at a current ratio of 0.999:1 to ETH, according to data from CoinMarketCap.

Solana and Ethereum smart contract audits, explained

What are smart contract audits, how do they work, and how do they benefit the crypto projects who get their code scrutinized? Let’s find out.

Do smart contract audits improve crypto’s image?

Blockchain technology is becoming a bigger part of all our lives — and auditors like Hacken are ensuring that crypto projects put their best foot forward.

Improving the quality of smart contracts helps reduce those unpleasant headlines about major hacks in the press, and boosts the reputation of crypto projects in the public’s eyes.

Once an investigation has taken place, Hacken offers labels to ensure verified projects can declare they’re audited by Hacken on an official website. 

Reports are also attached to a crypto project’s official presence on major websites such as CoinMarketCap and CoinGecko. 

The most common types of contracts that the company interacts with include token, token sale, exchange, ERC-721, swap farming, staking, ERC-20, BEP-20 and reward pool. 

Already a member of the Enterprise Ethereum Alliance and Solana Foundation, Hacken has its sights set on winning a 20% share of the Web3 cybersecurity market by 2024.

Learn more about Hacken

Disclaimer. Cointelegraph does not endorse any content or product on this page. While we aim at providing you with all important information that we could obtain, readers should do their own research before taking any actions related to the company and carry full responsibility for their decisions, nor can this article be considered as investment advice.

And how long do smart contract audits take?

It’s a process that takes several weeks — depending on how quickly a crypto project works.

Hacken says initial audits typically take 2 to 14 days depending on a smart contract’s complexity and size… and if it’s urgent, these investigations can be expedited. Again, for larger protocols, it might take longer — 30 days in some cases.

At this point, a project will be given recommendations on what needs to be fixed — and how quickly these changes are made will depend on them. Auditors like Hacken then offer a remediation check to ensure all of the vulnerabilities have been patched over to a high standard.

How much do smart contract audits cost?

As you might expect, this depends on how complex a smart contract is.

According to Hacken, this can extend to $500,000 for larger projects where there are more lines of code — not least because of the additional engineering hours it’ll take.

The company argues these costs pale in comparison with the economic damage that a smart contract vulnerability can bring.

Hacken cites data showing that, in 2021, 80% of the incidents affecting decentralized applications related to smart contracts — with losses hitting $6.9 billion.

Breaking this down even further, we can see that the average cost per project stands at $47 million. Somehow, $500,000 looks a lot less expensive now.

Overall, 60% of its clients have been based on Ethereum so far in 2022.

And here’s the difference it can make — after an audit, at least one critical bug was uncovered in 80% of projects. But Hacken says just 75% have fully acted on an audit report in the past — with the remainder ignoring the conclusions, or only taking a small number of recommendations into account. As a result, they had a lower security score.

How do smart contract audits benefit crypto projects?

Audits are vital for ironing out any kinks in a crypto project, and ensuring code is ready to be used by the masses.

Hackers were responsible for stealing $1.3 billion in 78 incidents across the first quarter of 2022 alone, and two-thirds of these attacks were on the Ethereum and Solana blockchains.

But what causes certain projects to be targeted… and how could a smart contract audit have helped them? 

Well, common reasons include crypto projects prioritizing speed — and failing to factor in time for a comprehensive audit from a dependable provider. 

They may also rely on their own in-house teams to perform security checks. And although this looks financially sensible, there’s a danger that internal staff may not be up to date on the latest hacking techniques used by malicious actors.

Inevitably, some will also believe that they are too good to fail. But complacency is enemy number one in the crypto space, and even the finest projects can fall victim to a hack.

Are Solana smart contract audits different?

Smart contract audits will vary slightly depending on the blockchain the code is based on.

Common security vulnerabilities on Solana can include missed ownership checks, meaning attackers can use fake configurations to bypass access controls.

And while smart contracts can call functions from external smart contracts, validation failures could mean black hat hackers get an opportunity to supply malicious inputs that affect how the code operates.

Top auditing firms will assess a Solana smart contract based on documentation quality, security, architecture quality and code quality. Vulnerabilities are assigned a severity level too, meaning business-critical issues can be tackled first.

How does an Ethereum smart contract audit work?

The best security firms will put code through stress tests to see how it performs in a range of scenarios.

Experts say it’s important for a project to provide a complete and clear technical specification — and ideally, offer documentation of the deployment process.

These audits aren’t just about uncovering issues that black hat hackers could take advantage of, but flaws that could stop an Ethereum smart contract from working correctly.

The attack vectors being scrutinized can get rather technical — but they include replay attacks, where valid data transmissions are repeatedly made by malicious actors in order to execute fraudulent activities. Others include reentrancy attacks, reordering attacks and short address attacks.

Once an investigation has been completed, crypto projects receive a detailed report of the vulnerabilities within their code — alongside recommendations on how to mitigate their impact, or eliminate them altogether. 

As a result, the resources saved through an effective audit can far outweigh the cost… and it can avoid reputational damage, too.

What is a smart contract audit?

Smart contract audits involve scrutinizing the code of crypto projects — highlighting security vulnerabilities.

Smart contracts are a crucial cog of the crypto ecosystem — and they’ve unlocked a plethora of use cases for blockchain technology.

But for developers who are furiously writing code, safety needs to be a number one priority. Smart contract exploits can put user funds at risk, and we’ve all seen headlines of high-profile hacks where eye-watering sums of money were lost.

An audit allows an independent organization to kick the tires of a smart contract, and detect vulnerabilities before they’re spotted by malicious actors. This can help crypto projects to achieve credibility, all while giving users peace of mind. Audits are typically done before smart contracts are deployed, as they can be difficult to fix once uploaded to a network.

Smart contracts are commonly found on blockchains including Ethereum and Solana.