Weekly Report (Apr-17)

6 min read

Yearn Finance, & Hundred Finance exploit. Canon, Adidas, and Mastercard web3 initiatives.


  • Canon is set to launch a photo NFT marketplace. 
  • Adidas has expanded its Metaverse initiative with the ALTS NFT collection.
  • Mastercard has started a Web3 artist accelerator program with free Polygon-based NFTs.

Blockchain Hacks#

Terraport Finance was hacked, resulting in a total loss of $3.9 million. The team stated that a breach was detected in the Terraport Liquidity wallet; however, the detailed cause of the attack is unknown. The attacker initially drained 9,148,426 TERRA tokens, worth $1.18 million, and 15.1 billion LUNC tokens, worth $1.88 million. Shortly afterwards, they further drained 576,736 TERRA tokens worth $115K and 5,487,381 USTC tokens worth $117K, totaling approximately $3.9 million worth of stolen funds.

Paribus was exploited due to the re-entrancy issue with the old Compound V2 fork, which resulted in a total loss of approximately $67,800. The exploiter initially took a flash loan of 200 WETH and 30,000 USDT in order to deposit them into their protocol and utilize them as collateral. The attacker used the 30,000 USDT to borrow 13 ETH from the pETH pool and invoked a call to the redeem function on the pETH pool to withdraw the deposited collateral. On the redeem function of the pToken, a transfer occurred prior to the storage update, violating the check-effect-interaction pattern; therefore, the redeemed funds in ETH were subsequently utilized by the fallback function. During the fallback execution, the pETH balance remained unaltered, which allowed the attacker to use the collateral to borrow and drain funds from other contracts in the pUSDT and pWBTC pools. We have shared a detailed analysis of the exploit in this blog.

MetaPoint was exploited due to a smart contract vulnerability, which resulted in the loss of funds worth approximately $920,000. The root cause of the exploit is the existence of a public approval function, which was taken advantage of to transfer all of the user's assets. The exploiter created attack contracts to invoke a call to this approve function of this contract in bulk and approved the maximum value. After the attacks, one of the attackers' controlled addresses held over $98,000 worth of assets, while the other transferred 2515 BNB tokens worth approximately $814,000 to Tornado Cash. A detailed analysis of the exploit can be found here.

Yearn Finance was exploited in a series of transactions that resulted in a total loss of approximately $11.54 million. The root cause of the vulnerability is a bug in the misconfigured yUSDT vault, which was effectively exploited to mint a huge amount of yUSDT tokens. According to their contract implementation, the iearn USDT token (yUSDT) was misconfigured since the time of its deployment and was using the Fulcrum iUSDC token instead of the Fulcrum iUSDT token as its underlying asset. The hacked funds are worth approximately $11.54 million and include 61K USDP, 1.5 million TUSD, roughly 1.79 million BUSD, 1.2 million USDT, 2.58 million USDC, and 3 million DAI.

Bitrue announced that one of their hot wallets was compromised, during which the attackers were able to withdraw assets worth $23 million in multiple tokens, including MATIC, HOT, ETH, GALA, and QNT. The affected hot wallet only contained less than 5% of Bitrue’s overall funds, while the rest of their wallets continued to remain secure and were unaffected.

SyncDex Finance was a rug pull, in which the team swept off users' and investors' funds worth approximately $370,000. The team has since deleted its social media accounts and other groups.

Hundred Finance was exploited, resulting in a loss of approximately $7 million. The hacker was able to manipulate the exchange rate between ERC-20 tokens and htokens, allowing them to withdraw more tokens than they had originally deposited. The malicious actor was able to inflate the price of the collateral by first depositing a few WBTC to Hundred Finance, which gave them 200 hWBTC in return. They later deposited approximately 500 WBTC taken through a flash loan, which inflated the price of hWBTC in the pool by roughly 250 times. This price manipulation allowed them to borrow funds from all the pools. The borrowed amount was paid back, and the remaining funds were kept for profits.

Metaverse, and NFTs#

Canon USA has made its foray into the world of Web3, by launching a photography NFT marketplace, following a successful NFT drop the previous year. Cadabra, a photography marketplace, will emerge later in 2023, with photo collection drops and a secondary marketplace for reselling tokenized photographs across multiple categories. It also provides collectors with access to one-of-a-kind and valuable works of digital art. Artists can also sell physical prints of their work. Orders for these prints will be filled by Canon. Furthermore, the marketplace will accept credit/debit card payments as well as cryptocurrency payments.

Adidas has announced the debut of its Metaverse initiative, which includes the launch of its ALTS NFTs on the Ethereum network. Chapter 1, also known as Phase 3, was released with hopes to deliver enhanced holder benefits and new functionality in the following months. Holders of NFTs from the initial two phases can join the ALTS by burning their NFTs and receiving a new Ethereum-based NFT in exchange for only gas fees. These tokens have dynamic user identification that will alter over time because of their interactive plot. This collection includes eight separate kinds of dynamic NFTs that correspond to different rarities and interactive stories.

The Bruce Lee Estate has collaborated with Shibuya, an NFT-driven video platform, in order to create a web3 presence for the late martial artist. The Bruce Lee open-edition NFT dubbed House of Lee - Genesis, and featured a portrait of Bruce Lee designed by both digital artist pplpleasr and Shannon Lee, Bruce Lee’s daughter. The Shibuya team priced the open edition NFT at 0.008 ETH, or about $15, and saw 48,691 editions purchased, totaling 390 ETH. The team later announced that the NFT would act as a ticket to the House of Lee after the open edition concluded.

Mastercard unveiled the Polygon based music pass NFT drop during the annual NFT NYC conference, offering collectors a number of benefits for holding the token. The Mastercard Music Pass NFT is a part of the Mastercard Artist Accelerator program launched in January and can be minted for free until the end of April. Collectors with the Mastercard pass will have early access to features such as an AI-powered music generator application, educational materials, as well as access to a virtual showcase event in June featuring artists from the company’s accelerator program. 

OnChain Insurance Industry News#

Neptune Mutual announced that the underwriting capital for Curve Finance and the 1inch cover on Arbitrum had been fully utilized and encouraged new LPs to contribute to the pool's liquidity in order to benefit from the relatively high LP returns as a result of the high utilization.

In addition, they also shared the details of their Twitter Space discussion with the Arbitrum Foundation, which is scheduled for Monday, April 17th.