Weekly Report (Apr-17)
Yearn Finance, & Hundred Finance exploit. Canon, Adidas, and Mastercard web3 initiatives.
Playing the video that you've selected below in an iframe
Dynamic Finance, NFT Cloud & Friendsies exploit. Warner Bros., OneOf, & Coinbase web3 initiattives.
Web3 has revolutionized the way we conduct online transactions. The trustless and transparent nature of decentralized platforms has piqued the interest of users and investors alike since the advent of blockchain technology. However, as the number of DeFi applications has grown, so has the risk of scams or rug pulls. These scammers use the lack of regulation in the DeFi space, as well as the anonymity provided by blockchain technology, to disappear with funds. As a result, before investing in any DeFi project, investors and users should exercise caution and conduct thorough due diligence to avoid falling victim to a rug pull.
Dynamic Finance was exploited due to insufficient reentrancy protection in the StakingDYNA contract, which caused the protocol to lose 73 BNB, worth approximately $22,400. The deposit function provided the lastProcessAt value in their contract. However, this value was only recorded for the first deposit or stake due to the logic of the code. At timeframe A, the attacker opened a new vault and deposited a small amount of DYNA. At some point in timeframe B, they took out a fairly large flash loan to borrow DYNA and deposited it before redeeming the deposit, getting rewards, and paying back the flash loan. The attacker then withdrew the rewards and capital multiple times, using the redeem function to keep the assets for profits. We have outlined a detailed analysis of the exploit in this blog post.
NFT Cloud was exploited because the staking contract didn't check the staking status of CloudNFT correctly, resulting in the loss of 265 BNB, worth approximately $81,000. The platform works in such a way that users can deposit CloudNFT and claim Cloud tokens as rewards, where one CloudNFT can only be deposited once. However, the staking contract didn't check the staking status of the first deposited token. Therefore, validations for NFT ownership and lockUntil checks are bypassed when only one token is deposited. The attacker deposited only one CloudNFT to bypass this validation and repeated this process multiple times to claim higher rewards.
Hope Finance, a Tomb-fork based in Arbitrum, published a tweet accusing a team member of rugging the project and stealing KYC information. The scammer changed the router address of the TradingHelper contract using a multisig wallet. The stolen funds totaling $1.86 million were bridged to Ethereum via Celer before being deposited into Tornado Cash.
Friendsies, an Ethereum NFT project, announced that all future plans for the project would be paused after raising more than $5.3 million in ETH in last year's mint. Some users who sought information on the news after the announcement discovered that they had been blocked on Twitter. After a short while, Friendsies removed its social media account, leading to a rug pull.
Funko and Warner Bros. have joined forces to release the digital collectibles for the hit HBO show House Of The Dragon on February 28th. Fan favorites such as Daemon Targaryen, Rhaenyra Targaryen, and Viserys Targaryen appear in the first collection. This collection transforms the beloved HOTD characters into the brand's iconic toys. The HOTD Digital Pops are divided into two tiers: Standard Collectible packs and Premium Collectible packs. The Standard Pack contains 5 digital collectibles worth $9.99 USD. The Premium Packs, on the other hand, include 15 Digital Pops and cost $29.99 USD. In addition, with each purchase, fans have the chance to reveal one of the six rare Funko Digital Pops.
OneOf has collaborated with Globe Entertainment to release The Beatles: Vintage Slides, a collection of rare and vintage band photos of The Beatles. The collection honors the band's everlasting influence on fans and musicians all over the world by combining physical memorabilia with a digital certificate of authenticity. The Beatles NFT consists of 40 vintage photo slides. Each purchaser will receive a Tezos blockchain-minted Digital Certificate of Authenticity. The slides are framed and have an NFC chip embedded in them. The pre-sale is only available to OneOf OnePass holders, who can purchase access to the slides of their choice for around $199. OnePass members have first dibs on slides 21-40, priced at $250 each, before the public pre-sale begins. During the main sale event on March 2, 2023, OneOf will sell the remaining photo slides for $300.
Coinbase has announced the launch of Base, a layer-2 scaling network for Ethereum developed in collaboration with Optimism. The exchange released a free open edition Ethereum NFT called 'Base, Introduced' that anyone can mint using Zora. It’s an open edition NFT, which means that anyone can claim one of the identical collectibles until the minting window ends on Sunday, with a limit of one NFT per wallet. Over 24,000 Ethereum NFTs have been minted since the announcement of the news.
Neptune Mutual announced that the underwriting capital for DYDX V3cover on Arbitrum had been fully utilized and encouraged new LPs to contribute to the pool's liquidity in order to benefit from the relatively high LP returns as a result of the high utilization.
Bumper has announced that their pre-launch liquidity mining program will begin on March 1st.
Nexus Mutual announced that their V2 contract deployment will take place from February 27 through March 5. After the contracts are deployed, the team will update the Nexus Mutual UI and migrate the smart contracts from V1 to V2.