Weekly Report (Jan-23)

Weekly report of Jan 23, 2023

Midas Capital and Thoreum Finance exploited. Rarible and Yves Saint Laurent web3 initiatives.


  • Rarible has announced a marketplace builder for Polygon-based NFTs.
  • Yves Saint Laurent has filed trademark applications for NFTs and the metaverse.
  • University of Singapore has invented a VR glove to level up user experience in the metaverse.

NFTs and the metaverse have continued to attract institutions, public figures and brands despite an extended bear market. These digital assets are likely to play a significant role in the next wave of change across many industries, including art, games, music, and fashion, as they combine the fascinating worlds of virtual reality (VR), the interactive immersive experience, the interconnected participation of social media, and the lucrative trading of cryptocurrencies.

Blockchain Hacks

Midas Capital was exploited by a hacker due to a read-only reentrancy issue, causing a loss of assets worth 663,101 MATIC, amounting to over $660,000. The team had listed the WMATIC-stMATIC Curve LP token on their platform, which was manipulated by means of a flash loan from Balancer V2, AAVE V3, and AAVE V2, allowing the attacker to inflate the LP token price and borrow against it. The attacker used 270,000 $WMATIC in collateral to mint about 131,000 jFIAT tokens. After a series of price changes, the attacker created a new contract and utilized 1/10 of the borrowed amount to liquidate the debt and redeem 103,000 jFIAT tokens. When the supplied liquidity was removed from Curve, the hacker triggered a callback that allowed them to borrow assets at an inaccurate price of the Curve LP in Midas Capital, increasing their collateral tenfold. In this blog, we have provided a detailed analysis of the exploit.
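The price distortion behind read-only reentrancy can be seen in a small model. The following is an added example, not code from Midas Capital or Curve: the pool class, its simplified price formula and the `locked` flag being readable by the oracle are assumptions made for illustration. It shows the LP price read before, during and after a liquidity withdrawal, and an oracle wrapper that refuses to price the LP token while the pool is mid-operation.

```python
# Added illustration: simplified model, not Curve's or Midas Capital's code.
class ReentrancyLocked(Exception):
    """Raised when a price is requested while the pool is mid-operation."""

class CurveLikePool:
    """Two-asset pool; LP price simplified to total reserves / LP supply."""
    def __init__(self, native, token, lp_supply):
        self.native, self.token, self.lp_supply = native, token, lp_supply
        self.locked = False

    def virtual_price(self):
        # View function: it does not check the lock, so it can be read mid-withdrawal.
        return (self.native + self.token) / self.lp_supply

    def remove_liquidity(self, lp_amount, on_receive_native):
        if self.locked:
            raise ReentrancyLocked("state-changing call while locked")
        self.locked = True
        native_out = self.native * lp_amount // self.lp_supply
        token_out = self.token * lp_amount // self.lp_supply
        self.lp_supply -= lp_amount      # LP tokens are burned first
        self.native -= native_out
        on_receive_native(native_out)    # native transfer hands control to the receiver
        self.token -= token_out          # second reserve is reduced only after the callback
        self.locked = False

def naive_lp_price(pool):
    """Oracle that trusts the view function unconditionally."""
    return pool.virtual_price()

def guarded_lp_price(pool):
    """Oracle that rejects reads while the pool is locked.
    Assumption: the lock is observable; on-chain this is typically achieved by
    calling a pool function protected by the same lock so the read reverts."""
    if pool.locked:
        raise ReentrancyLocked("pool mid-operation; price unreliable")
    return pool.virtual_price()

def observe_prices(price_fn):
    """Record the LP price before, during (inside the callback) and after a withdrawal."""
    pool = CurveLikePool(native=1000, token=1000, lp_supply=2000)  # constructed values
    seen = {"before": price_fn(pool)}
    def callback(_amount):
        try:
            seen["during"] = price_fn(pool)
        except ReentrancyLocked:
            seen["during"] = None        # guarded oracle refused to answer
    pool.remove_liquidity(1800, callback)
    seen["after"] = price_fn(pool)
    return seen
```

With the naive oracle the price read inside the callback is several times the true value, because the LP supply has already been reduced while one reserve has not; a lending market that values collateral at that moment over-lends.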

The OMNI Real Estate project (ORT Token) on the BNB chain was attacked owing to a smart contract vulnerability, after which the hacker gained 236 BNB, worth approximately $70,705. The vulnerability stemmed from a flaw in their StakingPool contract, which did not have adequate parameter validation. When the attacker called the invest function of the contract, the end date value was set to 0, which effectively passed the contract’s verification. The attacker thus invested 1 Wei and then invoked the withdraw function to withdraw ORT token rewards. These operations were repeated to earn profit. The ORT tokens were later swapped to BNB for profits. The detailed analysis of the exploit can be found in our blog here.

A flash loan attack on Upswing Finance resulted in the loss of approximately 22.58 ETH, worth $35,800. The attack occurred owing to a design flaw in the UPStkn token, which allowed the hacker to manipulate its price in the liquidity pool. The UPStkn token would be accumulated when transferring, specifically if the receiving address is a pair address. If the receiver is a UNI pool, the amount of UPStkn token in the pool will be burned, which will alter the pool pricing and give the hacker an opportunity to make a profit from it. The attacker utilized about 18 swaps to lift UPStkn token selling pressure, exchanging 1.31 ETH for 136,299.97 UPStkn tokens, then transferred 0 UPStkn tokens to himself to trigger the release Pressure, which burned the LP's 573,300.39 UPStkn tokens in order to increase the price of UPStkn. The attacker then sold the earlier obtained 136,299.97 UPStkn for a profit of 22.589 ETH after manipulating the token price. We have provided a detailed analysis of the exploit in this blog.

Thoreum Finance was hacked as a result of a smart contract vulnerability, causing the protocol to lose approximately 2260 BNB worth $580,000. The vulnerability occurred due to an incorrect implementation of the transfer function in their contract: if a wallet sent funds to itself, the amount of tokens in the wallet would be increased by as much as the sent amount. The attacker deposited BNB in order to obtain WBNB tokens, utilized a function of the contract to mint THOREUM tokens, swapped everything on BiSwap, and finally transferred the tokens to themselves. When an exploiter-deployed contract performed a transfer call to itself, its balance grew as a result of the vulnerable logic in the transfer function. This procedure was repeated several times, after which the contract held more than 500,000 THOREUM tokens, which were converted to WBNB and laundered to Tornado Cash. A detailed analysis of the exploit can be checked in this blog.
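One common way a transfer function ends up crediting a self-transfer is by caching both balances before writing either of them. The sketch below is an added example and not Thoreum's contract code: the class names and the cached-balance pattern are assumptions chosen to reproduce the behaviour described above. It places that pattern beside a corrected version and checks the invariant an audit or test suite would assert, namely that a transfer never changes total supply.

```python
# Added illustration: minimal ledger model, not Thoreum's contract code.
class CachedBalanceToken:
    """Transfer that reads both balances up front (assumed bug pattern)."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def total_supply(self):
        return sum(self.balances.values())

    def transfer(self, sender, recipient, amount):
        sender_bal = self.balances.get(sender, 0)
        recipient_bal = self.balances.get(recipient, 0)  # stale copy when sender == recipient
        if amount > sender_bal:
            raise ValueError("insufficient balance")
        self.balances[sender] = sender_bal - amount
        # With sender == recipient this write discards the debit above,
        # leaving the account at its old balance plus `amount`.
        self.balances[recipient] = recipient_bal + amount


class SafeToken(CachedBalanceToken):
    """Debit and credit are applied to storage in sequence, so aliasing is harmless."""

    def transfer(self, sender, recipient, amount):
        if amount > self.balances.get(sender, 0):
            raise ValueError("insufficient balance")
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


def supply_drift_on_self_transfer(token_cls, holder="alice", start=100, amount=40):
    """Invariant check: return the change in total supply caused by a self-transfer."""
    token = token_cls({holder: start, "bob": 10})  # constructed sample ledger
    before = token.total_supply()
    token.transfer(holder, holder, amount)
    return token.total_supply() - before


def balances_after_normal_transfer(token_cls):
    """Both variants behave identically when sender and recipient differ."""
    token = token_cls({"alice": 100, "bob": 10})
    token.transfer("alice", "bob", 40)
    return token.balances
```

A non-zero drift from `supply_drift_on_self_transfer` is exactly the condition a unit or fuzz test should fail on; transfers between distinct accounts do not reveal the bug.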

According to Beosin, the FFF token was a rug pull, in which funds worth $648,000 were siphoned off. The creator of First Free Finance minted a large amount of FFF tokens and ultimately sold them.

Metaverse and NFTs

Rarible, a leading NFT marketplace, has announced the availability of a marketplace builder for Polygon-based NFT collections. With this advancement, Polygon creators may engage with and extend their networks in entirely new ways. The marketplace builder requires no coding knowledge to use and does not charge any additional fees for any activity. Users will also be able to mint NFTs and construct personalized storefronts on Polygon. It also has an aggregation function, which allows users to access collections from other major secondary markets.

Yves Saint Laurent, the French luxury fashion house, has filed trademark applications for its name and logo to be used in the metaverse and in the NFT space. This news follows a tweet from Mike Kondoudis, a registered trademark attorney with the United States Patent and Trademark Office (USPTO). Makeup, skin care, and facial care preparations, for example, will be available for use in virtual worlds and the metaverse. The trademark also includes the provision of digital multimedia content that will be authenticated through the use of NFTs. The files include fragrance, toiletry, and cosmetics-related artwork, text, audio, and video. In addition, the trademark filings suggest providing a Yves Saint Laurent online retail store with virtual goods.

The University of Singapore has developed a virtual reality glove that allows you to feel objects in the metaverse. The procedure includes pressured fingertips and restricted motion to simulate the sensation of picking up objects in real life. The purpose is to let medical personnel practice in Virtual Reality, such as grasping surgical instruments or checking a patient's pulse. The VR glove is a significant leap in wearable technology because it is a completely untethered haptic system. With this superfast feedback loop, the glove interacts with the metaverse in nearly real-time, with minimal lag for users. Furthermore, the gloves are lighter and less expensive than those currently on the market.

OnChain Insurance Industry News

Neptune Mutual announced that the underwriting capital for the Binance Exchange cover pool and Curve Finance V2 was fully utilized, and encouraged new LPs to contribute liquidity to the pool to benefit from the relatively high LP returns resulting from the high utilization.

Additionally, Neptune Mutual announced the launch of “Popular DeFi Apps”, a new diversified cover pool that's been created and funded by one of their partners. One Inch, Sushiswap, Compound, Uniswap V3, Convex Finance, GMX, dYdX, AAVE V3, and Bancor are among the companies in the cover portfolio.

Nexus Mutual has scheduled the release of V2 of their protocol for the first week of February. Among the protocol enhancements are tokenized cover features and tracking of key metrics.

InsurAce Protocol has released their 2023 roadmap, which focuses on increasing revenues, launching new products, and developing the Crypto Deposit Insurance Scheme (CDIS).