Weekly Report (Jul-4)


OpenSea reported a breach of its customer email data. Facebook began testing NFTs with select content creators.


  • Crema Finance suffered a flash loan attack, losing roughly $8.782 million worth of assets; OpenSea reported a breach of its customer email data.
  • Facebook began testing NFTs with select content creators in the US.
  • KPMG has made its first foray into the metaverse by launching its collaboration hub.
  • FC Porto becomes the first European football team to jump into the Upland Metaverse.

With numerous rug pulls, hacks, exploits, and smart contract vulnerabilities, 2022 has continued to be a busy year for hackers and scammers. The losses in stolen cryptocurrency in the first half of 2022 totaled roughly $2.181 billion, a 208 percent increase over the first half of 2021. In the previous month alone, 21 different DeFi exploits resulted in $227.76 million in stolen funds.

Blockchain Hacks

OpenSea, the world’s largest NFT marketplace, has issued a customer warning after it was discovered that an employee of Customer.io, the platform OpenSea uses to manage email newsletters and campaigns, leaked the email addresses of OpenSea customers to an outside party. The breach affected every user who had provided an email address to the marketplace, whether for the platform itself or for its newsletter. Because the exposed data is email addresses, the practical risk is phishing, and OpenSea warned customers accordingly: double-check the domain of any website an email sends you to, keep your password and secret recovery phrase to yourself, and never sign a wallet transaction directly from an email.

Hackers took over Nouns DAO’s Twitter account. Phishing mint attacks, in which an attacker gains privileged access to a community channel and posts a phishing link, normally take place on NFT Discord servers, but this one was carried out on Twitter. The attacker posted phishing links to a bogus raffle for Nouns 355 and 356, then created a Twitter account and invited listeners to take part in the raffle. Nouns DAO regained control shortly after a developer announced that the account had been compromised and warned users not to click any links, but 20 people were affected, with a total loss of 25 ETH amounting to $27,843.

Scammers also hijacked JRNYclub’s Twitter account and used it to steal NFTs worth approximately $82k, which were sent to the fraudster’s address. Although the Twitter account was taken over, the incident was classified as a targeted social engineering attack rather than a SIM swapping attack: according to token officials, a Twitter employee was socially engineered into changing JRNYclub’s password. Following this announcement, some users claimed that the hack was an inside job by a malicious Twitter employee.

A hacker placed a phishing pop-up on the Polygon and Fantom RPC endpoints, warning users that their funds were at risk and urging them to enter their private keys. The hacker reached Polygon’s and Fantom’s remote procedure call interfaces, which are served through the Web3 infrastructure platform Ankr, by tricking a third-party domain name system provider into handing over control of the domains. Posing as an Ankr employee, the hacker sent Gandi, Ankr’s web service provider, a fake identity card and convinced the platform’s customer support to change the email address on the domain registrar account from Ankr’s to the hacker’s Hotmail account. The attack was neutralized quickly: Ankr regained control of DNS within six hours, and all core services were unaffected. Ankr cannot, however, conclusively determine whether any users fell victim to the phishing page in the meantime.

Crema Finance, a concentrated liquidity protocol on Solana, reported that a cyber attack had forced it to halt its program. Citing data from the on-chain explorer SolanaFM, the protocol’s official Twitter account stated that the stolen crypto assets were worth $8.782 million. The team later published a thread on what had been targeted, explaining that the attacker had bypassed the contract’s checks by setting up a fake account for price-tick data (a “tick account”), and had then used the fictitious price data together with flash loans to drain a large amount of fees from the liquidity pool.

Quixotic, the largest NFT platform in the Optimism ecosystem, had a smart contract vulnerability that allowed an attacker to steal ERC-20 tokens. According to the leading layer-2 NFT marketplace, no NFTs were affected by the attack, but a larger amount of user assets was stolen. In the order-filling function of the market contract, only the sell order was checked, while the buyer’s side of the trade was not. As a result, the attacker first deployed an arbitrary NFT contract, then called that function to create a sell order for it, passing the victim’s address as the buyer parameter and the address of the token to be stolen as the paymentERC20 parameter; the market contract then transferred the tokens that the victim had previously approved to it. The attacker stole approximately 220,000 OP tokens worth $119,000, exchanged them for USDC, and transferred them to Tornado Cash via the BNB Chain.
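To make the class of bug described above concrete, the following toy marketplace is an added example; it is not Quixotic’s code, and every name in it (`ToyMarket`, `SellOrder`, `fillSellOrderUnchecked`, `fillSellOrder`) is hypothetical. It places a fill function that authenticates only the seller’s order and takes the paying `buyer` as a plain parameter next to the hardened form, in which the paying account is always the transaction sender.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not Quixotic's code. A minimal marketplace showing the
// missing-buyer-check pattern beside its fix. All names are hypothetical.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract ToyMarket {
    struct SellOrder {
        address seller;       // owns the NFT and receives the payment
        address nft;          // ERC-721 collection being sold
        uint256 tokenId;
        address paymentERC20; // token the buyer pays with
        uint256 price;
        uint256 nonce;        // makes each order hash unique
    }

    // orderHash => the seller has authorised this order. This on-chain flag is a
    // stand-in for the off-chain signature check a real marketplace performs;
    // the point is that the *seller* side is authenticated in both versions.
    mapping(bytes32 => bool) public sellOrderActive;

    function hashOrder(SellOrder calldata o) public pure returns (bytes32) {
        return keccak256(abi.encode(o.seller, o.nft, o.tokenId, o.paymentERC20, o.price, o.nonce));
    }

    // Only the seller can create or cancel an order for their own NFT.
    function createSellOrder(SellOrder calldata o) external {
        require(msg.sender == o.seller, "not the seller");
        sellOrderActive[hashOrder(o)] = true;
    }

    function cancelSellOrder(SellOrder calldata o) external {
        require(msg.sender == o.seller, "not the seller");
        delete sellOrderActive[hashOrder(o)];
    }

    // VULNERABLE PATTERN: the seller's order is verified, but nothing ties
    // `buyer` to msg.sender. Any caller can name a third party as the buyer,
    // and because marketplace users routinely grant the market an ERC-20
    // allowance, transferFrom succeeds against that third party's balance.
    function fillSellOrderUnchecked(SellOrder calldata o, address buyer) external {
        bytes32 h = hashOrder(o);
        require(sellOrderActive[h], "no such sell order");
        delete sellOrderActive[h]; // effects before interactions
        require(IERC20(o.paymentERC20).transferFrom(buyer, o.seller, o.price), "payment failed");
        IERC721(o.nft).safeTransferFrom(o.seller, buyer, o.tokenId);
    }

    // HARDENED: the paying account is the caller. An allowance granted to the
    // market can then only be spent inside a transaction its owner sent. A
    // marketplace that matches orders off-chain would instead verify a buyer
    // signature over the order exactly as it verifies the seller's.
    function fillSellOrder(SellOrder calldata o) external {
        bytes32 h = hashOrder(o);
        require(sellOrderActive[h], "no such sell order");
        delete sellOrderActive[h];
        require(IERC20(o.paymentERC20).transferFrom(msg.sender, o.seller, o.price), "payment failed");
        IERC721(o.nft).safeTransferFrom(o.seller, msg.sender, o.tokenId);
    }
}
```

The audit question this illustrates is the same on both sides of any trade: for every `transferFrom` a contract performs, which party authorised that specific movement, and is that authorisation bound to the transaction (via `msg.sender` or a verified signature) rather than to a caller-supplied address? On the user side, the mitigation is the standard one of reviewing and revoking standing ERC-20 approvals to marketplaces that are no longer in use, since an allowance is exactly what this bug class turns against its owner.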

Metaverse and NFTs

Meta, formerly known as Facebook, has begun rolling out NFTs on its main social network for selected U.S. creators on the Ethereum and Polygon networks, with plans to add support for Solana and Flow NFTs in the near future. Users get a digital collectibles tab on their Facebook profiles where they can showcase their NFTs, the unique blockchain tokens that signify ownership. They will also be able to link their cryptocurrency wallets to their Facebook profiles, turning their NFTs into Facebook posts that can be reacted to, liked, commented on, and shared like any other post.

KPMG, one of the Big Four accounting firms in Canada and the United States, has announced the launch of its first metaverse collaboration hub as a signature initiative to help its employees and clients pursue growth opportunities in the era of web3-based technologies. The hub will focus on education, collaboration, training, events, and workshops, according to Cliff Justice, KPMG’s U.S. leader of enterprise innovation, who says it is already being used for these purposes and that KPMG plans to hire people to build it out and expand it over time. The company’s long-term goal is to investigate other potential metaverse use cases in areas such as health care, consumer, retail, media, and financial services.

To bring European football to the metaverse, Upland has announced a strategic partnership with FC Porto. Under the partnership, the football club will create a virtual stadium in Upland as well as collectible team and player NFTs. The NFTs, the first suite of NFTs for a European football club, will naturally be a big draw for fans. In addition, FC Porto’s entry into Upland brings the Portuguese city of Porto into the metaverse, meaning that fans will be able to purchase NFT properties that correspond to real physical addresses. The Dragon Stadium, Estádio do Dragão, will be the focal point of the city in Upland. The platform’s mechanics will even include player-owned and operated shops on the virtual properties of the metaverse.

OnChain Insurance Industry News

Sherlock Protocol has announced that it will soon begin providing smart contract coverage for Euro-denominated deposits from Circle Pay through Euler Finance. The team has also announced a collaboration with Lyra Finance on the Avalon release. Through this collaboration, Sherlock will work closely with the Lyra team and its users, providing a full audit, exploit coverage, bug bounty initiatives, and more.

Risk Harbor has announced the launch of Core Vault 3 for Risk Harbor Core V2 on Fantom. The new features include, among others, Levered Vaults, an Automated Market Maker (AMM), and a Risk Engine.