Weekly Report (Nov-07)


A total loss of $32.5M in a week; government and other big brands to launch NFTs; and more.


  • Multiple DeFi hacks resulted in over $32.5 million in stolen assets.
  • GameStop has confirmed the launch of its NFT marketplace on ImmutableX.
  • Visa has collaborated with Crypto.com to auction off World Cup-themed NFTs.
  • Meta announced a toolkit for Instagram users to mint NFTs on the Polygon blockchain.
  • Kraken has launched the beta version of its NFT marketplace.

So far this year, October has seen the most losses due to blockchain hacks, smart contract vulnerabilities, scams, and other exploits. The total amount of hacked funds increased by more than 430% compared to September, resulting in more than $718 million stolen from DeFi protocols across 11 major hacks.

Blockchain Hacks

Skyward Finance, an on-chain asset issuance IDO platform on the NEAR protocol, suffered a vulnerability exploit and lost over 1.08 million $NEAR tokens with a value of approximately $3.2 million. The vulnerability existed because the contract's redeem skyward function, which is used to redeem the treasury from the protocol, lacked a check and parameter validation: it did not check whether the passed-in token account id values were duplicates. The hacker used this to withdraw wrap.near tokens multiple times in a single transaction. The attacker submitted multiple token account ids and used the loop over those values to deposit the rewards multiple times and drain the treasury. We have decoded the analysis of this exploit in our blog post.
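The missing duplicate check described above, shown as an added example that is not Skyward's contract code: a simplified pro-rata treasury model in Rust with the unchecked redeem beside a hardened one. The `Treasury` type, the function names, the payout formula and the sample balances are all assumptions made for illustration.

```rust
use std::collections::{HashMap, HashSet};
// Simplified treasury model; every name here is hypothetical, not Skyward's code.
struct Treasury {
    balances: HashMap<String, u128>, // token account id -> treasury balance
    total_supply: u128,              // circulating supply of the redeemable token
}

impl Treasury {
    // Pays the pro-rata share of one treasury token for `amount` redeemed.
    fn pay_share(&mut self, id: &str, amount: u128) -> Result<u128, String> {
        let bal = self.balances.get_mut(id).ok_or("unknown token account id")?;
        let share = *bal * amount / self.total_supply;
        *bal -= share;
        Ok(share)
    }
    // Unchecked form: a repeated id is paid once per repetition.
    fn redeem_unchecked(&mut self, amount: u128, ids: &[&str]) -> Result<u128, String> {
        let mut paid = 0;
        for id in ids {
            paid += self.pay_share(id, amount)?;
        }
        self.total_supply -= amount;
        Ok(paid)
    }
    // Hardened form: validate the amount and the whole id list before any payout.
    fn redeem_checked(&mut self, amount: u128, ids: &[&str]) -> Result<u128, String> {
        if amount == 0 || amount > self.total_supply {
            return Err("invalid redeem amount".into());
        }
        let mut seen = HashSet::new();
        for id in ids {
            if !self.balances.contains_key(*id) || !seen.insert(*id) {
                return Err(format!("unknown or duplicate token account id: {id}"));
            }
        }
        self.redeem_unchecked(amount, ids)
    }
}

// Constructed sample state: 1000 units of one treasury token, supply of 100.
fn sample() -> Treasury {
    let balances = HashMap::from([("wrap.near".to_string(), 1000u128)]);
    Treasury { balances, total_supply: 100 }
}

fn main() {
    println!("{:?}", sample().redeem_checked(10, &["wrap.near", "wrap.near"]));
}
```

Validating the full list before the first payout also means a rejected call leaves the treasury balances untouched.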

Rubic, the multi-chain exchange protocol, was exploited due to malware that stole the private key following the disclosure of an administrator's wallet address, which controls the RBC/BRBC cross-chain bridge and staking rewards. The attacker sold approximately $303,758 worth of RBC/BRBC on Uniswap and PancakeSwap. The team said that users' staking funds were secure and none of their smart contracts had been compromised.

Deribit, the cryptocurrency derivatives exchange, suffered a loss of approximately $28 million due to an exploit involving a compromised hot wallet. The breach was isolated and quarantined to their BTC, ETH, and USDC hot wallets, resulting in the loss of 6,967.65 ETH, 691 BTC, and approximately 3.41 million USDC, with the hacker exchanging USDC for 2,143.95 ETH. After the event, they began conducting security checks, halting withdrawals from Copper Clearloop and Cobo, among other third-party custodians. The team reported that no client assets, Fireblocks, or cold storage addresses were compromised. Customers' funds will remain secure, and losses will be covered by the company's reserves.

Solend, a Solana-based lending protocol, was exploited due to price manipulation against USDH affecting Stable, Coin98, and Kamino's isolated pools, resulting in $1.26 million in bad debt. The team asserted that all other pools, including their Main pool, are secure and that the affected pools have been disabled. The attacker manipulated the USDH price on a Switchboard v1 feed to be greater than $8, and then borrowed a large amount of other tokens based on the inflated collateral size.

Loopring, the Ethereum Layer2 zkRollup protocol, was the target of a coordinated large-scale DDoS attack. This caused the protocol's services to be down for 11 hours, while the funds were completely safe. The team attempted to mitigate the issue by first shielding and limiting requests to reduce unnecessary traffic but was unable to resolve the problem. They later contacted AWS security engineers for additional support, after which the backend and wallet services were restored.

Metaverse and NFTs

Meta has continued its unrelenting advance into the frontier world of the blockchain. This time around they announced an end-to-end toolkit allowing Instagram users to mint NFTs on the Polygon blockchain and sell them on social media. The announcement stated that certain U.S.-based creators will be given the opportunity to produce digital artifacts that would be available for purchase both within and outside of Instagram. The platform continued by saying that its users may now also present video NFTs, and that OpenSea would give the metadata of select collections, including the descriptions and titles of the items in those collections.

The government of Hong Kong launched an NFT-backed initiative to promote fintech during their Hong Kong Fintech Week 2022. Along with launching a green bond and its e-HKD, the Hong Kong government also launched an NFT, which served as evidence of attendance at the fintech week. These NFTs will serve dual purposes as both souvenirs and evidence of attendance at the event. The proceeds from the sale of NFTs will be used to promote the 2023 Hong Kong Fintech Week by providing early notification and discounts for attendees.

ImmutableX has announced the official launch of the GameStop NFT Marketplace, which provides GameStop players and GameStop Powerup Pro loyalty customers across the United States access to web3 games and NFT gaming assets. This integration enables some of the world's most popular web3 games, such as Gods Unchained, Guild of Guardians, and Illuvium, to be built on ImmutableX. In addition, it enables 100% gas-free and carbon-neutral minting and trading on the GameStop NFT Marketplace. Visitors to the marketplace will be able to access low-cost in-game assets to buy and sell.

Visa has partnered with Crypto.com to bring NFTs to the World Cup with their Masters of Movement campaign, a fan experience that includes a World Cup-themed NFT auction for charity. Visa will mint and auction off five NFTs inspired by some of the most memorable goals in both Men’s and Women’s World Cup history, scored by legendary players including Michael Owen, Tim Cahill, Jared Borgetti, Carli Lloyd, and Maxi Rodriguez. The auction, which is taking place on Crypto.com, allows fans to bid on the NFTs with all proceeds benefiting Street Child United, a UK charity that aims to protect and support children living on the street. The fans who placed the highest bids will receive not only their new NFT in their Crypto.com wallets, but also printable art files and signed memorabilia from each of the players whose goals are featured in the NFTs.

Kraken, the cryptocurrency exchange, has launched the beta version of its long-awaited NFT marketplace, creating an intuitive and gasless destination for making all of those essential NFT purchases, available for users who claimed a whitelist back in May. The company has stated that the new platform will be available to the general public soon. Collectors will find a 70-strong curated offering of top-selling tokens among its vast array of NFTs from a number of leading blockchains, as well as purchases in over 200 cryptocurrencies and 8 different forms of fiat payment. They've also included a slew of useful buying tools in the package, such as a rarity detector, multi-chain compatibility, and industry-leading security.

OnChain Insurance Industry News

Neptune Mutual attended Hong Kong Fintech Week, both in person at the event and online with a virtual booth. DWF Labs hosted a podcast with Neptune Mutual co-founder, Edward Ryall, to provide an update on the Neptune Mutual project.

Sherlock Protocol kick-started their audit contest with multiple DeFi protocols. Users could submit their findings using the issue page in their private contest repository of the associated protocols, and earn generous rewards based on their findings' severity.

Risk Harbor has added a vault to keep the Arbitrum ecosystem safe by releasing a new Arbitrum vault through Core Vault 4. This core vault will secure GMX, Stargate Finance, and Mycelium.