Blockchain security platform Immunefi has launched an on-chain system for bug bounties, according to a Sept. 26 announcement. The new system, called “Vaults,” allows Web3 developers to escrow funds in an on-chain address and use them to pay out bug bounties to white hat hackers.
Immunefi believes the new system will help projects “demonstrate to whitehats […] that they have allocated sufficient funds to pay bounties,” which it hopes will result in “more top-tier bug reports” being submitted.
List of Immunefi bug bounties. Source: Immunefi
Software developers often offer rewards, called “bug bounties,” to hackers who discover exploits or other bugs in their software. This sometimes allows vulnerabilities to be found before bad actors can exploit them. Hackers who submit bug reports for rewards instead of taking advantage of an exploit are called “white hat” hackers, while “black hat” hackers use their knowledge for malicious purposes.
According to the announcement, the new Immunefi system allows projects to deposit their bug bounty funds to a Safe multisig smart contract (formerly called a “Gnosis Safe”). This provides white hats with on-chain proof that the funds are available. Once a bug is submitted and a project has confirmed it’s genuine, the project can release the funds to the bug reporter’s wallet.
During Vault’s launch, Ethereum infrastructure provider SSV posted a $1 million deposit to help pay bug bounties for its software. Decentralized exchange Ref Finance, which is on the Near network, also uses the new system. SSV DAO contributor Eridian claimed that on-chain bug bounties will help provide better security for the DAO’s validator services, stating:
“The Vaults System will help us provide added reassurance for any researcher engaging with our bounty program, and in turn help secure the protocol even further. A good win-win. Building further trust with the community by showcasing dedicated funding, and streamlining the payment process, will ultimately strengthen our security efforts.”
A “glitch” in MetaMask that caused it to overestimate opBNB gas fees has now been fixed, according to a social media post from BNB Chain. Many users pay the default recommended fee displayed in their wallets, so a misestimation can cause users to overpay.
opBNB is an optimistic rollup layer-2 of Ethereum. It was launched on Sept. 13 and was developed by the team that created BNB Chain. According to the team, they discovered recently that “Metamask had set a default minimum recommendation price for gas based on the average of all networks.” This was a reasonable policy for other L2 networks, the team said, but it “didn’t quite align with opBNB.” The team claimed that opBNB fees “can be much lower than other L1 and L2 networks,” making the estimation inaccurate.
To solve this problem, BNB Chain contacted the MetaMask team, who were “extremely helpful and agreed to update their algorithm.” As a result, the wallet now accurately displays the network’s fees.
According to the BNB Chain team, users can now check each network’s fees by switching to opBNB from within MetaMask and attempting to perform a transaction, which they say will prove that the network often has lower fees than competitors.
opBNB was developed using the OP Stack, a modular framework that can be used to create interoperable blockchain networks. The OP Stack was developed by the OP Labs team, which is attempting to create a “Superchain” comprised of multiple interconnected blockchain networks. The Superchain faces competition from Polygon’s “Supernets,” which attempts to accomplish a similar aim.
Huobi Global exchange was hacked on Sept. 24, according to a report from blockchain analytics platform Cyvers. A total of $7.9 million of crypto has been drained in the attack. Huobi is also known as “HTX,” as it recently rebranded.
A known Huobi hot wallet posted a message to the attacker in Chinese. According to the message, the exchange knows the identity of the attacker and has offered to let them keep 5% of the drained funds as a “white-hat bonus,” but only if the attacker returns the remaining 95%.
On September 24 at 10 a.m. UTC, the suspected Huobi hot wallet 0x2Abc22eb9A09EbBE7b41737CCde147F586EfeB6A sent 4,999 Ether (ETH), worth approximately $7.9 million, to an address which had no previous history. The following morning, a separate wallet belonging to Huobi sent a message to the attacker in Chinese. It stated (according to a Google translation):
We have confirmed your true identity. Please return funds to 0x18709E89BD403F470088aBDAcEbE86CC60dda12e. We will provide you with a 5% white hat bonus. This offer is valid for 7 days and ends on October 2, 2023. If you do not return the funds by the deadline, we will request judicial intervention.
Cyvers reported the attack on Sept. 25. The wallet that sent the message is identified as a Huobi hot wallet by blockchain analytics platform Arkham Intelligence.
This is a developing story, and further information will be added as it becomes available.
Google Cloud’s BigQuery service just added 11 blockchains networks to its data warehouse, according to a September 21 blog post. The new networks include Avalanche, Arbitrum, Cronos, Ethereum Görli testnet, Fantom, Near, Optimism, Polkadot, Polygon mainnet, Polygon Mumbai testnet, and Tron.
BigQuery is Google’s data warehouse service. Enterprise firms can use it to store their data and make queries of it. It also provides some public datasets that can be queried, including Google Trends, American Community Service demographic information, Google Analytics, and others.
In 2018, Google launched a Bitcoin dataset as part of the service, and later that year, it added Ethereum as well. It continued to expand its blockchain coverage in February of 2019, adding Bitcoin Cash, Dash, Dogecoin, Ethereum Classic, Litecoin, and Zcash. The September 21 announcement means that BigQuery now carries data from a total of 19 blockchain networks.
In addition to adding these new blockchains, Google has also implemented a new feature intended to make blockchains queries easier to execute. Through a series of user-defined functions (UDFs), the team has provided methods to handle the long-form decimal results often found on blockchains. In its post, Google claimed that these new functions will “give customers access to longer decimal digits for their blockchain data and reduce rounding errors in computation.”
Google Cloud has been taking an increasing interest in blockchain tech in 2023. On July 7, it partnered with Voltage, a Lightning Network infrastructure provider. And it partnered with Web3 startup Orderly Network on September 14 to help provide off-chain components for decentralized finance.
Decentralized exchange Pancakeswap now offers Transak as a provider in its “buy crypto” tab, giving Pancakeswap users an additional option when shopping for crypto, according to an announcement on September 21. Mercuryo and Moonpay were previously providers for this feature, making Transak the third provider to be added.
Pancakeswap is a multichain decentralized crypto exchange (DEX). It’s available on 8 different blockchain networks, including BNB Chain, Ethereum, Base, Polygon zkEVM, and others. It has over $1.3 billion worth of crypto locked in its contracts and does over $150 billion in volume per day, according to crypto analytics platform DeFi Llama.
As with all DEXs, Pancakeswap can’t perform fiat to crypto conversions on its own. Users have to first own cryptocurrency in a wallet before they can use the exchange. Its development team recently implemented the “buy crypto” feature in an attempt to fix this problem by allowing users to onboard with third-party providers like Mercuryo, Moonpay and now Transak. Transak claims to be integrated into over 350 Web3 apps, making it one of the most accessible crypto onboarding services.
According to the announcement, Transak will provide “over 20 different payment options based on global needs,” including debit cards, Google Pay, Apple Pay, bank transfers, and others, and will provide nine different cryptocurrencies across seven different blockchain networks to Pancakeswap users.
Pancakeswap’s pseudonymous leader, head chef Mochi, stated that the integration will help make decentralized finance protocols easier to use:
“[I]t’s imperative that entry points remain simple yet robust. Transak’s expertise in fiat on-ramping, combined with PancakeSwap’s platform capabilities, promises an era where diving into decentralized finance is intuitive and barrier-free for all.”
Pancakeswap launched a web3 game called “Pancake Protectors” on May 30. The game gives extra perks to holders of the DEXs governance token, CAKE. The token’s inflation rate was reduced to 3%-5% through a governance vote in April.
Proof of Play, a company led by Farmville co-creator Amitt Mahajan, raised $33 million to create Web3 games, according to a Sept. 21 announcement. Majahan is the CEO of Proof of Play, and Twitch co-founder Emmett Shear is a board member.
The funding was co-led by Chris Dixon at Andreessen Horowitz (a16z) and Neil Mehta at Greenoaks. Investors Naval Ravikant, Balaji Srinivasan and the founders of streaming platform Twitch also participated, as well as Web3 firms Anchorage Digital, Mercury, Firebase, Zynga and Alchemy.
Proof of Play released a closed beta of its first game, Pirate Nation, in December 2022.
Pirate Nation Web3 game. Source: Proof of Play
In its announcement, the company claimed it can overcome many roadblocks players commonly encounter when attempting to play Web3 games. It stated that it possesses “a set of technological and product innovations” that will “quickly immerse players in fun gameplay” without learning about blockchain first.
Proof of Play also stated that it is committed to decentralization. Pirate Nation is a “Forever Game” that can be run without external servers or creator intervention, adding that the company intends to open-source its technology framework in the future to decentralize further.
The Proof of Play team includes members from several large gaming and web companies, including Epic Games, Zynga, EA, Activision and Google.
Multimillion-dollar funding rounds from Web3 companies have become the norm in 2023. EVE Online developer CCP Games raised $40 million in March to develop a new spinoff EVE game, and Hyperplay raised $12 million in June to further develop its distribution platform and Steam competitor.
A group of decentralized finance (DeFi) protocols have teamed up to solve liquidity problems in the Cosmos ecosystem. The teams involved include cross-chain bridging protocol Wormhole, liquidity aggregator Swing, lending protocol Tashi, and Cosmos network Evmos.
According to statements from two of the teams involved, Wormhole will register five new bridged tokens for use on Evmos: Tether (USDT), USD Coin (USDC), wrapped Ether (wETH), wrapped Bitcoin (wBTC) and Solana (SOL). A Wormhole governance vote on this part of the proposal began on September 19 and currently has near unanimous support.
Once the tokens are launched on Evmos, they will be implemented into Swing protocol, which will allow users to send them to Evmos from any network that Swing supports, including BNB Chain, Polygon, Fantom, and others.
Tashi will also implement Swing into its user interface, allowing users to bridge the coins and deposit them as collateral with a minimum of button clicks. Users will then be able to take out loans of either Cosmos-based or Ethereum-based coins using this collateral, swap the loaned coins for others, deposit them into liquidity pools, or perform other common DeFi actions.
Caption: Tashi user interface. Source: Tashi.
According to representatives from both Swing and Tashi, the integrations are ready to go live and are simply waiting for the Wormhole proposal to pass and be implemented. The proposal’s vote will come to an end on September 24, which implies that the new liquidity system should go live soon afterwards.
In a conversation with Cointelegraph, Tashi co-founders Lindsay Ironside and Kristine Boulton claimed that the new system is needed to fix a “crisis” in liquidity within the Cosmos ecosystem. “We’ve got this chain that continues to deliver these amazing opportunities, but nobody’s using it because they can’t get liquidity there,” Boulton stated. But “[Wormhole], they’re on, I think it’s 29 different chains right now […] so it is an opportunity to fix that crisis.”
Ironside stated that she felt a new system was needed after she first began using the Cosmos ecosystem. She had a bad user experience the first time she attempted to swap USDC for Cosmos (ATOM) and send it to Evmos. In order to obtain the ATOM, she needed to first bridge her USDC to Cosmos Hub. But once the USDC was on the network, she didn’t have the ATOM to pay the gas fee to make the swap.
According to Ironside, this experience caused her to realize that the team needed to focus on this problem. “Coming in as new users […] and trying to figure out where the solutions to these problems were, [that] was a big deal,” she remarked.
In a separate conversation, Swing CEO Viveik Vivekananthan agreed that the new system will potentially fix these problems. If a user wants to swap USDC for a different coin on Evmos, Swing will convert a small portion of the coins sent into the Evmos native coin, which will then be spent on gas to make the swap. This will allow users to onboard into Evmos using any supported coin, Vivekananthan explained.
In the beginning, Swing will only be able to bridge tokens from mostly non-Cosmos networks into Evmos, he stated, but the team plans to expand its compatibility to allow bridges between different Cosmos networks in the future.
Wormhole has integrated Circle’s Cross-Chain Transfer Protocol (CCTP), allowing USD Coin (USDC) to be transferred between Ethereum, Avalanche, Arbitrum and Optimism via Wormhole-based bridges, according to a Sept. 20 announcement.
The new feature is available to end-users via the Portal bridge, and developers can integrate it into their own apps using Wormhole Connect.
Portal USDC bridge. Source: Portal
The Wormhole team claimed that the new integration will reduce liquidity issues and user confusion. “On these new and emerging chains, multiple versions of these bridged USDC tokens can exist,” it stated, “which can lead to fragmented liquidity, poor pricing, and a confusing experience for users and developers alike.” CCTP will help fix this problem by “creating a natively cross-chain USDC that can be burned and minted across connected chains,” it stated.
When Circle first issued USDC, it was only available on Ethereum. If a user wanted to transfer USDC to another chain, they needed to use a bridge to lock up their native USDC on Ethereum and mint a derivative version on the other chain. However, multiple bridging protocols with various derivative versions of USDC could sometimes cause confusion among end-users.
But for a user to transfer native USDC from one network to another, they still needed to deposit their coins to a Circle partner’s account and then withdraw them to another network using that account. Partially because of this complexity, many users continued to use bridged versions of the coin instead of its native version.
On April 26, Circle launched CCTP, which is a set of smart contracts and an application programming interface (API) that can be used to burn USDC on one chain and have it be re-minted on another chain without the user needing to deposit to a Circle partner account.
At the time of its launch, CCTP only allowed transfers between Ethereum and Avalanche or vice-versa. Since then, it’s been expanded to support Optimism and Arbitrum networks as well. Circle plans to add additional networks in 2023, according to the protocol’s documents.
The Sept. 20 announcement states that CCTP has now been integrated into the Wormhole bridge interface, allowing Wormhole users to transfer native USDC between CCTP-supported chains for the first time. These networks currently include Ethereum, Optimism, Avalanche and Arbitrum.
Wormhole is not the only bridge that has implemented or intends to integrate with CCTP. Wanchan provides a similar feature, and according to Circle’s April 26 announcement, Celer, Hyperlane, LayerZero and LI.FI have also stated that they intend to implement it soon.
Outflows from crypto exchange-traded products (ETPs) reached $455 million over the previous nine weeks, according to a report from asset manager CoinShares. Outflows from ETPs generally indicate negative sentiment towards cryptocurrencies.
Crypto exchange traded products are designed to track crypto prices. When shares of these funds fall below their target prices, they sell off cryptocurrencies, causing outflows.
The week leading up to Sept. 18 saw outflows of $54 million — capping off nine weeks in which only a single week saw inflows. Bitcoin (BTC) saw the biggest drawdown from all exchange-traded products and was responsible for 85% of all outflows from these funds. Last week, over $45 million worth of Bitcoin was sold into the market by ETPs.
Ether (ETH) funds were also not spared in this deluge of selling. They saw outflows of approximately $5 million last week.
Despite these outflows, a few ETPs representing altcoins did well last week. Solana (SOL) ETPs saw net inflows of $700,000, Cardano (ADA) gained $430,000 and XRP added $130,000.
CoinShares also provided data about the regional origin of crypto ETP outflows. The U.S. was responsible for 77% of the outflows, with Germany, Canada, and Sweden also having caused a sizable percentage of the outflows.
Crypto ETPs offer an easier way for investors with traditional financial accounts to invest in digital assets. However, the issuance of a spot Bitcoin ETF has faced numerous regulatory and legal barriers in the U.S. In March, the Securities and Exchange Commission (SEC) denied VanEck’s proposal for a Bitcoin Trust. On Aug. 11, a U.S. Federal Appeals Court ruled that the SEC had been “arbitrary and capricious” in denying a Bitcoin ETP proposal from Grayscale.
Binance Holdings CEO Changpeng Zhao (CZ) has shot down speculation surrounding the departure of Binance.US CEO Brian Shroder, noting that he i “taking a deserved break” after a successful two year stint at the company.
Binance.US is a subsidiary of Binance Holdings, and the U.S. based exchange has seen a handful of other top executives recently step down from the firm amid lawsuits from the Securities and Exchange Commission and Commodities Futures Trading Commission.
In a Sept. 15 statement via X (Twitter), CZ urged people to “ignore FUD” around the recent shuffling of execs, as he suggested that Shroder was leaving the firm amicably after accomplishing everything he “set out to do when he joined two years ago.”
“Under his leadership, Binance.US raised capital, improved its product and service offerings, solidified internal processes, and gained significant market share, all of which helped to build a more resilient company for the benefit of customers. We are grateful for his contributions,” CZ said.
Binance is facing lawsuits from both the SEC and CFTC over several alleged violations of SEC and CFTC laws, including the alleged sale of unregistered securities and mishandling of customer funds. As part of its lawsuit, the SEC claimed that the US and international branches of Binance have illegally commingled funds between each other.
In the midst of this lawsuit, Binance.US announced on September 13 that it was laying off a third of its staff and that Shroder was leaving his position as CEO. On September 14, an additional two executive departures were reported as both head of legal Krishna Juvvadi and chief risk officer Sidney Majalya decided to quit the company. The departures fueled speculation on Twitter that Binance may be facing worse legal troubles than previously understood.
Seemingly referencing the lawsuits in his X post, CZ also asserted that the crypto market “is in a different place now than it was two years ago,” as crypto firms face an “increasingly hostile regulatory environment.” In his view, the new CEO for Binance.US, Norman Reed, is the “right person” to lead the US exchange in this new era.
Binance is the largest crypto exchange by volume in the world. It has come under increasing criticism since the third-largest exchange, FTX, went bankrupt in November and FTX executives were charged with fraud. Critics say that Binance has not been transparent enough about its business practices and has not proven that it is solvent. However, CZ has brushed off these concerns, stating that the firm has “no liquidity issues” and that claims against it are unfounded.
Ethereum developers launched a new testnet on Sept. 15. Called “ Holešky,” the network is expected to be used for staking, infrastructure and protocol-development, according to its developer documents. Sepolia will remain the dominant network for application development.
An initial supply of 1.6 billion Holesky testnet Ether (HETH) will be allocated to validators on Holešky’s launch day to bootstrap the network into operation, according to Ethereum developer Tim Beiko. This represents ten times the amount of ETH present on mainnet. Beiko stated that developers were comfortable with producing this amount because “devnets [are] regularly using 10B supply.”
Previously, Goerli testnet was used to test new staking, infrastructure, and protocol developments. Goerli is the oldest Ethereum testnet in operation, having been launched in 2018. In October, protocol developers began complaining that Goerli had too low of a supply of ETH to adequately handle testing needs. Given its large initial supply of ETH, Holešky is expected to help alleviate this problem.
Since Sepolia was launched in 2021, the Ethereum team has been urging application developers to move from Goerli to Sepolia, leaving only protocol developers remaining on the old network prior to the launch of Holešky. They plan to deprecate Goerli in January, 2024. After deprecation, Goerli will be maintained for another year, then shut down entirely, according to its documentation.
Holešky could see a lot of use, as Ethereum devs have an ambitious roadmap ahead of them. They intend to implement proto-danksharding, danksharding, and other features they believe will reduce fees, as well as features like Verkle trees that are intended to make running a node less expensive. Each of these features will need to be trialed on a testnet before being implemented on mainnet.
Crypto exchange Remitano experienced large withdrawals under suspicious circumstances on September 14, with some blockchain analysts concluding that it may have been hacked. A total of $2.7 million worth of crypto has been withdrawn through the suspicious transactions. Tether has frozen one address the attacker allegedly used, potentially saving $1.4 million worth of customers’ crypto.
At approximately 12:45 p.m. on September 14, a known Remitano hot wallet began sending funds to an address with no prior history. Approximately $1.4 million worth of Tether (USDT) and $208,000 worth of USD Coin (USDC) stablecoins, as well as 104,000 Ankr tokens (worth $2,000 at the time) were moved to address 0x74530e81E9f4715c720b6b237f682CD0e298B66C.
Blockchain analytics platform Cyvers has alerted the crypto community about the alleged suspicious transactions.
Tether subsequently froze the address to prevent the attacker from cashing out USDT, which prevented $1.4 million of the drained crypto from being moved any further. Remitano has not yet issued a statement regarding the incident.
This is a developing story, and further information will be added as it becomes available.
Web3 game Gods Unchained released a new gameplay format that allows players to compete with semi-random cards they receive at the start of a tournament. Called “Sealed Mode,” the format is intended to reward highly skilled players, even if they don’t have a large or expensive card collection. The new format was announced via a blog post on Sept. 13.
“Sealed deck” tournaments are common in paper collectible trading card games such as Magic: The Gathering, but are relatively rare in digital trading card games.
According to the post, players can participate in sealed mode if they pay an entry fee of 15 Gods Unchained ($GODS) tokens, worth approximately $2.65 at the time of publication. Once they pay this fee, they receive a random selection of three gods they can choose to build a deck around. In addition, they receive 60 random cards drawn from multiple Gods Unchained card sets, including Etherbots, Mortal Judgement, Winter Wanderlands, and others.
Although the pool of cards is semi-random, it also contains a minimum number of cards of specific types to ensure that a viable deck can be built with it. For example, each pool has at least 12 cards that cost 3 mana or less.
Out of each player’s pool of 60 cards, they must build a minimum 30-card deck, the post stated. The players must build their decks entirely out of the cards provided and cannot use cards from their own personal collection.
After building a deck, players compete until they either lose three matches or win seven. The players with better records at the end of the tournament receive more rewards than the players who have worse records. Some cosmetic rewards are only available in sealed mode and can only be obtained by players who win four matches or more.
‘Sealed mode’ in Gods Unchained is meant to be similar to ‘sealed deck’ or ‘draft’ tournaments for face-to-face card games like Yu-Gi-Oh!, Pokemon, and Magic: The Gathering. Players of these games often use sealed formats to collect cards. However, because most digital card games do not allow players to ‘own’ their cards in any meaningful sense, sealed tournaments were virtually unknown in the digital card game world. In Gods Unchained, each card is represented by a nonfungible token stored on the Immutable X network, a layer-2 of Ethereum.
Gods Unchained was one of the first Web3 video games released by Immutable. In May, Immutable stated it was developing a wallet application called “Passport” that would allow gamers to log in without needing to copy down seed words. On Aug. 15, Immutable released its zkEVM testnet, which it claimed will help scale Ethereum for video game players.
The account that overpaid $500,000 in fees on Sept. 10 for a Bitcoin (BTC) transfer belonged to Paxos, according to a Sept. 13 statement from the company. Paxos claimed that end users have not been affected and all user funds are safe. Paxos is most well-known as the issuer of stablecoins, including PayPal USD (PYUSD) and Pax Dollar (USDP), but also runs a crypto brokerage firm that carries Bitcoin.
The statement comes after Twitter users were speculating that PayPal may have been responsible for the transaction, due to a related wallet account that had been identified by analytics platform OXT as belonging to PayPal. A Paxos representative told Cointelegraph that PayPal was not responsible, as the error was theirs, stating:
“Paxos overpaid the BTC network fee on Sept. 10, 2023. This only impacted Paxos corporate operations. Paxos clients and end users have not been affected and all customer funds are safe. This was due to a bug on a single transfer and it has been fixed. Paxos is in contact with the miner to recoup the funds.”
The mistaken transaction was first discovered on Sept. 10, shortly after it had occurred. According to blockchain data, the sender paid fees of approximately 20 BTC (over $515,000 worth at the time) to send just 0.07 BTC (worth less than $2,000 at the time). At the time, Casa wallet co-founder Jameson Lopp declared that the sending account “looks like an exchange or payment processor with buggy software” as it had made over 60,000 transactions from the same address.
The block that contained the transaction was confirmed by Bitcoin mining pool F2Pool. On Sept. 10, the pool’s management offered to return the funds to whoever sent the transaction, if a claim was made within three days. Otherwise, the exorbitant fee would be paid out to the pool’s hash power contributors.
Before Paxos made its statement, Bitcoin enthusiast Mononaut declared on Twitter that PayPal was responsible for the transaction.
According to Mononaut, the sending account bc1qr35hws365juz5rtlsjtvmulu97957kqvr3zpw3 had exhibited behavior that “closely matches the behavior of a now inactive wallet [bc1qhs3gptkxem5y7yaq2yg0un2m8hae6wt87gkx4n].” This inactive address was labeled “Paypal” by blockchain analytics platform OXT.
To add further evidence for their hypothesis, Mononaut pointed out that this old wallet address transferred its funds to the new address through an intermediate account. Bitcoin blockchain data shows that the old address labeled “Paypal” by OXT transferred approximately 18.5 BTC to address bc1qlm0xlahpysq2v9yh5rhcc430xjz3xknqqnyvaf on June 19. That account then sent around 5.37 BTC to the new address that later made the mistaken transaction. Lopp shared the thread, wondering aloud if PayPal would request their funds back.
Paxos later issued its statement confirming that the mistake had been theirs, not PayPal’s.
Paxos isn’t the first crypto user or company to potentially pay thousands of dollars in fees because of a mistake. In 2019, one Ethereum user lost over $300,000 when he mistakenly pasted values into the wrong fields. Luckily for him, the mining pool agreed to return 50% of the funds he lost. In 2020, another Ethereum user mistakenly paid $9,500 for a $120 trade. The user claimed that the mistake had “destroyed [his] life.”
In its statement, Paxos claimed that it had contacted the mining company that confirmed the transaction and is attempting to recover the lost funds.
On Sept. 12, crypto exchange CoinEx experienced abnormally large outflows to an address with no prior history, leading security experts to suspect the exchange was hacked. Blockchain security platform Cyvers Alerts has estimated the losses to be approximately $27 million.
At approximately 1:21 p.m. UTC on Sept. 12, a known CoinEx hot wallet transferred around 4,947 Ether (ETH), worth $7.9 million at the time, to Ethereum account 0x8bf8cd7F001D0584F98F53a3d82eD0bA498cC3dE. The receiving account had no prior history before this transaction.
Immediately after this transaction, the CoinEx hot wallet began transferring large amounts of tokens to the same address. Approximately 408,741 DAI stablecoin, 2.7 million Graph (GRT) tokens, 29,158 Uniswap (UNI) tokens, and many other tokens were transferred from the wallet.
Blockchain security firm PeckShield reported the outflow as “suspicious.” CryptoQuant head of research Julio Moreno also claimed that the behavior of the CoinEx wallet was “strange” as Ether reserves “are now basically zero ETH.”
At the time of publication, Coinx has not made a public statement about the incident.
This is a developing story, and further information will be added as it becomes available.
A group of crypto and blockchain firms joined together to create a Texas crypto advocacy group, according to a Sept. 11 announcement. The group is called “Crypto Freedom Alliance of Texas,” and is founded by a16z crypto, Coinbase, Ledger, Bain Capital Crypto, Blockchain Capital, and Paradigm. The group is promoting “the development of coherent and predictable regulations for digital assets in Texas.”
To further its goals, the Crypto Freedom Alliance will foster educational initiatives that will target government officials, corporations, non-profits, and other organizations in an effort to highlight the value of Web3 in the state of Texas, the announcement stated.
Cointelegraph met up with a16z crypto’s global head of policy, Brian Quintenz, at the Permissionless II conference in Austin to get further details on the new group. According to Quintenz, Texas is uniquely suited to become a haven for Web3 developers, but this necessitates forming an advocacy group to tackle issues in the state.
For example, Quintenz argued that decentralized autonomous organizations (DAOs) often need legal jurisdiction to operate. Texas is an attractive state, thanks to its adoption of the Uniform Code of Unincorporated Associations.
“Modifying the unincorporated association law that applies more generally to limited liability types of entities is a state issue, and there are only a few states that have adopted the Uniform Code of Unincorporated Associations […] Texas is one of them,” Quintenz stated.
However, small changes would need to be made to this code to allow DAOs to be recognized as legal entities:
“One of the things we continue to try to do is to advocate and educate around creating a legal entity for DAOs that makes some changes to the unincorporated association framework but makes it more restrictive. We don’t want to just open it up to anybody and say ‘Oh, I’m a DAO.’ You can only really qualify for this if you’re a decentralized kind of organization.”
In addition to advocating for changes to the unincorporated association laws, Quintenz said the group would also push for crypto-friendly tax laws, bank charter laws and bank regulations. He considered Wyoming’s bank charter laws to be “a positive example” of what can be accomplished by crypto-friendly legislatures.
Google Chrome launched its built-in tracking and ad-curation platform, “Privacy Sandbox,” on Sept. 11, according to a company blog post. The platform was originally rolled out to a small percentage of users but is now available to around 97% of users. Google said the remaining 3% will be onboarded over the next few months.
Privacy experts have criticized the new tracking system. But in its announcement, Google defended it, stating that Privacy Sandbox needs to be implemented to eliminate third-party cookies and fingerprinting.
Over 80% of websites use Google’s Adsense service to generate ads on their pages, according to business analytics platform 6sense. To target ads to readers effectively, Adsense embeds cookies in the user’s browser. These cookies track the user’s behavior as they browse from site to site, gathering data that can be used to determine what products they may be interested in buying. Because these cookies are produced by Google rather than the website being visited, they are often called “third-party cookies.”
Some competing ad platforms such as Microsoft Ads also use third-party cookies.
Privacy advocates have criticized the practice of embedding third-party cookies, and some users have sought ways to block them. Apple’s Safari, Mozilla’s Firefox and Brave’s Brave browser have all implemented blocks on third-party cookies by default. Chrome users can also choose to block these cookies through the settings menu.
In a January 2020 blog post, Google argued that browsers should not block third-party cookies by default until an alternative tracking system is created. “Some browsers have reacted to these concerns by blocking third-party cookies,” the post said, “but we believe this has unintended consequences that can negatively impact both users and the web ecosystem.”
According to Google, blocking third-party cookies may lead to “[encouraging] the use of opaque techniques such as fingerprinting (an invasive workaround to replace cookies), which can actually reduce user privacy and control.”
The Sept. 11 announcement echoes these earlier statements, claiming:
“Without viable privacy-preserving alternatives to third-party cookies, such as the Privacy Sandbox, we risk reducing access to information for all users, and incentivizing invasive tactics such as fingerprinting.”
Google Chrome’s new Privacy Sandbox platform allows user data to be tracked within the browser itself. For this reason, Google believes it will enhance privacy, as it will do away with the need for third-party cookies. However, Google also emphasized that it will not start blocking third-party cookies by default until a later date.
The Electronic Frontier Foundation, a digital privacy advocacy group, argued that an earlier version of the Privacy Sandbox did little to enhance privacy, as it continued to track users’ behavior, albeit within the browser instead of through cookies. According to them, the Privacy Sandbox could be even more invasive than third-party cookies in some respects.
The new Chrome interface reveals that Privacy Sandbox can be turned off through three different settings within the “Ad privacy” menu.
Chrome Ad privacy settings. Source: Chrome browser for Android.
Brave browser also implements a platform called “Brave Ads” that tracks users’ behavior. This feature is turned off by default, and if users choose to opt in, they get paid in Basic Attention Token for ads they view.
The $41 million hack of crypto gambling site Stake was carried about by the North Korean Lazarus Group, the U.S. Federal Bureau of Investigation (FBI) stated in an announcement on September 7. This group was also responsible for the Atomic Wallet, Alphapo, and CoinsPaid attacks in June and July and has stolen more than $200 million of crypto in 2023, the announcement stated.
Stake is a crypto gambling platform that offers Casino games and sports betting. It was the victim of a cyberattack on September 4 that drained over $41 million worth of cryptocurrency from its hot wallets. The Stake team stated that the hacker only obtained a small percentage of funds and that users would not be affected.
According to the FBI statement on September 7, the Bureau has carried out an investigation and has concluded that the attack was performed by the Lazarus Group, a notorious cybercrime organization believed to be associated with the Democratic People’s Republic of Korea (DPRK). DPRK is also known as “North Korea.”
The FBI listed the addresses where the stolen funds are now held, which exist on the Bitcoin, Ethereum, Binance Smart Chain and Polygon networks. They recommended that all crypto protocols and businesses review the addresses used in the hack and avoid transacting with them, stating:
“Private sector entities are encouraged to review the previously released Cyber Security Advisory on TraderTraitor and examine the blockchain data associated with the above-referenced virtual currency addresses and be vigilant in guarding against transactions directly with, or derived from, those addresses.”
The U.S. agency also blamed Lazarus for the Alphapo, Coinspaid and Atomic Wallet hacks, stating that losses from all of these hacks adds up to over $200 million the group has stolen in 2023. Alphapo is a payment processor that suffered over $65 million in suspicious withdrawals on July 23. Coinspaid, another payments firm, lost over $37 million through social engineering sometime in late July. And Atomic Wallet users lost a whopping $100 million in June through an unknown exploit.
A BNB Chain rug pull scams users out of $2 million ($11 million at today’s BNB prices). Users ask Binance for help. Binance says it has frozen the funds but then retracts the statement. The funds sat in the address for nearly two years when Binance suddenly took action to freeze the scammer’s wallet, which had grown to $10.8 million. Previously, Binance had stated that it could not freeze wallets outside exchange addresses due to BNB Chain’s decentralized nature. Users are unhappy and demand Binance to do more. This is the story of the PopcornSwap scam.
On January 28, 2021, decentralized exchange PopcornSwap on Build N Build (BNB) Chain executed an exit scam, stealing over $2 million of liquidity providers’ assets through a little known “preUpgrade” function contained in the exchange’s smart contract. Users held out hope that Binance, creator of BNB Chain, would be able to freeze the scammers’ address. The BNB held in the scammer’s account has grown to over $10 million in value since then as users speculated on whether or not the funds had been frozen.
An investigation reveals that contrary to popular belief, Binance is in fact able to freeze private wallet addresses on BNB Chain, so long as all validators consent. Although the attacker’s address was ultimately frozen by Binance, this action occurred nearly two years after the scam. In the intervening two years, the attacker voluntarily kept funds in the original account and did not move them.
The PopcornSwap rug pull
In 2021, PopcornSwap became one of the first decentralized exchanges on the newly launched Binance Smart Chain (BSC), which was later renamed “BNB Smart Chain.” Some of the network’s users flocked to PopcornSwap to deposit liquidity, hoping to profit from the high trading volumes they expected to materialize on BSC. But instead of getting the record yields they had expected, they lost all of the funds they had deposited. PopcornSwap was a fork of Pancakeswap, which was itself a fork of Sushiswap on Ethereum. And it just so happened that Sushiswap contained a “preUpgrade” function that allowed developers to approve themselves as spenders for every liquidity provider (LP) token, letting them drain all of the assets held by the protocol.
Between 1:26 p.m. and 5:53 p.m. UTC, January 28, 2021 BSC address 0xFd6042Df3D74ce9959922FeC559d7995F3933c55 used the aforementioned function to drain the protocol’s $2 million worth of crypto, swapping all of it into the network’s native coin, BNB, in the process. PopcornSwap LPs had lost everything. The attack ended at 5:53 p.m. UTC, January 28, when Fake_Phishing7 initiated a final transaction swapping 250,913 Binance-pedgged USD Coin (USDC) for 5,536 BNB. This left the scammer with approximately 48,511 BNB, worth $2 million at the time (and $10.8 million now), held in its address.
PopcornSwap funds have remain unmoved for over two years. Source: BSC Scan
Victims ask Binance for help
In the wake of the rug pull, victims formed the PopcornRugPull Telegram group. They urged one another to reach out to Binance and report the fraud, asking Binance to freeze the scammers address before any funds could be cashed out. Some users believed that Binance could freeze the scammer’s private wallet address. Others argued that this was impossible, as a centralized exchange cannot freeze a private wallet address.
A Popcornswap victim urging others to report the fraud. Source: Telegram.
On January 29, 2021 Binance responded to one of the PopcornSwap victims. A user who calls themselves “Richie” posted an image of the email they received. In it, the Binance customer service agent mistakenly stated that “the wallet of the scammer has been frozen.” The customer service agent urged Richie and all PopcornSwap users to be patient “until the whole situation gets resolved by authorities.”
Caption: Binance customer support representative stating in early 2021 that the Popcornswap scammer’s address had been frozen. Source: Telegram.
But by October 2022, the stolen funds remained unmoved, and all attempts to get customer service to respond were met with form letters asking users to contact police. PopcornSwap victims were bewildered by the exchange’s seemingly callous response to users’ requests for reimbursement. However, blockchain data shows that at the time of these complaints, Binance did not have any possession of the stolen funds, nor was it affiliated with the entity that stole users’ money.
Contrary to the statement from Binance’s customer service representative, data from BNB Smart Chain shows that the scammer’s address was not frozen prior to October 6, 2022. Instead, the funds remained in the attacker’s account and were never deposited to a centralized exchange nor bridged to another network. The scammer failed to cash out their stolen loot and never profited from the attack. But this failure was due to the scammer’s own lack of initiative, not due to any freezing action performed by Binance.
The October 6, 2022 freeze
On October 6, 2022, in an attack completely unrelated to the PopcornSwap scam, the BSC Token Hub bridge was exploited for over $570 million. The exploiter used a loophole within the bridge code to issue 2 million BNB on Smart Chain without first depositing them to the Beacon Chain side of the bridge. This meant that the total supply of BNB increased by 2 million on BSC.
The attacker immediately bridged $100 million worth of the exploited BNB to other networks, effectively putting the funds out of reach of BSC validators. In response, BSC developers proposed a hard fork of the network that would shut down the bridge and freeze the exploiter’s address. While drafting this proposal, the team also included a line in the code freezing the PopcornSwap scammer’s address.
This upgrade was unanimously approved by all of BNB Chain’s validators. As a result, both the bridge exploiter’s and PopcornSwap scammer’s addresses were banned from performing any outgoing transactions after October 6, 2022. However, the new proposal did not include code transferring the frozen funds to another address. Victims say that Binance could have done more to mitigate the incident.
Binance responds
In a conversation with Cointelegraph on August 31, a representative from Binance confirmed that the October 6, 2022 proposal to freeze address 0xFd6042Df3D74ce9959922FeC559d7995F3933c55, also known as “Fake_Phishing7,” was made by Binance. The representative also confirmed that this was merely a proposal, which could not be implemented without the consent of validators. In this case, the proposal was agreed to unanimously by all network validators. They stated:
“At the request of PopcornSwap victims, Binance proposed blacklisting the attacker’s address alongside the BNB Bridge attacker in October 2022, which was submitted by the BNB Chain team and approved by network validators.”
Binance also confirmed, in agreement with blockchain data, that the funds were never moved into Binance’s possession. “We can confirm that the scammer did not transfer funds to Binance, and we don’t have control over the funds,” they stated. “BNB Chain is an open-source and decentralized ecosystem; wallets and/or their funds cannot be frozen at will [and] governance decisions are coordinated by the community.”
Binance claimed that the investigation has not been closed, and that the exchange stands ready to comply with police if it can be of assistance “This case remains under investigation, and our investigations team is always ready to support law enforcement in pursuit of those responsible,” it stated.
The Pocornswap scam: a cautionary tale
Victims of the PopcornSwap scam lost over $2 million of their hard-earned money as a result of it. Seeing that Binance was the developer of BNB Smart Chain, they turned to it for help. The exchange refused to help citing the decentralized nature of blockchains. However, Binance subsequently reversed course and froze the scammer’s private address with the agreement of BNB Chain validators.
The PopcornSwap scam also serves as a cautionary tale of the risks of using smart contracts. If a smart contract contains a loophole that allows an attacker to drain users’ funds, the victims will face an uphill struggle trying to get reimbursed by validators after the attack is completed, since forks of a blockchain essentially require unanimous consent to be implemented. Such is the nature of blockchains. In addition, take note that despite their decentralized claims, entities can in fact, exercise control over users’ assets if they wish.
Cointelegraph Editor Zhiyuan Sun contributed to this story.
Blockchain analytics platform Arkham Intelligence claims to have identified the addresses of the Grayscale Bitcoin Trust. The trust consists of more than 1,750 addresses holding a total of over $16 billion worth of Bitcoin (BTC), according to a Sept. 6 thread on X (formerly Twitter). Arkham claimed that Grayscale is “the 2nd largest BTC entity globally.”
The Grayscale Bitcoin Trust holds over $16 billion in BTC. Its issuer, Grayscale, is currently battling with the U.S. Securities and Exchange Commission (SEC) as it attempts to transform the trust into an exchange-traded fund (ETF).
Members of the Bitcoin community have long speculated about where Grayscale keeps its huge stockpile of BTC. Grayscale has so far refused to provide the addresses of its wallets, citing “security concerns.” Some Twitter users have criticized Grayscale for not releasing the addresses, accusing them of carrying less Bitcoin than they claim.
A search for “Grayscale Bitcoin Trust” within Arkham on Sept. 9 revealed the following five addresses:
16vd2YfcGK9mw3GZXzL5o23m7gdBGXKHNz
1GRGfd3TtBA2vMjoHH3hVpE6CRx5nZ1YJp
15gioFeKnUjerTQ9LYNreW3Bt9kn9xrTU4
1DtdMtJL2zggkoFPDbEbM2Ja1EYH8LeH9B
1CU9gusmCCfCjsmGatxbzvXLqoisgnaV9n
The first three addresses hold roughly $51 million worth of Bitcoin in total, according to Arkham. The last two hold no funds but do show transactions coming from other Grayscale Bitcoin Trust addresses, including 1L8k2SD9sdTTzdDxA19QdobLbUyKyV2RVi and 1CS1M4oVbcFnZjZ5hU5bk6vLi2Q5VSsmpX. Arkham does not provide a full list of addresses for the Grayscale entity, but it does label each Grayscale address clearly as part of the transaction history of each wallet.
Grayscale’s entity page on Arkham shows it is carrying 627,779,000 BTC valued at over $16 billion.
Grayscale Bitcoin holdings. Source: Arkham.
This is similar to the amount claimed on Grayscale’s website, implying that it does have enough Bitcoin to satisfy withdrawals.
Arkham has often come under criticism for revealing private information about blockchain users, as some Twitter users have labeled it a “snitch-to-earn” platform. However, the platform’s CEO has argued the company is only trying to even the playing field between big institutions and smaller players who would otherwise lack information.
Base network’s “Onchain Summer” promotion in August resulted in over 700,000 non-fungible tokens (NFTs) minted by over 268,000 unique wallets, according to a Sept. 6 announcement from the team.
Coinbase launched Base, its Ethereum layer-2, on Aug. 9. To spur adoption, the network’s team implemented a month-long launch event. It partnered with over 50 companies, artists, and creators to release new digital art NFTs exclusively on Base. Each art set was released on a different date, requiring users to return to the network repeatedly to collect every piece.
Over the first two weeks of the promotion, over $242 million worth of crypto was bridged to Base, with over 130,000 unique wallets using it each day.
The final NFT set was released on Aug. 31; it will continue to be mintable until Sept. 7. Meanwhile, the Base team has released more detailed information about which digital art sets collectors were interested in the most.
According to the announcement, the Coca-Cola collection available from Aug. 13-16 saw the most activity, with over 80,000 pieces being minted over the period.
Vermeer, “Girl with a Pearl Earring,” from the Coca-Cola “Onchain Summer” collection. Source: Onchain Summer.
Other highly-minted collections include those of Web3 gaming platform Iskra (71,000 mints), social media platform Friends With Benefits (71,000 mints), layer-2 network Zora (70,000 mints) and music rights marketplace anotherblock (55,000 mints).
During this period, Base also saw the amount of cryptocurrency locked in its contracts steadily increase, reaching a peak of over $402 million on Sept. 3, according to data from DefiLlama.
Base network total value locked (TVL). Source: DefiLlama.
Despite these achievements, Base’s launch hasn’t been entirely smooth. The network suffered an outage on Sept. 5 when its sequencer stopped producing blocks. Multiple scams have been promoted on the network as well, including $6.5 million rug-pull Magnate Finance.
Circle’s USD Coin (USDC) has launched natively on both Base and Optimism networks, allowing Circle account holders to send USDC stablecoin from their accounts to Base or Optimism. Coinbase has also made USDC transfers to Base available, according to a Sept. 5 social media post. Circle claimed that it is working with “ecosystem partners” to develop a system for users to swap old, bridged versions of USDC for the new, official versions.
Coinbase’s Base network launched on Aug. 9. But at launch, Coinbase users could not send USDC to the Base network from their exchange accounts, nor could Circle account holders. Base users relied on a bridged version of USDC, called “USDbC,” to make U.S. dollar transactions. On Aug. 29, Circle CEO Jeremy Allaire announced that a native version of USDC would be made available “next week,” but no specific date was given.
The Sept. 5 announcement states that the coin is now available natively on Base. On the same day, the Coinbase interface started showing an option to transfer USDC to Base.
Despite this official launch, many decentralized exchanges on the network continue to use the old version of the coin. At the time of publication, Uniswap, Baseswap, Aerodrome, Maverick, and other DEXs continue to show the old contract address when users select the stablecoin.
The announcement stated that USDC has also been launched on Optimism, providing a replacement for the USDC.e token that was previously used on the network. As with Base, Optimism DEXs do not appear to have been integrated with the new version yet.
Circle has been attempting to fight back after its stablecoin lost market share to Tether (USDT) throughout early 2023, but it also faces increasing competition after the launch of two new stablecoins during the summer. First Digital USD was launched in June, and Binance began promoting it in August. PayPal also launched its PYUSD stablecoin on Aug. 7.
Crypto gambling site Stake has experienced $16 million in withdrawals on Sept. 4 in what security platform Cyvers Alerts is calling “suspicious transactions.” The withdrawing account has been labeled “Stake.com Hacker” by Etherscan, implying that the drained funds may be the result of a stolen private key.
Blockchain data shows very large withdrawals from Stake.com contracts into the alleged attacker’s account. The first transaction occurred at 12:48 p.m., transferring approximately $3.9 million worth of Tether (USDT) stablecoin from Stake to the attacker’s account. The next two transactions removed 6,001 Ether (ETH), worth approximately $9.8 million at the current price. The attacker continued to remove tokens over the next few minutes, including approximately $1 million USD Coin (USDC), $900,000 worth of Dai (DAI) stablecoin, and 333 Stake Classic (STAKE) ($75.48). Cyvers has estimated the total value of crypto drained at $16 million.
After draining the funds, the alleged attacker distributed them to multiple accounts. At the time of publication, Stake has not made an announcement regarding the suspicious withdrawals.
Stake is a crypto gambling protocol that offers dice games, Blackjack, Lingo, and other casino games, as well as sports betting for basketball, tennis, volleyball and others.
This is not the first time in 2023 that crypto gambling sites may have been targeted by hackers. On July 23, payments provider Alphapo suffered $31 million in suspicious withdrawals. Alphapo was a provider for several crypto gambling sites, including Hypedrop, Bovada, and Ignition.
This is a developing story, and further information will be added as it becomes available.
Human ID project Worldcoin signed up over 9,500 users in Argentina in a single day in August, setting a record for single-day signups. To achieve this feat, facilitators onboarded participants at an average rate of less than nine seconds per person, according to an Aug. 31 announcement from the project.
Argentina has Worldcoin facilitators in 38 different locations, according to the project’s website. Most locations are in the country’s capital city of Buenos Aires.
Worldcoin is a blockchain-based project that allows individuals to prove they’re human by having their irises scanned. When a user verifies their humanness, they are given a “World ID” that can be integrated into future applications to prove they are not a bot or artificial intelligence program. The project was founded by OpenAI co-founder Sam Altman, who argued that human IDs would be needed in the future as artificial AI programs become more sophisticated and less distinguishable from humans.
Worldcoin launched on July 25 and almost immediately came under criticism from data privacy advocates. Critics claimed that it is too centralized and could easily leak users’ biometric data, leading to negative consequences for users.
In their Aug. 31 post, the team claimed that many Argentinians are signing up for World IDs anyway, despite the controversy. “There was a significant increase in demand for World ID verifications in countries around the world [after launch],” they stated. This “continued into August, which saw 9.5K Argentinians verify their World ID in a single day.”
The post also stated that the surge in signups caused the Worldcoin app to “temporarily become the number one app in Argentina on the App Store.”
Worldcoin gives its native coin, WLD, to new users after they sign up. Currently, the signup bonus is 25 WLD, which is worth approximately 10,239.48 Argentinian Pesos (ARS) or $29.25 on the open market. According to cost-of-living data from travel website Expatistan, this is enough to buy two meals from the “basic lunchtime menu” in the business districts of major cities within Argentina. The coin hit an all-time high on launch day, when the 25 WLD bonus was worth approximately 23,791 ARS, or $68.
The project claims that it “is fully compliant with all laws and regulations governing biometric data collection and data transfer.” In response to criticism, the Argentinian government has opened an investigation of Worldcoin’s privacy practices. Worldcoin has also been suspended in Kenya, and the Worldcoin team has responded with a document arguing that it has complied with all privacy laws in the country.
Circle’s United States dollar stablecoin, USDC, will launch natively on the Base network “next week,” according to an Aug. 29 social media post from CEO Jeremy Allaire. The new version will replace the current US Dollar Base Coin (USDbC) that most users rely on as a substitute.
Coinbase’s Base network launched on Aug. 9. At the time, no native version of USDC existed on the network. Users could not deposit cash into a Circle account and receive equivalent USDC on Base. To solve this problem, the Base team allowed users to bridge USDC from Ethereum via an official bridge app. The token issued by the bridge is called “USDbC,” and is backed by native USDC locked on the Ethereum network.
The Aug. 29 announcement states that Circle will soon begin issuing USDC on Base, eventually doing away with the need for a bridged coin backed by the Ethereum version.
According to an accompanying blog post, the contract for the new token has already been deployed to Base. On launch day, the team will explain how the current USDbC can be redeemed for native USDC. The team will also “work with ecosystem apps” to allow liquidity providers to “smoothly transition” to providing liquidity for the new coin, and the current Base bridge that issues USDbC will continue to operate normally for the time being.
The Circle team has not announced a specific date for the coin’s official launch, as Allaire stated only that it will happen sometime “next week.”
Crypto exchange Binance has removed “yellow” and “green” payment options from its peer-to-peer service after being criticized for using these code words to represent sanctioned Russian banks, Cointelegraph confirmed on Aug. 25.
Payment method searches for color-themed code words result in no hits. Source: Binance.
Binance’s peer-to-peer exchange service is a message board allowing users to offer to buy or sell cryptocurrency. It also functions as a crypto escrow service. However, unlike Binance’s main exchange platform, it leaves fiat payments to be handled by users, and no fiat money passes through Binance’s servers.
On Aug. 22, The Wall Street Journal reported that Binance was listing sanctioned Russian banks such as Tinkoff and Rosbank as transfer methods. This led to criticism that Binance may be violating sanctions by endorsing these banks as payment methods.
On Aug. 24, multiple Russian news outlets began reporting that Binance had eliminated these banks from its list of payment methods. However, these banks had reappeared as code words “yellow” and “green,” with “yellow” representing sanctioned bank Tinkoff and “green” representing sanctioned bank Rosbank.
On Aug. 25, The Wall Street Journal reported that the sanctioned banks were removed from the list. The report quoted a Binance spokesperson indicating that the banks were removed after the exchange learned that account holders were using the service to circumvent sanctions. “We regularly update our systems to ensure compliance with local and global regulatory standards,” the spokesperson reportedly said. “When gaps are pointed out to us, we seek to address and remediate them as soon as possible.”
On the same day, Cointelegraph confirmed that the “yellow” and “green” payment methods were removed. Sixteen payment methods are still available for Russian ruble conversions to crypto, including Raiffeisenbank, Russian Standard Bank, Payeer, Adv Cash, and others. But Tinkoff and Rosbank are no longer on the list, nor are their code word equivalents.
Despite their official removal, Cointelegraph found that Binance P2P users are still advertising sales with “the green bank” as their payment method. These users list other methods of payment, such as Russian Standard Bank or Ak Bars Bank, in the “payment method” field but then state explicitly within the “advertiser’s terms” that they will only accept transfers using “the green bank.”
User posting a Binance P2P sale demanding payments to “only green bank.” Source: Binance.
In this way, users have been able to continue using Binance P2P to sell cryptocurrency through sanctioned payment methods.
Peer-to-peer crypto marketplaces have been controversial since their inception. Supporters argue these marketplaces are necessary to prevent government payment censorship, while detractors say they are used by criminals to move illicit funds.
Before 2023, one of the most popular peer-to-peer marketplaces was LocalBitcoins. However, it was shut down earlier this year, and some users moved to Binance P2P in response.
Paxful co-founder Ray Youssef argued on Aug. 25 that P2P marketplaces are still too centralized and too vulnerable to shutdown by governments. He is working on a new marketplace called “Civ Kit” that he claims will be much more difficult for governments to shut down.
Developers behind the Base and Optimism networks have jointly announced a revenue-sharing and governance-sharing agreement. Coinbase, the parent company of Base, has also published a list of “principles of neutrality” it will follow to prevent Base from becoming centralized. This announcement was made through three separate blog posts on Aug. 24; one from the jointly-controlled Optimism Collective, one from Base, and one from Coinbase.
According to the jointly-controlled Optimism Collective’s post, Base’s smart contracts can only be upgraded via a 2/2 multi-signature wallet account. One signature is controlled by Base and the other by the Optimism network’s team (called the “Optimism Foundation”). This means that Base cannot be upgraded without the consent of the Optimism team. As more chains opt to use the OP Stack and become part of the “Superchain,” governance will be handed over to a “security council” with representatives from all of the chains that comprise this ecosystem.
Base will also pay either 2.5% of its revenue or 15% of its profits to the Optimism Collective, whichever is greater. In return, it will receive “up to approximately 118 million OP Tokens,” allowing it to have a voice within Optimism’s protocol governance. This amount will be capped at 9% of the total votable supply “in order to maintain balance,” the announcement stated.
The post from Base was issued under the name of its principal creator, Jesse Pollack. He pledged that Base will become more decentralized over time, moving from what Vitalik Buterin called “stage 0” to “stage 2” of a Layer 2’s decentralization. The Base team will work to improve the scalability of the two current Optimism clients, op-geth and op-node, and create an entirely new client called “op-reth” to diversify the types of clients used.
The team will also continue to develop Pessimism, a real-time network monitoring tool that attempts to detect cybersecurity threats early.
In addition, Pollak confirmed that Base will share revenue with the Optimism Collective and will eventually hand over upgrade keys to an Optimism Security Council.
Coinbase’s post was published under the name of the company’s engineering lead, Will Robinson. He focused specifically on the concept of “neutrality.”
Robinson pledged that Coinbase will remain a neutral participant in the Base network. The exchange will not “custody or control the crypto that users bring to Base network,” nor will it change the order of transactions for its own benefit or “misuse any non-public information gleaned from Base.”
Robinson claimed that Coinbase’s marketing team and other branches of the company will use only publicly-available data from block explorers and other tools in their efforts to sell Coinbase’s products, gaining no insider advantage from running Base’s sequencer. Withdrawals from Base will also be processed without censorship, respecting what Robinson calls “Freedom to exit.”
Some critics of Base network have suggested that its currently centralized nature may lead to regulatory scrutiny from the United States Securities and Exchange Commission. For example, attorney Gabriel Shapiro has stated that Base “could threaten dangerous collateral damage” to the industry.
Coinbase CEO Brian Armstrong also raised eyebrows on March 7 by suggesting that “centralized players” on Base must implement identity verification. Despite these criticisms, many Ethereum investors have expressed hope that Base and the Optimism Superchain will help to onboard new users to the Ethereum ecosystem.
Crypto trading platform Cypher protocol has published a plan to recover from its $1 million exploit, stating it will “socialize” losses across the platform in an initial stage of the recovery. In the first stage of the plan, the Solana-based trading platform will produce a “pro rata redemption package” of current assets it possesses, which will become withdrawable by users through a web interface. However, the platform does not currently have enough funds to pay back all depositors, so losses will be distributed across all accounts in this initial stage rather than being borne by any particular individual or group.
In a second stage of the recovery process, the protocol will raise funds through an initial DEX offering (IDO), and these funds will be used to pay for audits and further development. At the same time that the IDO is occurring, users will be issued a “debt token” representing the remaining assets they are owed by the protocol. This debt token will grant them the right to USDC profits generated by Cypher in the future, allowing the protocol’s losses from the exploit to eventually be paid back to users.
“Our foremost priority is to direct funds towards impacted users, underscoring our dedication to rectify their financial losses,” the team stated. After these funds are paid back, the team will engage auditors Otter Sec and Mad Shield to perform public audits on the patched version of Cypher, in an attempt to discover any further bugs before they can become a problem.
The protocol will only resume “after a meticulous evaluation, ensuring every potential vulnerability is addressed.” In the meantime, the app’s smart contracts will remain frozen, the plan stated.
The $1 million Cypher exploit occurred on August 8. Security researchers have yet to determine its cause. $600,000 worth of crypto drained in the attack was frozen by various centralized exchanges, preventing the attacker from cashing them in. Cypher has announced that it will attempt to recover these funds for users through cooperation with exchanges or through seizure warrants issued by law enforcement.
Unstoppable Domains (UD) has launched an instant messaging system for owners of Web3 usernames, according to an Aug. 23 announcement from principal engineer Aaron Quirk. Owners of .crypto, .wallet, .polygon or other UD-registered usernames can now message each other across most apps that use XMTP, including the UD iOS app and website, Coinbase Wallet, and Lens protocol apps such as Lenster and Buttrfly. The announcement clarified that the Android version of UD will not provide messaging at launch but will provide this feature soon.
The new messaging integration relies on the extensible message transport protocol (XMTP), an independent protocol, to fully encrypt and send messages to recipients. This means that messages should still be available even if UD were to cease operations in the future. “Your messages will be preserved and accessible to you no matter what happens to Unstoppable,” the announcement stated.
Web3 usernames have been around since 2017. They allow crypto users to associate their crypto addresses — long strings of characters representing accounts — with more easy-to-remember names. For example, the extremely difficult-to-remember 0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045 can become simply “Vitalik.eth.”
These crypto usernames have mostly been used to receive payments in the past. But a few projects are trying to expand their utility to include other applications, including messaging. For example, Coinbase Wallet launched an instant messaging system on July 12, allowing users to message each other via their .eth or .cb.id usernames. The Coinbase Wallet feature was also integrated with social media protocol Lens, thanks to the two projects’ shared use of XMTP.
However, this shared system did not extend to usernames registered through Unstoppable Domains, such as ones ending in .crypto or .polygon. According to Quirk’s announcement, this issue has now been solved. Users of Lens apps or Coinbase Wallet can now send messages to each other using their Unstoppable Domains usernames in addition to other methods.
Quirk also stated that the company will soon release an integration with Push Protocol, allowing username owners to sign up to receive notifications from Web3 projects. The projects will be able to message users via the Unstoppable Domains website or app.
On April 26, Unstoppable Domains also partnered with Binance.US, allowing its users to register names ending in .BinanceUS. And it called a truce with rival Ethereum Name Service (ENS) on July 17, allowing ENS .eth names to be sold in the UD store for the first time.
On July 14, developers of the $1.5-billion Chinese cross-chain protocol Multichain confirmed users’ worst fears. The protocol’s CEO, identified only as “Zhaojun He,” was arrested by Chinese authorities in Kunming on May 21 after months of repeated denials on official communication channels. Also allegedly arrested was Multichain’s core team, which was operating in Shanghai.
It was never disclosed why Zhaojun had been arrested or what the charges were. However, evidence suggests that Multichain funds may have been seized as part of an anti-money laundering operation in the context of a greater crackdown on crypto by Chinese authorities. In addition, an alleged fake ID used by the CEO to register Multichain’s operations only draws more questions.
Multichain co-founder Alfred Xu assured that the development team was doing “just fine” on May 24 | Source: Telegram
Victims demand answers
Despite their previous assurance of decentralization, the Multichain team revealed that the protocol’s multi-party computation servers and private keys were all under the exclusive control of Zhaojun, which were handed over to police. Without access to such items, the protocol had to shut down, and its team members were nowhere to be found.
By the time of disclosure on July 14, $1.5 billion in total value locked on Multichain bridge remains inaccessible. An attempt to “rescue” users’ assets earlier that month also resulted in the arrest of Zhaojun’s sister, or so the development team says. Since the arrest began, funds on Multichain have been mysteriously swapped or bridged to unidentified wallets.
Crypto investor ArkRide, who claims to have over $9,000 stuck in the Multichain protocol, founded a victims group shortly after the incident. The group now has over 300 members.
ArkRide tells Cointelegraph that when the group formed, the members did not even know the names of key Multichain executives. Subsequently, one member shared a document from the Singapore government’s Accounting and Corporate Regulatory Authority alleged to be a Multichain business filing. The document lists “He Xiaokun,” a resident of Jiangsu Province, China, as the “Director” of the company. After seeing this document, some allege that “Zhaojun He” is in fact a pseudonym for “He Xiaokun.” (Chinese family names are written first.)
A Singaporean business filing for the principal business entity behind Multichain.Source: Telegram
Several Multichain victims reached out to Chinese embassies and the police in their home countries in an attempt to get further information, but received no response.
Around the same time as user investigations, they were contacted by the Fantom Foundation, one of the largest users of the Multichain bridge prior to its collapse. Through several Telegram messages, sources at Fantom claimed that it has hired attorneys within China to assist in the recovery process and confirmed Multichain co-founder Zhaojun had been detained by Chinese police.
“We’ve been gathering info from different parties and have contacted a Chinese law firm to get advice moving forward,” the source also claimed that some of the Multichain funds have been frozen by centralized exchanges and stablecoin issuers and that the foundation is attempting to get these funds distributed to victims. When asked about the possibility of a rug pull, the source wrote: “I do not believe the MC team misappropriated funds.”
On July 14, Fantom co-founder Andre Cronje stated that “Multichain was a big blow” to the network, as much of its total value locked consisted of Multichain derivative stablecoins. Stablecoin issuers Circle and Tether have frozen over $65 million in assets associated with the hack, according to blockchain data.
Cointelegraph reached out to the Fantom Foundation for comments but did not receive a response by the time of publication.
In a conversation with Cointelegraph, freelance content creator PJ Krypto claimed that he has lost a full month’s paycheck from a client as a result of his funds getting stuck inside the Multichain protocol. According to him, this happened on Aug. 1, nearly a month after the team had announced that the protocol should not be used.
Multichain’s user interface gave no warning that it shouldn’t be used. (Aug. 23, 2023)
After his transfer took an unusually long time, PJ checked Multichain’s block explorer and noticed that it had an abnormally large amount of pending transactions. Alarmed, he then checked the protocol’s social media accounts.
“Nearly, my jaw dropped to the ground when I started reading everything,” he stated, continuing:
“I don’t know, I guess, sometimes, you just kinda get comfortable. You’ve used something before, and it just works. And you get a little lackadaisical, and I think that’s where I got victimized […] the silly thing is, I could have just sent it to a centralized exchange.”
The content creator stated that his paycheck is still stuck in the Multichain protocol. As a result, he has been unable to pay his team for subcontracted work they performed for him in July and will likely have to catch up these payments out of revenue from August. “It was a tough pill for them to swallow. I mean, they have bills, right? And I’m behind now on my bills for my content creation.”
ArkRide lost over $9,000 worth of crypto in Multichain on July 15 under similar circumstances. He expressed relief that his loss from the hack was small and stated that he has met others who fared much worse:
“My amount that I lost on Multichain is not as much as some people that I talked to lost because there were people who lost nearly half a million. I talked to a couple of guys who lost like $100K each, and there were some people who literally couldn’t stand from their beds, they told me they wanted to commit suicide or something like this.”
The investigation continues
The Chinese national ID system reveals concerning information on who is the actual director of Multichain. A Chinese national ID is a 15- or 18-digit number containing an individual’s residing jurisdiction, date of birth and gender.
A query revealed that the individual listed as “He Xiaokun” in Multichain’s Singaporean registration documents was born on May 10, 1955. The same search for “Yang Qiumei,” another director listed on the Multichain registration file, reveals the said individual to have been born on July 20, 1957. Xu Ruduo, the third director of Multichain — possibly referring to co-founder Alfred Xu — registered using a different type of ID. Alfred Xu has been unreachable since the arrest of his colleague.
The ID search query revealed that “He Xiaokun,” an individual listed as a Multichain director, is currently 68 years ago and lives in a village in Jiangsu.Source: ID Search
By inspection, Zhaojun appears far too young to fit the profile of either “He Xiaokun,” age 68, or Yang Qiumei, 66. Both individuals had been indicated as residing in the same address at a rural Chinese village.
A photo of Zhaojun circulated during his participation in the crypto project Fusion, circa 2017, and was previously his profile picture of his official Twitter account. Dejun Qian, co-founder of Fusion, confirmed Zhaojun was in charge of Multichain during the time of the incident. The two were previously involved in a business dispute regarding Multichain, when it was formerly known as Anyswap.
Zhaojun He as listed in Fusion’s developer team. His biography reads: “More than 10 years of experience in secure Linux R&D. Former technical director of Chinese leading security operating system. Received bachelor of software engineering, Dalian University of Technology.” Source: Fusion
Sources reviewed by Cointelegraph claim that from the very beginning (May 21), Chinese authorities accused Zhaojun of “money laundering” by bridging tainted assets from users via the Multichain protocol. As a result, the police have attempted to seize all protocol assets, user, enterprise or tainted alike, as proceeds of crime. Although some of these seizures were prevented when centralized exchanges or stablecoin issuers froze the funds, the rest have passed into the hands of Chinese authorities, these sources claim.
Wuwei Liang, a former staff member of crypto exchange CoinXP, claims that in 2019, the firm’s entire development team was apprehended by Chinese police, along with the confiscation of protocol funds and shutdown of all relevant operations. Liang Liang, the firm’s CEO, was subsequently charged with operating a “multi-level marketing operation” and a “pyramid scheme,” which could result in the criminal seizure of the projects’ users’ and enterprise’s assets al if convicted.
During the trial this July, some sources claim that key witnesses and defense attorneys were threatened with legal intimidation. A presiding judge also reportedly stated, “Presumption of innocence until proven guilty” is “not a correct principle” within Chinese law. The trial has been adjourned.
CoinXP trial participants allegedly being apprehended by police | Source: Liang Liang
In a similar incident on May 29, Chinese crypto exchange BKEX suspended withdrawals citing the need to cooperate with police on charges of “money laundering.” The exchange has not been active since, and, like Multichain, its team members are nowhere to be found. Social channels, too, have gone cold. Its website is also offline.
Crypto exchange BKEX’s last message to users before halting withdrawals.
In yet another incident, the entire development team of offshore Hong Kong dollar and Chinese yuan stablecoin issuer Trust Reserve disappeared in May after its office was raided by police. Local sources say that Trust Reserve developers had been detained. Again, the charges are unknown.
Allegations of corruption
In each of these instances, police have neither informed investors of the charges against protocol developers nor of what process investors can go through to recover their funds. CoinXP’s Liang claims that this is because police are using the legal system as a means of corruption to embezzle investors’ capital for their own benefit:
“Defense lawyers would persuade the parties and their families [of arrested crypto executive] to comply, shut down servers, hand over [private] keys, and cooperate in pleading guilty, claiming that this will result in leniency. Little do they know that this makes it easy for law enforcement to profit from unlawful conduct, ‘legally’ pushing the parties towards prison and, at the same time, ‘legally’ taking away the digital assets that belong to the users, investors and founding team.”
Whatever the reason, the Chinese government has not yet answered investors’ questions of where the funds have gone and why they have not been returned to users.
Users such as ArkRide, PJ Krypto and others in the “Multichain Scam” group have so far been unable to get answers as to where their hard-earned money went. But one thing is certain: The Multichain exploit will go down as one of the worst crypto hacks of 2023. Across the world, Multichain users’ assets have mysteriously disappeared. Although some of the funds may be recovered, many are still experiencing the trauma it caused them.
Cointelegraph Editor Zhiyuan Sun contributed to this story.
