KyberSwap Frontend Exploit, Hacker Stole $265K

Malicious code in a Google Tag Manager (GTM) script on the website allowed a hacker to steal $265,000 of users’ funds. The hack targeted whales’ wallets.

On September 1st, 8:24 PM UTC, KyberSwap discovered a bug in its website code which allowed hackers to steal approximately $265,000.

According to the DeFi platform, two “whale” addresses were apparently affected by the attack. KyberSwap announced its intention to all affected users. Kyber claimed it discovered the exploit that allowed hackers to insert fake approvals, allowing them to transfer funds to an address. The attack was detected on Sept. 1, and the threat was “neutralized” within two hours.

What happened to KyberSwap?

KyberSwap was the victim of a website exploit. On Sept 1st, 8:24 PM UTC, they discovered a suspicious element on their front end. To investigate further, they shut down the website; the smart contracts and everything related to the blockchain were not disturbed. The issue was a malicious Google Tag Manager (GTM) script, which allowed the attacker to steal users’ funds.

It seems that the malicious GTM code was designed to specifically target whale wallets, giving the attacker access to larger funds. The UI was unavailable for just over two hours. During that time, the malicious code was eliminated from the KyberSwap UI and the hacker’s wallet was identified; the UI was then restored and made available to users.

KyberSwap told its users about the bug via the platform’s Twitter account and urged other DeFi protocols to inspect their frontend code to prevent similar attacks.
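A check of the kind a wallet or transaction-signing wrapper could run against injected approvals, as an added example (not KyberSwap’s code): it decodes ERC-20/ERC-721 approval calldata and blocks any spender that is not on an allowlist of published contract addresses. The function names, the allowlist and all sample addresses are assumptions constructed for illustration.

```javascript
// Added example. Addresses are constructed placeholders, not KyberSwap contracts.
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode approval-style calldata. Returns null when the call is not an approval.
function decodeApproval(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{8,}$/.test(hex)) return null;
  const signature = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!signature) return null;
  const args = hex.slice(8);
  // Two 32-byte ABI words are required; an address word has 12 zero bytes of padding.
  if (args.length < 128 || !/^0{24}/.test(args)) {
    return { signature, malformed: true };
  }
  return {
    signature,
    malformed: false,
    spender: "0x" + args.slice(24, 64),
    amount: BigInt("0x" + args.slice(64, 128)),
  };
}

// Decide whether a transaction request may be forwarded to the wallet.
function checkTransaction(tx, allowedSpenders) {
  const call = decodeApproval(tx.data || "0x");
  if (call === null) return { verdict: "not-approval" };
  if (call.malformed) return { verdict: "block", reason: "malformed approval calldata" };
  const { spender, amount, signature } = call;
  // Revoking an allowance (amount or flag of zero) never grants access.
  if (amount === 0n) return { verdict: "allow", reason: "revocation", spender };
  const allowed = new Set(allowedSpenders.map((a) => a.toLowerCase()));
  if (!allowed.has(spender)) {
    return { verdict: "block", reason: "spender not in allowlist", spender };
  }
  const unlimited = signature !== "setApprovalForAll(address,bool)" && amount === MAX_UINT256;
  return unlimited
    ? { verdict: "warn", reason: "unlimited allowance", spender }
    : { verdict: "allow", reason: "known spender", spender };
}

// Constructed sample requests.
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const ROUTER = "0x" + "11".repeat(20);   // stands in for a published contract address
const UNKNOWN = "0x" + "ee".repeat(20);  // stands in for an address injected by a script
const SAMPLES = {
  legit: { data: "0x095ea7b3" + pad(ROUTER) + pad("0x3e8") },
  unlimited: { data: "0x095ea7b3" + pad(ROUTER) + "f".repeat(64) },
  injected: { data: "0x095ea7b3" + pad(UNKNOWN) + "f".repeat(64) },
  revoke: { data: "0x095ea7b3" + pad(UNKNOWN) + pad("0x0") },
  swap: { data: "0x12345678" + pad("0x1") },
  truncated: { data: "0x095ea7b3" + "00".repeat(10) },
};

for (const [name, tx] of Object.entries(SAMPLES)) {
  console.log(name, checkTransaction(tx, [ROUTER]));
}
```

The allowlist is only useful if it is pinned outside the page that builds the transaction, since a script running in that page can rewrite anything the page itself supplies.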

This decentralized exchange allows users to trade currencies across different blockchains. The blockchain contracts of KyberSwap were not affected. They have also identified the affected addresses. 

Kyber tweeted, “We have compiled a complete list of confirmed and suspected attacker addresses used during this period, including tracking interactions with centralized exchanges and OpenSea.”

While this attack ranks amongst the lowest losses suffered by the DeFi projects, these thefts add up to millions of dollars that have disappeared from users’ funds. It also makes it very clear to anyone paying attention that DeFi platforms have penetrable UIs that can be exploited by creative hackers. 

KyberSwap is now safe to use, although users are advised to exercise caution when doing so.

A complete list of the confirmed and suspected attackers’ addresses has been made public on their blog. There’s also a complete list of the addresses of the smart contracts related to using KyberSwap. Additional info about the incident can be found in the same blog – Notice of Exploit of KyberSwap Frontend

Will KyberSwap retrieve the stolen funds?

Blockchain transactions are irreversible, and KyberSwap might not be able to get the funds back, even if they have traced the wallets. The only way to get the stolen funds back is if the hackers decide to transfer them back. 

For that reason, the Kyber protocol has urged the attacker to send the funds back. Not only that, but they are offering a bug bounty of 15% of the stolen funds.

Here’s the message for the KyberSwap hacker: 

“Hello attacker. We know the addresses you own have received funds from central exchanges, and we can track you down from there. We also know the addresses you own have OpenSea profiles and we can track you through the NFT communities or directly through OpenSea. As the doors of exchanges close upon you, you will not be able to cash out without revealing yourself. As a bug bounty, we are offering you 15% of the funds if you return it and have a conversation with our team. To confirm, send the funds to the following Polygon address: 0x2dc0ba6ba3485edd61f17ffabf4c7a9626001d50” 

ENS’s eth.link Could Be Lost Because There’s Nobody To Renew Its Web Address

Eth.link will be put up for sale on Sept. 5, according to GoDaddy.

The eth.link domain is about to expire, and the members of the ENS DAO community are forced to replace it. Web3 sites use decentralized naming systems such as ENS (Ethereum Name Service), which is similar to traditional DNS.

The only person that has access to renew the domain is the former Ethereum developer, Virgil Griffith, who is currently serving a 63-month sentence. He pleaded guilty to helping North Koreans to use cryptocurrencies to circumvent the sanctions. After giving a talk about cryptocurrencies in Pyongyang in April 2019, Virgil Griffith was arrested in November 2019. 

Although the maximum sentence for the crime was 20 years, Griffith’s plea agreement with federal prosecutors reduced the sentence to a range between 63 and 78 months, which is approximately 5 to 6.5 years. Since Griffith is still serving his sentence, the eth.link domain expired on July 26, and there’s nobody else who can renew it. As of September 6, 2022, the eth.link domain will be available for registration, and anyone can take it.

What is eth.link?

The eth.link is the EthDNS that serves the .eth community. 

ENS DAO, a decentralized autonomous organization (DAO), governs the Ethereum Name Service protocol. This is a Web3 version of a Domain Name Service provider. ENS is responsible for the many .eth domains that have appeared in the Ethereum community, where users have purchased .eth names as their own domains. ENS names can be linked to your wallet address to make it easier to send and receive cryptocurrency (instead of typing out a complex Ethereum address).

The ENS gives DNS information to the distributed authority without conflating ownership and authoritative serving. Using ENS, domain owners have full control of their DNS records. Smart contracts allow ENS to irrevocably assign subdomains of domains to other entities.

So far, the ENSLink was used as the EthDNS, and anyone who used an ENS was able to use it to see the associated ENS records. 

However, instead of showing all the information about how to use the ethDNS, the eth.link will now show an empty page with an expiration banner on top. 

The Executive Director of ENS stated that Virgil Griffith was working with the Ethereum Foundation when ENS was launched, and he was an early contributor to the ENS protocol. However, it’s important to note that ENS is a permissionless protocol, and it can be used by anyone to build decentralized applications (DApps) on top of it. Virgil Griffith used the eth.link traditional domain to build an application that would resolve the ENS domains. The DAO got used to the DApps, and it was using it to fetch information about all ENS names. However, the ENS DAO is now operating another domain (eth.limo) which is now handling the same requests and resolving the ENS domains. 

What is ENS?

ENS, or Ethereum Name Service, is a distributed naming system that interacts with the Ethereum blockchain and maps human-readable domains to blockchain addresses.

ENS is used as a store for DNS information. It provides the distributed authority of DNS without conflating ownership and authoritative serving of information. By using ENS, the owner of a “.eth” domain has full control over their own DNS records. Effectively, an ENS is doing for the Ethereum blockchain what the DNS is doing for the WWW. 

In the last couple of years, the ENS has seen significant growth. While the first million domains were sold over the course of five years, it only took about four months to surpass the 2 million milestone. 

Dogechain Offers Smart Contract Capabilities to DOGE Owners

Crypto and AI Set for Major Energy Consumption Surge by 2026

As the International Energy Agency (IEA) forecasts, AI’s energy consumption is poised for an explosive increase, overshadowing even the substantial growth in crypto’s energy use. Despite AI’s burgeoning demand, the spotlight remains on cryptocurrency for its significant energy footprint.

Tornado Cash Becomes the First Smart Contract Banned by the U.S. Government

The U.S. government decided to act upon the Ethereum blockchain, and it’s imposing a ban on Tornado Cash, the cryptocurrency tumbler. 

At the beginning of August 2022, the U.S. Treasury Department announced that it had banned Tornado Cash, the famous crypto-mixing service. In a move likely to have wide-reaching implications for crypto, all American “persons” are prohibited from interfacing with the open source protocol.

Circle, the issuing entity behind USDC stablecoin, immediately removed 38 addresses from their transaction history that were connected to Tornado. Anecdotal evidence suggests that bans are being enforced by other platforms and companies.

By instating this ban, the Office of Foreign Assets Control has made it a crime to use Tornado Cash. It is now more difficult to maintain transactional secrecy for Ethereum, the most widely used blockchain. Platforms and individuals need to assess their exposure and take steps toward avoiding regulatory action. However, it’s still unclear whether or not the regulators will enforce such a ban and how blockchain protocols will comply.

What is Tornado Cash?

Tornado Cash is an open-source project that allows crypto users to hide their transaction histories from the public. It is claimed by the U.S. government that Tornado Cash was used to launder more than $103.8 million through hacks of Nomad Token Bridge and Horizon Harmony Bridge earlier in the summer and was also used by Lazarus Group, a North Korean hacker group.

The U.S. Treasury sanctioned Tornado Cash for its use by Lazarus Group, a North Korean hacker group. Also, it cited the laundering of more than $103.8 million through hacks of Nomad Token Bridge and Horizon Harmony Bridge earlier in the summer.

Since its 2019 launch, Tornado Cash was used to launder more than $7 billion worth of cryptocurrency.

Soon after the U.S. Treasury announcement, the Discord server for that group vanished, and unknown persons also took down the forum on Tornado Cash’s community website. A member of Tornado Cash’s developer group was also taken into custody in the Netherlands by law enforcement.



Who uses Tornado Cash?

Instead of pursuing identifiable bad actors or targeting hackers, the government has placed a ban on the protocol. Elliptic, an analytics firm, claimed it had found $1.5 billion worth of illicit funds through ransomware, fraud, and hacks.

Chainalysis, the blockchain analysis company, released a report that claimed that the use of crypto-mixers hit an all-time high monthly level in April 2022. This was after $51.8 million had been laundered through different platforms.

Tornado is also an important component of the Ethereum money stack. While this wasn’t the only method to anonymize transactions on blockchain, or the only coin tumbler used, it was the most widely used tool. The vast majority of applications supporting ETH will have exposure to the mixing service. Even Ethereum co-founder, Vitalik Buterin, has admitted to having used Tornado Cash before donating money to Ukraine in the spring of 2022.

But a government can’t really ban a blockchain protocol

But as with any smart contract deployed on a blockchain, it can’t be shut down by any authority. Although the use of the Tornado Cash smart contract has been deemed a criminal action, the ruling can’t actually stop anyone from using it or even re-deploying its open-source code on a different blockchain.

Surely, there have been some reactions to the ban. Some Tornado Cash users have been sending small amounts of crypto to celebrity crypto owners. The issue is that anyone who knows your public wallet address (which is not hard to find) can send you transactions, even a transaction from Tornado Cash, and there’s no way to refuse a transaction. In this case, there can be innocent people that might have wallets that can be tied to the banned protocol – but are they really to be blamed?

While some platforms such as Circle and MakerDAO are trying to follow the rules, it is clear that blockchain financial apps can’t exist by following the archaic regulations of governments. 

What Will Happen to Miners After the Ethereum Merge Is Complete

Ethereum miners will need to switch course as soon as September, when the network will no longer require miners to validate transactions and create new blocks. They might consider mining other cryptocurrencies or even give up completely. 

After The Merge, the Ethereum miners will no longer be part of the network participants, and they will have to shift their use of the network. The roles of Ethereum miners will now be obsolete, and they are forced to find alternative income streams. 

The sudden change took, in fact, years of research and development, but after The Merge, Ethereum will finally be described as a safer, energy-efficient, and scalable blockchain network. 

Once the Ethereum network moves to a Proof-of-Stake (PoS) consensus mechanism, Ethereum miners face a sudden change. Their role effectively ends, and they are forced to look for alternative income streams.

This historical moment for the Ethereum community, known as “The Merge,” is expected to take place on September 15th, 2022, but might take place even sooner.

What’s the Ethereum Merge?

The Ethereum Merge is the switch from a Proof-of-Work (PoW) to a Proof-of-Stake (PoS) consensus mechanism. In plain English, a PoS blockchain doesn’t require miners (aka energy-intensive computers) to validate transactions and create new blocks but relies on stakers and validators.

This will have many benefits, including the elimination of energy-intensive mining. To secure the network, the network will instead use staking.

Over the years, as more applications have been deployed on Ethereum, users have been hit with high transaction fees, low scalability, and even network congestion. But all of these are expected to change in the near future. 

When complete, the Merge will eliminate Ethereum’s high gas fees, improve scalability and security, and provide greater sustainability.

What will happen to Ethereum miners?

Since its creation, Ethereum has relied on GPU (graphics processing unit) rigs to perform the process of Ethereum mining. They are more flexible than the ones used for bitcoin mining, and can be reconfigured to mine other coins more easily. GPUs are used by gamers but can also be used to mine other cryptos such as Ergo, Ravencoin, and Ethereum Classic.

But as Ethereum is being upgraded, all these miners will have to either start mining other coins or give up crypto mining entirely. It’s worth noting that a profitable mining rig costs more than $1,000, and the operation’s success relies on the cost of electricity, which has also gone up dramatically since the beginning of 2022. 

In the past, Ethereum mining was very popular due to its profitability. However, miners will have to switch course and employ their GPUs on other blockchains. While a shift to mining other cryptocurrencies could result in a decrease in profits in the short term, it still represents income for owners of these expensive mining rigs. 

One of the biggest beneficiaries of the switch could be Ethereum Classic (ETC), as some expect many of the Ethereum miners to turn to Ethereum Classic. It’s worth noting that the ETC hashrate has started to rise since July. Some investors might even view Ethereum Classic as a hedge against potential disruptions in Ethereum’s blockchain during the transition from PoW-to-PoS. 

Can Ethereum miners switch to Bitcoin mining? Not really, because the two networks use different mining algorithms. Bitcoin requires ASIC-compatible hardware, which has a higher performance, but it’s also more energy intensive. ETH, on the other hand, uses a mining algorithm called “Ethash,” which was designed to be ASIC-resistant.

After Ethereum moves to PoS, the most likely outcome is that miners will distribute their rigs among different networks that support GPU mining.

The Renowned Jewelry Brand Tiffany and Co. launched NFT Pendants

The world-famous jewelry brand launched its first NFT collection, consisting of diamond-encrusted pendants. These Tiffany NFTs are available for CryptoPunk NFT owners, and the collection is limited to 250 NFTs. 

The necklaces will be available for purchase by CryptoPunk holders in the form of NFTs (non-fungible tokens). These tokens can be used to redeem physical pendants. If the entire collection is sold, Tiffany will make around $12 million, but they can earn potentially more from the resale royalties.

Real product brands enter the NFT space

According to DappRadar data, $25 billion was spent on NFT trading volume in 2021. Comparatively, organic NFT trading volume increased to $3.7 billion in May 2022, surpassing the amount of the previous year.

Although many companies have entered the space, there are some brand names that attract more attention than others. One such brand is the world-renowned jewelry brand Tiffany and Co. 

In a recent Twitter announcement, Tiffany announced that they would be launching the “NFTiff”, an exclusive digital asset collection for CryptoPunks owners. These special NFTs are said to have been handcrafted by Tiffany’s artisans.

According to Tiffany & Co., the collection of 250 digital passes will be redeemable only by CryptoPunks holders “or the creation of a custom designed pendant and an NFT digital artwork that resembles the final jewelry design.”

Each of these special pendants and their corresponding NFTs will be specifically created to suit the CryptoPunk NFT of the owner.

What are the conditions of these Tiffany NFTiff? 

  • Only 250 NFTiff passes are available for purchase (launching on August 5th, 2022)
  • Each customer may purchase a max of 3 NFTiffs.
  • The price of an NFTiff is 30 ETH.

How are the Tiffany NFTs related to the CryptoPunks NFTs?

Tiffany’s designers will use each custom CryptoPunk to design a custom pendant for their owner, using their 87 attributes and 159 colors to select the gemstone and enamel color for the pendants. 

Of course, the final product will be unique and inspired by a very specific CryptoPunk NFT, but Tiffany also stated that they would use at least 30 gemstones and/or diamonds for their designs, such as Sapphires, Amethyst, and Spinel. The NFTiff owners will receive the first rendering of their pendants’ designs by October 2022, and they will not be able to participate in the designing process. 

What is the blockchain for the Tiffany NFTs? 

Tiffany is launching its NFTiffs on the Chain protocol, which is making all the necessary technical preparations. Deepak Thapliyal, Chain’s CEO, posted a teaser on Twitter for this upcoming collaboration with Tiffany a week before the grand announcement. 

Other big brands that have launched NFTs 

Digital ownership is attracting more investors than ever, and the metaverse seems like a place where most people want to be. That’s why we can see an increasing number of big-name brands launching their own NFTs. 

Some of these are:

  • Gucci (started a partnership with NFT marketplace SuperRare) 
  • Coca-Cola (they are minting and selling NFTs for charity)
  • Nike (the company bought RTFKT Studios, a Web3 company that creates one-of-a-kind sneakers and digital artifacts)
  • Lamborghini (they sold five beautifully designed images of a Lamborghini Ultimae launching into space above the Earth) 
  • Adidas and Prada launched a joint NFT project (“Into the Metaverse” collection, which grants owners of Bored Ape Yacht Club (BAYC) NFTs physical wearables and other digital perks)

However, not all NFT and crypto enthusiasts are pleased by all this news and by big companies joining the space. Some argue that these NFTs are only meant for individuals who “love to flex.”