Security News & Articles
Safe introduced its Safe{Pass} program, rewarding engagement with blockchain-based smart accounts and partnerships across the ecosystem.
The Deets
- Lock and Boost: Lock SAFE tokens for multipliers on points within the Safe{Pass} program.
- Ecosystem Engagement: Earn points through daily use and transaction volumes in your Safe account.
- Partner Perks: Exclusive rewards from EigenLayer, ENS, and other top partners.
- Long-Term Benefits: The first Safe{Pass} season extends until September 30, 2024, promising extensive user benefits.
The Bulk
Safe, a leader in secure blockchain account management, is broadening its horizons with the launch of the Safe{Pass} program. This initiative is designed to deepen user engagement by rewarding active participation within the Safe ecosystem and its numerous prestigious partners such as EigenLayer, Ethereum Name Service (ENS), and Euler.
Participants in the Safe{Pass} program can lock their SAFE tokens to earn multipliers on the points they accumulate through various activities. These activities include regular transactions, increased transaction volumes, and even simply holding assets within a Safe account.
As Safe{Pass} unfolds, users can look forward to unlocking stages of rewards that include early access to new features, transaction fee sponsorships, and exclusive invitations to blockchain events.
🎤 Platform Prose
Whether you're a seasoned user or new to Safe, our program is designed to reward everyone based on their level of engagement and contribution. (Safe)
🔜 What's Next?
As Safe continues to expand its partner network, users can anticipate even more opportunities to engage and earn. Campaign rollouts are expected for partners including EigenLayer, Rainbow, Wormhole, ENS, and more.
For more web3 and NFT news, visit the Lucky Trader newsfeed.
Thirdweb, a web3 development platform, reported the discovery of a critical vulnerability in a popular open-source smart contract library.
The Deets
- Affected Contracts: DropERC20, ERC721, ERC1155, and AirdropERC20 among others.
- Impact: Variety of smart contracts across the web3 ecosystem.
- Mitigation: Locking contract, taking a snapshot, and migrating to a new contract.
- Tool Available: Mitigation tool at https://mitigate.thirdweb.com for affected contracts.
The Bulk
A significant security vulnerability has been detected in a widely-used open-source library in the web3 sector. This flaw potentially impacts numerous smart contracts, including several of thirdweb’s pre-built contracts, such as DropERC20, ERC721, ERC1155, and AirdropERC20. Smart contract owners who have used thirdweb's services before November 22, 2023, are urged to take immediate action to avoid potential exploitation.
Thirdweb has swiftly responded by providing a mitigation tool to assist contract owners in assessing and executing necessary steps. These steps typically involve locking the affected contract, creating a snapshot, and transitioning to a safer contract. It's imperative for holders to withdraw tokens from any liquidity or staking pools and revoke approvals on thirdweb contracts as precautionary measures.
🎤 Platform Prose
We understand that this will cause disruption, and we are treating the mitigation of the issue with the utmost seriousness. We will be offering a retroactive gas grant to cover fees for contract mitigations. (Thirdweb)
🎬 Take Action
If you've deployed any pre-built smart contracts using thirdweb before November 22, 2023, visit https://mitigate.thirdweb.com immediately to assess and mitigate your risk.
🔜 What's Next?
Thirdweb is doubling down on its security measures, including a significant increase in bug bounty payouts and more rigorous auditing processes. This proactive approach aims to fortify the web3 development environment against future vulnerabilities.
Ledger's announcement of Ledger Recover, an optional subscription service for users desiring a backup of their Secret Recovery Phrase (SRP), has drawn major criticism from web3 users since its unveiling early this morning.
🧐 Wait, What?
Ledger's Recover product is designed to give users who wish to keep a backup of their secret recovery phrase another way to do so.
From the announcement:
- Ledger Recover encrypts and splits your private key into three fragments, securely stored by different parties.
- This process does not compromise your SRP as it is generated and managed on the device's Secure Element chip.
- The fragments are useless individually but can restore your SRP when combined, providing an additional layer of security for users.
- The service is optional and not automatically enabled, underscoring Ledger's commitment to user choice and self-custody.
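The announcement describes the fragments as useless individually but able to restore the secret when combined. The classic construction with that property is Shamir secret sharing, shown below as an added example; this is not Ledger's code, and the 2-of-3 threshold, the prime field and the 32-byte seed size are assumptions made here for illustration, since the announcement only states that there are three fragments.

```python
"""Shamir-style 2-of-3 splitting of a 32-byte seed. Added example, not
Ledger's implementation. Assumed here: threshold 2 of 3 shares, arithmetic
in the prime field GF(2**521 - 1), which is large enough to hold a 256-bit
seed as a single field element."""
import secrets

PRIME = (1 << 521) - 1  # Mersenne prime, larger than any 32-byte secret


def split_secret(secret: bytes, shares: int = 3, threshold: int = 2) -> list[tuple[int, int]]:
    """Return `shares` points (x, f(x)) on a random polynomial f of degree
    threshold-1 whose constant term f(0) is the secret."""
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the share count")
    # f(x) = s + a1*x + ... ; the higher coefficients are uniformly random.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points: list[tuple[int, int]], length: int = 32) -> bytes:
    """Lagrange-interpolate f(0) from at least `threshold` distinct points."""
    xs = [p[0] for p in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME          # product of (0 - xj)
                den = (den * (xi - xj)) % PRIME      # product of (xi - xj)
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total.to_bytes(length, "big")


def single_share_fits_any_secret(share: tuple[int, int], candidate: bytes) -> bool:
    """Why one fragment is useless on its own (threshold 2): for ANY candidate
    secret s' there is a slope a1 = (y - s') / x that makes the share (x, y)
    lie on the line f(X) = s' + a1*X. Holding one share therefore rules out
    no secret at all."""
    x, y = share
    s = int.from_bytes(candidate, "big") % PRIME
    a1 = ((y - s) * pow(x, PRIME - 2, PRIME)) % PRIME
    return (s + a1 * x) % PRIME == y


if __name__ == "__main__":
    seed = secrets.token_bytes(32)          # stands in for the SRP entropy
    frags = split_secret(seed)
    assert recover_secret(frags[:2]) == seed
    assert recover_secret([frags[0], frags[2]]) == seed
    print("any two of three fragments recover the seed; one reveals nothing:",
          single_share_fits_any_secret(frags[0], secrets.token_bytes(32)))
```

The security of the scheme lives entirely in who holds the fragments and how they are transported: the mathematics guarantees that any single custodian learns nothing, but two colluding custodians (or a transport channel that leaks two fragments) recover the seed outright.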
🎤 Community Quotes
Community experts quickly spoke up, pointing out that the feature can be enabled on existing devices, which means the device firmware is able to export fragments of the seed from the hardware, something many users had assumed the Secure Element made impossible.
Stop using Ledger hardware wallets. Migrate away from them immediately. They've shown nothing but gross incompetence and wild misunderstanding of their own purpose. And now they've publicly admitted to intentionally backdooring their own proprietary hardware. Stop using Ledger. (0xFoobar)
And the hits kept coming....
- "This is secure just like how our private information was secure (until it was hacked), right?"
- "The problem is the device can send the shards over the internet, introducing potential back doors and other exploits."
Meanwhile, other community members were speaking up in defense of ledger.
This is irresponsible hyperbole. Can't help but feel bad for concerned users reading this and panicking, thanks for ruining their day. Ledger remains as safe to use today as it was yesterday. For MOST people it is the easiest hardware solution to recommend. (Udi Wertheimer)
❗Why It Matters
A working social recovery product would offer a major benefit to novice cryptocurrency users or those who don't want the burden of "owning" their own secret recovery phrase all by themselves. However, if (a big if, but I am not equipped to speak on the technical aspects of the release) the technical concerns raised by the community are accurately depicted, Ledger is introducing a major risk to its existing hardware wallet owners, representing an even larger negative event to the space. Ledger has been championing itself as the safest way to self-custody crypto and NFTs, but for now the validity of that statement is up for debate.
ParaSpace, a decentralized NFT lending protocol, shared today that not all of the funds recovered from its mid-March exploit, in which 2,909 ETH was intercepted and returned, have been returned to users. At the center of the controversy is ParaSpace founder, CEO, and CTO Ruan Yubo, who has been accused of misappropriating over 50% of the recovered user funds.
❗ Why It Matters
ParaSpace is one of the largest NFT Fi protocols and a place where many BAYC, MAYC, and BAKC holders stake their assets for $APE. Because over 50% of funds from the March exploit were unreturned, there are no longer enough available funds from the initial amount to cover the hole in the protocol treasury.
So this news is concerning on many levels, particularly after ParaSpace had already indicated in the aftermath of the exploit that "all user funds and assets on ParaSpace are safe and secure. No NFTs were compromised and financial losses to the protocol are minimal." Trust issues abound every day in this space...
🔙 Back It Up
On March 17, 2023, ParaSpace faced an exploit due to a vulnerability in one of ParaSpace’s smart contracts, which allowed the hacker to borrow additional tokens through a six-step process. Blockchain security infrastructure firm Blocksec initially flagged the issue before proceeding to intercept the hacker. The blackhat’s contract didn’t use enough gas, so the transaction failed. Blocksec recovered 2,909 ETH (~$5 million USD) and returned the funds to ParaSpace.
The Deets
- In March, ParaSpace recovered $5M from the hack, but the team now claims Ruan kept over 50% of the user funds for himself.
- All user funds and assets are safe and cannot be accessed by Yubo.
- Ruan has allegedly refused to comply with the team’s requests to return the funds and step down from his roles as CEO and CTO.
The Details
19 team members (including COO Thomas Schmidt and Chief Business Officer Jay Yao) have accused founder and CEO/CTO Ruan Yubo (@yuboruan) of misappropriating the users’ funds in question. The funds are administered by an EOA wallet (0x909...) owning the names ruanyubo.eth and paraspaceinsurance.eth (which actually redirects to yubo.eth).
From these user funds, since the hack, over $1,000,000 USD has flowed out to various unknown wallets as well as to CEXs and Circle redemptions. The remainder of the user funds, exposed to ETH price fluctuations, is deposited in a user-type account on ParaSpace itself, earning further interest from users.
The team secured the protocol’s multi-sig, and removed Ruan Yubo as well as any addresses not directly controlled by the team. Additionally, they've added 2 team member addresses, increased the required signatories from 2 to 4 out of 5, and removed Yubo’s access and any addresses not directly controlled by the team from emergency admin roles in the protocol.
🎤 Founder Feedback
Here is the on-chain transaction to completing the rest 10% of all repayment of the hacker's debt according to schedule. In the next 48 hours, I will be posting a full post-mortem of each transaction analysis, and absurd it is that it has been mischaracterized as misuse of user…
— Yubo Ruan (@yuboruan) May 10, 2023
🎤 Community Quotes
TLDR on @ParaSpace_NFT I summarized it:
1) Yubo took user funds intercepted by the whitehat Blocksec in the March flashloan exploit
2) He returned a portion of that user funds, but 1.2m USD worth of assets were not returned. This left a hole in the protocol.
3) A whistleblower…
— Starmowa (@0xStarmowa) May 10, 2023
On the "ParaSpace Current Updates" Twitter Spaces earlier today, the ParaSpace team shared their knowledge of the situation, recovery efforts, and the current status.
Fire, a web3 fraud prevention startup, raised $3.5 million in funding led by Atomic to simplify and secure user transactions with its browser extension.
❗Why It Matters
Because it's 2023 and too many Bored Apes are still getting stolen! No, but for real - Fire's funding highlights the growing need for secure and user-friendly tools that promote safe web3 experiences. By simplifying transactions and helping users avoid scams, Fire can drive adoption and growth in the crypto and NFT ecosystems, while paving the way for a more secure and accessible future in the industry.
The Deets
- Raised $3.5M in funding led by Atomic
- Browser extension allows for real-time transaction checks
- More than 50,000 users
The Details
Scams remain a significant issue in web3, and Fire's extension acts as a real-time safety blanket, showing users when a transaction is about to occur and which wallet address and assets are involved.
Fire seeks to prevent scams like the one that duped serial entrepreneur Kevin Rose earlier this year when he accidentally transferred NFTs worth over $1 million to a malicious actor. The company currently scans wallets based on Ethereum, Polygon, Optimism, and Arbitrum.
🎬 Take Action
Interested in trying Fire? Download it from the Chrome store.
Decentralized exchange SushiSwap has suffered an exploit resulting in the loss of $3.3M from at least one user, with those who interacted within the last four days potentially impacted.
🔎 The Deets
The exploit involves an approve-related bug in the RouteProcessor2 contract: any user who granted that contract a token approval unknowingly allowed the exploiter to pull their tokens, via the "yoink" function used by the first attacker. Reports indicate that only those who interacted with SushiSwap within the last four days are potentially at risk. DeFi Llama's @0xngmi has published a list of contracts across all chains that should be revoked and built a tool to check whether any of your addresses have been impacted.
SushiSwap Head Chef Jared Grey has tweeted that they are working with security teams to mitigate the issue.
⚡Take Action
If you have interacted with SushiSwap in the last four days, check your addresses against the above information to see whether you have been impacted. Revoking the RouteProcessor2 approval on all chains is recommended to prevent further potential attacks.
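Both this advisory and the thirdweb one above come down to the same user-side procedure: find out which contracts you have granted an ERC-20 allowance to, and send `approve(spender, 0)` for the risky ones. The script below is an added example (not SushiSwap's, DeFi Llama's or thirdweb's tooling) of that procedure run offline over Approval event logs; the owner, token, spender addresses and the log records are constructed placeholders, and the "risky spender" set stands in for a published list of affected contracts. The only identifiers taken from the real world are the ERC-20 `approve(address,uint256)` selector and the `Approval(address,address,uint256)` event topic.

```python
"""Audit outstanding ERC-20 allowances from Approval logs and build the
calldata that revokes a risky one. Added example; all addresses and logs
below are constructed for illustration."""

APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak256("Approval(address,address,uint256)")
MAX_UINT256 = (1 << 256) - 1

# Constructed placeholder addresses (not real contracts or accounts).
OWNER = "0x" + "aa" * 20         # the wallet being audited
OTHER_OWNER = "0x" + "dd" * 20   # someone else's approvals, must be ignored
TOKEN = "0x" + "11" * 20         # an ERC-20 token contract
ROUTER = "0x" + "bb" * 20        # stands in for a router flagged as vulnerable
BENIGN = "0x" + "cc" * 20        # an unrelated spender
RISKY_SPENDERS = {ROUTER}        # stands in for the published revoke list


def addr_topic(addr: str) -> str:
    """Left-pad a 20-byte address to the 32-byte topic encoding."""
    return "0x" + "00" * 12 + addr[2:].lower()


def topic_to_address(topic: str) -> str:
    return "0x" + topic[-40:].lower()


def uint_data(value: int) -> str:
    return "0x" + format(value, "064x")


# Constructed log records in the shape returned by eth_getLogs.
SAMPLE_LOGS = [
    {"address": TOKEN, "blockNumber": 100, "logIndex": 0,
     "topics": [APPROVAL_TOPIC, addr_topic(OWNER), addr_topic(ROUTER)], "data": uint_data(MAX_UINT256)},
    {"address": TOKEN, "blockNumber": 100, "logIndex": 3,
     "topics": [APPROVAL_TOPIC, addr_topic(OWNER), addr_topic(BENIGN)], "data": uint_data(1000)},
    {"address": TOKEN, "blockNumber": 101, "logIndex": 0,
     "topics": [APPROVAL_TOPIC, addr_topic(OTHER_OWNER), addr_topic(ROUTER)], "data": uint_data(MAX_UINT256)},
    {"address": TOKEN, "blockNumber": 102, "logIndex": 5,
     "topics": [APPROVAL_TOPIC, addr_topic(OWNER), addr_topic(BENIGN)], "data": uint_data(0)},
]


def outstanding_allowances(logs: list[dict], owner: str) -> dict[tuple[str, str], int]:
    """Replay Approval logs in chain order; the latest Approval per
    (token, spender) is the current allowance, since approve() overwrites.
    Caveat: transferFrom() lowers an allowance without necessarily emitting
    Approval, so this is an upper bound; allowance(owner, spender) on-chain
    is authoritative. Anything non-zero here still deserves a revoke."""
    owner = owner.lower()
    allow: dict[tuple[str, str], int] = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(log["topics"][1]) != owner:
            continue
        key = (log["address"].lower(), topic_to_address(log["topics"][2]))
        value = int(log["data"], 16)
        if value == 0:
            allow.pop(key, None)     # approve(spender, 0) revoked it
        else:
            allow[key] = value
    return allow


def flag_risky(allow: dict[tuple[str, str], int], risky: set[str]) -> list[tuple[str, str, int]]:
    risky = {r.lower() for r in risky}
    return [(token, spender, value) for (token, spender), value in allow.items() if spender in risky]


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector + 32-byte address + 32-byte zero.
    Send this as the `data` of a transaction to the token contract."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


if __name__ == "__main__":
    for token, spender, value in flag_risky(outstanding_allowances(SAMPLE_LOGS, OWNER), RISKY_SPENDERS):
        print(f"revoke {spender} on {token} (allowance {value}): data={revoke_calldata(spender)}")
```

Revoking is a separate transaction per (token, spender) pair and per chain, which is why advisories of this kind say "on all chains": an allowance granted to the same router address on another network is untouched by a revoke sent on mainnet.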
Binance has temporarily suspended all spot trading due to a bug in their matching engine, according to a tweet from its official Twitter account.
The Deets
- Issue impacts spot trading on Binance
- Temporary suspension as Binance works on a fix
- Deposits and withdrawals also paused
The Details
A bug has been discovered in Binance's matching engine, specifically affecting trailing stop orders. As a result, the platform has temporarily halted all spot trading while the team works to resolve the issue. Binance CEO, CZ, estimates that the fix may take between 30 to 120 minutes, but more precise estimates will be provided as the situation develops.
In addition to suspending spot trading, Binance has also paused deposits and withdrawals. This is a standard operating procedure, ensuring the safety of users' funds during incidents like this. Binance reassures its users that their funds are secure and that normal operations will resume as soon as possible.
❗Why It Matters
This temporary suspension highlights the importance of robust and secure systems within the crypto and NFT ecosystems. As Binance is one of the world's largest cryptocurrency exchanges, any interruption to their services can have a significant impact on the market.
Additionally, this event demonstrates the need for constant vigilance and quick response to ensure that user funds and assets remain secure in a rapidly evolving digital landscape.
🎬 Take Action
Users are advised to monitor Binance's official channels for updates on the situation and further instructions. Stay tuned for information on when trading, deposits, and withdrawals will resume.
Pocket Universe, a web3 security company, warned users early this morning that "Blur signatures are now being used to steal NFTs."
❗ Why It Matters
In the tweet thread, Pocket Universe highlighted a new scam that has been used in some cases to drain wallets of their NFTs using a spoofed signature request made to appear as though it is coming from Blur.
🔎 The Deets
- The way it works, according to Pocket Universe, is that the drainer website "tricks you into signing a listing that sells your NFTs for 0 ETH in return."
- Pocket Universe notes the threat in this case is exacerbated by Blur's unreadable bulk listing messages, which make it more difficult to identify a malicious request from the marketplace.
- Users can recognize these malicious requests by checking the source of the signature request. In Pocket Universe's example, the requester was an "airdrop" website, not Blur.
- Pocket Universe says it has added protection against this exploit in a recent update.
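The checks Pocket Universe describes, which site is asking for the signature and what the signed listing actually says, can be expressed as a pre-signature filter over the `eth_signTypedData_v4` payload a wallet receives. The script below is an added example written for this page, not Pocket Universe's or Blur's code; the marketplace allowlist, the origins, the contract address and the "BulkListing" message schema are constructed placeholders, and the zero-price detection is a name-based heuristic rather than a decoder for any real marketplace's order format.

```python
"""Pre-signature checks on an EIP-712 typed-data request. Added example;
the allowlist, origins, addresses and message shape are constructed."""

# Hypothetical allowlist: which web origins may legitimately ask for
# signatures bound (via domain.verifyingContract) to which marketplace contract.
ALLOWLIST = {
    "example-marketplace": {
        "origins": {"https://marketplace.example"},
        "contracts": {"0x" + "ee" * 20},
    },
}


def _zero_price_count(node) -> int:
    """Walk the message recursively and count price-like fields equal to 0."""
    if isinstance(node, dict):
        total = 0
        for key, value in node.items():
            if "price" in key.lower() and str(value).strip() in ("0", "0x0", "0x00"):
                total += 1
            else:
                total += _zero_price_count(value)
        return total
    if isinstance(node, list):
        return sum(_zero_price_count(v) for v in node)
    return 0


def assess_sign_request(origin: str, typed_data: dict, allowlist: dict = ALLOWLIST) -> list[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    contract = str(typed_data.get("domain", {}).get("verifyingContract", "")).lower()
    trusted_origins = {o for m in allowlist.values() for o in m["origins"]}
    owners = [name for name, m in allowlist.items()
              if contract in {c.lower() for c in m["contracts"]}]
    if origin not in trusted_origins:
        findings.append("untrusted_origin")
    if not owners:
        findings.append("unknown_verifying_contract")
    elif not any(origin in allowlist[n]["origins"] for n in owners):
        # The drainer pattern: a signature bound to the REAL marketplace
        # contract, requested by a site that is not that marketplace. The
        # resulting listing is valid on the marketplace although the user
        # never visited it.
        findings.append("marketplace_contract_from_foreign_origin")
    zero = _zero_price_count(typed_data.get("message", {}))
    if zero:
        findings.append(f"zero_price_items:{zero}")
    return findings


# Constructed payloads shaped like a bulk listing (hypothetical schema).
PHISHING_REQUEST = {
    "domain": {"name": "Example Marketplace", "chainId": 1, "verifyingContract": "0x" + "ee" * 20},
    "primaryType": "BulkListing",
    "message": {
        "trader": "0x" + "aa" * 20,
        "orders": [
            {"collection": "0x" + "11" * 20, "tokenId": 1, "price": "0"},
            {"collection": "0x" + "11" * 20, "tokenId": 2, "price": "0"},
        ],
    },
}
LEGIT_REQUEST = {
    "domain": {"name": "Example Marketplace", "chainId": 1, "verifyingContract": "0x" + "ee" * 20},
    "primaryType": "BulkListing",
    "message": {
        "trader": "0x" + "aa" * 20,
        "orders": [{"collection": "0x" + "11" * 20, "tokenId": 1, "price": "1500000000000000000"}],
    },
}

if __name__ == "__main__":
    print("airdrop site:", assess_sign_request("https://claim-airdrop.example", PHISHING_REQUEST))
    print("marketplace :", assess_sign_request("https://marketplace.example", LEGIT_REQUEST))
```

The origin check is the one that does not depend on being able to read the message: even when a marketplace's bulk-listing payload is opaque, a signature request for that marketplace's contract arriving from an unrelated site is already a red flag.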
Outputs very similar to the upcoming NFT art collection "TwelveFold" have been inscribed ahead of Yuga Labs' official release, likely using teaser images and 3D modeling to reconstruct the collection, according to a thread first created by Leonidas.og.
The Deets
While initially thought to be Yuga's true inscriptions, Leonidas retracted his initial report and a Yuga Labs' employee indicated that the art was not from Yuga in a tweet response.
- The non-Yuga collection images have a "12" drawn in the bottom corner, while Yuga's teasers did not.
- There are slight distinctions in the shapes between the two collections.
- The "0" in the "/300" on the bottom right corner of the inscription appears to be slightly different from the Yuga teasers.
❗Why It Matters
While verified ownership is often championed as a signature of NFTs, this incident raises concerns about the ability to authenticate NFTs or Ordinals easily on Bitcoin. The burgeoning NFT ecosystem on Bitcoin is still in its infancy and mistakes can be easily made if users act hastily.
🔜 What’s Next?
Official details about the release of TwelveFold are still outstanding. Yuga Labs is expected to release them shortly.
OpenSea announced a theft prevention solution via its official Twitter account on Thursday evening.
The Deets
The latest product innovation will introduce a three-hour grace period for offer acceptance and transfers of items, as hasty transfers and offer acceptances are often an indication of suspicious activity. However, NFT owners will be able to use the security solution delegate.cash to override the feature and indicate that a transfer was between wallets they both own.
🎤 Platform Prose
Speedy transfers and resales through offer acceptances can indicate suspicious activity. This timeframe helps OpenSea, our community, and theft victims detect stolen items while also lessening the chance that buyers end up with an item that's later reported stolen. (OpenSea)
❗Why It Matters
Security is always at the forefront of web3 conversations, particularly after the recent hack of PROOF founder Kevin Rose. While perhaps not a perfect solution, OpenSea's announcement showcases one way the leading marketplace is working to slow down scams and malicious actors.