Safeheron Weekly Dispatch | JUL 01 '22

07/01/2022

Security Incidents

Ethereum Lending Protocol XCarnival Hit With $3.8M Exploit

A hacker exploited a smart contract flaw that allowed a pledged asset, in this case a Bored Ape Yacht Club NFT, to also be used as collateral. The vulnerability was exploited in multiple transactions over a short period of time. The XCarnival team offered the hacker a 1,500 ETH bounty, and a wallet tagged as "XCarnival Exploiter" subsequently sent 1,467 ETH back to the affected wallet.

Nickydooodles.eth Attacked, Losing 17 ETH and All NFTs

Metabergs creator Nickydooodles.eth disclosed that his wallet was attacked, with 17 ETH and all of his NFTs lost. The attacker used phishing under the pretense of a collaboration and also tried to take control of his Twitter account.

Employee of OpenSea's Email Vendor Customer.io Misused Employee Access

OpenSea learned that an employee of Customer.io, its email delivery vendor, misused their employee access to download and share email addresses, provided by OpenSea users and subscribers to OpenSea's newsletter, with an unauthorized external party. The incident has been reported to law enforcement.

NFT Platform Quixotic on Optimism Has a Serious Vulnerability

In the fillSellOrder function of the market contract, only the sell order is checked; the buyer's buy order is not. An attacker can therefore create a worthless NFT and call fillSellOrder to fill a sell order for it, passing in the victim's address as the buyer and a token that the victim has already approved to the market, thereby draining the victim's approved assets.
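The defensive lesson from the Quixotic item is that an order-filling function which pulls payment from a "buyer" must authenticate both sides of the trade, not only the seller's signature. The following contract is an added illustration written for this dispatch; it is not Quixotic's code and the names (TwoSidedMarket, SellOrder, orderDigest, consumed) are hypothetical. It assumes the OpenZeppelin 4.x ECDSA library for signature recovery. The buyer is taken to be msg.sender, so payment can only ever be pulled from the account that actually submitted the transaction, and the seller's signature is bound to this contract and chain to prevent replay.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration for the Safeheron dispatch, not Quixotic's code.
// Assumes OpenZeppelin 4.x: ECDSA.recover and ECDSA.toEthSignedMessageHash.
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TwoSidedMarket {
    using ECDSA for bytes32;

    // What the seller signs off-chain (hypothetical structure).
    struct SellOrder {
        address seller;
        address nft;
        uint256 tokenId;
        address paymentToken;
        uint256 price;
        uint256 nonce;
    }

    // Digests of orders that have been filled or cancelled.
    mapping(bytes32 => bool) public consumed;

    // Binding the market address and chain id into the digest stops a
    // signature being replayed against another contract or chain.
    function orderDigest(SellOrder calldata o) public view returns (bytes32) {
        return keccak256(
            abi.encode(
                address(this), block.chainid,
                o.seller, o.nft, o.tokenId, o.paymentToken, o.price, o.nonce
            )
        );
    }

    // Fill a seller-signed order. The payer is msg.sender, never a caller-supplied
    // address: this is the missing buyer-side check described in the text. A third
    // party cannot name an arbitrary account whose ERC-20 approval then gets spent.
    function fillSellOrder(SellOrder calldata o, bytes calldata sellerSig) external {
        bytes32 digest = orderDigest(o);
        require(!consumed[digest], "order already filled or cancelled");

        // Side 1: the seller really authorised this exact order.
        address signer = digest.toEthSignedMessageHash().recover(sellerSig);
        require(signer == o.seller, "seller signature invalid");

        // Side 2: the buyer is the transaction sender, so the approval being
        // consumed below belongs to the party that chose to trade.
        address buyer = msg.sender;

        // Mark consumed before external calls (checks-effects-interactions).
        consumed[digest] = true;

        require(
            IERC20(o.paymentToken).transferFrom(buyer, o.seller, o.price),
            "payment failed"
        );
        IERC721(o.nft).safeTransferFrom(o.seller, buyer, o.tokenId);
    }

    // A seller can invalidate an unfilled order by consuming its digest.
    function cancel(SellOrder calldata o) external {
        require(msg.sender == o.seller, "not seller");
        consumed[orderDigest(o)] = true;
    }
}
```

If a marketplace wants to support relayed or matched trades where the buyer is not the transaction sender, the same principle applies: require a buyer-signed buy order and recover its signer exactly as is done for the seller, and never pull funds from an address that has not authorised that specific trade.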

Industry Updates

Safeheron

Safeheron Partners With everPay on Arweave to Increase Security Performance by 47X

Safeheron has implemented and open-sourced the TSS-RSA (Threshold Signature Scheme for RSA) algorithm library to further reduce the risk of key compromise, which will resolve all problems stated above. It shortens private key shard generation from 30 minutes to 0.5 minutes, a performance improvement of nearly 47 times. Safeheron will soon launch the TEE-based RSA Key Shard Service as the security infrastructure for everPay and the whole Arweave ecosystem.

Metaco

Societe Generale - FORGE Partners with METACO to Expand its Digital Asset Custody Operations

Since 2019, Societe Generale and its subsidiary SG - FORGE have structured several native security token issuances deployed on blockchain for their clients. The partnership enables SG - FORGE to continue setting the agenda for the integration of security tokens into traditional finance, and to leverage METACO's digital asset custody platform, Harmonize, to further expand its offering.

Caceis

Caceis Recruits Taurus for Digital Custody Offering

Caceis will link its own services and systems with the Taurus platform, focusing on three areas: secure custody of digital assets and smart contract management; digital asset issuance and tokenisation via blockchain; and connectivity with other blockchains via Taurus.

Gnosis Safe

Gnosis Safe Partners With MetaMask Institutional

With this partnership, MMI expands its cryptocurrency custody offerings to integrate custody options for Web3-native organizations such as decentralized autonomous organizations (DAOs).

Cactus Custody

Cactus Custody Launches Institutional Custody Service for NFTs

Cactus Custody launches Warm and Cold custody services for Non-Fungible Tokens (NFTs). The warm storage solution allows for the creation of multiple business lines for asset segregation, seamless interactions with various NFT marketplaces via Cactus Custody DeFi Connector, and the availability of proprietary bank-grade vaults to safeguard private keys. The cold storage solution utilizes a multi-sig mechanism where private keys are stored offline in multiple bank-grade vaults located in 4 countries across 3 continents.

Flowdesk

Flowdesk Raises $30M in a Series A Round

Flowdesk plans to use the funding to build out its trading infrastructure for its market-making services. Headquartered in Paris, the company also offers digital asset management, brokerage and custody services. Flowdesk obtained approval from French regulator Autorité des Marchés to offer the brokerage and custody services.

ConsenSys and StarkWare Partner to Bring ZK-Rollups to Infura and MetaMask

MetaMask has created a StarkNet snap (only available in MetaMask Flask) for developers to build on the network, while Infura is offering a private beta for developers to experience the power of the Infura network on StarkNet.

NewsFlash

  • Nubank now offers crypto trading to 54 million customers across Brazil, Mexico, and Colombia.

  • Ethereum Gray Glacier upgrade goes live.

  • Meta is to shut down Novi service in September.

  • Brazilian unicorn CloudWalk, which provides payment solutions for SMEs, raises $150 million in a new investment round and launches its own blockchain.

  • Blockchain analytics firm Kaiko raises $53M Series B.

  • Web3 metaverse platform Mona raises $14.6M for creators.

  • Zero trust network access solution provider Cyolo raises $60 million in a Series B round. Cyolo's identity-based access approach enables organizations to connect to their digital assets across multiple IT and OT environments.

  • Web3-focused venture capital firm Reciprocal Ventures launches a $70 million fund.

  • BlockFi and FTX.US signed definitive agreements covering a $680M revolving credit facility and an acquisition.

Market Regulation

North America

  • The Biden administration is poised to delay collecting billions of dollars in crypto taxes.

  • US treasury secretary Janet Yellen pushes for stablecoin regulation by end of the year.

  • BlockFi obtained a Money Services License in Iowa.

  • DOJ announces charges over the Baller Ape Club NFT scheme and three other crypto frauds.

Europe

  • The UK Government is considering expanding the investment manager exemption ("IME") to include crypto assets.

  • EU agrees on Crypto Authorization Law, MiCA, which also introduces tough requirements for stablecoin issuers.

  • EU reached a provisional deal on a new bill aiming to ensure that crypto transfers can always be traced and suspicious transactions blocked.

  • The Basel Committee revises its bank crypto capital plan to include blockchain.

Asia

  • Binance has signed a memorandum of understanding with the Securities and Exchange Regulator of Cambodia (SERC) to jointly develop digital asset regulations in the country.

Africa

  • The Moroccan central bank, Bank Al-Maghrib, is working on a cryptocurrency regulation framework bill that is set to be introduced soon. The framework will upgrade Morocco's anti-money laundering and counter-terrorism financing regulations.

Industry Briefing

The bear market continues to see volatility, such as the rapid collapse of 3AC and the aftershocks of the Terra breakdown. Market players are all interconnected, and the butterfly effect can be seen across these cases. Crypto asset prices will remain under pressure, and an economic recession may come.

Cryptocurrency and blockchain companies raised at least $26.4 billion across 992 deals in the first five months of the year, according to data from Dove Metrics, a crypto fundraising database. The amount was triple the $8.8 billion recorded in the same period last year. The biggest share of global cryptocurrency funding from January to May went to infrastructure (34%), followed by centralized finance (26.3%).

Among this week's security incidents, the major cause is contract vulnerability exploits, but insider abuse at third-party vendors also deserves attention. According to PeckShield, the first half of 2022 saw about $1.88 billion stolen from DeFi, an increase of 208% over the first half of 2021. In an uncertain, quickly changing market, attack methods keep evolving, and in the current chaotic conditions it is discouraging to see those attacks succeed. Security is a constant necessity and always needs to be improved.
