Weekly Report (May-08, 2023)


  • Blur has launched a P2P NFT lending protocol.
  • Rarible has launched an Open Editions NFT mint.
  • The Sandbox has launched the Walking Dead VoxEdit contest.
  • Alibaba Cloud has built a Metaverse Launchpad dubbed Cloudverse on the Avalanche blockchain.

Blockchain Hacks

Level Finance was exploited due to a smart contract vulnerability, resulting in a loss of approximately $1.1 million. The claimMultiple function calculated rewards incorrectly: instead of performing a += operation, it set the value with an = operation, so the same value was used for deduction over and over again. This error allowed multiple referral claims from the same epoch. The exploiter drained approximately 214k LVL tokens and swapped them into 3,345 BNB, worth approximately $1.1 million. We have shared a detailed analysis of the exploit in this blog post.

The NeverFall project on the BNB chain was exploited through price manipulation, resulting in a loss of approximately $74,250. The root cause is a flawed calculation that relies on the balance of the corresponding PancakeSwap pair. The attacker took a flash loan of 1.6 million BUSD and used 200,000 BUSD to buy approximately 75.47 million NeverFall tokens via the buy function in the NeverFall contract. The buy function added liquidity to the contract with 90% of the BUSD deposited by the user and NeverFall tokens. The remaining 1.4 million BUSD were then swapped for NeverFall tokens in the BUSD-NeverFall pool, and the held NeverFall tokens were sold using the sell function. The attacker repaid the flash loan, after which the profit of approximately 74,250 BUSD was swapped for BNB and then laundered to Tornado Cash. In this blog, we have shared a detailed analysis of this exploit.

The stablecoin DEI launched by Deus Finance was exploited, resulting in a total loss of approximately $6.38 million. In their token contract, the order of allowance implementation was flipped. Due to this flipped ordering, the attacker was able to use their own approval of the victim in order to burn the victim’s tokens. The exploiter identified an address holding a huge amount of DEI tokens and issued an approval to this address. They then called the burnFrom function with the victim’s address, passing zero as the amount parameter. Because of the implementation issue, the contract granted approval of all tokens from that address to the attacker’s address, and the attacker then called the transferFrom function to take the assets. The exploiter made a profit of over $5 million on Arbitrum, $1.3 million on the BNB Chain, and roughly $135,000 on the Ethereum Mainnet. We have shared a detailed analysis of the exploit in this blog.
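The following Python model is an added example, not DEI's contract code: it replays the call sequence described above against a toy ledger, once with the owner/spender pair swapped in the burnFrom allowance lookup and once with the correct order. The class, the account names, the balances and the assumption that the "flipped order" is this swapped lookup are all constructed for illustration.

```python
class Token:
    """Minimal ERC-20-style ledger (constructed model, not the DEI source)."""

    def __init__(self, balances, flipped):
        self.balances = dict(balances)
        self.allowances = {}        # (owner, spender) -> amount
        self.flipped = flipped      # True = assumed swapped lookup in burn_from

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def burn_from(self, caller, account, amount):
        # Correct lookup: what `account` (owner) granted to `caller` (spender).
        # Flipped lookup: what `caller` granted to `account`, which the caller controls.
        key = (caller, account) if self.flipped else (account, caller)
        current = self.allowances.get(key, 0)
        if current < amount:
            raise PermissionError("burn amount exceeds allowance")
        # The remaining allowance is written back as owner -> spender.
        self.approve(account, caller, current - amount)
        self.balances[account] -= amount

    def transfer_from(self, caller, owner, to, amount):
        if self.allowance(owner, caller) < amount:
            raise PermissionError("insufficient allowance")
        self.allowances[(owner, caller)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def replay(flipped):
    """Run the reported sequence; return (caller balance, allowance the holder never gave)."""
    token = Token({"holder": 1_000, "caller": 0}, flipped)
    token.approve("caller", "holder", 1_000)      # caller approves the holder
    token.burn_from("caller", "holder", 0)        # zero-amount burnFrom
    granted = token.allowance("holder", "caller")
    try:
        token.transfer_from("caller", "holder", "caller", 1_000)
    except PermissionError:
        pass                                       # correct ordering rejects the transfer
    return token.balances["caller"], granted


if __name__ == "__main__":
    print("flipped lookup:", replay(True))
    print("correct lookup:", replay(False))
```

The second value returned by replay is the useful invariant for a test suite or audit: an owner's allowance to a spender should never become non-zero through a call the owner did not send.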

The Yoda project was a rug pull, during which the scammers laundered 68 ETH, worth approximately $130,000, to FixedFloat. The team has since deleted their social media accounts and other groups.

The project, XIRTAM, was reportedly identified as a rug pull. The scammers took approximately 1909 ETH, amounting to $3.5 million, raised from almost 4000 users during the presale. All of the stolen funds were sent to Binance. The exchange stated that it has seized the assets and will cooperate with law enforcement agencies to investigate the issue further.

Daniel Alegre, CEO of Yuga Labs, was yet another victim of a phishing attack in which the attackers were able to compromise his Twitter account. The team worked with Twitter to regain control of the account and delete the post, which had sent out a malicious mint link. The damage caused by the event is undisclosed.

Metaverse and NFTs

Rarible has announced the launch of a limited edition event, dubbed Open Editions, featuring 13 artists, including Forexus, Marconi, Numan, Julian Hespenheide, and a Mystery Mint. The goal of this event is to provide a platform for the artists to showcase their skills while also connecting them with enthusiastic collectors in order to grow their communities. Beginning May 2nd, the marketplace will release a new Open Edition every day for 13 days, with each mint having a 24-hour duration. The price of each Open Edition mint will be disclosed on the day it is released. Collectors who participate in the Open Editions event will gain access to a special Rarible Mystery Mint.

The Sandbox has created an exciting new VoxEdit contest in association with The Walking Dead. Fans of the legendary graphic novel can enter to win a share of 15,000 SAND tokens by creating a voxel object that reflects the essence of the franchise. In order to enter the competition, builders must create the animated NFT asset using The Sandbox’s VoxEdit software. Participants can test their voxel building skills by recreating characters like Michonne, Rick, and Daryl, reliving bloodcurdling scenes from the show, or designing an item that pays homage to a favorite scene. The competition is open until May 14, and the results will be revealed on June 3. The top 10 contenders will all receive a share of the 15k SAND rewards pool, with first, second, and third place receiving 6k, 3.5k, and 2k, respectively, and the remaining runners-up receiving 500 SAND tokens.

Alibaba Cloud and Avalanche have joined forces to create a launchpad for enterprises to develop Metaverse on the blockchain. The platform, dubbed Cloudverse, is meant to provide businesses with a one-stop, end-to-end solution for simply customizing, launching, and maintaining their own metaverse environment, thereby establishing new dimensions for engaging customers. MUA DAO, a third partner, will help with the deployment of metaverse integration and customization. The collaboration aspires to expand the metaverse’s capabilities by constructing decentralized, safe, and scalable virtual environments. The companies stated that following initial outreach, each metaverse space may be ready for business in about a month, with support for aesthetics, metaeconomics, interactive functions, events, and ongoing operations.

Blur, the NFT marketplace, has built a peer-to-peer perpetual lending protocol dubbed Blend in association with Dan Robinson and Transmissions11 from Paradigm. Transactions on the new protocol would be free for the first 180 days, according to the NFT market. Holders of BLUR tokens, however, can use the DAO governance to switch on the fees after this time frame. In its whitepaper, Blend claimed that by offering loans with fixed rates that never expire, it would help unlock liquidity for NFTs. In addition, the protocol avoids any oracle dependencies and permits lenders to liquidate their NFTs whenever they choose. Borrows also have no expiration period as long as the lender is ready to lend.

OnChain Insurance Industry News

Neptune Mutual announced the details of their NPM token launch and mentioned that an NPM/USDC pool will be open for trading on the SushiSwap DEX on Arbitrum on May 17, 2023.