Weekly Report (May-29)


  • The Hundreds unveiled a store on the some.place metaverse platform.
  • The Professional Fighters League plans to offer NFT VIP tickets.
  • Red Bull and Vayner3 partnered for the Doodle Art digital collection.

Blockchain Hacks

The team behind the Fintoch project performed an exit scam. Funds worth approximately $31.6 million on the BNB chain have been bridged to multiple addresses on the Ethereum and Tron networks. Fintoch reportedly advertised a 1% daily ROI and claimed to be owned by Morgan Stanley. However, both the Singapore government and Morgan Stanley had issued warnings about this Ponzi investment scheme.

The LunaFi project was exploited on the Polygon chain due to a flaw in its reward calculations, resulting in a loss of approximately $35,000. The attacker deployed a malicious contract and used it to exploit the protocol across a series of transactions, so the exploit continued for almost an hour. The claimRewards function has no time lock on claiming staking rewards. The exploiter was therefore able to deposit their funds and call the swap, transfer, and claim rewards functions to take away their share of profits. We have highlighted a detailed analysis of the exploits in this post.
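The effect of the missing time lock can be seen in a small Python model, added here as an illustration and not taken from LunaFi's contracts. The pro-rata reward formula, the class and function names, and all amounts are assumptions constructed for the example; `min_hold` plays the role of the time lock.

```python
EPOCH_REWARD = 1_000  # constructed value: rewards distributable per epoch


class StakingPool:
    """Toy model; the pro-rata formula is an assumption, not LunaFi's code."""

    def __init__(self, min_hold=0):
        self.min_hold = min_hold      # seconds a stake must age before claiming
        self.pot = EPOCH_REWARD
        self.balance = {}             # address -> staked amount
        self.held_since = {}          # address -> time the stake last arrived
        self.claimed = set()          # addresses already paid this epoch

    def deposit(self, who, amount, now):
        self.balance[who] = self.balance.get(who, 0) + amount
        self.held_since[who] = now

    def transfer(self, src, dst, amount, now):
        if self.balance.get(src, 0) < amount:
            raise ValueError("insufficient stake")
        self.balance[src] -= amount
        self.balance[dst] = self.balance.get(dst, 0) + amount
        self.held_since[dst] = now    # incoming stake restarts the clock

    def claim_rewards(self, who, now):
        if who in self.claimed or self.balance.get(who, 0) == 0:
            return 0
        if now - self.held_since[who] < self.min_hold:
            return 0                  # time lock: stake is too fresh to earn
        total = sum(self.balance.values())
        share = min(EPOCH_REWARD * self.balance[who] // total, self.pot)
        self.pot -= share
        self.claimed.add(who)
        return share


def replay_claim_cycle(min_hold):
    """Same-timestamp claim/transfer loop; returns (cycler, honest) payouts."""
    pool = StakingPool(min_hold)
    pool.deposit("honest", 900, now=0)          # long-term staker
    pool.deposit("addr0", 100, now=10_000)      # stake that arrives just now
    cycler = 0
    for i in range(5):                # five fresh addresses, one timestamp
        cycler += pool.claim_rewards(f"addr{i}", now=10_000)
        pool.transfer(f"addr{i}", f"addr{i + 1}", 100, now=10_000)
    honest = pool.claim_rewards("honest", now=10_000)
    return cycler, honest
```

With `min_hold=0` the same 100 units collect a 10% share five times and the long-term staker is left with what remains of the pot; with a one-hour hold the fresh stake earns nothing until it has aged, and the long-term staker receives the full 900.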

CS Token was exploited on the BNB chain, resulting in a total loss of approximately 714,285 BUSD. The root cause of the attack is in the implementation of the transfer function, where the burn amount parameter is calculated using the sell amount; however, the sell amount parameter doesn’t get updated in real time. The attacker converted all of the exploited funds to ETH and cross-chain transferred them to Ethereum before eventually laundering funds worth approximately 383 ETH to Tornado Cash.

The P2P exchange Local Traders was exploited on the BNB chain, resulting in a loss of approximately 379.32 BNB. The exploit occurred because one of the functions of the contract lacked a permission check and could be called by anyone to modify the owner. The attacker first set himself up as the owner before gaining admin rights to the Oracle price feed. This allowed the exploiter to use another function of the contract to modify the token price to 1 wei. The attacker then proceeded to purchase LCT tokens at a low price and sell them for profits. In this blog, we have also shared a detailed analysis of this exploit.
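The sequence described above, modelled in Python as an added example that is not Local Traders' contract code. The class, method and account names and the starting price are hypothetical; the explicit `caller` argument stands in for the transaction sender, and `check_caller=False` reproduces the missing permission check.

```python
WEI_PER_BNB = 10**18
FAIR_PRICE = 10**15   # constructed value: wei per LCT before any change


class Sale:
    """Toy sale contract; all names are hypothetical, not the project's."""

    def __init__(self, deployer, check_caller):
        self.owner = deployer
        self.price_admins = {deployer}
        self.price = FAIR_PRICE
        self.check_caller = check_caller   # False models the missing check

    def set_owner(self, caller, new_owner):
        # The permission check the report says was absent on one function.
        if self.check_caller and caller != self.owner:
            raise PermissionError("caller is not the owner")
        self.owner = new_owner

    def grant_price_admin(self, caller, who):
        # Correctly guarded, but the guard trusts whatever `owner` holds.
        if caller != self.owner:
            raise PermissionError("caller is not the owner")
        self.price_admins.add(who)

    def set_price(self, caller, price):
        if caller not in self.price_admins:
            raise PermissionError("caller is not a price admin")
        if price <= 0:
            raise ValueError("price must be positive")
        self.price = price

    def buy(self, wei_paid):
        return wei_paid // self.price      # LCT units received


def replay_owner_change(check_caller):
    """Replays the reported call order; returns (owner, price, LCT per BNB)."""
    sale = Sale("deployer", check_caller)
    try:
        sale.set_owner("outsider", "outsider")
        sale.grant_price_admin("outsider", "outsider")
        sale.set_price("outsider", 1)      # 1 wei, as in the report
    except PermissionError:
        pass                               # hardened variant stops at step one
    return sale.owner, sale.price, sale.buy(WEI_PER_BNB)
```

The price-admin and price-setting functions are guarded in both variants; the single unguarded owner setter is enough to void them, which is why every state-changing entry point needs its own caller check during review.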

SeaSwapSui was identified as a rug pull in which users' and investors' funds worth approximately $32,000 were stolen. The deployer of the protocol invoked an emergency withdrawal of approximately 32,787 SUI tokens and 250 million SEA tokens from the token sale contract. Following the exit scam, the team deleted their Twitter account and abandoned other social media channels.

The Jimbos Protocol was the target of a price manipulation attack, which resulted in a loss of funds worth approximately $7.5 million. The attacker took a flash loan of 10,000 ETH and swapped it for a significant amount of JIMBO tokens in the protocol's ETH/JIMBO pool, causing a surge in the price of the JIMBO tokens. The exploiter then transferred approximately 100 JIMBO tokens to the JimboController contract and invoked the shift function in order to update the token balance of the pool. The process was repeated several times; the excess JIMBO tokens were then transferred back to the pool and the flash loan was repaid, leaving the attacker with a huge amount of profit.

Metaverse and NFTs

The Hundreds opened an immersive store on the some.place metaverse platform. The popular streetwear brand will use its some.place location to promote special apparel drops that won’t be seen elsewhere, including some that will only be made accessible to owners of the company’s own Adam Bomb Squad NFT collectibles. The virtual storefront is a replica of its physical store in Los Angeles’ Fairfax district, with the objective of giving fans an interactive and social purchasing experience. Users can also receive incentives for their online and offline interactions in the digital and physical worlds, bridging the gap between the two facets of the brand’s presence.

The Professional Fighters League (PFL) has joined forces with Cross Tower to offer an exclusive NFT VIP experience for the PFL fanbase. A limited number of NFT VIP tickets will be made available by the team for the forthcoming PFL Regular Season game on June 23. Purchasers will get unique SmartCage-side seats for the PFL’s ceremonial weigh-in the day before the event. They will also have access to a VIP entrance and arena hospitality, special behind-the-scenes PFL content before and after the event, and discounts and pre-sales for future events. In addition, selected purchasers will earn the chance to step inside the PFL SmartCage with their own photo session and PFL ring walk.

Vayner3 partnered with Red Bull for the exciting Doodle Art Program 2023, mentored by Burnt Toast. Over 120,000 participants across the world submitted unique doodles for this edition, and sixty-one national champions chose one of five doodles to incorporate into a new artwork. The winning digital collection, selected live at the World Final event in Amsterdam, will be updated by Burnt Toast to feature his signature pastel color and live permanently as the winner of Red Bull Doodle Art 2023.

Upland announced the release of the May MV Motors Car Sale, featuring a selection of 525 cars to choose from. This sale stock covered different models and colors, consisting of eight of the Series 1 models, which included five newly designed E-Trim models as well as three variations of the Series 2 model. Only the model and color were guaranteed at the time of purchase, and the order in which the cars are reserved will determine the mint numbers, starting with the lower mints first. Users’ purchases reserved the car for them, and once manufacture is complete, it will be added to their accounts.

OnChain Insurance Industry News

Neptune Mutual announced that the NPM/USDC pool was open for trading on Uniswap V2 on the Ethereum Mainnet.

Nexus Mutual announced the launch of Sherlock’s staking pool on their platform.

Tidal Finance stated that they have successfully completed the first audit with BlockSec and have incorporated fixes to improve test coverage.