Author: Cointelegraph By Zhiyuan Sun

Aurora pays $6M bug bounty to ethical security hacker through Immunefi

On Tuesday, Ethereum (ETH) bridging and scaling solution Aurora announced it had paid out a $6 million bounty to ethical security hacker pwning.eth, who discovered a critical vulnerability in the Aurora Engine. The exploit allegedly placed over $200 million worth of capital at risk. The sum was paid in collaboration with Immunefi, a leading platform for Web 3.0 bug bounties, with $145+ million in bounties available and $45+ million in bounties paid out.

On April 26, Immunefi received a report from pwning.eth about a critical flaw in the Aurora Engine that would have enabled the infinite minting of ETH in the Aurora Ethereum Virtual Machine so as to drain and siphon the corresponding nested ETH (nETH) pool on NEAR. At the time of discovery, the pool contained more than 70,000 ETH worth at least $200 million.

Mitchell Amador, founder and CEO at Immunefi, said: “Hats off to Aurora and pwning.eth for the flawless overall processing of the report. The bug was quickly patched, with no user funds lost.” Aurora had launched a bug bounty program with Immunefi just one week before discovering the security vulnerability. Meanwhile, Frank Braun, head of security at Aurora Labs, commented: “We look at the bug bounty program as the last step in a layered defense approach and will use this bug as a learning opportunity to improve earlier steps, like internal reviews and external audits.”

Though arguably innovative, cross-chain communication protocols have been a prime target of hackers as of late. In February, one of the largest decentralized finance hacks occurred when the Wormhole token bridge was drained of over $321 million in digital assets after hackers exploited an infinite minting glitch between its wrapped ETH and ETH pool.


IRA Financial Trust to sue Gemini over $36M crypto assets exploit back in February

On Monday, IRA Financial Trust, a platform providing self-directed digital asset retirement and pension accounts, filed a lawsuit against cryptocurrency exchange Gemini for alleged negligence in safeguarding customers’ digital assets during a critical exploit. The firm’s client accounts were held in Gemini’s custody. On February 8, a breach led to the siphoning of $36 million in crypto assets from customers’ accounts via unauthorized withdrawals. Since then, both companies have blamed each other for being responsible for the loss of funds. To complicate matters, an allegedly fake 911 call that coincided with the time of the hack distracted many of IRA Financial Trust’s employees from their desks.

To avoid single points of failure in its security systems, Gemini possesses multiple security features such as two-factor authentication, whitelisting withdrawal addresses and fraud detection algorithms. However, IRA Financial Trust alleged that there was instead a single point of failure within Gemini’s API systems. The firm claimed a master key existed for clients’ accounts with the ability to bypass all built-in security measures. “Hackers were able to gain control of IRA’s master key by committing crimes,” the release simply claimed.

One scenario is that a series of allegedly unencrypted, unsecured e-mail exchanges between Gemini and IRA Financial Trust served as the backdrop for the breach. IRA Financial Trust denies that it was informed by Gemini about the power of the “master key” in the first place. The lawsuit comes less than a month after the two parties attempted to settle the issue out of court.

Cointelegraph reached out to representatives at Gemini for comment, but did not hear back in time for publication.


CertiK shares security tips following third BAYC security compromise in six months

On June 4, the popular nonfungible token, or NFT, project Bored Ape Yacht Club (BAYC) suffered its third security compromise this year. Nearly 142 Ether (ETH) ($250,000) worth of NFTs was stolen after hackers gained access to the Discord account of a BAYC community manager and posted a message with a link to a fake website.

The link advertised a limited-time free-NFT giveaway to users who connected their wallets, which were then drained of NFTs. During two prior occasions in April, hackers breached BAYC’s Discord and Instagram pages and managed to siphon 91 NFTs, worth over $1.3 million at the time of the second attempt, via a phishing link. According to blockchain security firm CertiK, hackers quickly moved stolen funds to obfuscation platform Tornado Cash, making it impossible to trace any further flow of funds on the blockchain.

In a statement to Cointelegraph, sources at CertiK explained that however legitimate the project may seem, “NFT holders should also be highly suspicious of anyone claiming to offer free assets, as these can often be phishing attacks.” In addition, CertiK wrote:

“In the case of the June 4th attack, the malicious carbon-copy site had some small differences. Firstly, there were no links to social media sites on the phishing site. There was also an added tab titled ‘claim free land’ and specifically targeted popular NFT projects.”

As a precautionary measure, CertiK recommended crypto enthusiasts look for subtle peculiarities on such sites, as they are frequently an indicator of malicious activity. “At the very least, users engaging with such giveaways should always make an effort to confirm the legitimacy of the site by comparing it with a known and confirmed site and looking for any discrepancies,” they concluded.


Hong Kong's Securities and Futures Commission warns of nonfungible token risks

On Monday, Hong Kong’s Securities and Futures Commission (SFC) released a statement warning investors about the risks of nonfungible tokens, or NFTs, which have soared in popularity in recent years. The regulatory body wrote: “As with other virtual assets, NFTs are exposed to heightened risks, including illiquid secondary markets, volatility, opaque pricing, hacking and fraud. Investors should be mindful of these risks, and if they cannot fully understand them and bear the potential losses, they should not invest in NFTs.”

However, it appears that the SFC’s specific concern lies in the securitization of NFTs. “The majority of NFTs observed by the SFC are intended to represent a unique copy of an underlying asset such as a digital image, artwork, music or video,” which do not require regulation by the SFC.

But assets that push the boundary between collectibles and financial assets, such as fractionalized or fungible NFTs structured as securities or collective investment schemes (CIS) in NFTs, do fall under the SFC’s mandate. The solicitation of Hong Kong residents by companies engaged in these activities requires the issuer to obtain a license from the SFC unless an exemption applies.

CIS have recently gained traction, as they present a plausible solution for individual investors to obtain fractional ownership of real-life collectibles that would otherwise be too cost-prohibitive for any single party. Yet, questions persist as to whether such investment structures constitute securitization. One recent effort launched by the Royal Museum of Fine Arts Antwerp (KMSKA) to tokenize a million-euro classic painting on the blockchain was conducted via debt securitization. The venture met regulatory requirements with the aid of blockchain entities Rubey and Tokeny.


Binance Staking completes initial phase of Terra 2.0 airdrop as ecosystem issues persist

On Tuesday, cryptocurrency exchange Binance said it completed the first stage of airdropping new Terra Luna (LUNA) tokens to holders of Terra Luna Classic (LUNC), TerraUSD (USTC) and AnchorUST (aUST). The distribution was based on “pre-attack” and “post-attack” snapshots of token holders taken at LUNC block height 7,544,910 at 14:59:37 on May 7, 2022 UTC and block height 7,790,000 at 16:38:08 on Thursday, respectively. According to Binance, users received new LUNA tokens based on the compensation scheme outlined by Terra developers:

Pre-Attack 1 aUST = 0.01827712143 LUNA

Pre-Attack 1 LUNC = 1.034735071 LUNA

Post-Attack 1 USTC = 0.02354800084 LUNA

Post-Attack 1 LUNC = 0.000015307927 LUNA

At the pre-attack time, one aUST had a value of $1.24 while one LUNC was worth approximately $75. At the post-attack time, one USTC and one LUNC were worth $0.0632 and $0.0001434, respectively. At the time of publication, each LUNA token is worth $9.25. Regardless of timestamp, approximately 30% of LUNA tokens were distributed on the spot, while the remaining 70% will be distributed monthly in a vesting schedule starting later this year, in accordance with Terra’s reformation plan.

Additionally, users who staked their USTC via Binance Staking pre-attack were also eligible for the airdrop. As it turns out, users’ USTC assets were staked on-chain, with aUST as the yield-bearing token. Binance launched USTC staking only a month prior and ended the program shortly after the implosion of the Terra Luna Classic ecosystem.

Despite the successful airdrop on Binance, it appears that the token distribution did not go as smoothly as expected for crypto enthusiasts holding Terra assets in self-custodial wallets. Terra developers said that some users received less LUNA than expected from the airdrop and that they are actively working on a solution. The same day, a LUNC pricing error appears to have caused another exploit that potentially drained Mirror protocol, which is built on Terra, of all its funds.

