In this 3-2-1 Q&A blog, we will answer 3 questions our users asked us, cover the 2 most critical Twitter threads our readers need to be aware of, and analyze 1 DeFi hack. In summary, here is what you will be learning about:
Question 1. Where is money flowing in the digital asset space?
Question 2. What is the latest update on Regulations in Crypto Space?
Question 3. What is new at Coinchange?
Twitter Thread #1: What is ‘Supply Chain Attack’ in Crypto?
Twitter Thread #2: Coinbase and BlackRock Partnership.
DeFi Hack Analyzed: Nomad Bridge Attack.
Based on the Coinshares Digital Asset Fund Flows Weekly report, July represented the strongest month of inflows by far in 2022 totaling US$474m, almost reversing all of the June outflows totaling US$481m.
Also, the last week of July saw outflows in short-Bitcoin positions, totaling US$2.6m, which was the first week of outflows since the recent bear market saw a five-week run of inflows.
So which assets are the funds flowing into? Well, Bitcoin and Ethereum saw the largest inflows of $306.3 M and $137.9 M respectively, followed by Solana as the third asset of choice. And interestingly, if you look at the countries that benefited the most from July inflows, Switzerland is at the #1 spot with an astounding $357 M, followed by Canada at $61.4 M and the United States at 3rd position with $56.7 M inflows.
Overall, we can say that it is a good sign that money has started flowing into the ecosystem.
Tornado Cash (TC) is a mixing service, meaning users can anonymize transactions. TC pools funds together and sends them out to different addresses without revealing where they went. It was started in good faith to maintain privacy for some high-profile participants. Some donors don’t like to reveal where they donate money, and TC was used for those donations. Ethereum POS has also been funded through TC. However, it became a double-edged sword when hackers started using it to wipe out the traceability of stolen funds, especially in the Ronin bridge hack by the North Korean hacking group. That event has probably made the US Treasury take such an extreme step of banning a piece of open source code. This is the first time in their existence that a piece of code has been sanctioned. Not only that, a Tornado Cash developer has had his GitHub suspended. So what does all this mean? Well, it means that open source software can be used for good and bad reasons and we need to mitigate the bad uses. Chainalysis, as an example, has tools such as KYT that can help mitigate this. Since this is the first sanction of its kind, we will keep monitoring how this unfolds and speeds up regulations in other aspects of crypto.
Coinchange started development in 2019 and launched in August 2021. As of Aug 10th, 2022, Coinchange has been paying yield for 1 year! We have continued providing yield to our customers through the bull and the bear market and we continue to generate yield with our risk-mitigated strategies. This is a very proud moment for the entire Coinchange team and here are some of the milestones that we achieved so far:
This is just the beginning and there are many more exciting announcements to come. Stay tuned.
The 1st thread explains what is a Supply Chain Attack in crypto.
In crypto, we have a lot of open source projects, and these projects often depend on other open source projects. So when an application that a lot of other projects depend on pushes an infected version, it affects all the projects. Attackers hunt for unsecured network protocols, unprotected server infrastructures, and unsafe coding practices. They modify the source code, infect it, and hide it in software ‘build and update’ processes. And since trusted vendors release the software updates, the updates are signed and certified without the vendors being aware that their apps or updates are infected with malicious code when they're released. This is why supply chain attacks are so dangerous: the trusted developers of the applications rarely know they are shipping infected software. The current explanation for the ongoing Solana exploit is most likely a supply chain attack, which explains why some wallets that have been dormant for months are getting drained. This investigation is still ongoing, so the exploit may *not* be supply chain related, but it appears likely.
This is a web2 attack and not a web3 one. Crypto wallets themselves were not hacked. But the web2 app on people’s cell phones that depends on a third-party server to store users’ seed phrases was compromised, giving attackers access to multiple wallets at the same time. Essentially, we are making a decentralized infrastructure trust a centralized infrastructure, creating a weak link that hackers have been using successfully to drain user funds recently (Uniswap phishing attack, BadgerDAO UI attack, GoDaddy domain hacked crypto, Quickswap UI).
Why you should know about the partnership between Coinbase and BlackRock.
On Aug 4th, Coinbase announced that they are partnering with BlackRock, the world’s largest asset manager, to provide direct access to crypto to the institutional clients of Aladdin®, which is BlackRock’s end-to-end investment management platform. Their first choice of asset is Bitcoin. Coinbase Prime will provide crypto trading, custody, prime brokerage, and reporting capabilities to Aladdin’s Institutional client base.
The Global Head of Strategic Ecosystem Partnerships at BlackRock said, “Our institutional clients are increasingly interested in gaining exposure to digital asset markets and are focused on managing the operational lifecycle of these assets efficiently. This connectivity with Aladdin will allow clients to manage their bitcoin exposures directly in their existing portfolio management and trading workflows for a whole portfolio view of risk across asset classes.”
It is very encouraging to see Coinbase pushing the industry forward and creating new access points as institutional crypto adoption continues to rapidly accelerate. In 2017, BlackRock CEO Larry Fink called bitcoin an ‘index of money laundering’. He said Bitcoin just shows you how much demand for money laundering there is in the world. Five years later, BlackRock's clients are actively seeking exposure to crypto, which might be the reason why the relationship with Coinbase was struck in the first place.
Nomad just got drained for nearly $200M in one of the most chaotic hacks ever.
First of all, Nomad is a protocol that allows the transfer of funds between blockchains; in other words, it is a bridging protocol. There was a series of transactions over the Nomad Bridge between the Moonbeam and Ethereum networks in which users would initiate a transaction sending 0.01 WBTC to the bridge from Moonbeam and receive 100 WBTC on the Ethereum network. Send 0.01 WBTC and receive 100 WBTC. Typically these transactions should be a two-step process: 1. proving the validity of the transaction, and 2. processing it. In this case, the transaction was processed without proving validity. In an upgrade to the protocol, Nomad decided to initialize the value of trusted roots to 0x00. To be clear, using zero values as initialization values is a common practice. Unfortunately, in this case, it had a tiny side effect of auto-proving every message. This is why the hack was so chaotic: once an attacker started the hack transaction, anyone could simply copy the transaction without knowing how it worked and execute it from their own account, allowing them to steal the funds.
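The two-step check described above, as a simplified Python model added here for illustration; it is not Nomad's contract code. The class and method names are hypothetical, the Merkle proof itself is omitted, and the model assumes that a message which was never proven looks up as the zero root, which is what lets a trusted root of 0x00 "auto-prove" everything.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # default value for a message that was never proven


class BridgeReplica:
    """Toy receiving side of a bridge: prove a message, then process it."""

    def __init__(self, initial_trusted_root, reject_zero_root=False):
        # Roots the bridge accepts as committed. Initializing this with the
        # zero value is the upgrade mistake the post describes.
        self.trusted_roots = {initial_trusted_root}
        self.proven_root = {}  # message hash -> root it was proven against
        self.processed = set()
        self.reject_zero_root = reject_zero_root

    def prove(self, message, root):
        # Step 1 (Merkle proof verification is omitted in this model).
        self.proven_root[hashlib.sha256(message).digest()] = root

    def is_acceptable(self, root):
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened form: the default value is never trusted
        return root in self.trusted_roots

    def process(self, message):
        # Step 2: only messages proven against a trusted root may execute.
        h = hashlib.sha256(message).digest()
        root = self.proven_root.get(h, ZERO_ROOT)  # unproven -> zero root
        if h in self.processed or not self.is_acceptable(root):
            return False
        self.processed.add(h)
        return True


def demo():
    msg = b"constructed message: release 100 WBTC to some account"
    real_root = hashlib.sha256(b"constructed committed root").digest()
    results = {}
    # Trusted root initialized to zero: an unproven message is processed.
    results["zero_init"] = BridgeReplica(ZERO_ROOT).process(msg)
    # Same initialization, but the zero root is explicitly rejected.
    results["zero_init_guarded"] = BridgeReplica(ZERO_ROOT, True).process(msg)
    # Non-zero initial root: unproven fails, proven succeeds.
    ok = BridgeReplica(real_root)
    results["unproven"] = ok.process(msg)
    ok.prove(msg, real_root)
    results["proven"] = ok.process(msg)
    return results
```

Calling `demo()` shows that the zero-initialized replica accepts a message nobody proved, while the guarded and correctly initialized replicas refuse it.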
PeckShield found that one of the Nomad bridge exploiters is also a RariCapital (Fuse Arbitrum) exploiter, who gained ~$3m in this exploit. Also, the Connext protocol, which is a bridging protocol, had collaborated with Nomad to provide liquidity on Nomad, and they lost 3m in this hack out of the 190m.
Once it became known, the whitehat hackers stepped in to execute the hack in the same way only to return the funds to Nomad. The Nomad team is asking hackers to return at least 90% of the stolen funds or else risk legal action. So far they have managed to recover $32M.
Coinchange doesn’t provide liquidity to bridges. We only use the bridges to transfer assets from one chain to another. Before we integrate and use a bridge, we assess 4 main risks with our risk assessment framework: Smart Contract risk, Financial/liquidity risk, Operational Risk, and Decentralization risk. We pay particular attention to the messaging being used by the bridge and the trust assumption. This process we have in place at Coinchange helps us select only the most secure bridge for our cross-chain strategies. Additionally, the learnings from these hacks are included in our research processes, making it a robust framework.
This concludes our 3-2-1 Q&A Blog. We’ll see you in the next one, two weeks from now. Meanwhile, kick back and earn passive income using Coinchange. Sign up today!