DeFi hacks in 2022: A record $2 billion to date

Greetings and welcome to Protocol Fintech. This Thursday: the persistence of DeFi hacks, Ripple’s win and Celsius’ bankruptcy.

Off the chain

WTFintech founder Nicole Casperson left some people shooketh when she tweeted this callout: “Terrify a fintech founder in 5 words or less.” I don’t know whether “Who is your compliance officer?” or “What’s your Web3 strategy” is my favorite response, but they’re all better than a stair-climbing machine for raising your heart rate.

— Owen Thomas

DeFi hacks aren’t stopping

The bad news: DeFi and Web3 have seen $2 billion lost to hacks, scams and exploits to date in 2022, according to blockchain security firm CertiK’s latest report. The good news, if you can call it that: Falling crypto prices may have turned off hackers and consumers alike, with the pace of losses slowing in the second quarter.

Yet DeFi hacks are rampant. In April through June, hackers and scammers stole $745 million, following three months that saw some of the largest DeFi exploits ever.

  • In just the first four months of 2022, hackers breached Axie Infinity’s Ronin bridge, exploited a vulnerability in the Wormhole network’s code and took over Beanstalk Farms with a governance attack.

Rug pulls and similar scams fell in the crypto bear market. Crypto grifters found it easier to profit off of the new investors drawn in by the bull market’s rising prices and endless hype.

  • Nevertheless, rug pulls remained a popular type of scam, perhaps because they’re the easiest to carry out. Though they fell considerably year-over-year, they rose 16% from the first quarter to the second.
  • A rug pull really only requires the ability to hype a project and some stealth in ghosting investors. Most are related to NFT projects, CertiK co-founder Ronghui Gu told Protocol, but it doesn’t help that some projects that turn out to be rug pulls are popularized by celebrity endorsements, which give them the appearance of being official.
  • Even celebrity endorsement doesn’t guarantee results. The heavily promoted Miss Universe NFT project, which marked the pageant’s 70th anniversary last year, ended up doing less than $35,000 in volume, according to the official marketplace linked from the Miss Universe website. Some asked if it, too, might be a rug pull, though the organization, owned by talent agency Endeavor, is still promising to make a charitable contribution from the proceeds of NFT sales. Miss Universe did not respond to a request for comment.

Social engineering attacks are on the rise once more. Attacks based on tricking users or employees rose 170% from the first quarter to the second quarter of this year.

  • Earlier in the year, DeFi protocol exploits dominated hacks. But now hackers are back to phishing users.
  • Social networks popularly used in Web3 projects like Discord and Telegram have become major hot spots for phishing attacks, as hackers can easily clone accounts there, Gu said.
  • With Web3 projects getting better at monitoring their code for vulnerabilities, it may just be easier for attackers to pull off rug pulls and phishing scams rather than look for bugs in smart contracts.

Education will be key to reducing these exploits, especially the ones that rely on trickery. And regulators around the world are aiming to address scams. One key may be to shift the culture of anonymity in Web3. Already, some NFT project sponsors are voluntarily advertising themselves as doxxed. Over time, KYC and AML regulations may require the same. Wallet makers may want to consider if they’re making it too easy to connect to unscrupulous websites. And above all, consumers should get more and better disclosures about just what they’re buying into.

— Lindsey Choo

On the money

On Protocol: A win for Ripple in its legal battle against the SEC arrived as a federal judge ordered the agency to release internal documents related to former director William Hinman’s 2018 speech, slamming the SEC for “hypocrisy” in resisting the move.

The U.S. Patent and Trademark Office and Copyright Office are studying NFTs. The two offices will study the impact of NFTs on intellectual property rights, including areas like licensing rights, infringement and transfer of ownership.

Also on Protocol (and someone might want to tell the government): Most U.S. gamers aren’t interested in NFTs, new survey data shows, with only 40% of survey participants indicating that both “playing” and “earning” aspects of blockchain games piqued their interest.

Polygon is joining the 2022 Disney Accelerator program. The blockchain network will join five other companies across the AR, Web3 and AI sectors in the business development program, starting this week and ending with a demo day in the fall.

The U.K. Parliament opened an inquiry into crypto assets. Following in the footsteps of the U.S. Treasury’s invitation for public comment, the legislature’s Treasury Committee is also calling for evidence to figure out the role of crypto in the U.K. and potential regulation.

China’s central bank is expanding its e-CNY pilot program. The People’s Bank of China announced Wednesday that the number of test sites for the digital yuan increased from 11 to 23, after the currency was successfully tested at the Beijing Winter Olympics.

Celsius is bankrupt

Celsius is filing for Chapter 11 bankruptcy, the company said Wednesday.

Word of its plans to seek bankruptcy, reportedly a point of contention between the company and its advisers in recent weeks, spread as it informed U.S. state regulators about its plans, CNBC reported, citing Joseph Rotunda, director of enforcement at the Texas State Securities Board, and other sources.

Celsius is among the major crypto companies that have reeled from a severe market crash that has sent the value of all cryptocurrencies falling sharply in the last seven months.

— Benjamin Pimentel

Moves and hires

Simon Khalaf is Marqeta’s new chief product officer. In an interview with Protocol, the former Twilio and Yahoo executive didn’t hold back with his thoughts on crypto.

Goldman Sachs has hired Jared Cohen, former Google Jigsaw incubator leader, to co-lead a newly created innovation office. Goldman has raided Silicon Valley before, hiring former Amazon Web Services executive Marco Argenti as co-chief information officer in 2019 and last year bringing on Uber executive Peeyush Nahar to run its consumer banking division.

The Senate has confirmed Michael Barr as the Federal Reserve’s vice chair for supervision, the Fed’s top banking watchdog role. Barr, a former top Treasury Department official, also once served as an adviser to Ripple.

Jatin Mazalcar is no longer CFO of the crypto lender Vauld, according to The Block. Rival crypto lender Nexo has a deal to acquire Vauld, which halted customer withdrawals earlier this month.

Following a leadership exodus and whistleblower lawsuit from a former VP, Better.com has added a suite of new executives. Former LendingTree executive Sushil Sharma is the new chief growth officer; Steve Riddell is returning as head of sales and Ryan Jewison, former senior VP of national expansion at US Bank, is now leading Better’s digital homeowners insurance unit.

Rohini Pandhi has joined Block’s bitcoin wallet team. Pandhi had been product lead for Square Payments for more than two years.

Rob Morgan has been named CEO of the USDF Consortium, a network of banks working to offer a bank-minted alternative to stablecoins. Morgan was previously senior VP of innovation and strategy at the American Bankers Association.

Thanks for reading — see you tomorrow!