GM Digest #301 — Exploits
Gm with Valuable Alphas / Insights — Make Sure to DYOR. All of This is Not Financial Advice. Ape at Your Own Peril
Introducing Hourglass
• @hourglasshq is a protocol that provides liquidity for time-bound and semi-fungible tokens. It has two main components.
• Hourglass Boost: Allows users to time-lock their assets to earn boosted yield through time-bound tokens (TBTs)
• Hourglass RFQ: A market for buying and selling TBTs, providing liquidity for tokens that can't be pooled like traditional ones. This is done via a request-for-quote system that directly connects protocols with market makers
• In essence Hourglass provides infrastructure for semi-fungible, time-bound tokens, unlike traditional DeFi platforms focused on fungible tokens or NFTs
• Hourglass is uniquely suited for markets involving time-bound tokens. It eliminates the need for multiple liquidity pools by allowing providers to support all maturities with a single balance, enhancing capital efficiency
• They are also running a "Points Preseason" campaign that incentivizes users by offering boosted rewards during future points seasons, not immediate airdrop points though
Introducing Overload
• @overloadfinance is a new protocol on Base that allows restaking of any ERC-20 token without slashing, enhancing flexibility for restakers and Actively Validated Services (AVSs)
• It introduces onchain consensus for direct validation, only penalizing inactivity through jailing validators. This reduces risk, encourages more restaking, and attracts more AVSs. Overload also uses a many-to-many model giving users control over AVS validation
• Overload rewards users with points for restaking. Users earn 1 point per hour for each $1 restaked, updated hourly and shown daily, starting 2 hours after deposit. Points are based on the average hourly price of the token
• Additionally, there are "Bonus Points" which increase the percentage of total supply airdropped as TVL grows, up to 20% for TVL over $500 million, and "Boost Points" where early restakers get a points multiplier, decreasing as TVL increases, starting at 10x for TVL under $10 million
PumpDotFun Exploited
• @pumpdotfun’s former employee used their privileged position at the company to misappropriate ~12.3K SOL (~$1.9m)
• To make users whole, any coin that reached 100% between 15:21-17:00 UTC (when the incident happened) will go live on raydium with >= 100% of the liquidity that it previously had within the next 24 hours
• What happened was that the former employee used flash loans on a Solana lending protocol to borrow SOL and use that SOL to buy up as many coins as they can so these coins hit 100% on their respective bonding curves — Once these coins hit 100%, gain access to the bonding curve liquidity → Repay flash loans
• Luckily out of a total of $45m of liquidity in the bonding curve contracts, only ~$1.9m was affected
Spectral 2024 Roadmap
• @Spectral_Labs unveiled SYNTAX v2 — a platform where everyone can create and monetize their own agent and Inferchain, a dedicated chain for agent registry and verification
• SYNTAX, launched in March 2024 is a robust system to generate and deploy smart contracts and fully orchestrated AI agents e.g. Agents like MoonMaker, which carry out onchain operations, and TestMachine, which checks for solidity vulnerabilities
ALEX Freezes $3.9m+ of Hacked Fund
• Alex Labs has successfully frozen more than $3.9 million worth of crypto that was exploited from its BNB Smart Chain bridge
• $13.7 million worth of Stacks (STX) tokens were also exploited. Of these, the attacker made the mistake of sending “about 3 million” to centralized exchanges
• A total of $3.7 million is held at exchanges, whereas $9.6 million are held in wallets under the direct control of the attacker
• The team is working with law enforcement for their support on recovery and tracking down the exploiter. The priority for ALEX team is to recover a total of 13.7 million STX and to develop the treasury grant program to support affected users. Details of the program will be shared soon
XLinkBTC Exploited for $4.3m
• @XLinkbtc got caught in an exploit involving compromised private keys obtained through a phishing attack
• The exploiter took control of the XLink endpoints on BSC and Ethereum and upgraded them to a malicious implementation contract. This resulted in a withdrawal of ~$4.3 million worth of funds on BSC
• The fund was recovered with the help of a whitehat. Another $5 million worth of funds are locked on Ethereum, mainly LunarCrush tokens. The @LunarCrush team, in close coordination with the XLink team, has implemented measures to secure those tokens.
Misc News
• @nftperp is airdropping 4200 $vNFTP to the first 690 holders of Bitcoin Puppets & @nodemonkes
• @Ether_fi Liquid USD holders can deposit to the @swellnetworkio L2 Pre-Launch for further yield
• @hyperlockfi is giving out 260K Blast Gold in the next 14 days to @ThrusterFi LP stakers
• @Rabby_io initial points first-round claim ends on May 31st
• @TrustWallet x Merlin announced $190k prize pool requiring users to Complete 6 sub-quests, unlock 6 individual prize pools and make your way up the reward tiers
*Reminder to Size Your Entry for Degen Plays and Take Your Principal Out (Take Profits) Whenever You Hit Your Target*