The 3rd largest hack in DeFi history

plus Dogecoin is for boomers now.

Oct 28, 2021

In this issue:

Dogecoin is for boomers now
You should never feel safe in crypto
Reddit is getting into NFTs

Shiba Inu @ShibaInuHodler

Hey @elonmusk How Much $Shib You Are Holding!!💯💎🙌

Elon Musk @elonmusk

@ShibaInuHodler None

Dogecoin is for boomers now

We used to talk pretty regularly about Dogecoin on Something Interesting. Back then things suddenly becoming absurdly valuable for no apparent reason was confusing and new. It was a simpler time.

The very first time I wrote about Dogecoin (in January) I concluded with a note saying "I hope you all had fun with DOGE! Between writing this piece and publishing it the party seems to have concluded" and then followed it with a price chart.

This is why I don’t give financial advice.

The price of DOGE has risen ~6-7x since then so obviously I underestimated the diamond hands of Dogecoin fans. But it also did something even stranger - it seems to have stabilized. For months now DOGE has been range bound between ~$0.20/DOGE and ~$0.30/DOGE. At time of writing it is trading for ~$0.24/DOGE, which is equivalent to a market cap of ~$31.6B, roughly the size of the People’s Insurance Company of China. Not bad.

On the other hand, maybe not good? It is not totally clear what motivates someone to buy or hold DOGE but it does seem like volatility was part of the value proposition. You can’t really do anything with Dogecoin other than own it, sell it, or check the price. If the price isn’t exploding the whole game is less fun.1 Dogecoin in April was a cocaine-laced revolution! Dogecoin in October is staid.

There is also more competition now - if you like dog-based investing but you prefer tokens that are backed by assets you can buy fractionalized shares of an NFT of the original Doge meme from pleasrDAO (currently valued ~$163M). And there is a neverending slurry of new dog tokens churned out by shitcoin developers. One such dog token is SHIB, a Shiba Inu themed ERC-20 token built on Ethereum.

We talked about SHIB briefly back in May. They had given half of their supply to Vitalik as a kind of insane marketing gimmick and to discourage other projects from doing the same thing Vitalik liquidated the whole position en masse and donated the coins to various charities. I didn’t cover much detail about SHIB because I assumed it would fade away into obscurity and worthlessness. NOPE.

At time of writing SHIB is ~$0.00008/SHIB with a market cap of ~$30.8B, roughly the same market cap as Etsy. For several moments today SHIB actually overtook DOGE to become the most valuable Shiba Inu-based meme currency in the world. At the moment Dogecoin and Shiba Inu coin are the 10th and 11th largest cryptocurrencies by market cap.

Morning Brew ☕️ @MorningBrew

This wallet bought roughly $8,000 of $SHIB last August. It's now worth $5.7 billion. From $8,000 to $5.7 billion in roughly 400 days. We may actually be looking at the greatest individual trade of all time.

SHIB is dumb but it is honestly less dumb than Dogecoin. Dogecoin is a parody of Bitcoin and shares roughly Bitcoin’s featureset. SHIB on the other hand is a parody of DeFi and is in the process of building dog-themed clones of the entire Ethereum ecosystem. Unlike Dogecoin the SHIB developer community is active and engaged. Different people can have different assessments of how valuable the things they are building are, but they are building things.

There are a variety of ways to see the market’s enthusiasm for DOGE fading but I think the most interesting one is Robinhood’s revenue. In Q1 DOGE trading represented 62% of their cryptocurrency revenue and cryptocurrency represented just over half of their business. By Q2 crypto revenue was down to just ~19%. DOGE traders had moved on.

Steven @Dogetoshi

Robinhood didn't list SHIB in Q3 and this was the result. Crypto went from 51% of their transaction revenue to 19%.

You should never feel safe in crypto

In the last post I mentioned a recent rumor of people’s Ethereum wallets being hacked by rogue NFTs. Here’s what I said:

It is difficult to say with certainty what is possible with smart contract security but at the moment it looks like plain old social engineering is the more likely explanation. People would just rather believe they were hacked than that they were scammed.

Several readers reached out to push back on my dismissing the threat. Tim Copeland of The Block sent me a link to this article about an exploit of RUNE, a non-standard token contract used by Thorchain. The attacker gave away free tokens that were structured in such a way that any attempt to spend or sell them gave the attacker control of any RUNE tokens. This was a vulnerability in RUNE not in Ethereum but it was still a serious exploit.

timcopeland.eth @Timccopeland

Really good @knifefight email today on the bitcoin ETFs. On the exploit bit, there are certainly some token exploits. Particularly the Rune one where certain airdropped tokens were able to steal Rune tokens. This is because it used tx.origin.

Another reader observed this:

"I don't know much about these specific attacks, but just wanted to call out that the fact that hacked users are signing transactions with their private keys (as the tweet in the article depicts), that doesn't rule out an attack. The most likely attack of this kind is a XSS vulnerability in wallets, that could be executed by putting a malicious script inside an NFT image or metadata payload ... given how many wallets are out there, and how little regard there is for infosec yet on the crypto ecosystem, I would be not surprised at all if some of them have vulnerabilities of this kind..." — AJ

I am not aware of any code-injection attacks but it is absolutely possible and a good rule of thumb in crypto is to assume that everything is exploitable. Just today a hacker pulled off the third largest heist in DeFi history stealing ~$130M worth of ETH from DeFi lending protocol Cream Finance.2 The most interesting thing about the attack is that the vulnerability it exploited has been around for almost a year. The hacker was just the first person to notice it.

Daniel Von Fange @danielvf

1/6 Today’s 120 million C.R.E.A.M. finance attack was not a bug in the traditional sense - rather two, otherwise normal, blockchain constructs mixing together explosively. A thread:

The only real way to know the security of a crypto-economic system is to put a bunch of wealth inside and wait to see if anyone steals it. Everything in crypto is too new to have been properly battle-tested — we don’t know what we don’t know. Even Bitcoin should still be considered a dangerous experiment.

Other things in this issue:

Local hero sabotages sinister plot using artificial eyeballs:

Bobby Shell ⚡ ∞/21M @iBobbyShell

Found an engineer on @Upwork who is helping me create fake and augmented retinas so @sama and his #WorldCoin no longer can viably succeed. We are making tons of retinas by the hour. What a diabolical idea they had which I just destroyed thanks to remote work. 🤝👊🌎

Reddit just posted a job listing for a senior engineer to "Design, build and ship backend services for millions of users to create, buy, sell and use NFT-backed digital goods." For those keeping score at home that means Reddit, Coinbase, Twitter and Facebook have all started building support for NFTs.3

Decrypt @decryptmedia

Reddit is seeking a senior engineer to build out an NFT platform for millions of users, according to a recent job ad. decrypt.co/84121/reddit-b…

The WuTang album Once Upon a Time in Shaolin was recorded and sold as a single unique copy. It was bought by dime-store villain Martin Shrkeli and then seized by the US government before ultimately being sold to pleasrDAO for $4M and then converted into an NFT. The music is probably pretty good, too!

Decentralized Autonomous Organizations (DAOs) are a kind of crypto-based governance tool that allows communities of token holders to pool resources and then vote on how those resources are spent. If you are not sure what that means exactly then you and the courts are in agreement.