Cryptohack Roundup: WorldCoin Probes, Curve Finance Theft
Also: LeetSwap Hack, Digital Assets Regulatory Proposal in NDAA
Every week, Information Security Media Group rounds up cybersecurity incidents in the world of digital assets. This week, Kenya, France and Germany announced investigations into WorldCoin; July security incidents reached $415 million; hackers stole over $56 million from Curve Finance and Coinbase network LeetSwap; a crypto amendment is in the NDAA; and India faces scrutiny over its lack of crypto regulation.
OpenAI founder Sam Altman's digital identity project and new cryptocurrency WorldCoin continues to ping the global government security and privacy radar. Kenya, France and Germany have joined the United Kingdom in probing how the company stores, processes and uses sensitive data. WorldCoin aims to offer a global "digital passport" to prove the holder is a human and not an AI bot. The service, which launched July 24, stores on a blockchain iris scans made using the company's bowling ball-sized "orb." It offers free cryptocurrency in some countries as an incentive to join.
Kenya suspended activity associated with the project. The country's internal security minister, Kithure Kindiki, announced Wednesday that "relevant security, financial services and data protection agencies have commenced inquiries and investigations to establish the authenticity and legality of the aforesaid activities."
France's privacy watchdog, known as CNIL, reportedly told Reuters it had initiated an investigation in cooperation with the Bavarian data protection authority. The legality of the iris scans and their storage "seems questionable," a CNIL spokesperson said.
Bavaria's State Office for Data Protection Supervision President Michael Will told Reuters that the technology, at first sight, appears "neither established nor well analyzed for the specific core purpose of the processing in the field of transferring financial information."
In July, crypto-related security events increased significantly, resulting in a total loss of $415 million, Beosin said. Losses from attacks, which included hacks of Curve Finance, AlphaPo, CoinsPaid and Poly Network, increased 89% during the period. Rug pulls soared by five times, causing $24.46 million worth of damage. The Multichain incident added $210 million to the tally, Beosin said.
Hackers on Sunday exploited a vulnerability in projects using multiple versions of the Vyper programming language on Curve Finance to steal more than $56 million. Curve Finance on Discord said that "everything that could be drained was drained. The targeted pools are aETH/ETH, msETH/ETH, pETH/ETH and CRV/ETH. All remaining pools are safe and unaffected by the bug."
In a twist, the re-entrancy bug that led to the exploit had already been patched. "The bug was fixed many versions of Vyper ago. The actual oversight was not realizing the potential impact to projects at the time it was fixed," said Robert Chen of OtterSec, which was part of the "war room" that helped Curve Finance mitigate the hack's damage.
Vyper tweeted details of still-vulnerable versions.
Several white hat hackers also drained an undisclosed amount of funds from the platform, and PeckShield reported that at least one returned $5.4 million to Curve.
LeetSwap, operating on Coinbase's Base network, on Tuesday halted transactions on its platform over concerns of a potential exploit. In a tweet, the decentralized exchange said it is working with security experts to recover locked liquidity. Wintermute research head Igor Igamberdiev said a hacker had exploited a smart contract function to inflate the price of $630,000 worth of ETH tokens on the platform before draining them. Blockchain security firms PeckShield, Beosin, BlockSec and CertiK also shared analysis of the attack.
Crypto Legislation in the NDAA
The $886 billion legislation authorizing U.S. national defense funding, passed by the Senate last week, addressed several aspects of illicit activity involving cryptocurrency. The chamber's National Defense Authorization Act includes as an amendment the Responsible Financial Innovation Act, which would require financial regulators to establish examination standards for cryptocurrency addressing reporting obligations and anti-money laundering programs as well as financial institution compliance with anti-money laundering statutes.
Court Questions India on Lack of Crypto Regulation
The Indian Supreme Court, expressing its disappointment over the lack of clear guidelines around cryptocurrencies, directed the government to present plans to set up a dedicated federal agency to address crime involving the digital assets. The court made the statement while hearing petitions related to cryptocurrency fraud cases in different states of India, the Hindustan Times said.