⛓ $600M Stolen, No One Noticed for 6 Days...

Axie was hacked and no one knew for 6 days, the EU is cracking down on self hosted crypto wallets, and companies are fleeing to Dubai.

Axie Infinity's Sidechain Ronin Hacked for Over $600M
Axie Infinity Characters

Axie Infinity's Sidechain Ronin Hacked for Over $600M

Axie Infinity's Ethereum sidechain, Ronin, was hacked for over $600M in ETH and USDC. Sky Mavis, Axie Infinity's developer, became aware of the hack on March 29, when a user couldn't withdraw ETH using the Ronin bridge.

Axie Infinity (AXS) is a popular NFT game in which players breed and fight NFT monsters, similar to Pokemon. The game has a $3.8B market cap, 2.6M wallets, and an ecosystem moving billions every month. In response to Ethereum's high gas fees, Sky Mavis created the Ronin sidechain. Players can bridge other cryptos onto Ronin and play the game without paying high gas fees.

According to Sky Mavis, the attacker used hacked private keys to forge withdrawals, taking the ETH and USDC in two transactions on March 23, 2022. It took almost six days for anyone to notice.

Sky Mavis's Ronin validator nodes and Axie validator nodes were hacked. The attacker used hacked private keys that Sky Mavis believes were acquired through a combination of social engineering and old school hacking.

According to Sky Mavis, the attack was possible because Sky Mavis and the Axie DAO used bad security practices to handle high player volume late last year: "Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked. Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator by using the gas-free RPC."

The Ronin sidechain was a good target for an attack like this because it only has 9 validators, and it considers 5 of 9 nodes as the consensus threshold. Following the attack, Sky Mavis says it will increase security by requiring 8 of 9 nodes to validate a transaction.

In its writeup of the hack, Sky Mavis says all AXS, RON, and SLP on the Ronin sidechain are safe at this time. Sky Mavis also halted all transactions on the Ronin bridge and its decentralized exchange, the Katana DEX. The company says it will recover or reimburse all stolen player funds, but it did not say when.

Sky Mavis is working with blockchain analysis firm, Chainalysis, to track the stolen ETH and USDC and with centralized exchanges to blacklist the tokens. Binance has also disabled its bridge to Ronin.

The European Union Votes to Crack Down on “Unhosted Wallets”
Photo by Frederic Köberl / Unsplash

The European Union Votes to Crack Down on “Unhosted Wallets”

Last week, European Union lawmakers voted in favor of passing a bill which would outlaw anonymous cryptocurrency transactions of over 1,000 EUR. In addition to this requirement, the bill would remove the minimum amount required for reporting fiat transactions – called the “travel rule eligibility” –, which effectively places all transactions under the regulatory umbrella.

These actions have been introduced under the guise of Anti-Money Laundering (AML) regulations, but the recent global push for AML laws has been largely focused on Russians trying to avoid sanctions. The use of Cryptocurrency to avoid sanctions has been a talking point since the Russian invasion of Ukraine began at the end of February.

As we’ve previously reported, there are real accounts of Russians moving their assets out of the country via cryptocurrency to places like the United Arab Emirates. The main focus of lawmakers has been the Russian government avoiding sanctions via crypto, but most experts believe this is impossible given how large the Russian economy is relative to the size of the cryptocurrency sector.

This proposal is targeting smaller users who want to host their own money in wallets and interact with the growing decentralized finance (DeFi) system.

Brian Armstrong, CEO of Coinbase, described on Twitter the consequences for how the company would have to operate if this bill were to pass.

This means before you can send or receive crypto from a self-hosted wallet, Coinbase will be required to collect, store, and verify information on the other party, which is not our customer, before the transfer is allowed.
Moreover, any time you receive 1,000 euros or more in crypto from a self-hosted wallet, Coinbase will be required to report you to the authorities. This applies even if there is no indication of suspicious activity.

The proposal must now pass through the parliament and national ministers in order to become law.

Crypto.com and Bybit are Moving to Dubai
Photo by David Rodrigo / Unsplash

Crypto.com and Bybit are Moving to Dubai

Since Russia invaded Ukraine, there has been a reshuffling and strengthening of who is, and who is not, pro-cryptocurrency. Dubai, part of the United Arab Emirates, has always leaned pro-crypto, but they are making the position official by explicitly stating their intent to become a hub for the technology. They have also stated that they’ll soon be adopting a regulatory framework.

The emirate of Dubai announced they’ll be launching a regulatory license for virtual asset companies. Shortly following this announcement, FTX Europe and Binance both received their regulatory approval from Dubai. Many current cryptocurrency firms in the emirate recently spoke about receiving about 6x the regular volume of large financial transactions per month. Much of the incoming money is believed to be in the process of conversion into more stable assets like real estate in the emirate.

Presently, two large companies are moving into Dubai: Crypto.com and Bybit.  Crypto.com has announced they’ll be opening an office and are going to be aggressively recruiting over the next few months, while Bybit (1.6M users, 2nd largest Bitcoin Futures market) has announced they’ll be moving their global headquarters from Singapore to Dubai having received full regulatory approval.

Crypto.com and Bybit both are based out of Singapore. Earlier this year, the country passed laws limiting the ability of companies to advertise digital assets, stating that they were too risky and “not suitable for the general public.”

Stablecoin Wars: Terra LUNA is Trying to Depeg Maker DAO's DAI Stablecoin

Terra (LUNA) is at war with Maker DAO (MKR) and its DAI stablecoin. Terra is starting a new Curve war with Maker DAO, and it partnered with serious Convex whales to choke out DAI's liquidity.

UST is the Terra ecosystem's stablecoin pegged to the US Dollar. Last year, UST exploded in popularity, and now the token has a $16.6B market cap. DAI is Maker DAO's US Dollar-pegged stablecoin. It has a $9.5B market cap. DAI has historically been much larger than UST, but in December 2021, UST flipped DAI.

Maker DAO's co-founder, who isn't officially in charge there anymore, accused UST and MIM of being Ponzi schemes on Twitter in January 2022.

Maker DAO's founder accuses UST and MIM of being Ponzi schemes on Twitter
Maker DAO's founder accuses UST and MIM of being Ponzi schemes on Twitter

This isn't necessarily what prompted Terra to attempt to kill Maker DAO, but in a world of crypto partnerships using pooled resources, it doesn't help to have Terra and its enormous ecosystem as an enemy.

Terra is attempting to kill Maker DAO and its DAI stablecoin by choking out DAI's liquidity on Curve Finance. Without liquidity, DAI could depeg and spiral to zero value, crashing Maker DAO's MKR token in the process.

If this sounds like a conspiracy theory, check Do Kwon's Twitter. He's the Founder and CEO of Terra, and he comes right out and says his "goal is to starve the [Curve Finance] 3pool" by drawing investors to his new Curve 4pool. DAI is the only stablecoin in the 3pool that's excluded from the 4pool.

Curve Finance (CRV) is the largest DeFi protocol, specializing in stablecoin swaps, with $21B in total value locked and a $1.4B market cap for its CRV governance token. Curve is the largest decentralized exchange (DEX) and it offers the deepest liquidity for stablecoins on the Ethereum network. Curve is a primitive protocol in the DeFi ecosystem, and its liquidity pools are used by Fantom, Yearn Finance, AAVE, SushiSwap, Synthetix, Badger DAO, Cream Finance, Compound, and many others.

From a crypto protocol's perspective, inclusion in a popular Curve pool can add a massive boost to a project's liquidity. Additionally, as more veCRV is applied to a liquidity pool, its yields increase. For individuals, this is tough to achieve, but for very large projects with huge amounts of CRV, it's possible to boost rewards by 2.5x. But if Curve is decentralized, who decides which crypto protocols get massive Curve pools?

Convex Finance (CVX) is an incentive protocol built on top of Curve Finance. Convex rewards Curve liquidity providers and CRV token holders by allowing them to stake their assets on Curve for higher yields than Curve offers. As Shrimpy Academy explains: "Essentially, everyone using Convex is pooling their assets together so the platform can acquire more CRV, convert it into veCRV, then maximize boost to all Curve LP token holders."

Inclusion in a Convex liquidity pool provides massive liquidity to a project. As Reddit user u/Set1Less explains, "If Curve is the king of DeFi, Convex can be regarded as the King maker. CRV+CVX combo can direct large portions of DeFi markets and are primitive protocols behind the DeFi infrastructure."

3pool on Curve Finance

Curve's 3pool is the largest, most used, and most important stablecoin liquidity pool in the world. The liquidity pool allows investors to swap DAI, USDC, and USDT stablecoins for each other with very low slippage and fees. Today, the 3pool has $3.2B in liquidity–45% of which is DAI tokens. Almost all stablecoins pair with the 3pool for liquidity and stability, including UST and FRAX. So if you swap UST for USDC on a random DEX, there's a good chance that DEX is using the 3pool behind the scenes for liquidity.

Average Joe Crypto explains: "The largest and most important pool on Curve has always been the 3pool. [...] 3pool is critical infrastructure for maintaining the peg between USDT, USDC, and DAI, and by extension, critical for DeFi. Additionally, in part because of 3pool, USDT, USDC, and DAI have historically been the most prominent stablecoin options."

Terra's attack on this pool will harm DAI the most, since the pool provides so much liquidity to DAI, and the USDC and USDT tokens are included in the new 4pool.

Terra has teamed up with Frax and Redacted Cartel. Frax is the largest decentralized holder of CVX tokens, and Redacted Cartel has roughly 2/3 as much CVX as Frax. Combined with Terra, the trio hold 12% of all vote-locked CVX (~25M veCRV). Using this CVX, the team behind the 4pool can direct higher rewards to investors who stake their stablecoins in the 4pool. This is expected to drive investors from the 3pool to the new 4pool.

While Do Kwon may have already claimed victory, Maker DAO feels as though the conflict has simply entered a new phase. Maker DAO believes 4pool will fail to completely kill 3pool, but that the price to bribe investors to choose 4pool will increase rapidly.

Maker DAO is characterizing the new Curve war as a “war for survival,” rather than profit. The DAO behind DAI does have a war chest, but it's unclear if they'll use it to prop up 3pool. Additionally, other large projects use Curve, and Convex's largest whale, Tetranode, teased a new venture following Terra's 4pool announcement.

How was today's email?