⛓Takeovers, Attacks, and Fraud

Hostile takeovers in crypto, active OpenSea attack, fraudsters running DAOs, and the NYSE launching an NFT platform?

Under New Management: Build Finance DAO Falls to a Hostile Takeover
Build Finance DAO taken over

Under New Management: Build Finance DAO Falls to a Hostile Takeover

Why Build Finance was a Good Target

Build Finance DAO was a "decentralized venture builder." The idea was that investors would buy BUILD tokens, then Build Finance would buy other assets to store in its treasury. In turn, the decentralized autonomous organization (DAO) would fund other projects using its BUILD tokens. MetricExchange (METRIC) is one of Build Finance's main investments.

Build Finance was not a large or active project. Before the takeover, DAO members had complained of slow progress on new development and limited communication from the core team. Despite slow product growth, Build had about $500k worth of crypto in its treasury–mostly in DAI, BUILD, and METRIC tokens.

Build Finance's DAO had an unusual governance model that allowed the owner of a single smart contract to mint BUILD tokens and control the treasury. In addition to its somewhat inactive community, this software design quirk made Build Finance a good target for a hostile takeover, because a single vector could give an attacker total control over the DAO.

“As things stand, the attacker has full control of the governance contract, minting keys and treasury. The DAO no longer has control over any part of the key infrastructure.”
- Build Finance, in the project's Discord

How Build was Taken Over

Tweet confirming hostile takeover
Tweet confirming hostile takeover

According to Build Finance, on February 9, a wallet named Suho.eth submitted a DAO proposal that would let him or her mint BUILD tokens without the DAO's approval–in effect, taking over the project. This proposal was voted down.

On February 10, Suho.eth sent tokens to another wallet and re-submitted the takeover proposal. This proposal was not picked up by Build Finance's Discord bot to alert voters, and it passed unnoticed.

After the takeover, the attacker–as Build Finance's old boss calls its new boss–disabled the project's docs and Discord bot. Build Finance's old boss believes the attacker was trying to hide his or her next steps.

Build Finance: Under New Management

Under new management
Under new management

According to Build Finance's old boss, the attacker used Build Finance DAO's permissive governance contract to empty the treasury and liquidate the BUILD token.

First, the attacker minted 1.1M BUILD tokens and used them to drain BUILD's liquidity on decentralized exchanges (DEXs) Balancer and Uniswap. Then, the attacker took 130k METRIC tokens from the Build Finance DAO's treasury and used them to drain liquidity on a couple DEXs.

Once the major liquidity was drained from BUILD, the attacker minted another 1B BUILD tokens and used them to drain all remaining liquidity in the project. The attacker then sent the funds to crypto tumbler Tornado Cash to hide their origin. Based on analysis of the attacker's transactions, it appears he or she took about 160 ETH, worth roughly $500k.

The Damage Seems to be Permanent

Before the takeover, BUILD's market cap was around $200k, and its treasury assets were worth around $500k. Today, BUILD's market cap is just $500–a 99.7% drop–and its treasury is empty. The entire process took about three days.

Chart showing BUILD token's drop from $1.50 to $.003 during the takeover
BUILD token dropped from $1.50 to $.003 during the takeover. Source: CoinGecko

The Future of Build Finance

Tweet pointing out Build Finance is under new management
Tweet pointing out Build Finance is under new management

The attacker still controls the DAO, and it's unclear what will happen to the project. MetricExchange continues to operate, and the attacker has no control over the supply of METRIC tokens.

For now, Build Finance's old boss has just one suggestion: Do not buy BUILD tokens on any platform.

Ledger Nano Wallet
In a world of hostile takeovers, why expose yourself to hacks? 6 million customers use the Ledger hardware wallet to keep their assets safe. Don't wait to be part of a hack article.

Active OpenSea Attack Takes Millions
Photo of the best pirate you've ever seen by Sergey Semin / Unsplash

Active OpenSea Attack Takes Millions

There is an ongoing attack targeting OpenSea users, resulting in the theft of millions in Ethereum and NFTs from users’ wallets.  While the method of attack on OpenSea is not yet clear, the safest course of action is to revoke your wallet access to OpenSea for now.

On Saturday night, a series of transactions were executed for 0 ETH each, which resulted in high value NFTs being exchanged from users’ wallets into the wallets of a hacker.  Many of these NFTs are currently frozen, but the hacker was able to offload roughly $3M in ETH (>1,000 ETH) before the assets were locked.  According to OpenSea, “this appears to be a phishing attack originating outside of OpenSea's website.”

@isotile tweet thread explaining OpenSea attack
@isotile tweet thread explaining OpenSea attack

Twitter user @isotile explains what appears to have happened by analyzing the etherscan record in a tweet thread.  According to @isotile, the hacker used a phishing email claiming to be OpenSea and needing users to upgrade to a new contract.  Once a user has followed the link provided and signed the transaction, they’ve fallen victim to the exploit.  Instead of upgrading to a new OpenSea contract, users are actually signing a private sale with the hacker for 0 ETH through an exchange called Wyvern.

The hacker waited until today, and synchronously purchased these NFTs before their private sale listings on Wyvern expired.  According to @isotile, the telltale sign that this was not a hacking event, but rather a phishing scam, was that each of the transactions had a user’s wallet signature.  This was consistent across all of the scam transactions on Etherescan.  Another Twitter user @Nesotual points out that Wyvern contracts are much more flexible than those of OpenSea, and thus do not have as much validation for user protection.

OpenSea statement on attack
OpenSea statement on attack

While OpenSea continues to investigate, it has put up an orange banner on the home site warning users, “We're continuing to investigate rumors of a phishing attack originating outside of OpenSea. Do not click links outside of opensea.io.“  OpenSea has been in the news frequently as of late as competitors come out of the woodwork, features are leaked, and as it receives public backlash over the company’s direction.

Composable Finance Allegedly Run By Convicted Fraudster Omar Zaki
Source: Composable Finance

Composable Finance Allegedly Run By Fraudster Omar Zaki

0xbrainjar and Composable Finance

On February 18, self-described "on-chain sleuth" @zachxbt doxxed 0xbrainjar, the Head of Product at Composable Finance. According to @zachxbt, 0xbrainjar is actually the fraudster Omar Zaki. This Morning On Chain has not been able to verify this information.

Composable Finance (LAYR) is a cross-chain crypto on the Polkadot (DOT) network with $32M in total value locked. The project won a Polkadot parachain slot at auction, using a crowdloan to raise 6M DOT, worth about $110M. Composable Finance's canary network, Picasso (PICA), has a limited product line operating on Kusama (KSM).

Omar Zaki

In 2019, the SEC accused Omar Zaki of "misleading investors in financing an unregistered hedge fund" that he ran as an undergraduate at Yale. According to the SEC, Zaki and his business partner created "investor prospectuses with false trading history, investment returns and management teams."

Zaki paid a $25k fine to settle with the SEC without admitting fault. His lawyer was a white collar defense specialist who defended Tesla and Elon Musk during the federal investigation of Musk's tweets in 2018. Zaki is believed to be legally barred from working in investments until later this year. It is entirely possible that Zaki merely took a youthful risk and has not defrauded anyone since college.

What Allegedly Happens to Zaki's Projects

0xbrainjar is the Head of Product at Composable Finance. If @zachxbt is correct in his assertion that 0xbrainjar is actually Omar Zaki, then Composable Finance may be in trouble. Zaki is tied to two crypto projects that were hacked and then died.

Warp Finance was a decentralized finance (DeFi) project run by Zaki and an anonymous team. In 2020, Warp was hacked for $8M; the project went dark soon thereafter. @zachxbt believes Composable Finance and the Picasso Network have the same team as Warp Finance.

Force DAO (FORCE) was a decentralized autonomous organization (DAO) run by Zaki and an anonymous team. In April 2021, Force DAO was hacked, losing $367k. The hacker returned the funds, but the FORCE token's value dropped 95%. According to blockchain security researcher Mudit Gupta, the Force DAO hack used a Solidity contract bug that is "well known." Gupta believes "it's almost certain that no security expert has reviewed [Force DAO's] contracts." Force DAO's developers and social media have been silent since November 2021.

@zachxbt believes all of 0xbrainjar's projects used the same auditor, although this seems to be less supported than his other claims. The auditor is a defunct auditing firm owned by German company Advanced Blockchain AG (ISIN: DE000A0M93V6). Advanced Blockchain AG appears to have invested in multiple 0xbrainjar projects, including a public investment in Composable Finance. Additionally, @zachxbt believes 0xbrainjar "holds a senior position" at Advanced Blockchain AG that is not shared with the public.

Announcement that Composable Finance has won a Polkadot parachain auction
Announcement that Composable Finance has won a Polkadot parachain auction

As the story develops, there is still no public evidence that 0xbrainjar is Omar Zaki. It is still possible that 0xbrainjar and Omar Zaki are different people. This is in contrast to the TIME Wonderland scandal in which Wonderland's public face, Daniele Sestagalli, admitted he knew his co-executive, 0xSifu, was actually QuadrigaCX co-founder and exit scammer Michael Patryn.

The New York Stock Exchange Files Patent for NFT Marketplace
Photo by Patrick Weissenberger / Unsplash

The New York Stock Exchange Files Patent for NFT Marketplace

NYSE’s history with NFTs

Over the past year, we’ve observed worlds collide with the mainstream adoption of NFTs.  From pro sports welcoming them with open arms to video games launching in-game items as NFTs, the status quo web 2 world is quickly being invaded by web 3 in the form of .jpegs.  However, a major component has thus far been absent – the white whale of the traditional world: stocks.

There have been rumors in the past of more prototypical exchanges experimenting with running the exchange on the Ethereum blockchain, but so far nothing has made it to market.  The biggest player in the traditional stock exchange market is a company called the New York Stock Exchange (NYSE).  NYSE went beyond the original rumors by minting and selling 6 NFTs related to the sale of a few popular companies' first public stocks (their site features companies like Spotify, DoorDash, and Unity).


Apparently the NYSE enjoyed the process of minting NFTs as much as the crypto community does, because they’ve just filed a patent for an NFT exchange. More specifically, this exchange will comprise metaverse items and digital currencies.  The patent includes “provision of an online marketplace for buyers, sellers, and traders of downloadable digital goods authenticated by non-fungible tokens (NFTs).”  The NYSE has also mentioned the “issuance of digital tokens” and “non-fungible tokens of value,” suggesting that it may be considering minting a token alongside its competitor OpenSea.

The NYSE is the largest traditional stock exchange in the world, clocking in at a full market cap of over $27 Trillion.  With the patent for a marketplace, NYSE mentioned the use of digital showrooms and virtual stores, indicating this may be a play to build a metaverse.

NYSE is entering a very crowded market in terms of NFT marketplaces, with OpenSea being dominant, and everyone from FTX to Shopify launching their own competitors.

How was today's email?