🛡️ $10M for security

Hey frens! We’re back after a restful and super-chill long weekend. 

The Bitcoin Conference is happening in Las Vegas today until Thursday. That means the side events are gonna get wild. Think memecoin-themed events at mansions complete with stilt-walkers, mermaids, and go-go dancers — plus endless talk about crypto, of course.

Gaming tokens are largely up in the past week. SUI is one of the few that’s down in that time, and it appears to be mainly because of the Cetus exploit. 

Let’s talk about it.

— Kate Irwin

Sui vows to step it up after Cetus drain

We now know more about the bug that was exploited last week, resulting in over $220 million in frozen and stolen funds from the Sui-based DEX Cetus.

On Monday, Sui described the flaw as “a bug in a Cetus math library” and promised to commit $10 million to improving Sui’s security more broadly. That includes a bug bounty program, plus Sui-funded security audits for projects using the chain.

Blockchain security firm Dedaub explained that the attack involved intentionally misconfiguring a liquidity pool with an “extremely high value.”

“This allowed them to add massive liquidity positions with just 1 unit of token input, subsequently draining pools collectively containing hundreds of millions of dollars worth of token,” the firm wrote.

As of May 26, Cetus said that the majority of the swiped crypto (roughly $162 million) remained frozen across two Sui wallets, while the rest of the stolen funds had already been converted to ETH by the attacker.

“Cetus has been among the DeFi teams on Sui that invested the most in smart contract audits and system safeguards. Unfortunately, reality does not always unfold as we wish,” Cetus said in its disclosure. “Multiple rounds of audits on the underlying contracts and the dependent open-source libraries — combined with their widespread and successful use by ecosystem developers — gave us a sense that we had done enough. In hindsight, we realize we allowed ourselves to relax our vigilance. This painful lesson has shown us: we must do more.”

The DEX further said last week it hasn’t heard from the hacker thus far.

Sui isn’t the only one that’s recently seen crypto swiped on its chain due to an exploit. On a much smaller scale, Cardex, a game on Abstract, had a flaw that resulted in at least $500,000 being siphoned from that app’s users earlier this year.

Being permissionless means more people can build in a chain’s ecosystem with less oversight, getting closer to financial decentralization, one of the original aims of crypto.

But it also means a chain’s reputation can take a hit when some apps that use it are lacking on the security front — leading to headline-generating exploits and losses often in the millions.

“Security audits are inherently imperfect,” wrote BlockSec’s CCO, who goes by Orlando on X, in response to the incident. “In 2023, the entire crypto market spent $1 billion on security audits, yet $2 billion in assets were still stolen.”

Red Bull Racing goes crypto

Red Bull’s car racing division has launched a series of two-dozen different NFTs that use the Abstract blockchain.

The NFTs make holders eligible for future prizes. The NFTs are broken down into groups of six, with each set representing a different racing region of Monaco, Silverstone, Singapore, and Abu Dhabi, respectively. 

The NFTs exist across three tiers: Standard, Silver, and Gold. Standard-tier NFTs are free to mint during a specific claim window, while the higher tiers are not.

Collecting all 24 NFTs in the Standard tier gives holders the chance to win one of three polo shirts signed by Red Bull Racing drivers. Silver tier collectors with all 24 across that tier could win signed art. 

Gold tier collectors could get an Oracle Red Bull Racing factory tour with travel included up to $4,000, plus other perks during the experience.

• Crypto-developer-focused startup Alchemy has bought NFT launchpad startup HeyMint to integrate its “Smart Wallet” tech. HeyMint tools let creators manage allowlists for mints, plus launch NFT collections via its launchpad. Starting your own crypto project without coding knowledge continues to get easier.