Unchained - Unconfirmed: Why Did the Poly Network Attacker Return Half the Money They Stole? - Ep.263

Episode Date: August 13, 2021

Poly Network, a cross-chain DeFi protocol, recently suffered a $600M hack -- the largest DeFi exploit in crypto history. Mudit Gupta, security researcher and SushiSwap dev, breaks down the attack, explaining how it occurred, why the hacker is returning the funds, and what Poly Network should do next.

Show highlights:
- how Poly Network works
- what specific mechanism the hacker attacked on Poly Network
- why many people (including myself) had never heard of Poly Network before the hack
- how “keepers” failed to protect Poly Network
- why a failed transaction was the key to pulling off the hack
- what SlowMist claims to have discovered about the hacker
- what could be motivating the hacker to return the stolen funds
- how the hacker is communicating with Poly Network
- why Tether was able to freeze funds while USDC and BSC allowed the hacker to get away with their tokens
- how Poly Network should handle negotiations with the hacker

Thank you to our sponsors!
Sorare: https://sorare.com
Polymarket: https://polymarket.co/unconfirmed
Crypto.com: https://crypto.onelink.me/J9Lg/unchainedcardearnfeb2021

Episode Links

Mudit Gupta
Twitter: https://twitter.com/Mudit__Gupta
Blog: https://mudit.blog/
SushiSwap: https://twitter.com/SushiSwap

Poly Network hack
Poly Network response: https://twitter.com/PolyNetwork2/status/1425870262067548163
Mudit’s analysis: https://mudit.blog/poly-network-largest-crypto-hack/
Kelvin Fichter thread: https://twitter.com/kelvinfichter/status/1425217046636371969
Hacker Q&A: https://twitter.com/tomrobin/status/1425487745166753794
Tether blacklist: https://twitter.com/paoloardoino/status/1425090760609832978
ETH tip: https://twitter.com/HsakaTrades/status/1425093301691195407
The Block’s coverage: https://www.theblockcrypto.com/post/114189/poly-hack-attacker-return-funds-id-slowmist
Returning funds: https://www.coindesk.com/poly-network-hacker-starts-to-return-funds

Transcript
Starting point is 00:00:04 Hi, everyone. Welcome to Unconfirmed, the show that reveals how the marquee names in crypto are reacting to the week's top headlines and gets the insights given what they see on the horizon. I'm your host, Laura Shin, a journalist with over two decades of experience. I started covering crypto six years ago, and as a senior editor at Forbes was the first mainstream media reporter to cover cryptocurrency full-time. This is the August 13th, 2021 episode of Unconfirmed. The Unchained newsletter has switched from a weekly news recap to a daily email. Each morning, you'll get four to five quick headlines, a crypto meme or two, and a few recommended reads. Head to Unchainedpodcast.com and the signup for the newsletter is right on the homepage. Polymarket is the leading information markets platform where you can trade on the most hotly debated topics, whether it's politics, coronavirus, current events, and more, all on the blockchain. For a limited time, sign up with referral code, unconfirmed, to get your first trade reimbursed up to $100.
Starting point is 00:00:59 The crypto.com app pays you up to 8.5% interest on your Bitcoin. Get $25 when you download the crypto.com app with code Laura. The link is in the description. Looking for NFTs that are useful and fun? Try Sorare, the largest NFT-based fantasy game. You can collect, trade, and compete with officially licensed digital cards of soccer players from over 160 clubs on Sorare. That's S-O-R-A-R-E.com.
Starting point is 00:01:29 Today's guest is Mudit Gupta, core developer at SushiSwap. Welcome, Mudit. Hi, everyone. This week saw the largest exploit in DeFi history. In fact, it was one of the biggest hacks in all of crypto history, in which an attacker was able to steal more than $600 million worth of coins from the cross-chain protocol Poly Network. Why don't you give us an overview of what happened here?
Starting point is 00:01:57 Yes, sure. So I'll start with the basics. The brief background about Poly Network is that it is a cross-blockchain application. It allows you to pass messages from one blockchain to another. One of the main products is a bridge between different blockchains. So if you have tokens on Ethereum, you can move them to BSC or numerous other blockchains that Poly Network supports. The way this bridge works is that you lock tokens on one blockchain, and then you can
Starting point is 00:02:28 unlock them on another blockchain. So it maintains a balance between locked and unlocked. What the hacker eventually managed to do is break this balance and unlock their tokens without locking any tokens in exchange. So they basically broke this balance and withdrew all tokens without having to lock their own tokens. Wow. That that is
Starting point is 00:02:57 quite a simple actually attack to extract a huge amount of tokens. So as you mentioned, Poly Network is a cross-chain network but I did see a lot of crypto people and I myself also had not heard of Poly Network before this moment. So
Starting point is 00:03:15 can you tell us kind of how it is that it was that many of us had not heard of it? Yes, sure. So firstly, this hack was actually relatively complex. There were a lot of steps involved. I'm just oversimplifying here in some sort.
Starting point is 00:03:32 But it was indeed a complex act. And the reason probably none of us have heard about Poly Network is that their target audience is in China. I'm sure most of the Chinese users would have heard about it and probably used it. But outside China, I don't think anyone really
Starting point is 00:03:52 uses Poly Network. Yeah, yeah. And actually, when I called it simple, what I meant was it's not like they had to hack keys, right? They ended up just kind of making their key, the one that could give themselves the money. So in that sense, it was, I guess, sort of like almost like a, what you might call it, just kind of going around the normal route or something. Yes, sure. It was indeed a unique attack. It wasn't like your previous hacks in the DeFi space which usually use something like flash loans, price manipulation, and stuff like that. But it was quite different.
Starting point is 00:04:34 Honestly, Poly Network has quite a unique architecture from other protocols. So, yes, the hack was also unique. The attacker managed to kick out the trusted parties from the system and replace them with their own malicious party. They call it keeper in the system. So once this keeper of the system was replaced, the attacker was free to do anything they want. Yeah. So just to actually break down the steps a little bit more, you know, you kind of mentioned at the end, but, and I mean, you did give us the
Starting point is 00:05:07 overview, but why don't you just walk us step by step what they did without obviously going into such technical details people won't be able to follow? Yes, sure. So I can start with some background about Poly Network. Firstly, they have a system, they have a concept of keepers. Keepers are trusted entities that sign messages that are then validated by the blockchain. So as we know, Ethereum can't directly talk to other blockchains like BSC. So we need an intermediary source that can validate messages that happened on Ethereum and tell BSC that it actually happened. And similarly, if something happens on BSC, these guys validate it and tell Ethereum that this actually happened. This is the basic job of keepers.
Starting point is 00:05:58 Now, as long as these keepers are trusted entities and they are not behaving maliciously, they will only verify actions that only actually happened. So if they sign a transaction of Ethereum, then that transaction must have already happened on Ethereum. They won't sign any transaction that hasn't yet happened. So with some background, the way Poly Network passes messages around is that they have a manager contract on every blockchain, that once it receives signed data from the keepers, it verifies that the signature is correct. If the signature is correct, it assumes that the transaction actually happened on a different blockchain. It does not, it has no way to verify it apart from those signatures that this transaction
Starting point is 00:06:55 has already happened or not. When the signature is given to it, it assumes that the transaction has happened and it rebroadcasts that transaction on the target chain on which the code is now running. So now the transaction, this is the complete cycle of message passing. Transaction first happens on a source blockchain. The keepers sign it and then pass the data to the destination blockchain and then the destination blockchain rebroadcasts this transaction. This means that anyone can make the manager contract on the destination blockchain
Starting point is 00:07:33 basically rebroadcast almost any transaction. They just do that transaction on a source blockchain, the keepers will verify it because the transaction has happened, and then the manager on the destination blockchain will also execute it because this has happened. The security concern with this approach is that since anyone can make the destination chain, the destination manager contract do anything, we should make sure that this contract has no special permission on anything. It does not hold any tokens.
Starting point is 00:08:09 It is not an admin of any contract or anything like that. Otherwise, what can happen is let's say I do a transaction on source blockchain, which is an admin action. Obviously, I don't have those admin permissions, so it will fail on the source blockchain. But on the destination blockchain, since the transaction is done by the manager contract, not me,
Starting point is 00:08:31 if the manager contract has these admin permissions, this transaction will actually go through rather than failing. And this is a problem. The transaction which was supposed to fail is not going through. And this is what the hacker exploited. They did a transaction on one of the blockchains that failed on that blockchain because they didn't have enough permissions. But it actually went fine on the destination blockchain because there it was executed by the manager rather than the user directly. They used this transaction to replace the keepers in the system.
Starting point is 00:09:06 Now once the keepers were replaced, you could make the destination blockchain do any transaction you want. You don't even need to do that transaction on the source blockchain. The hacker basically created such false transactions, which did not happen on the source blockchain, but they still signed it with the keeper. They control the keeper now, so they can sign whatever they want. They signed these transactions, which basically said that take all money out of the system and give it to the hacker. These wouldn't have happened on the original network because these can only be called by a specific permission contract. and this contract is obviously not going to call these unless you lock your tokens. But since keepers can now sign anything that the hacker wants, they did sign these transactions.
Starting point is 00:10:00 They broadcasted these on the destination chain. The destination chain verified the signature. The signatures were correct. And it let the hacker take all the money, withdraw all the money by unlocking these funds. Yeah, and ultimately it ended up being $273 million of Ethereum coins, $253 million worth of Binance Smart Chain coins, and $855 million worth of USDC. And then Tether, it also stole $33 million in Tether, but Tether the company ended up blacklisting those USDT. So there's a lot of twists that happened after the actual attack. And we'll get to discussing those.
Starting point is 00:10:45 But first a quick word from the sponsors who make this show possible. Do you love sports collectibles or fantasy sports? Sorare is blending this together to create an entirely new gaming experience powered by its community. Sorare cards are officially licensed NFTs from over 160 clubs, including Real Madrid, Paris Saint-Germain, and Liverpool, and built on Ethereum. You truly own your collectibles. They are productive gaming assets that will generate rewards,
Starting point is 00:11:12 if you're a good fantasy player. Join Sorare and connect with your favorite teams, live the game with passion, and earn weekly prizes. Today's sponsor is Polymarket, the world's leading information markets platform where you can trade on the most pressing global questions, all on the blockchain. Choose from a variety of markets.
Starting point is 00:11:31 Will Cardano support smart contracts by October? Will the U.S. again have more than 200,000 new COVID cases per day before 2022? Will Trump run for president again? With over $130 million, traded on the platform, Polymarket is the go-to place to settle the biggest debates of the day. For a limited time, sign up with referral code, unconfirmed, to get your first trade reimbursed up to $100. Go to the description and click on the link to get started. That's polymarket.combe, slash, unconfirmed.
Starting point is 00:12:03 Back to my conversation with Mudit Gupta. So the exploit itself was, you know, pretty crazy, just especially the eye-opening amount. But then after that, a number of twists happened. So first let's start with a tweet from SlowMist, which is, I guess, like a security company or an audit company or something. So let me tell us what it is that SlowMist discovered. Yes, so SlowMist has been working on finding who the hacker is and what they did it since basically as soon as people knew that this hack
Starting point is 00:12:43 happened. I assume they are working closely with Poly Network and other entities. So they discovered that one of the wallets is linked to this hacker's account and that wallet has done transactions on an exchange which requires users to go through KYC process. This means that there is a chance that the hacker messed up and actually used a KYC verified wallet, which will allow the agencies to actually know the identity of this hacker and get him in real life.
Starting point is 00:13:19 So this was one of these slip-ups by the hacker. The hacker later claims that this didn't slip-up. Maybe they used fake KYC or a stolen account or something. It's basically like we can't verify these claims. Either thing is possible. It's also possible it's the real identity or they are just making it up. So this was one of the things SlowMist discovered. Then SlowMist has also been working on finding the underlying root cause of this hack. I think they did two analyses, a brief one on the
Starting point is 00:13:55 day of hack, just a few hours later, which didn't contain many details, but it did give a brief overview. And then recently they added a more detailed analysis where they went over a bit more details. So yes, SlowMist has been working on finding who did this. And then the attacker began returning the majority of the tokens, at least as of by Thursday, noon, Eastern time. So how did that turn of events come about? Yes. So by now, I think about 50% of the tokens have been returned. There are two sides to the story. One, the hacker is claiming that they are a white hat. They always intended to return these tokens.
Starting point is 00:14:42 The only reason they hacked them because they didn't trust that Poly Network team, if they disclose this bug bounty, then the Poly Network team will take proper actions and resolve this issue properly. They were scared that such a big amount might persuade the team themselves to run away with these funds over table.
Starting point is 00:15:03 So it's their claim that they actually saved the project. They actually saved the money of the users and now they are returning it. And since the project now is underlying light, the project will not run away with these funds or anything. But the other side of the story is that it is highly likely that SlowMist and other teams were narrowing down on the real identity of the hacker. This identity linked to exchange was one of the slip-ups that the hacker did and some other stuff. So if these teams were getting closer and the hacker was realizing that,
Starting point is 00:15:40 so they might have changed their story. Like I believe their original motive was not put it on these funds, the actions they took after immediately getting these funds, like they sent out a tip to a person who tried helping them and laundered these funds. They were talking about creating a DAO, trolling the Poly Network team and stuff. All of these kind of actions are usually not done by white hackers, but people who have malicious intentions.
Starting point is 00:16:09 That being said, it is hard to tell what the exact intentions of the hacker was, hacker were, but I believe that they changed their motives once they realized that they can get into trouble if their identity is released. This is obviously a very large amount of money, and people will do their best to grab hold of this person in real life. Even laundering such a large amount of money is very risky. So if they wanted to actually use these funds, they will have to go through a lot of risky hoops. And now they are trying to get alleged bug bounty reward in exchange for returning these funds.
Starting point is 00:16:46 So they're negotiating the terms with the team right now. But I guess in the curtains, they're saying maybe I return you 95% of the funds. You let me keep 5% and you don't do any, like, you don't take any legal actions or anything against me. You announce this as a reward and give me legal money that I can legally use without any troubles. These negotiations are still going on. I guess they are negotiating the amount and the terms, but this is where the situation is right now. Yeah, the whole thing, just every twist and turn has been pretty crazy. One other aspect of this is that they've been broadcasting a bunch of messages through the blockchain.
Starting point is 00:17:32 Can you talk about kind of how that conversation's been going and how that came about and why they're doing this? Yeah, sure. So I think at the start, it started out as something a bit cocky in some sense. They were teasing people, trolling the team and posting such comments. They also tipped a user who tried helping them launder the money and stuff like that. So I think it started out as a nefarious thing, a chaotic evil of some sorts. But over time, it has become a bit more military communication medium. Now they are actually doing Q&As on the blockchain. I think they have done four till now. People are asking
Starting point is 00:18:14 them questions by sending them messages and they are answering those questions on the blockchain. They also use the blockchain to communicate with the Poly Network team. They posted an address and they said encrypt messages with the public key of this account. They know the private key so they can decrypt these messages. So they have established an encrypted medium of communication between them and the Poly Network team. These messages, we can't decipher. We don't know what they're talking about. And similarly, different agencies that might be listening on will not be able to decipher these messages unless the Poly Network team decides to disclose this. So now I believe it has, this communication medium has become something quite useful.
Starting point is 00:19:03 This is the only medium to talk to this hacker right now. So I think, yeah, it's a very important bit. Yeah, one thing I wanted to add was that tip that they sent to the person who said, you know, don't use your Tether because it's blacklisted. The tip they sent was the amount of 1337, which is like this like internet leetspeak. And so it's definitely... And what leetspeak is is the way of using numbers to spell letters and words.
Starting point is 00:19:36 And so yeah, it's just kind of like a deep in internet culture thing. And it sort of shows kind of maybe a little bit of the personality of the attacker. So I mean, this attack just raises all kinds of questions because so obviously Tether, which is a centralized company who is able to blacklist the Tether. But then there were people, you know, I think that maybe also were questioning whether Binance,
Starting point is 00:20:04 because it has launched Binance Smart Chain or whether USDC could do anything about what happened with those coins. So what do you, you know, think happened there and should have happened there? Yes, sure. So let's talk one by one. Tether actually responded quite quickly after the hack, they immediately blocked the Palin, so that's great. USDC has similar functionality,
Starting point is 00:20:30 but I guess they were just a bit slower in reacting and the hacker had already deposited these tokens in Curve by then. So even if USDC wanted to blacklist them, they wouldn't have been able to do it. So props to Tether for reacting so quickly. But for other folks, I guess maybe some,
Starting point is 00:20:53 somehow they need to improve their alerting monitoring system or something. As far as BSC goes, although BSC is relatively centralized as compared to other blockchains, but it's not centralized in a way that any single identity or entity can block this hacker from doing transactions. There are still like two dozen validators on BSC and all of them will have to collude to block this person. And getting that sort of collusion is not easy in a short time frame. And even if it was possible for CZ to, let's say, anyone to get that sort of arrangement on BSC,
Starting point is 00:21:40 they wouldn't really want to do it because BSC is positioned as a chain that is free, that is censorship resistant. And if you take an action that blocks these hackers, it does not look good from optics point of view from BSC's users. Yeah. So as you mentioned at this point, the attacker is negotiating with the Poly Network team to keep 5% of the tokens as sort of like a bounty. What do you think the Poly Network should do at this point?
Starting point is 00:22:14 Yeah, sure. So I think we can take a page from your traditional ransomware requests and stuff like that. So the, like the suggested approach in these cases is to pay the ransom, whatever the demand is, get your product back, get as much of funds secured as possible. And once that has happened, then you can continue taking all those legal actions and whatever you were originally planning on taking. So even if right now, Poly Network agrees to a settlement with the user, this settlement, like, if they wanted to pursue a legal action at a later date, this settlement won't matter. What this person did will likely be treated as illegal in most jurisdictions. I'm not a lawyer, but these are my views.
Starting point is 00:23:07 So whatever Poly Network agrees to right now will not really be considered as a final agreement in the codes and all. So right now, the strategy for Poly Network should be to secure as many funds as possible, and then decide if they should continue pursuing other means of getting to this user. If the amount remains, like, if the hacker agrees that they'll keep the bounty of like $100K or something and return everything else, then I think it makes sense to not take any further actions. The hacker probably deserved those $100K. But if the hacker is saying that I want to keep $10 million, like I think $10 million might also be fine, but let's say they are saying 100 million.
Starting point is 00:23:52 They have returned 50% of the funds now, so they still have 300 million left. If they are saying they want to keep anywhere between 100 to 300, then I think that is not really justified. For now, the Poly Network team should give in to these demands, but still consider options of taking these traditional legal methods. Yeah, but what is the typical amount for a bounty? The traditionally accepted value for critical bugs like these is 10% of the amount hacked.
Starting point is 00:24:26 So at worst, you should be giving this was a 600 million, a billion, 600 million hacks. So you should at most be giving 60 million to the user. But I personally feel that this amount should be taking as the hack, like amount at risk increases. So for maybe, like if the hack amount was $1 million, then maybe 10%, 100K, is justified. That for such large amounts like 600M, I don't think 10% is justified. Even like a million dollar bug bounty is a life-changing amount, and I think it's a fair amount for this hack.
Starting point is 00:25:06 Yeah. Yeah. I would agree with that, but we'll see what happens. All right, well, this has been such a fascinating discussion. Thank you so much for coming on Unconfirmed. in a ways, it was a nice talking to you. Don't forget. Next up is the weekly news recap. Stick around for this week in crypto after this short break. With over 10 million users, crypto.com is the easiest place to buy and sell over 90 cryptocurrencies.
Starting point is 00:25:33 Grow your crypto with crypto.com earn, which pays up to 8.5% interest on your Bitcoin and 14% interest on your stable coins. When it's time to spend your crypto, nothing beats the crypto.com visa card, which pays you up to 8% back instantly and gives you 100% rebates for your Netflix, Spotify, and Amazon Prime subscriptions. Download the crypto.com app now and get $25 by using the code Laura. The link is in the description. Thanks for tuning in to this week's news recap. First headline. The infrastructure bill saga ends at the beginning. On Tuesday, the Senate passed its infrastructure bill, voting 69 to 30 to invest $1.2 trillion into the country's public works. To the crypto industry's chagrin, however, the bill moved out of the Senate without changing a certain provision regarding crypto taxation, despite multiple amendments being offered.
Starting point is 00:26:33 As a refresher, the original and final language requires reporting for crypto brokers in order to bring in $28 billion in taxes over the next few years. The provision mandates crypto brokers report customer gains via 1099 and any transactions over $10,000 to the Internal Revenue Service. While the community does not object to appropriate entities being taxed, the provision received vociferous backlash over its broad definition of a crypto broker. Kristin Smith, executive director of the Blockchain Association, interpreted the bill to encompass, quote, software wallet developers, hardware wallet manufacturers, multisig service providers, liquidity providers, DAO token holders, and potentially even miners, as brokers under the current iteration of the bill. Such a requirement would force pseudonymous decentralized protocols to collect and enforce know-your-customer information, an impossible task.
Starting point is 00:27:27 Senators proposed multiple amendments, though none gained the support necessary. Notably, on Monday morning, a last-ditch compromise between Senators Cynthia Lummis, Pat Toomey, Mark Warner, Rob Portman, and Kyrsten Sinema to amend the contentious language fell just short of approval, courtesy of a single objection from Senator Richard Shelby. The infrastructure package is now on its way to the House of Representatives with the crypto provision's original language intact. However, neither the crypto industry nor the House will be taken by surprise this time around. Coin Center's Jerry Brito is ready to make a brand new amendment, tweeting: The bad news is that the amendment did not receive consent so it will not make the bill.
Starting point is 00:28:09 The good news is we're not giving up. Next stop is the House where we can try to get a whole new amendment from scratch that can address all our concerns. Four members of the House's Blockchain Caucus are also prepared for another round of crypto policy debates, with representatives Tom Emmer, Darren Soto, Bill Foster, and David Schweikert penning a letter to their colleagues, noting, quote, we must prioritize amending this language to clearly exempt non-custodial blockchain intermediaries and ensure that civil liberties are protected. On Thursday, Representative Anna Eshoo also joined the fray, penning a letter to House Speaker Nancy Pelosi encouraging an amendment to the problematic broker definition.
Starting point is 00:28:46 Next headline. On Coinbase, ETH flipped BTC. Coinbase announced its second quarter results on Tuesday. Here are three things you need to know. At $1.6 billion, Q2 profit nearly doubled that of Q1. Total revenue also outperformed expectations coming in at $2.03 billion, compared to the $1.88 billion predicted by the analyst consensus compiled by Bloomberg. Second, Coinbase users were very active this quarter with monthly transacting users growing 44%
Starting point is 00:29:17 from Q1 to Q2. Its total user base also jumped, climbing to 68 million verified customers. Point three, Coinbase also saw Ethereum flip Bitcoin this quarter, at least in terms of trading volume. In Q2, Ethereum made up 26% of the exchange's volume while Bitcoin only held a 24% share. Additionally, in an earnings call, CEO Brian Armstrong said that 10% of the top 100 hedge funds by assets under management are Coinbase clients. The exchange also mentioned SpaceX, Tesla, and PNC Bank specifically as institutional clients, marking the first public acknowledgement of a Tesla-Coinbase relationship. Next headline. Brian Brooks resigns as CEO of Binance U.S. Last Friday, Brian Brooks dropped a bombshell via Twitter, announcing his
Starting point is 00:30:06 resignation as CEO of Binance U.S. after just a few months on the job. He wrote, quote, Greetings Crypto Community, letting you all know that I have resigned as CEO of Binance U.S. Despite differences over strategic direction, I wish my former colleagues much success. Exciting new things to come.
Starting point is 00:30:23 Before his short tenure with Binance U.S., Brooks was the acting head of the Office of the Comptroller of the Currency, the regulator for national banks under President Trump. He also worked as Coinbase's top lawyer in 2018. It initially appeared that Brooks's impressive regulatory resume was a perfect match for Binance, which has faced intense scrutiny from jurisdictions like the UK and Japan in 2021. His hiring was even considered a steal that ruffled feathers over at Circle, where Brooks had been on the cusp of accepting a position as president
Starting point is 00:30:53 before abruptly moving over to Binance U.S., as described by Decrypt's Jeff Roberts in a July report. In response to Brooks' departure, Binance CEO Changpeng Zhao wished him the best in the future and thanked him for his invaluable work, a divergence from the exchange's handling of Brooks's predecessor, Catherine Coley, who was not even mentioned after being ousted to make room for Brooks.
Starting point is 00:31:17 Next headline. Tether reveals reserve details. On Monday, Tether released a new attestation, revealing the details of its $62.8 billion in reserves for the world to parse. This is Tether's second reserves report since launching in 2014,
Starting point is 00:31:33 prompted by a settlement with the New York Attorney General's office earlier this year. CNBC's Kate Rooney tweeted out a simple description, writing, Tether out with new audit on what's backing the stablecoin. Mostly commercial paper includes other crypto money. $31 billion worth of commercial paper. $6 billion worth of cash. $1 billion worth of reverse repo or reverse repurchases.
Starting point is 00:31:57 $15 billion in T bills or treasury bills. $2.5 billion in secured loans. $4.8 billion in corporate bonds, funds, and precious metals, and $2 billion in other investments, including digital tokens. In the new attestation dated June 30th, Tether released both the composition of its reserves, along with the ratings and maturity of its commercial paper and commercial deposits. Interestingly, $30.8 billion, or 48% of Tether's reserves, were held in commercial paper and certificates of deposit, of which 93% were rated A2 and above. Only 1.3% was rated A3 or below. Audit firm Moore Cayman was responsible for assuring the attestation.
Starting point is 00:32:39 Quote, our most recent assurance opinion from Moore Cayman again confirms Tether is fully backed, said Tether CEO Paolo Ardoino. A healthy and conservative portfolio with an emphasis on liquidity continues to fuel our growth and confidence in our innovative offerings. In related stablecoin news, USDC issuer Circle has ambitions to become a U.S. national bank, according to an S-4 filing on Monday. The company, which plans to go public via SPAC, told The Block that it, quote, intends to become a full reserve national commercial bank, operating under the supervision and risk management requirements of the Federal Reserve, U.S. Treasury, and OCC, and the FDIC. In its filing, Circle cited risk reduction regarding its current reliance on third-party payment services as a motive for transitioning to a banking structure.
Starting point is 00:33:28 Next headline. BitMEX settles with the CFTC and FinCEN. Crypto derivatives platform BitMEX is settling with the United States Commodity Futures Trading Commission, or CFTC, and Financial Crimes Enforcement Network, or FinCEN. The company has agreed to pay $100 million to resolve charges, with $50 million going to each of the regulators, for violating the Bank Secrecy Act, commodities regulations, and CFTC rules. According to a consent order filed Tuesday, the CFTC found that BitMEX had offered U.S. customers leveraged and unlicensed crypto products between 2014 and 2020. Furthermore, the platform's know-your-customer and anti-money laundering safeguards were described as inadequate. FinCEN's deputy director, AnnaLou Tirol, said, quote,
Starting point is 00:34:16 BitMEX's rapid growth into one of the largest futures commission merchants offering convertible virtual currency derivatives without a commensurate anti-money laundering program put the U.S. financial system at meaningful risk. It is critical that platforms build in financial integrity from the start so that financial innovation and opportunity are protected from vulnerabilities and exploitation. For now, the $100 million will only settle civil charges against BitMEX. The CFTC's criminal case against BitMEX founders Arthur Hayes, Benjamin Delo, and Samuel Reed will continue. In a blog post, Alexander Höptner, Chief Executive Officer of BitMEX, expressed relief, saying, quote, today marks an important day in our company's history and we are very glad to
Starting point is 00:34:58 put this behind us. As crypto matures and enters a new era, we too have evolved into the largest crypto derivatives platform with a fully verified user base. Comprehensive user verification, robust compliance, and anti-money laundering capabilities are not only hallmarks of our business, they are drivers of our long-term success. Next headline. SEC versus Ripple, recap. The Securities and Exchange Commission, or SEC, is requesting Slack messages from Ripple concerning its ongoing legal battle with the company. According to documents reviewed by Decrypt, the SEC contends that Ripple's original supply of Slack messages sent over July 1st was incomplete, leading to a negative impact on the trial, with the SEC deposing over 11 Ripple witnesses based on incomplete message
Starting point is 00:35:43 data. The SEC believes that over 1 million messages are missing, which the regulator says will help in its case against Ripple. Relatedly, Jeff Roberts, executive editor at Decrypt, published an article delving into SEC versus Ripple, describing how both sides have a lot to lose in the case, with Ripple's XRP status as a security hanging in the air and the SEC's crypto agenda needing a big win. It goes into how the SEC likely waited as long as it did to bring the lawsuit because it was setting precedent with its Kik and Telegram cases. And because clear regulation for crypto is
Starting point is 00:36:19 unlikely to come anytime soon from Congress, Roberts says that regulatory clarity for the industry is likely to come in the form of a decision in SEC versus Ripple, and that could come as soon as this fall. Speaking of the SEC, its chairman Gary Gensler wrote a letter to Senator Elizabeth Warren advocating for, quote, additional plenary authority to expand consumer protection via new roles and guardrails for the crypto industry. Gensler believes that crypto investors, quote, are not adequately protected. Time for fun bits. Ethereum pet rock
Starting point is 00:36:55 NFTs. Call it a fad, call it a bubble. NFTs are still here and the headlines are not getting any less head-scratching. One caught my attention this week as especially, shall I say, interesting. EtherRock, an early NFT project consisting of
Starting point is 00:37:13 100 NFT images of identical rocks of various shades saw two rocks from the collection sell for over $100,000 worth of ether this week. The website, of course, specifically explains that the pet rock-inspired project, quote, serve, and this is in all capital letters, no purpose, outside of being, well, colored rocks. What a time to be alive. All right, thanks for tuning in.
Starting point is 00:37:42 To learn more about Mudit and the Poly Network exploit, be sure to check the links in the show notes. Unconfirmed is produced by me, Laura, with help from Anthony Youne, Mark Murdoch, and Daniel Ness. Thanks for listening.
