Ribbon has announced it will cover $400,000 of the lost funds with its own assets. However, Ribbon is also offering users a lower-than-expected haircut on their assets by assuming that some of the largest affected accounts will not withdraw their assets, having been dormant for several years. While this plan may benefit active users, it seems like it could get very messy if those dormant users do wish to withdraw their assets and discover they've been used to pay others.
Ribbon Finance suffers $2.7 million exploit, plans to use "dormant" users' funds to repay active users
Ribbon Finance, which has partially rebranded to Aevo, has lost $2.7 million after attackers exploited a vulnerability in the smart contract for legacy Ribbon vaults that enabled them to manipulate oracle prices and withdraw a large amount of ETH and USDC.
Binance employee suspended after launching a token and promoting it with company accounts
Binance has announced that the company has suspended an employee who used the platform's official Twitter accounts to promote a memecoin they had launched. The token, called "year of the yellow fruit", pumped in price after official Binance accounts coaxed followers to "harvest abundantly".
Binance publicly acknowledged that an employee had been suspended for misconduct over the incident. "These actions constitute abuse of their position for personal gain and violate our policies and code of professional conduct," Binance tweeted from its BinanceFutures account. After this announcement, the memecoin token price spiked even further.
Earlier this year, Binance fired another employee after discovering they had used inside information to profit from a token sale event.
Prysm consensus client bug causes Ethereum validators to lose over $1 million
Ethereum validators running the Prysm consensus client lost around 382 ETH ($1.18 million) after a bug resulted in delays that caused validators to miss blocks and attestations. Though the bug had been introduced around a month prior, it did not affect validators until Ethereum completed its "Fusaka" network update on December 3. Around 19% of Ethereum validators use the Prysm consensus client, which is developed by Offchain Labs.
- "Fusaka Mainnet Prysm Incident", Prysm
- Client Distribution, Clientdiversity.org
Yearn Finance hacked for the third time
Yearn Finance, a defi yield protocol, has suffered another hack. The exploiter took advantage of bugs in the project's smart contract to drain assets from several of its pools by minting a huge number of yETH tokens and then withdrawing the corresponding asset in the pools.
$2.4 million of the stolen assets, which were denominated in pxETH, a liquid staking token issued by Redacted Cartel, were recovered after the issuer burned the stolen tokens and reissued them to the team's wallet — essentially, removing the tokens from the hacker's wallet. However, the hacker routed the remaining funds through the Tornado Cash cryptocurrency mixer, which makes recovery substantially more challenging.
This is the third time Yearn Finance has been hacked, following an $11 million exploit in 2023 and another $11 million exploit in 2021. Yearn also suffered around $1.4 million in losses in 2023 in connection to the Euler Finance attack.
Upbit hacked for $30 million
The Korean cryptocurrency exchange Upbit suffered a loss of around $30 million in various Solana-based assets due to a hack. Some entities have suggested that Lazarus, a North Korean state-sponsored cybercrime group, was behind the hack.
Upbit reimbursed users who had lost funds from company reserves. The exchange was able to freeze around $1.77 million of the stolen assets.
This theft occurred exactly six years after Upbit suffered a theft of 342,000 ETH (priced at around $50 million at the time).