Exploits on Layerswap and Dolomite Lead to Major Losses

Over the past 24 hours alone, both Layerswap and Dolomite experienced security breaches, costing users more than $1.8 million in stolen funds.

The cryptocurrency sector recently faced multiple security incidents, with Layerswap experiencing a domain hijack leading to a $100,000 loss. The very slow response from the domain registrar GoDaddy certainly did not help the situation. Around the same time, ParaSwap's DeFi aggregator experienced a vulnerability exploitation resulting in a $24,000 loss, while Dolomite suffered a $1.8 million loss due to an exploit in an old contract. Meanwhile, Steve Wozniak won an appellate court decision against YouTube, allowing him to pursue a lawsuit for the platform's role in spreading fake Bitcoin giveaway videos using his image.

Layerswap Hit by Security Breach

Layerswap, a bridge between centralized crypto exchanges and layer-2 blockchains, experienced a major security breach. On Mar. 20, around 19:40 UTC, the company's domain, layerswap.io, was hijacked, leading users to a phishing site instead of the legitimate service.

This attack caused the loss of about $100,000 in crypto assets from around 50 users. The breach was attributed to a compromise at the domain registrar level, and GoDaddy's slow response only prolonged the hijacker's control over the domain. Layerswap has made it very clear that they are not happy with GoDaddy's lack of immediate action, but did promise to share a detailed report with its community to be as transparent as possible.

The phishing scam not only stole valuable crypto assets but also attempted to reset Layerswap's social media account, causing even more disruption. Despite this, Layerswap has committed to fully refunding the affected users and offered an additional 10% compensation for the inconvenience they had to deal with.

Around the same time, the decentralized finance (DeFi) aggregator ParaSwap faced its own ordeal with a vulnerability in its Augustus v6 contract, which could have led to a huge financial loss. Although ParaSwap managed to mitigate the situation by rolling back the affected contract and alerting its users, a hacker was still able to exploit the vulnerability, leading to the loss of roughly $24,000 from four addresses. In total, 386 addresses were impacted.

Crypto Thieves Target Dolomite

Meanwhile, the Dolomite crypto exchange also recently faced a security breach that resulted in a loss of about $1.8 million, according to CertiK, a blockchain security platform. The incident exploited an old contract related to Dolomite, affecting users who had authorized approvals to this contract. In response, the Dolomite development team has urged users to revoke any approvals to the specific Ethereum Dolomite address starting with 0xe2466 to mitigate any further risks.
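The advice above is to revoke outstanding approvals to the old contract. The following is an added example, not code from the article or from Dolomite, showing how a defender can work out which wallets are still exposed from a token's ERC-20 Approval events and what the revoking transaction looks like. The event records are constructed, and the spender address is a placeholder, since the article gives only its 0xe2466 prefix.

```python
"""Find wallets still exposed to a flagged spender contract from ERC-20
Approval events, and build the calldata that revokes that allowance."""
from dataclasses import dataclass

# ERC-20 approve(address,uint256) function selector (first 4 bytes of calldata).
APPROVE_SELECTOR = "095ea7b3"

# Placeholder for the flagged contract: the article only gives the 0xe2466 prefix.
FLAGGED_SPENDER = "0xe2466" + "0" * 35  # constructed, not the real address


@dataclass(frozen=True)
class Approval:
    block: int
    token: str
    owner: str
    spender: str
    value: int  # allowance set by this event (it replaces, it does not add)


def exposed_allowances(events, spender):
    """Return {(token, owner): allowance} for allowances still open to spender.

    ERC-20 Approval events overwrite the previous allowance, so only the latest
    event per (token, owner) matters; a final value of 0 means the owner has
    already revoked and is not listed.
    """
    latest = {}
    for ev in sorted(events, key=lambda e: e.block):
        if ev.spender.lower() == spender.lower():
            latest[(ev.token, ev.owner)] = ev.value
    return {k: v for k, v in latest.items() if v > 0}


def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): the transaction an exposed user sends."""
    addr = spender.lower().replace("0x", "", 1).rjust(64, "0")  # 32-byte word
    amount = "0" * 64  # uint256 zero
    return "0x" + APPROVE_SELECTOR + addr + amount


# Constructed sample: Alice approved then revoked; Bob's approval is still live.
SAMPLE_EVENTS = [
    Approval(100, "0xTokenA", "0xAlice", FLAGGED_SPENDER, 2**256 - 1),
    Approval(120, "0xTokenA", "0xAlice", FLAGGED_SPENDER, 0),
    Approval(130, "0xTokenB", "0xBob", FLAGGED_SPENDER, 10**18),
    Approval(140, "0xTokenB", "0xBob", "0xSomeOtherSpender", 5),
]

if __name__ == "__main__":
    for (token, owner), value in exposed_allowances(SAMPLE_EVENTS, FLAGGED_SPENDER).items():
        print(f"{owner} still allows {value} of {token}; revoke with {revoke_calldata(FLAGGED_SPENDER)}")
```

Because the old contract is immutable and cannot be patched, an open allowance remains exploitable until the owner sets it to zero; an unlimited approval (2**256 - 1) is the worst case.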

Dolomite, a decentralized exchange and money market protocol that operates on both the Arbitrum and Polygon zkEVM networks, was initially launched on Ethereum in 2019 before migrating to Arbitrum in 2022. Despite phasing out support for its Ethereum version, the immutable nature of smart contracts left that version accessible on-chain, which is what exposed users to the current vulnerability.

The exploit was carried out using a "callFunction" that allows a user to make arbitrary calls. Although this function is typically safeguarded by a "noEntry" modifier to prevent reentrancy attacks, the attacker bypassed this protection through the TradeManager contract at address 0xe2466, which lacks a reentrancy guard. As a result, the attacker was able to drain funds from unsuspecting users. After the theft, all stolen funds were moved to a new address and then deposited into Tornado Cash.

Unfortunately, this attack is just one of many security breaches in the crypto space over the past few months: Unizen and Mozaic Finance reported losses of more than $2.1 million and $2.4 million respectively due to similar exploits.

Luckily, the Dolomite team started making plans to disable the compromised contract in an attempt to protect people from any more attacks.

Wozniak vs. YouTube

At least there are a few wins for the good guys as well. Steve Wozniak, Apple's co-founder, recently secured a victory in an appellate court against YouTube, over doctored videos featuring his image used in a Bitcoin scam in 2020. This latest verdict overturned a prior judgment from a lower court that had absolved YouTube of responsibility, allowing Wozniak to proceed with his lawsuit against the video streaming giant. The case revolves around fake videos that exploited Wozniak's popularity to promote a bogus Bitcoin giveaway, asking viewers to send Bitcoin to a specific address with the promise of doubling their money.

The lawsuit, filed by Wozniak along with 17 other high-profile people including Bill Gates, Elon Musk, and Michael Dell, challenges YouTube and its parent company, Google, for allowing these scam videos to spread. The contention was that YouTube, by verifying hijacked channels that posted these scam videos and not removing their verification badges, materially contributed to the fraud.

The San Jose appeals court ruled that YouTube cannot hide behind Section 230 of the Communications Decency Act, a federal law that has traditionally shielded video streaming platforms from liability for user-posted content. The court pointed out that YouTube's actions in providing and failing to remove verification badges for channels promoting scams were significant enough to reconsider its immunity under this law.

This decision could have a major impact on future interpretations of the legal protections given to social media and video streaming platforms.