
October 30, 2020

Bad Harvest | VASP Regulations, DeFi Discussed at FATF Meeting | No Cred(it) Where It’s Due | Dark Market Boom

  • $25 Million Stolen from Harvest Finance DeFi Protocol in Flash Loan Exploit
  • CipherTrace CEO Dave Jevans Warns of DeFi Enforcement Uncertainty During FATF Meeting
  • Cryptocurrency Lender Cred Investigating Fraud – Customer Assets Frozen
  • On the Blog: Record Number of Dark Markets Online as Demand for Illicit Goods and Services Continues to Grow

DeFi Protocol Harvest Finance Hacked for $25 Million

On October 25, $25 million was drained from DeFi protocol Harvest Finance’s liquidity pool, causing a 65% drop in value for FARM—the protocol’s native token. The drained tokens were swapped for renBTC, a token that represents bitcoin 1:1 on Ethereum. Beyond the loss in token value after the attack, Harvest Finance’s Total Value Locked (TVL) plummeted from $1 billion to $430 million.

Anonymous Harvest Finance developers claimed that the attacker “is well-known in the crypto community” and discoverable from “a significant amount of personally identifiable information,” including seven bitcoin wallets containing the stolen funds. Harvest Finance is “offering a $100,000 bounty for convincing the attacker to send back the funds.” While $2.5 million has been returned, the token’s price has already been impacted.

Why It Matters: This attack falls in the same category of flash loan exploits as the bZx attack in February 2020. According to CoinDesk, the attack was “executed by a series of arbitrage trades between DeFi protocols Uniswap, Curve Finance and Harvest Finance.” A lack of thorough security audits of DeFi protocol smart contracts and code is contributing to such exploits.


Dave Jevans Presents CipherTrace’s Recent Findings at FATF Meeting on VASP Regulations

On October 28, CipherTrace CEO Dave Jevans presented at the FATF Private Sector Consultative Forum meeting convened to discuss VASP regulations. Jevans highlighted the recent CipherTrace report that revealed at least half of VASPs in every jurisdiction have weak or porous KYC. This data highlights the continued need for harmonization of regulations across jurisdictions to combat regulatory arbitrage, wherein VASPs take advantage of more favorable laws, or lack thereof, in different regions.

Jevans also pointed out that the high number of US-based VASPs with weak and porous KYC is likely due to a high number of decentralized exchanges based in the country. The recent explosion of decentralized finance (DeFi) will present regulatory challenges, given the lack of clarity around who should be held responsible for compliance.

Travel Rule progress and implementation were another major point of discussion in the meeting. Jevans discussed the goals of the Travel Rule Information Sharing Alliance (TRISA), including the establishment of global Travel Rule standards and interoperability across jurisdictions.

Jevans predicted that within 5 years we will see full adoption of FATF standards, including implementation of the Travel Rule, but that DeFi and privacy-preserving chains will continue to present regulatory challenges. He also pointed out that questions remain about how digital ID will be deployed and whether its association with digital assets will be mandated. The meeting concluded with a promise from the FATF host to continue to enhance engagement between the public and private sectors to address ongoing issues.

For more on CipherTrace’s KYC findings, read the report:

Explore the TRISA whitepaper:

Cred Freezes Customer Funds While Investigating Possible Inside Job

Crypto-lender Cred froze customer accounts on October 28 due to an unspecified “fraudulent incident.”

In response to an inquiry by Decrypt, Cred support staff stated that “Cred has experienced irregularities in the handling of specific corporate funds by a perpetrator of fraudulent activity that has negatively impacted Cred’s balance sheet and precipitated a law enforcement investigation into the loss of these funds.”

The San Francisco-based company is working with law enforcement to investigate the incident. Cred has not responded to inquiries from customers about the safety of user funds; deposits are not FDIC insured, but Cred does offer private insurance on deposits.


Record Number of Dark Markets Online as Demand for Illicit Goods and Services Continues to Grow

The criminal environment of darknet markets is extremely turbulent. Numerous darknet markets are launched every year and just as many are constantly exiting, being seized, or otherwise going defunct. Despite this barrage, CipherTrace has noted more dark markets online than ever before.

CipherTrace researchers are currently monitoring over 35 active darknet markets.

