There's a very important fact that I want to bring to everyone's attention first and foremost: A seed phrase has never been broken.
Sure, people have been tricked into giving them away, or written them down and lost them. But so far, with Billions of dollars worth of prizes for any determined attacker, there is no record of a seed phrase ever being successfully brute-forced or guessed.
Safemoon wants to throw that security in the bin.
What they have cooking up is genuinely one of the more perplexing things they have done. You've heard the expression "A solution looking for a problem" - try this: "A problem looking for a solution" - because Safemoon's new 'feature', "SAFEMOON ORBITAL SHIELD" seeks to undo security in exchange for a pithy amount of convenience.
What is it?
The weird thing is, I don't even think Safemoon know what Orbital Shield is. There's plenty of fluff on their web documentation, but it's all light on details. At its heart it's just login protection. Their website states:
"You might find a few other products similar to Safemoon Orbital Shield in that they offer login protection. However, none offer the level of protection Safemoon Orbital Shield offers. Safemoon protects you with the login system and its additional security features."
Well, that doesn't really help much does it?
I'll explain. Basically, with Orbital Shield you give it all your seed phrases, and Safemoon store them alongside your username & password in an encrypted database. Then you only need to log in on any device and you have all your wallets ready to use.
That's the main pitch.
What problems does it solve?
As far as I can see, none. It actually creates more problems. Let's say you have three BSC wallets. The seed phrase is 12 words long for each. By using Orbital Shield on a new device, it saves you the arduous task of entering.. checks notes... 36 words.
By comparison, that paragraph was 48 words and it took about 30 seconds to write. So in the most extreme case we can say that Orbital Shield would save someone with 3 wallets possibly about 3 minutes. And anyway, how many times are people loading wallets onto new devices?! I've been in Crypto for 5 years, I think I've put a seed phrase in..... four times.
What problems does it create?
The trade-off for this epic gain in productivity is a suite of serious security flaws.
1) Safemoon holds your seed phrases AND your username & password in an encrypted database
Holding information in encrypted databases is NOT standard practice. Encrypted information can be decrypted. For a famous example of this, see what Turing managed to do with the German Enigma code in WW2. An encryption key CAN be decrypted. Credentials and sensitive information should be salted and hashed. In addition, if an attacker gains access to the decryption key then they have the proverbial keys to the kingdom.
2) Relying on Username/Password
Pop quiz: What's more secure - a seed phrase or a username and password? It's the seed phrase. By design, it's something you are meant to store securely and have very limited use of. Username and password leaks are EVERYWHERE. You can look at the famous website HaveIBeenPwned to see if your email address appears in any data breaches. There's similar sites where you can input your password and see if that appears in any data breaches too. Even using 2FA is not secure as we have all seen several devastating simswap attacks that bypass 2FA.
3) Access for one, access for all
Keys to the kingdom indeed. By linking all your wallets to one set of credentials, you literally put all your eggs in one basket.
Typical Safemoon.
In very typical fashion, the Safemoon Army goes full throttle on trying to create a FOMO(untain) out of a FOMO(lehill). This Orbital Shield is nothing revolutionary, or advanced, and when you assess it you find it creates a bunch of vulnerabilities. All for the sake of a couple minutes of convenience maybe once a year.
And it's not just the supporters that are blowing smoke up everyone's assholes either. On the day of the BNB Bridge hack last month, CEO John Karony ominously tweeted: "ORBITAL SHIELD [eyes emoji]" - a not-so-subtle dog-whistle to hype his ignorant followers into thinking that somehow login protection would've prevented a bridge hack on BNB.
Other than that, Safemoon has been quiet. It's honestly gotten quite boring.
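The post above argues that login credentials should be salted and hashed rather than kept in a reversible store. As an added illustration (not code from the post or from Safemoon), the block below shows what that looks like in practice with PBKDF2-HMAC-SHA256 from Python's standard library: a per-user random salt, a stored derived hash that cannot be turned back into the password, constant-time verification, and a check that the same password yields different records for different users. The iteration count and all passwords are constructed values for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. This is a demo value (an assumption),
# not a recommendation; production systems tune it to their hardware budget.
ITERATIONS = 200_000
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a login database should store for one user.

    The record holds a random salt and the derived hash. Neither field can be
    decrypted back into the password: the only way to reproduce the hash is
    to already know the password and re-run the derivation.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt per user, never reused
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=HASH_BYTES
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive the hash from the candidate password and compare it to the
    stored one in constant time, so response timing leaks nothing."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"], dklen=HASH_BYTES
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def records_are_unlinkable(password: str) -> bool:
    """Two users who pick the same password must still get different stored
    records; otherwise one breach-database lookup would expose both."""
    first, second = hash_password(password), hash_password(password)
    return first["salt"] != second["salt"] and first["hash"] != second["hash"]


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed demo password
    print("stored record:", rec)
    print("right password accepted:", verify_password("correct horse battery staple", rec))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", rec))
    print("same password, unlinkable records:", records_are_unlinkable("hunter2"))
```

Note what this does and does not cover: a login password can be hashed because the server only ever needs to recognise it, never to read it back. A seed phrase is different in kind, since the whole point of the product is to hand the phrase back to the user, so hashing cannot apply to it; that is exactly why keeping seed phrases server-side is the part of the design to worry about.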
Step 1:
Go to your vault -> tap three dots at the top -> tap recovery phrase and write this down to store somewhere safe. Never share your recovery phrase with anybody or store it online in any manner or you risk losing access to your vault contents permanently.
Step 2:
Power up a new or recently wiped Ledger hardware wallet. Select “restore from recovery phrase” then set your PIN for the device. If you lose access to your PIN you will need to use your recovery phrase from step 1 to regain access. Never share your PIN with anybody or you risk losing access to your vault contents permanently.
Step 3:
After setting your PIN select “recovery phrase with 12 words” and then input the recovery phrase you wrote down in step 1.
Step 4:
Connect your Ledger to Ledger Live and go through the authenticity check in Ledger Manager. If there are any firmware updates available for your device then proceed to download them. Afterwards you can download the Ethereum app inside Ledger Manager.
Guide from Ledger on installing/uninstalling/updating apps
Step 5:
Great video tutorial from Ledger detailing the steps below.
Download the MetaMask browser extension for Chrome/Firefox and set up a new wallet (do not use your recovery phrase from step 1). You can store the 12-word phrase provided by MetaMask if you plan to use that as a hot wallet, but it’s not necessary as this is not your vault’s seed phrase.
Once it is set up, connect your Ledger to your computer and unlock it with your PIN, then open the Ethereum app. Once the app is open, click on the accounts icon at the top right and in the drop-down menu select “connect to hardware wallet”, then “ledger wallet”, then in the menu that appears select your vault address to add to MetaMask (it should be the first address on the list).
Step 6:
Finally you’ll need to add the Arbitrum Nova network and import the Moon token to MetaMask to view & access your balance. You can do so by following the instructions here
If you’re interested in accessing your NFT avatars you can add the Polygon network by navigating here, then click “connect wallet” and approve the site to add the network to your wallet. You can then navigate to https://opensea.io/ and connect your Ledger in MetaMask to view your NFT avatars.
This method of accessing your vault requires more work but it is far more secure than simply importing the vault seed directly into MetaMask. If anybody has any issues following this guide feel free to send a PM and I will do my best to help you.
What Happened? (Hack Recap)
73,399 addresses have been sent a malicious token to target their assets, under the false impression of a $UNI airdrop based on their LPs.
0xcf39b7793512f03f2893c16459fd72e65d2ed00c
The malicious contract pollutes the event data so that block explorers index the "From" as the legitimate "Uniswap V3: Positions NFT" contract.
Now that a user sees that "Uniswap V3: Positions NFT" sent them a token (without knowledge of the event pollution attack), they would get curious and check the token. The token name directs them to a website that looks similar to Uniswap, and once users connected their wallets, their cryptocurrency was drained from their wallets.
So far, they have scammed ~$9.1 million from users, from native tokens (ETH), ERC20 tokens, and NFTs (namely, Uniswap LP positions).
The stolen ETH is being laundered through Tornado Cash.
The attack might be big, as [0xSisyphus] pointed out that a large LP (0xecc6b71b294cd4e1baf87e95fb1086b835bb4eba) also seems to get phished.
How to Protect Yourself:
If you have received the malicious token, do not try to burn it.
Because to burn it, you would have to interact with it, and it's heavily advised not to interact with suspicious tokens because:
- You don't want to waste gas burning tokens
- You don't want to open yourself to an attack, such as ETH_RUNE
In summary, just leave it and pretend you don't see it.
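The recap above describes the core trick: the malicious contract writes a well-known contract's address into the `from` field of the Transfer events it emits, so explorers display the airdrop as coming from "Uniswap V3: Positions NFT". The defensive observation is that an event's `from` field is just data chosen by the emitting contract, while the transaction's signer (`tx.from`) and the emitting contract's address (`log.address`) are not spoofable. The block below is an added example, not code from the post or from any explorer; it encodes that observation as a triage rule over decoded logs. All addresses are labelled placeholders and the sample logs are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Placeholder addresses (assumptions for the demo, not real contracts).
KNOWN_CONTRACTS = {
    "0xPOSITIONS_NFT_PLACEHOLDER": "Uniswap V3: Positions NFT (placeholder)",
}
# Token contracts the wallet/explorer has verified; anything else is "unknown".
TRUSTED_TOKENS = {"0xVERIFIED_TOKEN_PLACEHOLDER"}


@dataclass(frozen=True)
class TransferLog:
    """One decoded ERC-20/721 Transfer event plus the transaction context."""
    tx_hash: str
    tx_sender: str    # account that signed the transaction (tx.from); not forgeable
    emitter: str      # contract that emitted the event (log.address); not forgeable
    event_from: str   # 'from' field inside the event data; chosen by the emitter
    event_to: str
    amount: int


def is_spoofed_airdrop(log: TransferLog) -> bool:
    """Flag a Transfer whose 'from' field impersonates a known contract.

    The rule: the event names a well-known contract as sender, that contract
    neither signed the transaction nor emitted the event, and the emitting
    token is not on the trusted list. A legitimate transfer out of the known
    contract would be emitted by a trusted token (or by the contract itself).
    """
    impersonates_known = log.event_from in KNOWN_CONTRACTS
    named_party_not_signer = log.event_from.lower() != log.tx_sender.lower()
    named_party_not_emitter = log.event_from.lower() != log.emitter.lower()
    untrusted_emitter = log.emitter not in TRUSTED_TOKENS
    return impersonates_known and named_party_not_signer and named_party_not_emitter and untrusted_emitter


def triage(logs: Iterable[TransferLog]) -> List[TransferLog]:
    """Return only the logs that look like spoofed airdrops."""
    return [log for log in logs if is_spoofed_airdrop(log)]


# Constructed sample logs: one spoofed airdrop, one genuine NFT transfer,
# one trusted-token transfer initiated by the user.
SAMPLE_LOGS = [
    TransferLog("0xTX_SPOOFED", "0xATTACKER_EOA", "0xMALICIOUS_TOKEN",
                "0xPOSITIONS_NFT_PLACEHOLDER", "0xVICTIM", 1),
    TransferLog("0xTX_GENUINE_NFT", "0xVICTIM", "0xPOSITIONS_NFT_PLACEHOLDER",
                "0xPOSITIONS_NFT_PLACEHOLDER", "0xVICTIM", 1),
    TransferLog("0xTX_USER_SWAP", "0xVICTIM", "0xVERIFIED_TOKEN_PLACEHOLDER",
                "0xVICTIM", "0xSOMEONE", 500),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(f"suspicious: {hit.tx_hash} emitted by {hit.emitter} "
              f"claims sender {KNOWN_CONTRACTS[hit.event_from]}")
```

The rule is a heuristic for prioritising what a user or explorer shows as "received from", not proof of malice; the reliable signal is that the displayed sender never signed the transaction and never emitted the event, which is why the post's advice to simply ignore such tokens is sound.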
Honestly thought I did everything (mostly) right. Use a password manager, never click on phishy shit, etc. Today, someone managed to usurp my phone's SIM and was able to drain my Coinbase account.
Pretty surreal, honestly. Wish I'd moved shit to a wallet regularly. I'm not super technical, but it seems more like a vulnerability of my phone provider (T-Mobile) than me personally.
Either way, just another reason to keep your security as tight as possible. Learn from my (massive fucking) mistake.
On 30 June, the Harmony team sent the last transaction asking the hackers to return the stolen assets. They could retain $10M in ETH. If the hackers are willing to do so, the team will cease the investigation, or manhunt as they called it.
https://twitter.com/harmonyprotocol/status/1542327331426955264
Sadly, the hackers ignored all the messages from the team and laundered the very last ETH roughly 5 hours ago.
https://etherscan.io/address/0x0d043128146654c7683fbf30ac98d7b2285ded00
What does it mean?
- Those who deposited to the smart contract to bridge tokens to the Harmony chain might not be able to get those assets back.
- Those who are holding bridged tokens such as 1ETH, 1WBTC, 1USDC are holding 'basically worthless' tokens now, because no locked tokens on the Ethereum chain are backing their existence on the other side.
- Those who are holding ONE? I don't know, it's like a sinking ship right now.
I'm not gonna tell you what you should do. I'm not a financial advisor and this is not financial advice. But be careful with what you are going to be told, because it is like a 50/50 bet now.
- If the Harmony team can't retrieve the stolen assets, which seems to be the case now, they are done. Some said the team could sell their ONE and buy exactly the same amount of stolen assets and deposit it back to the smart contract. It is dumb. Their failure led to a $100M hack. Their market cap is $220M, 50% of which is being staked. There is just no chance they could effectively sell enough ONE and buy those stolen assets. And imagine they were going to do so: ONE would drop real real bad.
- If there is someone or a VC who steps in to bail them out, they might have a chance to survive. But the chance is small since liquidity is drained from the market now (due to the FED's quantitative tightening).
- Why I said it is a 50/50 chance: because if they are bailed out, those worthless tokens on the Harmony chain will recover in value, which means if you buy them now (1ETH, 1WBTC, 1USDC), you could make nearly 8x profit if they are pegged again to the Ethereum chain.
To me, I'm not gonna make this bet. It is like flipping a coin right now, and if I ever decide to do that, I'm gambling and not investing.
A lot is happening on Harmony now, and a lot of projects are soon moving to other chains like Polygon.
Don't listen to anyone who tells you to buy the dip: if they can't give the stolen assets back to investors, they are done, and so is ONE. Those who tell you they still love ONE and to buy the dip are probably in heavy loss or can't do anything since their ONE is locked for staking.
How often do we get to see a stablecoin go to zero?
Cashio is an algorithmic stablecoin that was just exploited due to an infinite mint bug, and the value crashed.
The team has asked people to withdraw funds after the exploit drained all value from the project.
An infinite mint allows a hacker to mint literally an infinite amount of stablecoins, thus crashing its value. It's incredible a stablecoin has this kind of exploit lurking in its code. What's the whole purpose of a stablecoin, isn't it to ensure its supply is controlled and pegged to USD?
Anyone holding funds in the stablecoin just lost all of it. Hopefully no one here got burnt on this. Shows the risk of algorithmic stablecoins.
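The post explains the failure class but not the mechanics, so here is an added, generic model (not Cashio's code, and not a description of the specific bug) of how an "infinite mint" arises: the mint path accepts the caller's own claim about what collateral was deposited instead of checking the asset against the protocol's own registry, so worthless tokens mint stablecoins 1:1 and the supply invariant silently breaks. The collateral asset name, the registry contents and all deposits are constructed assumptions for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List

COLLATERAL_ASSET = "USDC"  # assumption: the only asset allowed to back the coin

# The protocol's own view of which token account holds which asset.
# A real system derives this from chain state; here it is constructed.
ASSET_REGISTRY: Dict[str, str] = {
    "acct-usdc-vault": "USDC",
    "acct-worthless":  "WORTHLESS",
}


@dataclass(frozen=True)
class Deposit:
    owner: str
    token_account: str   # where the collateral supposedly sits
    claimed_asset: str   # what the caller *says* the collateral is (untrusted)
    amount: int


@dataclass
class Stablecoin:
    supply: int = 0
    balances: Dict[str, int] = field(default_factory=dict)
    deposits: List[Deposit] = field(default_factory=list)

    def _credit(self, dep: Deposit) -> None:
        self.deposits.append(dep)
        self.supply += dep.amount
        self.balances[dep.owner] = self.balances.get(dep.owner, 0) + dep.amount

    def mint_unchecked(self, dep: Deposit) -> None:
        """Vulnerable path: trusts the caller's label for the collateral.
        Any account tagged 'USDC' by the caller mints 1:1, whatever it holds."""
        if dep.claimed_asset != COLLATERAL_ASSET:
            raise ValueError("wrong collateral")
        self._credit(dep)

    def mint_checked(self, dep: Deposit) -> None:
        """Hardened path: resolve the asset from the protocol's own registry
        and ignore the caller's claim entirely."""
        actual = ASSET_REGISTRY.get(dep.token_account)
        if actual != COLLATERAL_ASSET:
            raise ValueError(f"collateral account holds {actual!r}, not {COLLATERAL_ASSET!r}")
        self._credit(dep)

    def real_backing(self) -> int:
        """Collateral that actually exists, judged by the registry, not by claims."""
        return sum(d.amount for d in self.deposits
                   if ASSET_REGISTRY.get(d.token_account) == COLLATERAL_ASSET)

    def is_fully_backed(self) -> bool:
        """The peg invariant: every unit of supply is backed by real collateral."""
        return self.supply <= self.real_backing()


# Constructed deposits: one fake (worthless token relabelled as USDC), one real.
FAKE_DEPOSIT = Deposit("attacker", "acct-worthless", "USDC", 1_000_000)
REAL_DEPOSIT = Deposit("alice", "acct-usdc-vault", "USDC", 100)

if __name__ == "__main__":
    weak = Stablecoin()
    weak.mint_unchecked(FAKE_DEPOSIT)
    print("unchecked: supply", weak.supply, "real backing", weak.real_backing(),
          "backed?", weak.is_fully_backed())
    strong = Stablecoin()
    try:
        strong.mint_checked(FAKE_DEPOSIT)
    except ValueError as err:
        print("checked rejects fake collateral:", err)
    strong.mint_checked(REAL_DEPOSIT)
    print("checked: supply", strong.supply, "backed?", strong.is_fully_backed())
```

The lesson is the one the post is reaching for: a stablecoin's safety is the invariant `supply <= verified collateral`, and that invariant is only as strong as the weakest check on what counts as collateral. Monitoring `is_fully_backed()` on-chain (supply versus vault balances) is also a cheap detection for this class of bug, since an infinite mint shows up as supply outrunning reserves before the peg visibly breaks.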