In this 3-2-1 QnA Session 10, we will discuss some coinchange 2.0 App updates, our latest Asset Allocation Report (also called the Transparency Report) and our most recent yield index report which compares Coinchange’s yield with other industry benchmark yields. Then we will discuss two twitter threads, first one is related to the Metamask wallet privacy issue and the other one about why Coinbase wallet’s iOS users cannot send NFT’s to their wallets. Finally we analyze the Ankr Protocol hack. Here is what you will be learning about:
Question 1. Can you share the latest Coinchange APP 2.0 updates?
Question 2. Can you share our most recent Asset allocation report?
Question 3. Can you share our Yield index report that compares Coinchange yield with other benchmarks?
Twitter Thread #1: Metamask wallet privacy issue
Twitter Thread #2: Coinbase wallet’s iOS users cannot send NFT’s to their wallets
DeFi Exploit Analyzed: Ankr Protocol hack
Question 1 Coinchange App Updates
New 2.0 App:
With the latest app update, users can now enjoy a range of new features, including a new graph to monitor yield performance, quick invest options, KYC security and a modernized user interface. The interactive graph allows users to track the performance of their yields over time and make informed decisions about their investments. The quick invest options allow users to make investments with a single tap, without having to navigate through menus and long forms. Furthermore, the improved KYC security feature ensures that only verified users can access the platform and users can be sure that their funds and data are safe. Finally, the updated user interface has been designed with a focus on simplicity and ease-of-use, making the platform more accessible to users of all levels of experience.
Question 2 Asset allocation report
Coinchange’s Asset Allocation Report where we provide information on how Coinchange deploys client's assets and diversifies the investments while minimizing risks and maximizing potential earnings. The Asset Allocation Report will be published on a monthly basis to ensure we provide up to date and relevant key metrics related to the state of the client assets.
This report covers the deployed assets over broad categories of protocol types, blockchains and client invested currencies. Coinchange only deploys assets on quality, widely used, and time-tested DeFi protocols. Below is a list of protocols used in Coinchange strategies:
Stablecoin Assets under Management Breakdown:
Stablecoin Asset Allocation Breakdown per DeFi Protocol Type and Blockchain
Volatile Asset under Management Breakdown:
Want to read the full report in detail? Click here
Question 3 Yield index report; risk report upcoming
Yield farming rates have dropped by around 71% since January 2022. We conducted a research on which ones have fared well and which ones have not. We first categorized the various Yield types and created indexes for each in order to provide an accurate representation of the % yield available from the respective platforms/companies. Upon collecting the data and generating charts, we saw the following:
Below is a chart comparing Coinchange yield to other yield indexes.
We can also zoom in and filter by risk category: Minimal risk, Low risk, Medium to high risk.
For detailed information regarding the calculation method, index components, and risk considerations, please refer to our Yield Index and Benchmark Report.
Metamask Privacy Issue. There were a lot of tweets around Metamask’s updated privacy policy mentioning that: Metamask will start TRACKING and associating your IP address to every transaction. Here is a screenshot from their privacy policy:
To alleviate these concerns, Joe Lubin the founder of Consensys, which is the company that owns Metamask posted a thread as follows:
According to him, MetaMask does not collect IP addresses. @MetaMask routes information necessary for your transaction to be processed by an RPC provider. @infura_io is the default RPC provider in MetaMask, which is also developed by Consensys. Infura takes requests from MetaMask (or other software products that use it) and returns answers to those requests. Some requests ask Infura to route a user-signed transaction into the blockchain to be executed by the blockchain. After doing its work, Infura passes the results back to MetaMask for display. In order to process requests from a wallet like MetaMask, Infura needs to know the IP address of the device sending the request and the blockchain address.
Why does Infura need your IP address?
Joe says, that’s how web infrastructure works. The IP address is required in order to route the response back to the requester. The alternative is few or no usable products in web3. The direction of travel is decentralization of RPC provision. Some projects are already working on this. Infura is presently leading a major effort to decentralize itself without losing the performance that developers and their user's demand.
So it is clear that they do use IP address to carry out transactions through Metamask. But what do they do with the collected data? According to Joe, Infura does not exploit this data, nor does ConsenSys monetize it. Infura is pursuing technical solutions to minimize data collection, including anonymization techniques and complete elimination of data collected.
Coinchange Take: There is certainly lack of trust in this space even with well known thought leaders, since the 3AC collapse, Terra Luna crash and now FTX-Alameda saga. So it is quite normal for users to be suspicious of data tracking especially since Web 3.0 is built on the fundamentals of data ownership to the users. That being said, Coinchange does not use Metamask for its strategies, it uses smart contracts, nor does it use Infura as its node provider. We have set up our own blockchain node and route requests through that. Even Metamask users are free to point MetaMask to a different RPC provider than Infura or even set up their own node. Also, if any of our listeners are interested in learning how to change your RPC from Infura to Alchemy to bypass the IP address collection, here is a good tweet on it.
On Dec 1st Coinbase tweeted that their wallet’s iOS users might notice that they can’t send NFTs from their wallet anymore. According to Coinbase, this is because Apple requires that the gas fees to send NFTs need to be paid through their In-App Purchase system, so that they can collect 30% of the gas fee. The problem is that it is not feasible to use NFTs and blockchains with Apple's In-App Purchase system since it does not support crypto, even if Coinbase attempted to do so. It's similar to Apple attempting to collect a percentage of charges for each email that is transmitted through open Internet protocols.
The most significant effect of this policy adjustment on iPhone users who have NFTs is that transferring or gifting their NFTs to others is now more difficult due to Apple's new restrictions. In short, Apple has implemented new measures to safeguard their financial gain, regardless of the cost to consumers and developers in the crypto space who are looking to invest in NFTs and promote creativity. Tim Sweeney from Epic Games tweeted:
Coinchange Take: Recently there has been some tension around Apple’s 30% tax in general. Even elon musk questioned Apples policy on twitter. Crypto community is not happy that their apps are not able to release upgrades unless they enable in-app purchases that give 30% to Apple. But what’s strange about this whole issue is that Apple doesn’t understand how gas fees work. Either that, or they want Coinbase to pay an equivalent amount out of their pocket. If Apple started charging Coinchange users 30% to trade crypto from our iOS app, we would not be happy either. We believe that Apple needs to rethink their decision and help flourish a decentralized economy. That being said, ultimately, it is the market and consumer demand that will determine the success or failure of a company's business practices.
Ankr protocol on BNB chain tweeted this on Dec 2nd: Our aBNB token has been exploited, and we are currently working with exchanges to immediately halt trading.
So what exactly happened?
aBNBc is a reward-bearing receipt token for BNB staked via the Ankr platform on BSC. Ankr couple of hours prior the exploit was doing some smart contract update essentially sunsetting the old rebasing tokens for reward bearing tokens.
Ankr Exploiter stole the Ankr Deployer's key (Protocol’s admin key) and published a malicious version of the aBNBc token contract, which was then upgraded to replace the existing implementation. The upgraded version included a new function (0x3b3a5522) which allowed the attacker to bypass caller verification and mint tokens freely, directly to their own address. All $USDC was cross-chained to the Ethereum network through @CelerNetwork and @MultichainOrg. The aBNBc-related pool on #PancakeSwap has been emptied and Ankr Exploiter stopped dumping aBNBc. The price of $ANKR dropped sharply at the same time, leading some to short $ANKR and make a profit.
After Ankr Exploiter dumped aBNBc, another wallet address (possibly smart money or might even be the same exploiter with a different wallet) bought 183,885 aBNBc with just 10 $BNB($2,879) before the oracle had updated to reflect the crashed price. Then deposited 183,885 aBNBc into a stablecoin project @Helio_Money as collateral and borrowed 16M $HAY. In the end, sold 16M $HAY and get 15.5M $BUSD.
Later CZ, the founder of Binance confirmed the hack in a tweet.
You might wonder, was Ankr audited?
Ankr received an Audit from Peckshield less than 5 months ago, warning about 'trust issue of Admin Keys' which has privileged minting aBNB tokens.
The team 'Confirmed' the warning, but it seems they have not fixed it. See the screenshots below that show this:
What’s the solution from Ankr for those affected?
Ankr tweeted later that the team had assessed the damage to be max 5M USD worth of BNB from the liquidity pools. They have proposed the following to address the current situation:
Coinchange take:
Just because a protocol has an audit, does not make it safe to use. Read the audit yourself and check if the team has fixed the issues. In many cases, they simply "Acknowledge" or "Confirm" the audit findings. Our research team at @coinchangeio does due diligence on protocols and gives them a safety score based on a set of questions in our Risk Assessment Framework. We look for adequate invariance testing, Bug bounty programs, admin controls & governance process, oracles used, liquidity metrics, and even background checks on the team if public. We also join the project's community on discord and telegram to ask specific questions and to check the team’s responsiveness and check whether they are taking security seriously. Another important aspect we look at is whether the contracts are upgradable and if so, is there a TimeLock. In Ankr's case, if there was a 2-day TimeLock for upgrading the aBNBc contract, the team might have had enough time to stop the hack. Lastly it's important to note that improper Private Key management was the cause of the hack. Many protocols overlook traditional cybersecurity, which our upcoming report on Interoperability of Blockchains (mid Dec) discusses.
This concludes our 3-2-1 Q&A Blog. We’ll see you in the next one, two weeks from now. Meanwhile, kick back and earn passive income using Coinchange. Sign up today!
Receive monthly news and insights in your inbox. Don't miss out!