Today Wirtschafts und Infrastrukturbank Hessen (WIBank), the Helaba owned German development bank, issued a registered bond on a public blockchain. It was settled in a delivery versus payment transaction (DvP) using the Bundesbank’s Trigger solution, which initiates settlement on the TARGET2 payment system. The €5 million transaction was part of the Eurosystem’s wholesale DLT settlement trials.

The simultaneous exchange of the digital bond and cash eliminates counterparty risk, and the use of central bank money reduces the credit risk.

“The experience gained from this project opens up new possibilities for the further development of existing financial products in conjunction with innovative technologies. This minimizes risks and optimizes processes for both us and our investors,” said Christian Forma, Head of Treasury at WIBank.

Cashlink provided the tokenization and settlement infrastructure, with Helaba acting as cash settlement agent. Bankhaus Metzler was the investor, with Deloitte helping with the implementation and Annerton providing legal advice.

As with many Cashlink issuances, 👉the transaction used the Polygon public blockchain.

The ECB’s wholesale DLT settlement trials offer three settlement solutions. They include Germany’s Trigger solution, Italy’s TIPS Hashlink solution which settles on the TIPS payment system, and France’s wholesale CBDC.

Yesterday a director of the ECB announced plans for a European Ledger and confirmed the central bank is considering plans for after the wholesale DLT settlement trials end next month.

Link

In July Bloomberg reported that State Street was exploring tokenized deposits and a stablecoin. However, Donna Milrod the firm’s head of product, told the Financial News that the bank is not currently planning either of these, although she doesn’t rule them out in the future. However, it is working on tokenizing a bond and tokenizing money market funds (MMFs) for use as collateral.

Using MMFs as collateral means the funds don’t need to be liquidated in order to be used for margin calls. Tokenization also usually supports instant settlement rather than having to wait for redemption.

Collateral mobility is one of the killer use cases for institutional DLT. Onyx by JP Morgan has its Tokenized Collateral Network with BlackRock tokenizing the shares of one of its money market funds late last year. It then pledged them as collateral for a derivatives contract with Barclays.

Margin calls are not the only application. Any use cases requiring intraday transactions are a good fit for DLT. Collateral mobility enables swaps of high quality liquid assets (HQLA) amongst banks so they can ensure they hold appropriate assets on their balance sheet for compliance. For this reason, many of the big banks are backers of Europe’s HQLAᵡ.

Once the collateral is tokenized it can be used for intraday repo. JP Morgan has a repo solution for its clients, and Broadridge has its DLR repo offering. HQLAᵡ is readying for its client’s collateral to be used for repo through a collaboration with Fnality, the UK-based payment infrastructure that tokenizes deposits held in an omnibus central bank account. State Street is one of Fnality’s twenty institutional backers.

Until last month Ms Milrod was the leader of Digital Asset Solutions at State Street, but has now passed the baton to Vanessa Fernandes who reports to Ms Milrod.

Link

Phish of the week: Symbiotic X account is compromised

According to a report from PeckShield, the X account for the staking protocol Symbiotic was hacked on Oct. 5. The team’s official website said the account was still compromised as of Oct. 7.

The compromised account promotes a “points” checklist and asks users to click on a link to check how many points they have. However, the link leads to the wrong URL, network-symbiotic[.]fi, instead of the correct one, symbiotic.fi.

When users connect to the fake phishing site with a wallet, they are presented with a page that claims they have earned thousands of points, even if they have never interacted with the Symbiotic protocol.

The page urges users to redeem their points immediately and claims they will be lost if they do not click a large, green, “redeem” button in the middle of the screen.

Pushing the “Redeem Points” button with an empty wallet results in an error message stating that the user should try a different wallet, with a standard error message found on phishing sites asking for message signatures.

If a user’s wallet contains Symbiotic tokens, the site likely asks the user to sign a message, which is then used to drain the user’s tokens. Cointelegraph did not test the app with a wallet that had funds in it.

From its official website, the Symbiotic team is currently warning users that its X has been compromised and that users should not interact with any sites linked to the account.

X account hacks have become a routine problem in the crypto space. Users should consider bookmarking the URL for apps they frequently use, as this is generally a more reliable way of getting to the correct website than relying on X links, although it is not 100% foolproof either. Users should be especially cautious when asked to sign a message written in code, as this is often, but not always, a sign of a phishing attack.

Malware corner: Attackers now using SVG files to lure victims

Attackers are now using SVG image files to infect victims’ computers, according to a September report from HP’s Wolf Security team.

⚠️The new method allows attackers to gain control of a victim’s computer through remote access trojan (RAT) software. Once the software is installed, the attackers use it to steal the victim’s website passwords, seed words, and other personal information. If the user owns cryptocurrency, these credentials are then used in further attempts to gain access to the user’s wallet and empty it.⚠️

Researchers found that the malware was disguised as a ZIP archive that loaded when the image was opened in a browser. It also featured a .pdf file that loaded as a distraction for the victim while the malicious program was being downloaded and installed in the background.

According to Adobe, Scalable Vector Graphics (SVG) files store images “via mathematical formulas based on points and lines on a grid” instead of through pixels. This means that they can be easily resized without losing their quality. In addition, they are written in XML code, which allows them to store text inside of themselves. 

According to Mozilla, SVG files also contain a “script” element that allows developers to embed executable programs within them. It is this scripting ability that the malware developers have reportedly learned to abuse.

HP researchers found an image that produces a ZIP archive when opened in a browser. If the user clicks on the archive, it opens a File Explorer window and begins to download a shortcut file.

Clicking the shortcut causes a decoy .pdf file to load on the victim’s screen. Meanwhile, the device begins to copy various scripts and store them in the victim’s music, photos, and startup directories, allowing the program to persist over time.

⚠️After copying these scripts onto the device, it runs them. The result is that a number of dangerous malware programs, including VenomRAT, AsyncRAT, Remcos and XWORM, are installed on the user’s device. Once the malware is installed, the attacker can take full control of the victim’s computer, swiping any files held within it.⚠️

Given this new attack vector, crypto users should exercise caution when interacting with SVG image files from sources they do not entirely trust. When opened, if an image loads other types of files, users should consider rejecting these files by closing the browser window.

Fire token exploit illustrates risks of novel tokens

Buying new tokens with novel features and unaudited contracts is often risky, as is illustrated by what happened to the FIRE token on Oct. 1.

The Uniswap pool for the token was drained of nearly all of its liquidity after an attacker exploited the token’s contract to repeatedly sell it at a higher and higher price each time.

After the exploit, the token’s team immediately deleted their social accounts and vanished, implying that the project may have been a rug pull or exit scam from the start.

The token has not traded since Oct. 2, which implies that there may be so little liquidity for it that selling may be impossible.

The idea presented to FIRE investors was simple. According to its website, it was an “ultra-hyper-deflationary token.” Whenever holders sold their FIRE into the token’s Uniswap liquidity pool, it would automatically be sent to a burner address. This would cause the token supply to shrink, driving up the value of the FIRE held by those who didn’t sell.

The token was launched at 8:00 am UTC on Oct. 1. About 90 seconds after the launch, an account ending in 1e2e drained some $22,000 worth of Ether ETH$2,439.75 from the token’s liquidity pool.

To accomplish this, it first took out a flash loan of 20 ETH from the lending platform Spark Protocol. Then it created a malicious contract that swapped the ETH for FIRE, then swapped it back, destroying the newly acquired FIRE in the process and raising its price.

This process was repeated through 122 transfers through 16 different smart contracts, with each transfer being part of a single transaction. Each time FIRE was swapped for ETH, a slightly larger amount of ETH was received in return. As a result, the attacker was able to drain the pool of the $22,000 worth of ETH. In addition, this transaction destroyed 230 FIRE tokens.

The attack was repeated over and over again, with the final exploit transaction taking place on Oct. 2 at 1:14 am UTC.

Blockchain security platform TenArmor reported the attack on X. “Our system has detected that #FIRE token @Fire_TokenEth on #ETH was attacked, resulting in an approximate loss of $22.3K,” the post stated.

According to price data from tthe rading platform Apespace, the initial price of FIRE was set at approximately 33 ETH ($81,543 at current prices) or around $8 per 0.0001 FIRE. At the moment of the exploit, the price of FIRE skyrocketed, increasing to 30 billion ETH per coin or $244.6 billion per 0.0001 FIRE. It then fell to 4.7 billion ETH per coin over the next two minutes.

Note that by the time these high prices were reached, significantly less than one FIRE coin remained in circulation, as most of the token’s supply had been destroyed in the exploit.

After the exploit, the FIRE team deleted its X and Telegram accounts, which suggests that the attacker may have been affiliated with the team. The token’s Apespace page also features a warning that the FIRE contract contains a “blacklisting” feature allowing developers to blacklist any user’s account and prevent them from selling the token. The developers may have used this blacklisting feature to only allow themselves to sell.

Users should exercise caution when interacting with tokens that have novel features that may not be fully understood.

In this case, the developers explicitly stated that anyone who sells into the pool destroys tokens, reducing their supply. Still, some users may not have realized that this allows a single trader to repeatedly swap into and out of the token to artificially raise its price and drain its liquidity.

Link