When will the mass crypto drainage end?🚰

Moonbirds NFT sparks creative licensing debates, Coinbase partners with BlackRock and Solana and Nomad Bridge hacks drain over $150M.

Hey friends, GM. Welcome to the first issue of Web3 Seems Legit - the newsletter that gets you caught up on all the conversations happening on Twitter around web3 this week.

Be honest: between IRL conversations you have with coworkers and friends, and discussions you see online about crypto and NFTs, how many times have you thought to yourself…is this web3 thing actually legit?

Hate to break it to you, but we don’t have the answer to it. What we can do is send you an email every week on all the conversations happening on Twitter web3. Whether it’s good, bad or FUDgly, we tune you into what people are saying, so you can decide for yourself.

Here’s the biggest buzz this week:

• Should NFTs be public domain?

• Bullish or bearish signs for institutional crypto adoption?

• How one developer manipulated Solana’s TVL

• Hacks of the week: Solana and Nomad Bridge

Should NFTs be public domain?

One of the hottest topics of debate this week was sparked by a tweet by Moonbirds NFT founder announcing that the project would be moving to a CC0 (creative commons) license model.

To be fair, if I were to wake up and find out that the jpeg I paid upwards of 38.5 ETH (at its peak) is now public domain for anyone to use, I would be caught off guard too. We want to protect what we own and some Moonbirds holders feel duped over this switch-up.

But like most web3 debates, there isn’t really a right or wrong answer. @NFTSabeen gives examples of other NFT projects that successfully use either a licensed or CC0 model. For CC0 projects, making the NFTs public domain is an opportunity to amplify its brand to spark a greater cultural movement, while still being able to attribute the original work on-chain.

Moral of this debate is that there is no “one-size fits all” solution. We are experimenting as a community and that to me, #seemslegit.

“It’s BlackRock’s world, we’re just living in it”

The industry bulls were back last week and buzzing about the latest partnership announcement between Coinbase and BlackRock.

The pairing of the largest centralized crypto exchange with the largest global asset manager provides much needed positive reinforcement for the crypto space. Not only does it add legitimacy, but it’s also expanding institutional access to crypto with roughly $8.5 trillion in AUM under BlackRock.

At a time where Bitcoin’s value has fallen about 70% in value from its all-time-high of $69,000, this news #seemslegit.

But as we know by now, we can’t really have the good without the bad in web3. @threadoor gives a glimpse of just how much control BlackRock has over the media, corporations and politics. Now with their expansion into crypto, any potential market manipulation would be a breeze for them.

So is this partnership good or bad news? You decide.

Meet the 11x* unicorn developer that pumped Solana’s TVL

Move aside 10x developers there’s a new unicorn in town that’s taking over crypto memes. Here’s the scoop. Twenty-something year old Ian Macalinao from Texas created a whole ecosystem of fake DeFi projects that double-counted the same tokens and inflated Solana’s total-value-locked (TVL).

Under the guise of 11 different personas, Macalinao built over a dozen projects, including Sunny Aggregator and Cashio which all used his protocol Saber. At its peak, Saber made up for $7.5 billion of Solana’s $10.5 billion TVL.

Traditionally, VCs and retail investors love to use TVL as a metric to pour money into projects, but is it really a reliable metric to look at? @0xngmi at DefiLlama, a popular DeFi TVL tracker platform, gives their perspective on how they will tackle TVL moving forward by removing double-counting and improving protocol review and tagging.

Either way, this serves as a good reminder to always do-your-own-research and look beyond vanity metrics.

If you haven’t read it already, I highly recommend reading the full story on Coin Desk for some peak journalistic work.

Some perspective on the recent Solana and Nomad Bridge hacks

Lastly, we have our hacks of the week. This time, the unfortunate targets were Solana and Nomad Bridge which were both robbed over a form of negligence.

Let’s start with Nomad Bridge which was completely drained out of $150 million. It all started with the OG hacker who discovered a bug in the smart contract by simply reading through the Nomad audit report. That means that the Nomad team must have known about the bug, but chose to ignore it.

Once the first hacker made the move, a mob of people joined in for a free-for-all robbery with a simple copy-paste command. Yup, that's right, it was really that easy. Beware of the crowd you walk amongst, there are bad actors everywhere.

Check out this thread by @0xfoobar on the Nomad Bridge hack situation.

Then there was Solana that was drained out of $6 million due to an exploit with their Slope wallet. Turns out, user private keys were being stored in Sentry, an event logging tool used by Slope, leaving it open and vulnerable for access. @MiamiVice_sol gives a step-by-step walkthrough thread on how the hacker committed the crime.

Then there was Solana that was drained out of $6 million due to an exploit with their Slope wallet. Turns out, user private keys were being stored in Sentry, an event logging tool used by Slope, leaving it open and vulnerable for access. @MiamiVice_sol gives a step-by-step walkthrough thread on how the hacker committed the crime.

Once again, the Twitter sleuths solve the mystery. While some will be quick to defend or criticise the infrastructure the compromised protocols were built on, at the end of the day, all hacks on any chain or bridge are unfortunate.

See you next week!