🐙 Kraken Released!

What CertiK-Kraken means for crypto exchanges

🐭 Tom vs. Jerry

I had more questions than answers (ah, the life of a journalist) about the Kraken and CertiK situation.

While Kraken says the funds have been returned, I picked up the phone and called someone with a vast security background.

Enter Charles Guillemet, Ledger’s chief technology officer, who had some thoughts on the whole incident and white-hat hackers in general.

Yesterday, I highlighted some takes around the use of Tornado Cash by the US-based CertiK, but that’s not the only thing that caught Guillemet's eye. He says the withdrawal of XMR — privacy coin Monero in case you’ve skipped some of David’s previous segments — is suspicious because, well, it’s a privacy coin.

Add ChangeNow, a self-styled non-custodial exchange, into the mix. In Guillemet’s experience, ChangeNow is generally one of the top picks for attackers who are trying to hide crypto. It’s often used by bad actors because it doesn’t require proper know-your-customer checks before facilitating swaps from one token to another.

It was also weird that there were video calls between CertiK and Kraken. And don’t even get him started on the millions withdrawn (he maintains you can exploit as little as $5 to prove the bug and then report it for a bounty). 

However, the five-day time period in which the researchers were testing the exploit isn’t that strange. 

Guillemet, who started off in the broader cybersecurity world before catching the crypto bug in 2017, said the “behavior that we see in blockchain and crypto when it comes to white hat [hacking] is really weird from my standpoint.”

“Sometimes you have a white hat, supposedly, who finds a vulnerability on some smart contract. It completely drains the smart contract and then gives back like 90%, choosing its reward [of] 10%. This kind of behavior, for me, is extortion. It seems to be okay. It seems to be white hat behavior,” Guillemet said.

“But I completely disagree with this. When you do security research, you don't choose your reward. You don't do extortion. What you do is report the vulnerability and hope for a reward […] This is how white hat should operate. And in crypto, it's not always the case, and it's a bit disturbing for me, and it's also disturbing for other security guys in the field,” he continued.

With the matter more-or-less resolved, we may never get satisfying answers to the many unanswered questions about what exactly happened. CertiK said it wasn’t trying to exploit or “extort” funds from the exchange, contrary to claims made by Kraken’s CSO Nick Percoco.

Let’s look at the bigger picture here. In this case, Kraken has assured that user funds were safe the entire time, and the millions that were briefly missing were taken from its treasury.

But does this mean users should be keeping their crypto on exchanges?

The simple answer from Guillemet is no. 

“As a user, you shouldn’t use an exchange to store your crypto. If you need to store your crypto, you need a wallet and you need to self-custody,” he said. It may seem obvious coming from Guillemet, a CTO of a wallet company, but his point is that exchanges aren’t made to store your crypto. 

(So if you told your family about crypto at the dinner table a few years ago and they bought into it, maybe just double-check that they have it stored away safe and sound.)

The simplest way to improve the space is obviously investing in security, but the more difficult path forward is for security teams to stay humble, Guillemet said. 

“Attackers will get better and better and we as an ecosystem must be humble and always raise the bar for security because this is a cat-and-mouse game and the stakes are getting higher.”

P.S. David and I need your help. No, we’re not soliciting you for donations. Phew. We just want to get to know you better. Fill out this survey and help us produce journalism tailored to you and your interests.

— Katherine Ross

  • BTC is at monthly lows, down nearly 4% to $63,680.

  • ETH dominance jumped 17.88% to 18.77% in the past week as altcoins drained.

  • Base memecoin BRETT has flipped Solana dog coin BONK, worth $1.4 billion to $1.34 billion.

  • CEXs have liquidated margin traders for $133.44 million in the past day; 75% of them were long positions.

  • Arbitrum and Blast are neck-and-neck for weekly derivatives volume, $11.99 billion to $11.34 billion. Hyperliquid follows with $7.6 billion.

🪂 Don’t call it an airdrop

Airdrops have a branding problem.

LayerZero really wants you to know its token launch is not an airdrop. Its new token, ZRO, is a reward for donating $0.10 in crypto toward Ethereum layer-1 development. The LayerZero foundation says it will match all contributions up to $10 million.

The team’s intentions may have been in the right place, but the market doesn’t seem to care for it. The not-airdropped ZRO has taken a beating, down 30% since yesterday’s launch.

“Airdrops” were intended to help distribute token supplies equitably while inspiring a community to build around the protocol. 

But, as LayerZero explained in its blog post, airdrop farming and automated Sybil campaigns are now so efficient at collecting free tokens that too much supply goes to parties with little interest in the long-term success of the projects.  

Still, despite all their problems, token launches via airdrops are really common. Of the current top 200 or so cryptocurrencies by market cap, around 50 have been launched since January 2022. 

Half of those were initially distributed via an airdrop, worth between 1.5% and 20% of the total supply. And if you remove memecoins, Runes and Ordinals, seven out of the remaining 13 airdrop tokens have risen in price since they launched. Not a bad strike rate, although their median return to date is minus 30%.

It’s difficult to properly compare token airdrops as they’re usually apples to oranges, with all sorts of tokenomics quirks and utilities. 

But comparing performance of airdropped tokens against other kinds of token generation events — generally launchpads and initial coin offerings — suggests it may just be difficult to launch a token that goes up at all.

Of the 15 tokens to launch in ways other than airdrops over the past two and a half years, seven have maintained value above their initial trade price, with a median return of minus 29%. That’s practically the same as the airdrops.

Perhaps the market may fall back in love with exchange launchpads and launchpools.

Base AMM token AERO and RWA asset ONDO were both clear outliers in this very quick analysis, having both gone 10x since they first hit the market through straightforward token launches, even after their recent healthy corrections.

For what it’s worth, the Worldcoin Orb actually presents a fix for many of the woes plaguing airdrops: Allow only WorldID holders to claim the airdrop, relying on biometric-fueled “proof of humanity” to defeat the Sybil bots.

But so far there seems to be little interest. Sad.

— David Canellis

  • Standard Chartered is plotting a spot crypto desk for bitcoin and ether, Bloomberg reported.

  • The Winklevoss twins, Cameron and Tyler, both said on X that they’re donating $1 million each to former president Donald Trump’s campaign.

  • Rep. French Hill and Rep. Chrissy Houlahan visited Binance executive Tigran Gambaryan in Nigeria where he’s being detained “wrongfully.” 

  • LayerZero token claims opening led to a record daily revenue for Arbitrum, The Block reported.

  • CryptoQuant CEO Ki Young Ju said the German government was selling off portions of its seized bitcoin stash.

Q: What should world governments do with seized crypto?

Political answer: Sell it to fund initiatives to combat addiction and homelessness.

Crypto answer: Hold it, don’t touch it. If you can stake it directly to the blockchain, do that and earn a yield.

Correct answer: Spend it on normal budget things. Use it as money. Pay salaries.

If the merchants, services, contractors or whoever else don’t accept crypto, encourage them to start or else the government takes its business elsewhere.

— David Canellis

This is one of those rare (and boring) times where I fully agree with David. 

I think there’s a lot further to go before more countries are ready to hodl any crypto, even bitcoin (sorry El Salvador). 

So, while billions worth of bitcoin being sold is gonna cause some pain, I’m in favor of countries offloading their stashes to not only allow more diamond hands to come in, but also to — hopefully — use the money raised for some sort of good. 

Even just paying salaries is enough for me. 

— Katherine Ross