Top Stories of the Week - 3/3
In the newsletter, we write about yuga labs, the largest NFT issuer in the world, announcing drop on bitcoin. We cover the self-exploitation of a defi app, oasis, pursuant to a court order and the questions it raises about defi immutability. And we give an update on the expected activation data for ethereum’s hotly anticipated next upgrade, shanghai. Subscribe here and receive Galaxy's Weekly Top Stories, and more, directly to your inbox.
$4bn NFT Powerhouse Is Building NFTs on Bitcoin
Yuga Labs, owner of CryptoPunks, BAYC, MAYC, Meebits, and more, is launching a 300-piece generative art collection called TwelveFold on Bitcoin. The generative art pieces will be created as ordinals, which are satoshis (smallest unit of a bitcoin) inscribed with metadata that render the image of the art. For a more detailed overview on inscriptions, read the whitepaper we released today or our the Feb. 3 edition of this newsletter. Yuga clearly expressed that Twelvefold will stand as its own entity and not have any utility benefits planned for its other Ethereum-based projects. Yuga expressed a bullish outlook on Ordinals stating that they’re “excited about Ordinal inscriptions and what the future holds for digital artifacts on Bitcoin.”
The details of the launch will be released 24 hours prior to the drop; expected to be released sometime today (Friday, Mar. 3). While Yuga mentioned that the digital collectables will be auctioned off, the auction style is still unknown. Given the complexities of purchasing and storing Inscriptions, Yuga is providing detailed explanations on wallet configurations and requesting that users have a self-custodial wallet containing Bitcoin that will be used for bidding. Potential purchasers will also need an empty Bitcoin address to receive the inscription. Designating one wallet for the inscribed sat is meant to protect users from accidently spending the sat and losing the Ordinal.
That Yuga Labs, which dominates roughly 30% of Ethereum’s NFT market cap, is already launching a collection on Bitcoin less than 3 months after inscriptions were invented is a strong signal. Despite the extremely nascent market infrastructure supporting inscribed ordinals, Yuga is nonetheless poised to be a first mover among NFT powerhouse creators. Indeed, this will be Yuga’s first foray onto a blockchain that isn’t Ethereum.
The move will surely push other major creators to consider inscribing ordinal collections of their own. If the TwelveFold auction is successful (i.e., generating significant money in primary sales), the trend is likely to accelerate. There will be a lot to learn from the drop – how quickly the auctions conclude, what price users are willing to pay, and whether users are able to figure out how to participate and then properly handle their inscribed ordinals. Given the purchasing trends witnessed with Ordinal Punks, Bitcoin Rocks, and Ordinal Loops selling for 2-10 BTC, our view is that TwelveFold won't fall far from this price range. Given Yuga’s intense following, it’s possible TwelveFold could exceed these that range.
Ethereum’s NFT ecosystem has been battling on secondary sale royalties, with marketplaces ultimately racing to zero. While technically it’s impossible to enforce secondary sale royalties on-chain on both Ethereum and Bitcoin, it’s even more impossible on Bitcoin, making successful primary sales essential for creators. In the Galaxy Research NFT royalty report, we found that Yuga Labs has been by far the largest recipient of royalties, generating +$148mn from royalties. While these royalties were paid to Yuga by marketplaces themselves, there are also no marketplaces for inscribed ordinals today that support royalties. As a result, Yuga Labs is emphasizing the primary sale for the TwelveFold drop by doing an auction for all 300-pieces to drive up prices, which compensates for the lost revenue from no royalties.
Another point we are following in relation to this drop is what license Yuga Labs will attach to TwelveFold. We wrote about problems with current NFT licenses generally and with some of Yuga Labs’ licenses specifically in our previous research report. Specifically, we criticized Yuga Labs for language in their BAYC license that appeared vague and even misleading, especially when compared to their updated license for CryptoPunks (which they acquired from Larva Labs in 2022). Yuga has thus far been silent on the TwelveFold license, but they will presumably release it when they announce the auction.
Lastly, Yuga’s design choices for TwelveFold further reinforce our view that Bitcoin is well suited for small size collections and high-end generative art. Rather than compete with the 10k PFP collections common on other chains, Bitcoin’s NFT ecosystem is likely to incentivize a level of artwork more commensurate with the high fidelity of its ledger. In our new whitepaper on inscriptions and ordinals released today, we estimate that Bitcoin NFTs could reach a $5bn market cap in two years. The report gives a high-level overview on Bitcoin NFTs and highlights how this movement will positively influence Bitcoin’s ecosystem from this point forward. The entrance of the world’s largest NFT creator into the nascent ecosystem only further bolsters our projection. -GP
Court-Ordered Counter-Exploit of DeFi App Oasis Raises Concerns About Crypto ‘Backdoors'
In an unprecedented turn of events, the team behind decentralized finance (DeFi) app Oasis announced they had exploited their own protocol to comply with a court order. On Tuesday, February 21, the High Court of England and Walesordered the Oasis team to recover funds locked in the DeFi protocol by the known address of the Wormhole hacker. Wormhole is a token bridge connecting assets on Solana to several other general purpose blockchains including Ethereum and vice versa. The bridge suffered an infamous hack early last year that resulted in the loss of $326mn worth of crypto assets. At the time, the parent company behind the Wormhole bridge, Jump Crypto, said they would “make community members whole” and reimburse all affected users.
In the aftermath of the exploit, the funds stolen from the Wormhole bridge were transferred by the hacker to several DeFi apps including Oasis. The hacker deposited 120,690 wstETH and 3,210 rETH, collectively valued at $225mn, in Oasis vaults as collateral for borrowing the stablecoin DAI. On Friday, February 24, the Oasis team announced they had assisted in the recovery of these funds through the use of their multi-signature (multisig) wallet. Multisig wallets require signatures from multiple parties to sign a valid transaction, and it is commonly used by dapp developers as a method to house admin key that can be used to issue application upgrades or halt the functionality of its smart contracts. It is usually considered a precautionary measure that dapp developers rely on only for bug fixing and community-aligned upgrades. “We stress that this access was there with the sole intention to protect user assets in the event of any potential attack, and would have allowed us to move quickly to patch any vulnerability disclosed to us,” wrote the Oasis team in a blog post about the use of their admin multisig access.
However, to comply with legal authorities, the Oasis team allowed the temporary addition of a new authorized third party to their multisig. The third party then had the power to seize control of the hacker’s funds deposited into Oasis smart contracts and forcefully move them out of the hacker’s control into the Oasis multisig. Oasis stated that the design of their multisig to perform such activities was “previously unknown.” Analysis from Blockworks Research has identified the new authorized third party to likely be market maker Jump Crypto. The authorized third party who initiated the counter-exploit against the Wormhole hacker has since been removed as a signer from the Oasis multisig. The Oasis team has not made any indication as to whether they will permanently change the design of their admin multsig access in light of recent events to reduce the risk of the Oasis multsig from being accessed by new third parties again in the future.
The recovery of stolen funds from a high-profile hack is usually cause for celebration. However, the way in which these funds were recovered by the Oasis team has become a controversial issue in the Ethereum community, raising several questions about the true immutability of smart contract applications. Like many popular dapps and Layer-2 protocols built on Ethereum, such as Polygon, Arbitrum, Optimism and others, Oasis is controlled by upgradeable smart contracts, meaning the behavior of the application can be changed by smart contract owners at any time through multisig approval. We wrote at length about the costs and benefits of upgradeable smart contracts in our August report on the sanctioning of privacy dapp Tornado Cash, which does not have upgradeable contracts. On one hand, the novelty and increasing complexity of new applications and protocols being built on Ethereum creates a greater need and desire for safety nets like multisigs. On the other hand, these solutions directly undermine the fundamental trust assumptions of using smart contract-based applications. Users interacting with upgradeable smart contracts cannot be guaranteed that the way in which an application works today will be the way it works tomorrow.
The use of the Oasis multisig for recovering stolen funds is a clear, real-world example of how smart contract upgradeability can be exploited for ulterior motives that neither the developers or the users of the application share or have any say over. It sets an alarming precedent for any decentralized finance application that is controlled by upgradeable smart contracts and should reinvigorate serious discussions about the tradeoffs of upgradeability to code immutability within the Ethereum community. Rather than lacking foreknowledge, the Oasis team lacked foresight about the ways in which the design of their multisig could be exploited not only by black hat hackers but also law enforcement, or perhaps worse, they actively facilitated it. We suggest this could be worse because, while this particular incident involves the valid recovery of stolen funds, it doesn’t take much imagination to conceive of a scenario in which users much more legitimate than hackers have their assets frozen or stolen. The Oasis counter-exploit is a much-need wakeup call for dapp developers and end-users alike that reminds dapp developers about the risks associated with upgradeable smart contracts and encourages end-users to re-evaluate the core value proposition of the applications and protocols they interact with on Ethereum and other chains. -CK
Final testnet for Shanghai upgrade targeted for mid-March, Mainnet withdrawals to follow in April
Based on Thursday morning’s All Core Devs conference call, Ethereum plans to launch Shanghai on Goerli (the last public testnet) on March 14th. 821 days after the launch of Ethereum’s Proof-of-Stake powered Beacon Chain, stakers finally have a date for withdrawals in sight (second week in April). Should all go according to plan on Goerli, Shanghai (which is a small upgrade in terms of its scope) will release some 1 million ETH over a 4–7-day period. This has investors, traders, and enthusiast alike wondering what impact Shanghai could have on ETH’s price (and thereby, Ethereum’s security) in the near-term as well as what terminal level of stake Ethereum will hit (for context, most PoS networks realize between 50-70% staking participation rates, while Ethereum has recently hovered around 15%).
Per our research, the expectation is an already full queue for exiting the validator set will stop most nodes from exiting and then withdrawing immediately following Shanghai. It is possible withdrawals from early stakers will cause sell pressure to persist over the months following the upgrade. We published a report several weeks ago sharing our estimates for the amount of ETH that could be sold under various scenarios. It's unlikely that sell pressure is persistent past a few months as most stakers have long-term bias for ETH. Moreover, most stakers already have access to liquidity Liquid Staker Derivatives from Lido and other providers.
As most ETH liquid staking derivatives have maintained pegs since the start of the year, there is little indication from the market that stakers are pining to sell principal or earned ETH. However, some stakers have not had access to liquidity, as their providers didn’t issue a derivative token or partner with a provider. So, it’s entirely possible ETH draws down as early stakers exit the validator set. To read more on the mechanics of Shanghai, possible sell pressure, and how withdrawals and exiting the validator set works, see Galaxy’s report How Could Shanghai Unlocks Affect the Price of ETH.
The ability to withdraw ETH and possibly realize rewards from validating Ethereum is exciting for both individual operators and the community more broadly. Shanghai (should it roll out as hoped) represents the culmination of years of research and development from the Ethereum community. While not as technically intense as The Merge, Shanghai is the last large piece of the puzzle in Ethereum’s move from a Proof of Work to PoS security model.
As far as the long-term state of the network goes, we expect withdrawals to stabilize LSD pegs via arbitrage traders. In turn, this should increase staking participation, as holders of ETH can more confidently participate in PoS thanks to both direct withdrawals and more seamless withdrawals via more stable LSDs.
While work remains ongoing both on LSDs and on Ethereum’s PoS network more broadly (a stated goal of both providers and developers being to lower the 32 ETH requirement for staking), the successful integration of Shanghai should let developers hone in on upgrades related to security, performance, and user experience more broadly. In turn, this should (optimistically) help induce demand for Ethereum’s blockspace, create some certainty around its long-term security model in the community, and generally let a network effect on more a differentiated product finally take hold. -WJS
Silvergate reels as crypto clients flee following missed 10-K filing
Coinbase, Galaxy, Paxos, and others stop accepting or initiating payments with Silvergate
Polygon launches web3 identification service using zero-knowledge proofs
Coinbase CEO defends staking, calls for US to create 'clear rule book'
Robinhood rolls out wallet to iOS customers globally
NFT trading volumes hit $2B in February, highest since May 2022
Mt. Gox creditors may finally start seeing their bitcoins this month
SEC Chair Gensler says crypto exchanges may not be 'Qualified Custodians'
Scroll’s zkEVM deploys on Ethereum’s Goerli testnet