Weekly Blockchain Security Watch

Apr 10 to Apr 16

From April 10, 2023 to April 16, 2023, all security incidents that had occurred can be categorized into Security Hacks and Rug-pulls.

SECURITY HACKS:

  1. Terraport Finances Liquidity Wallet Breached

On April 10, Terraport Finance’s team announced that they had a breach of their liquidity wallet. At the time of writing, the Terraport team was still investigating the breach.

No specific amout of loss was reported.

Terraport Finance is a DeFi application deployed on the Terra Classic blockchain.

  • Meta Skyer Suffers Flash-loan Attack

On April 10, Meta Skyer (SKYER), a project deployed on the BNB chain suffered a flash-loan attack.

Its token SKYER is deployed at 0x6B77C9202d6E91B8f7B8F0372280db98406005E3 on the BNB chain.

Crypto assets worth around US $20,000 were exploited in this incident.

  • South Korean Exchange GDAC Suffers Wallet Compromise

On April 10, South Korean exchange GDAC experienced a private key compromise.

At the time of writing crypto assets worth around US $13,000,000 were exploited.

  • South Korean Exchange GDAC Suffers Wallet Compromise

On April 11, South Korean exchange GDAC experienced a private key compromise.

Crypto assets worth around US $13M were exploited in this incident.

  • Paribus Suffers Re-entrancy Attack

On April 11, Paribus, a project deployed on Cardano experienced an re-entrancy attack.

Crypto assets worth around US $67,000 were exploited in this incident.

  • Mean DAOs Discord Server Compromised

On April 11, the discord server of Mean DAO(@meanfinance) was compromised. Mean DAO is a DeFi application deployed on Solana.

  • MetaPoint Suffers Exploit

On April 12, MetaPoint, a project deployed on the BNB chain suffered an exploit.

The root cause of this issue was that it gave the caller of the function access to the $META tokens without any restriction.

2513 BNBs worth around US $811,000 were exploited in this incident.

  • Chimps Discord Server Compromised

On April 13, the discord server of Chimps(@chimpsverse) was compromised and a phishing link was sent in the discord server. Chimps is a project deployed on Solana.

  • Suteki – SAISEIs Discord Server Compromised

On April 13, the discord server of Suteki-SAISEI(@Suteki_NFT) was compromised. Suteki is an NFT project deployed on Solana.

  1. Saved Souls Discord Server Compromised

On April 14, the discord server of Saved Souls(@SavedSoulsNFT) was compromised. Saved Souls is an NFT project deployed on Ethereum.

  1. Bitrue Suffers Exploit

On April 14, Bitrue, a centralized crypto exchange suffered an exploit.

Actually, one of the exchange’s hot wallets was breached. Crypto assets including ETH, QNT, GALA, SHIB, HOT and MATIC were stolen.

The Bitrue’s team claimed that the affected hot wallet only held less than 5% of its overall funds and the rest of its wallets remained secure and had not been compromised.

Crypto assets worth around US $23,000,000 were exploited in this incident.

  1. Walker Worlds Twitter Account Compromised

On April 15, the twitter account of Walker World(@walkerworld_) was compromised and a phishing link was sent in the twitter account. Walker World is a project deployed on Ethereum.

  1. Hundred Finance Suffers Exploit

On April 15, Hundred Finance, a DeFi application deployed on Optimism suffered an exploit.

The team announced on their Twitter account that they had been hacked on Optimism. The exchange rate formula was manipulated through Cash value. The attacker exploited it to borrow a large amount of tokens and then got back the amount after the exchange rate was manipulated through redeeming 1 hToken.

Crypto assets worth around US $7,400,000 were exploited in this incident.

  1. Hundred Finance Suffers Exploit

On April 16, Swapos V2, a DeFi application deployed on Ethereum suffered an exploit.

Crypto assets worth around US $468,000 were exploited in this incident.

RUG-PULLS:

  1. SyncDexOG Confirmed to Be Rug-pull

On April 12, SyncDex(@SyncDex_Finance), a project deployed on zkSync was confirmed to be a rug-pull.

200 ETHs worth around US $ 383,000 were exploited in this incident.

CONCLUSION-

15 notable security incidents have occurred in the past week. 14 were security attacks and 1 was a rug-pull.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Be alert to any anomalies happening in the various social media accounts you manage.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/

Weekly Blockchain Security Watch

Apr 3 to Apr 9

From April 3, 2023 to April 9, 2023, all security incidents that had occurred can be categorized into Security Hacks and Rug-pulls.

SECURITY HACKS:

  1. Sentiment Suffers Re-entrancy Attack

On April 4, Sentiment, a project deployed on Arbitrum suffered a re-entrancy attack.

At the time of writing, the Sentiment team had pushed a fix that remediated the vulnerability.

Crypto assets worth around US $1 million were exploited in this incident.

  • MOM Suffers Exploit

On April 8, MOM, a token deployed on Polygon suffered an exploit.

The root cause of this issue was that its claim function didn’t have a proper check for its parameter.

For more details please refer to the link:

Crypto assets worth around US $185,000 were exploited in this incident.

  • SushiSwap Suffers Exploit

On April 9, SushiSwap, a famous DeFi application deployed on multiple blockchains including Ethereum, Polygon, BNB Chain, Fantom etc was exploited.

The root cause of this incident was that its RouteProcess02 contract had a vulnerability in approval of token spending.

This vulnerability was exploited to steal crypto assets worth around US $3.3 million.

Users who have interacted with SushiSwap on Ethereum, BNB chain, Polygon, Fantom and AVAX during the last four to five days should revoke their approval as soon as possible.

RUG-PULLS:

  1. OG Fan Token Suspected to Be Rug-pull

On April 9, OG Fan token, a project deployed on the BNB chain was suspected to be a rug-pull.

For more details please refer to the link:

CONCLUSION-

4 notable security incidents have occurred in the past week. 3 were security attacks and 1 was a rug-pull.

It is worth noting that SushiSwap suffered an exploit due to an approval bug that should have been detected if it had been professionally audited. 

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Be alert to any anomalies happening in the various social media accounts you manage.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/

Weekly Blockchain Security Watch (Mar 27 to Apr 2)

From March 27, 2023 to April 2, 2023, all security incidents that had occurred are all Security Hacks.

SECURITY HACKS:

  1. SafeMoon Suffers From Flash-loan Attack

On March 29, SafeMoon, a project deployed on the BNB chain suffered from a flash-loan attack.

The root cause was the contracts were upgraded such that anyone could burn tokens from any address that held the token.

The hacker exploited this vulnerability to inflate the SafeMoon token’s price and exchanged the SafeMoon tokens it held to WBNBs

Crypto assets worth around US $8.9 million were exploited in this incident.

  • Phishing Link Posted in YogaPetzs Discord Server

On April 1, a phishing link was posted in the Discord server of YogaPetz(@Yogapetz), an NFT project deployed on Ethereum.

  • Phishing Link Posted in Mark Sunsets Twitter Account

On April 1, a phishing link was posted in the Twitter account of Mark Sunset(@sunsetventurer), an influencer in Twitter.

  • Allbridge Suffers From Flash-loan Attack

On April 2, Allbridge, a project deployed on multiple blockchains including the BNB chain suffered from a flash-loan attack.

The root cause was the token price of an Allbridge pool could be manipulated.

Crypto assets worth around US $574,000 were exploited in this incident.

  • Phishing Link Posted in Raise Finances Discord Server

On April 2, a phishing link was posted in the Discord server of Raise Finance(@raise_fi), a wallet project deployed on zkSync.

CONCLUSION-

5 notable security incidents have occurred in the past week. 3 were attacks on social media and 2 were attacks on smart contracts.

It is worth noting that the unaudited contracts lead to a loss of crypto assets worth around US $8.9 million to SafeMoon. 

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Be alert to any anomalies happening in the various social media accounts you manage.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/

Weekly Blockchain Security Watch

Mar 13 to Mar 19

SECURITY HACKS:

  • Hacker Exploits Euler Finance Through Flash-Loan

On 13 Mar, a hacker attacked Euler Finance, a lending application deployed on Ethereum.

The root cause of this incident was that Euler’s donateToReserves() function did not have a proper check on collateralization status.

An attacker address started this attack with a flash-loan and created a leverage insolvent position through Euler’s mint() function and the donateToReserves() function.

The address liquidated its position in the same transaction to gain a large amount of eTokens and repeated this process on multiple Euler pools.

In this attack, the following assets were stolen:

8,877,507 DAI

8,080 WETH

846.4 WBTC

73,821 stETH

34,224,863 USDC

Eventually crypto assets worth around US $197 million were exploited in this incident.

Additional Details:

Attacker’s Address:

– 0xB2698C2D99aD2c302a95A8DB26B08D17a77cedd4 (on Ethereum)

– 0xb66cd966670d962C227B3EABA30a872DbFb995db (on Ethereum)

– 0x5F259D0b76665c337c6104145894F4D1D2758B8c (on Ethereum)

– 0xc66dFA84BC1B93df194bD964a41282da65D73c9a (on Ethereum)

Attacking Contract:

– 0x583c21631c48D442B5C0E605d624f54A0B366c72 (on Ethereum)

Attacked Contracts:

– 0xe025e3ca2be02316033184551d4d3aa22024d9dc (on Ethereum)

– 0x1b808f49add4b8c6b5117d9681cf7312fcf0dc1d (on Ethereum)

– 0x0275b156cd77c5ed82d44bcc5f9e93eecff20138 (on Ethereum)

– 0xbd1bd5c956684f7eb79da40f582cbe1373a1d593 (on Ethereum)

– 0xeb91861f8a4e1c12333f42dce8fb0ecdc28da716 (on Ethereum)

  • Hacker Exploits Poolz Finance by Exploiting Implementation’s Arithmetic Overflow

On 15 Mar, a hacker attacked a DeFi application deployed on the BNB chain Poolz Finance by exploiting on a vulnerability in an arithmetic overflow in the application’s implementation.

Hackers exploited this vulnerability to attack Poolz Finance’s token vesting protocols on both the BNB chain and Polygon.

The hacker attacked Poolz Finanace’s token vesting protocols on both the BNB chain and Polygon. Consequentially, POOLZ’s price dropped by around 99%.

Crypto assets worth around US $390,000 were exploited in this incident.

  • Echelon Announces Discord Server Compromised

On 16 Mar, a game project deployed on Ethereum Echelon (@EchelonFND) announced on Twitter that their Discord had been compromised.

In a later update by //Kalos (@templecrash) indicated that the project’s Discord server is back up and operational and that the server was undergoing a cleanup and security pass. The user urged others not to click on any links and that the project will not conduct surprise mints or drops.

  • Hacker Attacks Para Space by Exploiting Logic Vulnerability

On 17 Mar, a hacker attacked Para Space, a DeFi application deployed on Ethereum by exploited on a logic vulnerability found in the implementation’s borrow function.

The attacker attempted to borrow more than legitimate tokens as BlockSec had successfully intercepted the attack. 2900 ETHs were rescued.

However, around US$90, 000 to US$270, 000 worth of crypto assets were still exploited in this incident.

At the time of writing the project has been paused and Para Space’s patch is being audited.

RUG-PULLS:

  1. Harvest Keeper Turns Out to Be A Scam

On 19 Mar, Harvest Keeper (@Harvest_Keeper) deployed on Ethereum, BNB chain and Polygon turned out to be scam.

The contract was deployed at 0x28120471E1e42e15a71Af5E39cA9f93099F34d2d on the BNB chain.

Crypto assets worth around US $933, 000 were exploited by the team in this incident.

CONCLUSION-

5 notable security incidents have occurred in the past week. 4 were attacks on social media, smart contracts, or blockchains, and 1 was a rug-pull.

It is worth noting that the attack on Euler Finance has caused the greatest loss in 2023 so far.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Be alert to any anomalies happening in the various social media accounts you manage.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/

Weekly Blockchain Security Watch

Mar 6 to Mar 12

From 6 March 2023 to 12 March 2023, all security incidents that had occurred can be categorized into Security Hacks and Rug-pulls.

SECURITY HACKS:

  • Hacker Attacks Cheers Bunny’s Discord Server

On 6 Mar, Cheers Bunny’s Discord server was attacked. Cheers Bunny (@CheersBunnyNFT) is an NFT project deployed on Ethereum.

  • zk Bored Apes Announce Scam Hit on Discord Server

On 6 Mar, NFT project deployed on zkSync zk Bored Apes (@zkboredapes) announced on Twitter that there had been a “scam hit” on one of their mod accounts on their Discord server. In the announcement, the account detailed that there was no “serious damage” due to “the intelligent and shrewd community” who have identified and kicked the scammer out of the server.

  • NFT Trader Warns Users on Twitter of Discord Phishing Attack

On 6 Mar, NFT project deployed on Ethereum NFT Trader (@NftTrader) posted a screenshot of a scammer charading as a bot in their Discord server sending phishing links. The account urged followers on Twitter not to click on any links in the server as the “bot” was sending false information.

In a later update, the project announced that “the fire was put out immediately” and that their Discord “is all good and working”.

  • Valibots Announces Discord Compromised

On 6 Mar, NFT project deployed on Polygon ValiBots (@valibots) announced on Discord that one of their co-founder’s discord account had been hacked. The account detailed that the hacker had taken over the accounts, wallets, and contracts of the project and posted a drainage link in their Discord announcements.

As at the time of reporting, ValiBots have claimed that they have regained full control of everything.

  • Hacker Attacks Management of DeFi, WalletDMs and TradeDMs’ Discord Server

On 6 Mar, the Discord servers of multiple platforms for DeFi applications were attacked by hackers. These platforms include Management of DeFi, WalletDMs and Trade DMs.

  • Hacker Exploits Tender Fi

On 7 Mar, a hacker attacked Tender Fi, an application deployed on Arbitrum.

The root cause of this incident was that the project was connected to an old oracle.

The attacker exploited this vulnerability to borrow a huge amount of tokens from the contract.

At the time of writing, the team behind it had paused the borrowing function.

Crypto assets worth around US$1.58 million were exploited in this incident.

  • Hacker Exploits Phoenix Finance

On 7 Mar, a hacker attacked Phoenix Finance, an application deployed on Ethereum, Polygon and BNB chain.

The root cause of this incident was that a fake token was allowed to be used to borrow USDCs. The hacker exploited this vulnerability to use a fake OPT token to borrow USDCs. And the exploited USDCs were bridged to Ethereum and cased out via Tornado Cash.

Crypto assets worth around US $100,000 were exploited in this incident.

  • Hacker Attacks TOR’s Discord Server

On 8 Mar, TOR’s Discord server was attacked. TOR (@ToolsOfRockNFT) is an NFT project deployed on Ethereum.

  • Hacker Attacks Dumpies’ Discord Server

On 9 Mar, the Discord server for NFT project deployed on Ethereum Dumpies (@DumpiesNFT) was reportedly hacked. The project had posted on Twitter updating followers that the server has since remained secure.

  • Hacker Attacks Casual Sloths’ Discord Server

On 9 Mar, Casual Sloths’ Discord server was attacked. Casual Sloths (@CasualSloths) is an NFT project deployed on Ethereum.

  • Hacker Attacks Generative’s Discord Server

On 9 Mar, Generative’s Discord server was attacked. Generative (@generative_xyz) is an NFT platform for BTC crypto art.

  • Hacker Exploits Hedera

On 10 Mar, a hacker attacked Hedera, a blockchain system.

The root cause of this incident was that there was a vulnerability in its mainnet code that supports its Smart Contract Service.

The hacker exploited this vulnerability and targeted accounts used as liquidity pools on multiple DEXs to transfer Hedera Token Service tokens to the hacker’s account.

At the time of writing Hedera turned off its mainnet proxies to remove user access to the mainnet.

No specific details about the loss in this incident were reported by the team.

  • Theta Network Announces Hack on Admin Account in Discord Server

On 11 Mar, blockchain system Theta Network (@Theta_Network) posted on Twitter announcing that their admin account in Discord was hacked. The Twitter post also announced that the account had been removed and the issue was resolved. There was no loss of tokens or user data.

  • Hacker Attacks Danketsu’s Discord Server

On 11 Mar, a hacker had reportedly attacked Danketsu (@DanketsuNFT), formerly ADA Ninjaz, an NFT project deployed on Cardano. The project later updated users on Twitter that their Discord is back online and operational and the hackers were addressed by user @nftluxbug.

  • Fusionist Announces Hack on Discord Bot

On 12 Mar, blockchain game deployed on Ethereum Fusionist (@fusionistio) posted a screenshot containing their announcement of a hack on their Discord server’s bot. The announcement detailed that the Discord team has “implemented stricter measures” to keep the confidentiality of their API secret key. They also mentioned that even though the problem has been resolved, steps are also taken to prevent similar incidents from happening again in the future.

RUG-PULLS:

  • CryptogerClub Turns Out to Be A Scam

On 9 Mar, CryptogerClub (@CryptogerClub) deployed on the BNB chain turned out to be scam.

The token was deployed at 0x910b0Cb55121190d9E4176D449E26EE3BBbBff1F on the BNB chain. However, the contract deployer and EOA removed liquidity after it was unlocked.

105 BNBs worth around US $30.2K were exploited in this incident.

CONCLUSION-

16 notable security incidents have occurred in the past week. 15 were attacks on social media, smart contracts or blockchains , 1 was a rug-pull.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Be alert to any anomalies happening in the various social media accounts you manage.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/

Weekly Blockchain Security Watch

Feb 27 to Mar 5

From 27 February 2023 to 5 March 2023, all security incidents that had occurred were Security Hacks.

SECURITY HACKS:

  • Hacker Exploits SwapX’s Lack of Proper Validation for Access Control

On 27 Feb, a hacker attacked SwapX, an application deployed on the BNB Chain, by leveraging on a vulnerability in the implementation where it lacked proper validation for access control.

Here is how the attack was carried out:

Step 1: the attacker swapped 0.0581 BNB for 1 Million DND tokens.

Step 2: the attacker called the attacked contract’s 0x4f1f05bc function to swap the BUSDs of other users who had approved the contract’s spending for DNDs.

Step 3: the attacker repeated step 2 and swapped 1 million DNDs for 739.6 WBNBs.

The attacker repeated this process and eventually exploited crypto assets worth around US $1 million in this incident.

Additional Details:

– Attacker’s Address: 0x7d192fa3a48c307100c3e663050291fff786aa1f

– Attacking Contract: 0xc4bea60f5644b20ebb4576e34d84854f9588a7e2

– Attacked Contract: 0x6d8981847eb3cc2234179d0f0e72f6b6b2421a01

– Hash Value of Attack Transaction:

0x3ee23c1585474eaa4f976313cafbc09461abb781d263547c8397788c68a00160

  • GangstaGuys Warns of Fake Discord Server Alert on Twitter

On 28 Feb, NFT project deployed on Polygon GangstaGuys (@gangstaguysnft) warned its followers on Twitter that a fake Discord server had been created to scam users. The project urged users not to join the Discord server as it is not official and that the legitimate official Discord server could be accessed through the project’s bio on Twitter.

  • Hacker Attacks Wickens’ Discord Server

On 1 Mar, Wickens’ Discord server was attacked. Wickens (@WickensNFT) is an NFT project deployed on Ethereum.

  • Hacker Attacks Doge Pound’s Discord Server

On 1 Mar, Doge Pound’s Discord server was attacked. Doge Pound (@TheDogePoundNFT) is an NFT project deployed on Ethereum.

  • Aliquo Releases Post-Mortem in Light of Discord Server Attack

On 1 Mar, the Discord server of NFT project deployed on Ethereum Aliquo (@aliquoxyz) was attacked.

In a post-mortem, the project detailed how the scammer had waited in the official server for an opportune time to conduct the phishing attack. The attacker had created a phishing URL to scam users by charading the link as a “surprise ‘airdrop’”.

The project urged users to exit the Discord server as investigations are ongoing. They also assured users that there will not be plans to launch additional tokens above their flagship AQ1, and that “airdrops” to distribute royalty earnings will not be conducted.

  • Hacker Attacks Metaclub Society’s Discord Server

On 2 Mar, Metaclub Society’s Discord server was attacked. Metaclub Society (@MetaclubSociety) is an NFT project deployed on Ethereum.

  • Hacker Exploits Alexa Pro

On 5 March, a hacker had exploited Alexa Pro (@alexapro100), an application deployed on the BNB Chain.

45 BNB worth around US $13,046 were exploited in this incident.

  • NFT Project Friends in High Places Announces Discord Server Attacked

On 5 Mar, an NFT project deployed on Ethereum Friends in High Places (@FiHPnft) announced on Twitter that their Discord server had been attacked. The account urged users not to sign up for the airdrop as one of their moderator’s accounts was hacked.

On a later update, the project announced that the Discord is back in operation, and invited users who had left the server to rejoin.

  • Goofy Gophers Mining Club Announced Hack on Discord Server

On 5 Mar, an NFT project deployed on the Cardano Blockchain Goofy Gophers Mining Club (@GGMC_nft) announced on Twitter that their Discord server was breached.

The project detailed that the hacker had accessed the server over night when the team was asleep to ban the moderators, close all forms of communications and posted a few RTH airdrop scam links in the announcements channel. The links were ETH scams where Metamask wallets would be drained when accessed.

In a later update, Goofy Gophers Mining Club announced that the Discord is now fully back under the project’s control. Moving forward, they will be limiting the permissions of the teams’ ‘hot’ accounts. They have also asked users who were affected to “reach out to the team”.

CONCLUSION-

9 notable security incidents have occurred in the past week. 7 were attacks on social media or phishing attacks, 1 was on a smart contract and 1 was against an individual.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Be alert to any anomalies happening in the various social media accounts you manage.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/

Weekly Blockchain Security Watch

Feb 20 to Feb 26

From 20 February 2023 to 26 February 2023, all security incidents that have occurred can be categorized into: Security Hacks and Rug-pulls.

SECURITY HACKS:

  • Hacker Exploits Dynamic Fi

On 22 Feb, a hacker attacked Dynamic Fi, an application deployed on the BNB Chain.

For more details please refer to this link:

Additional Details:

– Attacker’s Address: 0x0C925A25fDaaC4460CAb0CC7abc90Ff71f410094

– Address That Receives Exploited Assets: 0x35596bc57c0Cab856b87854EcC142020A47f6fdF

– Hash Value of Attack Transaction:

0xc09678fec49c643a30fc8e4dec36d0507dae7e9123c270e1f073d335deab6cf0

  • Vulnerability Found in CryptoNinja World

On 22 Feb, a vulnerability was reported to be found in CryptoNinja World, a dApp deployed on Ethereum.

Its “burn(uint256 tokenId) external virtual” function defined in the contract deployed at 0xd93704f2a0eA3Db109dE194D4a51ff3e5e77CEfd did not validate whether the owner of “tokenId” was the msg.sender. This resulted in a vulnerability where any address could burn the NFTs held by any address.

  • Hacker Exploits Level DaosaurNFT’s Discord Server

On 22 Feb, DaosaurNFT’s discord server had been exploited. DaosaurNFT(@DaosaurNFT) is an NFT project deployed on Ethereum.

  • BAYCs and CLONE X Are Stolen

On 23 Feb, popular NFTs including BAYC 6396, 4587 and CLONE X 3354 were stolen. CLONE X 3354 was sold for 5 ETHs, and BAYC 6396 was sold for 67.990 ETHs on Blur.

  • Hacker Exploits Level Finance’s Discord Server

On 23 Feb, Level Finance’s discord server had been exploited. Level Finance (@Level_Finance) is a DeFi application deployed on the BNB chain.

  • Hacker Exploits Rubic’s Discord Server

On 24 Feb, Rubic’s discord server had been exploited. Rubic (@CryptoRubic) is a cross-chain aggregator.

  • Hacker Exploits MurAll’s Discord Server

On 25 Feb, MurAll’s discord server had been exploited. MurAll (@MurAll_art) is a protocol for user created art on Ethereum. In response, MurAll urged users not to click any links from the MurAll Discord server.

A later update by MurAll stated that despite regaining control of the Discord server, scammers have hijacked the MurAll Discord invite. The invite takes users to a phishing verification bot. As of the time of writing, MurAll will be updated the website.

  • Otherdeed 96085 Is Stolen and Resold on Opensea

On 26 Feb, one famous NFT Otherdeed 96085 was stolen and resold on Opensea for 2.2 ETHs in less than 6 minutes.

RUG-PULLS:

  • Hope Finance Rug-pulls

On 21 Feb, Hope Finance, an application deployed on both Ethereum and Celer had been confirmed to be a rug-pull.

The team behind the project leveraged Celer and Uniswap to move all the held ETHs to Ethereum and sent 1095 ETHs from three addresses to Tornado Cash to cash out.

1095 ETHs worth around US $2 million were exploited in this incident.

Additional Details:

– Attacker’s Addresses

0x957D354d853a1FF03dDa608F3577d24eA18fCecE

0xB83dD80d040C0AB2cd9495E748915275713120a5

0x43B89dE77189b53f93BfF1c6DF8d3d6Fb97BA688

CONCLUSION-

9 notable security incidents have occurred in the past week. 1 was a rug-pull, 8 were attacks. 2 of 8 attacks were attacks against smart contracts and the rest were on social media or phishing attacks.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Be alert to any anomalies happening in the various social media accounts you manage.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/

A Tentative Study in Social Engineering Attacks in Blockchain Ecosystem

Introduction

Recently, a number of users in the blockchain ecosystem have discovered that their Telegram accounts have been stolen. In some of these incidents, the victims were informed by their contacts, while others were discovered by the victims themselves.

The modus operandi in all these cases was to hack into individual accounts by stealing information from Telegram accounts and then send false messages to the victims by impersonating their contacts or attacking their contacts with the victim’s account.

Using social media platforms or applications to launch attacks are reported from time to time. However, in the past, hackers often used Twitter or Discord rather than Telegram.

This shows that the trend of using social accounts to carry out attacks is growing rapidly and the scope of the attacks is expanding rapidly.

The Fairyproof research team believes that this trend and problem deserves the attention and vigilance of the entire ecosystem. In view of this, the Fairyproof research team has summarized and analyzed these attacks based on the various characteristics of hackers using social accounts, and would like to share our findings with our peers and users in the ecosystem.

Full Article

When it comes to security incidents in the blockchain ecosystem, many users usually think that most of hackers’ attacks are on smart contracts, especially on DeFi-type contracts. Because these projects often have a large amount of crypto assets locked up in their smart contracts, by attacking these smart contracts, hackers can directly prey on the crypto assets within them.

However, this approach requires a high level of skill and a significant technical threshold, as the hacker needs to be proficient in smart contracts and find vulnerabilities in them in order to find the point of attack and launch the attack. It is therefore only suitable for a small group of hackers known as “scientists”.

However, hackers will not easily “give up” in the face of the huge market value of crypto assets and the lucrative benefits of illegal operations. As a result, in addition to this high threshold attack, an increasing number of unskilled criminals are seeking to use social networking software commonly used by the crypto community to steal account information for fraudulent purposes and to steal the assets of crypto asset holders.

We refer to this type of attack as a broad social account attack (or “phishing attack”, “social engineering attack”, etc.) [1].

I. What is a social account attack

A social account attack is when a hacker

– Using social networking software (e.g. email, instant messenger, social media platforms, etc.) to commit fraud against a target user by inducing the target user to disclose their sensitive information in order to steal their assets or by tricking the target user into actively transferring the assets they hold.

– Or by implanting a Trojan horse into the target user’s device, hacking into his or her social accounts, stealing his or her social information and using the account to defraud the target user’s associated social contacts to obtain his or her assets.

According to Fairyproof 2022 Blockchain Ecosecurity Annual Report, which counted 378 typical security incidents, there were 123 cases of attacks using social media, accounting for 32.54% of the total, which is comparable to the number of hacker attacks on smart contracts (143 cases)[2].

This shows that the use of social platforms/tools to carry out attacks has become an issue that every user in the blockchain ecosystem security must pay high attention to.

This paper attempts to explore and summarize the common methods of attack on social media and defensive measures used by hackers in the blockchain ecosystem, exploring five dimensions: common social platforms/tools, users using social platforms/tools, key points where social platforms/tools are used for attacks, dangerous operations that lead to the loss of assets by users, and preventive measures against attacks.

II. Social platforms/tools commonly used in the blockchain ecosystem

In the blockchain ecosystem, people usually choose different social platforms/tools with different characteristics depending on their needs.

A common social platform used for extensive business outreach and first-hand information is Twitter [3].

Discord[4] is a popular social networking tool used to bring communities together, motivate community members and facilitate interaction between project owners and the community.

To protect privacy and facilitate communication and negotiation, Telegram [5] is the main instant messaging software used.

The above three are the most commonly used social platforms/tools in the blockchain ecosystem. Apart from these, other social tools such as WeChat [6], WhatsApp [7], Facebook [8] and Instagram [9] are also used by some projects, but not nearly as frequently as the above three tools. Therefore, the exploration in this paper mainly focuses on the above three social platforms/tools.

III. Users who use social platforms/tools

In the blockchain ecosystem, we have broadly divided users of social platforms/tools into three categories according to the purpose of their use of social platforms/tools.

– Project side: These are users who are project operators or crypto asset issuers in the ecosystem. They usually issue various types of tokens themselves or have them locked in the project contracts they operate. These are usually ERC-20 tokens[10], ERC-721 tokens[11] or ERC-1155 tokens[12], etc.

These users use social platforms/tools mainly for the purpose of posting updates on their operational projects or updates on their issued tokens.

– Crypto asset investors or project users: These are users who may conduct on-chain transactions or interact with (the project’s) smart contracts. They usually buy various types of tokens issued by the project, trade tokens or interact with the contracts of the project run by the project.

These users use social platforms/tools mainly to get the latest news on the issuance of various types of tokens, the latest news on contract deployment interactions, the latest news on token trading and to share information about themselves.

– Blockchain Industry Practitioners: This category of users are those who work in the blockchain industry and are involved in the day-to-day aspects of the business such as operations and maintenance, commerce and development.

This category covers a wide range of users who do not necessarily invest in or hold crypto assets, but whose work is directly related to the operation of crypto assets or blockchain projects and have extensive connections with their peers.

These users use social platforms/tools mainly for the purpose of accessing various types of information to facilitate their internal and external communication, work, etc. They have a wide range of contacts in the ecosystem, and they spread and exchange information.

IV. Key points of social platforms/tools being used for attacks

In the blockchain ecosystem, various categories of users use social platforms/tools for different purposes and characteristics, which gives hackers the opportunity to make full use of these characteristics to target their targets and carry out attacks. The followings are the main scenarios.

– Exploiting the trust of crypto asset investors or project users in the project owner, the social platforms/tools used by the project owner are hijacked to launch attacks and place false messages to crypto asset investors or project users.

In this scenario, the main purpose of the social platform/tool used by the project owner is to distribute information, while the investor or project user is the direct consumer of such information. Under this interaction model, investors or project users generally have a psychological default belief that the information posted by the project owner in the social platform/tool is authentic and authoritative, and will follow the addresses, links, etc. given by the information species directly.

This default trust in the authenticity and authority of the information gives hackers an opportunity to take advantage of it. If a hacker steals the project owner’s social accounts and posts links to malware, fake transfer addresses or fake token issuance links, investors or project users are likely to click on the links, transfer assets or buy fake tokens without thinking, based on this trust.

Cases of hackers using Twitter and Discord to launch attacks are particularly common in this type of attack, as these two platforms/tools are mostly used by project owners to post information.

Where it is the project owner’s social accounts that are exploited, it is the crypto asset investor or project user who may lose crypto assets.

– Exploiting the strong desire of investors or project users to invest in or interact with a project and sending false project information directly to the target user

This type of attack occurs particularly often on the Twitter platform. This is because many opinion leaders or investment gurus in the blockchain ecosystem particularly like to visibly show their desire and quest for new projects and targets in their Twitter feeds.

Hackers take advantage of this desire to tweet publicly or privately about so-called “new projects” and leave links to these projects. These links can be links to malware, fake transfer addresses or fraudulent token-along offers.

If Twitter users see these messages and links and click on them without thinking or following the instructions, they are likely to fall prey to the hackers and lose their assets.

The hackers are using Twitter as a tool and the investors or project users are the ones who may lose their crypto assets.

These two types of attacks are the most common “phishing attacks” that we encounter in the blockchain ecosystem.

– Using the blockchain practitioner’s extensive network of contacts to hijack their social platforms/tools and use them to send false information to the practitioner’s contacts

The main use of social networking platforms/tools by blockchain practitioners is to interact and exchange information internally and externally. The most common tool used for this purpose is Telegram, which is therefore also used by hackers to attack such users.

In this type of attack, the hacker first steals the account of the targeted user by setting up a trick (e.g. by obtaining a login verification code, stealing a login key, etc.), then logs into the account and copies the correspondence of the social network he or she is messaging with, and then sends a fraudulent message to the targeted user posing as the social network (e.g. asking the targeted user to send encrypted assets to an address provided by the hacker, authorizing the hacker to steal the transactions of the encrypted assets, or to send a message to the target. clicking on a link to malware sent by the hacker, etc.)

Using this method, the hacker can impersonate all of the social connections on a Telegram user’s contact list and attack the target user or even all of them.

This type of attack is much more lethal and stealthy, and less likely to be detected, as these connections have already established a stronger trust relationship with the Telegram user.

These types of attacks began to appear frequently in late January this year. It is worthwhile for all Telegram users to be on high alert.

V. Dangerous actions that lead to loss of assets for the user

In any of the typical attacks listed above, the ultimate goal of the hacker is to exploit the user’s trust and trick the user into following the links or instructions he is given, regardless of the method used to launch the attack. These actions will eventually lead to the loss of the user’s encrypted assets.

The danger is therefore quite high. These dangerous actions usually include the following.

– The targeted user clicks on a link or scans a QR code from an unknown source, etc. This could lead to the user installing a Trojan horse in the environment of their crypto wallet, which could lead to the theft of their wallet key, or to the user being tricked into following up on an impostor project website (e.g. buying an impostor token), which could lead to the loss of crypto assets.

– The targeted user enters their wallet key or key in a dialog box or interface of unknown origin. This leads directly to the hacker taking control of the user’s crypto wallet and thus transferring all crypto assets from the wallet.

– The target user clicks to authorize a transaction from an unknown source. This would give the hacker the right to transfer the crypto assets from the user’s wallet at will.

VI. Preventive measures against the attack

In view of the characteristics of the typical attacks listed above and the dangerous actions that lead to the loss of crypto assets, Fairyproof recommends the following precautions for all three types of users to avoid having their social accounts exploited by hackers on the one hand and losing their crypto assets on the other.

– Security recommendations for day-to-day operations

For project information, take multiple verifications (i.e. through multiple channels and platforms) to verify its authenticity.

Pay more attention to security information in the ecology and familiarize yourself with the features and precautions of new attacks and cases.

Be cautious of websites with odd URLs and stay highly alert to unfamiliar links and click on them with caution.

– Security advice for Twitter use

Keep your account information secure and do not share it publicly; set up multiple verification processes and verification information for your account; set up privacy and security options; handle private information with care; do not click on any suspicious links on Twitter and do not scan any suspicious QR codes.

– Security advice for using Discord

Same security tips as for Twitter; also set up permissions for message senders, block suspicious users, activate 2-Factor authentication, etc.

– Security advice for using Telegram

As social networking on Telegram is more private and relies more on trust, users should be careful not to share authentication codes and, in particular, to set up their own private information (e.g. don’t disclose phone numbers, don’t make private information visible, etc.) when using Telegram, in addition to the recommendations of Twitter and Discord. Also be vigilant about the behavior of your social contacts and use voice or other non-text communication to confirm any odd behavior immediately.

– Security advice for using crypto wallets

When we open a crypto wallet, do not under any circumstances enter your password or mnemonic on a suspicious screen.

For each transaction, read the signature message carefully before signing, check the authenticity of the website and other information in the signature message and compare it to the website you intended to access.

Refuse to sign transactions with ambiguous or oddly sourced addresses.

The advice on the secure use of wallets is not the focus of this article and is provided here only as a side note to the advice on the secure use of social platforms/tools and will not be elaborated upon.

The role of social platforms/tools in the blockchain ecosystem is to build trust between people, but the underlying technology and operational processes on which such trust relationships are based are open to various vulnerabilities and exploitation. Therefore, once people have built up trust based on these social platforms/tools, hackers can use them to commit fraud and attack with impunity once they have “stolen” this trust relationship by exploiting the loopholes in technology or operation.

All precautions against these frauds and attacks can be summarized in the following guidelines.

– Reduce psychological dependence on this relationship of trust.

– Use multiple technical means and more rigorous operational processes to challenge this trust relationship, thereby increasing the cost and raising the threshold for hacking, and ultimately protecting the project and protecting the asset.

References:

[1] Salahdine F, Kaabouch N. Social engineering attacks: A survey[J]. Future Internet, 2019, 11(4): 89.

[2] Fairyproof’s Review Of 2022 Blockchain Security,

https://fairyproof.com/doc/Fairyproof’s_Review_Of_2022_Blockchain_Security.pdf,January, 2023

[3] Twitter, https://twitter.com/home

[4] Discord, https://discord.com/

[5] Telegram, https://telegram.org/

[6] 微信, https://weixin.qq.com/

[7] WhatsApp, https://www.whatsapp.com/

[8] facebook, https://www.facebook.com/

[9] Instagram, https://www.instagram.com/

[10] ERC-20 Token Standard,

https://ethereum.org/en/developers/docs/standards/tokens/erc-20/

[11] ERC-721 Non-fungible Token Standard,

https://ethereum.org/en/developers/docs/standards/tokens/erc-721/

[12] ERC-1155 Multi Token Standard, https://eips.ethereum.org/EIPS/eip-1155

Weekly Blockchain Security Watch (Feb 13 to Feb 19)

Feb 13 to Feb 19

From 13 February 2023 to 19 February 2023, all security incidents that have occurred were Security Hacks.

SECURITY HACKS:

  • Hacker Leverages MEV Contract Front-Run in Attack Against Anyswap

On 15 Feb, a hacker attacked Anyswap, an application deployed on Ethereum.

The hacker leveraged an MEV contract to front-run a regular WETH transfer transaction by calling AnyswapV4Router’s anySwapOutUnderlyingWithPermit function to approve token spending. Although the function validated the permit signature, the transaction that exploited WETHs in this incident did not get validated. Therefore, in the subsequent function calls, the hacker could call the safeTransferFrom function to allow the _underlying address to approve spending of its WETHs by the hacker without validating signatures.

87 ETHs worth around US $130,000 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0xfde0d1575ed8e06fbf36256bcdfa1f359281455a

– Hash Value of Attack Transaction:

0x192e2f19ab497f93ed32b2ed205c4b2frontff628c82e2f236b26bec081ac361be47f

  • Hacker Attacks Platypus Through Flash Loan

On 16 Feb, a hacker attacked Platypus, an application deployed on the Snow blockchain, by leveraging on a flash-loan.

The root cause of this incident was that the emergencyWithdraw function defined in the MasterPlatypusV4 contract did not validate whether a borrower had paid back the debt.

The attacker flash-loaned 44 million USDCs, called the Platypus Finance contract’s deposit function to mint LP-USDCs. The attacker then staked the LP-USDCs to MasterPlatypusV4’s fourth vault, called the positionView function and minted a large amount of USPs. According to normal logic the hacker should own a huge debt by staking USPs and, therefore, should not be able to withdraw his/her staked assets. However, the vulnerability in the emergencyWithdraw function allowed the hacker to withdraw his/her staked assets.

After paying back the flash-loan, the hacker acquired a profit of 41,794,533 USPs and exchanged them to stable coins worth around US $8,522,926.

Additional Details:

– Attacker’s Address: 0xeff003d64046a6f521ba31f39405cb720e953958

– Hash Value of Attack Transaction:

0x1266a937c2ccd970e5d7929021eed3ec593a95c68a99b4920c2efa226679b430

  • Hacker Attacks Dexible

On 17 Feb, a hacker attacked Dexible, an application deployed on Ethereum.

The root cause of this incident was that the one of its contracts had a vulnerability in its access control.

The hacker defined a “transferfrom” function and passed this function together with a user’s address (0x58f5f0684c381fcfc203d77b2bba468ebb29b098) and the hacker’s address (0x684083f312ac50f538cc4b634d85a2feafaab77a) to a “fill” function. This results in the user’s address to approve the hacker to spend the token. All the exploited assets were transferred to Tornado Cash.

Crypto assets worth around US $1.54 million were exploited in this incident.

Additional Details:

– Attacker’s Address: 0x684083F312Ac50f538Cc4B634d85a2feafaAB77a

– Hash Value of Attack Transaction: 0x58f5f0684c381fcfc203d77b2bba468ebb29b098

  • Hacker Attacks Baby Doll

On 18 Feb, a hacker attacked Baby Doll, an application deployed on the BNB Chain.

25.049 BNBs worth around US $7900 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0xebc58c96cef9fc91a4ae049f026f8076198e5f83

– Hash Value of Attack Transaction:

0x449cfecbc8e8469eeda869fca6cccd326ece0c04a1cdd96b23d21f3b599adee2

  • OkCat Announces Discord Server Hacked

On 18 Feb, NFT project deployed on Polygon OkCat (@OkCat_NFT) announced on Twitter that their Twitter had been hijacked.

In their most recent update, the NFT project also warned users that the current Discord server is all a scam and urged users to unsubscribe and spread the word.

  • Revert Finance Team Claims v3utils Contract Attacked

On 18 Feb, the team behind Revert Finance, an application deployed on Ethereum, claimed on Twitter that its v3utils contract had been attacked by a hacker.

90% of the exploited assets were stolen from single accounts and the exploited assets included 22983.235188 USDCs, 4106.316699 USDTs, 485.5786287699002 OPs, 0.18217977664322793 WETHs, 36.59093198260223 DAIs, 211.21463945524238 WMATICs and 22 Premias.

Most of the addresses that had approved this contract to spend their tokens had revoked their approvals. The team reminded those that had not revoked their approvals to revoke their approvals. The team planned to release a full report about this incident and compensate the victims.

Additional Details:

– Attacked Contracts:

Ethereum: 0x531110418d8591c92e9cbbfc722db8ffb604fafd

Polygon: 0x8c925768c793e00c095135b8656d6014ee2d07bb

Optimism: 0x2A017f2Fb369F4CA061B8D8A922Bb05100e8f8C3

Arbitrum: 0x95a8cc9ab71b26bdacbe6a7ccf519456edc2a164

CONCLUSION-

6 notable security incidents have occurred in the past week. 5 of 6 security incidents were attacks against smart contracts and one was on social media.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Be alert to any anomalies happening in the various social media accounts you manage.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/

Security Checkpoints for EIP-4337 Based Account Abstraction Implementation

Fairyproof conducts a study of EIP-4337 and present findings with security checkpoints.

EIP-4337 [1] is a proposal for implementing account abstraction which allows users to use smart contract wallets instead of an Externally Owned Account (EOA) as their primary account.

The biggest motivation to create this EIP is to avoid changes in Ethereum’s consensus layer and implement account abstraction mainly in smart contracts.

A significant feature that an account abstraction solution should have is to simulate transactions that users initiate with EOAs. The biggest difference between a transaction initiated by an EOA and one initiated by a contract account is that an EOA requires a signature signed by the EOA’s private key.

To implement such a solution, five concepts are introduced in this proposal: “UserOperation”, “Bundler”, “EntryPoint”, “Paymaster” and “Aggregator”.

A “UserOperation” is a data structure that defines a transaction initiated from an EOA. In this EIP it should be implemented and sent to a separate mempool.

A “Bundler” is a block builder that collects UserOperations from the mempool, or a user that can send transactions to a block builder. After a Bundler collects UserOperations, it will send them  to a special contract defined as an “EntryPoint”.

An “EntryPoint” is a smart contract that validates and execute UserOperations sent by Bundlers.

A “Paymaster” is a smart contract that can help pay transaction fees on a users’ behalf. This feature is optional and can be used to allow users to pay fees with EIP-20 tokens.

An “Aggregator” is a helper contract. This feature is also optional and is used to validate aggregated signatures.

In essence, the logic proposed in this EIP are as follows:

As a blockchain security company, Fairyproof has studied this EIP and hoped to find all the security checkpoints that should be kept in mind when auditing a solution implemented based on this EIP.

We have studied these five concepts and their proposed implementation details. Here are our findings with security checkpoints:

1. Security Checkpoints for UserOperation’s Implementation

A significant security issue in the EIP’s proposed logic is that malicious actors could launch DOS attacks by sending invalid UserOperations to trick the EntryPoint into execute these operations without paying any fees.

Therefore, validating UserOperations in all the interfaces cannot be ignored.

The following sanity checks should be done for UserOperation:

– Either the sender is an existing contract, or the initCode is not empty (but not both)

– If initCode is not empty, parse its first 20 bytes as a factory address and check if the factory is staked. If the factory accesses global state, it must be staked.

– The verificationGasLimit should be sufficiently low (<= MAX_VERIFICATION_GAS) and the preVerificationGas should be sufficiently high (enough to pay for the calldata gas cost of serializing the UserOperation plus PRE_VERIFICATION_OVERHEAD_GAS)

– The paymasterAndData is either empty, or start with the paymaster address which is a contract that (i) currently has nonempty code on chain, (ii) has a sufficient deposit to pay for the UserOperation, and (iii) is not currently banned.

– The callgas is at least the cost of a CALL with non-zero value.

– The maxFeePerGas and maxPriorityFeePerGas should be above a configurable minimum value that the client is willing to accept. At the minimum, they are sufficiently high to be included with the current block.basefee.

– Only one UserOperation per sender may be included in a single batch. A sender is exempt from this rule and may have multiple UserOperations in the pool and in a batch if it is staked.

2. Security Checkpoints for EntryPoint’s Implementation

The “UserOperation” parameter in the handlOps and simulateValidation interfaces should be checked.

Particularly in the UserOperation data structure: the “sender” field should be a smart contract address rather than an EOA address, the “nonce” value should be unique to prevent replay attacks, the “initCode” should not be null if the account is not on-chain and needs to be created, the “signature” should be dependent on the chainid and the EntryPoint address to prevent replay attacks.

The “beneficiary” parameter in the handleOps and handleAggregatedOps should be a valid beneficiary address.

The EIP suggests the EntryPoint contract to be upgradable. The address that has access control to upgrade the contract should be managed with care and caution. In case it is compromised, the EntryPoint will be exposed to huge risks.

3. Security Checkpoints for IAggregatedAccount’s Implementation

The “userOp” parameter in the validateUserOp interface should be checked. The aforementioned points for “UserOperation” apply to this as well.

The “aggregator” parameter should be a valid address if an aggregator is used or can be ignored if no aggregators are used. And it should be the same as the return value of the “getAggregator” interface.

The “userOpHash” parameter should be a non-null value and be a hash over the userOp (except signature), EntryPoint and chainId.

Regarding the implementation of the validateUserOp interface, the following things should be checked:

– if its caller is a trusted EntryPoint and a smart contract address.

– If the account does not support signature aggregation, it must check if the signature is a valid hash of the userOpHash, and should return SIG_VALIDATION_FAILED (and not revert) if the signature doesn’t match. If any other error occurs, the transaction should be reverted.

– it must pay its caller (EntryPoint) at least the “missingAccountFunds” and may need to pay more to cover future transactions

The validateUserOp interface’s return value should be checked and corresponding operations should be performed according to the return value.

4. Security Checkpoints for IAggregator’s Implementation

The “userOp” parameter in the validateUserOpSignature, aggregateSignatures and validateSignatures interfaces should be checked. The aforementioned points for “UserOperation” apply to this as well.

The “signature” parameter in the validateSignatures should be a non-null value.

With regards to the Aggregator’s implementation, the following things should be specifically checked:

– validateSignatures() must validate the aggregated signature matches for all UserOperations in the array, and revert otherwise.

– An aggregator should stake to be trusted unless otherwise being exempt.

5. Security Checkpoints for Paymaster’s Implementation

The “userOp” parameter in the validatePaymasterUserOp interface should be checked. The aforementioned points for “UserOperation” apply to this as well.

The “userOpHash” parameter should be a non-null value and be a hash over the userOp (except signature), EntryPoint and chainId.

The “withdrawAddress” parameter in the withdrawStake and withdrawTo interfaces should be a valid address.

The “account” in the balanceOf and depositTo interfaces should be a non-zero valid address.

The “withdrawAmount” in the withdrawTo interface shouldn’t be greater than the return value of the balanceOf interface.

A Paymaster should be a valid smart contract address if it is introduced.

A Paymaster should have enough crypto assets to pay relevant operations if it is introduced.

A Paymaster should stake to be trusted.

Conclusion

These security checkpoints do not cover all the potential security issues that this EIP may introduce when implementing a solution. They are only what Fairyproof is specifically aware of when auditing such a solution.

Apart from these checkpoints, there are other important issues that have been extensively talked about in this EIP. These issues are mostly related to logical issues and should be seriously taken into consideration as well when auditing.

Reference:

[1] EIP-4337: Account Abstraction Using Alt Mempool, https://eips.ethereum.org/EIPS/eip-4337

Vitalik Buterin (@vbuterin), Yoav Weiss (@yoavw), Kristof Gazso (@kristofgazso), Namra Patel (@namrapatel), Dror Tirosh (@drortirosh), Shahaf Nacson (@shahafn), Tjaden Hess (@tjade273), “ERC-4337: Account Abstraction Using Alt Mempool [DRAFT],” Ethereum Improvement Proposals, no. 4337, September 2021. [Online serial]. Available: https://eips.ethereum.org/EIPS/eip-4337.