Pioneering Blockchain Security Company Presents Annual Report on Blockchain Security for Year 2022
Singapore, January 30, 2023 – Global pioneering blockchain security company Fairyproof released its annual Review of Blockchain Security in 2022 (hereafter referred to as the “Report”). The Report presented data gathered through the year 2022 on a total of 378 prominent, publicly reported blockchain security incidents, along with statistics and analysis based on the targets attacked and the root causes.
The Report revealed that the entire blockchain ecosystem had witnessed an accumulated loss of US$2.52 billion. Attacks against cross-chain bridges stood out as a prominent issue, accounting for about 40% (US$1.01 billion) of the total losses. The Report attributed the remaining losses to cyberattacks against smart contracts (US$571.34 million), leaked private keys (US$999.79 million), and attacks against layer 2 solutions (US$35 million).
Fairyproof CEO Mr. Tan Yuefei noted that the attacks on cross-chain bridges and the resulting losses in 2022 far surpassed those of 2021. “No doubt, this is a big concern for the entire crypto space. Many project teams are exploring new solutions to improve the security of existing cross-chain bridges. I would gather that MPC technology would be a mature, sustainable base to develop such solutions.”
Tan went on to discuss the future of the blockchain ecosystem. “Although most attacks were on cross-chain bridges through 2022, there is a shift in focus to Zero Knowledge (zk) related applications. This would mean that we would soon witness zk-related attacks. That said, I am proud to say that Fairyproof is well-equipped for the rising demand for zk-related audits and is making good progress in developing security solutions for these applications.”
The Report also ranked the attack types used, in increasing order: price manipulation, flash loans, and the exploitation of logic vulnerabilities. It concluded with the following recommendations for both blockchain developers and users:
Blockchain Developers: Ensure that security solutions for cross-chain bridges are capable of handling off-chain activities safely and securely, and increase awareness of security for layer 2 solutions in light of emerging attack trends against layer 2 platforms.
Users: Thoroughly investigate security conditions for cross-chain bridges before interacting with them, pay attention to security of UIs in dApps, and check for audit reports for projects.
“The overall crypto market is experiencing a bear market. However, our findings show that cyberattacks stay relentless. Everyone should focus on keeping their projects and assets safe,” Mr. Tan concluded.
About Fairyproof:
Fairyproof is a pioneering blockchain security company established in 2021 with the slogan “Make IT a Safer Place”. They have been actively developing blockchain security solutions and Ethereum standards and have meaningfully contributed to established Web3.0 projects like Ethereum, BNB Smart Chain, and HECO.
For the Year 2022, Presented by Fairyproof on 2023
Executive Summary
The overall crypto market entered a bear market through 2022. However, attacks against the crypto ecosystem were still active.
– Crypto assets worth around US $2.52 billion were exploited in 378 prominent security incidents.
– 11 attacks against cross-chain bridges totaled a loss of US $1.01 billion accounting for 39.94% of the overall total loss in 378 incidents. The security of cross-chain bridges has become a prominent issue.
– Attacks that exploited logic vulnerabilities, flash-loans, price manipulation, governance vulnerabilities and re-entrancy vulnerabilities resulted in a loss of US $571.34 million and this loss accounted for 69.64% of the total loss in the attacks against smart contracts alone. These vulnerabilities could have been uncovered and the loss could have been prevented if these attacked contracts had been professionally audited.
– The loss (US $999.79 million) caused by leaked private keys accounted for 42.18% of the total loss in attacks from hackers. Managing private keys safely and securely should always be the number 1 factor all crypto users should keep in mind.
– The loss (US $35 million) caused by attacks against layer 2 solutions far surpassed the loss (US $5.95 million) caused by attacks against blockchain mainnets. This shows that the security of layer 2 solutions has become a more pressing need than the security of blockchain mainnets.
– In 2022, Fairyproof extensively researched ZK (zero-knowledge proof [1]) related technologies and is familiar with the existing mainstream solutions in the industry. Fairyproof has established its own development process and model, and can promptly deliver solutions based on application requirements. With regard to ZK-related audits, Fairyproof has rich experience and is proficient in converting a problem to ZK circuits, auditing circuits, proof generation, proof verification, and more. In addition, Fairyproof has been actively working on optimizing ZK-related implementations and improving their security, such as using MPC technology to decentralize the initial setup in ZK-Snark implementations.
– In 2022, Fairyproof established strong technical strength in MPC [2] related technologies, and has established its own development process and model. Fairyproof is also capable of promptly delivering solutions for popular applications like using MPC to conduct omnichain transactions.
BACKGROUND
Before proceeding, the following terms and technologies are introduced in this report:
CCBS
CCBS stands for “Centralized Crypto or Blockchain Service”. A CCBS refers to a platform or service that provides crypto or blockchain related products or services, and is run by a conventional / centralized organization, entity or company such as conventional crypto exchanges (eg. Binance or Tether).
FLASHLOAN
Flash loans are a popular feature that hackers utilize when attacking EVM-Compatible smart contracts. Flash loans were developed by the team behind the famous DeFi application AAVE [3]. This feature “allows users to borrow any available amount of assets without putting up any collateral, as long as the liquidity is returned to the protocol within one block transaction” [4]. Flash loans are quite often used to borrow ERC-20 tokens [5] and attack DeFi applications. To initiate a flash loan, users will need to write a contract that borrows an available amount of assets and pay back the loan + interest + necessary fees all within the same transaction.
CROSS-CHAIN BRIDGE
A cross-chain bridge is an infrastructure that connects multiple independent blockchains and enables an exchange of cryptos, data or information from one blockchain to another.
As more blockchains have their own ecosystems, cryptos and dApps, the need for exchanging cryptos or data across different blockchains becomes increasingly high while the volume of cross-chain transactions dramatically increases. This causes cross-chain bridges to suffer more attacks.
FOCUS OF THIS REPORT
In this report we list our statistics collected from typical security incidents that happened in the blockchain industry in 2022, give an in-depth analysis of their root causes, and present our recommended best practices.
STATISTICS AND ANALYSIS OF SECURITY INCIDENTS OF 2022
We studied 378 prominent security incidents that occurred in 2022 and present our statistics and analysis based on the targets and root causes.
In 2022 the total value of the exploited assets was US $2.52 billion and the overall market cap of cryptocurrencies according to Tradingview was US $756.15 billion. The value of the exploited assets accounted for 0.33% of the total market cap of cryptocurrencies.
OVERALL TREND OF BLOCKCHAIN SECURITY INCIDENTS OF 2022
We studied each quarter’s blockchain security incidents and derived the following trend graph:
From this graph we can see that the number of incidents increased throughout the year except in Q4, and the amount of loss increased as well except in Q3.
INCIDENTS CATEGORIZED BY TARGETS
Our researched incidents can be categorized into four types of targets:
CCBS
Blockchains
DApps
Cross-chain Bridges
A CCBS-related incident is one in which a centralized crypto or blockchain service platform is attacked by hackers resulting in the failure of its services or a loss of crypto assets under its custody.
A blockchain-related incident is one where a blockchain mainnet, side chain or layer 2 is attacked by malicious actors from inside, outside, or both, resulting in its operation going out of order, or that a blockchain fails to work properly due to issues related to software, hardware, or both. Attackers will then be able to exploit the consensus for profits.
A dApp-related incident is one where a dApp’s daily operation goes out-of-order or is attacked, leaving it open for attackers to exploit users and crypto assets under the custody of the dApp.
A cross-chain bridge-related incident occurs when a cross-chain bridge is attacked resulting in a loss of crypto assets under its custody or a failure of the exchange function between multiple blockchains.
There were 378 incidents in total. Here is a figure that shows the percentage for each of these targets respectively.
The number of dApp-related incidents account for more than 84.16% of the total incidents. Out of 378 incidents, 24 were CCBS-related, 15 were blockchain-related, 11 were cross-chain bridge-related, and 328 were dApp-related.
BLOCKCHAIN-RELATED INCIDENTS
Incidents that had occurred in blockchains can be further categorized into three sub-categories:
Blockchain mainnets
Side chains
Layer 2 solutions
A blockchain mainnet, also known as layer 1, is an independent blockchain that has its own network with its own protocol, consensus, and validators. A blockchain mainnet can validate transactions, data, and blocks generated in its network by its own validators and reach a finality. Bitcoin and Ethereum are typical blockchain mainnets.
A side chain is a separate, independent blockchain which runs in parallel to a blockchain mainnet. It has its own network consensus and validators. It is connected to a blockchain mainnet (eg. by a two-way peg [6]).
A layer 2 solution refers to a protocol or network that relies on a blockchain as its base layer (layer 1) for security and finality [7]. Its main purpose is to solve scalability issues of its base layer. It processes transactions faster and costs less resources compared to its base layer. Since 2021, there has been a huge surge in the growth and development of layer 2 solutions for the Ethereum ecosystem.
Both side chains and layer 2 solutions exist to solve the scalability issues of a blockchain mainnet. The significant difference between a side chain and a layer 2 solution is that a side chain does not necessarily rely on its blockchain mainnet for security or finality whereas a layer 2 solution does.
There were 15 blockchain-related incidents in total in 2022. The figure below shows the percentages of blockchain mainnet related incidents, side-chain related incidents, and layer 2 related incidents respectively.
The number of blockchain mainnet related incidents and layer 2 related incidents account for 60% (9) and 40% (6) of the total incidents respectively. No prominent side-chain related incidents were covered in our statistics. The layer 2 solutions that were attacked included 3 Ethereum layer 4 solutions and they were Loopring [8], zkSync [9], Optimism [10] and Arbitrum [11], while the majority of the attacked blockchain mainnets were non-EVM blockchains.
DAPP RELATED INCIDENTS
Among the 328 incidents that occurred toward dApps, 35 were rug-pulls, 148 were involved in exploitations and 145 were directly attacked. An attack against a dApp can specifically target its front-end, server side, or smart contract(s). We can therefore further classify these 41 incidents into three sub-categories:
dApp’s front-end
dApp’s server side
dApp’s smart contract(s)
dApp’s front-end related incidents refers to events where vulnerabilities from the conventional client side are exploited, compromising on the account information and personal details of users which can be used to steal their crypto assets.
dApp’s server side related incidents are those where vulnerabilities present in the conventional server side are exploited, leaving on-chain and off-chain communication open for hijacking and crypto assets of users open for exploitation.
Smart contract related incidents refer to vulnerabilities in a smart contract’s design or implementation, which are leveraged to exploit crypto assets from users.
Here is a figure that shows the percentages of front-end, server-side and smart contract related incidents respectively.
The above figure shows the number of smart contract related incidents, server side related incidents, and front-end related incidents, accounting for 91.03%, 0%, and 8.97% of the total incidents respectively. Among 145 incidents, 13 were front-end related and 132 were smart contract related.
We further studied the amount of loss incurred from these sub-categories. Our study showed that the amount of loss in front-end related incidents was US $6.06 million, and the amount of loss in smart contract related incidents was US $820.26 million.
It is clear that smart contract related incidents were the biggest issue. Typical vulnerabilities we found pertaining to smart contracts in 2022 include logic vulnerabilities, private key leaks, flash loans, re-entrancy attacks, and more.
We studied the 132 incidents in which smart contracts were directly attacked and derived the following figure based on vulnerability types:
The figure shows that logic vulnerabilities accounted for the highest percentage of incidents, followed by flashloan attacks. Logic vulnerabilities mainly include missing validations for parameters, missing validation for access control, etc. 51 projects suffered from logic vulnerabilities and 24 suffered from flashloan attacks.
The following figure illustrates the amount of loss for each vulnerability type:
The amount of loss caused by logic vulnerabilities still ranked first. 51 incidents were caused by logic vulnerabilities, totaling a loss of US $205.64 million. This loss accounted for 25.07% of the total loss. The amount of loss caused by governance attacks ranked second. 6 incidents were caused by governance attacks, totaling a loss of US $189.51 million. This loss accounted for 23.1% of the total loss. Meanwhile, 8 incidents caused by private key leaks totaled a loss of US $173.85 million and accounted for 21.19% of the total loss, ranking third.
INCIDENTS CATEGORIZED BY ROOT CAUSES
The root cause of these incidents can be categorized into the following:
Attacks from hackers
Rug-pulls
Misc.
We studied these incidents and got the following figure.
The above figure shows that the number of attacks from hackers, rug-pulls and misc. incidents accounted for 90.48% (342) and 9.52% (36) of the total incidents respectively.
We studied the amount of loss of each category of incidents based on the root cause and got the following figure:
The above figure shows that the amount of loss in the incidents that suffered from attacks and the amount of loss in rug-pull incidents each accounted for 94.13% and 5.87% of the total loss respectively. The amount of loss in the incidents that suffered from attacks was US $2.37 billion and the amount of loss in rug-pull incidents was US $0.15 billion. This reveals that attacks from hackers posed the largest threat to the whole crypto ecosystem in 2022.
ATTACKS FROM HACKERS
We studied the targets the hackers attacked and got the following figure:
The figure above shows that the number of attacks on dApps, CCBSs, blockchains and cross-chain bridges accounted for 85.42% (287), 6.85% (23), 4.46% (15) and 3.27% (11) respectively.
After we studied the amount of loss in each of them we got the following figure:
The amount of loss in attacks on cross-chain bridges, dApps, CCBSs and blockchains were 42.64%, 37.05%, 18.57% and 1.74%, resulting in a loss of US $1.01 billion, US $873.95 million, US $438.06 million and US $40.95 million respectively.
RUG-PULLS
The rug-pulls that happened in 2022 were against dApps or CCBSs. 1 was a CCBS rug-pull and 35 were dApp rug-pulls. There were 36 incidents totaling a loss of US $147.85 million which were not as severe as losses caused by attacks.
RESEARCH FINDINGS
dApps were the most prominent target for attacks in 2022 as the most number of attacks were against them. However, the amount of loss caused by cross-chain bridge attacks ranked first totaling a loss of US $1.01 billion and accounting for 42.64% of the total loss that suffered from attacks from hackers. This reveals that the overall security situation of the existing cross-chain bridges is a big concern for the whole crypto space.
Hackers remained the main threat to the crypto industry, accounting for more than 90% of all incidents and more than 94% of the total loss. This far surpassed any other root cause such as rug-pulls, etc.
Both the number of attacks on layer 2 solutions and the amount of loss in these attacks increased dramatically in 2022 compared to those of 2021. We think this will be an irreversible trend because layer 2 solutions have been emerging rapidly and will keep doing so in the following years.
A dApp consists of three parts: a front-end, a server-side and smart contracts. Either one or multiple parts are targeted during dApp attacks. According to our statistics, smart contract(s) accounted for an extraordinarily high percentage of attacks compared to the front-ends or server sides with regard to both attack frequency and amount of loss in 2022. This shows that attacks on smart contracts still posed the biggest threat to dApps.
Most of the rug-pulls in 2022 were dApp rug-pulls, accounting for 97.22% of the total number of rug-pulls and 78.36% of the total loss in rug-pulls.
Finally, for smart contract related incidents, we found the number of attack sub-categories (except misc incidents) to be ranked as the following:
Rank 1: Logic vulnerability
Rank 2: Flash-loan
Rank 3: Price manipulation.
The amount of loss in the incidents caused by logic vulnerabilities far surpassed that of either of the other two ranks.
TENTATIVE THOUGHTS
In addition, more project teams rushed into or planned to jump into Zero Knowledge (zk) related applications including zk-rollup solutions for Ethereum, zk related social applications, and more. We think there will be an increasing demand for audits of zk related applications.
Both the number of attacks on cross-chain bridges and the amount of loss in these attacks in 2022 far surpassed those of 2021. This has raised a big concern to the whole crypto space. Quite a few teams have been exploring various new solutions to improve the security of the existing cross-chain bridge solutions. The MPC technology is one of the promising solutions. We think more mature and affordable solutions based on the MPC technology will emerge in the following years. And there will be an increasing demand for audits of MPC related applications and solutions.
BEST PRACTICES TO PREVENT SECURITY ISSUES
In this section we present some best practices to help both blockchain developers and users manage the risks posed by the incidents that happened in 2022, and support coordinated and efficient response to crypto security incidents. We would recommend both blockchain developers and users to apply these practices to the greatest extent possible based on the availability of their resources.
Note: “Blockchain developers” refer to both developers of blockchains and developers of dApps, and blockchains or systems pertaining to crypto currencies. Here, “blockchain users” refer to everyone that participates in activities pertaining to crypto system’s management, operation, trading, etc.
FOR BLOCKCHAIN DEVELOPERS
Developers of cross-chain bridges need to pay closer attention to the bridges’ security as cross-chain transactions become increasingly popular. Cross-chain bridge solutions include handling of operations – not only on-chain but also off-chain. Naturally, the off-chain part would be more vulnerable to attacks. Hence, security solutions for cross-chain bridges should be particularly capable of handling off-chain activities safely and securely.
Awareness of security for layer 2 solutions should still be kept even though attacks on them were few with negligible losses as more layer 2 solutions will emerge in the coming years. Research and development for solutions to tackle security challenges in this area must be prompt.
A step to transfer an admin’s access control to a multi-sig wallet or a DAO to manage access control to crypto assets or critical operations is a must-have.
Attackers would employ flash loans to maximize their exploits when they detect vulnerabilities in smart contracts, including issues of re-entrancy, missing validations for access control, incorrect token price algorithm, and more. Proper handling of these issues should have the highest priority for a smart contract developer when designing and coding a smart contract.
Our statistics show that an increasing number of hackers have been using social media tools – especially Discord – to launch phishing attacks. This persisted through the whole year of 2022 and will very likely persist in 2023. Many users have suffered huge losses. Project developers and managers are advised to prioritize safely and securely managing social media accounts and finding security solutions for them on top of project implementation.
FOR BLOCKCHAIN USERS
More users are varying their crypto portfolio across different blockchains. The demand for cross-chain transactions is rapidly increasing. Whenever a user participates in a cross-chain transaction, the user will have to interact with a cross-chain bridge – a popular target among hackers. Hence, before starting a cross-chain transaction, users are advised to investigate the bridge’s security condition and ensure they use a reliable, safe and secure bridge.
While it is necessary to pay great attention to the security of smart contracts when interacting with a dApp, it is increasingly important to also pay attention to the security of the user interface and to watch for suspicious messages, prompts, and behavior presented by the UI.
We strongly urge users to check whether a project has audit reports and read these reports before proceeding with further actions.
Use a cold wallet or a multi-sig wallet where possible to manage crypto assets that are not for frequent trading. Be careful about using a hot wallet and make sure the hardware on which a hot wallet is installed is safe and secure.
Be cautious of a dApp whose team members are unknown or lack reputation. Such dApps may eventually turn out to be rug-pull projects. Be cautious of a centralized exchange which has not established a reputation or does not have tracked transaction data on third party media, as it may also eventually prove to be a rug-pull project.
On 10 Jan, a hacker attacked the Twitter account (@ChimpersNFT) of Chimpers, an NFT project based on Ethereum. The project later reassured followers that their Twitter account has been safely secured.
In their follow-up tweet, they reiterated that the project would “NEVER spontaneously launch a surprise mint, claim or airdrop”. They have also commenced commutations for victims of the hack.
Hacker Attacks BRA on BNB Chain
On 10 Jan, a hacker attacked BRA, a dApp deployed on the BNB chain.
For more details please refer to:
According to Fairyproof's detection system, a BNB chain deployed token BRA's price (https://t.co/kwf4t8ZHUH) crashed to zero. Holders of this token should be aware of this
Fairyproof is investigating this issue and will release more details asap
On 10 Jan, Sui Name Service (@snsstork), a name service deployed on the Sui blockchain, announced on Twitter that their Discord server was attacked by “a staff member who was paid off” and who impersonated an admin.
The account also said that they are “working on restoring roles” and offered support for those who need it.
Hacker Manipulates ROE Finance Oracle in Attack
On 11 Jan, ROE Finance (@RoeFinance), a DeFi application deployed on Ethereum, was attacked.
The root cause of this incident was that the oracle was manipulated.
ROE Finance was built on top of AAVE. The hacker carried out this attack by following the steps below:
Step 1: The attacker-controlled address initially borrowed 5,673,090 USDCs from Balancer, and deposited them to the roeUSDC pool.
Step 2: The same address borrowed 2,953,841,283 UNI-V2s from the pool, left the debt to the contract creator, and deposited the borrowed assets to the pool.
Step 3: The hacker repeated the previous step roughly 49 times, burned 0.295 UNI-V2 and earned 2.96 WBTCs and 51,661 USDCs.
Step 4: The hacker gave 26,024 USDCs to UNI-V2 and called the Uniswap V2 sync function. This manipulated the price of the UNI-V2 obtained from the oracle.
Step 5: The hacker borrowed back 5,673,090 USDCs that had been put into the roeUSDC pool earlier, exchanged 14,345 USDCs to 0.66 WBTCs, and repaid the USDCs back to Balancer.
Crypto assets including 2.29 WBTCs and 39,982 USDCs worth around US $80,000 were exploited in this incident.
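The write-up does not say how ROE's oracle computed the UNI-V2 price. The following added example (not ROE's or Fairyproof's code) assumes a lending market that values an LP token from the pair's current reserves, and shows how a direct transfer followed by sync moves that value, next to two defensive alternatives: a geometric-mean valuation and a bounded price update. The pool size, LP supply, WBTC price and all function names are constructed for illustration; only the 26,024 USDC amount comes from step 4.

```python
from dataclasses import dataclass
from math import sqrt

# Reference prices in USD (constructed). A real deployment would take these from
# an independent feed, never from the pair that is being valued.
USDC_USD = 1.0
WBTC_USD = 20_000.0


@dataclass
class Pair:
    """Constructed Uniswap V2-style USDC/WBTC pair.

    Token balances can run ahead of the stored reserves after a direct
    transfer; sync() copies balances into reserves, as the V2 sync call does.
    """
    balance_usdc: float
    balance_wbtc: float
    total_supply: float
    reserve_usdc: float = 0.0
    reserve_wbtc: float = 0.0

    def __post_init__(self) -> None:
        self.sync()

    def transfer_usdc(self, amount: float) -> None:
        self.balance_usdc += amount

    def sync(self) -> None:
        self.reserve_usdc = self.balance_usdc
        self.reserve_wbtc = self.balance_wbtc


def naive_lp_price(p: Pair) -> float:
    """Weak setting: USD value of the current reserves divided by LP supply."""
    value = p.reserve_usdc * USDC_USD + p.reserve_wbtc * WBTC_USD
    return value / p.total_supply


def fair_lp_price(p: Pair) -> float:
    """Geometric-mean valuation: 2 * sqrt(r0 * r1 * p0 * p1) / supply.

    It depends on the reserves only through their product, so a large
    one-sided transfer raises it far less than the naive sum. It still rises,
    because the transfer is a real gift to the pool.
    """
    k = p.reserve_usdc * p.reserve_wbtc
    return 2 * sqrt(k * USDC_USD * WBTC_USD) / p.total_supply


def bounded_update(last_accepted: float, candidate: float, max_move: float = 0.10):
    """Circuit breaker: keep the last accepted price when the candidate moved
    by more than max_move (10% by default) in a single update."""
    moved = abs(candidate - last_accepted) / last_accepted
    if moved > max_move:
        return last_accepted, False
    return candidate, True


def run_scenario() -> dict:
    # Thin pool (constructed): 1,000 USDC and 0.05 WBTC behind 1 LP token.
    pair = Pair(balance_usdc=1_000.0, balance_wbtc=0.05, total_supply=1.0)
    before_naive = naive_lp_price(pair)
    before_fair = fair_lp_price(pair)

    pair.transfer_usdc(26_024.0)          # amount reported in step 4
    pre_sync_naive = naive_lp_price(pair)  # reserves are unchanged until sync()
    pair.sync()

    after_naive = naive_lp_price(pair)
    after_fair = fair_lp_price(pair)
    guarded_price, accepted = bounded_update(before_fair, after_fair)
    return {
        "before_naive": before_naive,
        "before_fair": before_fair,
        "pre_sync_naive": pre_sync_naive,
        "after_naive": after_naive,
        "after_fair": after_fair,
        "guarded_price": guarded_price,
        "guarded_accepted": accepted,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:>17}: {value}")
```

In this constructed pool the reserve-sum value per LP token jumps from 2,000 to 28,024 USD after the sync, the geometric-mean value rises to about 10,397 USD, and the bounded update keeps the last accepted 2,000 USD.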
On 13 Jan, Lendhub (@LendHubDefi), a dApp deployed on HECO, announced on Twitter that their project had been attacked on 12 Jan.
The root cause was that both the old and new IBSV tokens existed simultaneously in the market and both took their price feeds from the new IBSV.
The hacker leveraged the vulnerability to obtain old IBSV tokens by depositing HBSV tokens and borrowed assets from the new market, then redeemed HBSV back in the old market.
The attack resulted in Lendhub’s TVL decreasing from US $6 million to US $90,305.
Overall, the crypto market witnessed a bear market through Q4 2022. Despite the bear market, attacks against the crypto ecosystem were still active. Crypto assets worth around US$587.57 million were exploited from October 2022 to December 2022.
Before proceeding, the following terms and technologies are introduced in this report:
CCBS
CCBS stands for “Centralized Crypto or Blockchain Service”. A CCBS refers to a platform or service that provides crypto or blockchain related products or services, and is run by a conventional / centralized organization, entity or company such as conventional crypto exchanges (eg. Binance or Tether).
FLASHLOAN
Flash loans are a popular feature that hackers utilize when attacking EVM-Compatible smart contracts. Flash loans were developed by the team behind the famous DeFi application AAVE [1]. This feature “allows users to borrow any available amount of assets without putting up any collateral, as long as the liquidity is returned to the protocol within one block transaction” [2]. Flash loans are quite often used to borrow ERC-20 tokens [3] and attack DeFi applications. To initiate a flash loan, users will need to write a contract that borrows an available amount of assets and pay back the loan + interest + necessary fees all within the same transaction.
CROSS-CHAIN BRIDGE
A cross-chain bridge is an infrastructure that connects multiple independent blockchains and enables an exchange of cryptos, data or information from one blockchain to another.
As more blockchains have their own ecosystems, cryptos and dApps, the need for exchanging cryptos or data across different blockchains becomes increasingly high while the volume of cross-chain transactions dramatically increases. This causes cross-chain bridges to suffer more attacks.
FOCUS OF THIS REPORT
In this report we list our statistics collected from typical security incidents that happened in the blockchain industry in Q4 2022, give an in-depth analysis of their root causes, and present our recommended best practices.
STATISTICS AND ANALYSIS OF SECURITY INCIDENTS OF Q4 2022
We studied 101 publicly reported security incidents that occurred in Q4 2022 and present our statistics and analysis based on the targets and root causes.
In Q4, 2022 the total value of the exploited assets was US $587.57 million and the overall market cap of the cryptocurrency according to Tradingview was US $756.15 billion. The value of the exploited assets accounted for 0.08% of the total market cap of the cryptocurrency.
INCIDENTS CATEGORIZED BY TARGETS
Our researched incidents can be categorized into four types of targets:
CCBS
Blockchains
DApps
Cross-chain Bridges
A CCBS-related incident is one in which a centralized crypto or blockchain service platform is attacked by hackers resulting in the failure of its services or a loss of crypto assets under its custody.
A blockchain-related incident is one where a blockchain mainnet, side chain or layer 2 is attacked by malicious actors from inside, outside, or both, resulting in its operation going out of order, or that a blockchain fails to work properly due to issues related to software, hardware, or both. Attackers will then be able to exploit the consensus for profits.
A dApp-related incident is one where a dApp’s daily operation goes out-of-order or is attacked, leaving it open for attackers to exploit users and crypto assets under the custody of the dApp.
A cross-chain bridge-related incident occurs when a cross-chain bridge is attacked resulting in a loss of crypto assets under its custody or a failure of the exchange function between multiple blockchains.
There were 101 incidents in total. Here is a figure that shows the percentage for each of these targets respectively.
The number of dApp-related incidents account for more than 84.16% of the total incidents. Out of 101 incidents, 9 were CCBS-related, 3 were blockchain-related, 4 were cross-chain bridge-related, and 85 were dApp-related.
BLOCKCHAIN-RELATED INCIDENTS
Incidents that had occurred in blockchains can be further categorized into three sub-categories:
Blockchain mainnets
Side chains
Layer 2 solutions
A blockchain mainnet, also known as layer 1, is an independent blockchain that has its own network with its own protocol, consensus, and validators. A blockchain mainnet can validate transactions, data, and blocks generated in its network by its own validators and reach a finality. Bitcoin and Ethereum are typical blockchain mainnets.
A side chain is a separate, independent blockchain which runs in parallel to a blockchain mainnet. It has its own network consensus and validators. It is connected to a blockchain mainnet (eg. by a two-way peg [4]).
A layer 2 solution refers to a protocol or network that relies on a blockchain as its base layer (layer 1) for security and finality [5]. Its main purpose is to solve scalability issues of its base layer. It processes transactions faster and costs less resources compared to its base layer. Since 2021, there has been a huge surge in the growth and development of layer 2 solutions for the Ethereum ecosystem.
Both side chains and layer 2 solutions exist to solve the scalability issues of a blockchain mainnet. The significant difference between a side chain and a layer 2 solution is that a side chain does not necessarily rely on its blockchain mainnet for security or finality whereas a layer 2 solution does.
There were 3 blockchain-related incidents in total in Q4 2022. The figure below shows the percentages of blockchain mainnet related incidents, side-chain related incidents, and layer 2 related incidents respectively.
The number of blockchain mainnet related incidents and layer 2 related incidents account for 33.33% (1) and 66.67% (2) of the total incidents respectively. No prominent side-chain related incidents were covered in our statistics. The layer 2 solutions that were attacked were Loopring [6] and zkSync [7], while the attacked blockchain mainnet was ZCash [8].
DAPP RELATED INCIDENTS
Among the 85 incidents involving dApps, 5 were rug-pulls, 39 were involved in exploitations and 41 were directly attacked. An attack against a dApp can specifically target its front-end, server side, or smart contract(s). We can therefore further classify these 41 incidents into three sub-categories:
– dApp’s front-end
– dApp’s server side
– dApp’s smart contract(s)
dApp’s front-end related incidents refer to events where vulnerabilities in the conventional client side are exploited, compromising the account information and personal details of users, which can be used to steal their crypto assets.
dApp’s server side related incidents are those where vulnerabilities present in the conventional server side are exploited, leaving on-chain and off-chain communication open to hijacking and the crypto assets of users open to exploitation.
Smart contract related incidents refer to vulnerabilities in a smart contract’s design or implementation, which are leveraged to exploit crypto assets from users.
Here is a figure that shows the percentages of front-end, server-side and smart contract related incidents respectively.
The above figure shows the number of smart contract related incidents, server side related incidents, and front-end related incidents, accounting for 97.56%, 0%, and 2.44% of the total incidents respectively. Among 41 incidents, 1 was front-end related and 40 were smart contract related.
We further studied the amount of loss incurred from these sub-categories. Our study showed that the amount of losses in both front-end related incidents and server-side related incidents were 0, and the amount of loss in smart contract related incidents was US $83.36 million.
It is clear that smart contract related incidents were the biggest issue. Typical vulnerabilities we found pertaining to smart contracts in Q4 2022 include logic vulnerabilities, private key leaks, flash loans, re-entrancy attacks, and more.
We studied the 40 incidents in which smart contracts were directly attacked and derived the following figure based on vulnerability types:
The figure shows that the number of incidents with the highest percentages were flashloans and logic vulnerabilities. Logic vulnerabilities mainly include missing validations for parameters, missing validation for access control, etc. 11 projects suffered from flashloan attacks and 11 suffered from logic vulnerability attacks as well.
The following figure illustrates the amount of loss for each vulnerability type:
It is interesting to note that although the number of incidents that suffered from flash loans was the highest, the amount of loss they caused only ranked fifth. 11 incidents were caused by flash loans, totaling a loss of US $4.73 million. The top rank goes to the 11 incidents caused by logic vulnerabilities, which totaled a loss of US $141.42 million, accounting for 74.72% of the total loss. Meanwhile, 5 incidents caused by private key leaks totaled a loss of US $11.51 million and accounted for 6.08% of the total loss, ranking third.
INCIDENTS CATEGORIZED BY ROOT CAUSES
The root cause of these incidents can be categorized into the following:
– Attacks from hackers
– Rug-pulls
– Misc.
We studied these incidents and got the following figure.
The above figure shows that the number of attacks from hackers, rug-pulls and misc. incidents accounted for 93.07% (94), 4.95% (5) and 1.98% (2) of the total incidents respectively.
We studied the amount of loss of each category of incidents based on the root cause and got the following figure:
The above figure shows that the amount of loss in the incidents that suffered from attacks and the amount of loss in rug-pull incidents each accounted for 99.12% and 0.88% of the total loss respectively. The amount of loss in the incidents that suffered from attacks was US $582.41 million and the amount of loss in rug-pull incidents was US $5.16 million. This reveals that attacks from hackers posed the largest threat to the whole crypto ecosystem in Q4 2022.
ATTACKS FROM HACKERS
We studied the targets the hackers attacked and got the following figure:
The figure above shows that the number of attacks on dApps, CCBSs, cross-chain bridges and blockchains accounted for 84.16% (85), 8.91% (9), 3.96% (4) and 2.97% (3) respectively.
After we studied the amount of loss in each of them we got the following figure:
The amount of loss in attacks on CCBSs, cross-chain bridges, dApps and blockchains were 66.51%, 17.92%, 15.56% and 0.21%, resulting in a loss of US $390.82 million, US $105.3 million, US $91.45 million and US $1.26 million respectively.
RUG-PULLS
All rug-pulls that happened in Q4 2022 were against dApps. There were 5 incidents totaling a loss of US $5.16 million which were not as severe as losses caused by attacks.
RESEARCH FINDINGS
CCBS systems were the most prominent target for attacks in Q4 2022. Although the number of CCBS incidents only accounted for 8.91% of the total, the amount of loss in the CCBS incidents accounted for 66.51% of the total amount of loss and far surpassed the amount of loss in any other incidents. Among all the CCBS incidents the biggest one was when FTX’s crypto assets were abnormally transferred away. This incident was suspected to be closely related to FTX’s crash.
Compared to the data Fairyproof collected for Q3 2022, the number of attacks on cross-chain bridges rose a little bit. However, the amount of loss in attacks on cross-chain bridges rose greatly, nearly tripling the loss in Q3. Clearly, cross-chain bridges were still a big honeypot to hackers. They still have a lot of challenges to face and issues to fix before they can give users confidence in their security and safety.
Hackers proved to remain as the main threat to the crypto industry, accounting for 93.07% among all incidents. It far surpassed any other root causes such as rug-pulls, etc.
A dApp consists of three parts: a front-end, a server-side and smart contracts. Either one or multiple parts are targeted during dApp attacks. According to our statistics, smart contract(s) accounted for an extraordinarily higher percentage of attacks compared to the front-ends and server sides with regard to both attack frequency and amount of loss in Q4 2022. This shows that attacks on smart contracts still posed the biggest threat to dApps. However, it is worth noting that the number of attacks against smart contracts had increased greatly compared to that in Q3 2022, nearly doubling the number of attacks and quintupling the amount of loss.
All rug-pulls in Q4 2022 were against dApps.
Finally, for smart contract related incidents, we found the number of attack sub-categories (except the misc incidents) to be ranked as the following:
Rank 1: Flashloan and logic vulnerability
Rank 2: Private key leaked
Rank 3: Re-entrancy attack.
In contrast, the amount of loss in the incidents that suffered from logic vulnerabilities far surpassed any one of these ranks.
TENTATIVE THOUGHTS
Both the number of attacks on layer 2 solutions and the amount of loss in these attacks decreased dramatically compared to that of Q3 2022. However, we don’t think this means the overall security situation of layer 2 solutions improved very much in Q4.
In addition, more project teams rushed to or planned to jump in the Zero Knowledge (zk) related applications including zk-rollup solutions for Ethereum, zk related social applications, and more. We think there will be an increasing demand for audits of zk related applications.
BEST PRACTICES TO PREVENT SECURITY ISSUES
In this section we present some best practices to help both blockchain developers and users manage the risks posed by the incidents that happened in Q4 2022, and support coordinated and efficient response to crypto security incidents. We recommend that both blockchain developers and users apply these practices to the greatest extent possible based on the availability of their resources.
Note: “Blockchain developers” refers to both developers of blockchains and developers of dApps, and blockchains or systems pertaining to crypto currencies. Here, “blockchain users” refers to everyone that participates in activities pertaining to a crypto system’s management, operation, trading, etc.
FOR BLOCKCHAIN DEVELOPERS
Developers of cross-chain bridges need to pay closer attention to the bridges’ security as cross-chain transactions become increasingly popular. Cross-chain bridge solutions include handling of operations – not only on-chain but also off-chain. Naturally, the off-chain part would be more vulnerable to attacks. Hence, security solutions for cross-chain bridges should be particularly capable of handling off-chain activities safely and securely.
Security awareness for layer 2 solutions should be maintained even though attacks on them were few and losses negligible, as more layer 2 solutions will emerge in the coming years. Research and development for solutions to tackle security challenges in this area must be prompt.
Transferring an admin’s access control to a multi-sig wallet or a DAO, so that access to crypto assets or critical operations is managed there, is a must-have.
Attackers would employ flash loans to maximize their exploits when they detect vulnerabilities in smart contracts, including issues of re-entrancy, missing validations for access control, incorrect token price algorithm, and more. Proper handling of these issues should have the highest priority for a smart contract developer when designing and coding a smart contract.
Our statistics show that an increasing number of hackers have been using social media tools – especially Discord – to launch phishing attacks. This persisted through Q1, Q2, Q3 and Q4 and will very likely persist in 2023. Many users have suffered huge losses. Project developers and managers are advised to prioritize safely and securely managing social media accounts and finding security solutions for them on top of project implementation.
FOR BLOCKCHAIN USERS
More users are varying their crypto portfolio across different blockchains. The demand for cross-chain transactions is rapidly increasing. Whenever a user participates in a cross-chain transaction, the user will have to interact with a cross-chain bridge – a popular target among hackers. Hence, before starting a cross-chain transaction, users are advised to investigate the bridge’s security condition and ensure they use a reliable, safe and secure bridge.
While it is necessary to pay great attention to the security of smart contracts when interacting with a dApp, it is increasingly important to also pay attention to the security of the user interface and to watch for suspicious messages, prompts, and behavior presented by the UI.
We strongly urge users to check whether a project has audit reports and read these reports before proceeding with further actions.
Use a cold wallet or a multi-sig wallet where possible to manage crypto assets that are not for frequent trading. Be careful about using a hot wallet and make sure the hardware on which a hot wallet is installed is safe and secure.
Be cautious of a dApp whose team members are unknown or lack reputation. Such dApps may eventually be rug-pull projects. Be cautious of a centralized exchange which has not established a reputation or does not have tracked transaction data on third party media, as it may also eventually prove to be a rug-pull project.
RTFKT’s COO Nikhil Gopalani Announces He Had Suffered Phishing Attack
On 3 Jan, RTFKT’s COO Nikhil Gopalani (@Nikgopalani) announced on Twitter that he had suffered a phishing attack and that the hacker had sold all his CloneX NFTs along with others.
He lost around US$300,000 worth of crypto assets during this incident.
Worlds Beyond Announces Discord Hacked
On 3 Jan, NFT project on Ethereum Worlds Beyond (@WorldsBeyondNFT) announced on Twitter that their Discord account had been hacked and their server was temporarily compromised. The account also reported that all staff had been banned from the server.
The account later reminded users that they will “never stealth mint” and urged users to only use their official links to avoid potential scams or hacks.
As of the time of writing, investigations are still ongoing, and the project has opened channels in Discord to aid affected users.
Hacker Exploits Vulnerability on Function Lacking Validation for Settings in Attack Against GDS
On 3 Jan, GDS Chain’s application deployed on the BNB chain was attacked.
The root cause of this incident was that its “_lpRewardAmount” function lacked validation for its settings. The hacker leveraged a flash-loan and exploited this vulnerability to launch the attack.
After the hack, the GDS’ price crashed by 84% and crypto assets worth around US $187,000 were exploited.
Cirrus Announces Holders of CryptoPunks, BAYCs, Meebits Suffer Phishing Scams
On 4 Jan, NFT community member Cirrus (@CirrusNFT) announced on Twitter that holders of CryptoPunks, BAYCs, and Meebits suffered phishing scams. CryptoPunks 4607, 965, and BAYC 1723 were exploited.
Later, Twitter user @CryptoNovo311 claimed that 4 CryptoPunks in his possession were stolen.
CryptoPunks and BAYCs worth above 600 ETHs (US$748,800) were exploited in these attacks.
It was also suspected that the hacker had exploited 111 KUMALEON NFTs and used FixedFloat to cash out.
Hacker Exploits Whale Holder of GMX Through Phishing Attack
On 4 Jan, a whale holder of GMX suffered from a phishing attack on the BNB chain.
The attacker exploited 82519 GMXs worth around US $3.4 million on the BNB chain, exchanged them to 2627 ETHs and cross-chain transferred them from the BNB chain to Ethereum.
Hacker Attacks Deviants’ Discord Server
On 4 Jan, a hacker attacked Deviants’ discord server. Deviants is an NFT project on Ethereum.
Inkwork Labs Announce Discord Server Compromised
On 5 Jan, NFT project on Solana Inkwork Labs (@InkworkLabs) announced on Twitter that their Discord server had been compromised. The account later posted a follow-up thread revealing that one of their “now older mods, Krypto King#0036” had clicked on a malicious link that caused a Dyno bypass. Dyno is a Discord bot used for various purposes like moderation and user verification.
The account also reported that although the attackers had gained access to the server earlier, the attack was not conducted until everyone was away.
Inkwork Labs also reported that the accounts associated with the exploit were identified and banned. They also urged users not to click on any links unless a drop is scheduled. Moreover, they advised users to “always double check the user who’s posting the announcement. ALWAYS.”
Relevant channels for affected users have been opened for further assistance.
Hacker Attacks Twitter User @TheViralFever
On 6 Jan, a hacker launched a phishing attack against Twitter user @TheViralFever by sending the user a fake link to an ENS airdrop.
Hacker Attacks PanksNotDed’s Discord Server
On 7 Jan, a hacker attacked PanksNotDed’s discord server. PanksNotDed is an NFT project on Ethereum.
Hacker Attacks Cyber Kongz’s Discord Server
On 7 Jan, a hacker attacked Cyber Kongz’s discord server. Cyber Kongz is an NFT project on Ethereum.
Mycelium Announces Attack Due to Issue with Price Feed for ETH-USD
On 7 Jan, the team behind Mycelium (@mycelium_xyz), a DeFi perpetual application deployed on Arbitrum, announced on Twitter that it was attacked.
The team also announced that the attack was due to an issue with its price feed for ETH-USD. Its MLP was exploited by 4% ~ 6% of the total assets, totaling around US$300,000.
At the time of writing, the issue had been fixed and the application was back to work.
Hacker Attacks Yaypegs’s Discord Server
On 8 Jan, a hacker attacked Yaypegs’s discord server. Yaypegs is an NFT project on Ethereum.
Hacker Attacks Mech’s Discord Server
On 8 Jan, a hacker attacked Mech’s discord server. Mech is an NFT project on Polygon.
CONCLUSION
13 notable security incidents have occurred in the past week. Most of them were phishing attacks against Discord or Twitter accounts.
A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain.
A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.
It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.
To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/
Fairyproof’s Retrospective for 2022 and Wishes for 2023
2022 was a year full of hardships and challenges
Although the crypto space was still struggling in a bear market, hackers ran rampant, ravaging users without mercy.
Numerous crypto users were exploited. They arrived expectant to a new world full of hopes and dreams, but left with tears and despair, away from the “wild west” crypto wasteland.
The positive side is that the crypto space witnessed numerous countries adopting blockchain technology, connecting every corner of the world and forming a seemingly endless new one.
As a blockchain security company, Fairyproof’s mission is to safeguard the blockchain applications and crypto assets of our clients. 2022 may not be a good year for the crypto space, but we were still firmly grounded in fulfilling our mission and striving to provide the best for everyone.
We feel the need to fulfill greater responsibilities, meet higher expectations, and overcome more challenges after experiencing these incidents and observing these losses.
A Retrospective of 2022
Increased Coverage of Fairyproof’s Products and Services
– Fairyproof’s automatic scanning system can scan and detect vulnerabilities in not just smart contracts, but also blockchain mainnets, sidechains, and more.
– Fairyproof’s audit service not only covers technical implementations, but also tokenomical models and governance models.
– Fairyproof’s intelligent system made great strides in the purging, collection and processing of big data, and in machine learning, particularly the self-evolution of algorithms.
Fairyproof Explored Broader Areas
– For Zero Knowledge (zk) technologies, Fairyproof developed an optimized system which combined the advantages of both Stark and Snark technologies. Fairyproof also greatly improved system efficiency with less resources. We have built a solid ground in zk system’s analysis, auditing and development.
– In Multi-Party Computation (MPC) technologies, Fairyproof has conducted extensive research in TSS signature applications and developed our own solutions which optimized conventional TSS signature technologies. We have also achieved significant efficiency with new features and advantages.
Fairyproof Dived Deeper Into Research
– Fairyproof applied for 3 Chinese patents and 1 US patent
– Fairyproof established a new and systematic model/pattern to describe and detect hacks and attacks from multiple dimensions including locked liquidity, transaction behavior, hacking pattern and more
– Fairyproof studied a series of EIPs including EIP-3475, EIP-4844, EIP-3525 and EIP-4626 and published research articles.
Fairyproof Covered Crypto Incidents More Closely and Timely
– Fairyproof published weekly and quarterly security reports.
– Fairyproof released detailed analysis and updates for various incidents.
Fairyproof Established Broader Social Connections
– Fairyproof actively participated in events held in Singapore, Miami, New York, London, Berlin, and Lisbon, and established close connection with popular projects including Aptos, zkSync, Mina, and more.
– Fairyproof actively participated in events and activities in the Ethereum community and had established a great connection with ECF.
– Fairyproof was interviewed and reported by famous media including Newsfilecorp, Yahoo, PANews and institutions including blockchain organizations from the National University of Singapore.
Fairyproof was Active in Blockchain Education and Non-Profit Events
– Fairyproof audited projects for a blockchain game Hackathon from South Korea.
– Fairyproof recorded videos for an organization in Singapore involving the education of security issues in Web 3 development.
– Fairyproof actively joined AMA events including Ethereum New Era by BlockBeat, Blockchain game-related NFTs and GameFi AMAs, and hosted an AMA for NFT Security during the World Cup.
Looking Forward to 2023
Fairyproof Will Extend its Research into New Applications, New Technologies, and New Regulation Patterns
– Fairyproof will conduct research into new applications including Digital Twin and AR/VR, their trends and security issues.
– Fairyproof will conduct research into Quantum Cryptography and its applications in blockchain.
– Fairyproof will conduct research into new trends and developments in crypto regulations, and how these regulations will be applied to crypto assets and transactions.
Fairyproof Will Build its Products and Services for the Whole Web 3 Architecture
– Fairyproof will build products and services that cover the whole Web 3 ecosystem
– Fairyproof will build products and services for each component of Web 3 architecture.
Fairyproof Will Release More Powerful and Intelligent Products
– Fairyproof is developing a comprehensive and high-level security monitoring system
– Fairyproof will develop products that monitor targets comprehensively from multiple angles
– Fairyproof will develop products that intelligently recognize and detect hackers’ behaviors and patterns
– Fairyproof will provide multi-leveled solutions to prevent attacks
– Fairyproof will develop products that detect a project’s risks that arise from correlated products.
Fairyproof Will Serve Customers More Efficiently with Better Services and Products
– Fairyproof will develop customized products and services dedicated to enterprise customers.
– Fairyproof will provide multi-leveled, multi-faceted services for customers.
– Fairyproof will develop products and provide services that cover a project’s entire life-cycle, and meet the different demands for different phases of a project’s life-cycle.
Fairyproof Will Deliver Updates and Reports of Crypto Incidents in a More Timely Manner
– Fairyproof will release updates and reports on security incidents in a more timely manner.
– Fairyproof will develop more methods and solutions to trace and track exploited assets, and restore them.
Fairyproof Will Conduct Deeper and Broader Research
– Fairyproof will release more research reports for more specific areas and fields in the crypto space.
– Fairyproof will conduct more research on the security situations of big institutions and organizations by studying both on-chain and off-chain information
Fairyproof Will Actively Establish Connections in the Crypto Space More
– Fairyproof will establish more connections with builders including teams behind blockchain infrastructure projects, mainnets, layer 2 solutions, and more.
– Fairyproof will build more connections with teams behind applications including DeFi, blockchain games, DAOs, NFTs, and more.
Closing Thoughts
We have entered a new year. Fairyproof will soon turn two years old. We are new players in the crypto space and still have a long way to go. We still have a lot to learn from our peers and pioneers. All-in-all, we still cherish our dreams and bear our mission in mind.
No matter what is ahead of us – storm, rain or shine, we will firmly forge ahead, do our best, stand with the crypto space, closely collaborate with our clients, and build a new chapter for us and for all.
On 12 Dec, a hacker attacked Baby Apes Society’s discord server. Baby Apes Society is an NFT project deployed on Polygon.
Hacker Attacks Elastic Swap
On 13 Dec, a hacker attacked Elastic Swap, a DeFi application deployed on both Ethereum and Snow.
The root cause of the incident was that its implementation did not validate the K value in the AMM algorithm.
The algorithms for adding and removing liquidity were different in Elastic Swap. On the Snow blockchain, the attacker added liquidity and then sent USDC.E tokens to the liquidity pool of the TIC-USDC. The attacker then removed the liquidity to exploit the contract by leveraging the vulnerability. This process was repeated to exploit the AMPL-USDC pool on Ethereum.
The attacker exploited 22,454 AVAXs (US $290,328) on Snow and 445 ETHs (US $564,000) on Ethereum.
At the time of writing the exploited assets on Snow were still in 0xDd8429b85a92b35712659bd945462a41BFd60cBD and some of exploited assets on Ethereum were still in 0xbeadedbabed6a353c9caa4894aa7e5f883e32967
Crypto assets worth around US $850,000 were exploited in this incident.
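To make “validating the K value” concrete, the following is an added example (not Elastic Swap’s code and not part of the report): a toy constant-product pool in Python that replays the add, direct transfer, remove sequence described above and shows a K-per-share check rejecting the removal. The split between internal reserves and live balances, the class and function names, and all amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace


class InvariantViolation(Exception):
    """A liquidity operation would lower K per LP share."""


@dataclass
class Pool:
    """Toy model (assumption): add prices from internal reserves,
    remove pays out from live balances."""
    res_x: int             # internal reserves, changed only by pool functions
    res_y: int
    bal_x: int             # live token balances; a direct token transfer
    bal_y: int             # raises these without touching res_x / res_y
    shares: int            # total LP shares outstanding
    check_k: bool = False  # True = validate K on every liquidity change

    def _commit(self, new: "Pool") -> None:
        """Apply `new` atomically, or raise and leave the pool unchanged."""
        if self.check_k and self.shares > 0 and new.shares > 0:
            # K per share^2 must not fall:
            #   k_new / s_new^2 >= k_old / s_old^2  (cross-multiplied, integers)
            k_old = self.res_x * self.res_y
            k_new = new.res_x * new.res_y
            if k_new * self.shares ** 2 < k_old * new.shares ** 2:
                raise InvariantViolation(
                    f"K per share would fall: {k_old}/{self.shares}^2 -> "
                    f"{k_new}/{new.shares}^2")
        self.__dict__.update(new.__dict__)

    def add_liquidity(self, dx: int) -> int:
        """Deposit dx of X plus matching Y, priced from INTERNAL reserves."""
        dy = -(-dx * self.res_y // self.res_x)     # round up: depositor pays
        minted = self.shares * dx // self.res_x    # round down
        self._commit(replace(
            self,
            res_x=self.res_x + dx, res_y=self.res_y + dy,
            bal_x=self.bal_x + dx, bal_y=self.bal_y + dy,
            shares=self.shares + minted))
        return minted

    def direct_transfer_y(self, amount: int) -> None:
        """A plain token transfer to the pool address: balances only."""
        self.bal_y += amount

    def remove_liquidity(self, burn: int) -> tuple:
        """Burn shares; payout is computed from LIVE balances (the mismatch)."""
        out_x = self.bal_x * burn // self.shares
        out_y = self.bal_y * burn // self.shares
        self._commit(replace(
            self,
            res_x=self.res_x - out_x, res_y=self.res_y - out_y,
            bal_x=self.bal_x - out_x, bal_y=self.bal_y - out_y,
            shares=self.shares - burn))
        return out_x, out_y


def replay(check_k: bool):
    """Replay add -> direct transfer -> remove on constructed amounts."""
    pool = Pool(res_x=1000, res_y=1000, bal_x=1000, bal_y=1000,
                shares=1000, check_k=check_k)
    minted = pool.add_liquidity(1000)
    pool.direct_transfer_y(500)
    try:
        pool.remove_liquidity(minted)
        return "accepted", pool
    except InvariantViolation:
        return "rejected", pool


if __name__ == "__main__":
    for flag in (False, True):
        outcome, p = replay(flag)
        print(f"check_k={flag}: removal {outcome}; "
              f"internal reserves=({p.res_x}, {p.res_y}), "
              f"balances=({p.bal_x}, {p.bal_y}), shares={p.shares}")
```

Without the check, the pool’s internal reserves end at (1000, 750) while it actually holds (1000, 1250), so its own pricing no longer matches its holdings. Using a single accounting basis for both add and remove removes the mismatch itself; the K check is the backstop that catches one if it slips in.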
NFT Project 1Minute Alpha Announces Hack on Discord, Collaboration Account
On 14 Dec, NFT project 1Minute Alpha reported on Twitter that their Collaboration Account “@0x1Minute” and Discord had been hacked. The project urged users not to click on any links and await further information.
Subsequently, the account announced that its Discord ID and channel had been successfully restored while the main Twitter account “@ONEMINNFT” had not been hacked. The account went on to report that “everything had been normalized” and gave opportunities for minimal compensation to those damaged by the hacking.
Hacker Leverages Flash-Loan to Attack Nimbus Platform
On 14 Dec, a hacker leveraged a flash-loan to attack Nimbus Platform, a dApp deployed on the BNB chain.
The platform had a flaw in its reward computation, allowing the hacker to exploit 278 BNBs, worth approximately US $76,000.
Hacker Exploits Vulnerability in FRP LP’s Wallet in Attack Against FRP Token
On 15 Dec, an attacker exploited a vulnerability in FRP LP’s wallet to attack the FRP token deployed at 0xA9c7ec037797DC6E3F9255fFDe422DA6bF96024d. FRP is a dApp deployed on the BNB chain.
The attacker managed to exploit crypto assets worth around US $30,000.
Raydium Announces Compromise of Private Keys Leading to Attack
On 16 Dec, Raydium, a dApp deployed on Solana, announced that the private keys of the owner of several liquidity pools had been compromised, leading to an attack. The attacker accessed the owner’s wallet and called the withdrawalPNL function to withdraw the fees earned in transactions. Liquidity pools including SOL-USDC, SOL-USDT, RAY-USDC, and RAY-USDT were exploited.
Crypto assets worth around US $4.395 million were exploited.
Hacker Attacks Mekawaii’s Discord Server
On 16 Dec, a hacker attacked Mekawaii’s discord server. Mekawaii is an NFT project deployed on Ethereum.
Hacker Attacks Neo Tokyo’s Discord Server
On 18 Dec, a hacker attacked Neo Tokyo’s discord server. Neo Tokyo is an NFT project deployed on Ethereum.
CONCLUSION
8 notable security incidents have occurred in the past week. Four of them were attacks on smart contracts and the other four were attacks on social media.
A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. In addition, manage and store private keys with great care.
A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.
It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.
Blockchain Security Company Facilitates Healthy Discussion on NFT and their Safety as Football Season Reveals Rising Trend of Sports NFT Adoption.
Singapore, September 15, 2022 – Pioneering Blockchain Security Company Fairyproof hosted a live AMA on Twitter in light of the rising trend for sports NFT adoption amidst the World Cup. The Twitter Space, titled “The World Cup is coming with NFTS! Fans please calm down”, was joined by DfDunkNFT[1] Community Manager Giselle, and Kraze Web3 Football[2] Founder and Sport8 International Ltd[3] CEO Bai Qiang. Hosting the session was Fairyproof’s CEO Tan Yuefei. The turnout was a healthy 52 participants.
In the discussion, Tan gathered useful and interesting insight from both guests on how NFTs should be kept safe. Keeping them on cold hardware wallets and looking for signs of pump-and-dump were among the many points that were raised.
Giselle urged users to adopt a “DYOR[4]” attitude and to stay alert in discerning potential scams in the form of phishing links and impersonators of NFT technical teams. She also mentioned the stealing of IPs as an emerging concern. Additionally, she agreed on the importance of projects involving cybersecurity companies to improve security through triage and audits.
Meanwhile, Bai Qiang raised NFT utility as an area of concern for adopters even though prominent football players have endorsed NFTs – Cristiano Ronaldo’s launch of his first NFT collection on Binance being one of the many emergent cases for adoption.
“Hearing from our two gracious guests, it is comforting to know that NFT security is an area that adopters will need to pay attention to. I am thankful that we have the privilege to host our guests at the time,” Tan comments post-discussion. “It was a productive, interesting Twitter Space discussion. I am positive that our users will find something they can learn from the one-and-a-half-or-so hours of our session.”
Tan also expressed great enthusiasm and positivity for future Twitter Spaces that Fairyproof will host, “We are thinking of hosting AMAs like these at least once a month, or in the best-case scenario, once bi-weekly. Sessions like these not only help projects connect with one another and for us to get to know people better; but also help crypto users increase their knowledge on crypto security, in turn, strengthening the global NFT and crypto community.”
Fairyproof is a pioneering blockchain security company established in 2021 with the slogan “Make IT a Safer Place”. They have been actively developing blockchain security solutions and Ethereum standards, and have meaningfully contributed to established Web3.0 projects like Ethereum, BNB Smart Chain, and HECO.
For more information, consult the following channels:
[1] DfDunkNFT is an NFT project created by the Hiroshima Dragonflies, a basketball team in the Japanese men’s professional basketball “B League”. (Twitter: @DFDunk)
[2] Kraze Football is a Web3 platform for football fans, integrating real games and virtual experience. (Twitter: @KrazeFootball)
[3] Sport8 International Ltd is an International Sports Industry Platform (Twitter: @Sports8China)