Weekly Blockchain Security Watch (Feb 6 to Feb 12)

Feb 6 to Feb 12

From 6 February 2023 to 12 February 2023, all security incidents that occurred were Security Hacks.

SECURITY HACKS:

  • Hacker Attacks Exoniks’ Discord Server

On 7 Feb, a hacker attacked Exoniks’ Discord server. Exoniks is an NFT project.

  • Hacker Attacks CowSwap by Exploiting Inappropriate Approval of Funds Transfer

On 7 Feb, a hacker attacked CowSwap, a DeFi application deployed on Ethereum.

A contract had been inappropriately approved to spend a maximum value of DAI. The hacker exploited this to transfer funds to the hacker’s address.

Here is how the incident happened:

On January 27th 2023, a new solver, “Barter”, was allowed and moved to production. Shortly after, the Barter solver set an approval to a contract, “SwapGuard”.

The SwapGuard contract was used to limit the amount of tokens that could be lost in a single transaction due to slippage.

Because of the vulnerability, the attacker leveraged the approval to transfer funds from the settlement contract to the hacker’s addresses, thus draining the contract.

Crypto assets worth around US $180,000 were exploited in this incident.

At the time of writing, all approvals for the ‘bad contract’ have been revoked, and the Barter solver has upgraded to a new contract that has no arbitrary-execution functionality built in.
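To illustrate the remediation described above, here is an added example, not CoW Protocol’s or the Barter solver’s code (the contract name BoundedApprovals and its functions are hypothetical). It shows a settlement-side approval manager in which a solver can only grant a bounded allowance to a spender contract the owner has allow-listed, unlimited allowances are rejected outright, and the owner can revoke any allowance immediately during an incident:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Hypothetical settlement-side approval manager (added example, not CoW Protocol code).
// Default-deny: no spender is allowed and every per-token cap is zero until the owner sets them.
contract BoundedApprovals {
    address public immutable owner;
    mapping(address => bool) public isSolver;           // solvers allowed to request approvals
    mapping(address => bool) public isAllowedSpender;   // reviewed contracts that may be approved
    mapping(address => uint256) public spendCap;        // per-token maximum allowance

    event AllowanceSet(address indexed token, address indexed spender, uint256 amount);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier onlySolver() { require(isSolver[msg.sender], "not solver"); _; }

    constructor() { owner = msg.sender; }

    function setSolver(address solver, bool ok) external onlyOwner { isSolver[solver] = ok; }
    function setSpender(address spender, bool ok) external onlyOwner { isAllowedSpender[spender] = ok; }
    function setCap(address token, uint256 cap) external onlyOwner { spendCap[token] = cap; }

    // A solver may only approve an allow-listed contract, and never for more than the cap.
    // An "infinite" allowance (type(uint256).max) is refused even if a cap were set that high.
    function approveSpender(address token, address spender, uint256 amount) external onlySolver {
        require(isAllowedSpender[spender], "spender not allow-listed");
        require(amount != type(uint256).max && amount <= spendCap[token], "allowance exceeds cap");
        require(IERC20(token).approve(spender, amount), "approve failed");
        emit AllowanceSet(token, spender, amount);
    }

    // Incident response: the owner can zero an allowance without waiting on the solver.
    function revoke(address token, address spender) external onlyOwner {
        require(IERC20(token).approve(spender, 0), "approve failed");
        emit AllowanceSet(token, spender, 0);
    }
}
```

The design choice worth noting is that the allow list and the cap are both owner-controlled and default to deny, so adding a new solver does not by itself let any new contract receive an allowance; every spender still has to be reviewed and listed first.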

Additional Details:

– Attacker’s Address: 0xc0e82c1ed4786f8b7f806d1b8a6335ec485266ff

– Hash Value of Attack Transaction:

0x90b468608fbcc7faef46502b198471311baca3baab49242a4a85b73d4924379b

  • Hacker Attacks Toxics’ Discord Server

On 7 Feb, a hacker attacked Toxics’ Discord server. Toxics is an NFT project deployed on Ethereum.

  • Wanderverse Announces on Twitter Discord Server Compromise

On 8 Feb, Wanderverse (@TheWanderverse_), an NFT project deployed on Ethereum, announced on Twitter that its Discord server had been compromised.

In a later update, it was revealed that several community members had “lost assets after going to a scam site and signing an illegitimate tx.” In response, the community managed to save about “36 Wanderers and spent ~1.5ETH”. Once the stolen Wanderers are retrieved, the ETH will be doubled and donated to a community treasury operated by an elected group of members, who will create proposals to protect community members in the future.

  • Drunken Ape Announces Discord Server Hacked

On 8 Feb, Drunken Ape (@DrunkenApeSC), an NFT project deployed on Solana, announced on Twitter that its Discord server had been hacked. In response, the account hosted an AMA to address questions from the community. Later, the account announced that a new Discord server had been established.

  • Owner of LGTPool Exploits LianGoPay Through Deployment of Fake LP Pool

On 9 Feb, LianGoPay, a DeFi application deployed on the BNB chain, was exploited.

The root cause of this exploit was that the owner (0xb5950375D392728076449271b305639EFD2FC558) of LGTPool deployed a fake LP pool, deposited a huge quantity of LP tokens into it, and acquired 6.14 million LGT tokens.

Crypto assets worth around US $1.6 million were exploited in this incident.

For more details, please refer to:

Additional Details:

– Attacker’s Address: 0x36d173937f3E03074246ADCFD6e4d06F3638c28a

– Hash Value of Attack Transaction:

0xd29c32ab8e43192ceea1d8c632e8c3136323215acb99936f6d85e891f69a6b34

  • WeAbove Announces Discord Server Hacked

On 10 Feb, WeAbove (@weaboveofficial), an NFT project deployed on Ethereum, announced on Twitter that its Discord server had been hacked. In a later update, the project announced that the team was working to refund the drained funds and to retrieve and buy back the WeAbove NFTs in order to return them to their rightful owners.

  • Hacker Attacks dForcenet in Oracle Manipulation

On 10 Feb, a hacker attacked dForcenet, a DeFi application deployed on both Optimism and Arbitrum.

The root cause of this incident was that the implementation had no protection against re-entrancy attacks, which allowed its oracle to be manipulated.

The hacker exploited 719,437 dForce USD (USX) and 1,236 ETH on Arbitrum and transferred the USX to Optimism. Additionally, the hacker exploited 1,037,000 USX on Optimism. All of the USX was exchanged for 1,110 ETH worth around US $1.75 million, and all of the ETH remained in the hacker’s address on Optimism.

In total, crypto assets worth around US $3.7 million were exploited in this incident.

Additional Details:

– Attacker’s Address: 0xe0d551017c0111ac11108641771897aa33b2817c

– Hash Values of Attack Transactions:

0x6c19762186c9f32c81eb2a79420fc7ad4485aa916cab37ec278b216757bfba0d on Optimism

0x5db5c2400ab56db697b3cc9aa02a05deab658e1438ce2f8692ca009cc45171dd on Arbitrum

  • Hacker Attacks Sushiswap in Price Difference Leverage

On 10 Feb, a hacker attacked Sushiswap, a DeFi application on Ethereum.

The root cause of this incident was that the price fed by Chainlink did not match the latest market price in its BentoBoxv1 contract.

The hacker flash-loaned 574,275 + 785,560 xSUSHI and staked them in Sushi. Later, the kmxSUSHI/USDT price fed by Chainlink decreased by 16.9%. The hacker leveraged this price difference and called the liquidate() function to acquire 15,429 + 11,333 USDT.

Crypto assets worth around US $26,000 were exploited in this incident.
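The incident above turns on a liquidation path trusting a feed value that no longer matched the market. The following added example, which is not SushiSwap or BentoBox code (the contract name CheckedPriceConsumer, the maxAge and maxDeviationBps settings, and the canLiquidate function are hypothetical), shows a Chainlink consumer that validates latestRoundData() for a non-positive answer, a stale timestamp and an incomplete round before a liquidation decision depends on it. Freshness checks alone only catch a dead or incomplete feed, not a live feed that lags a fast-moving market, so the example also compares the feed against an independent reference price (for instance an on-chain TWAP supplied by the caller) and refuses to act when the two diverge too far:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal subset of Chainlink's AggregatorV3Interface.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical oracle wrapper (added example, not SushiSwap/BentoBox code).
contract CheckedPriceConsumer {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxAge;          // seconds; set from the feed's documented heartbeat
    uint256 public immutable maxDeviationBps; // allowed gap between feed and reference, in basis points

    constructor(AggregatorV3Interface _feed, uint256 _maxAge, uint256 _maxDeviationBps) {
        feed = _feed;
        maxAge = _maxAge;
        maxDeviationBps = _maxDeviationBps;
    }

    // referencePrice must use the same decimals as the feed and come from an
    // independent source (e.g. a TWAP); it is the caller's responsibility to supply it.
    function getPrice(uint256 referencePrice) public view returns (uint256 price, uint8 decimals) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0, "oracle: non-positive answer");
        require(updatedAt != 0 && block.timestamp - updatedAt <= maxAge, "oracle: stale price");
        require(answeredInRound >= roundId, "oracle: round not complete");
        price = uint256(answer);
        decimals = feed.decimals();

        // Deviation guard: refuse to act if the feed and the reference disagree by
        // more than maxDeviationBps, rather than liquidating on a lagging value.
        uint256 diff = price > referencePrice ? price - referencePrice : referencePrice - price;
        require(diff * 10_000 <= referencePrice * maxDeviationBps, "oracle: price deviation");
    }

    // A position is liquidatable when its collateral value, scaled by the loan-to-value
    // limit (ltvBps), no longer covers the debt. Both collateral and debt are in the
    // feed's quote units; every price used here has passed the checks in getPrice().
    function canLiquidate(uint256 collateral, uint256 debt, uint256 ltvBps, uint256 referencePrice)
        external
        view
        returns (bool)
    {
        (uint256 price, uint8 dec) = getPrice(referencePrice);
        uint256 collateralValue = collateral * price / (10 ** dec);
        return collateralValue * ltvBps / 10_000 < debt;
    }
}
```

A practical note: the right maxAge is feed-specific (each Chainlink feed publishes a heartbeat and a deviation threshold), and the deviation guard makes liquidation temporarily unavailable during a genuine disagreement, which is the intended failure mode: a paused liquidation is recoverable, a liquidation on a wrong price is not.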

CONCLUSION-

9 notable security incidents occurred in the past week. 5 of the 9 involved social media accounts and 4 were attacks against smart contracts.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. Be alert to any anomalies happening in the various social media accounts you manage.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/

Weekly Blockchain Security Watch (Jan 30 to Feb 5)

Jan 30 to Feb 5

SECURITY HACKS:

  • SoDeadNFT Announces Hack on Discord

On 1 Feb, SoDeadNFT (@SoDeadNFT) announced on Twitter that its Discord had encountered a hack. The account later announced that its Discord server and funds were both safe and that the team had handled the situation effectively.

  • Hacker Attacks Realm Hunter’s Discord Server

On 1 Feb, a hacker attacked Realm Hunter’s Discord server. Realm Hunter is a game project.

  • Squishiverse Founder Announces Discord Account Compromised

On 1 Feb, Ethereum-based NFT project Squishiverse’s founder mooney.eth (@mooneynft) announced on Twitter that their Discord had been compromised. The user apologized and expressed their hope that no one had clicked the link posted by the hacker.

The user also indicated their suspicion that it was “a Twitter account with a Gold Badge wanting to interview” them that was the culprit.

Later, mooney.eth reported that no one had been affected by the hack and urged users to be wary of scammers.

  • Hacker Exploits TellorFlex Oracle Issue to Attack BonqDAO

On 2 Feb, a hacker attacked BonqDAO, a DeFi application deployed on Polygon.

The root cause was that its oracle, TellorFlex, had an issue in the registration of its price feeders (stakers).

For more details, refer to: https://twitter.com/FairyproofT/status/1622448436053430272

Crypto assets worth around US $1.7 million were exploited in this incident.

Additional Details:

– Attacker’s Address: 0xcacf2d28b2a5309e099f0c6e8c60ec3ddf656642

– Attacking Contract: 0xed596991ac5f1aa1858da66c67f7cfa76e54b5f1

– Attacked Contract: 0x8f55D884CAD66B79e1a131f6bCB0e66f4fD84d5B

– Hash Values of Attacking Transactions:

0x31957ecc43774d19f54d9968e95c69c882468b46860f921668f2c55fadd51b19

0xa02d0c3d16d6ee0e0b6a42c3cc91997c2b40c87d777136dedebe8ee0f47f32b1

  • Hacker Attacks Orion Protocol Through Re-Entrancy Vulnerability

On 3 Feb, a hacker attacked Orion Protocol, a DeFi application deployed on both Ethereum and the BNB chain.

The root cause of this issue was that the implementation had a re-entrancy vulnerability.

In its implementation, the ExchangeWithAtomic contract acted as a marketplace where users could deposit or exchange assets. However, the contract’s exchange function did not have protection to prevent re-entrancy attacks.

Crypto assets worth around US $3 million were exploited in this incident.

Additional Details:

– Attacker’s Address: 0x837962b686fd5a407fb4e5f92e8be86a230484bd

– Attacking Contracts:

0x5061F7e6dfc1a867D945d0ec39Ea2A33f772380A (on Ethereum)

0x84452042cb7be650be4eb641025ac3c8a0079b67 (on BNB Chain)

– Attacked Contracts:

0xb5599f568D3f3e6113B286d010d2BCa40A7745AA (on Ethereum)

0xe9d1d2a27458378dd6c6f0b2c390807aed2217ca (on BNB Chain)

– Hash Values of Attacking Transactions:

0xa6f63fcb6bec8818864d96a5b1bb19e8bd85ee37b2cc916412e720988440b2aa (on Ethereum)

0xfb153c572e304093023b4f9694ef39135b6ed5b2515453173e81ec02df2e2104 (on BNB Chain)

  • Hacker Attacks Superordinary Friends’ Discord Server

On 3 Feb, a hacker attacked Superordinary Friends’ Discord server. Superordinary Friends is an NFT project deployed on Ethereum.

  • OogaVerse Announces Discord Server Attacked

On 3 Feb, Ethereum-based NFT project OogaVerse (@OogaVerse) announced on Twitter that its Discord server had been hacked. The account later announced that the Discord server had been “thoroughly cleaned and is now working as usual”. The project also invited users who had “missing Oogas” to approach support in its Discord server.

  • Attacker Exploits SperaxUSD Through Token Balance Manipulation

On 4 Feb, a hacker attacked SperaxUSD, a DeFi application deployed on Arbitrum.

An exploiter increased the token balance of their address to 9.7 billion tokens without providing the required collateral and liquidated them before the operation was stopped by joint action of the Sperax team and Arbitrum ecosystem partners.

All $USDs transactions and the smart contract were blocked on Feb 4, 03:11 AM UTC. The liquidated amount will be recapitalized by the Sperax team before relaunching the protocol.

Crypto assets worth around US $300,000 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0x4AfcD19bB978Eaf4F993814298504eD285df1181

– Hash Value of Attacking Transaction:

0xe74641b4b7e9c9eb7ab46082f322efbc510b8d39af609d934f41c41d7057fe49

  • Hacker Attacks Live Crypto Party by Exploiting Validation Vulnerability

On 5 Feb, a hacker attacked Live Crypto Party, a DeFi application deployed on the BNB Chain.

The _transferOwnership function had a validation flaw, which the hacker exploited to steal 10 BNB worth around US $3,000.

Additional Details:

– Attacker’s Address: 0x52D65a9F6d6CC83143B83b4E692Cc338325b4d60

– Attacked Contracts:

Proxy Contract: 0x38b0EF754Aec7aCB1d180eeA902a71B14e34b352

Implementation Contract: 0xFB2A9B3EEE6376F7095663B4D6ea8c39B634132A

– Hash Value of Attacking Transaction:

0x7ca8b3f04ba3947acbfccf21c6394e5f90d66e7141134fa6d2d3ca7c7d3f2b34

CONCLUSION-

9 notable security incidents occurred in the past week. 5 of the 9 involved social media accounts and 4 were attacks against smart contracts.


Weekly Blockchain Security Watch (Jan 23 to Jan 29)

Jan 23 to Jan 29

SECURITY HACKS:

  • Attacker Hacks GOL TV’s Twitter Account, Propagates XRP Scam Project

On 23 Jan, a hacker attacked GOL TV’s Twitter account (@GOLTV). The hacker used the account to propagate an XRP scam project that promised extremely high returns to investors.

  • Hacker Attacks Killabearsnft’s Discord Server

On 24 Jan, a hacker attacked Killabearsnft’s Discord server. Killabearsnft is an NFT project deployed on Ethereum.

  • Hacker Attacks CatsYardNFT’s Discord Server

On 24 Jan, a hacker attacked CatsYardNFT’s Discord server. CatsYardNFT is an NFT project deployed on Solana.

  • Hacker Exploits Moonbirds’ Founder’s Wallet

On 26 Jan, Moonbirds founder Kevin Rose (@kevinrose) announced on Twitter that his wallet had been exploited in a phishing attack. Kevin Rose had signed “a malicious signature that allowed the hacker to transfer a large number of high-value tokens”.

Crypto assets including 25 Chromie Squiggles and other NFTs totalling around US$1.5 million were exploited in this incident.

He later urged users not to buy any Chromie Squiggles before his stolen ones had been marked by OpenSea.

  • Hacker Attacks Robinhood’s Twitter, Propagates Token Scam Through Phishing Link

On 26 Jan, a hacker attacked Robinhood’s Twitter account (@RobinhoodApp) and used the account to propagate a scam token, $RBH, through a phishing link. Around 10 people bought this token and lost around US $1,000.

  • Fairyproof Detects New Telegram Phishing Scheme

On 27 Jan, Fairyproof, a pioneering blockchain security company, detected a new phishing scheme in which hackers use compromised Telegram user accounts to trick users into sending assets to the hackers’ addresses.

For more details: https://twitter.com/FairyproofT/status/1618856301039321088?s=20&t=VdHTeQBaXPTTuBR1vsfL-Q

  • EtherOrcs Announces Discord Server Compromised

On 28 Jan, on-chain Ethereum-deployed game EtherOrcs (@EtherOrcs) announced on Twitter that its Discord server had been compromised after a member of the team was hacked. In a follow-up tweet, they announced that they had regained control of the server through “Wick”, that compromised accounts had been removed “within 60 seconds”, and that an audit would be done.

  • Azuki Announces Compromise of Twitter Account

On 28 Jan, Azuki (@AzukiOfficial) announced on Twitter that their account had been compromised. They detailed that “a series of malicious tweets were posted during the morning of Friday, Jan 27th (Pacific Time)”.

Azuki also announced that while the team had regained control of its Twitter account, investigations into the Twitter breach were still ongoing and the account had been secured with 2FA. All malicious tweets and links had also been taken down.

Finally, they urged users to approach the Azuki mod team on Discord should they be in doubt about future announcements from Azuki’s social media channels.

  • Hacker Attacks MTC’s Discord Server

On 29 Jan, a hacker attacked MTC’s Discord server. MTC is an NFT project deployed on Solana.

CONCLUSION-

9 notable security incidents occurred in the past week. It was a big week for the security of social media accounts: 8 of the 9 incidents involved social media accounts.


Fairyproof Releases Annual Review of Blockchain Security in 2022

Pioneering Blockchain Security Company Presents Annual Report on Blockchain Security for Year 2022

Singapore, January 30, 2023 – Global pioneering blockchain security company Fairyproof released its annual Review of Blockchain Security in 2022 (hereafter referred to as the “Report”). The Report presents data gathered through 2022, covering a total of 378 prominent, publicly reported blockchain security incidents, along with statistics and analysis based on the targets affected and the root causes.

The Report revealed that the entire blockchain ecosystem had witnessed an accumulated loss of US$2.52 billion, and highlighted that attacks against cross-chain bridges had become a prominent issue, accounting for about 40% (US$1.01 billion) of the total losses. The Report attributed the remaining losses to cyberattacks against smart contracts (US$571.34 million), leaked private keys (US$999.79 million), and attacks against layer 2 solutions (US$35 million).

Fairyproof CEO Mr. Tan Yuefei noted that attacks on cross-chain bridges and the resulting losses in 2022 far surpassed those of 2021. “No doubt, this is a big concern for the entire crypto space. Many project teams are exploring new solutions to improve the security of existing cross-chain bridges. I would gather that MPC technology would be a mature, sustainable base to develop such solutions.”

Tan proceeded to deliberate on the future of the blockchain ecosystem. “Although most attacks were on cross-chain bridges through 2022, there is a shift in focus to Zero Knowledge (zk) related applications. This would mean that we would soon witness zk-related attacks. That said, I am proud to say that Fairyproof is well-equipped for the rising demand for zk-related audits and is making good progress in developing security solutions for these applications.”

The Report also presented findings on the different attack types involved, ranked in increasing order: price manipulation, flash loans, and exploitation of logic vulnerabilities. This led to the following recommendations for both blockchain developers and users:

  • Blockchain Developers: Ensure that security solutions for cross-chain bridges can handle off-chain activities safely and securely, and increase awareness of security for layer 2 solutions in light of emerging attack trends against layer 2 platforms.

  • Users: Thoroughly investigate the security posture of cross-chain bridges before interacting with them, pay attention to the security of dApp UIs, and check for projects’ audit reports.

“The overall crypto market is experiencing a bear market. However, our findings show that cyberattacks stay relentless. Everyone should focus on keeping their projects and assets safe.” Mr Tan concluded.

To read the annual Review of Blockchain Security in 2022, click here.

About Fairyproof:

Fairyproof is a pioneering blockchain security company established in 2021 with the slogan “Make IT a Safer Place”. They have been actively developing blockchain security solutions and Ethereum standards and have meaningfully contributed to established Web3.0 projects like Ethereum, BNB Smart Chain, and HECO.

For more information, consult the following channels:

Website – https://www.fairyproof.com
Telegram – https://t.me/Fairyproof_tech
Twitter – https://twitter.com/FairyproofT
Medium- https://medium.com/@FairyproofT

Contact:
Joey Leong
Fairyproof
Social Media Manager
+65 9663 5630
https://www.fairyproof.com

Weekly Blockchain Security Watch (Jan 16 to Jan 22)

From 16 January 2023 to 22 January 2023, all security incidents that occurred were Security Hacks.

SECURITY HACKS:

  • Hacker Attacks 520 on BNB Chain

On 16 Jan, 520, a dApp deployed on the BNB chain, was attacked with a flash loan.

The root cause was that the contract’s procBack function had a vulnerability.

Crypto assets worth around US $16,000 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0x286e09932b8d096cba3423d12965042736b8f850

– Attacked Contract: 0x5200f3418B55E814315242a903A1d7C2d0d0B520

– Hash Value of Attack Transaction:

0xccb8c1cfef6de8a71d95886fe49914ca73689f9864286941960b4c23a5d542c6

  • Hacker Attacks OMNI Real Estate Token

On 17 Jan, the OMNI Real Estate token that was deployed on the BNB chain was attacked.

More than 236 BNB worth around US $70,705 were exploited in this incident.

For more details, please refer to Fairyproof’s report at:

  • Hacker Attacks MEV Bot on BNB Chain

On 18 Jan, a hacker attacked an MEV Bot deployed on the BNB chain.

Crypto assets worth around US $ 108,000 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0xa7F5B4A43B6AaED120f8e3C70e65B662d3352c05

– Attacking Contract: 0xF0BE9805fe8E393e8F768Fe8fE4D8b8531D2f61e

– Attacked Contract (MEV bot): 0x5f3239AA0553A5c496e1AEc831f1E41847faA3D0

– Hash Values of Attack Transactions:

0xab78dca427d84c018401873d18517027a00623b6ce20fab19c8c03b825fffb32, 0xab78dca427d84c018401873d18517027a00623b6ce20fab19c8c03b825fffb32

  • Hacker Attacks Quaternion

On 18 Jan, a hacker attacked Quaternion, a B2B and B2C service provider.

The root cause was a wrong conditional check in the QTN token. The hacker funded the attack’s gas from the Ankr exploiter’s address on the BNB chain.

2.546 WETH worth around US $3,800 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0x88a2386e7ec97ad1e7a72176a66b6d0711ae3527

– Attacking Contract: 0xa33c965ca6d3bdc42bdb23a79081757090eb7700

  • Hacker Attacks UpSwing Finance

On 18 Jan, a hacker leveraged a flash-loan to attack UpSwing Finance, a dApp deployed on Ethereum.

The dApp had been inactive since Oct 2020.

22 ETH worth around US $35,500 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0x8a2d94ea342cbdd6d57db614b24f20cae286cac6

– Hash Value of Attacking Transaction: 

0xd099a41830b964e93415e9a8607cd92567e40d3eeb491d52f3b66eee6b0357eb

  • Hacker Attacks Thoreum Finance

On 19 Jan, a hacker attacked Thoreum Finance, a dApp deployed on the BNB chain.

The root cause was that if a wallet sent tokens to itself, its token balance increased instead of staying the same.

In addition, it was suspected that the contract deployer’s private key had been leaked, allowing the hacker to deploy a new contract and then upgrade the proxy contract to that malicious contract.

The attacker deposited BNB to acquire WBNB, leveraged the vulnerability to mint THOREUM tokens, exchanged all the minted tokens for WBNB on BiSwap, and sent the assets back to their own address.

2,260 BNB worth around US $580,000 were exploited in this incident.
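The self-transfer behaviour described above is a well-known ERC-20 implementation mistake: both balances are read into local variables before either is written, so when sender and recipient are the same address the second write overwrites the subtraction with a credit. The following added example, not Thoreum Finance’s code (the contract names SelfTransferBug and SelfTransferFixed are hypothetical), shows the defective transfer beside the correct read-modify-write form:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Vulnerable pattern (added illustration, not Thoreum code).
// With a balance of 100, transfer(self, 100) caches fromBalance = toBalance = 100,
// writes 0, then writes 100 + 100 = 200: the caller minted 100 tokens for free.
contract SelfTransferBug {
    mapping(address => uint256) public balanceOf;

    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    function transfer(address to, uint256 amount) external returns (bool) {
        uint256 fromBalance = balanceOf[msg.sender];
        uint256 toBalance = balanceOf[to];          // stale when to == msg.sender
        require(fromBalance >= amount, "insufficient balance");
        balanceOf[msg.sender] = fromBalance - amount;
        balanceOf[to] = toBalance + amount;         // overwrites the line above
        return true;
    }
}

// Fixed: each slot is read and written in turn, so the second update sees the
// first. transfer(self, 100) now yields 100 - 100 + 100 = 100, i.e. a no-op.
contract SelfTransferFixed {
    mapping(address => uint256) public balanceOf;

    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;                    // re-reads the updated slot if to == msg.sender
        return true;
    }
}
```

A unit test that asserts total supply is unchanged after a self-transfer (and after a transfer from an address to itself via transferFrom) catches this class of bug before deployment; it is one of the cheapest invariants an ERC-20 test suite can check.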

Additional Details:

– Attacker’s Address: 0x1ae2dc57399b2f4597366c5bf4fe39859c006f99

– Hash Value of Attacking Transaction: 

0x5058c820fa0bb0daff2bd1b30151cf84c618dffe123546223b7089c8c2e18331

  • Kraken Freezes Solaris BTC Wallet

On 22 Jan, it was reported that a BTC wallet of Solaris had been frozen by Kraken. Solaris is a darknet platform for illegal products and drugs. Before this, Solaris accounted for one fifth of all illegal transactions on the darknet.

Kraken not only froze its BTC wallet but also took control of its infrastructure, GitLab repository and source code.

CONCLUSION-

7 notable security incidents have occurred in the past week. Most of them were attacks against smart contracts.


Review of Blockchain Security in 2022

For the Year 2022, Presented by Fairyproof in 2023

Executive Summary

The overall crypto market entered a bear market through 2022. However, attacks against the crypto ecosystem were still active.

– Crypto assets worth around US $2.52 billion were exploited in 378 prominent security incidents.

– 11 attacks against cross-chain bridges totaled a loss of US $1.01 billion, accounting for 39.94% of the overall loss across the 378 incidents. The security of cross-chain bridges has become a prominent issue.

– Attacks that exploited logic vulnerabilities, flash-loans, price manipulation, governance vulnerabilities and re-entrancy vulnerabilities resulted in a loss of US $571.34 million and this loss accounted for 69.64% of the total loss in the attacks against smart contracts alone. These vulnerabilities could have been uncovered and the loss could have been prevented if these attacked contracts had been professionally audited.

– The loss (US $999.79 million) caused by leaked private keys accounted for 42.18% of the total loss in attacks from hackers. Managing private keys safely and securely should always be the number 1 factor all crypto users should keep in mind.

– The loss (US $35 million) caused by attacks against layer 2 solutions far surpassed the loss (US $5.95 million) caused by attacks against blockchain mainnets. This shows that the need for security of layer 2 solutions is becoming more pressing than that of blockchain mainnets.

– In 2022, Fairyproof extensively researched ZK (zero-knowledge proof [1]) related technologies and is familiar with the existing mainstream solutions in the industry. Fairyproof has established its own development process and model, and can promptly deliver solutions based on application requirements. With regard to ZK-related audits, Fairyproof has rich experience and is proficient in converting a problem to ZK circuits, auditing circuits, proof generation, proof verification, and more. In addition, Fairyproof has been actively working on optimizing ZK-related implementations and improving their security, such as by using MPC technology to decentralize the initial setup in ZK-SNARK implementations.

– In 2022, Fairyproof established strong technical capabilities in MPC [2] related technologies, along with its own development process and model. Fairyproof was also capable of promptly delivering solutions for popular applications like using MPC to conduct omnichain transactions.

BACKGROUND

Before proceeding, the following terms and technologies are introduced in this report:

CCBS

CCBS stands for “Centralized Crypto or Blockchain Service”. A CCBS refers to a platform or service that provides crypto or blockchain related products or services and is run by a conventional / centralized organization, entity or company, such as conventional crypto exchanges (e.g. Binance or Tether).

FLASHLOAN

Flash loans are a popular feature that hackers utilize when attacking EVM-compatible smart contracts. Flash loans were developed by the team behind the well-known DeFi application AAVE [3]. This feature “allows users to borrow any available amount of assets without putting up any collateral, as long as the liquidity is returned to the protocol within one block transaction” [4]. Flash loans are quite often used to borrow ERC-20 tokens [5] and attack DeFi applications. To initiate a flash loan, a user needs to write a contract that borrows an available amount of assets and pays back the loan + interest + necessary fees, all within the same transaction.

CROSS-CHAIN BRIDGE

A cross-chain bridge is an infrastructure that connects multiple independent blockchains and enables an exchange of cryptos, data or information from one blockchain to another.

As more blockchains have their own ecosystems, cryptos and dApps, the need for exchanging cryptos or data across different blockchains becomes increasingly high and the volume of cross-chain transactions increases dramatically. This causes cross-chain bridges to suffer more attacks.

FOCUS OF THIS REPORT

In this report we list our statistics collected from typical security incidents that happened in the blockchain industry in 2022, give an in-depth analysis of their root causes, and present our recommended best practices.


STATISTICS AND ANALYSIS OF SECURITY INCIDENTS OF 2022

We studied 378 prominent security incidents that occurred in 2022 and present our statistics and analysis based on the targets and root causes.

In 2022 the total value of the exploited assets was US $2.52 billion and the overall market cap of cryptocurrencies according to Tradingview was US $756.15 billion. The value of the exploited assets accounted for 0.33% of the total market cap of cryptocurrencies.

OVERALL TREND OF BLOCKCHAIN SECURITY INCIDENTS OF 2022

We studied each quarter’s blockchain security incidents and derived the following trend graph:

From this graph we can see that the number of incidents had been increasing throughout the year except in Q4, and the amount of loss had been increasing as well except in Q3.

INCIDENTS CATEGORIZED BY TARGETS

Our researched incidents can be categorized into four types of targets:

  1. CCBS
  2. Blockchains
  3. DApps
  4. Cross-chain Bridges

A CCBS-related incident is one in which a centralized crypto or blockchain service platform is attacked by hackers resulting in the failure of its services or a loss of crypto assets under its custody.

A blockchain-related incident is one in which a blockchain mainnet, side chain or layer 2 is attacked by malicious actors from inside, outside, or both, so that its operation goes out of order, or in which a blockchain fails to work properly due to issues related to software, hardware, or both. Attackers are then able to exploit the consensus for profit.

A dApp-related incident is one where a dApp’s daily operation goes out-of-order or is attacked, leaving it open for attackers to exploit users and crypto assets under the custody of the dApp.

A cross-chain bridge-related incident occurs when a cross-chain bridge is attacked resulting in a loss of crypto assets under its custody or a failure of the exchange function between multiple blockchains.

There were 378 incidents in total. Here is a figure that shows the percentage for each of these targets respectively.

The number of dApp-related incidents account for more than 84.16% of the total incidents. Out of 378 incidents, 24 were CCBS-related, 15 were blockchain-related, 11 were cross-chain bridge-related, and 328 were dApp-related.

BLOCKCHAIN-RELATED INCIDENTS

Incidents that had occurred in blockchains can be further categorized into three sub-categories:

  1. Blockchain mainnets
  2. Side chains
  3. Layer 2 solutions

A blockchain mainnet, also known as layer 1, is an independent blockchain that has its own network with its own protocol, consensus, and validators. A blockchain mainnet can validate transactions, data, and blocks generated in its network by its own validators and reach finality. Bitcoin and Ethereum are typical blockchain mainnets.

A side chain is a separate, independent blockchain which runs in parallel to a blockchain mainnet. It has its own network consensus and validators. It is connected to a blockchain mainnet (e.g. by a two-way peg [6]).

A layer 2 solution refers to a protocol or network that relies on a blockchain as its base layer (layer 1) for security and finality [7]. Its main purpose is to solve the scalability issues of its base layer. It processes transactions faster and consumes fewer resources compared to its base layer. Since 2021, there has been a huge surge in the growth and development of layer 2 solutions for the Ethereum ecosystem.

Both side chains and layer 2 solutions exist to solve the scalability issues of a blockchain mainnet. The significant difference between a side chain and a layer 2 solution is that a side chain does not necessarily rely on its blockchain mainnet for security or finality whereas a layer 2 solution does.

There were 15 blockchain-related incidents in total in 2022. The figure below shows the percentages of blockchain mainnet related incidents, side-chain related incidents, and layer 2 related incidents respectively.

The number of blockchain mainnet related incidents and layer 2 related incidents account for 60% (9) and 40% (6) of the total incidents respectively. No prominent side-chain related incidents were covered in our statistics. The layer 2 solutions that were attacked included 3 Ethereum layer 2 solutions, namely Loopring [8], zkSync [9], Optimism [10] and Arbitrum [11], while the majority of the attacked blockchain mainnets were non-EVM blockchains.

DAPP RELATED INCIDENTS

Among the 328 incidents that occurred toward dApps, 35 were rug-pulls, 148 were involved in exploitations and 145 were directly attacked. An attack against a dApp can specifically target its front-end, server side, or smart contract(s). We can therefore further classify these 41 incidents into three sub-categories:

  1. dApp’s front-end
  2. dApp’s server side
  3. dApp’s smart contract(s)

dApp’s front-end related incidents refer to events where vulnerabilities in the conventional client side are exploited, compromising the account information and personal details of users, which can then be used to steal their crypto assets.

dApp’s server side related incidents are those where vulnerabilities present in the conventional server side are exploited, leaving on-chain and off-chain communication open for hijacking and crypto assets of users open for exploitation.

Smart contract related incidents refer to vulnerabilities in a smart contract’s design or implementation, which are leveraged to exploit crypto assets from users.

Here is a figure that shows the percentages of front-end, server-side and smart contract related incidents respectively.

The above figure shows the number of smart contract related incidents, server side related incidents, and front-end related incidents, accounting for 91.03%, 0%, and 8.97% of the total incidents respectively. Among 145 incidents, 13 were front-end related and 132 were smart contract related.

We further studied the amount of loss incurred from these sub-categories. Our study showed that the amount of loss in front-end related incidents was US $6.06 million, and the amount of loss in smart contract related incidents was US $820.26 million.

It is clear that smart contract related incidents were the biggest issue. Typical vulnerabilities we found pertaining to smart contracts in 2022 include logic vulnerabilities, private key leaks, flash loans, re-entrancy attacks, and more.

We studied the 132 incidents in which smart contracts were directly attacked and derived the following figure based on vulnerability types:

The figure shows that the vulnerability type with the highest share of incidents was logic vulnerabilities, followed by flash loan attacks. Logic vulnerabilities mainly include missing validation of parameters, missing validation of access control, etc. 51 projects suffered from logic vulnerabilities and 24 suffered from flash loan attacks.

The following figure illustrates the amount of loss for each vulnerability type:

The amount of loss caused by logic vulnerabilities still ranked first. 51 incidents were caused by logic vulnerabilities, totaling a loss of US $205.64 million. This loss accounted for 25.07% of the total loss. The amount of loss caused by governance attacks ranked second. 6 incidents were caused by governance attacks, totaling a loss of US $189.51 million. This loss accounted for 23.1% of the total loss. Meanwhile, 8 incidents caused by private key leaks totaled a loss of US $173.85 million and accounted for 21.19% of the total loss, ranking third.

INCIDENTS CATEGORIZED BY ROOT CAUSES

The root cause of these incidents can be categorized into the following:

  1. Attacks from hackers
  2. Rug-pulls
  3. Misc.

We studied these incidents and got the following figure.

The above figure shows that the number of attacks from hackers, rug-pulls and misc. incidents accounted for 90.48% (342) and 9.52% (36) of the total incidents respectively.

We studied the amount of loss of each category of incidents based on the root cause and got the following figure:

The above figure shows that the amount of loss in the incidents that suffered from attacks and the amount of loss in rug-pull incidents accounted for 94.13% and 5.87% of the total loss respectively. The amount of loss in the incidents that suffered from attacks was US $2.37 billion and the amount of loss in rug-pull incidents was US $0.15 billion. This reveals that attacks from hackers posed the largest threat to the whole crypto ecosystem in 2022.

ATTACKS FROM HACKERS

We studied the targets the hackers attacked and got the following figure:

The figure above shows that the number of attacks on dApps, CCBSs, blockchains and cross-chain bridges accounted for 85.42% (287), 6.85% (23), 4.46% (15) and 3.27% (11) respectively.

After we studied the amount of loss in each of them we got the following figure:

The amount of loss in attacks on cross-chain bridges, dApps, CCBSs and blockchains were 42.64%, 37.05%, 18.57% and 1.74%, resulting in a loss of US $1.01 billion, US $873.95 million, US $438.06 million and US $40.95 million respectively.

RUG-PULLS

The rug-pulls that happened in 2022 were against dApps or CCBSs. 1 was a CCBS rug-pull and 35 were dApp rug-pulls. There were 36 incidents totaling a loss of US $147.85 million which were not as severe as losses caused by attacks.

RESEARCH FINDINGS

dApps were the most prominent target for attacks in 2022, as the largest number of attacks were against them. However, the amount of loss caused by cross-chain bridge attacks ranked first, totaling a loss of US $1.01 billion and accounting for 42.64% of the total loss from attacks by hackers. This reveals that the overall security situation of the existing cross-chain bridges is a big concern for the whole crypto space.

Hackers proved to remain the main threat to the crypto industry, accounting for more than 90% of all incidents and more than 94% of the total loss. This far surpassed any other root cause such as rug-pulls.

Both the number of attacks on layer 2 solutions and the amount of loss in these attacks increased dramatically in 2022 compared to those of 2021. We think this will be an irreversible trend because layer 2 solutions have been emerging rapidly and will keep doing so in the following years.

A dApp consists of three parts: a front-end, a server-side and smart contracts. One or more of these parts are targeted during dApp attacks. According to our statistics, smart contract(s) accounted for an extraordinarily high percentage of attacks compared to front-ends or server sides with regard to both attack frequency and amount of loss in 2022. This shows that attacks on smart contracts still posed the biggest threat to dApps.

Most of the rug-pulls in 2022 were dApps accounting for 97.22% of the total number of rug-pulls and 78.36% of the total loss in rug-pulls.

Finally, for smart contract related incidents, we found the number of attack sub-categories (except misc incidents) to be ranked as the following:

Rank 1: Logic vulnerability

Rank 2: Flash-loan

Rank 3: Price manipulation.

The amount of loss in the incidents that suffered from logic vulnerabilities far surpassed any one of these ranks.

TENTATIVE THOUGHTS

In addition, more project teams rushed to or planned to jump into Zero Knowledge (zk) related applications, including zk-rollup solutions for Ethereum, zk related social applications, and more. We think there will be an increasing demand for audits of zk related applications.

Both the number of attacks on cross-chain bridges and the amount of loss in these attacks in 2022 far surpassed those of 2021. This has raised a big concern for the whole crypto space. Quite a few teams have been exploring various new solutions to improve the security of the existing cross-chain bridge solutions. MPC technology is one of the promising solutions. We think more mature and affordable solutions based on MPC technology will emerge in the following years, and there will be an increasing demand for audits of MPC related applications and solutions.

BEST PRACTICES TO PREVENT SECURITY ISSUES

In this section we present some best practices to help both blockchain developers and users manage the risks posed by the incidents that happened in 2022, and support coordinated and efficient response to crypto security incidents. We would recommend both blockchain developers and users to apply these practices to the greatest extent possible based on the availability of their resources.

Note: “Blockchain developers” refers to both developers of blockchains and developers of dApps, and of blockchains or systems pertaining to cryptocurrencies. Here, “blockchain users” refers to everyone that participates in activities pertaining to a crypto system’s management, operation, trading, etc.

FOR BLOCKCHAIN DEVELOPERS

Developers of cross-chain bridges need to pay closer attention to the bridges’ security as cross-chain transactions become increasingly popular. Cross-chain bridge solutions include handling of operations – not only on-chain but also off-chain. Naturally, the off-chain part would be more vulnerable to attacks. Hence, security solutions for cross-chain bridges should be particularly capable of handling off-chain activities safely and securely.

Awareness of security for layer 2 solutions should still be kept even though attacks on them were few with negligible losses as more layer 2 solutions will emerge in the coming years. Research and development for solutions to tackle security challenges in this area must be prompt.

A step to transfer an admin’s access control to a multi-sig wallet or a DAO to manage access control to crypto assets or critical operations is a must-have.

Attackers would employ flash loans to maximize their exploits when they detect vulnerabilities in smart contracts, including issues of re-entrancy, missing validations for access control, incorrect token price algorithm, and more. Proper handling of these issues should have the highest priority for a smart contract developer when designing and coding a smart contract.

Our statistics show that an increasing number of hackers have been using social media tools – especially Discord – to launch phishing attacks. This persisted through the whole year of 2022 and will very likely persist in 2023. Many users have suffered huge losses. Project developers and managers are advised to prioritize safely and securely managing social media accounts and finding security solutions for them on top of project implementation.

FOR BLOCKCHAIN USERS

More users are diversifying their crypto portfolios across different blockchains. The demand for cross-chain transactions is rapidly increasing. Whenever a user participates in a cross-chain transaction, the user will have to interact with a cross-chain bridge – a popular target among hackers. Hence, before starting a cross-chain transaction, users are advised to investigate the bridge’s security condition and ensure they use a reliable, safe and secure bridge.

While it remains necessary to pay great attention to the security of smart contracts when interacting with a dApp, it is increasingly important to also pay attention to the security of the user interface and to exercise caution in detecting suspicious messages, prompts, and behavior presented by the UI.

We strongly urge users to check whether a project has audit reports and read these reports before proceeding with further actions.

Use a cold wallet or a multi-sig wallet where possible to manage crypto assets that are not for frequent trading. Be careful about using a hot wallet and make sure the hardware on which a hot wallet is installed is safe and secure.

Be cautious of a dApp whose team members are unknown or lack reputation. Such dApps may eventually prove to be rug-pull projects. Be cautious of a centralized exchange which has not established a reputation or does not have tracked transaction data on third party media, as it may also eventually prove to be a rug-pull.

REFERENCES

[1] zero-knowledge proof. https://en.wikipedia.org/wiki/Zero-knowledge_proof

[2] MPC. https://en.wikipedia.org/wiki/Secure_multi-party_computation

[3] Aave. https://aave.com/

[4] Flash loans. https://aave.com/flash-loans/

[5] ERC-20 TOKEN STANDARD. https://ethereum.org/en/developers/docs/standards/tokens/erc-20/

[6] Sidechains. https://ethereum.org/en/developers/docs/scaling/sidechains/

[7] Layer-2. https://academy.binance.com/en/glossary/layer-2

[8] Loopring. https://loopring.org/#/

[9] zkSync. https://zksync.io/

[10] Optimism. https://www.optimism.io/

[11] Arbitrum. https://arbitrum.io/

Weekly Blockchain Security Watch (Jan 9 to Jan 15)

Jan 9 to Jan 15

SECURITY HACKS:

  • Hacker Attacks Chimpers’ Twitter Account

On 10 Jan, a hacker attacked the Twitter account (@ChimpersNFT) of Chimpers, an NFT project based on Ethereum. The project later reassured followers that their Twitter account had been safely secured.

In their follow-up tweet, they reiterated that the project would “NEVER spontaneously launch a surprise mint, claim or airdrop”. They have also commenced compensation for victims of the hack.

  • Hacker Attacks BRA on BNB Chain

On 10 Jan, a hacker attacked BRA, a dApp deployed on the BNB chain.

For more details please refer to:

820 BNBs worth around US $240,000 were exploited in this incident.

Additional Details:

– Attacker’s Address: 0xE2Ba15be8C6Fb0d7C1F7bEA9106eb8232248FB8B (on BNB chain)

– Attacked Contract: 0x449FEA37d339a11EfE1B181e5D5462464bBa3752 (on BNB chain)

– Hash Values of Attack Transactions:

0x6759db55a4edec4f6bedb5691fc42cf024be3a1a534ddcc7edd471ef205d4047

0x4e5b2efa90c62f2b62925ebd7c10c953dc73c710ef06695eac3f36fe0f6b9348

  • Sui Name Service Announce Discord Server Attacked

On 10 Jan, Sui Name Service (@snsstork), a name service deployed on the Sui blockchain, announced on Twitter that their Discord server was attacked by “a staff member who was paid off” and impersonating an admin.

The account also stated that they were “working on restoring roles” and offered support for those who need it.

  • Hacker Manipulates ROE Finance Oracle in Attack

On 11 Jan, ROE Finance (@RoeFinance), a DeFi application deployed on Ethereum was attacked.

The root cause of this incident was that the oracle was manipulated.

ROE Finance was built on top of AAVE. The hacker carried out this attack by following the steps below:

Step 1: The attacker-controlled address initially borrowed 5,673,090 USDCs from Balancer, and deposited them to the roeUSDC pool.

Step 2: The same address borrowed 2,953,841,283 UNI-V2s from the pool, left the debt to the contract creator, and deposited the borrowed assets to the pool.

Step 3: The hacker repeated the previous step roughly 49 times, burned 0.295 UNI-V2 and earned 2.96 WBTCs and 51,661 USDCs.

Step 4: The hacker gave 26,024 USDCs to UNI-V2 and called the Uniswap V2 sync function. This manipulated the price of the UNI-V2 obtained from the oracle.

Step 5: The hacker borrowed back 5,673,090 USDCs that had been put into the roeUSDC pool earlier, exchanged 14,345 USDCs to 0.66 WBTCs, and repaid the USDCs back to Balancer.

Crypto assets including 2.29 WBTCs and 39,982 USDCs worth around US $80,000 were exploited in this incident.
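A constructed model of the price-feed weakness behind Steps 4 and 5 above, paired with the deviation guard a lending market could apply before trusting a pool-derived LP price; it also illustrates the “incorrect token price algorithm” item in the best practices for developers. This is an added example, not ROE Finance, AAVE or Uniswap code: the pool reserves, WBTC price, 5% tolerance and 80% loan-to-value are assumptions, and only the 26,024 USDC donation figure is taken from the report.

```python
from dataclasses import dataclass

# Constructed model of a Uniswap V2 style pair (not Uniswap, AAVE or ROE Finance code).
# Reserves are what the pair *believes* it holds; they only catch up with the real
# token balances when sync() is called, which is the hook described in Step 4.


@dataclass
class Pair:
    balance_usdc: float   # USDC actually held by the pair contract
    balance_wbtc: float   # WBTC actually held by the pair contract
    lp_supply: float      # UNI-V2 LP tokens outstanding
    reserve_usdc: float = 0.0
    reserve_wbtc: float = 0.0

    def __post_init__(self) -> None:
        self.sync()

    def sync(self) -> None:
        """Mirror of Uniswap V2 sync(): reserves := current token balances."""
        self.reserve_usdc = self.balance_usdc
        self.reserve_wbtc = self.balance_wbtc


def naive_lp_price(pair: Pair, wbtc_usd: float) -> float:
    """Spot valuation of one LP token: pool value / LP supply, read straight from reserves.
    Nothing here checks where the reserves came from, which is the weakness."""
    pool_value = pair.reserve_usdc + pair.reserve_wbtc * wbtc_usd
    return pool_value / pair.lp_supply


def donate_and_sync(pair: Pair, usdc: float) -> None:
    """Tokens sent directly to the pair (no swap, no mint) followed by sync().
    LP supply is unchanged, so every LP token now appears to be worth more."""
    pair.balance_usdc += usdc
    pair.sync()


def max_borrow_usd(collateral_lp: float, lp_price: float, ltv: float) -> float:
    """Borrowing power a lending market grants against LP collateral."""
    return collateral_lp * lp_price * ltv


def deviation_bps(spot: float, reference: float) -> float:
    """Absolute deviation of a spot price from a reference price, in basis points."""
    return abs(spot - reference) / reference * 10_000


def guarded_lp_price(spot: float, reference: float, max_dev_bps: float = 500.0) -> float:
    """Defensive read: accept the spot price only if it stays within max_dev_bps of an
    independent reference (a TWAP or a second oracle); otherwise refuse to price.
    The reference must not be derivable from the same block's reserves."""
    dev = deviation_bps(spot, reference)
    if dev > max_dev_bps:
        raise ValueError(f"spot price deviates {dev:.0f} bps from reference; refusing to price")
    return spot


def simulate() -> dict:
    """Walk through the manipulation and show what the guard catches (constructed numbers)."""
    wbtc_usd = 20_000.0                       # assumed WBTC price
    pair = Pair(balance_usdc=30_000.0, balance_wbtc=1.5, lp_supply=1_000.0)  # thin pool
    honest = naive_lp_price(pair, wbtc_usd)   # reference: LP price before manipulation
    collateral_lp = 400.0                     # LP tokens posted as collateral (assumed)
    ltv = 0.8                                 # assumed loan-to-value ratio

    before = max_borrow_usd(collateral_lp, honest, ltv)
    donate_and_sync(pair, 26_024.0)           # donation figure from the report's Step 4
    spot = naive_lp_price(pair, wbtc_usd)
    after = max_borrow_usd(collateral_lp, spot, ltv)

    try:
        guarded_lp_price(spot, honest)
        guard_blocked = False
    except ValueError:
        guard_blocked = True

    return {
        "honest_lp_price": honest,
        "manipulated_lp_price": spot,
        "extra_borrow_usd": after - before,
        "deviation_bps": deviation_bps(spot, honest),
        "guard_blocked": guard_blocked,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The naive oracle hands out extra borrowing power against the same collateral right after the donation, while the guard refuses to price because the spot value has moved more than 43% from the reference in a single step.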

Additional Details:

– Attacker’s Address: 0x67a909f2953fb1138bea4b60894b51291d2d0795

– Hash Value of Attack Transaction:

0x927b784148b60d5233e57287671cdf67d38e3e69e5b6d0ecacc7c1aeaa98985b

  • Lendhub Announces Attack on 12 Jan

On 13 Jan, Lendhub (@LendHubDefi), a dApp deployed on HECO, announced on Twitter that their project had been attacked on 12 Jan.

The root cause was that both the old and new IBSV tokens existed simultaneously in the market and both took their price feeds from the new IBSV.

The hacker leveraged the vulnerability to obtain old IBSV tokens by depositing HBSV tokens and borrowed assets from the new market, then redeemed HBSV back in the old market.

The attack resulted in Lendhub’s TVL decreasing from US $6 million to US $90,305.

Additional Details:

– Attacker’s Address: 0x9d0163e76bbcf776001e639d65f573949a53ab03

CONCLUSION

5 notable security incidents have occurred in the past week. Most of them were attacks against smart contracts.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/

Review of Blockchain Security in Q4 2022

Q4 2022, presented by Fairyproof in 2023

OVERVIEW

Overall, the crypto market witnessed a bear market through Q4 2022. Despite the bear market, attacks against the crypto ecosystem were still active. Crypto assets worth around US$587.57 million were exploited from October 2022 to December 2022.

Fairyproof studied 101 publicly reported security incidents that occurred in Q4 2022. This report is composed of findings, analysis and best practices of these incidents.

BACKGROUND

Before proceeding, the following terms and technologies are introduced in this report:

CCBS

CCBS stands for “Centralized Crypto or Blockchain Service”. A CCBS refers to a platform or service that provides crypto or blockchain related products or services, and is run by a conventional / centralized organization, entity or company, such as a conventional crypto exchange (e.g., Binance or Tether).

FLASHLOAN

Flash loans are a popular feature that hackers utilize when attacking EVM-Compatible smart contracts. Flash loans were developed by the team behind the famous DeFi application AAVE [1]. This feature “allows users to borrow any available amount of assets without putting up any collateral, as long as the liquidity is returned to the protocol within one block transaction” [2]. Flash loans are quite often used to borrow ERC-20 tokens [3] and attack DeFi applications. To initiate a flash loan, users will need to write a contract that borrows an available amount of assets and pay back the loan + interest + necessary fees all within the same transaction.

CROSS-CHAIN BRIDGE

A cross-chain bridge is an infrastructure that connects multiple independent blockchains and enables an exchange of cryptos, data or information from one blockchain to another.

As more blockchains have their own ecosystems, cryptos and dApps, the need for exchanging cryptos or data across different blockchains becomes increasingly high, while the volume of cross-chain transactions dramatically increases. This causes cross-chain bridges to suffer more attacks.

FOCUS OF THIS REPORT

In this report we list our statistics collected from typical security incidents that happened in the blockchain industry in Q4 2022, give an in-depth analysis of their root causes, and present our recommended best practices.

 

STATISTICS AND ANALYSIS OF SECURITY INCIDENTS OF Q4 2022

We studied 101 publicly reported security incidents that occurred in Q4 2022 and present our statistics and analysis based on the targets and root causes.

In Q4 2022, the total value of the exploited assets was US $587.57 million and the overall market cap of cryptocurrency according to Tradingview was US $756.15 billion. The value of the exploited assets accounted for 0.08% of the total market cap of cryptocurrency.

INCIDENTS CATEGORIZED BY TARGETS

Our researched incidents can be categorized into four types of targets:

  1. CCBS
  2. Blockchains
  3. DApps
  4. Cross-chain Bridges

A CCBS-related incident is one in which a centralized crypto or blockchain service platform is attacked by hackers resulting in the failure of its services or a loss of crypto assets under its custody.

A blockchain-related incident is one where a blockchain mainnet, side chain or layer 2 is attacked by malicious actors from inside, outside, or both, resulting in its operation going out of order, or that a blockchain fails to work properly due to issues related to software, hardware, or both. Attackers will then be able to exploit the consensus for profits.

A dApp-related incident is one where a dApp’s daily operation goes out-of-order or is attacked, leaving it open for attackers to exploit users and crypto assets under the custody of the dApp.

A cross-chain bridge-related incident occurs when a cross-chain bridge is attacked resulting in a loss of crypto assets under its custody or a failure of the exchange function between multiple blockchains.

There were 101 incidents in total. Here is a figure that shows the percentage for each of these targets respectively.

The number of dApp-related incidents account for more than 84.16% of the total incidents. Out of 101 incidents, 9 were CCBS-related, 3 were blockchain-related, 4 were cross-chain bridge-related, and 85 were dApp-related.

BLOCKCHAIN-RELATED INCIDENTS

Incidents that had occurred in blockchains can be further categorized into three sub-categories:

  1. Blockchain mainnets
  2. Side chains
  3. Layer 2 solutions

A blockchain mainnet, also known as layer 1, is an independent blockchain that has its own network with its own protocol, consensus, and validators. A blockchain mainnet can validate transactions, data, and blocks generated in its network by its own validators and reach finality. Bitcoin and Ethereum are typical blockchain mainnets.

A side chain is a separate, independent blockchain which runs in parallel to a blockchain mainnet. It has its own network consensus and validators. It is connected to a blockchain mainnet (e.g., by a two-way peg [4]).

A layer 2 solution refers to a protocol or network that relies on a blockchain as its base layer (layer 1) for security and finality [5]. Its main purpose is to solve scalability issues of its base layer. It processes transactions faster and costs less resources compared to its base layer. Since 2021, there has been a huge surge in the growth and development of layer 2 solutions for the Ethereum ecosystem.

Both side chains and layer 2 solutions exist to solve the scalability issues of a blockchain mainnet. The significant difference between a side chain and a layer 2 solution is that a side chain does not necessarily rely on its blockchain mainnet for security or finality whereas a layer 2 solution does.

There were 3 blockchain-related incidents in total in Q4 2022. The figure below shows the percentages of blockchain mainnet related incidents, side-chain related incidents, and layer 2 related incidents respectively.

The number of blockchain mainnet related incidents and layer 2 related incidents account for 33.33% (1) and 66.67% (2) of the total incidents respectively. No prominent side-chain related incidents were covered in our statistics. The layer 2 solutions that were attacked were Loopring [6] and zkSync [7], while the attacked blockchain mainnet was ZCash [8].

DAPP RELATED INCIDENTS

Among the 85 incidents that occurred toward dApps, 5 were rug-pulls, 39 were involved in exploitations and 41 were directly attacked. An attack against a dApp can specifically target its front-end, server side, or smart contract(s). We can therefore further classify these 41 incidents into three sub-categories:

  1. dApp’s front-end
  2. dApp’s server side
  3. dApp’s smart contract(s)

dApp’s front-end related incidents refer to events where vulnerabilities in the conventional client side are exploited, compromising the account information and personal details of users, which can then be used to steal their crypto assets.

dApp’s server side related incidents are those where vulnerabilities present in the conventional server side are exploited, leaving on-chain and off-chain communication open for hijacking and crypto assets of users open for exploitation.

Smart contract related incidents refer to vulnerabilities in a smart contract’s design or implementation, which are leveraged to exploit crypto assets from users.

Here is a figure that shows the percentages of front-end, server-side and smart contract related incidents respectively.

The above figure shows the number of smart contract related incidents, server side related incidents, and front-end related incidents, accounting for 97.56%, 0%, and 2.44% of the total incidents respectively. Among 41 incidents, 1 was front-end related and 40 were smart contract related.

We further studied the amount of loss incurred from these sub-categories. Our study showed that the amount of losses in both front-end related incidents and server-side related incidents were 0, and the amount of loss in smart contract related incidents was US $83.36 million.

It is clear that smart contract related incidents were the biggest issue. Typical vulnerabilities we found pertaining to smart contracts in Q4 2022 include logic vulnerabilities, private key leaks, flash loans, re-entrancy attacks, and more.

We studied the 40 incidents in which smart contracts were directly attacked and derived the following figure based on vulnerability types:

The figure shows that the vulnerability types with the highest share of incidents were flash loans and logic vulnerabilities. Logic vulnerabilities mainly include missing validation of parameters, missing validation of access control, etc. 11 projects suffered from flash loan attacks and 11 suffered from logic vulnerability attacks as well.

The following figure illustrates the amount of loss for each vulnerability type:

It is interesting to note that although flash loans accounted for the highest number of incidents, the amount of loss they caused only ranked fifth. 11 incidents were caused by flash loans, totaling a loss of US $4.73 million. First place went to the 11 incidents caused by logic vulnerabilities, totaling a loss of US $141.42 million and accounting for 74.72% of the total loss. Meanwhile, 5 incidents caused by private key leaks totaled a loss of US $11.51 million and accounted for 6.08% of the total loss, ranking third.

INCIDENTS CATEGORIZED BY ROOT CAUSES

The root cause of these incidents can be categorized into the following:

  1. Attacks from hackers
  2. Rug-pulls
  3. Misc.

We studied these incidents and got the following figure.

The above figure shows that the number of attacks from hackers, rug-pulls and misc. incidents accounted for 93.07% (94), 4.95% (5) and 1.98% (2) of the total incidents respectively.

We studied the amount of loss of each category of incidents based on the root cause and got the following figure:

The above figure shows that the amount of loss in the incidents that suffered from attacks and the amount of loss in rug-pull incidents each accounted for 99.12% and 0.88% of the total loss respectively. The amount of loss in the incidents that suffered from attacks was US $582.41 million and the amount of loss in rug-pull incidents was US $5.16 million. This reveals that attacks from hackers posed the largest threat to the whole crypto ecosystem in Q4 2022.

ATTACKS FROM HACKERS

We studied the targets the hackers attacked and got the following figure:

The figure above shows that the number of attacks on dApps, CCBSs, cross-chain bridges and blockchains accounted for 84.16% (85), 8.91% (9), 3.96% (4) and 2.97% (3) respectively.

After we studied the amount of loss in each of them we got the following figure:

The amount of loss in attacks on CCBSs, cross-chain bridges, dApps and blockchains were 66.51%, 17.92%, 15.56% and 0.21%, resulting in a loss of US $390.82 million, US $105.3 million, US $91.45 million and US $1.26 million respectively.

RUG-PULLS

All rug-pulls that happened in Q4 2022 were against dApps. There were 5 incidents totaling a loss of US $5.16 million which were not as severe as losses caused by attacks.

RESEARCH FINDINGS

CCBS systems were the most prominent target for attacks in Q4 2022. Although the number of CCBS incidents only accounted for 8.91% of the total, the amount of loss in the CCBS incidents accounted for 66.51% of the total amount of loss and far surpassed the amount of loss in any other incidents. Among all the CCBS incidents the biggest one was when FTX’s crypto assets were abnormally transferred away. This incident was suspected to be closely related to FTX’s crash.

Compared to the data Fairyproof collected for Q3 2022, the number of attacks on cross-chain bridges rose slightly. However, the amount of loss in attacks on cross-chain bridges rose greatly, nearly tripling the loss in Q3. Clearly, cross-chain bridges were still a big honeypot for hackers. They still have a lot of challenges to face and issues to fix before they can give users confidence in their security and safety.

Hackers proved to remain the main threat to the crypto industry, accounting for 93.07% of all incidents. This far surpassed any other root cause such as rug-pulls.

A dApp consists of three parts: a front-end, a server-side and smart contracts. One or more of these parts are targeted during dApp attacks. According to our statistics, smart contract(s) accounted for an extraordinarily high percentage of attacks compared to front-ends and server sides with regard to both attack frequency and amount of loss in Q4 2022. This shows that attacks on smart contracts still posed the biggest threat to dApps. It is worth noting that the number of attacks against smart contracts increased greatly compared to Q3 2022, nearly doubling the number of attacks and quintupling the amount of loss.

All rug-pulls in Q4 2022 were dApps.

Finally, for smart contract related incidents, we found the number of attack sub-categories (except the misc incidents) to be ranked as the following:

Rank 1: Flashloan and logic vulnerability

Rank 2: Private key leaked

Rank 3: Re-entrancy attack.

In contrast, the amount of loss in the incidents that suffered from logic vulnerabilities far surpassed any one of these ranks.

TENTATIVE THOUGHTS

Both the number of attacks on layer 2 solutions and the amount of loss in these attacks decreased dramatically compared to that of Q3 2022. However, we don’t think this means the overall security situation of layer 2 solutions improved very much in Q4.

In addition, more project teams rushed to or planned to jump into Zero Knowledge (zk) related applications, including zk-rollup solutions for Ethereum, zk related social applications, and more. We think there will be an increasing demand for audits of zk related applications.

BEST PRACTICES TO PREVENT SECURITY ISSUES

In this section we present some best practices to help both blockchain developers and users manage the risks posed by the incidents that happened in Q4 2022, and support coordinated and efficient response to crypto security incidents. We would recommend both blockchain developers and users to apply these practices to the greatest extent possible based on the availability of their resources.

Note: “Blockchain developers” refers to developers of blockchains, of dApps, and of other systems pertaining to cryptocurrencies. “Blockchain users” refers to everyone who participates in the management, operation or trading of crypto systems.

FOR BLOCKCHAIN DEVELOPERS

Developers of cross-chain bridges need to pay closer attention to bridge security as cross-chain transactions become increasingly popular. A bridge handles operations both on-chain and off-chain (such as relayers, validators and the keys that sign cross-chain messages), and the off-chain part is naturally the more exposed. Security solutions for cross-chain bridges should therefore be particularly capable of handling the off-chain activities safely and securely.

Security awareness for layer 2 solutions should be maintained even though attacks on them in Q4 were few and the losses negligible, as more layer 2 solutions will emerge in the coming years. Research and development of solutions to the security challenges in this area must keep pace.

Transferring an administrator’s control over crypto assets and critical operations from a single externally owned account to a multi-sig wallet or a DAO is a must-have: a single leaked key should never be enough to move funds or change parameters.
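
The following is an added example, not code from this report or from any project it names, showing why that transfer matters: a k-of-n approval gate with an execution delay, modelled as a small state machine. The signer names, the 2-of-3 threshold, the 24-hour delay and the actions are constructed for illustration; a real deployment enforces these rules in a contract (for example a multi-sig plus a timelock), not in Python.

```python
"""k-of-n approval with an execution delay, as a small state machine.

Added example, not code from the report or from any project it names. The
signer names, threshold, delay and actions are constructed; a production
deployment enforces these rules on-chain, not in Python.
"""
from dataclasses import dataclass, field


@dataclass
class Proposal:
    action: str                      # what the admin operation would do
    proposed_at: int                 # unix timestamp of the proposal
    confirmations: set = field(default_factory=set)
    executed: bool = False


class MultisigTimelock:
    """Nothing executes without `threshold` distinct signers AND `delay` seconds."""

    def __init__(self, signers, threshold: int, delay: int):
        if not 1 <= threshold <= len(set(signers)):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.signers = frozenset(signers)
        self.threshold = threshold
        self.delay = delay
        self.proposals = []
        self.executed_actions = []

    def _require_signer(self, who):
        if who not in self.signers:
            raise PermissionError(f"{who} is not a signer")

    def propose(self, who, action, now) -> int:
        self._require_signer(who)
        p = Proposal(action, now)
        p.confirmations.add(who)     # proposing counts as one confirmation
        self.proposals.append(p)
        return len(self.proposals) - 1

    def confirm(self, who, pid) -> int:
        self._require_signer(who)
        p = self.proposals[pid]
        p.confirmations.add(who)     # a set: the same key cannot count twice
        return len(p.confirmations)

    def revoke(self, who, pid) -> int:
        """Signers who notice a bad proposal during the delay withdraw their approval."""
        self._require_signer(who)
        p = self.proposals[pid]
        p.confirmations.discard(who)
        return len(p.confirmations)

    def execute(self, who, pid, now) -> str:
        self._require_signer(who)
        p = self.proposals[pid]
        if p.executed:
            raise PermissionError("already executed")
        if len(p.confirmations) < self.threshold:
            raise PermissionError(f"{len(p.confirmations)}/{self.threshold} confirmations")
        if now < p.proposed_at + self.delay:
            raise PermissionError("timelock has not elapsed")
        p.executed = True
        self.executed_actions.append(p.action)
        return p.action


def demo() -> dict:
    """Constructed scenario: 2-of-3 signers, 24 h delay, and one leaked key ("alice")."""
    wallet = MultisigTimelock(["alice", "bob", "carol"], threshold=2, delay=24 * 3600)
    t0 = 1_700_000_000
    result = {}

    # An attacker holding only alice's key tries to drain the treasury at once.
    pid = wallet.propose("alice", "transfer treasury to 0xattacker", t0)
    try:
        wallet.execute("alice", pid, t0)
        result["single_key_drain"] = "executed"
    except PermissionError as e:
        result["single_key_drain"] = str(e)

    # A legitimate upgrade: alice proposes, bob confirms, but the delay still applies.
    pid = wallet.propose("alice", "upgrade implementation", t0)
    wallet.confirm("bob", pid)
    try:
        wallet.execute("bob", pid, t0 + 3600)
        result["early_execute"] = "executed"
    except PermissionError as e:
        result["early_execute"] = str(e)
    result["after_delay"] = wallet.execute("bob", pid, t0 + 24 * 3600)

    # The delay is what lets honest signers react: bob revokes a proposal he now distrusts.
    pid = wallet.propose("alice", "set fee recipient to 0xattacker", t0)
    wallet.confirm("bob", pid)
    wallet.revoke("bob", pid)
    try:
        wallet.execute("alice", pid, t0 + 24 * 3600)
        result["revoked"] = "executed"
    except PermissionError as e:
        result["revoked"] = str(e)
    return result


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: the threshold stops a single compromised key, and the delay gives the remaining signers a window in which `revoke` still works.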

When attackers find a vulnerability in a smart contract, including re-entrancy, missing access-control checks, an incorrect token-pricing algorithm and more, they use flash loans to maximise the payoff: borrowed capital lets them skew a manipulable price or drain a pool far beyond what their own funds would allow, all within a single transaction. Handling these issues properly should be the highest priority for a smart contract developer when designing and coding a contract.
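
As an added example, not code from this report or from any protocol it names, the simulation below walks through the incorrect-pricing case end to end: a lending market that values collateral from an AMM’s spot reserves is drained with a flash loan, while the same market priced by a time-weighted average of earlier blocks (optionally with a spot-deviation check) yields nothing. The pool sizes, the loan-to-value ratio, the attacker’s balances and the block bookkeeping are all constructed numbers.

```python
"""Flash-loan-amplified oracle manipulation, simulated end to end.

Added example, not code from the report or from any project it names. The AMM,
the lending market, every balance and the block bookkeeping are constructed for
illustration; no real protocol is modelled.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConstantProductPool:
    """x*y=k TOKEN/USD pool. Fees are omitted so the pump/dump round trip is exact."""
    token: float
    usd: float

    def spot_price(self) -> float:
        """USD per TOKEN read straight from reserves: cheap to read, cheap to skew."""
        return self.usd / self.token

    def buy_token(self, usd_in: float) -> float:
        k = self.token * self.usd
        self.usd += usd_in
        out = self.token - k / self.usd
        self.token -= out
        return out

    def sell_token(self, token_in: float) -> float:
        k = self.token * self.usd
        self.token += token_in
        out = self.usd - k / self.token
        self.usd -= out
        return out


class SpotOracle:
    """Naive oracle: whatever the AMM reserves say right now."""
    def __init__(self, pool: ConstantProductPool):
        self.pool = pool

    def price(self) -> float:
        return self.pool.spot_price()


class TwapOracle:
    """Average of prices recorded at the end of earlier blocks. A flash loan is
    repaid inside one transaction, so it cannot alter a sample from a past block."""
    def __init__(self, window: int):
        self.samples = deque(maxlen=window)

    def record_block(self, pool: ConstantProductPool) -> None:
        self.samples.append(pool.spot_price())

    def price(self) -> float:
        return sum(self.samples) / len(self.samples)


@dataclass
class LendingMarket:
    """Lends USD against TOKEN collateral; `oracle` decides what the collateral is worth."""
    usd_liquidity: float
    ltv: float
    oracle: object
    pool: Optional[ConstantProductPool] = None   # only needed for the deviation check
    max_deviation: Optional[float] = None        # 0.05 = reject if spot is >5% off oracle

    def borrow(self, collateral_token: float) -> float:
        price = self.oracle.price()
        if self.max_deviation is not None:
            spot = self.pool.spot_price()
            if abs(spot - price) / price > self.max_deviation:
                raise ValueError("spot price deviates from oracle; possible manipulation")
        amount = collateral_token * price * self.ltv
        if amount > self.usd_liquidity:
            raise ValueError("insufficient liquidity")
        self.usd_liquidity -= amount
        return amount


def flash_loan_attack(pool, market, own_token: float, loan_usd: float) -> float:
    """One atomic transaction: flash-borrow, pump, borrow against collateral, dump, repay.
    Returns the attacker's USD profit with the abandoned collateral valued at the
    pre-attack price; raises ValueError if the market rejects the borrow (on-chain
    the whole transaction would revert)."""
    before = pool.spot_price()
    bought = pool.buy_token(loan_usd)        # pump: reserves are now lopsided
    proceeds = market.borrow(own_token)      # collateral valued by market.oracle
    recovered = pool.sell_token(bought)      # dump: without fees exactly loan_usd comes back
    assert abs(recovered - loan_usd) < 1e-6  # flash loan repaid in full
    return proceeds - own_token * before


def demo() -> dict:
    """Constructed numbers: 1 TOKEN = 1 USD, attacker owns 1,000 TOKEN (honest cap: 500 USD)."""
    def fresh():
        return ConstantProductPool(token=10_000.0, usd=10_000.0)

    def quiet_twap(pool):
        twap = TwapOracle(window=10)
        for _ in range(10):                  # ten undisturbed blocks before the attack block
            twap.record_block(pool)
        return twap

    pool = fresh()
    profit_spot = flash_loan_attack(pool, LendingMarket(100_000.0, 0.5, SpotOracle(pool)), 1_000.0, 90_000.0)

    pool = fresh()
    profit_twap = flash_loan_attack(pool, LendingMarket(100_000.0, 0.5, quiet_twap(pool)), 1_000.0, 90_000.0)

    pool = fresh()
    guarded = LendingMarket(100_000.0, 0.5, quiet_twap(pool), pool=pool, max_deviation=0.05)
    try:
        flash_loan_attack(pool, guarded, 1_000.0, 90_000.0)
        rejected = False
    except ValueError:
        rejected = True
    return {"profit_spot": profit_spot, "profit_twap": profit_twap, "deviation_check_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

With a 90,000 USD flash loan the spot price moves from 1 to 100, so the naive market lends 50,000 USD against 1,000 TOKEN that are really worth 1,000 USD; the TWAP-priced market lends only the honest 500 USD, and the deviation check refuses to lend at all while the reserves are skewed.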

Our statistics show that a growing number of attackers use social media tools, especially Discord, to launch phishing attacks. This persisted through Q1, Q2, Q3 and Q4 and will very likely continue in 2023, and many users have suffered heavy losses. Project developers and managers are advised to prioritise the secure management of their social media accounts, and to find security solutions for them, on top of project implementation.

FOR BLOCKCHAIN USERS

More users are spreading their crypto portfolios across different blockchains, and demand for cross-chain transactions is rising rapidly. Every cross-chain transaction goes through a cross-chain bridge, a popular target for hackers. Before starting one, users are advised to investigate the bridge’s security record and to use a reliable, safe and secure bridge.

While it remains necessary to pay close attention to smart contract security when interacting with a dApp, it is increasingly important to also watch the user interface: be alert to suspicious messages, prompts and behaviour presented by the UI, and read what a transaction actually does before signing it.
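
The following is an added example, not code from this report, from any wallet or from any project it names, of the check a user can make on the prompt itself: decode the calldata the wallet asks you to sign and flag what a phishing site typically requests, namely an unlimited ERC-20 `approve` or an ERC-721 `setApprovalForAll`. The three function selectors are the standard 4-byte identifiers of those functions; every address, amount and sample calldata below is constructed.

```python
"""Decode what a wallet asks you to sign and flag dangerous approvals.

Added example, not code from the report, any wallet or any project it names.
The three selectors are the standard 4-byte identifiers (first four bytes of
keccak256 of the signature) of the ERC-20/ERC-721 functions named; all sample
calldata and addresses are constructed.
"""

SELECTORS = {
    "095ea7b3": ("approve(address,uint256)", ("address", "uint256")),
    "a9059cbb": ("transfer(address,uint256)", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll(address,bool)", ("address", "bool")),
}
MAX_UINT256 = 2**256 - 1
HEX_DIGITS = set("0123456789abcdef")


def decode_calldata(calldata: str):
    """Return (signature, [args]) for a known selector, or None if it cannot be decoded safely."""
    data = calldata.strip().lower()
    if data.startswith("0x"):
        data = data[2:]
    if not set(data) <= HEX_DIGITS:
        return None
    selector, body = data[:8], data[8:]
    if selector not in SELECTORS:
        return None
    signature, types = SELECTORS[selector]
    if len(body) != 64 * len(types):         # every static ABI argument is one 32-byte word
        return None
    args = []
    for i, typ in enumerate(types):
        word = body[64 * i: 64 * (i + 1)]
        if typ == "address":
            if word[:24] != "0" * 24:        # right-aligned 20 bytes; padding must be zero
                return None
            args.append("0x" + word[24:])
        elif typ == "bool":
            value = int(word, 16)
            if value not in (0, 1):
                return None
            args.append(value == 1)
        else:                                # uint256
            args.append(int(word, 16))
    return signature, args


def assess(calldata: str, known_addresses=frozenset()) -> dict:
    """Decode and return the warnings a user should read before signing."""
    decoded = decode_calldata(calldata)
    if decoded is None:
        return {"function": None, "args": [], "warnings": ["unrecognised calldata: do not sign blind"]}
    signature, args = decoded
    warnings = []
    if signature.startswith("approve("):
        spender, amount = args
        if amount >= 2**255:                 # heuristic: MAX_UINT256 or anything close to it
            warnings.append(f"unlimited ERC-20 approval to {spender}")
        if spender not in known_addresses:
            warnings.append(f"spender {spender} is not an address you know")
    elif signature.startswith("setApprovalForAll("):
        operator, approved = args
        if approved:
            warnings.append(f"blanket approval: {operator} may move every NFT of this collection")
    elif signature.startswith("transfer("):
        recipient, _ = args
        if recipient not in known_addresses:
            warnings.append(f"transfer to {recipient}, an address you do not know")
    return {"function": signature, "args": args, "warnings": warnings}


if __name__ == "__main__":
    # Constructed: approve(0xabab...ab, MAX_UINT256), the classic drainer request.
    sample = "0x095ea7b3" + "0" * 24 + "ab" * 20 + "f" * 64
    print(assess(sample))
```

A signing prompt that decodes to `approve` with an amount near `MAX_UINT256`, or to `setApprovalForAll(..., true)`, hands a contract the right to move the asset later without any further signature, which is exactly what a “claim” or “verify” page on a compromised Discord relies on.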

We strongly urge users to check whether a project has audit reports, and to read them, before proceeding with further actions.

Use a cold wallet or a multi-sig wallet where possible to manage crypto assets that are not traded frequently. Be careful with hot wallets, and make sure the device on which a hot wallet is installed is safe and secure.

Be cautious of a dApp whose team members are unknown or lack reputation; such dApps may turn out to be rug-pulls. Be equally cautious of a centralized exchange that has not established a reputation or whose transaction data is not tracked by third-party sites, as it too may prove to be a rug-pull.


Weekly Blockchain Security Watch (Jan 2 to Jan 8)

From 2 January 2023 to 8 January 2023, all security incidents that have occurred were Security Hacks.

SECURITY HACKS:

1. RTFKT’s COO Nikhil Gopalani Announces He Has Suffered a Phishing Attack

On 3 Jan, RTFKT’s COO Nikhil Gopalani (@Nikgopalani) announced on Twitter that he had suffered a phishing attack and that the hacker had sold all his CloneX NFTs along with others.

He lost around US$300,000 worth of crypto assets in this incident.

2. Worlds Beyond Announces Discord Hacked

On 3 Jan, NFT project on Ethereum Worlds Beyond (@WorldsBeyondNFT) announced on Twitter that their Discord account had been hacked and their server temporarily compromised. The account also reported that all staff had been banned from the server.

The account later reminded users that they will “never stealth mint” and urged users to only use their official links to avoid potential scams or hacks.

As of the time of writing, investigations are still ongoing, and the project has opened channels in Discord to aid affected users.

3. Hacker Exploits Function Lacking Validation of Its Settings in Attack Against GDS

On 3 Jan, GDS Chain’s application deployed on the BNB chain was attacked.

The root cause of this incident was that its “_lpRewardAmount” function lacked validation of its settings. The hacker used a flash loan to exploit this vulnerability.

After the hack, the price of GDS crashed by 84%, and crypto assets worth around US$187,000 were exploited.

Additional Details:

– Attacker’s Address: 0xcF2362B46669E04B16D0780cf9B6e61c82De36a7

– Hash Value of Attack Transaction:

0x2bb704e0d158594f7373ec6e53dc9da6c6639f269207da8dab883fc3b5bf6694

4. Cirrus Announces Holders of CryptoPunks, BAYCs and Meebits Suffered Phishing Scams

On 4 Jan, NFT community member Cirrus (@CirrusNFT) announced on Twitter that holders of CryptoPunks, BAYCs and Meebits had suffered phishing scams. CryptoPunks 4607 and 965 and BAYC 1723 were exploited.

Later, Twitter user @CryptoNovo311 claimed that 4 CryptoPunks in his possession had been stolen.

CryptoPunks and BAYCs worth more than 600 ETH (US$748,800) were exploited in these attacks.

The hacker was also suspected of having stolen 111 KUMALEON NFTs and of using FixedFloat to cash out.

Additional Details:

– Attacker’s Address: 0x8E25Ab3382ad5bde35A09E72d3b9a851A7cC8d00

– Attacked Address: 0x52aD8f3C506aA25b954276c5456060DAd6f3Fd7b

5. Hacker Exploits Whale Holder of GMX Through Phishing Attack

On 4 Jan, a whale holder of GMX suffered a phishing attack on the BNB chain.

The attacker took 82,519 GMX worth around US$3.4 million on the BNB chain, swapped them for 2,627 ETH and bridged the ETH from the BNB chain to Ethereum.

6. Hacker Attacks Deviants’ Discord Server

On 4 Jan, a hacker attacked Deviants’ discord server. Deviants is an NFT project on Ethereum.

7. Inkwork Labs Announces Discord Server Compromised

On 5 Jan, NFT project on Solana Inkwork Labs (@InkworkLabs) announced on Twitter that their Discord server had been compromised. The account later posted a follow-up thread revealing that one of their “now older mods, Krypto King#0036” had clicked on a malicious link that caused a Dyno bypass. Dyno is a Discord bot used for purposes such as moderation and user verification.

The account also reported that although the attackers had gained access to the server earlier, the attack was not carried out until everyone was away.

Inkwork Labs also reported that the accounts associated with the exploit had been identified and banned. They urged users not to click on any links unless a drop is scheduled, and advised them to “always double check the user who’s posting the announcement. ALWAYS.”.

Relevant channels for affected users have been opened for further assistance.

8. Hacker Attacks Twitter User @TheViralFever

On 6 Jan, a hacker launched a phishing attack against Twitter user @TheViralFever by sending the user a fake link to an ENS airdrop.

9. Hacker Attacks PanksNotDed’s Discord Server

On 7 Jan, a hacker attacked PanksNotDed’s discord server. PanksNotDed is an NFT project on Ethereum.

10. Hacker Attacks Cyber Kongz’s Discord Server

On 7 Jan, a hacker attacked Cyber Kongz’s discord server. Cyber Kongz is an NFT project on Ethereum.

11. Mycelium Announces Attack Due to Issue with Its ETH-USD Price Feed

On 7 Jan, the team behind Mycelium (@mycelium_xyz), a DeFi perpetuals application deployed on Arbitrum, announced on Twitter that it had been attacked.

The team attributed the attack to an issue with its ETH-USD price feed. Its MLP pool lost 4% to 6% of its total assets, around US$300,000.

At the time of writing, the issue had been fixed and the application was back to work.

12. Hacker Attacks Yaypegs’s Discord Server

On 8 Jan, a hacker attacked Yaypegs’s discord server. Yaypegs is an NFT project on Ethereum.

13. Hacker Attacks Mech’s Discord Server

On 8 Jan, a hacker attacked Mech’s discord server. Mech is an NFT project on Polygon.

CONCLUSION

13 notable security incidents have occurred in the past week. Most of them were phishing attacks against Discord or Twitter accounts.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at https://www.fairyproof.com/
