Forging Ahead with Better Service and Securer Solutions

Fairyproof’s Retrospective for 2022 and Wishes for 2023

2022 was a year full of hardships and challenges

Although the crypto space was still struggling in a bear market, hackers ran rampant, ravaging users without mercy.

Numerous crypto users were exploited. They arrived full of expectation in a new world of hopes and dreams, but left the “wild west” crypto wasteland in tears and despair.

The positive side is that the crypto space witnessed numerous countries adopting blockchain technology, connecting every corner of the world and forming a seemingly endless new one.

As a blockchain security company, Fairyproof’s mission is to safeguard the blockchain applications and crypto assets of our clients. 2022 may not be a good year for the crypto space, but we were still firmly grounded in fulfilling our mission and striving to provide the best for everyone.

We feel the need to fulfill greater responsibilities, meet higher expectations, and overcome more challenges after experiencing these incidents and observing these losses.

A Retrospective of 2022

Increased Coverage of Fairyproof’s Products and Services

– Fairyproof’s automatic scanning system can scan and detect vulnerabilities in not just smart contracts, but also blockchain mainnets, sidechains, and more.

– Fairyproof’s audit service not only covers technical implementations, but also tokenomical models and governance models.

– Fairyproof’s intelligent system made great strides in the cleaning, collection and processing of big data, and in machine learning, particularly the self-evolution of algorithms.

Fairyproof Explored Broader Areas

– For Zero Knowledge (zk) technologies, Fairyproof developed an optimized system which combined the advantages of both Stark and Snark technologies. Fairyproof also greatly improved system efficiency with fewer resources. We have built a solid foundation in the analysis, auditing and development of zk systems.

– In Multi-Party Computation (MPC) technologies, Fairyproof has conducted extensive research in TSS signature applications and developed our own solutions which optimized conventional TSS signature technologies. We have also achieved significant efficiency with new features and advantages.

Fairyproof Dived Deeper Into Research

– Fairyproof applied for 3 Chinese patents and 1 US patent

– Fairyproof established a new and systematic model/pattern to describe and detect hacks and attacks from multiple dimensions including locked liquidity, transaction behavior, hacking pattern and more

– Fairyproof studied a series of EIPs including EIP-3475, EIP-4844, EIP-3525 and EIP-4626 and published research articles.

Fairyproof Covered Crypto Incidents More Closely and Timely

– Fairyproof published weekly and quarterly security reports.

– Fairyproof released detailed analysis and updates for various incidents.

Fairyproof Established Broader Social Connections

– Fairyproof actively participated in events held in Singapore, Miami, New York, London, Berlin, and Lisbon, and established close connections with popular projects including Aptos, zkSync, Mina, and more.

– Fairyproof actively participated in events and activities in the Ethereum community and established a great connection with ECF.

– Fairyproof was interviewed and covered by well-known media including Newsfilecorp, Yahoo, PANews and institutions including blockchain organizations from the National University of Singapore.

Fairyproof was Active in Blockchain Education and Non-Profit Events

– Fairyproof audited projects for a blockchain game Hackathon from South Korea.

– Fairyproof recorded videos for an organization in Singapore involving the education of security issues in Web 3 development.

– Fairyproof actively joined AMA events including Ethereum New Era by BlockBeat, Blockchain game-related NFTs and GameFi AMAs, and hosted an AMA for NFT Security during the World Cup.

Looking Forward to 2023

Fairyproof Will Extend its Research into New Applications, New Technologies, and New Regulation Patterns

– Fairyproof will conduct research into new applications including Digital Twin and AR/VR, their trends and security issues.

– Fairyproof will conduct research into Quantum Cryptography and its applications in blockchain.

– Fairyproof will conduct research into new trends and developments in crypto regulations, and how these regulations will be applied to crypto assets and transactions.

Fairyproof Will Build its Products and Services for the Whole Web 3 Architecture

– Fairyproof will build products and services that cover the whole Web 3 ecosystem

– Fairyproof will build products and services for each component of Web 3 architecture.

Fairyproof Will Release More Powerful and Intelligent Products

– Fairyproof is developing a comprehensive and high-level security monitoring system

– Fairyproof will develop products that monitor targets comprehensively from multiple angles

– Fairyproof will develop products that intelligently recognize and detect hackers’ behaviors and patterns

– Fairyproof will provide multi-leveled solutions to prevent attacks

– Fairyproof will develop products that detect a project’s risks that arise from correlated products.

Fairyproof Will Serve Customers More Efficiently with Better Services and Products

– Fairyproof will develop customized products and services dedicated to enterprise customers.

– Fairyproof will provide multi-leveled, multi-faceted services for customers.

– Fairyproof will develop products and provide services that cover a project’s entire life-cycle, and meet the different demands of the different phases of a project’s life-cycle.

Fairyproof Will Deliver Updates and Reports of Crypto Incidents in a More Timely Manner

– Fairyproof will release updates and reports on security incidents in a more timely manner.

– Fairyproof will develop more methods and solutions to trace and track exploited assets, and restore them.

Fairyproof Will Conduct Deeper and Broader Research

– Fairyproof will release more research reports for more specific areas and fields in the crypto space.

– Fairyproof will conduct more research on the security situations of big institutions and organizations by studying both on-chain and off-chain information

Fairyproof Will Actively Establish Connections in the Crypto Space More

– Fairyproof will establish more connections with builders including teams behind blockchain infrastructure projects, mainnets, layer 2 solutions, and more.

– Fairyproof will build more connections with teams behind applications including DeFi, blockchain games, DAOs, NFTs, and more.

Closing Thoughts

We have entered a new year. Fairyproof will soon turn two years old. We are new players in the crypto space and still have a long way to go. We still have a lot to learn from our peers and pioneers. All-in-all, we still cherish our dreams and bear our mission in mind.

No matter what is ahead of us – storm, rain or shine, we will firmly forge ahead, do our best, stand with the crypto space, closely collaborate with our clients, and build a new chapter for us and for all.

Weekly Blockchain Security Watch (Dec 26 to Jan 1)

From 26 December 2022 to 1 January 2023, all security incidents that occurred were Security Hacks.

SECURITY HACKS:

  1. BitKeep’s Client Gets Hacked

On 26 Dec, the team behind BitKeep, a popular wallet, claimed that some of its wallet’s download links were hijacked by hackers and the normal links were replaced by malware.

It was reported that a lot of BitKeep users suffered from this hack and crypto assets worth around US $3 million were exploited.

The attacker’s address was 0xC6f70B2bC123936B486Bc89110243108FF93B21e on the BNB chain.  

  • Hacker Attacks PECO and DFI

On 26 Dec, Amun, an index product provider, claimed that two of its applications, PECO and DFI, deployed on Polygon, were attacked.

The attacker was identified to be 0xf8b17Df4da32FAfDdA970aE1f76D2DbfF7091913 on Polygon. The attacker exploited a vulnerability to take full control of the “rebalance” manager, mint 80 billion tokens and dump all these tokens on all available DEXs. The hacker repeated this attack on the DFI token as well.

Right after the Amun team detected this incident, the team promptly rebalanced the contract manager such that it was controlled by the company’s multi-sigs.

The team would compensate all the affected token holders for their loss and will announce a repayment schedule soon.

After this incident happened, PECO’s price crashed to near zero.

Crypto assets worth around US $300,000 were exploited in this incident.

  • Hacker Attacks BTC.com

On 26 Dec, BIT Mining Limited announced that its subsidiary BTC.com was attacked on December 3 and some crypto assets were exploited.

At the time of writing, BTC.com was back in operation. BIT Mining Limited had reported the case to a local police office in Shenzhen, China, and the case was under investigation. The company would make every effort to recover the exploited assets.

Crypto assets worth around US $700,000 were exploited in this incident.

  • Hacker Attacks Jaypeggerz

On 29 Dec, a hacker attacked Jaypeggerz, a dApp deployed on Ethereum.

The root cause was that the JAY contract allowed users to pass any ERC-721 token to the buyJay function. The hacker exploited this vulnerability to re-enter the JAY contract.

Basically the hacker flash-loaned 72.5 ETHs, bought JAYs with 22 ETHs and then called the buyJay function by passing a fake ERC-721 token with the remaining 50.5 ETHs. With this fake ERC-721 token, the hacker called the sell function to re-enter the JAY contract, manipulated the JAY’s price and sold all JAYs.

The hacker repeated this process and eventually exploited 15.32 ETHs worth around US $18,000 in this incident.

All exploited assets were cashed out via Tornado Cash.

Additional Details:

– Attacker’s Address: 0x0348d20b74ddc0ac9bfc3626e06d30bb6fac213b on Ethereum

– Attacking Contract: 0xed42cb11b9d03c807ed1ba9c2ed1d3ba5bf37340 on Ethereum

– Attacked Contract: 0xf2919d1d80aff2940274014bef534f7791906ff2 on Ethereum

– Hash Value of Attack Transaction: 

0xd4fafa1261f6e4f9c8543228a67caf9d02811e4ad3058a2714323964a8db61f6

  • Hacker Attacks Gummys’ Discord Server

On 29 Dec, a hacker attacked Gummys’ discord server. Gummys is a Web 3 streaming platform.

  • Hacker Attacks PartisiansNFT’s Discord Server

On 30 Dec, a hacker attacked PartisiansNFT’s discord server. PartisiansNFT is an NFT project.

  • Hacker Attacks Kenomi’s Discord Server

On 31 Dec, a hacker attacked Kenomi’s discord server. Kenomi is an NFT project.

  • Hacker Attacks Everybodys’ Discord Server

On 2 Jan, a hacker attacked Everybodys’ discord server. Everybodys is an NFT project on Ethereum.

CONCLUSION-

8 notable security incidents have occurred in the past week. It is worth noting that the BitKeep incident affected numerous wallet users.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations. In particular, we suggest that crypto investors have a cold wallet and keep most of their crypto assets in it.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.

To stay updated on notable security incidents in the world of Web3.0, subscribe to our newsletter: https://fairyproof.substack.com/

For a better understanding of all things Web3.0: https://medium.com/@FairyproofT

Looking to strengthen the security of your project or looking for an audit? Contact us at

https://www.fairyproof.com/

Weekly Blockchain Security Watch (Dec 19 to Dec 25)

From 19 December to 25 December, 2022, all security incidents that have occurred can be categorized into Security Hacks and Rug-pulls.

SECURITY HACKS:

  1. Hacker Attacks Splattercat’s Discord Server

On 20 Dec, a hacker attacked Splattercat’s discord server. Splattercat is a game project.

  • Hacker Attacks xHamster’s Discord Server

On 20 Dec, a hacker attacked xHamster’s discord server. xHamster is an NFT project on Ethereum.

  • Hacker Attacks Sol City Poker Club’s Discord Server

On 21 Dec, a hacker attacked Sol City Poker Club’s discord server. Sol City Poker Club is an NFT project on Solana.

  • Hacker Attacks David Di Franco’s Discord Server and Twitter Account

On 21 Dec, a hacker attacked David Di Franco’s discord server and twitter account. David Di Franco is a social media influencer.

  • Hacker Attacks DR/VRS’ Discord Server

On 22 Dec, a hacker attacked DR/VRS’ discord server. DR/VRS is an NFT project on Ethereum.

  • Hacker Attacks F1 Dog’s Discord Server

On 23 Dec, a hacker attacked F1 Dog’s discord server. F1 Dog is an NFT project on Aptos.

  • Hacker Attacks Rubic

On Dec 25, Rubic, a cross-chain aggregator deployed on Ethereum, was attacked.

The root cause was that it suffered from an injection attack.

For more details about this attack, please refer to:

Rug-pulls:

  1. Defrost Finance Suspected to be Rug-pull

On 25 Dec, Defrost Finance, a dApp deployed on the Snow blockchain was suspected to be a rug-pull.

For more details about it please refer to :

CONCLUSION-

8 notable security incidents have occurred in the past week. Seven of them were attacks on smart contracts and social media and one was suspected to be a rug-pull.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations. In particular, we suggest that crypto investors avoid investing in projects whose admins (owners) obtained their gas from Tornado Cash. If projects of this kind turn out to be rug-pulls, it is hard to recover assets from them.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.


Weekly Blockchain Security Watch December 12 to December 18

SECURITY HACKS:

  • Hacker Attacks Baby Apes Society’s Discord Server

On 12 Dec, a hacker attacked Baby Apes Society’s discord server. Baby Apes Society is an NFT project deployed on Polygon.

  • Hacker Attacks Elastic Swap

On 13 Dec, a hacker attacked Elastic Swap, a DeFi application deployed on both Ethereum and Snow.

The root cause of the incident was that its implementation did not validate the K value in the AMM algorithm.

The algorithms for adding and removing liquidity were different in Elastic Swap. On the Snow blockchain, the attacker added liquidity and then sent USDC.E tokens to the liquidity pool of the TIC-USDC. The attacker then removed the liquidity to exploit the contract by leveraging the vulnerability. This process was repeated to exploit the AMPL-USDC pool on Ethereum.

The attacker exploited 22,454 AVAXs (US $290,328) on Snow and 445 ETHs (US $564,000) on Ethereum.

At the time of writing, the exploited assets on Snow were still in 0xDd8429b85a92b35712659bd945462a41BFd60cBD and some of the exploited assets on Ethereum were still in 0xbeadedbabed6a353c9caa4894aa7e5f883e32967.

Crypto assets worth around US $850,000 were exploited in this incident.

Additional Details:

– Attacker’s Addresses:

  – 0xbeadedbabed6a353c9caa4894aa7e5f883e32967 (Ethereum)

  – 0x3bdf01ed32f07e8e843163b5d478d4502f5743cd (Snow)

– Hash Values of Attack Transactions:

  – 0xb36486f032a450782d5d2fac118ea90a6d3b08cac3409d949c59b43bcd6dbb8f (Ethereum)

  – 0x782b2410fcc9449ead554a81f78184b6f9cca89f07ea346bc50cf11887cd9b18 (Snow)

  • NFT Project 1Minute Alpha Announce Hack on Discord, Collaboration Account

On 14 Dec, NFT project 1Minute Alpha reported on Twitter that their Collaboration Account “@0x1Minute” and Discord had been hacked. The project urged users not to click on any links and await further information.

Subsequently, the account announced that its Discord ID and channel had been successfully restored while the main Twitter account “@ONEMINNFT” had not been hacked. The account went on to report that “everything had been normalized” and gave opportunities for minimal compensation to those damaged by the hacking.

  • Hacker Leverages Flash-Loan to Attack Nimbus Platform

On 14 Dec, a hacker leveraged a flash-loan to attack Nimbus Platform, a dApp deployed on the BNB chain.

The platform had a flaw in its reward computation, allowing the hacker to exploit 278 BNBs, worth approximately US $76,000.

Additional Details:

– Attacker’s Address: 0x86aa1c46f2ae35ba1b228dc69fb726813d95b597 (BNB chain)

– Hash Value of Attack Transaction:

 0x42f56d3e86fb47e1edffa59222b33b73e7407d4b5bb05e23b83cb1771790f6c1

  • Hacker Exploits Vulnerability in FRP LP’s Wallet in Attack Against FRP Token

On 15 Dec, an attacker exploited a vulnerability in FRP LP’s wallet to attack the FRP token deployed at 0xA9c7ec037797DC6E3F9255fFDe422DA6bF96024d. FRP is a dApp deployed on the BNB chain.

The attacker managed to exploit crypto assets worth around US $30,000.

  • Raydium Announces Compromise of Private Keys Leading to Attack

On 16 Dec, Raydium, a dApp deployed on Solana, announced that the private keys of the owner of several liquidity pools had been compromised, leading to an attack. The attacker accessed the owner’s wallet and called the withdrawalPNL function to withdraw the fees earned in transactions. Liquidity pools including SOL-USDC, SOL-USDT, RAY-USDC, and RAY-USDT were exploited.

Crypto assets worth around US $4.395 million were exploited.

  • Hacker Attacks Mekawaii’s Discord Server

On 16 Dec, a hacker had attacked Mekawaii’s discord server. Mekawaii is an NFT project deployed on Ethereum.

  • Hacker Attacks Neo Tokyo’s Discord Server

On 18 Dec, a hacker had attacked Neo Tokyo’s discord server. Neo Tokyo is an NFT project deployed on Ethereum.

CONCLUSION-

8 notable security incidents have occurred in the past week. Four of them were attacks on smart contracts and the other four were attacks on social media.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. In addition, manage and store private keys with great care.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.


Fairyproof Hosts First Ever Twitter Space with Guests from DfDunkNFT and Kraze Web3 Football, Discuss NFTs and Security Amidst World Cup

Blockchain Security Company Facilitates Healthy Discussion on NFT and their Safety as Football Season Reveals Rising Trend of Sports NFT Adoption.

Singapore, September 15, 2022 – Pioneering Blockchain Security Company Fairyproof hosted a live AMA on Twitter in light of the rising trend for sports NFT adoption amidst the World Cup. The Twitter Space, titled “The World Cup is coming with NFTS! Fans please calm down”, was joined by DfDunkNFT[1] Community Manager Giselle, and Kraze Web3 Football[2] Founder and Sport8 International Ltd[3] CEO Bai Qiang. Hosting the session was Fairyproof’s CEO Tan Yuefei. The turnout was a healthy 52 participants.

In the discussion, Tan gathered useful and interesting insights from both guests on how NFTs should be kept safe. Keeping them on cold hardware wallets and looking for signs of pump-and-dump were among the many points that were raised.

Giselle urged users to adopt a “DYOR[4]” attitude and to stay alert for potential scams in the form of phishing links and impersonators of NFT technical teams. She also mentioned the stealing of IPs as an emerging concern. Additionally, she agreed on the importance of projects involving cybersecurity companies to improve security through triage and audits.

Meanwhile, Bai Qiang brought to light the matter of NFT utility to be an area of concern for adopters even though prominent football players have endorsed NFTs – Cristiano Ronaldo having launched his first NFT collection on Binance as one of the many emergent cases for adoption.

“Hearing from our two gracious guests, it is comforting to know that NFT security is an area that adopters will need to pay attention to. I am thankful that we have the privilege to host our guests at the time,” Tan comments post-discussion. “It was a productive, interesting Twitter Space discussion. I am positive that our users will find something they can learn from the one-and-a-half-or-so hours of our session.”

Tan also expressed great enthusiasm and positivity for future Twitter Spaces that Fairyproof will host, “We are thinking of hosting AMAs like these at least once a month, or in the best-case scenario, once bi-weekly. Sessions like these not only help projects connect with one another and for us to get to know people better; but also help crypto users increase their knowledge on crypto security, in turn, strengthening the global NFT and crypto community.”

To listen to the Twitter Space session: https://twitter.com/FairyproofT/status/1602996314047860737?s=20&t=TdwTbTAP-Scw7vb4NJJm-Q

About Fairyproof:

Fairyproof is a pioneering blockchain security company established in 2021 with the slogan “Make IT a Safer Place”. They have been actively developing blockchain security solutions and Ethereum standards, and have meaningfully contributed to established Web3.0 projects like Ethereum, BNB Smart Chain, and HECO.

For more information, consult the following channels:

Website – https://www.fairyproof.com
Telegram – https://t.me/Fairyproof_tech
Twitter – https://twitter.com/FairyproofT
Medium – https://medium.com/@FairyproofT

Contact:
Joey Leong
Fairyproof
Social Media Manager
+65 9663 5630
https://www.fairyproof.com


[1] DfDunkNFT is an NFT project created by the Hiroshima Dragonflies, a basketball team in the Japanese men’s professional basketball “B League”. (Twitter: @DFDunk)

[2] Kraze Football is a Web3 platform for football fans, integrating real games and virtual experience. (Twitter: @KrazeFootball)

[3] Sport8 International Ltd is an International Sports Industry Platform (Twitter: @Sports8China)

[4] Do Your Own Research

Solutions for Avoiding Bearing Burden of Debt for Lending Apps: Some Tentative Thoughts on Ankr’s Exploitation

On December 2, Ankr’s contract deployed on the BNB chain was attacked.

Basically the hacker managed to deploy a malicious implementation contract, minted 10,000,000,000,000 aBNBc tokens, dumped these tokens on a DEX and exchanged them for other crypto assets.

Dumping this huge number of aBNBc tokens crashed the token’s price, which quickly went from $300 before the incident to less than $2 after the dump.

The hacker exploited crypto assets worth around US $5 million in this incident.

While this action is for sure considered as illegitimate, another actor “legitimately” made a profit of around US $15 million from this incident.

Here is what this actor did:

After this incident happened, it deposited 10 BNBs in exchange for 180,000 aBNBc tokens, used the aBNBc tokens as collateral to borrow a huge number of Hay stablecoins from the lending platform Helio and eventually exchanged all the Hay tokens for BUSDs.

The whole process was so perfectly and legitimately organized and executed that it was suspected that this actor was very likely the hacker itself.

The actor made this profit because Helio’s oracle did not react promptly to the sudden drop in price and kept using the lagged price as aBNBc’s valid price. The actor leveraged this vulnerability to borrow an extraordinary amount of assets and make a huge profit.

Actually this is not the first time that such an issue has happened. Earlier this year, when the price of Luna crashed, there were quite a few cases in which actors borrowed less volatile crypto assets by using Luna as collateral in lending applications whose oracles didn’t update Luna’s price promptly.

On the surface this is an oracle issue; however, if we dive deeper into it, we think it is more or less a tokenomics issue as well.

Among all these existing issues, ERC-20 tokens on Ethereum or fungible tokens deployed on EVM blockchains are often the exploited assets.

These tokens can be minted in either of the following two ways depending on their contract designs:

Either a token’s total supply or max supply is all minted on deployment and after the token’s contract is deployed, no subsequent minting is allowed any more.

Or the token can still be minted after its contract is deployed.

For the latter, whenever the access control to the token’s mint function is compromised, malicious minting could happen. When this happens, the additionally minted tokens will very likely either be dumped on DEXs or CEXs, or used as collateral to borrow less volatile crypto assets, stablecoins in particular, from lending applications.

Compared to dumping tokens on DEXs or CEXs, using them as collateral to borrow stablecoins from lending applications causes devastating damage to these lending applications. Quite often a lending application that lent assets in such a case was quickly drained and bore a huge burden of debt.

So how can we avoid this issue?

A quick idea is to improve the responsiveness and promptness of the oracles these lending applications use.

This is good but not enough, because it may greatly increase their operation costs and, in addition, no matter how responsive an oracle is, it can hardly respond in real time.

Therefore we propose the following solutions:

The first is that a carefully designed collateral ratio could be applied to collateral tokens that can still be minted after their contracts are deployed.

Yes, many lending applications apply a collateral ratio to a token that is used as collateral; however, quite often the setting of such a ratio doesn’t take into account the risk that the token might be maliciously minted. Therefore the setting may not be that resilient or fault-tolerant to this risk.

The second is that a lending application should not only track a token’s price but also monitor its mint activity, especially for tokens that can still be minted after their contracts are deployed.

When abnormal mint activity, such as a large number of tokens being minted, occurs for a token, a lending application could suspend its lending service for those who use this token as collateral. Only after the abnormal mint activity is confirmed to be fixed or normal would the lending service be resumed.

The third is that a lending application could charge relatively higher service fees for collateral tokens that can still be minted after their contracts are deployed.

This is to hedge the risk economically.
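The second proposal above (monitor mint activity and suspend lending against the affected collateral), as an added Python example that is not code from Fairyproof, Helio or Ankr. It assumes decoded ERC-20 Transfer logs are already available and that mints are logged as transfers from the zero address; the class names, the 100-block window, the 5% threshold and the sample logs are illustrative assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

# ERC-20 tokens conventionally log a mint as Transfer(from = zero address).
ZERO_ADDRESS = "0x" + "00" * 20


@dataclass
class Transfer:
    """One decoded ERC-20 Transfer log entry."""
    token: str
    block: int
    sender: str
    recipient: str
    value: int


@dataclass
class Collateral:
    total_supply: int
    mints: deque = field(default_factory=deque)  # (block, value) pairs in the window
    suspended: bool = False


class MintMonitor:
    """Suspends lending against a collateral token after abnormal minting."""

    def __init__(self, window_blocks=100, max_mint_bps=500):
        self.window_blocks = window_blocks  # look-back window (assumed value)
        self.max_mint_bps = max_mint_bps    # 500 bps = 5% of pre-window supply (assumed)
        self.tokens = {}

    def track(self, token, total_supply):
        self.tokens[token] = Collateral(total_supply=total_supply)

    def observe(self, ev):
        """Feed one Transfer log; return True if it triggers a new suspension."""
        state = self.tokens.get(ev.token)
        if state is None:
            return False
        # Forget mints that have aged out of the look-back window.
        while state.mints and state.mints[0][0] <= ev.block - self.window_blocks:
            state.mints.popleft()
        if ev.recipient == ZERO_ADDRESS:  # burn
            state.total_supply -= ev.value
        if ev.sender != ZERO_ADDRESS:     # ordinary transfer or burn: nothing to check
            return False
        state.total_supply += ev.value
        state.mints.append((ev.block, ev.value))
        minted = sum(value for _, value in state.mints)
        baseline = state.total_supply - minted  # supply before the window's mints
        # Integer comparison in basis points avoids float rounding on 18-decimal values.
        abnormal = minted * 10_000 > self.max_mint_bps * baseline
        if abnormal and not state.suspended:
            state.suspended = True
            return True
        return False

    def can_borrow_against(self, token):
        state = self.tokens.get(token)
        return state is not None and not state.suspended

    def resume(self, token):
        """Manual step, taken only after the mint is confirmed normal or fixed."""
        state = self.tokens[token]
        state.mints.clear()
        state.suspended = False


UNIT = 10 ** 18
TOKEN = "0x" + "a1" * 20  # constructed addresses, not real contracts or accounts
ALICE = "0x" + "b2" * 20
BOB = "0x" + "c3" * 20

# Constructed log sequence: a routine 0.1% mint, a transfer, then a huge mint.
SAMPLE_LOGS = [
    Transfer(TOKEN, 10, ZERO_ADDRESS, ALICE, 1_000 * UNIT),
    Transfer(TOKEN, 20, ALICE, BOB, 400 * UNIT),
    Transfer(TOKEN, 50, ZERO_ADDRESS, BOB, 10_000_000_000_000 * UNIT),
    Transfer(TOKEN, 51, BOB, ALICE, 5 * UNIT),
]


def replay(logs, initial_supply=1_000_000 * UNIT):
    """Run logs through a fresh monitor; return it and (block, tripped, lending_open)."""
    monitor = MintMonitor()
    monitor.track(TOKEN, initial_supply)
    timeline = []
    for ev in logs:
        tripped = monitor.observe(ev)
        timeline.append((ev.block, tripped, monitor.can_borrow_against(TOKEN)))
    return monitor, timeline


if __name__ == "__main__":
    for block, tripped, lending_open in replay(SAMPLE_LOGS)[1]:
        print(f"block {block}: tripped={tripped} lending_open={lending_open}")
```

Because the suspension is driven by the mint event rather than by the price, it does not depend on how quickly the oracle catches up with the market.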

These are some tentative thoughts we got after learning the big lessons from these incidents.

When tackling a cyber-security risk or issue Fairyproof always tries to find solutions not just from a purely technical point of view, but from multiple facets including tokenomics, governance and more.

Hope these thoughts could be of some assistance to mitigate this issue in the future.

Weekly Blockchain Security Watch November 28 to Dec 4

From November 28 to December 4, 2022, all security incidents that have occurred are all Security Hacks.

SECURITY HACKS:

  1. Hacker Attacks Prometheus

On Nov 28, Prometheus, a dApp deployed on the BNB chain was attacked.

In this incident, the hacker withdrew 467,398 PHI from the project’s OTC contract and exchanged them for 124.73 BNBs.

The Prometheus team got back 112.08 BNBs and kept them in a multi sig (0x69A03128a7cb580553acf1cf287d4A5Ce0A01c1F).

The hacker exploited 12.65 BNBs (worth around US $3,654.5) in this incident.

At the time of writing, the project’s gPHI and dPHI supply had not been exploited, and all the contracts had been paused, except the dividends pool.

Additional Details:

– Attacker’s Address: 0xc7233627c65f0dd1465938212a3adaa5dea50bf6 (BNB chain)

– Hash Value of Attack Transaction:

0x15472327df1fdace59c14eba5f4069ffb65c71c5f38f00355da990b68121d160

  • Hacker Attacks Shamanzs’ Discord Server

On Nov 28, a hacker had attacked Shamanzs’ discord server. Shamanzs is an NFT project deployed on Ethereum.

  • Hacker Leverages Flash-loan to Attack Seaman

On Nov 29, a hacker had attacked Seaman, a dApp deployed on the BNB chain.

The root cause was that its tokenomics design would result in price manipulation.

The attacker flash-loaned 500,000 BUSDs and exchanged them to GVCs. The hacker then called Seaman’s transfer function to transfer a small number of SEAMAN tokens and triggered the SEAMAN tokens to be exchanged to GVCs. This process would call the _splitlpToken() function to distribute the GVCs to lpUser and reduce the number of GVCs in the BUSD-GVC trading pair thus increasing the GVC’s price.

The hacker repeated the process and eventually exploited 7781 BUSDs worth US $7781 in this incident.

Additional Details:

– Attacker’s Address: 0x49fac69c51a303b4597d09c18bc5e7bf38ecf89c (BNB chain)

– Attacked Contract: 0xDB95FBc5532eEb43DeEd56c8dc050c930e31017e (GVC Token on BNB chain)

  • Hacker Attacks SmallBros’ Discord Server

On Dec 1, a hacker had attacked SmallBros’ discord server. SmallBros is an NFT project deployed on Ethereum.

  • Hacker Attacks Brainless Spikes’ Discord Server

On Dec 1, a hacker had attacked Brainless Spikes’ discord server. Brainless Spikes is an NFT project deployed on Ethereum.

  • Hacker Attacks Ankr

On Dec 2, a hacker attacked Ankr, a dApp deployed on the BNB chain.

The root cause was very likely that the Ankr Deployer’s private key was compromised.

The attacker exploited crypto assets worth around US $5 million in this incident.

For more details about this incident refer to:

Additional Details:

– Attacker’s Address: 0xf3a465C9fA6663fF50794C698F600Faa4b05c777 (BNB chain)

– Malicious aBNBc Contract: 0xd99955B615EF66F9Ee1430B02538a2eA52b14Ce4 (BNB chain)

– Ankr Deployer: 0x2Ffc59d32A524611Bb891cab759112A51f9e33C0 (BNB chain)

– Attacked Contract: 0xE85aFCcDaFBE7F2B096f268e31ccE3da8dA2990A (aBNBc on BNB chain)

– Initiator of Attack Transaction: 0x71699d5BD28F5C834eEe8E365848df056915Baa6 (BNB chain)

– Hash Value of Attack Transaction:

0xd07b210b872bc952b9f2250d8272a789f89a2f7a3621112fdd73addd7bdb080b (BNB chain)

CONCLUSION-

6 notable security incidents have occurred in the past week. Four of them were attacks on smart contracts and two were attacks on social media accounts.

A Reminder for Project Teams: Always test thoroughly. Do smart contract audits before deploying smart contracts on-chain. In addition, manage and store private keys with great care.

A Reminder for Crypto Users: Be cautious about suspicious links, emails, websites, and projects launched by teams without established reputations.

It is important for everyone in the crypto community to gain understanding and practice sufficient levels of cybersecurity.


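A Brief Look at How NFT Images Are Generated in UniswapV3

1. NFT and SVG

This year I opened the periphery contracts of UniswapV3 to study them and noticed a file named NFTSVG.sol. Judging by the name, it uses SVG to represent NFTs. Since I had previously looked into how NFTs and SVG can be combined, I opened the source and skimmed it, and that is exactly what it does.

As we know, NFTs became popular starting with CryptoKitties on Ethereum. Each kitty is actually an ERC721 token, and that token corresponds to a data structure holding, for example, the cat's owner and the cat's eye color. But when the cat is displayed in the front end, what the eyes actually look like is composed by the front end from image parts; in other words, your cat's image is actually stored on their website. Later a URL was added: each token (cat) corresponds to a URL that points to an image of the cat, so the image lives on their server.

This raises a problem: once the CryptoKitties front end and servers are shut down, where can you still display this cat? The answer is nowhere! So can we keep the image on Ethereum forever? The answer is yes! Because of Ethereum's storage limits, an image in an ordinary encoding is not convenient to store on it directly, nor is it convenient to modify. SVG, however, works: although SVG is a vector image, it is more like a piece of standardized code, and you can even add custom tags to it. For this reason we earlier proposed EIP-2569, which saves the image of an ERC20/721 token directly on Ethereum; the proposal's pull request is dated March 28, 2020. Here is the link: https://github.com/ethereum/EIPs/pull/2569 SVG is also interactive and responds to certain events, such as clicks and mouse hover.

UniswapV3 uses exactly this approach (which is not to say it adopted our method). The SVG template is hard-coded in the contract, the abi.encodePacked function combines the template with the parameters at the corresponding positions, and the result is converted to SVG source (a string) and returned. This way the NFT image can be obtained directly from Ethereum; even if Uniswap shuts down it does not matter, because your token image lives on Ethereum permanently.

2. NFTs in UniswapV3

Let's first look at an actual UniswapV3 NFT image (the NFT here actually represents liquidity that a user added to a particular pool):

[Image: a UniswapV3 position NFT]

From the image above we can see that the pool for this NFT is DAI/WETH and the fee is 1%. I was a little unlucky: the ID is just one digit away from 6666. Of course, that is a digression; even an ID made entirely of 6s would have no extra use.

3. The NFT generation code in UniswapV3

Now that we have seen the image, let's look at two code snippets taken from UniswapV3. The first is the top-level function, which takes the parameters and generates the SVG image for an NFT: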

 function generateSVG(SVGParams memory params) internal pure returns (string memory svg) {
     /*
     address: "0xe8ab59d3bcde16a29912de83a90eb39628cfc163",
     msg: "Forged in SVG for Uniswap in 2021 by 0xe8ab59d3bcde16a29912de83a90eb39628cfc163",
     sig: "0x2df0e99d9cbfec33a705d83f75666d98b22dea7c1af412c584f7d626d83f02875993df740dc87563b9c73378f8462426da572d7989de88079a382ad96c57b68d1b",
     version: "2"
     */
     return
         string(
             abi.encodePacked(
                 generateSVGDefs(params),
                 generateSVGBorderText(
                     params.quoteToken,
                     params.baseToken,
                     params.quoteTokenSymbol,
                     params.baseTokenSymbol
                 ),
                 generateSVGCardMantle(params.quoteTokenSymbol, params.baseTokenSymbol, params.feeTier),
                 generageSvgCurve(params.tickLower, params.tickUpper, params.tickSpacing, params.overRange),
                 generateSVGPositionDataAndLocationCurve(
                     params.tokenId.toString(),
                     params.tickLower,
                     params.tickUpper
                 ),
                 generateSVGRareSparkle(params.tokenId, params.poolAddress),
                 '</svg>'
             )
         );
 }

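As you can see, the image is made up of several parts, such as the definitions, the border text, the middle content, and finally the closing SVG tag. Consider the next code screenshot:

[Image: screenshot of the generateSVGDefs code]

This is only a simple screenshot; for the full code, see the source on GitHub. We can see that the first line of the output string is <svg width="290" height="500" viewBox="0 0 290 500" xmlns="http://www.w3.org/2000/svg", which is the SVG definition. This part is fairly complex, though: Base64-encoded content is embedded inside the SVG, see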

 Base64.encode(
     bytes(
         abi.encodePacked(
             "<svg width='290' height='500' viewBox='0 0 290 500' xmlns='http://www.w3.org/2000/svg'><rect width='290px' height='500px' fill='#",
             params.color0,
             "'/></svg>"
         )
     )
 ),

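This code should draw a rectangle 290 pixels wide and 500 pixels high. I am not an SVG specialist, so I will not go further into exactly how it is drawn.

We will skip the rest of the code for now. In one sentence: it generates the SVG source by repeatedly using the abi.encodePacked function to combine template strings with the corresponding parameter values, ending up with one complete SVG source string.

3. The rarity attribute of NFTs in UniswapV3

A reminder once more: an NFT in UniswapV3 is actually the liquidity you added, so never give it away (or sell it) casually. These NFTs are also divided into rare and ordinary ones. So what makes an NFT rare? The check is in the following code: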

 function isRare(uint256 tokenId, address poolAddress) internal pure returns (bool) {
     bytes32 h = keccak256(abi.encodePacked(tokenId, poolAddress));
     return uint256(h) < type(uint256).max / (1 + BitMath.mostSignificantBit(tokenId) * 2);
 }

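The first step of the code hashes the tokenId combined with the trading pair (pool) address, then compares the hash with the result of a calculation. Let's work through it following the code:

Before calculating, we first need the Pool address for the given fee. From the image above we can see the two tokens of the trading pair for this NFT and their addresses:

  • DAI: 0x6b175474e89094c44da98b954eedeac495271d0f
  • WETH: 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2
  • fee: 10000, because our fee rate is 1% and the denominator is 1000000.
  • poolAddress: 0xa80964C5bBd1A0E95777094420555fead1A26c1e

We look up the pool address directly in the Factory contract, at: https://cn.etherscan.com/address/0x1f98431c8ad98523631ae4a59f267346ea31f984#readContract

Click the getPool button, enter the addresses and fee above, and click the query button to get the address 0xa80964C5bBd1A0E95777094420555fead1A26c1e. This is our poolAddress.

To calculate whether the token is rare, we break the function above into steps (it is internal and cannot be called directly) and write a contract to do the calculation.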

 // SPDX-License-Identifier: GPL-2.0-or-later
 pragma solidity >=0.7.6;

 import '@uniswap/v3-core/contracts/libraries/BitMath.sol';

 contract RareTest {
     function getBytes(uint256 tokenId, address poolAddress) public pure returns (bytes32) {
         bytes32 h = keccak256(abi.encodePacked(tokenId, poolAddress));
         return h;
     }

     function getUint(bytes32 h) public pure returns (uint) {
         return uint(h);
     }

     function getResult(uint tokenId) public pure returns (uint) {
         return type(uint256).max / (1 + BitMath.mostSignificantBit(tokenId) * 2);
     }

     function isRare(uint256 tokenId, address poolAddress) public pure returns (bool) {
         bytes32 h = keccak256(abi.encodePacked(tokenId, poolAddress));
         return uint256(h) < type(uint256).max / (1 + BitMath.mostSignificantBit(tokenId) * 2);
     }
 }

We test directly in Remix (choose JavaScript VM when deploying). Calling the functions above gives these results:

 getBytes:  0x7510738a918c5116c753b45e7b5a58aa3994cf345e426f54cd9405b1fda306f6
 getUint:   52949670273909147826988446709444914284054628203600607669243403349492999849718
 getResult: 4631683569492647816942839400347516314130799386625622561578303360316525185597
 isRare:    false

The output above confirms that our NFT is not rare. So what extra does a rare one get? The code is as follows:

 function generateSVGRareSparkle(uint256 tokenId, address poolAddress) private pure returns (string memory svg) {
     if (isRare(tokenId, poolAddress)) {
         svg = string(
             abi.encodePacked(
                 '<g style="transform:translate(226px, 392px)"><rect width="36px" height="36px" rx="8px" ry="8px" fill="none" stroke="rgba(255,255,255,0.2)" />',
                 '<g><path style="transform:translate(6px,6px)" d="M12 0L12.6522 9.56587L18 1.6077L13.7819 10.2181L22.3923 6L14.4341 ',
                 '11.3478L24 12L14.4341 12.6522L22.3923 18L13.7819 13.7819L18 22.3923L12.6522 14.4341L12 24L11.3478 14.4341L6 22.39',
                 '23L10.2181 13.7819L1.6077 18L9.56587 12.6522L0 12L9.56587 11.3478L1.6077 6L10.2181 10.2181L6 1.6077L11.3478 9.56587L12 0Z" fill="white" />',
                 '<animateTransform attributeName="transform" type="rotate" from="0 18 18" to="360 18 18" dur="10s" repeatCount="indefinite"/></g></g>'
             )
         );
     } else {
         svg = '';
     }
 }

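As you can see, a rare one gets an extra transform (animation). Since my token is not rare, I do not know the exact effect. Perhaps an SVG specialist can reconstruct it.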

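4. Miscellaneous

That is all for this brief look at NFT image generation in UniswapV3.

One more note: when we demonstrated EIP-2569 earlier, we made several attractive commemorative coins (their images are also stored on Ethereum in SVG format). The last one, a Children's Day commemorative coin, was meant to be free to claim, but because the Ethereum Berlin upgrade in April this year changed the gas cost of some operations, claiming now fails with out of gas (the other commemorative coins are affected too and can no longer be purchased). A pity! The address is given here for anyone interested.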

http://toh.best/latest