As 2021 draws to a close, this article reviews the security incidents that occurred in the blockchain field this year. The largest in both amount and impact was the hack of the cross-chain interoperability protocol Poly Network in August, in which the stolen funds exceeded US$610 million. It is also the most expensive attack in the history of DeFi.
The months with many security incidents and large losses were May (mostly on BSC, with losses exceeding US$300 million), August (besides the Poly Network hack, the most influential incident was the attack on the hot wallet of the Japan-based cryptocurrency exchange Liquid, which lost US$91.35 million), and October, November, and December.
Q4 has thus become a quarter with a high incidence of security incidents this year. According to incomplete statistics, there were more than 40 security incidents in the fourth quarter, with losses exceeding US$700 million, spanning various fields and types. Odaily Planet Daily has compiled the important security incidents from each month of Q4, selected several with large losses, and describes them below to highlight the corresponding risks for project teams and participants.
A review of nine crypto security incidents with large losses
On December 5, BitMart founder and CEO Sheldon Xia tweeted that two large-scale security vulnerabilities related to hot wallets had been discovered, and that hackers had withdrawn assets worth about US$150 million. On the 6th, Sheldon Xia stated that the breach was mainly caused by the theft of the private keys of two hot wallets. Other BitMart assets are safe and have not been compromised. BitMart will use its own funds to cover the losses from this incident and compensate the affected users.
On October 27, the DeFi lending protocol Cream Finance was attacked again, with losses exceeding US$130 million. The stolen funds were mainly Cream LP tokens and other ERC-20 tokens. PeckShield found that a large flash loan was used to carry out the attack. (Cream Finance was hacked 5 times in 2021, with a total loss of approximately US$200 million.)
On October 30, the decentralized trading protocol BXH was attacked on BSC, and more than US$130 million was stolen. The hacker's initial profit address (BSC: 0x4……d79) transferred 4000 ETH from BSC to Ethereum, and then converted 300 BTCB into renBTC sent to the address (1Jw……Vow).
On December 3, the decentralized organization Badger DAO confirmed that it had been attacked, with losses of US$120.3 million, including approximately 2,100 BTC and 151 ETH. BadgerDAO stated that the phishing incident on December 2 was caused by a "maliciously injected snippet" on Cloudflare, an application platform running on Badger's cloud network. The hackers used compromised API keys, created without the knowledge or authorization of Badger engineers, to periodically inject malicious code that affected some of its customers.
On November 26, Compound suffered an oracle attack and US$90 million in assets were liquidated. The massive liquidation was caused by dramatic fluctuation of the DAI price on Coinbase Pro, the oracle's information source. This is a typical oracle attack: the information source that the oracle relies on is manipulated for a short time so that a misleading price is reported on-chain.
On December 12, an internal security audit at AscendEX found that some ERC-20, BSC and Polygon tokens had been abnormally transferred out of the exchange's hot wallets; AscendEX cold wallets were not affected by this incident. Security company PeckShield Inc. tweeted that, according to its estimates, AscendEX's losses totaled US$77.7 million (of which US$60 million was on Ethereum, US$9.2 million on BSC, and US$8.5 million on Polygon).
On November 30, the automated market maker protocol MonoX confirmed that it had suffered a flash loan attack. The attacker drained the liquidity pools on Polygon and Ethereum and made a profit of about US$31 million.
On November 11, the USDM team used Convex to launch a governance attack on Curve, with losses of more than US$30 million.
On October 15, the passive income protocol Indexed Finance was attacked. The affected pools included DEFI5 and CC10. The team stated in Discord that the damage caused by this attack was about US$16 million.
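The Compound liquidation described above came from a single price source moving sharply. The following is an added example, not code from Compound or from the original article, of a defensive price guard that takes the median of several sources and refuses to price when they disagree; the venue names, prices, thresholds and the `is_liquidatable` rule are all constructed assumptions.

```python
from statistics import median

MAX_DEVIATION = 0.05  # assumed: drop a source more than 5% away from the median
MIN_SOURCES = 3       # assumed: minimum number of agreeing sources required


class PriceRejected(Exception):
    """Raised when the sources disagree too much to price safely."""


def guarded_price(quotes):
    """Return (price, dropped_sources) for a dict of source -> quoted price."""
    if len(quotes) < MIN_SOURCES:
        raise PriceRejected("not enough sources")
    mid = median(quotes.values())
    agreeing = {s: p for s, p in quotes.items()
                if abs(p - mid) / mid <= MAX_DEVIATION}
    if len(agreeing) < MIN_SOURCES:
        # Fail closed: pause liquidations instead of trusting a disputed price.
        raise PriceRejected("sources disagree")
    dropped = sorted(set(quotes) - set(agreeing))
    return median(agreeing.values()), dropped


def is_liquidatable(collateral_usd, debt_units, debt_price, collateral_factor):
    """Hypothetical rule: debt value above the borrow limit triggers liquidation."""
    return debt_units * debt_price > collateral_usd * collateral_factor


# Constructed sample: one venue briefly quotes the stablecoin far above its peg.
QUOTES = {"venue_a": 1.30, "venue_b": 1.01, "venue_c": 1.00, "venue_d": 1.00}

if __name__ == "__main__":
    # Position: 1000 units of stablecoin debt against US$1400 of collateral.
    single_source = is_liquidatable(1400, 1000, QUOTES["venue_a"], 0.75)
    price, dropped = guarded_price(QUOTES)
    guarded = is_liquidatable(1400, 1000, price, 0.75)
    print("single source liquidates:", single_source)
    print("guarded price:", price, "dropped:", dropped, "liquidates:", guarded)
```

With the single spiking source the position is liquidated; with the guarded median the same position stays healthy and the outlier is reported for alerting.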
Lessons learned from reviewing the incidents
Judging by the sectors of the projects that were attacked, most were centralized exchanges and DeFi protocols such as DEXs. The main causes were wallet vulnerabilities, flash loan attacks, and phishing incidents.
Project teams should strengthen their budget and investment in security (covering both technical measures and financial mechanisms) and accept audits from multiple parties. Beyond that, setting up risk control or disaster recovery plans (such as insurance pools and white hat reward programs) can also serve as a form of "credit enhancement".
Users should first learn the average level of some basic market parameters (such as the rate of return), and be more vigilant about, and scrutinize, projects that look too attractive. If you cannot read code, it is recommended to read in full the audit report for the project issued by a leading security company, which often points out specific potential risks, and to cross-check the authenticity and timeliness of the report with both the project team and its auditor. A small tool worth sharing here: the DeFi project audit database published by DeFiYield, where you can search for audit reports by project name, token name, address or auditor.
It is also important to keep up the common precautions of the Internet age, and to beware of phishing through fake websites, telecom fraud, and exit-scam risks. Pay close attention to the latest progress of the projects you participate in, and check the official notification channels (official website, Twitter, etc.) or communities (Discord, TG, etc.) daily, so that when there are technical upgrades, product updates, service suspensions, vulnerability warnings or incident disclosures, you are informed and can act immediately.
Finally, if a project you are involved in is unfortunately hit, do not trust guidance from unofficial personnel, and do not act in a panic. If you have built up experience in screening projects, then even when a security incident does occur, a more reliable project team will often quickly offer a reasonable compensation plan.
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/%e2%80%8bq4-how-should-project-parties-and-users-prevent-and-control-risks-due-to-the-loss-of-more-than-700-million-u-s-dollars-due-to-encryption-security-incidents/