May 2021 was a turbulent month for the crypto asset market: BTC fell from above $50,000 to as low as $29,000, nearly halving, and most crypto assets fell by more than 50%.
In May there were at least 13 hacking incidents in the DeFi market, most of them on Binance Smart Chain (BSC), with losses of $270 million, more than the total lost to all DeFi security incidents in 2020.
Why were the thefts concentrated on the BSC chain? And how did hackers manage to find project vulnerabilities so quickly? Blockchain security firm PeckShield found that many of the attacked projects shared homologous vulnerabilities.
For example, after the attack on PancakeBunny, a BSC yield aggregator, AutoShark and Merlin Labs, both forked from PancakeBunny, were robbed in the following week; and BurgerSwap and JulSwap, both attacked, ran code forked from Uniswap, but the changes they made appear to have introduced a vulnerability.
PeckShield’s head of security told Hive Finance that these forked protocols were attacked mainly because they were “micro-innovated” without a full understanding of the logic behind the original protocol, so that a small update or small combination of features could create a vulnerability.
The repeated security incidents are another warning to protocol developers not to neglect the security of the underlying code when innovating on the DeFi model.
12 Projects Attacked, $270 Million Lost
It’s been a long time coming. As the crypto asset market continued to tumble, security incidents involving on-chain protocols came one after another.
On May 30, Belt Finance, a stablecoin exchange protocol on BSC, was hit by a flash loan attack that cost $6.2 million. According to blockchain security firm PeckShield, the attack worked as follows: after taking eight flash loans on PancakeSwap, the attacker repeatedly bought and sold BUSD to manipulate the price of beltBUSD, exploiting a flaw in the bEllipsisBUSD strategy’s balance calculation to make a profit.
After the attack, Belt Finance tweeted an apology and published a report on the flash loan attack, stating that it would conduct a further audit and release a user compensation plan within 48 hours.
As a result, Belt Finance’s governance token BELT fell sharply, from a high of $58 on the 28th to $27, a short-term drop of 53.44%.
This was the 12th BSC project attacked in May. According to Hive Finance, since May 2, Spartan Protocol, Value DeFi, BearnFi, Venus, PancakeBunny and other projects have been robbed one after another, losing a total of $270 million, with Value DeFi attacked twice.
The $270 million in lost assets is already more than the losses from all DeFi security incidents in 2020. According to data previously released by PeckShield, there were 60 DeFi security incidents in 2020, costing more than $250 million.
For the BSC chain to be hacked continuously within a single month seems quite strange. Under pressure, BSC officials posted on social media not long ago that there had recently been more than 8 flash loan attacks in a row against BSC projects: “We think there is now an organized team of hackers targeting BSC.”
BSC officials called on all DApps to guard against risk, suggesting that on-chain projects work with audit firms to conduct health checks and, for forked projects, double-check the changes made relative to the original version; take necessary risk-control measures, proactively monitor anomalies in real time and suspend the protocol promptly when anomalies occur; make contingency plans for the worst case; and set up a bug bounty program where conditions allow.
Indeed, reviewing the 12 security incidents, flash loan attacks were the most common technique used by the hackers. Projects such as Spartan Protocol, PancakeBunny, Bogged Finance, BurgerSwap and JulSwap were all victims of flash loan attacks.
To be clear, the flash loan is not an attack method per se; it is simply an efficient lending model that lets anyone amplify their principal. As Adelyn Zhou, CMO of Chainlink, puts it, “Flash loans do not create vulnerabilities within DeFi – they simply reveal vulnerabilities that already exist.”
After DeFi’s rapid growth, it is alarming that so many projects on BSC have exposed vulnerabilities in such a short period of time. Why are these security incidents concentrated on the BSC chain? And why were hackers able to find vulnerabilities in so many projects and execute attacks so quickly?
Fork vulnerabilities erupt: most of the projects involved were hit by homologous attacks
As a side chain of Ethereum, BSC has attracted a large number of projects and on-chain players with its faster transaction processing and low fees.
The rapid rise of the BSC ecosystem captured the on-chain first-mover dividend, and a large number of projects rushed to deploy. Since most projects on Ethereum are open source, many developers took the open-source code of mature projects such as Uniswap and Curve, made simple modifications and quickly put them on BSC. This hasty forking became a hidden hazard behind BSC projects being hacked in bulk.
According to PeckShield, both BurgerSwap and JulSwap, which were recently attacked, were forked from Uniswap, “but they didn’t seem to fully understand the logic behind Uniswap,” PeckShield notes.
According to BurgerSwap’s post-incident report, the attackers issued their own “fake coin” and then formed a trading pair with the protocol’s native token, BURGER, which changed the latter’s price. Apparently BurgerSwap’s fork of Uniswap was not mature in some respects, and the hackers exploited it.
AutoShark and Merlin Labs, two aggregator protocols, were both hacked and looted because they forked PancakeBunny. In terms of timeline, on May 20 PancakeBunny was hit by a flash loan attack, which stemmed from the attackers using the protocol to manipulate the price of the LP tokens BNB-BUNNY and BNB-BUSDT.
After seeing the attack on PancakeBunny, AutoShark published a post emphasizing its security, saying it had done 4 code audits, 2 of which were still in progress. But the slap in the face followed quickly: just 4 days later, AutoShark suffered a flash loan attack, and its token SHARK instantly dropped 99%. According to PeckShield’s analysis, the attack was similar to the one on PancakeBunny.
Merlin Labs was embarrassed in the same way; before the attack it too had posted that it had repeatedly performed code reviews and taken extra precautions against potential problems. But on May 26, the hackers “rode the wave” and ransacked Merlin Labs.
PeckShield believes this was a copycat case following the PancakeBunny attack: the attackers needed neither a high technical nor a high financial threshold to make a significant profit by patiently repeating the homologous exploit against out-of-the-box forked protocols. Forked DeFi protocols may be derided as a “leek field” to be harvested before they ever become a challenger to Bunny, losing large sums to homologous vulnerabilities.
In addition, in the Belt Finance attack, hackers exploited a flaw in the bEllipsisBUSD strategy’s balance calculation to manipulate the price of beltBUSD, and Ellipsis is itself a fork of Curve, the well-known Ethereum protocol.
PeckShield’s head of security told Hive Finance that these forked protocols were attacked mainly because they were micro-innovated without a full understanding of the logic behind the original protocol, so that a small update or small combination could create a vulnerability.
He said that starting from known vulnerabilities is a common “foraging” method for attackers in the still-developing DeFi space. For project owners, DeFi protocol security must not be lip service but a matter of constant self-examination: after other protocols were attacked, did you check your own code for similar vulnerabilities? Is there any security risk in the protocols you interact with?
From the cases above, a group of BSC projects were robbed mainly because hackers found homologous vulnerabilities in multiple protocols and simply imitated the attack methods, “copy-pasting” their way through multiple projects in a short period of time.
The repeated security incidents are a reminder to protocol developers not to ignore the security of the underlying code when innovating on the DeFi model.
In this regard, PeckShield recommends that new contracts be audited before going live, and that attention be paid to business-logic vulnerabilities when composing with other DeFi products. It is also important to design a risk-control fuse (circuit breaker) mechanism and to bring in threat intelligence and data situational-awareness services from third-party security firms to strengthen the defense system. Every DeFi protocol changes over time, and even a protocol audited multiple times can have its audit rendered useless by a small update, so even a small update must be re-audited.
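The two controls that BSC officials and PeckShield keep returning to above, suspending the protocol when anomalies appear and refusing to trust a price that a flash loan can move within one transaction, are easy to illustrate in a contract. The following Solidity is an added defensive example written for this article; it is not code from Belt Finance, PancakeBunny, BurgerSwap or any other project mentioned, and the IERC20 and IPriceOracle interfaces it relies on are assumed minimal interfaces (the oracle is hypothetical and would in practice be backed by a time-weighted price feed).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added defensive illustration; not code from any project named in the article.
// IERC20 and IPriceOracle are assumed minimal interfaces; a real deployment
// would wire them to actual token and oracle contracts.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IPriceOracle {
    // Hypothetical interface: both values scaled by 1e18, quoted in the same asset.
    function spotPrice(address token) external view returns (uint256);
    function twapPrice(address token) external view returns (uint256);
}

contract GuardedVault {
    IERC20 public immutable lpToken;
    IPriceOracle public immutable oracle;
    address public guardian;
    bool public paused;

    // Largest tolerated |spot - twap| / twap, in basis points (500 = 5%).
    uint256 public maxDeviationBps = 500;

    mapping(address => uint256) public shares;
    mapping(address => uint256) public lastActionBlock;

    event Paused(address indexed by, string reason);
    event Unpaused(address indexed by);

    modifier whenNotPaused() { require(!paused, "vault: paused"); _; }
    modifier onlyGuardian()  { require(msg.sender == guardian, "vault: not guardian"); _; }

    // One vault action per account per block: a flash loan has to deposit and
    // withdraw inside a single transaction, so that round trip cannot complete.
    modifier oncePerBlock() {
        require(lastActionBlock[msg.sender] != block.number, "vault: one action per block");
        lastActionBlock[msg.sender] = block.number;
        _;
    }

    constructor(IERC20 _lpToken, IPriceOracle _oracle) {
        lpToken = _lpToken;
        oracle = _oracle;
        guardian = msg.sender;
    }

    // Reverts if the spot price has drifted further from the time-weighted
    // reference than allowed. Buying, acting and selling within one block moves
    // spot sharply while the TWAP barely changes, so the deviation is the signal.
    // A revert rolls back every state change in the transaction, so this check
    // cannot also flip `paused`; tripping the fuse is left to the guardian,
    // driven by off-chain monitoring of reverts and price events.
    function _requireSanePrice() internal view {
        uint256 spot = oracle.spotPrice(address(lpToken));
        uint256 twap = oracle.twapPrice(address(lpToken));
        require(twap > 0, "vault: no reference price");
        uint256 diff = spot > twap ? spot - twap : twap - spot;
        // diff / twap <= maxDeviationBps / 10_000, rearranged to avoid division.
        require(diff * 10_000 <= twap * maxDeviationBps, "vault: spot price deviates from reference");
    }

    function deposit(uint256 amount) external whenNotPaused oncePerBlock {
        _requireSanePrice();
        require(lpToken.transferFrom(msg.sender, address(this), amount), "vault: transfer failed");
        shares[msg.sender] += amount; // 1:1 share accounting keeps the example short
    }

    function withdraw(uint256 amount) external whenNotPaused oncePerBlock {
        _requireSanePrice();
        require(shares[msg.sender] >= amount, "vault: insufficient shares");
        shares[msg.sender] -= amount;
        require(lpToken.transfer(msg.sender, amount), "vault: transfer failed");
    }

    // The manual fuse: the team's real-time monitoring calls this to suspend the
    // protocol when it sees anomalies, and lifts it only after investigation.
    function pause(string calldata reason) external onlyGuardian {
        paused = true;
        emit Paused(msg.sender, reason);
    }

    function unpause() external onlyGuardian {
        paused = false;
        emit Unpaused(msg.sender);
    }

    function setMaxDeviationBps(uint256 bps) external onlyGuardian {
        require(bps <= 10_000, "vault: bps out of range");
        maxDeviationBps = bps;
    }
}
```

Two caveats belong with this pattern. A time-weighted price is harder, not impossible, to move; it only raises the cost of manipulation from one transaction to sustained pressure over several blocks, so the deviation bound is a fuse, not a substitute for the audit. And the same-block guard protects only the deposit/withdraw round trip; a flaw in the strategy's own balance calculation, the kind PeckShield describes in the Belt Finance case, sits underneath these checks and is found only by reviewing the forked logic itself, including every small update to it.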
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/hackers-attack-homologation-vulnerability-to-destroy-fork-protocol/