One article reveals the reasons for frequent blockchain hacking in 2021

Blockchain is a hot spot that encourages innovation, and to some extent, it has become a breeding ground for crime due to its security risks.

After the crowdfunding of The DAO, which had a crowdfunding of more than US$150 million, was stolen by hackers, it carried out a hard fork operation, which gave rise to today’s Ethereum.

Since the creation of the blockchain, there have been frequent instances of hacker stealing money against exchanges, wallets, and Dapps.

So, what kind of waves will the blockchain security field experience in 2021, and what will be the subsequent processing work?

2021 Blockchain hackers stolen currency incidents sorted out

Due to the enthusiastic market sentiment in 2021, the amount of money stolen by hackers broke the historical record of previous years.

As of the third quarter, a total of 32 hacking incidents resulted in the theft of 1.5 billion U.S. dollars in assets, compared with 180 million U.S. dollars for the entire year of last year.

DeFi protocol

Uranium Finance-Logic Vulnerability

In April 2021, the liquidity mining protocol Uranium was attacked. The attacked smart contract was a modified version of MasterChief (MasterChief is a smart contract used to create a pledge pool and return pledge rewards to users).

Among them, the code used to execute the “staking reward” has a logic loophole, allowing hackers to obtain more mining rewards than others. The hacker drained the RAD/sRADS pool and replaced it with BUSD and BNB worth 1.3 million U.S. dollars.

Cream Finance-oracle manipulation

On October 27, the Cream Finance oracle was manipulated. The attacker borrowed DAI from MakerDAO to create a large number of yUSD tokens, and at the same time manipulated the oracle’s price for yUSD by manipulating the multi-asset liquidity pool (including yDAI, yUSDC, yUSDT, and YTUUSD).

After increasing the price of yUSD, the attacker’s price of yUSD was artificially increased, thereby creating a sufficient borrowing limit to borrow most of Cream Finance’s funds in the Ethereum v1 lending market. And Cream.Finance was also attacked by a flash loan on August 30.

Badger DAO-front-end malicious code injection

The attacker obtained the API Key of the project party in the Cloudflare backend to inject a series of malicious codes into the front-end code of the website.

When a user visits a front-end website, a transaction will be initiated after the malicious code is triggered for the user to confirm. If the user confirms the malicious transaction, the right to use the token will be given to the attacker. The attacker can then transfer all the money away through the escrow.

Anyswap-background signature

The accident happened because an inappropriate value was used in the background signature, and the attacker derives the private key for its signature through two transactions.

Wallet-Phishing Information

Take an example of the Bitcoin wallet Electrum. When the user’s old version is connected to the attacker’s node, the attacker sends phishing information to the wallet through the node. When the user sees the phishing information and downloads the wallet with the backdoor, the hacker can easily grasp the user’s private key.

Exchange

It is different from the fact that once an accident occurs to the project party, people can analyze it through the public transaction records on the chain. Only the insiders of the exchange will know what happened, and the information will not be disclosed.

Generally, the exchange incident comes from these aspects: the exchange server is hacked, and the attacker has accessed the private key of the hot wallet in the server. The staff of the exchange was attacked by phishing, and then the attacker accessed the internal system through the staff’s account, contacted the private key of the hot wallet and so on.

What to do after assets are stolen

Regarding the handling of assets after theft, it can be analyzed from three perspectives-the project party, the exchange, and the third-party security agency.

The project party generally adopts these solutions

  1. Suspend the token transfer and transaction services in the smart contract in time. For contracts that cannot be suspended, check the privileged functions that can be used in the contract and block some of the contract services to prevent the contract from being attacked again.
  2. At the same time, a warning was issued to the community to prevent new investors from putting their property in a leaky contract.
  3. Contact a third-party security agency, request help analyzing the cause of the vulnerability, and cooperate to fix the vulnerability.
  4. For the destination of the stolen funds-if there is a blacklist function in the contract, the hacker address will be blocked for the first time to prevent the hacker from transferring funds.
  5. Cooperate with security agencies and law enforcement agencies to recover stolen property, and propose reasonable compensation plans to reduce user losses.

From the perspective of the exchange, there are two situations

  1. If the exchange itself is stolen, it is necessary to temporarily suspend all withdrawal and recharge functions to minimize the loss. The exchange keeps all the information in the system (such as logs) for future analysis and use, and contact security agencies or law enforcement agencies to assist in property tracking.
  2. If a certain project is hacked, the exchange can monitor the hacker’s related chain address, and if the latest recharge related address is detected, the account will be frozen immediately.

Security agencies need to do the following

  1. Analyze the causes of the vulnerabilities after the incident, and fix the vulnerabilities.
  2. Provide security audit services before the project goes online again to reduce the security risks after the project goes online again.
  3. Issue a community warning and check to see if there are other projects with the same vulnerabilities. If there are projects with the same loopholes, a warning can be issued through confidential channels.
  4. Use on-chain technology to track the flow of funds and analyze off-chain information (such as hackers’ IP addresses and equipment) to assist law enforcement agencies in catching hackers.

Then, why the security agencies have screened for vulnerabilities layer by layer, and hackers have the opportunity to take advantage of it?

The fact is that the audit work for a certain project can only last for a few weeks, and the hacker’s time and energy are unlimited. Once they target a certain type of project, they will have much more time to conduct research and take action than the audit company.

This year’s cross-chain bridge projects have been repeatedly attacked because of the large number of user assets locked in such projects.

Secondly, the difference between the cross-chain bridge and other DeFi projects is that almost 100% of the logic of ordinary DeFi projects is implemented on smart contracts, while the cross-chain bridge is a combination of web2 and web3, which is a combination of smart contracts and traditional backends. .

The track that is not decentralized and has huge lock-up funds gives hackers the opportunity to attack.

In short, in addition to its own code, the DeFi protocol needs to be inflexible, because it needs to be a composable type that interacts with other protocols, and its business logic must also be tightly integrated.

Most importantly, the DeFi protocol requires third-party services (such as external oracles, centralized cloud platforms, etc.), and these third-party services are likely to face the risk of external manipulation, which is also the main reason why products are attacked by hackers.

Future blockchain security outlook

With the development of technology in the future, will the blockchain industry become increasingly secure?

In theory it is.

Let’s talk about the underlying technology first. First of all, the Solidity language for writing smart contracts has gradually matured.

After the recent Solidity version 8.0, a common vulnerability called integer overflow has disappeared.

Secondly, the importance of security in the blockchain industry is increasing significantly.

Finally, a secure open source code base will also increase the safety factor.

The OpenZeppelin code base is an open source code base written by professionals, and its code quality will be relatively high and safer. The project party only needs to add some functions that they want to implement on the basis of the code library, and they can write code from scratch.

In addition, there are many security tools that will check the code-it can help the project team find some potential vulnerabilities without contacting the security company, thereby improving the security of the code.

For example, the CertiK Skynet skynet scanning system, as a 24*7 security intelligence engine, can provide multi-dimensional and real-time transparent security monitoring for the deployment of smart contracts on the chain, as well as 24-hour operation monitoring and hazard warning prompts.

In addition, for example, security rankings that openly and transparently display security data and project early warning systems can also provide security insights for investors other than the project party. All investors can query the required security data information through this unrestricted security insight database.

As more and more technical personnel join this field, the security barriers of the blockchain industry will continue to be reinforced.

All in all, the DeFi protocol and the entire blockchain security issue are the main factors that prevent mainstream funds from entering the industry. The DeFi industry is impeccable in terms of security, which is the goal that this track project must achieve-especially for the heavily centralized cross-chain track.

Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/one-article-reveals-the-reasons-for-frequent-blockchain-hacking-in-2021-2/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.