Blockchain is known for being censorship-resistant. That makes it a hot spot for innovation and, at the same time, a breeding ground for crime. The DAO, which had raised more than US$150 million in crowdfunding, was drained by hackers, and the hard fork carried out in response gave rise to today's Ethereum. Since the creation of the blockchain, hacker thefts of currency from exchanges, wallets and dapps have occurred frequently. So, what waves did the blockchain security field experience in 2021, and what follow-up work did they require?
(This article was originally written by Fenbushi Capital, with CertiK senior security engineer Wang Peiyu as consultant; the author is a bandit.)
Blockchain hacking and theft incidents of 2021, sorted out
Uranium Finance-Logic Vulnerability
On October 27, the Cream Finance price oracle was manipulated. The attacker borrowed DAI from MakerDAO to mint a large amount of yUSD, and at the same time pushed up the oracle's price for yUSD by manipulating the multi-asset liquidity pool behind it (containing yDAI, yUSDC, yUSDT and yTUSD). With the yUSD price artificially inflated, the attacker's collateral was valued high enough to create a borrowing limit large enough to borrow most of the funds in Cream Finance's Ethereum v1 lending market. Cream Finance had also been hit by a flash-loan attack on August 30.
2) Wallet-phishing information
Exchange incidents differ from project-side incidents: once an accident happens to a project party, anyone can analyze it through the public transaction records on the chain, whereas only insiders of the exchange know what happened there, and the information is not disclosed. Generally, exchange incidents come from these directions: the exchange server is hacked and the attacker obtains the private key of the hot wallet stored on the server; or exchange staff are phished, after which the attacker enters the internal system through the staff member's account and reaches the hot wallet's private key; and so on.
What to do after assets are stolen
The project party generally adopts the following measures:
1) Immediately suspend token transfers and transaction services in the smart contract; for contracts that cannot be suspended, check which privileged functions are available in the contract and shut down part of the contract's services to prevent it from being attacked again.
2) At the same time, issue a warning to the community to prevent new investors from putting their assets into the leaky contract.
3) Contact a third-party security company, ask for help analyzing the cause of the vulnerability, and cooperate to fix it.
4) To control the whereabouts of the stolen funds, if the contract has a blacklist function, block the hacker's addresses immediately to prevent the hacker from transferring the funds.
5) Cooperate with security companies and law enforcement agencies to recover the stolen property, and at the same time come up with a reasonable compensation plan to reduce user losses.
So, why can hackers still take advantage of vulnerabilities after a security company has screened the code for them? The fact is that the audit work for a given project can only last a few weeks, while the hacker's time and energy are unlimited. Once they target a certain type of project, they have far more time to conduct research and take action than the audit company does.
Secondly, a secure open-source code base also raises the safety factor. The OpenZeppelin code base is an open-source library written by professionals, so its code quality is relatively high and safer. The project party only needs to add the functions it wants to implement on top of the library, rather than writing the code from scratch.
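As an added illustration (not code from this article or from any project it names), here is a minimal ERC-20 that builds on the OpenZeppelin library described above and adds the two emergency controls from the incident-response list: an owner-only pause that halts all transfers, and a blacklist that stops a flagged address from sending or receiving. It assumes OpenZeppelin Contracts 4.x; the contract name, token name and function names are the example's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin Contracts 4.x import paths.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/security/Pausable.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical token: names and amounts are constructed for this example.
contract IncidentResponseToken is ERC20, Pausable, Ownable {
    // Addresses that may neither send nor receive while flagged.
    mapping(address => bool) public blacklisted;

    event BlacklistUpdated(address indexed account, bool status);

    constructor() ERC20("Example Token", "EXT") {
        _mint(msg.sender, 1_000_000 * 10 ** decimals());
    }

    // Step 1 of the response list: freeze every transfer at once.
    // Pausable already emits Paused/Unpaused events for on-chain monitoring.
    function pause() external onlyOwner {
        _pause();
    }

    function unpause() external onlyOwner {
        _unpause();
    }

    // Step 4 of the response list: block specific attacker addresses
    // without freezing the whole token.
    function setBlacklist(address account, bool status) external onlyOwner {
        blacklisted[account] = status;
        emit BlacklistUpdated(account, status);
    }

    // Every mint, burn and transfer passes through this hook, so one check
    // here covers transfer, transferFrom and any future extension.
    function _beforeTokenTransfer(address from, address to, uint256 amount)
        internal
        override
        whenNotPaused
    {
        require(!blacklisted[from], "sender is blacklisted");
        require(!blacklisted[to], "recipient is blacklisted");
        super._beforeTokenTransfer(from, to, amount);
    }
}
```

Both controls are privileged functions, so the owner key itself becomes a target; in practice the owner should be a multisig or timelock, and the Paused and BlacklistUpdated events should be monitored so that unexpected use of these powers is noticed immediately.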
From the human-factor side, the project party needs to consider whether its financial model and business logic can withstand scrutiny, and conduct countless tests to eliminate potential risks.
All in all, the security of DeFi protocols and of the blockchain as a whole is the main factor keeping mainstream funds out of the industry. Looking at all the causes of DeFi accidents, the most important is that DeFi projects are not yet fully decentralized and still need to rely on third-party external services. Being impeccable in security is the goal that projects on this track must achieve (especially on the heavily centralized cross-chain track). We look forward to the industry's next cycle producing DeFi products with new business logic!
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/one-article-reveals-the-reasons-for-frequent-blockchain-hacking-in-2021/