Q4 crypto security incidents caused losses of more than 700 million U.S. dollars: how should project teams and users prevent and control the risks?

冉_
读者
2021-12-21 06:37
This article is about 2184 words; reading the full article takes about 4 minutes.
Q4 was the quarter with the highest number of security incidents this year: more than 40 incidents and losses of more than 700 million US dollars, spanning many sectors and attack types.

2021 is coming to an end. Reviewing the security incidents in the blockchain field this year, the one involving the most money and having the greatest impact was the hack of the cross-chain interoperability protocol Poly Network in August, in which more than 610 million U.S. dollars were stolen, the largest amount in the history of DeFi.

The months with the most security incidents and the largest losses were May (most incidents occurred on BSC, with losses of more than 300 million U.S. dollars), August (besides the Poly Network hack, the hot wallet of the Japan-based cryptocurrency exchange Liquid was hacked, with a loss of $91.35 million), and October, November and December.

Q4 thus became the quarter with the most security incidents this year. According to incomplete statistics, there were more than 40 security incidents in the fourth quarter, with losses of more than 700 million US dollars, spanning many sectors and attack types.

A review of nine security incidents in the crypto field with large losses

On December 5, BitMart founder and CEO Sheldon Xia tweeted that two large-scale security vulnerabilities related to hot wallets had been discovered and that hackers had extracted assets worth about 150 million US dollars. On the 6th, Sheldon Xia said the breach was mainly caused by the theft of the private keys of two hot wallets; BitMart's other assets were safe and uncompromised, and BitMart would use its own funds to cover the incident and compensate affected users.

On October 27, the DeFi lending protocol Cream Finance was attacked again and lost more than $130 million. The stolen funds were mainly Cream LP tokens and other ERC-20 tokens; PeckShield found that a large flash loan was used to carry out the attack. (Cream Finance has been hacked five times in 2021, with total losses of about 200 million US dollars.)

On October 30, the decentralized trading protocol BXH was attacked on the BSC chain and more than $130 million was stolen. The hacker's initial profit address (BSC: 0x4...d79) transferred 4000 ETH from BSC to the Ethereum chain and then bridged 300 BTCB across chains as renBTC to the address (1Jw...Vow).

On December 3, the decentralized organization Badger DAO confirmed that it had been attacked, with a loss of $120.3 million, including about 2,100 BTC and 151 ETH. BadgerDAO said the December 2 phishing incident was caused by a "maliciously injected snippet" via Cloudflare, an application platform running on Badger's cloud network: the hackers used compromised API keys, created without the knowledge or authorization of Badger engineers, to periodically inject malicious code that affected some of its customers.

On November 26, Compound suffered an oracle attack and $90 million in assets were liquidated. The massive liquidation was caused by a sharp fluctuation in the DAI price on Coinbase Pro, the data source of Compound's oracle. Manipulating the data source an oracle relies on for a short period, so that a misleading price is pushed on-chain, is a typical oracle attack.
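The short-lived single-source manipulation described above is exactly what a price aggregator should be built to absorb. As an added illustration (not code from the article or from Compound), the following Python contrasts a naive single-venue oracle with one that takes a cross-source median, discards outliers, drops stale quotes and rate-limits jumps; the venue names, prices and timestamps are constructed.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class PriceSample:
    source: str      # feed label (constructed, not a real venue)
    price: float     # quoted USD price of the asset
    timestamp: int   # unix seconds when the quote was observed

def single_source_price(samples, source):
    """Naive oracle: trusts one venue, so a brief spike there becomes the
    on-chain price at once (the pattern behind the Compound liquidations)."""
    return next(s.price for s in samples if s.source == source)

class GuardedOracle:
    """Cross-source median, outlier rejection, staleness check, change cap."""

    def __init__(self, max_deviation=0.10, min_sources=3, max_age=60):
        self.max_deviation = max_deviation  # fraction, 0.10 == 10%
        self.min_sources = min_sources
        self.max_age = max_age              # seconds a quote stays usable
        self.last_price = None

    def update(self, samples, now):
        # Ignore stale feeds so a frozen source cannot anchor a bad value.
        live = [s for s in samples if now - s.timestamp <= self.max_age]
        if len(live) < self.min_sources:
            return self.last_price, [], "insufficient_sources"
        med = median(s.price for s in live)
        # Feeds further than max_deviation from the cross-source median are dropped.
        outliers = [s.source for s in live
                    if abs(s.price - med) / med > self.max_deviation]
        agreed = median(s.price for s in live if s.source not in outliers)
        # Even a consensus jump is rate-limited: hold the previous price and
        # flag the update for review instead of triggering mass liquidations.
        if (self.last_price is not None
                and abs(agreed - self.last_price) / self.last_price > self.max_deviation):
            return self.last_price, outliers, "held"
        self.last_price = agreed
        return agreed, outliers, "ok"

def demo():
    """Constructed scenario: three feeds agree at $1.00, then venue_a prints $1.30."""
    oracle = GuardedOracle()
    calm = [PriceSample(v, 1.00, 100) for v in ("venue_a", "venue_b", "venue_c")]
    spike = [PriceSample("venue_a", 1.30, 160), PriceSample("venue_b", 1.00, 160),
             PriceSample("venue_c", 1.00, 160)]
    oracle.update(calm, now=100)
    return single_source_price(spike, "venue_a"), oracle.update(spike, now=160)
```

The naive oracle returns the spiked 1.30 while the guarded one keeps 1.00 and names venue_a as the outlier; a "held" status means every feed moved together by more than the cap and a human should look before the new price is used.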

On December 12, AscendEX's internal security audit found that some ERC-20, BSC and Polygon tokens had been abnormally transferred out of the exchange's hot wallet; AscendEX's cold wallets were not affected. Security firm PeckShield Inc. tweeted that it estimated AscendEX's losses at $77.7 million in total ($60 million on Ethereum, $9.2 million on BSC, and $8.5 million on Polygon).

On November 30, the automated market maker protocol MonoX confirmed that it had been attacked with a flash loan. The attacker drained the liquidity pools on Polygon and Ethereum and made a profit of about 31 million US dollars.

On November 11, the USDM team used Convex to launch a governance attack on Curve, resulting in a loss of more than $30 million.

On October 15, the passive-income protocol Indexed Finance was attacked; the affected pools included DEFI5 and CC10. The team stated in Discord that the damage caused by the attack was about 16 million US dollars.

Lessons from the post-mortems

Judging by the sectors of the attacked projects, most were centralized exchanges and DeFi protocols such as DEXs. The main causes were wallet vulnerabilities, flash loan attacks and phishing.

As a project team, in addition to increasing the budget and investment in security (both technical measures and financial mechanisms) and undergoing multi-party audits, setting up risk-control or disaster-recovery plans (such as an insurance fund pool or a white-hat bounty program) can also serve as a signal of credibility.

As a user, first of all, it is best to have a general sense of the normal range of some basic market parameters (such as yield), and to be more vigilant about and scrutinize projects that look too attractive. If you cannot read code, it is recommended to read the project's audit report issued by a leading security firm, which usually points out specific potential risk points, and to cross-check the authenticity and timeliness of the report between the project team and its auditor. A small tool is also worth sharing here: the DeFi project audit database from DeFiYield, where you can search for audit reports by project name, token name, address or audit firm.

Another point is to keep up the precautions that are common in the Internet age: beware of phishing websites, telecom fraud and the risk of a project running off with funds. Follow the latest progress of the projects you participate in, and check the official notification channels (official website, Twitter, etc.) or communities (Discord, TG, etc.) every day, so that when there is a technology upgrade, product update, service suspension, vulnerability warning or incident disclosure, you learn about it and can act immediately.

Recommended reading

Chainlink - "Project Developers Must Read: Top Ten DeFi Security Problem Solutions"

Chengdu Lianan - "Analysis: When DeFi is reduced to a 'cash machine' for hackers, how do we ensure its security?"

Odaily - "Dialogue with the head of a security company: why are the injured always cross-chain bridges?"

Odaily - "The Dark Side of DeFi - HackFi"
