Are big organizations really safe? Interpreting the contract authorization risk of the main wallets of Binance, KuCoin and Jump
Original source: Jointly released by Dilation Effect and Wu Shuo Blockchain
Mainstream exchanges and institutions have undoubtedly invested heavily, in both money and manpower, in protecting their systems. Dilation Effect has no visibility into their internal security posture or implementation details. What we can do is a simple analysis of their public addresses, reading the small details for what they reveal, and ask from an ordinary user's perspective whether these addresses carry potential security risks and how large the potential exposure is.
The data for this quick review comes from public services such as Etherscan and Debank.
1. Selection of addresses to analyze
We looked through Etherscan's Top 1000 Accounts list and picked out the addresses that Etherscan has tagged as belonging to institutions.
2. Selection of the analysis dimension
Since we do not know how these exchanges and institutions generate and manage their wallets, how can the security of their addresses be analyzed at all? The dimension Dilation Effect chose this time is the contract authorizations granted by these addresses, that is, the token approvals they have given to contracts.
Coins being stolen because an address was tricked into approving a malicious contract, or because an approved contract has a vulnerability, is a very common attack. Limiting the approved amount and periodically revoking approvals has become established security best practice. So how are the addresses of these large exchanges doing? We randomly selected a few addresses for analysis.
Case 1
Address:
Binance 8 (0xF977814e90dA44bFA03b6295A0616a897441aceC)
This is the Binance wallet with the largest balance. It holds $10 billion on the ETH chain and $16.1 billion in total across all chains. Screenshots of some of the assets are as follows:
Checking this address's contract authorizations on the ETH chain shows $3.2 billion at risk. Of course, this does not mean there is a definite security problem; the figure only describes the potential risk exposure.
Next, let's look at how this address has granted authorizations: which tokens are approved to which contracts, and for what amounts. Some of the query results are excerpted below.
Here we notice something odd: for some tokens this address caps the approved amount, while for others the approval is unlimited, so the approval rules do not appear to be uniform. We pay special attention to BUSD, Matic, SHIB and SAND, which have large balances: $1.9 billion, $460 million, $260 million and $140 million respectively. The relevant authorization records are as follows:
There are several obvious problems here:
First, contract approvals are not revoked regularly. The BUSD approval, for example, has not been cleaned up for more than two years, either because nobody paid attention to it or because it was considered unnecessary. This suggests that Binance's internal security management does not cover this area systematically. Some may say that, on analyzing the approved contracts, the operations they can perform are limited and relatively safe. Our point is that this is not a purely technical issue but a security management one: how does Binance comprehensively and systematically manage the risk introduced by third-party contracts? We think it can be done more strictly and in more depth. In fact, a careful look shows that Aave: Lending Pool V2 is an upgradeable proxy contract. If (and we do mean if) the Aave contract were attacked, the loss here would be $1.9 billion.
Second, a large number of tokens are approved with no limit on the amount. In the extreme case where the approved contract is attacked, a capped approval reduces the loss accordingly. This too suggests a gap in the systematic coverage of Binance's internal security management. You may say these are extreme scenarios, but in the crypto industry many low-probability events have happened. Risk sensitivity needs to go up, and maintaining extreme risk aversion is well worth it.
Third, the approval rules are not uniform: some tokens have capped approvals while others have no cap at all. This suggests that Binance's internal security operations lack a clear standard, or that the internal teams have not coordinated their division of labor well.
We are also curious: why does an address holding such enormous assets frequently interact with DeFi contracts at all? Could Binance adopt a more fine-grained address plan with stronger isolation between roles?
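As an added example (not Dilation Effect's tooling, and not code from the original article), here is a Python checker that performs the analysis described above offline. It replays ERC-20 Approval event logs, in the JSON shape that eth_getLogs and Etherscan return, for one owner address, derives each live (token, spender) allowance, and reports the three things the findings above turn on: the USD exposure as min(balance, allowance), whether the approval is unlimited, and how long ago it was granted. The owner address is the Binance 8 address from the article; every token and spender address, balance, price, timestamp, and the 365-day staleness threshold are constructed assumptions.

```python
"""Offline ERC-20 approval risk check for one owner address.

Added example, not Dilation Effect's tooling. Input: Approval event logs in
the JSON shape returned by eth_getLogs / Etherscan. Output: per live
(token, spender) pair, the exposure min(balance, allowance) in USD, whether
the allowance is unlimited, and its age. All token/spender addresses,
balances, prices and timestamps below are constructed sample data.
"""
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # what approve(type(uint256).max) stores
SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Approval:
    token: str
    owner: str
    spender: str
    value: int
    timestamp: int


def topic_to_address(topic: str) -> str:
    """Indexed address topics are the 20-byte address left-padded to 32 bytes."""
    return "0x" + topic[-40:].lower()


def decode_approval(log: dict) -> Approval:
    """Decode one Approval(owner, spender, value) log entry."""
    if log["topics"][0].lower() != APPROVAL_TOPIC:
        raise ValueError("not an ERC-20 Approval log")
    return Approval(
        token=log["address"].lower(),
        owner=topic_to_address(log["topics"][1]),
        spender=topic_to_address(log["topics"][2]),
        value=int(log["data"], 16),
        timestamp=int(log["timeStamp"], 16),
    )


def live_allowances(logs: list, owner: str) -> dict:
    """Replay Approval events in chain order; the last one per (token, spender) wins.

    approve() overwrites the allowance and increaseAllowance()/decreaseAllowance()
    emit the new total, so the latest event is the current allowance. A final
    value of 0 is a revocation and the pair is dropped.
    """
    latest = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        a = decode_approval(log)
        if a.owner != owner.lower():
            continue
        key = (a.token, a.spender)
        if a.value == 0:
            latest.pop(key, None)
        else:
            latest[key] = a
    return latest


def assess(allowances: dict, balances: dict, prices: dict, decimals: dict,
           now: int, stale_days: int = 365) -> list:
    """Score each live approval the way the article's findings do:
    exposure = min(balance, allowance) in USD, plus unlimited and stale flags.
    stale_days is an assumed policy threshold, not one the article states."""
    findings = []
    for (token, spender), a in allowances.items():
        exposed_units = min(balances.get(token, 0), a.value)
        age = now - a.timestamp
        findings.append({
            "token": token,
            "spender": spender,
            "unlimited": a.value == UNLIMITED,
            "age_days": age // SECONDS_PER_DAY,
            "stale": age >= stale_days * SECONDS_PER_DAY,
            "exposure_usd": exposed_units * prices[token] / 10 ** decimals[token],
        })
    findings.sort(key=lambda f: f["exposure_usd"], reverse=True)
    return findings


# ---- constructed sample data (not on-chain values) ----
OWNER = "0xF977814e90dA44bFA03b6295A0616a897441aceC"  # Binance 8, from the article
TOKEN_A = "0x" + "11" * 20  # constructed 18-decimal token
TOKEN_B = "0x" + "22" * 20  # constructed 6-decimal token
SPENDER_POOL = "0x" + "aa" * 20    # constructed lending-pool spender
SPENDER_BRIDGE = "0x" + "bb" * 20  # constructed bridge spender
NOW = 1_700_000_000  # constructed "current" unix time


def make_log(token, owner, spender, value, block, ts):
    """Build a log entry in eth_getLogs JSON shape (constructed test input)."""
    pad = lambda addr: "0x" + addr[2:].lower().rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"), "blockNumber": hex(block),
            "logIndex": "0x0", "timeStamp": hex(ts)}


SAMPLE_LOGS = [
    # unlimited approval granted ~800 days ago and never revoked
    make_log(TOKEN_A, OWNER, SPENDER_POOL, UNLIMITED, 100, NOW - 800 * SECONDS_PER_DAY),
    # capped approval to a bridge, then revoked: must not appear as live
    make_log(TOKEN_B, OWNER, SPENDER_BRIDGE, 10**12, 150, NOW - 30 * SECONDS_PER_DAY),
    make_log(TOKEN_B, OWNER, SPENDER_BRIDGE, 0, 160, NOW - 29 * SECONDS_PER_DAY),
    # recent capped approval, well below the balance
    make_log(TOKEN_B, OWNER, SPENDER_POOL, 50_000 * 10**6, 200, NOW - 10 * SECONDS_PER_DAY),
]
SAMPLE_BALANCES = {TOKEN_A: 1_900_000_000 * 10**18, TOKEN_B: 1_000_000 * 10**6}
SAMPLE_PRICES = {TOKEN_A: 1.0, TOKEN_B: 1.0}
SAMPLE_DECIMALS = {TOKEN_A: 18, TOKEN_B: 6}


def run_sample() -> list:
    return assess(live_allowances(SAMPLE_LOGS, OWNER), SAMPLE_BALANCES,
                  SAMPLE_PRICES, SAMPLE_DECIMALS, NOW)


if __name__ == "__main__":
    for f in run_sample():
        flags = ",".join(k for k in ("unlimited", "stale") if f[k]) or "ok"
        print(f"{f['token'][:10]} -> {f['spender'][:10]}  ${f['exposure_usd']:,.0f}  "
              f"age={f['age_days']}d  {flags}")
```

On the constructed data the unlimited, 800-day-old approval of the 18-decimal token surfaces first with the full balance exposed, the revoked bridge approval disappears from the live set, and the recent capped approval shows only the cap as exposure. Run against real logs, the same report makes the article's three observations (stale approvals, unlimited amounts, inconsistent caps across tokens) checkable for any address rather than a matter of reading screenshots.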
Case 2
Address:
Kucoin 6 (0xD6216fC19DB775Df9774a6E33526131dA7D19a2c)
This is an address of the KuCoin exchange, holding $1.7 billion on the ETH chain and $1.9 billion on other chains combined. The screenshot of this address's assets is as follows:
Checking this address's contract authorizations on the ETH chain shows $1.1 billion at risk. Again, this does not mean there is a definite security problem; the figure only describes the potential risk exposure.
Next, let's look at the authorizations of the KuCoin address.
Wow! We found some interesting things again.
1. The APE tokens of this address were approved to Multichain's cross-chain Router contract on 2022-04-02. As you may know, a force majeure event hit Multichain a few days ago, yet KuCoin did not immediately revoke the Multichain contract approval. This shows that KuCoin still has room for improvement in emergency risk response.
2. The USDT ($500 million), USDC ($290 million) and KCS ($480 million) at this address are all approved to a contract named Bridge, with completely unlimited amounts. A simple analysis found that Bridge is the cross-chain bridge contract of KCC, the KuCoin Community Chain, but a search of KCC's official website turned up no security audit report for it, which is alarming all over again. Do you still remember the 2 million BNB attack on BNB Chain?
Case 3
Address:
Jump Trading (0xf584F8728B874a6a5c7A8d4d387C9aae9172D621)
This is the address of the institution Jump Trading, holding $140 million on the ETH chain and $150 million on other chains combined. The screenshot of this address's assets is as follows:
Checking this address's contract authorizations on the ETH chain shows $25 million at risk. Again, this does not mean there is a definite security problem; the figure only describes the potential risk exposure.
Next, let's look at the authorizations of the Jump Trading address.
This address has not granted many approvals, and most of them are capped, so overall the management is not bad.
Summary
This quick review ends here. Dilation Effect randomly selected the addresses of several exchanges and institutions for analysis. Judging from the results, none of these institutions is perfect when it comes to contract authorization. We hope our analysis offers a useful reference for the institutions concerned. Exchanges and institutions whose addresses were not picked here can also follow the analysis process above to check whether they have similar problems.