I. Overview
In the first quarter of 2024, malicious behaviors such as hacking attacks, Rugpull scams, and phishing attacks caused a total loss of US$462 million, a year-on-year increase of approximately 20.63% from the first quarter of 2023 (approximately US$383 million). This report aims to organize and analyze the security status, major events, and security trends of the global Web3 industry in the first quarter of 2024, provide readers with useful information and new ideas, and contribute to the safe and healthy development of Web3.
2. Security incident analysis
According to data from SharkTeams on-chain security analysis platform ChainAegis, a total of 280 security incidents occurred in the Web3 field in the first quarter of 2024 (Figure 1), with a cumulative loss of more than 462 million US dollars (Figure 2). Compared with the same period last year, security The frequency of events increased by approximately 32.70%, and the amount of losses increased by approximately 20.63%.
Figure 1 :Total Count of Security Incidents in 2024 Q1
Figure 2 :Total Loss of Security Incidents in 2024 Q1
A total of 60 hacker attacks occurred in Q1 of 2024, an increase of 140% compared with Q1 of 2023, and the amount of losses reached US$385 million, accounting for 83% (Figure 3), a year-on-year increase of 6.35% compared to Q1 of 2023 (362 million).
A total of 127 Rug Pull cases occurred, a 323.33% increase compared to Q1 2023 (30 cases), but the loss amount fell by 59.44%, totaling US$8.21 million, accounting for 2% of the entire Q1 loss amount.
A total of 93 phishing attacks occurred in Q1, a year-on-year increase, with losses amounting to approximately US$68.66 million, accounting for approximately 15%.
Figure 3 :Amount of Loss by Attack Type in 2024 Q1
Figure 4 :Amount of Count by Attack Type in 2024 Q1
Looking at Q1 by month (as shown in Figure 5), the losses in January were the most serious, exceeding US$250 million, which was much higher than February (US$71.42 million) and March (US$140 million). Among them, 88 security incidents occurred in January, which was slightly higher than the 72 incidents in February and slightly lower than the 120 incidents in March. It can be seen that the loss amount of a single security incident in January was the highest. The costliest attack method in January was hacking, with a total of 20 hacking attacks causing $217 million in losses. At the same time, January also saw a high incidence of phishing attacks, with a total of 39 phishing attacks, but the loss was relatively minimal, totaling $29.15 million. The overall frequency of security incidents and the amount of losses in February were at a lower level than those in January and March.
Figure 5 :Web3 Security Incidents Overview in 2024 Q1
2.1 Hacker attack
There were 60 hacking attacks in the first quarter, with losses totaling $385 million. Among them, the most serious loss was US$217 million in January. The main reason is that a total of 2 large capital losses occurred in January.
(1) On January 1, 2024, the cross-chain bridge project Orbit Chain suffered a cyber attack, resulting in the theft of approximately US$81.5 million worth of cryptocurrency. The incident involved 5 separate transactions, each directed to a different wallet address. Unauthorized fund flows included $50 million in stablecoins (which included $30 million in USDT, $10 million in DAI, and $10 million in USDC), 231 wBTC worth approximately $10 million, and approximately $21.5 million worth of of 9500 Ethereum.
(2) On January 31, 2024, four wallets of Ripple co-founder Chris Larsen were attacked, and a total of 237 million XRP, equivalent to approximately US$112.5 million, was stolen. ChainAegis on-chain analysis shows that the stolen funds have been transferred through MEXC, Gate, Binance, Kraken, OKX, HTX, HitBTC, etc. This is the largest cryptocurrency theft of 2024 so far and the 20th largest cryptocurrency theft in the crypto world so far. The price of XRP fell by approximately 4.4% in the 24 hours after the incident.
2.2 Rug Pull & Scams
As shown in the figure below (Figure 6), Rugpull Scam incidents occurred in 29 cases in January, and then increased month by month, with approximately 63 cases in March; losses in January were approximately US$4.51 million, and losses in February were approximately US$1.49 million. According to ChainAegis analysis, events are concentrated in the mainstream chains Ethereum and BNB Chain. The frequency of Rug Pull events in the BNB Chain project is much higher than that in Ethereum.
In addition, on February 25, the GameFi project RiskOnBlast of the Blast ecosystem experienced a Rugpull. According to ChainAegis analysis, RiskOnBlasts address 0x 1 EeB 963133 f 657 Ed 3228 d 04 b 8 CD 9 a 13280 EFC 558 raised a total of 420 ETH between the 22nd and 24th, worth approximately US$1.25 million, but was later exchanged into DAI and transfer it to the deposit address of exchanges such as ChangeNOW, MEXC, Bybit, etc. for cash out.
Figure 6 :Overview of Rugpull & Scam by Month in 2024 Q1
2.3 Phishing attack
As shown in the figure below (Figure 7), phishing attacks occurred with the highest frequency in January, totaling 39 cases, causing losses of approximately US$29.15 million; February had the lowest frequency, with 21 attacks, causing losses of approximately US$11.34 million. SharkTeam reminds everyone that in the bull market, the market is active and there are many airdrop opportunities. However, everyone must be more vigilant to avoid being attacked by active phishing groups such as Angel Drainer and Pink Drainer. Be sure to check the transaction information carefully when transferring and authorizing.
Figure 7 :Overview of Phishing by Month in 2024 Q1
3. Typical case analysis
3.1 Contract accuracy calculation vulnerability
On January 30, 2024, MIM_SPELL suffered a flash loan attack and lost $6.5 million due to a precision calculation vulnerability. The reason for the attack was that there was a loophole in the accuracy of the projects smart contract when calculating loan variables, causing the key variables elastic and base values to be manipulated and unbalanced, resulting in problems when calculating collateral and loan amounts, and ultimately over-lending of MIM tokens. currency.
The borrow function and repay function in the attacked contract (0x 7259 e 1520) both use rounding up when calculating the elastic and base variables.
The attacker (0x 87 F 58580) first sets the elastic variable and base variable to 0 and 97 respectively by repaying other users loans.
Subsequently, the borrow function and the repay function are continuously called and the parameter amount is 1. When the borrow function is called for the first time, since elastic= 0, the above if logic will be executed and returned to the add function. This results in elastic = 1, base = 98.
The attacker (0x 87 F 58580) then calls the borrow function and passes in 1. Since elastic= 1, the else logic will be executed, and the calculated return value is 98. In this way, when returning to the add function, elastic= 2, base variable to 196.
But at this time the attacker (0x 87 F 58580) calls the repay function and passes in 1. Since elastic=2, the else logic will be executed. The calculated elastic variable was originally 1* 2/98 = 0, but due to the upward fetch below This complete step results in a calculated return value of 1, so that when we return to the sub function, the elastic variable changes back to 1, and the base variable is 195.
It can be seen that after a borrow-repay loop, the elastic variable remains unchanged and the base variable nearly doubles. Taking advantage of this vulnerability, hackers frequently perform borrow-repay function loops, and finally call repay again, ultimately making elastic= 0 base = 120080183810681886665215049728.
When the ratio between elastic and Base variables is seriously imbalanced, the attacker (0x 87 F 58580) can lend a large amount of MIM tokens after adding a very small amount of collateral to complete the attack.
3.2 DeGame phishing attack and Pink Drainer fraud group
In March 2024, a Web3 user unknowingly clicked on the phishing link posted by the official account of DeGame and suffered losses.
Afterwards, the user mistakenly thought that DeGame was committing theft during the process, so he disclosed the incident on Twitter. A group of KOLs, media and a considerable number of users continued to spread the incident without knowing it, which affected DeGames brand image and The reputation of the platform has had a great impact.
After the incident, DeGame launched an emergency plan to help the victim users try to recover their assets. The story of the DeGame phishing attack is roughly as follows:
(1) From 4:00 AM to 9:30 AM on March 14, DeGame’s official A user reported that he lost about 57 PufETH after clicking the airdrop link;
(2) DeGame official Twitter operators discovered the phishing link on the platform after 9:30 AM and deleted it. At the same time, DeGame synchronized the news to all users through official social media and the community, and issued a reminder announcement.
(3) The victim user browsed the phishing website link and the explanatory text posted by the attacker during the abnormal time period of DeGame’s official Twitter account. He unknowingly believed that the link was indeed organized by DeGame official in conjunction with other project parties. In the token airdrop activity, after clicking on the link and following the attackers preset prompts, the assets were lost.
(4) After the user clicks on the phishing website to connect to the wallet, the website will automatically detect whether there are assets in the wallet address. If there are assets, the Permit Token Approval transaction signature will pop up directly. What is different from regular transaction signatures is that this signature is not uploaded to the chain at all, is completely anonymous, and is likely to be used in illegal ways. In addition, users do not need prior authorization to interact with the application contract by attaching an authorization signature (Permit).
(5) In this theft incident, the phishing hacker obtained the Permit Token Approval transaction signature authorized by the stolen user to the phishing contract address 0x d 560 b 5325 d 6669 aab 86 f 6 d 42 e 156133 c 534 cde 90, and Submit Permit in the attack transaction and call Approve to obtain token authorization and then transfer the stolen funds.
(6) The provider of phishing tools is the hacker fraud group Pink Drainer. Pink Drainer is a malware-as-a-service (MaaS) that allows attackers to quickly establish malicious websites and obtain information through the malware. illegal assets. About 25% of the stolen funds in this stolen transaction were transferred to PinkDrainer: Wallet 2, which is the wallet address No. 2 of the phishing group PinkDrainer. This is the automatic address given to PinkDrainer by the phishing implementer after using the phishing tool of the phishing group PinkDrainer. divided into.
3.3 Batch Rugpull leads to a surge in the number of events
The surge in the number of Rugpull incidents in 2024 has a lot to do with the batch creation of Rugpull tokens by the RugPull factory contract. The SharkTeam security research team conducted a detailed analysis of these Rugpull incidents. During the analysis, we found that the Rugpull factory contract on BNB Chain has initiated more than 70 Rugpulls in the past month. Batch Rugpull events usually have the following behavioral characteristics:
(1) These tokens are created by the createToken operation of the token factory contract. In the createToken function, the following parameters need to be passed in when creating a token: token name, token symbol, accuracy, supply, token owner address, factory contract address for creating the token pair, and BUSD-T stablecoin address. Among them, the factory contract that creates the token pair uses PancakeSwap’s factory contract, and each token has a different owner address.
(2) The token owner uses other addresses to buy and sell Rugpull tokens in batches. Under buy and sell operations, the liquidity of the token increases significantly and the price gradually increases.
(3) Promote through phishing and other methods to induce a large number of users to buy. As liquidity increases, the token price doubles.
(4) When the price of the token reaches a certain value, the owner of the token enters the market and performs sell operation to perform rugpull.
Behind this series of behaviors is a Web3 fraud group with a clear division of labor, forming a black industry chain, which mainly involves hotspot collection, automatic currency issuance, automatic transactions, false propaganda, phishing attacks, Rugpull harvesting and other links. The fake Rugpull tokens issued are closely related to hot industry events and are highly confusing and instigative. Users need to be vigilant at all times, remain rational, and avoid losses.
4. Summary
The total losses caused by security incidents in the first quarter of 2024 reached US$462 million. Factors such as the increase in currency prices this quarter have a certain impact on the increase in the total amount, but overall, the security situation of Web3 is not optimistic. Smart contract logic loopholes, Rugpull black industry chains, phishing attacks, etc. are the main reasons that threaten the security of users encrypted assets. We hope that Web3 users and projects can improve their security awareness as soon as possible and reduce losses.
About us
SharkTeams vision is to secure the Web3 world. The team consists of experienced security professionals and senior researchers from around the world, who are proficient in the underlying theory of blockchain and smart contracts. It provides services including risk identification and blocking, smart contract audit, KYT/AML, on-chain analysis, etc., and has created an on-chain intelligent risk identification and blocking platform ChainAegis, which can effectively combat the Advanced Persistent Threat (Advanced Persistent Threat) in the Web3 world. , APT). It has established long-term cooperative relationships with key players in various fields of the Web3 ecosystem, such as Polkadot, Moonbeam, polygon, Sui, OKX, imToken, Collab.Land, TinTinLand, etc.
Official website:https://www.sharkteam.org
Twitter:https://twitter.com/sharkteamorg
Telegram:https://t.me/sharkteamorg
Discord:https://discord.gg/jGH9xXCjD
