Text | Edited by Peter | Produced by Tong | PANews
This past May, the entire crypto market was shrouded in "gloom". Bitcoin at one point fell to the $30,000 mark, losing more than half of its previous high, and other tokens fell as well. DeFi projects, the "vanguard" of this bull market, also suffered a collective setback.
In terms of locked value, Debank data for June 6 showed the total value locked in DeFi on the Ethereum public chain at 86.66 billion US dollars, down 35% from the peak of 132.33 billion US dollars on May 11. The ecosystem on the BSC chain has not been spared either. Defistation data shows that the value locked on the chain has dropped to 26.66 billion US dollars, 50% lower than the peak of 53.6 billion US dollars on May 10. Beyond the recent overall market decline, the successive security incidents on the BSC chain have also dealt a blow to users' confidence in BSC's DeFi projects.
DeFi flash loan attacks occur frequently, and BSC "takes the blame"
On June 5, the security firm PeckShield issued an alert that BurgerSwap, the first automated market maker on the BSC chain, had been hit by a flash loan attack again, only a week after the previous one. BurgerSwap was first attacked with a flash loan on May 28; in that attack, 4,400 WBNB, 1.4 million USDT, 432,000 BURGER and other tokens worth 7 million US dollars were stolen. The project then announced a compensation plan that airdropped a new token, cBURGER, to eligible users. A week later, the same project on the BSC chain had been hacked back to back, each time through a flash loan.
BurgerSwap is not alone. According to PANews's count from public statistics, in May multiple projects on the BSC chain, such as Spartan Protocol, PancakeBunny, Bogged Finance, AutoShark, JulSwap, and Belt Finance, were also hit by flash loan attacks to varying degrees, and the amount lost accounted for 35% of all asset losses from security incidents on the BSC chain that month.
Users who are familiar with DeFi know that the flash loan is not a tool for evil but an innovation: an uncollateralized, unsecured lending method. The borrower must repay the loan and interest before the end of the blockchain transaction. If it is not repaid, the transaction will not be packaged into the block and the borrowed funds go back the way they came, as if the loan had never happened. Flash loans use the characteristics of the blockchain to achieve things that cannot be done in traditional finance.
Platforms that provide flash loans, such as Uniswap and Pancakeswap, only lend the funds and recover them plus interest; the platform does not interfere with what the funds are used for in between. Since the loan has to be repaid in the same transaction in which it is lent out, the borrower has to use other smart contracts that help him trade instantly with the borrowed funds before the transaction closes.
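The borrow, use and repay cycle described above, as an added example that is not part of the original article: a toy in-memory ledger in which a flash loan that is not repaid within the same transaction leaves every balance untouched. The `Chain` class, the account names and the 0.30% fee are assumptions made for illustration.

```python
class Revert(Exception):
    """Raised to abort the whole transaction, like a revert in a smart contract."""

class Chain:
    """Toy ledger (constructed): balances keyed by account name."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} has insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def execute(self, tx):
        """Run tx atomically: any Revert restores the pre-transaction balances."""
        snapshot = dict(self.balances)
        try:
            tx(self)
            return True
        except Revert:
            self.balances = snapshot
            return False

FEE_BPS = 30  # assumed lender fee: 0.30% of the borrowed amount

def flash_loan(chain, borrower, amount, callback):
    """Lend `amount`, hand control to the borrower, then demand principal plus fee."""
    before = chain.balances["pool"]
    chain.transfer("pool", borrower, amount)
    callback(chain)  # the lender does not inspect what the funds are used for
    owed = before + amount * FEE_BPS // 10_000
    if chain.balances["pool"] < owed:
        raise Revert("loan not repaid in the same transaction")

def run_case(repay):
    """Borrow 100,000 from the pool; repay (or not) inside the same transaction."""
    chain = Chain({"pool": 1_000_000, "alice": 5_000})
    def callback(c):
        if repay:
            c.transfer("alice", "pool", 100_000 + 300)  # principal + 0.30% fee
    ok = chain.execute(lambda c: flash_loan(c, "alice", 100_000, callback))
    return ok, chain.balances
```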
Anyone can initiate a flash loan transaction; as long as a strategy is workable at that moment, they can launch it. The initiator's costs include gas fees, transaction fees, slippage, and so on. Once a loophole in a project is found, the attacker can obtain a large amount of funds in a short period of time. These funds can serve as the capital for exploiting code loopholes, or be used to manipulate pricing and profit from arbitrage.
Regarding the recent frequent flash loan attacks, BSC officials stated that the chain has been targeted by an organized hacker team, and called on all DApps on the chain to guard against the risk. They recommend that projects on the chain work with auditing companies to conduct health checks; that forked projects repeatedly check the changes made relative to the original version; that projects take the necessary risk control measures, actively monitoring for anomalies in real time and suspending the protocol promptly when one occurs; and that project teams draw up an emergency plan to prevent the worst from happening. If conditions permit, a bug bounty program can also be set up.
Since several DeFi security incidents have occurred on BSC, some users have also questioned BSC, and some even think that this is a security loophole of BSC.
Binance Business and Ecosystem Development Coordinator Samy Karim also responded: "BSC is a public permissionless infrastructure on which anyone can deploy projects, including malicious actors and hackers. Definitely not exclusive to BSC."
BSC itself has gone a long time without any security incidents or hacking incidents. It is hard to conclude that BSC is unsafe just because some dApps have been attacked. Besides BSC, other public chains also encounter hacker attacks to a greater or lesser degree, and an entire public chain cannot be dismissed because of individual projects on it. Moreover, dApp development is still at an early stage for the industry, and it needs continuous iteration in technology, products, and security.
BSC's thriving ecosystem makes hacking profitable
At present, the BSC ecosystem is thriving and profitable, which has made it a key target for hackers.
In fact, as early as 2019, Binance launched its first public chain, Binance Chain. Binance Chain offers high throughput but lacks support for virtual machines and smart contracts, so it is mainly used to run Binance DEX and some other native DApps.
The Binance Smart Chain BSC, launched in 2020, is compatible with the Ethereum Virtual Machine (EVM) and supports smart contracts. Developers can easily migrate DApps on Ethereum to BSC with minimal configuration, avoiding high transaction fees on the Ethereum chain.
Since the beginning of this year, BSC has developed considerably, and its advantages have gradually emerged in its on-chain project ecosystem, total number of users, and user activity. According to bscproject data, as of June 6 the BSC ecosystem covered many fields such as DeFi, NFT, tools and infrastructure, with 637 projects and as many as 76,468,636 addresses on the chain. In daily transactions that day, BSC reached 4,447,832 transactions, 392% of Ethereum's 1,134,526. In addition, CryptoDep data shows that 9 of the 10 most active dapps in the past 30 days were deployed on BSC.
The rapid rise of BSC is inseparable from its low gas fees and fast transfers, which greatly improve the user experience. The blockchain industry actually has many high-performance, low-cost public chains; BSC not only has these characteristics, but also relies on the strong support of Binance and the wealth effect that comes with it. Even FTX founder SBF holds nearly 2 billion US dollars of DeFi assets on BSC.
In DeFi, the BSC chain's share of locked value was once as high as 26% and is currently 18.6%. In terms of 24-hour DEX transaction volume, the BSC ecosystem project PancakeSwap has already surpassed Uniswap, SushiSwap and other top Ethereum DEXs, and its trading volume in May reached 156.48 billion US dollars, accounting for 49% of total DEX trading volume. Even looking beyond the BSC ecosystem, PancakeSwap's position cannot be shaken.
To secure the line of defense, the project needs to control the internal logic of the "Lego combination"
The frequent flash loan attacks on the BSC chain have led the community to treat "flash loan" as a negative term, and may discourage it from developing on the BSC chain.
In fact, PeckShield believes that the recent spate of flash loan attacks is partly due to many projects not understanding the business logic: they copy another project's code and rush to go online after minor adjustments. For example, BurgerSwap and JulSwap, which were attacked with flash loans on BSC, are copies of Uniswap's code, and the two aggregator protocols AutoShark and Merlin Labs are copies of PancakeBunny's code.
PeckShield suggested that an audit be carried out before a new contract goes online, with attention paid to business logic loopholes that arise when the contract is combined with other DeFi products. At the same time, a risk-control circuit breaker mechanism should be designed, and threat-awareness intelligence and data situational intelligence services introduced to complete the defense system.
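An added example, not PeckShield's or any project's code, of the kind of risk-control mechanism recommended above: a guard that pauses price-sensitive actions when a pool's spot price jumps away from a slow-moving reference. The fee-free constant-product pool, the 10% threshold and the smoothing weight are assumptions chosen for illustration.

```python
class ConstantProductPool:
    """Toy x*y=k pool without fees (constructed); price = quote reserve / base reserve."""
    def __init__(self, base, quote):
        self.base, self.quote = base, quote

    def spot_price(self):
        return self.quote / self.base

    def swap_quote_for_base(self, quote_in):
        """Add quote tokens; the base reserve shrinks so that base * quote stays at k."""
        k = self.base * self.quote
        self.quote += quote_in
        self.base = k / self.quote

class PriceCircuitBreaker:
    """Pause the protocol when the spot price strays too far from a slow reference."""
    def __init__(self, pool, max_deviation=0.10, alpha=0.1):
        self.pool = pool
        self.max_deviation = max_deviation  # assumed threshold: 10%
        self.alpha = alpha                  # weight of each new block in the reference
        self.reference = pool.spot_price()
        self.paused = False

    def end_of_block(self):
        """Fold the block's closing price into the reference, only while healthy."""
        if not self.paused:
            self.reference += self.alpha * (self.pool.spot_price() - self.reference)

    def check(self):
        """Call before any price-sensitive action; returns False once tripped."""
        deviation = abs(self.pool.spot_price() - self.reference) / self.reference
        if deviation > self.max_deviation:
            self.paused = True
        return not self.paused

def demo():
    """Three ordinary blocks, then one outsized swap inside a single block."""
    pool = ConstantProductPool(base=10_000.0, quote=3_000_000.0)  # price 300
    guard = PriceCircuitBreaker(pool)
    results = []
    for quote_in in (5_000, 8_000, 2_000):  # constructed, ordinary trade sizes
        pool.swap_quote_for_base(quote_in)
        results.append(guard.check())
        guard.end_of_block()
    pool.swap_quote_for_base(1_500_000)     # constructed outlier: half the reserve
    results.append(guard.check())
    return results, guard.paused
```

The breaker stays tripped until an operator resets it, which matches the advice to suspend the protocol first and investigate afterwards.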
All DeFi protocols are subject to change. Even if a protocol has been audited multiple times, a small update renders the audit useless, so even a small update has to be re-audited.
In addition, developers may not need to worry too much about the security performance of BSC itself. According to the official introduction, the security of BSC mainly comes from two aspects. One is the security of the code, nodes, and the blockchain itself, and the other is the security of the ecosystem.
BSC runs open-source code that can be audited by third parties and the public; anyone with considerable technical knowledge can review the code and assess possible vulnerabilities and threats. The BSC network consists of 21 selected validator nodes using the PoSA algorithm, which avoids problems such as excessive network control and abuse of power by individual validator nodes.
The BSC ecosystem is composed of multiple parts and participants, and each component faces different threats: the code, the algorithms, the validator nodes and their hardware, the projects developed on BSC, and the individual users of those projects.
The ecosystem keeps growing, and DeFi+NFT has become the new expectation for June
While the security alarm bells are ringing, ecosystem building needs to keep being strengthened. NFT has now become a new focus of the BSC ecosystem besides DeFi.
In fact, as early as last year, Binance began positioning itself in NFT. While the popularity of DeFi was still high, Binance first listed NFT-related tokens, and then carried out NFT airdrops to users with BSC, such as the Christmas NFT airdrops of DEGO, Alpaca City, BCA, BakerySwap and Bounce, and a blind box airdrop for "BSC Farmers' Day". In addition to cooperating with artists, creators and crypto creatives, BSC has also integrated NFT into charity and launched a series of NFT volunteer incentive programs.
In terms of NFT, BakerySwap has also achieved many outstanding results. Its NFT platform has minted 98,681 NFTs, with more than 365,000 transactions and a transaction amount of up to 625 million US dollars. In addition, BSC is further focusing on innovative applications of NFT and DeFi. Recently, the second round of the Most Valuable Developer Program (MVB II) with the theme of "NFT Big Bang" is in full swing.
In June, Binance's NFT trading platform Marketplace will be launched on the 24th, and will be deployed on BSC and Ethereum at the same time. It is understood that the platform has cooperated with many celebrities such as Brit Award winner Lewis Capaldi, visual artist Trevor Jones, e-sports team eStarPro, star Owen and Alphonso Davies, and will launch their NFT works.
As all parties pay more and more attention to security, the DeFi attacks on the BSC chain may change in the future. After the entire crypto market has been dormant for a period of time, with the bad news gradually exhausted, the NFT market gradually recovering and exchanges promoting NFT trading platforms, the crypto market and BSC may sweep away the earlier gloom, and users will also get to feel the charm of combining NFT and DeFi.
