It’s time for another monthly security recap! March 2022 has seen a significant increase in the number of various exploits in blockchain field compared to February, with over 30 typical security incidents reported by Beosin Alert — the blockchain situation awareness platform.
The security risks exposed in DeFi reaches a record-high since the start of 2022. The Ronin exploit is probably the largest amount of funds involved in DeFi’s history, with over $600 million in losses. Other DeFi protocols have also been repeatedly attacked, with flashloans and contract exploits being the most favored attack methods by hackers. In addition, rug pulls-related incidents were also numerous. This month has seen a increased in NFT/metaverse exploits, of which phishing attack methods need to be focused on.
DeFi
There were 13 typical security incidents
№1 On March 5, Bacon Protocol, a collateralized lending protocol, was attacked by a flashloan attack, with losses of approximately $960,000.
№2 On March 10, Fantasm Finance, an algorithmic asset protocol, was attacked due to a vulnerability in smart contract, resulting in a loss of approximately $2.62 million.
№3 On March 15, the DeFi protocols Hundred Finance and Agave were exploited by a flashloan attack. Hackers stole over $11 million by exploiting a reentrancy vulnerability in both protocols.
№4 On March 15, Deus Finance, a multi-chain derivatives platform, was exploited for more than $3 million.
№5 On March 20, Umbrella Network reward pools on BNB Chain and Ethereum were drained for about $700,000.
№6 On March 20, the cross-chain DEX aggregation protocol li.finance suffered a call injection attack with a loss of about $600,000.
№7 On March 22nd, the stablecoin yield optimizer OneRing posted that it was attacked by a flashloan and hackers stole over $1.45 million.
№8 On March 23, Cashio Dollar, an algorithmic stablecoin on the Solana chain, was hacked and lost about $48 million.
№9 On March 26, InuSaitama was suspected to have suffered an arbitrage attack with a loss of ~430 ETH.
№10 On March 29, Auctus contract reported a critical vulnerability and was later exploited by hackers to profit about $720,000 from users who did not revoked the approvals.
№11 On March 30, Axie Infinity’s sidechain Ronin was hacked. The attackers managed to control over 5 out of 9 validator nodes and used the stolen private keys to forge fake withdrawals, ultimately profiting about $620 million. This is probably the largest attack in DeFi’s history.
№12 On March 30, the BMIZapper of BasketDAO, a DeFi project on Ether, was exploited for $1.2 million due to a vulnerability.
№13 On March 31, Voltage Finance lending platform was hacked and about $4 million was stolen.
Rug pulls/crypto scams
There were 7 typical security incidents
№1 Security institutions have monitored $DAOKing-Lucky DAO as a fraudulent project whose admins have deposited 505 BNBs into Tornado.cash and performed fake smart contract upgrades beforehand.
№2 NFT project NFTflow has rugged, and its official social account (@NftflowStarkNet) has been logged off.
№3 NFT project WW3Apes is a rug Pull and has logged off its social media accounts. The GodZape project, which uses the same IP address as WW3Apes website, also rugged and transferred out about 20 $ETH.
№4 NFT project REALSWAK rugged and its official social media account (@REALSWAK) has been logged off. Scammers have transferred 1300 BNB to TornadoCash.
№5 BNB DEFI, a DeFi project on BNB Chain, has rugged and the project has closed its social media groups and transferred out about 255 BNB.
№6 @BinanceNFT_BFT is a fake Binance NFT Twitter account and is promoting scams.
№7 BuccaneerFi, a project on BNB Chain, is a rug pull. The project’s social media accounts and community have been deleted and about 841 $BNBs have been transferred to Tornado.Cash.
NFT/Metaverse
There were 6 typical security incidents
№1 On March 13, Paraluni, a metaverse financial project on the BNB Chain, was hacked and the hackers made over $1.7 million in profit. About 1/3 of the stolen funds (230 ETH) have flowed into Tornado.
№2 The Arbitrum-based TreasureDAO NFT trading marketplace was exploited, and hackers managed to gain more than 100 NFTs at almost zero cost.
№3 On March 14, the Discord community of the NFT project Wizard Pass was compromised by fraudsters who sent fake messages to gain full access to users’ NFTs, resulting in the theft of multiple NFTs.
№4 On March 27, the financial NFT project Revest Finance was attacked and hackers stole a large number of related tokens and profited about $2 million.
№5 APECoin airdrop suffered a flashloan attack, leading to a profit of about $820,000 for the hacker.
№6 Defiance Capital’s founder Arthur claimed his hot wallet was stolen and 60 NFTs worth about $690,000 were transferred out. This theft may be an email phishing attack.
Others
There were 4 typical security incidents
№1 Convex Finance released a blog stating that its CVX (vlCVX) contract is vulnerable and user’s deposits are safe from any risk.
№2 On March 7, a South Korean executive was sentenced to five years in prison for illegally transferring cryptocurrency invested with business funds to his own private account.
№3 Three men were sued by the U.S. Department of Justice for alleged $40 million cryptocurrency investment fraud.
№4 Police in Shanghai, China cracked a pyramid scheme crime case in cryptocurrency involving over 100 million yuan and arrested more than 10 suspects.
In light of the current situation in blockchain security, Beosin hereby summarizes:
In general, blockchain security incidents rose significantly in March 2022 compared to February. The total amount of stolen funds caused by hacking exceeded $700 million. In response to the endless attacks, Beosin has also provided the following security recommendations for developers in the previous analysis articles.
Ronin’s exploit: 1. pay attention to the security of the validators; 2.If the signature service goes offline, then update the security policy, close corresponding service modules; 3. For multi-signature verification, the multi-signature services must be logically isolated, and the signature content must be verified independently. It must be made impossible for a subset of validators to directly request signature from other validators.
Revest Finance incident: It is recommended to design the contract strictly in accordance with the checks-effects-interactions model and add the function of anti-reentrancy in the ERC1155 token-related DeFi project.
Paraluni exploit: Contract developers to conduct complete testing as well as third-party audits during development and use ReentrancyGuard contract from the Openzeppelin library for prevention of reentrancy attacks.
TreasureDAO incident: It is recommended that devs developing contracts for multiple tokens for different situations according to business needs based on the characteristics of the different tokens.
Contact
Website: https://beosin.com/
Email:contact@beosin.com
Twitter: https://twitter.com/Beosin_com
Telegram: https://t.me/beosin
Medium:https://medium.com/@Beosin