Chuangyu Blockchain | March Security Monthly Report

Foreword

The number of security incidents in March, and the amount of money involved, is staggering. According to the data of the Chuangyu Blockchain Security Lab [Hacked Event Archives], there were more than 34 security incidents this month. Among them, the amount involved in the cross-chain bridge Ronin attack was comparable to last year's cross-chain bridge Poly Network attack: the loss exceeded 620 million U.S. dollars, and the total amount involved in this month's security incidents was as high as 700 million U.S. dollars.

The following is a summary by the Chuangyu Blockchain Security Lab of the various types of security information in March, followed by a discussion of the problems it exposes.

DeFi security events

On March 5, BaconProtocol was attacked and lost about $958,166. The attacker exploited a reentrancy vulnerability and amplified the proceeds with flash loans.

On March 16, the Agave contract on the xDai Chain was attacked due to an untrusted external call. The hacker obtained about raluni and made a profit of more than 1.7 million US dollars, about 1/3 of which has flowed into Tornado Cash.

On March 16, the Agave contract on xDai Chain was attacked due to an untrusted external call, and the hacker made a profit of about 5.4 million US dollars.

On March 16, the multi-chain derivatives protocol DeusFinance was observed to have been hacked on the Fantom network. The hackers stole a total of 200,000 DAI and 1,101.8 ETH, with a total value of about 3 million US dollars.

On March 21, the reward pools of Umbrella Network on BNB Chain and Ethereum were drained due to an integer overflow in the contract, and the hacker made a profit of 700,000 US dollars.

On March 22, the cross-chain DEX aggregation protocol Li.Finance tweeted that an attacker had exploited Li.Finance's smart contract and about $600,000 was stolen from 29 wallets. The bug has been fixed and the contract redeployed.

On March 24, Cashio, a stablecoin project on Solana, was hacked. The hackers exploited an infinite-mint vulnerability in the protocol: by bypassing an unverified account, they illegally issued 2 billion CASH tokens, with a total profit of about 50 million US dollars.

On March 29, Ronin, the Axie Infinity sidechain, published a statement that its validator nodes had been compromised and 173,600 ETH and 25.5 million USDC were stolen, a total of about 620 million US dollars.

On March 30, the ACOWriter contract of the decentralized options protocol Auctus was found to have an external-call risk: attackers could make arbitrary external calls through this vulnerability. So far, the attacker has used this method to steal about 726,000 US dollars in assets from users who had granted approvals to the contract.

On March 31, BasketDAO was hacked, causing users to lose approximately $1.2 million. Most of the stolen funds were found to have been deposited into Tornado Cash.

On March 31, Ola Finance, a decentralized lending network, was hacked and lost about $4.7 million.

On March 31, Voltage Finance, a lending platform on the Fuse chain, was attacked, with a loss of about 4 million US dollars.

On March 31, Castle Finance developers discovered a major vulnerability in Jet Protocol, a DeFi lending protocol in the Solana ecosystem, which would allow attackers to withdraw tokens from any account.

Scam security events

On March 10, $DAOKing-Lucky DAO was identified as a fraudulent project. Its administrator had deposited 505 BNB into Tornado.cash and had performed a bogus smart contract upgrade beforehand.

On March 15, the NFT project NFTflow carried out a Rug Pull, and its official social media account (@NftflowStarkNet) has been deleted.

On March 22, the NFT project WW3Apes carried out a Rug Pull, and its social media account has been deleted. A related project, GodZape, also rug-pulled a few days earlier, taking about 20 ETH, and deleted its social media account.

On March 28, the DeFi project Buccaneer Finance carried out a Rug Pull. Its official social media account has been deleted, and the scammer has transferred 841 BNB to the Tornado Cash mixer.

On March 29, BNB DEFI carried out a Rug Pull, and the DEFI token fell by 68% in a short period. The project has since closed its social media group; the loss was 255 BNB.

On March 31, @BinanceNFT_BFT, a fake Binance NFT Twitter account, was promoting a "Pixiu Pan" (honeypot token) scam. The official Binance NFT Twitter account is @TheBinanceNFT.

Phishing security events

On March 7, several approval-phishing incidents occurred on Solana. The attacker airdrops NFTs to users in batches; the user opens the target website through a link in the airdropped NFT's description, connects a wallet, and after clicking Approve, all of the assets originally in the wallet are transferred out.

On March 15, scammers compromised the community of the NFT project Wizard Pass; the stolen NFTs included BAYC, Doodles and others.

On March 18, the official Discord of the NFT project Rare Bears was compromised. Users are reminded not to click on phishing links or connect their wallets carelessly, and to pay attention to asset security.

On March 24, the Gundam-themed NFT project MekaVerse tweeted that its official Discord had been hacked. Other community members reported that hundreds of thousands of bot wallets were suspected to have been drained, with no apparent impact on real users.

On March 28, an attacker impersonated the official Cryptovoxels project in a phishing attack, induced users to grant approvals, stole multiple NFTs and then sold them on OpenSea.

On March 29, the AI metaverse project Alethea AI tweeted that its Discord had been hacked and that it was assessing the situation.

On March 29, the Discord of the TheDronesNFT project was hacked, and the attacker posted a fake mint link there. The project team announced that it was willing to compensate investors for losses caused by the fake mint.

On March 31, at least 35 NFTs were stolen in a widespread phishing attack involving hacked Twitter accounts, including Bored Ape, Mutant Ape and Bored Ape Kennel Club NFTs worth more than $900,000.

Other security events

On March 4, hours after a bug in TreasureDAO's code led to the theft of more than 100 NFTs from its NFT marketplace, the developers confirmed that the hackers had begun returning the stolen "Smol Brains" and other NFTs.

On March 23, a hot wallet of "Arthur_0x", the founder of the major crypto investment firm DeFiance Capital, was hacked, losing more than $1.6 million in non-fungible tokens (NFTs) and cryptocurrencies.

On March 25, Lido DAO burned the Lido tokens worth $13.3 million that had been stolen from the founder of DeFiance Capital and re-minted them to a new wallet controlled by DeFiance Capital.

On March 28, Google researchers disclosed that two North Korean hacking groups had exploited a remote code execution zero-day vulnerability in the Chrome browser for more than a month to attack news media, IT companies, cryptocurrency and fintech organizations.

On March 31, Nomadic Labs, the Tezos development team, tweeted that it had released version v12.1 of the Tezos Octez suite, which fixes a bug that could crash the Ithaca 2 baker software.

Summary

Looking at the DeFi security landscape, reentrancy vulnerabilities and dangerous external calls have become regular visitors, and the Solana ecosystem has also drawn the attention of hackers. The most important issue, of course, remains the security of cross-chain bridges.

The Chuangyu Blockchain Security Lab hereby reminds projects that regular and repeated audits of contract security are necessary to protect contracts from further attacks. At the same time, great importance should be attached to token approvals, and every approval should carry a clear time limit.
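The report names reentrancy and untrusted external calls as this month's recurring root causes, and lists an integer-overflow drain among the incidents. The following added illustration, which is not code from the report or from any project it names, shows the vulnerable pattern beside a hardened version of the same hypothetical ETH vault. Contract and function names are my own; the only facts it depends on are the checks-effects-interactions ordering, the mutex-style reentrancy guard, and the checked arithmetic that Solidity 0.8 enables by default.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical vault (constructed for this illustration): users deposit ETH
// and later withdraw their full balance.

// VulnerableVault performs the untrusted external call BEFORE updating state.
// A receiving contract whose receive()/fallback re-enters withdraw() still
// sees its old balance and can be paid out repeatedly.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        // Solidity >=0.8 reverts on overflow here; pre-0.8 contracts without
        // SafeMath could wrap around, which is the class of bug behind
        // integer-overflow drains.
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        // Interaction first: control leaves this contract with state unchanged.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        // Effect last: too late if the caller re-entered above.
        balances[msg.sender] = 0;
    }
}

// HardenedVault applies checks-effects-interactions and a reentrancy guard.
// Either measure alone closes this particular hole; using both is defence in depth.
contract HardenedVault {
    mapping(address => uint256) public balances;

    // Simple mutex. Using 1/2 instead of false/true avoids the extra gas of
    // zeroing a storage slot on every call.
    uint256 private _locked = 1;

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external nonReentrant {
        // Check
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        // Effect: zero the balance before any external call.
        balances[msg.sender] = 0;
        // Interaction: a re-entering caller now sees a zero balance and reverts.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

An audit checklist item that follows from this: for every function that sends value or calls an address it does not control, confirm that all state it relies on is written before the call, and that a guard prevents the same entry point from being reached again during that call.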

Judging from the frequent phishing and scam incidents, hackers and scammers are increasingly targeting ordinary blockchain users. Users need to keep their security awareness up, reject unfamiliar links and unreasonable requests, and not blindly trust others, in order to keep their assets safe.

Source: blog.csdn.net/SierraW/article/details/123901548