Curve caught in a security incident: how can OKLink break the deadlock?



Produced|Okey Cloud Chain Research Institute

Author|Matthew Lee

On July 31, Curve stated on the platform that stablecoin pools using Vyper 0.2.15 had been attacked because of a vulnerability in the compiler. Specifically, because the re-entrancy lock failed, hackers could easily launch re-entrancy attacks, which allow an attacker to perform certain functions within a single transaction. Some of the fund pools on Curve use an old version of the compiler, which gave hackers an opportunity.

(A re-entrancy attack is a kind of vulnerability caused by the characteristics of Vyper and by improperly written smart contracts. It has happened many times before. The Okey Cloud Chain security team has analyzed such cases in detail before; click "Read the original text" to view that analysis, so this article will not show the details of the attack.)

Immediately afterwards, many other projects announced that they had been attacked. The NFT pledge protocol JPEG'd, the lending project AlchemixFi, the DeFi protocol MetronomeDAO, the cross-chain bridge deBridge, and Ellipsis, a DEX that uses the Curve mechanism, all suffered huge losses.

However, on July 30, some project parties already knew of the potential attack threat. Alchemix, for example, had already started transferring assets out on the 30th and successfully moved 8000 ETH, but while the assets were being transferred, the remaining 5000 ETH in the AMO contract was still stolen by the attacker.

Image source: OKLink Explorer

Other project parties also took measures: AAVE prohibited Curve from lending, Alchemix removed the liquidity controlled by AMO from the Curve pool, and Metronome directly suspended its mainnet function.

How to respond on both the offensive and defensive ends

How to guard against hackers?

This is not the first time that Curve has been hacked. Even as a top DeFi project, it is not immune to hacker attacks, so ordinary project parties should pay even more attention to hacker attacks and contract defenses.

So for the offensive end, what preparations can the project party make?

The OKLink team recommends that project parties use an on-chain labeling system to identify wallets with a bad history in advance, so that they can avoid interacting with addresses that show abnormal behavior. One of the Curve attacker's addresses had a bad record that OKLink had already recorded, as shown in the figure below:

Image source: OKLink Chainelligence Pro

Its behavior pattern is also somewhat beyond common sense: as shown in the figure below, there are three days with more than one hundred transactions.

Image source: OKLink Onchain AML

How does the project party defend on the defensive end?

Based on the analysis of the above incidents, we found that project parties have two problems in dealing with such incidents.

1. Inadequate maintenance. Most projects pay great attention to code writing and auditing, but maintenance work has not been taken seriously. This vulnerability in the Vyper compiler was discovered two years ago, but the pool under attack still uses an old version of the compiler.

2. Test scenarios are too narrow. Many tests cannot actually expose the problem. More complex testing methods such as fuzz testing should be added, and testing should be carried out in multiple dimensions such as hacker attack path, attack complexity, confidentiality, and integrity.

How can stolen funds be recovered?
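To illustrate point 2, here is an added example (not code from Curve, Vyper or OKLink): a toy pool in Python whose withdrawal relies on a re-entrancy lock, plus a small randomized test that checks a solvency invariant after every call. The `Pool` model, the `lock_enforced` flag that stands in for the failed lock, and all amounts are assumptions constructed for the illustration.

```python
import random

class Reentered(Exception):
    pass  # raised when the guard rejects a nested call

class Pool:
    """Toy 1:1 share pool; a constructed model, not Curve's contract code."""
    def __init__(self, lock_enforced):
        self.lock_enforced = lock_enforced  # False models the failed lock
        self.locked = False
        self.shares = {}
        self.reserve = 0
    def deposit(self, user, amount):
        self.shares[user] = self.shares.get(user, 0) + amount
        self.reserve += amount
    def withdraw_all(self, user, on_receive=None):
        if self.locked and self.lock_enforced:
            raise Reentered
        amount = min(self.shares.get(user, 0), self.reserve)
        self.locked = True
        try:
            self.reserve -= amount
            if on_receive:
                on_receive(self)   # external call made before the share update
            self.shares[user] = 0  # the write the lock is relied on to protect
        finally:
            self.locked = False

def fuzz(lock_enforced, reentrant_receivers, seed=0, steps=300):
    """Random call sequence; returns the first step where reserve != total shares."""
    rng = random.Random(seed)
    pool = Pool(lock_enforced)
    def receiver(user):
        def on_receive(p):
            try:
                p.withdraw_all(user)  # receiver calls back into the pool
            except Reentered:
                pass                  # nested call rejected, nothing changed
        return on_receive
    for step in range(steps):
        user = rng.choice("abc")
        if rng.random() < 0.5:
            pool.deposit(user, rng.randint(1, 100))
        else:
            hook = receiver(user) if reentrant_receivers and rng.random() < 0.3 else None
            pool.withdraw_all(user, hook)
        if pool.reserve != sum(pool.shares.values()):
            return step               # solvency invariant broken
    return None
```

`fuzz(False, False)` returns `None`: a suite whose receivers never call back passes even though the lock is not enforced, which is the narrow-scenario problem described above. Only the run with call-back receivers and an invariant check, `fuzz(False, True)`, reports a failing step.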

In reality, most of the stolen funds are difficult to recover. The figure below shows the whereabouts of the funds transferred by the hacker. It can be seen that the stolen ETH has not been transferred out, and the address has not been associated with an entity.

Image source: OKLink Chainelligence Pro

Some addresses are associated with entities, such as address 0xb752DeF3a1fDEd45d6c4b9F4A8F18E645b41b324 (2,879.54 ETH has been returned). Where an address is associated with an entity like this, we can recover the funds by calling the police and negotiating with the entity.

Image source: OKLink Chainelligence Pro

The correct way to deal with this incident is to use the early warning and tracking functions of OKLink or other technical service providers, wait for subsequent fund movements from the addresses where the funds have settled, and then take further action. However, the best way is for the industry to work together to develop a response mechanism based on security incidents, which can better crack down on abnormal behavior.


A warning to us

Security incidents such as re-entrancy attacks will definitely occur. In addition to the efforts described above on both the offensive and defensive ends, the project team needs to make contingency plans so that it can respond in the most timely manner when it is attacked by hackers, reducing user losses. Vyper contributors also suggested that for public products such as Vyper, we should strengthen public incentives to find critical vulnerabilities. OKLink calls for a set of security response standards to be established as soon as possible to make it easier to track funds from black/grey addresses.


Just as OKLink products play a role in preventing hackers and tracing funds at the offensive and defensive ends of such incidents, project parties should consider the additional value that third-party technical service providers can bring when building the security module of the platform, so as to build a fortress of security for the project faster and better.


Raymond Lei and Mengxuan Ren of Okey Cloud Chain also contributed to this article.

Origin blog.csdn.net/weixin_42056967/article/details/132083148