Jointly produced by Buidler DAO: 2022 Global Web3 Blockchain Security Annual Report


Buidler DAO: Web3 talent and project incubator

https://link3.to/buidlerdao






*This report is jointly produced by Beosin, Buidler DAO, LegalDAO, and Footprint Analytics. Reply "2022" to the official account to receive the full version of the "2022 Global Web3 Blockchain Security Situation Report and Crypto Industry Regulatory Policy Summary".


*Due to space limitations, this article presents only the global Web3 blockchain security situation in 2022; please refer to the full version via the official account. Statistics are as of December 20, 2022.


Throughout 2022, the Beosin EagleEye security risk monitoring, early warning and blocking platform recorded more than 167 major attacks in the Web3 field, with total losses from all attacks reaching US$3.6384 billion, an increase of 47.4%. Among them, 10 security incidents each caused losses exceeding US$100 million, and a further 21 incidents caused losses of between US$10 million and US$100 million.





By project type, 12 cross-chain bridge security incidents caused a total loss of approximately US$1.89 billion, ranking first among all project types. DeFi projects were attacked 113 times (approximately 67.6% of all incidents), making them the most frequently attacked project type.


A total of 20 public chains experienced major security incidents in 2022. The top three by loss amount are Ethereum, BNB Chain, and Solana; the top three by number of attack events are BNB Chain, Ethereum, and Solana.


Vulnerability exploitation is the most frequent and costly attack method throughout the year. There were 87 attacks involving vulnerability exploitation throughout 2022, with total losses reaching US$1.458 billion.


Among the 167 major attack events monitored in 2022, audited and unaudited projects accounted for almost half, accounting for 51.5% and 48.5% respectively.


Approximately $1.396 billion in stolen funds were transferred to Tornado Cash in 2022, accounting for 38.7% of the funds lost in all attacks. Approximately $289 million of stolen funds were recovered throughout the year, accounting for only 8% of all losses.




The amount involved in crimes in the blockchain field over the whole year reached US$13.76074 billion (financial crimes are not yet included). Of this, money laundering accounted for US$7.33 billion, attacks for US$3.6 billion, pyramid schemes for US$1.015 billion, and fraud for US$830 million.


Among the fraud incidents throughout the year, there were 243 rug pull incidents, with the total amount involved reaching US$425 million (the FTX incident is not yet included). In about 86.4% of these projects, the amount involved was in the range of several thousand to several hundred thousand dollars.




The market value of the global cryptocurrency market shrank significantly in 2022, with TVL at the end of the year falling by about 80% compared to the peak at the beginning of the year. The market suffered heavy losses, and a series of black swan events occurred, represented by Three Arrows Capital, Luna, and FTX.



Even with the global market value shrinking significantly, total crime in the blockchain security field in 2022 still reached US$13.7 billion, and the number of attacks increased significantly compared with 2021. The global blockchain security situation in 2022 was very severe, and it places higher and more urgent demands on the security industry for 2023. How to respond to rampant hacker attacks, how to accelerate the establishment of a global regulatory system, and how to achieve the technological breakthroughs needed to address existing shortcomings in the security industry are all issues that must be considered and urgently resolved in 2023.


Review of the top ten security incidents in 2022






On March 29, 2022, the Beosin EagleEye security risk monitoring, early warning and blocking platform detected that Ronin, the Axie Infinity sidechain, had been attacked and that approximately US$624 million in cryptocurrency (at prices at the time) had been stolen. The attacker first used stolen private keys to forge a withdrawal proof. Such a withdrawal requires the signatures of at least 5 validators to succeed; the attacker ultimately gained control of 5 validators, executed the forged withdrawal, and drained the funds on the chain.


According to the investigation, the attackers used social engineering to send fake offer letters to Sky Mavis engineers, and the malicious document gave them a foothold in Ronin's systems. After the attack, the attacker dispersed the stolen assets to multiple addresses and laundered them through Tornado Cash in batches. On May 20, the Ronin attacker transferred the last of the stolen funds to Tornado Cash, completing the laundering of all assets. On June 28, Ronin announced on Twitter that it had reopened.


The Beosin security team offers the following suggestions for cross-chain bridge projects of this kind:

1. Pay attention to the security of the signature server.

2. When the related business goes offline, the signature service should update its policy promptly, shut down the corresponding service module, and consider retiring the corresponding signing account address.

3. During multi-signature verification, the individual signing services should be logically isolated and each should verify the signature content independently; there should be no situation in which some verifiers can directly request other verifiers to sign without verification.

4. The project team should monitor for abnormal movements of project funds in real time.




On October 7, 2022, the Beosin EagleEye security risk monitoring, early warning and blocking platform detected that the BNB Chain cross-chain bridge "Token Hub" had been attacked. The attacker first called the contract at block height 21955968, paying 100 BNB to register as a Relayer. Starting at around 2:30 in the morning, the attacker obtained a total of 2 million BNB from BNB Chain's "TokenHub" system contract in two batches (at 2:26 and 4:43), then deposited 900,000 BNB as collateral on the BNB Chain lending protocol Venus and borrowed 62.5 million BUSD, 50 million USDT, and 35 million USDC. The Beosin security team's analysis found that the Binance cross-chain bridge BSC Token Hub uses a special precompiled contract to verify the IAVL tree when validating cross-chain transactions, and that this implementation contains a vulnerability allowing an attacker to forge arbitrary messages.


On October 24, Binance founder Changpeng Zhao stated that, with the help of law enforcement agencies, he had narrowed down the possible identity of the attacker. He also stated that about 80% to 90% of the stolen funds had been frozen, and that the actual loss was about US$100 million.




On November 15, 2022, shortly after FTX declared bankruptcy, it was reported that the exchange had been hacked. The Beosin EagleEye security risk monitoring, early warning and blocking platform put the amount involved at approximately US$440 million. At the time, the FTX community chat administrator posted a message to the exchange's official Telegram group stating that the bankrupt platform had been hacked and that all of its applications were malware. The administrators advised users to delete the app and not to visit the website or open the mobile apps, as there was a high chance of Trojan infection. Since many unknowns remain, many believe this was likely an insider operation.




On February 3, 2022, the Beosin EagleEye security risk monitoring, early warning and blocking platform detected that Wormhole had been hacked, resulting in a loss of approximately US$326 million. Analysis by the Beosin security team found that the attacker exploited a signature verification vulnerability in the Wormhole contract that allowed sysvar accounts to be forged in order to mint wETH. The vulnerability had been patched in Solana 1.9.4, but that release was still under review and had not yet been rolled out; the attacker took advantage of this window to attack contracts still running on Solana 1.8.


After the attack, Wormhole announced that the funds of its cross-chain bridge had been restored and that it was back online. On February 4, the crypto investment fund Jump Crypto announced that it had contributed 120,000 ETH to cover the stolen funds and support the continued development of Wormhole.




On August 2, 2022, the Beosin EagleEye security risk monitoring, early warning and blocking platform detected that the cross-chain communication protocol Nomad had suffered a large-scale attack. More than 500 attacker addresses participated, and the project lost approximately US$190 million. Through transaction analysis, the Beosin security team found that the project had mistakenly registered 0x000...000 as an acceptable root, so the root check always passed, allowing attackers to withdraw funds from the contract.


As a result, any attacker only needed to copy the first attacker's transaction, replace the recipient with an unused address of their own, and click Send via Etherscan to steal project funds. Moreover, because the flaw lay in the Replica contract, all BridgeRouter-related DApps built on it were affected, which is why the stolen funds span multiple tokens.
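The root-acceptance defect described above, modelled as an added example (this is not Nomad's code): a vulnerable Replica whose committed root was initialised to 0x0 beside a hardened one that refuses the zero root. All contract and function names here are assumptions for illustration; the prove/updater flow and BridgeRouter dispatch are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal model of an optimistic-verification Replica. Only the "accepted root"
// bookkeeping is modelled; names are assumptions for this example.
abstract contract ReplicaBase {
    // root => timestamp from which that root may be relied on (0 = unknown root)
    mapping(bytes32 => uint256) public confirmAt;
    // message hash => root the message was proven against (0 = never proven)
    mapping(bytes32 => bytes32) public messages;
    bytes32 internal constant PROCESSED = bytes32(uint256(1));

    // In the real flow this is reached via the updater's attestation.
    function _acceptRoot(bytes32 _root, uint256 _validFrom) internal {
        confirmAt[_root] = _validFrom;
    }

    function acceptableRoot(bytes32 _root) public view virtual returns (bool);

    // Anyone may call process(); safety rests entirely on acceptableRoot()
    // refusing messages that were never proven against a legitimate root.
    function process(bytes memory _message) external returns (bool) {
        bytes32 _hash = keccak256(_message);
        bytes32 _root = messages[_hash];
        require(_root != PROCESSED, "already processed");
        require(acceptableRoot(_root), "!proven");
        messages[_hash] = PROCESSED;
        // ... hand the decoded message to the BridgeRouter (omitted) ...
        return true;
    }
}

// Vulnerable: the deployment initialised the committed root as 0x0, so
// confirmAt[bytes32(0)] became non-zero. For a message that was never proven,
// messages[_hash] is also bytes32(0), so acceptableRoot(0x0) returns true and
// process() accepts any message a caller submits.
contract ReplicaVulnerable is ReplicaBase {
    constructor(bytes32 _committedRoot) {
        // Passing bytes32(0) here is the defect described above.
        _acceptRoot(_committedRoot, 1);
    }

    function acceptableRoot(bytes32 _root) public view override returns (bool) {
        uint256 _time = confirmAt[_root];
        return _time != 0 && block.timestamp >= _time;
    }
}

// Hardened: the zero root can never be registered and is rejected outright,
// so the "never proven" sentinel cannot satisfy the check regardless of how
// the contract was initialised or upgraded.
contract ReplicaHardened is ReplicaBase {
    constructor(bytes32 _committedRoot) {
        require(_committedRoot != bytes32(0), "zero root");
        _acceptRoot(_committedRoot, 1);
    }

    function acceptableRoot(bytes32 _root) public view override returns (bool) {
        if (_root == bytes32(0)) return false; // unproven sentinel
        uint256 _time = confirmAt[_root];
        return _time != 0 && block.timestamp >= _time;
    }
}
```

A deployment or upgrade script that can pass an all-zero root into such an initializer is exactly what an audit of the upgrade path, not just the contract logic, should flag.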


On August 3, Nomad released instructions for returning stolen funds, calling on white hat hackers to return stolen funds. As of August 15, the project party has recovered US$37 million.




On April 17, 2022, the Beosin EagleEye security risk monitoring, early warning and blocking platform detected that the algorithmic stablecoin project Beanstalk Farms had suffered a flash loan attack. The protocol lost US$182 million and the attacker gained approximately US$80 million (excluding the funds borrowed to carry out the attack). Soon after the attack, the attacker transferred the entire US$80 million into Tornado Cash to mix the coins.


The attacker submitted a proposal transaction the day before the attack; if passed, the proposal would withdraw the funds held in the Beanstalk: Beanstalk Protocol contract. The attacker then borrowed a large amount of capital through flash loans, swapped it repeatedly into voting assets, and finally voted on the proposal, causing it to pass. In response to this incident, the Beosin security team recommends:

1. Funds used for voting should be locked in the contract for a certain period, and the current balance of an account should not be used to count votes, so as to prevent repeated voting and voting with flash-loaned funds.

2. The project team and the community should pay attention to all proposals. If a proposal is malicious, timely measures should be taken during the voting period to discard it and prevent it from receiving votes or being executed.

3. Consider barring contract addresses from participating in voting. In addition, a comprehensive security audit should be conducted before the project goes online to avoid security risks.
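To make the first two recommendations concrete, this added example (not Beanstalk's code) places a governor that counts live balances and executes immediately beside one that snapshots voting power before the proposal existed, enforces one vote per address, and delays execution behind a guardian-cancellable timelock. The ERC20Votes-style checkpointed token interface and all names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// ERC20Votes-style governance token: balances are checkpointed per block so
// voting power can be read as of a past block. Assumed interface for this example.
interface IVotesToken {
    function balanceOf(address account) external view returns (uint256);
    function totalSupply() external view returns (uint256);
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
    function getPastTotalSupply(uint256 blockNumber) external view returns (uint256);
}

// Vulnerable pattern: weight is the voter's balance at the moment of voting and a
// proposal executes in the very transaction that reaches the supermajority, so
// tokens borrowed with a flash loan can vote, execute and be repaid in one block.
contract GovernorVulnerable {
    IVotesToken public immutable token;
    struct Proposal { address target; bytes data; uint256 forVotes; bool executed; }
    Proposal[] public proposals;

    constructor(IVotesToken _token) { token = _token; }

    function propose(address target, bytes calldata data) external returns (uint256) {
        proposals.push(Proposal(target, data, 0, false));
        return proposals.length - 1;
    }

    function voteAndExecute(uint256 id) external {
        Proposal storage p = proposals[id];
        p.forVotes += token.balanceOf(msg.sender);                    // live balance
        if (!p.executed && p.forVotes * 3 > token.totalSupply() * 2) { // 2/3 of supply
            p.executed = true;
            (bool ok, ) = p.target.call(p.data);                      // no delay
            require(ok, "exec failed");
        }
    }
}

// Hardened along the lines of the recommendations above: weight is the balance
// checkpointed one block before the proposal existed (tokens acquired later, e.g.
// via a flash loan, carry no weight), each address votes once, a guardian can
// discard a malicious proposal, and execution waits out the voting period plus a
// review delay.
contract GovernorHardened {
    IVotesToken public immutable token;
    address public immutable guardian;
    uint256 public constant VOTING_PERIOD = 3 days;
    uint256 public constant EXECUTION_DELAY = 1 days;

    struct Proposal {
        address target; bytes data; uint256 snapshotBlock; uint256 votingEnds;
        uint256 forVotes; bool executed; bool cancelled;
    }
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public hasVoted;

    constructor(IVotesToken _token, address _guardian) { token = _token; guardian = _guardian; }

    function propose(address target, bytes calldata data) external returns (uint256) {
        proposals.push(Proposal(target, data, block.number - 1,
                                block.timestamp + VOTING_PERIOD, 0, false, false));
        return proposals.length - 1;
    }

    function vote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(block.timestamp < p.votingEnds, "voting closed");
        require(!hasVoted[id][msg.sender], "already voted");
        hasVoted[id][msg.sender] = true;
        p.forVotes += token.getPastVotes(msg.sender, p.snapshotBlock); // historical weight
    }

    function cancel(uint256 id) external {
        require(msg.sender == guardian, "!guardian");
        proposals[id].cancelled = true;
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.cancelled && !p.executed, "not executable");
        require(block.timestamp >= p.votingEnds + EXECUTION_DELAY, "timelock active");
        require(p.forVotes * 3 > token.getPastTotalSupply(p.snapshotBlock) * 2, "no supermajority");
        p.executed = true;
        (bool ok, ) = p.target.call(p.data);
        require(ok, "exec failed");
    }
}
```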




On September 20, 2022, the Beosin EagleEye security risk monitoring, early warning and blocking platform detected that Wintermute had lost US$160 million in a DeFi hack. The Beosin security team's analysis found that the attacker repeatedly used the 0x0000000fe6a... address to call the 0x178979ae function of the 0x00000000ae34... contract, transferring funds to the attacker's contract. Decompiling the contract showed that calling 0x178979ae requires permission checks; querying the contract confirmed that 0x0000000fe6a... held the setCommonAdmin permission. Since that address had interacted normally with the contract before the attack, it can be concluded that the private key of 0x0000000fe6a... was leaked.


On September 21, Wintermute confirmed that in June it had used Profanity together with an internal tool to generate wallet addresses, and that the Profanity tool carried a risk of private keys being brute-forced.




On October 12, 2022, the Beosin EagleEye security risk monitoring, early warning and blocking platform detected that the Mango protocol on Solana had been attacked, with approximately US$116 million affected. The attacker used two accounts with a combined starting capital of 10 million USDT to gain leverage over hundreds of millions of dollars in assets. The root cause was that the leverage contract did not limit the size of positions opened on Mango, allowing the attacker to push up the Mango token's price and profit.




On June 5, 2022, the Beosin EagleEye security risk monitoring, early warning and blocking platform detected that the blockchain network Elrond had been attacked. The attackers "obtained" nearly 1.65 million EGLD and dumped them through the decentralized exchange Maiar. After the dump, $EGLD plummeted by 92%; the team then suspended the DEX and related APIs and said it was evaluating countermeasures.


Elrond later issued a report stating that the attacker had not exploited any smart contract code vulnerability and that the problem lay in the virtual machine. The earlier bugs in Maiar, the DEX in the Elrond ecosystem, have been resolved and almost all stolen funds have been recovered; any remaining shortfall due to the known errors will be fully borne by the Elrond Foundation.




On June 24, 2022, the Beosin EagleEye security risk monitoring, early warning and blocking platform detected that Horizon, the cross-chain bridge between Ethereum and Harmony, had been attacked, causing a loss of approximately US$100 million. The founder of Harmony said that Horizon was compromised not through a smart contract vulnerability but through leaked private keys: although Harmony stored the private keys encrypted, the attackers were able to decrypt some of them and sign unauthorized transactions.


Immediately after the attack, Harmony stopped the Horizon bridge to prevent further transactions. It then contacted the FBI and multiple cybersecurity and exchange partners to investigate, track and assist in retrieving the stolen assets. However, the hackers still laundered the stolen money through Tornado Cash. On July 27, Harmony released a compensation proposal.


Type of project being attacked




In 2022, 12 cross-chain bridge security incidents caused a total loss of approximately US$1.89 billion, ranking first among all project types by losses. Five of these incidents each exceeded US$100 million: Ronin (US$624 million), BSC Token Hub (US$560 million), Wormhole (US$326 million), Nomad (US$190 million), and Harmony (US$100 million). The attack methods mainly involved social engineering, private key leakage, and chain platform or contract vulnerabilities.




Among the 167 major attacks throughout the year, DeFi projects were attacked 113 times (approximately 67.6%), making DeFi the most frequently attacked project type. DeFi also ranks second in losses after cross-chain bridges, with a total loss of approximately US$950 million.


A total of 21 exchange and wallet security incidents occurred throughout the year, with a total loss of approximately US$600 million. Such incidents involve large sums and affect a wide range of users. The main attack methods were private key leaks, contract vulnerabilities, and supply chain attacks.


Amount of loss for each chain




A total of 20 public chains experienced major security incidents in 2022. The top three by loss amount are Ethereum, BNB Chain, and Solana; the top three by number of attack events are BNB Chain, Ethereum, and Solana.


59 attacks on Ethereum caused losses of US$2.01 billion, accounting for 55.8% of the total losses throughout the year.




There were 72 attacks on BNB Chain, and 70% of the affected projects lost amounts in the range of several thousand to several hundred thousand dollars. Notably, about 64% of the projects attacked on BNB Chain had not been audited, and among the unaudited projects 80% of the attacks were contract vulnerability exploits.


Seven attacks on the Solana chain caused a total loss of US$512.76 million, with the average loss of a single incident ranking first among all chains. Major security incidents on the Solana chain include the Wormhole incident in February ($326 million), the Cashio incident in March ($48 million), and the Mango Market incident in October ($116 million).


Analysis of attack techniques




Vulnerability exploitation is the most frequent and costly attack method throughout the year. There were 87 attacks involving vulnerability exploitation throughout 2022, with total losses reaching US$1.458 billion.




The attack method with the second largest loss was social engineering, which was the Ronin incident in March, with losses reaching US$624 million.


The attack method with the third-highest loss amount is private key leakage: 19 private key leaks caused a total loss of approximately US$430 million, of which 8 incidents each resulted in a loss of more than US$10 million. Investigations of some of these incidents show that private keys were frequently stolen by current or former team members; project teams need to pay particular attention to operational security and strengthen team management. Private keys have also been leaked through the use of third-party tools, so project teams are advised to conduct a careful security assessment before adopting any third-party tool.




Broken down by vulnerability type, the three categories causing the most losses are verification issues, chain platform vulnerabilities (the BNB Chain incident), and improper business logic/function design.


18 verification issues caused losses of US$619 million. The main incidents include the signature verification vulnerability in the Wormhole incident and the message verification bypass in the Nomad bridge incident.




The most frequently occurring issue was improper business logic/function design, with 30 occurrences. In Beosin's day-to-day audit work, this type of vulnerability is also the one that appears most often and is most easily overlooked by developers.


Project audit status




Among the 167 major attack events monitored in 2022, audited and unaudited projects accounted for almost half, accounting for 51.5% and 48.5% respectively.


Among the 86 audited projects, 39 of the attacks (45%) still stemmed from vulnerability exploitation. The overall quality of audits in the market is not encouraging: Beosin's review of these incidents found that most of the vulnerabilities could have been discovered and fixed during the audit phase.


Among the projects attacked through contract vulnerabilities in 2022, none had been audited by Beosin (data source: https://rekt.news/leaderboard/). Before a project goes online, it should engage a professional security company to conduct an audit in order to effectively protect its assets.


Analysis of the flow of stolen funds






Approximately $1.396 billion in stolen funds were transferred to Tornado Cash in 2022, accounting for 38.7% of the funds lost in all attacks. Since Tornado Cash was sanctioned by OFAC in the United States in August, the funds transferred into Tornado Cash have dropped significantly compared with the first half of the year. Only $44.85 million was transferred to Tornado Cash in the fourth quarter.


Approximately $289 million of stolen funds were recovered throughout the year, accounting for only 8% of all losses. The vast majority of this comes from unsolicited returns from white hat hackers.


Approximately $18.248 million in stolen funds flowed into various exchanges. Attackers with relatively small hauls often transfer funds to exchanges immediately after an attack, so it is particularly important that exchanges can identify attacker addresses and block their transactions promptly when an attack occurs.


About US$443 million of stolen funds were frozen by exchanges, most of it from the BNB Chain incident in October, when Binance immediately froze 80% to 90% of the attacker's funds, leaving an actual loss of about US$100 million.


Rug pull data


A total of 243 rug pull incidents occurred throughout 2022, with the total amount involved reaching US$425 million (the FTX incident is not yet included).




Among the 243 rug pull incidents, 8 projects involved amounts of more than US$10 million, while the amounts lost in 210 projects (about 86.4%) ranged from several thousand to several hundred thousand dollars.



Rug pull incidents in 2022 showed the following characteristics:


1. Rug projects were numerous throughout the year; on average, a project ran away every 1.5 days.


2. The rug cycle is short. Most projects ran away within 3 months of launch, which is why most of the amounts involved are concentrated in the range of several thousand to several hundred thousand dollars.


3. Most projects are not audited. Some hide backdoor functions in their code, making it difficult for ordinary investors to evaluate the project's security.


4. Lack of social media information. At least half of rug pull projects do not have a complete official website, Twitter account, or Telegram/Discord group.


5. The projects are sloppy. Although some have official websites and white papers, a closer look reveals numerous spelling and grammatical errors, and some even contain large sections of plagiarized text.


6. Hype-driven rugs increased. This year saw various trending tokens run away, such as Moonbird, LUNAv2, Elizabeth, and TRUMP, which typically launched very quickly and then withdrew the funds just as quickly.

Beosin Security Team

Outlook for the blockchain security industry in 2023


In 2022, many major events occurred in the global crypto market: the total crypto market capitalization shrank significantly; Terra collapsed and Three Arrows Capital (3AC) and FTX went bankrupt; Tornado Cash was sanctioned; Ethereum completed the Merge; and new public chains developed rapidly. Despite the severe decline in market value, funds stolen by hackers in 2022 hit a new high: total losses from all attacks throughout the year reached US$3.6384 billion, an increase of approximately US$1.16 billion compared with 2021. The global Web3 security situation in 2022 was more severe than ever before.


Only 8% of the funds lost to attacks were recovered throughout the year. After Tornado Cash was sanctioned in August, the amount of stolen funds flowing into Tornado Cash in the third and fourth quarters did fall significantly compared with the first and second quarters, but the frequency of attacks and the amounts stolen did not decrease. To truly curb rampant hacking, the entire industry needs to work on several fronts, including the following:


1. Rapidly formulate and improve the global regulatory system. The real deterrent is legal sanction for criminal acts in the crypto field itself. Regulatory policies in some countries have begun to take shape, and more countries around the world are expected to systematize their regulatory policies in 2023.


2. Block hacker attacks at the source. The security market as a whole, Beosin included, already has cases of successfully blocking attacks. As the technology matures, more attacks are expected to be blocked at the source in 2023.


3. Recovery of stolen funds. Project teams, users, security companies, exchanges, and regulators need to cooperate to pin down the attacker's on-chain addresses and further identity information. As the global regulatory system improves, recovering stolen funds will no longer be a rare event.


4. Strengthen infrastructure across the board. New technologies or projects that address industry security at the infrastructure level may emerge in 2023, and leading blockchain projects will also systematically optimize their own security.


5. Project teams must secure themselves. Some projects are developed in a hurry and go online without an audit, which is a major reason they are attacked. Beyond that, any weak area, whether contract security, private key/wallet security, traditional security, or even team operational security, can cause huge losses to a project. Project teams need a solution that covers every aspect of security, and more mature teams are expected to find relatively complete solutions next year.


6. Security protection for emerging sectors. In a bear market, the whole market is waiting for Web3's next narrative. Once an emerging sector starts to gain traction in 2023, its immaturity and the influx of large numbers of new projects and new users will surely make it the primary target of hackers. Security practitioners across the market must be able to learn quickly in order to respond to constantly changing challenges.


7. Improving individual users' security awareness. The major trend next year is to lower the barrier for ordinary users to enter Web3, so educating new users about security is essential.


8. A more convenient and effective governance model. When individual users suffer asset theft, the case often goes unresolved because the amounts are small, the information is scattered, attention is low, and the victim fails to report it. Some DAOs have established preliminary solutions to such problems, and a more complete system is expected to emerge next year.


9. A more open and collaborative security industry. As noted above, contract security, private key/wallet security, traditional security, and team operational security all need to be assured, and this requires the joint efforts of the entire security industry. This is also why Beosin established the [Blockchain Ecological Security Alliance].





Buidler DAO brings together Web3 talent and projects from China and around the world, and is committed to building a SocialDAO governance paradigm and DAO Tools solutions.


Five internal guilds work together: the incubation and technology guilds build a project acceleration ecosystem; the investment research and education guilds output in-depth content; and the operations guild is responsible for community governance and growth.


Official link: https://link3.to/buidlerdao

In-depth participation: https://tally.so/r/wA7LlN


Origin blog.csdn.net/2301_76163192/article/details/128926251