Reasons for frequent blockchain hacks in 2021

CertiK view 9398 2021-12-28 09:59
share to
Scan QR code with WeChat

Blockchain is a hotspot that fosters innovation, and its security risks have made it vulnerable to crime in one way or another.

Today's Ethereum was born when DAO, which had a crowd of over $ 150 million that year, was stolen by hackers and faced stiff competition.

Since the inception of the blockchain, various thefts such as money laundering for exchanges, wallets, and Dapps have occurred more frequently.

So what impact will the field of blockchain security have in 2021, and what will happen in the future?

In 2021, a blockchain hacker solves a currency heist.

The amount of money stolen by hackers due to trade speculation in 2021 broke the all-time high.

A total of 32 hacking incidents in the quarter resulted in the theft of $ 1.5 billion in assets, up from $ 180 million last year.

DeFi Protocol

Vulnerability of the financial logic of uranium

In April 2021, the Uranium Liquid Extraction Protocol came under attack, a smart contract that was modified by MasterChief (MasterChief is a smart contract used to create a contract pool and renew contract products for invisible users).

Among them, there is an unreasonable reason in the rules that supplement the "reward bet", allowing pirates to reap more mining benefits than others. The hackers took the RAD / sRADS pool and replaced it with BUSDs and BNBs worth around $ 1.3 million.

Handling of Crimean Financial Oracle

On October 27, Oracle Financial Cream was involved. Opponents control the oracle value for yUSD by borrowing DAI from MakerDAO to create multiple yUSD tokens, while also using multiple legacy assets (such as yDAI, yUSDC, yUSDT, and YTUUSD).

Following the rise in the value of the yUSD, the protesters increased the value of the yUSD, creating enough credit to lend the bulk of Cream Finance in the Ethereum v1 lending business. And Cream.Finance was also launched by Flash Star on August 30.

Injection de malware frontal Badger DAO

The attacker receives the API key from the Cloudflare backend project host and injects the malicious procedure into the website code in front of them.

When the user visits the home page of the website, the change begins after the malware appears so that the user can identify it. If the user recognizes the wrong action, the attacker is allowed to use the token. The attacker can redeem all of the escrow money.

Anyswap background sign

The incident occurred because the value was not applied to the background sign and the attacker was given a private key for signing in both marketplaces.

Wallet phishing information

Using the Bitcoin Electrum wallet as an example, when a user of the device permanently connects to the attacker on the node, the attacker sends phishing information to the wallet through the node. Once the user sees the phishing file and takes out the wallet with the back, the hacker can easily get the user's private key.

cash

When an incident occurs for a part of the project, only internal exchanges know what is going on and the data is not disclosed, unlike the public data chain which allows people to examine it.

Typically, the swap situation occurs as follows: The Exchange server is hacked and the attacker gains access to the private key of the server wallet. After an exchange employee receives a phishing attack, the attacker accesses internal processes through the employee's account and undertakes a procedure such as accessing the key to a gold purse.

What to do after your property is stolen

Regarding the retention of assets after theft, it can be identified from three angles: parties, exchanges and third-party security organizations.

Parties often use these solutions.

It's time to stop token transfer and service transactions in smart contracts, for uninterrupted contracts, check the necessary functions in the contract and block some service contracts to prevent the contract from being attacked again .

At the same time, communities have been warned to prevent the arrival of new entrants by putting equipment into the contract.

Contact a third-party security agency for assistance in identifying the root cause of the malfunction and assisting in resolving the malfunction.

Destination of stolen funds - If your contract contains a blacklist feature, we first block hacker addresses to prevent hackers from exchanging money.

Working with security and law enforcement agencies, we offer a reasonable payment plan to recover stolen goods and reduce lost users.

From an exchange of views, there are two situations.

If the exchange itself is stolen, it is necessary to temporarily suspend it and restart it to minimize losses. The exchange stores all information (such as records) in the system for identification and future use and calls security or law enforcement to assist in the search for assets.

If a special project is stolen, the exchange can monitor the thief's address, and if the address is found recently, the account will be frozen immediately.

Security guards must:

After the accident, we identify the cause of the fault and correct the fault.

To reduce the security risk after bringing a project back online, we offer a security check service before the project is brought back online.

Please alert the community and see if there are any other jobs that are having a negative impact. If your project has a vulnerability, you can post a warning via a confidential channel.

How to track accounts as an old technician means and identify the steel case (eg IPS IPE address

Then why is the useful value of the safety screen by weakness? Why do hacking?

In fact, finding a project only takes a few weeks, and the client's time and effort is not limited. Focusing on certain areas of work will take longer to research and take action than research firms.

This year, the Cross Chain Bridge project faced retaliation due to the large number of closed consumers approaching these projects.

Second, the difference between a bridge crossing and another DeFi project is that the reasons for the general functioning of DeFi are almost 100% complete in smart contracts, while the bridge is made up of connections between web2 and web3. Smart contract and always backends ...

The unaffected bugs and the huge amount of money blocked give hackers a chance to attack.

In short, DeFi should be a configurable mode that interacts with other code additions to their own code, and should be inflexible as business logic requires strict technical collaboration.

More importantly, DeFi protocol requires third party services (such as other oracles, database based platforms, etc.) and these third party services can be exposed to external influences, which is why it is important to advertise the product. I have been attacked by hackers.

Future prospects for blockchain security

Will there be future technological advancements to secure the blockchain industry?

In theory, yes.

Let's talk about the technology first below, the term Solidity for drafting smart contracts has slowly increased.

Since the recent version 8.0 of Solidity, an inconsistency called integer overflow has disappeared.

Second, the importance of security in the blockchain industry is increasing.

Finally, securing open source code will also lead to increased security.

The OpenZeppelin code base is open source code developed by experts, so the right numbers are high and secure. Parties only need to add some special features that they want to use according to their ground rules and can write the numbers starting from zero.

There are also various security measures that monitor your rights. It enhances the security of your rights as it allows team members to see potential vulnerabilities without contacting the security company.

For example, CertiK Skynet Skynet Scanning System is a 24 * 7 intelligent security machine, capable of providing real-time multidimensional transparent security monitoring and environment monitoring. warning warning.

Additionally, security ratings which, for example, publicly and transparently display information security and early warning plans, can provide an understanding of security to investors outside of the campaign. Any business owner can access the information security information he needs from the limitless information security understanding.

As technology becomes more and more involved in operations, security concerns in the blockchain industry will be further heightened.

All in all, the DeFi protocol and all the blockchain security issues are key to preventing critical funds from entering the market. The way DeFi works is flawless in terms of security, which is the goal this track needs to achieve, especially in a centralized cross-chain race.

btcfans公众号

Scan QR code with WeChat

Disclaimer:

Previous: Nansen: Avalanche (Avalanche) begins the "warm rush" in the data to see avalanche potential. Next: MetaFi: The Rise of Metaverse Financial

Related