Annual Blockchain Security Theme for 2021

创宇区块链安全实验室 view 44474 2022-1-5 16:01
share to
Scan QR code with WeChat

2021 is an important milestone for the blockchain in terms of the acquisition of consumption and housing. This proportion of assets adopted is far higher than at any time in history.

At the same time, a lot has happened like the global meta known as the future, GameFi where you make money playing and the unification of chains of trust. Many existing Defi Dapps have also been ramped up and received upgrades such as Uniswap V3, Aave V3 and other new contract additions.

All of this not only revitalized the blockchain ecosystem, but also brought new security challenges. Please follow meGet to Know Chuangyu Blockchain Security LabFrom the perspective of the blockchain security ecosystem in 2021 and the monthly security representative.

A Brief Overview of the Blockchain Security Ecosystem in 2021

According toChuangyu Blockchain Lab [Hacking Event Archives]Incomplete Statistics As of this writing, the potential security issues that may be called into question on the blockchain in 2021 are:312 up to uc, the most direct loss10 billion dollars.

Compared to last year, it is still beating. The booming multi-channel system, the inter-chain demand for unified reliability and the beautiful disc imitation of the new channels have made a unique "know-how" for this staggering number.

2021年区块链安全年度总结

In the case of security situations, six latitudes, such as trade, DeFi, race, wallets and public channels, were used for statistics. Among them, DeFi Security stood out in 141 cases.

The main reason is that although the core blockchain technology has matured, the commitment to use the information has yet to be fulfilled, and the monitoring is insufficient. In particular, contracts can serve as a carrier of funds and operate directly on the logic of the operation, which attracts more and more hackers in this area.

On the other hand, protesters have become more adept at using flash loans and chain surveillance. At the same time, there are significant differences in the execution of contracts between different parts of the project, all of which lead to more and more attacks.

2021年区块链安全年度总结

In terms of financial loss, the evasion / fraud was particularly heavy, with the total loss amounting to over US $ 6.4 billion. The financial loss due to racing / fraud is greater than the outcome of DeFi security.

The evacuation was unsuccessful due to excessive owner power, renewed contracts, administration by DAO, etc. At the same time, blockchain skepticism is reducing the risk of these activities, and even some project actors directly declare their group achievements, resulting in loss of confidence of many users.

Various attacks such as exchange deletion scams, chain honeypots, fake wallets, and phishing scams have also brought new issues to the chain's security. Of course, this should not only depend on the security company, but should also raise the security awareness of the team.

2021年区块链安全年度总结

Monthly review of the 2021 General Safety Report

I: The start of the race

Keywords: management, cost

On January 27, SushiSwap filed a lawsuit to control the uncertainty of its trading rates, which hackers were using to control the failure of business partner DIGG / WETH to adjust the performance of business partner WBTC / DIGG. .

Monthly safety rating: low

Monthly measurement:It's the start of a new year, but it shouldn't be the start of a new era.

Ⅱ: The first signs of wind and rain

Tags: Lightning Loan, Unlimited Authentication

Yearn Finance hackers stopped using flash loans to manage 3pool token balance and increase the spread with the Dai vault, making $ 2.8 million when the vault lost over 11 million of dollars.

The requested approval for the Furucombo smart contract, the Ethereum protocol assembly tools, has been found to be too high. A hijacker can add counterattacks to a Furucombo agent to gain unauthorized access to a user's account. This disadvantage affects more than $ 14 million. .

Monthly Safety Rating: Medium

Monthly measurement:A security alert is required because the same type of conflict has occurred one after another.

III: Danger fantasy

Key points: double spending, defective parts, governance

Exchange DODO does not control init rules, so hackers use the init function to bypass authentication by exchanging tokens to return unwanted tokens before adding them to the pool when the loan is repaid. And the sub-rates, well, lost over US $ 2 million.

The coin-operated payment network benefits were flawed and were used to advertise over 60 million PAID tokens.

Filecoin has a "dual use" disadvantage due to its status.

Monthly Safety Rating: High

Monthly measurement:There are many drawbacks, but the most important is financial security.

IV: Classic reproduction

Keywords: re-entry stop, compatibility protocol

Uniswap's imBTC pool has been attacked by hackers. The negative is caused by a relationship issue between the Uniswap and ERC777 protocols. When a trade occurs, you can use a counterattack to call back tokensToSend on ERC777, causing the crash. Over $ 300,000.

Monthly safety rating: low

Monthly measurement:Classic vulnerabilities are used in an entirely new way, indicating that the concept of security does not exist and must be constantly updated.

Ⅴ: Wind and rain everywhere

Keywords: back-to-school strike, contractual dispute, failure, loan contract

Synthetic Assets Protocol Spartan Protocol Affected by Flash Loan Attack, Arbitrage and $ 30.5 Million Loss Due to Differences in Slip Correction Mechanism Add / Remove Liquidity

The Pool DeFi, fired by a gun, was hit and lost $ 10 million due to the risk of collision hidden in its contract, and was hit again two days later and lost $ 11 million.

PancakeBunny was struck by lightning which sparked controversy over the issue of LP tokens, resulting in a loss of approximately $ 45 million.

BurgerSwap suffered around $ 3.3 million from a controversial lending crisis due to poor reentry and setup issues.

Monthly Safety Rating: High

Monthly measurement:This month is a frequent credit lending month, and the catastrophic damage the contents can have must be overlooked to avoid a negative outcome.

: Wind and rain remain the same.

Keywords: wool, error variable, address (here), lightning theory

The PancakeBunny program, which is based on the PancakeHunny disk plan, has been attacked by hackers, and the main reason for the downside is that the mintFor function does not use the equivalent contract as a measure and allows arbitrage by swapping those not used by HunnyToken.

Ethereum DeFi Project Alchemix's alETH contract has security concerns forcing users to overpay due to shipments resulting in inaccurate rates and incorrect metrics in calls.

BSC's DeFi xWin Financial protocol was challenged by Lightning Loan, and the gift to the reviewer was written on the same site because the contract did not identify the address of the giver of the gifts.

Monthly Safety Rating: Medium

High Monthly Notes:Lightning strikes are also frequent this month to warn that the differences in management deserve to be reconsidered.

VII: Logic

Keywords: private key, dual-use attack, tx.origin, logical vulnerability

Anyswap, a classification of interconnected strings, has been criticized. The downside is that there are two v3 router companies in the V3 router MPC account. These two transactions have the same R sign value. The attacker can return the private key. The loss of the MPC account is approximately $ 8 million.

The BSV network was hit hard by the attacks, resulting in a number of blockchain developments, which were used by insurgents as a two-pronged attack.

THORChain, a cross-platform trading process, has been repeatedly attacked and lost up to $ 25 million because a working token, tx.origin, can be used for phishing.

PolyYeld Financial, contract farm income, has been criticized, and due to the fact that the amount received at the time of payout is less than payout, hackers have used the method to earn excess money by managing tokens on the contract MasterChef.

Monthly Safety Rating: Medium to High

Monthly measurement:This month must be more decisive because there are more and more types of communications related to privacy keys, transport, etc.

Ⅷ: the most dangerous

Keywords: more depressing for a year, re-entry attack, homogeneous recommended attack, flash library

Ethereum's DeFi protocol, Popsicle Financial, was affected by the lightning strike, which resulted in an error in the payment terms of the PLP contract, resulting in a loss of $ 20.7 million.

A network connection, Poly Network, was attacked and the malfunction allowed the administrator to fix it.

The DeFi scheme of the BSC Dot.Finance channel was struck by lightning. This strike is part of the PancakeBunny stop protocol and costs nearly $ 430,000. Over $ 50 million in losses to date as a result of these attacks;

Ethereum's DeFi protocol, Cream Money, suffered a bad comeback and lost over $ 18 million.

Monthly Safety Rating: High

Monthly measurement:The drop in various strikes this month is huge, and there's also the poly network strike, which is called the weakest drop this year. These implications govern the entire blockchain security ecosystem.

IX: The problem is the same

Key points: automatic shutdown, regular product validation, oracle management, quick recovery

The DeRac equestrian NFT has been attacked, the downside principle is that the Vesting contract does not start the protective defense, allowing the intruder to trigger the accident, get in and finally remove the pledge by emergency withdrawal. not found. Lose $ 4 million.

As the current swap swap has been attacked by hackers and the mismatch of swap operations has not changed, Flash Proof of Loan products are regularly illegal. , thus realizing that the resistance and loss is over $ 1 million.

The Vee.Finance loan deal, an investment of over $ 35 million in stolen assets, can often lead to oracle costs due to incorrect math numbers and authentication issues. .

Compound, a decentralized lending protocol, had a different problem, sending multiple COMP tokens and losing up to 280,000 COMP tokens due to this failure.

Monthly Safety Rating: High

Monthly measurement:The loss caused by various protests this month is still huge, but compared to the new kind of negative, the negative is often the incredible that has already happened.

Ⅹ: various rivers

Keywords: description, patch plan, multi-attacks

Ethereum's passive income protocol, Indexed Finance, has been challenged because the token process, which includes the cost of the entire mining pool, resulted in a loss of around $ 16 million.

Compound, a decentralized lending protocol, attempted to correct the loophole in the community strategy liquidity extraction token distribution contract, but easily added 200,000 comp tokens to the contract because it is an appeal. drop function (). The deal faces a loss for the United States. $ 158 million.

Ethereum's DeFi loan protocol, Cream Financial, was again challenged, with major strike rights costing up to $ 130 million in losses as the lower PerShare price was dynamically discounted by Immediately Easy Ownership. I wear it.

Monthly Safety Rating: High

Monthly measurement:There are many adverse events that occur depending on the situation, and there can be pool issues, job changes, and parts issues.

: a lot of problems

Keywords: oracle control, attack control, private key leak

Ethereum's VesperFi Fianance DeFi protocol has been attacked by oracle, costing more than $ 3 million.

Curve.Finance has lost over $ 30 million in "regulatory oversight" of USDM Mochi Stabilitycoin group.

More than $ 55 million in assets have been stolen from chains Polygon and BSC due to the leak of a private key from the DeFi bZx lending protocol.

Monthly Safety Rating: High

Monthly measurement:The problem was serious even that month. This includes the security issues Oracle has always encountered, critical privacy concerns, and even the plight of minors.

Ⅻ: The resurrection of the classics

Keywords: flashlon, back to school

GrimFinance, the most revenue-generating platform in the Fantom chain, is hit by lightning, and attackers use the depoistFor function to detect if a token is not present and set the token address accordingly as they go. as the contract stops to recognize re-entry. . attack, causing casualties. over $ 30 million.

Definer was challenged by the manipulation of oracle The problem is that there is an issue with the use of oracles from the OEC chain, at some point when using the balance token by a price pool.

Monthly Safety Rating: Medium

Monthly measurement:There are Oracle security issues and re-entry security issues, but the death rate is still high.

concludes

Everything in the past is a prologue.

2021 will be a special year. In the context of blockchain, a lot of new things are constantly appearing, but at the same time it has created a lot of security problems and at the same time brought new security problems.

The most eye-catching moment in many of these security situations is the need not to borrow money. In the classic struggle mentioned above, flash loaner devices have been used many times. On the other hand, attacks and low cost gains and frauds have also occurred more frequently. The decline in blockchain security continues to increase year on year, and no difference has been delayed.

Among these attacks, DeFi remains the most significant impact on blockchain security, and the diversity of different plans and multiple markets is lost due to differences in understanding through the use of the return code. It is not a question of any particular individual or organization, but of promoting public awareness of safety throughout the economy.

Finally, in the new year, I hope everyone will use this as a lesson and move on.

btcfans公众号

Scan QR code with WeChat

Link
Disclaimer:

Previous: What is the new face of the first round of the Polkadot game project? Next: Admit it or not, the era of Web3 has arrived.

Related