This article will show you why blockchain hacks are so prevalent in 2021

分布式资本 (Fenbushi Capital), 2021-12-21 12:58

Permissionless and censorship-resistant by design, blockchain is both a hotbed of innovation and a hotbed of hacking. The DAO, which had raised over $150 million, was drained by an attacker in 2016, and the hard fork that followed that crisis produced the Ethereum we have today. Since the inception of blockchain, hacks of exchanges, wallets and dapps have recurred again and again. So what did blockchain security go through in 2021, and where does it go next?

Blockchain hacks and coin thefts in 2021

As the industry heated up in 2021, the value stolen by hackers broke previous records. In the third quarter alone, 32 hacking incidents led to the theft of $1.5 billion in assets, up from $180 million the year before.

1) DeFi Protocols

Uranium Finance - Logic Vulnerability

In April 2021 the liquidity-mining protocol Uranium Finance was attacked. Its smart contract was a modified MasterChef (MasterChef is the staking contract that creates staking pools and pays staking rewards to users). The modified rules for calculating "staking rewards" contained a logic flaw that allowed the attacker to claim far more mining rewards than they were entitled to. The hacker emptied the RADS/sRADS pool and swapped the proceeds for about $1.3 million worth of BUSD and BNB.
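The accounting pattern a MasterChef-style pool uses, with a hypothetical reward-settlement bug of the kind described above beside the correct version. This is an added example written for this article, not Uranium Finance's contract or any other project's code, and the bug shown is illustrative rather than the exact flaw Uranium had. Contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration of MasterChef-style reward accounting. Not Uranium Finance's
// contract; the bug in harvestBroken() is a hypothetical one of the same class.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract StakingPool {
    uint256 private constant PRECISION = 1e12;

    IERC20 public immutable stakeToken;
    IERC20 public immutable rewardToken;
    uint256 public immutable rewardPerBlock;

    uint256 public totalStaked;
    uint256 public accRewardPerShare; // cumulative reward per staked unit, scaled by PRECISION
    uint256 public lastRewardBlock;

    struct UserInfo {
        uint256 amount;     // staked balance
        uint256 rewardDebt; // amount * accRewardPerShare / PRECISION at last settlement
    }
    mapping(address => UserInfo) public users;

    constructor(IERC20 _stakeToken, IERC20 _rewardToken, uint256 _rewardPerBlock) {
        stakeToken = _stakeToken;
        rewardToken = _rewardToken;
        rewardPerBlock = _rewardPerBlock;
        lastRewardBlock = block.number;
    }

    // Distribute the rewards accrued since the last update over the current stake.
    function updatePool() public {
        if (block.number <= lastRewardBlock) return;
        if (totalStaked == 0) {
            lastRewardBlock = block.number;
            return;
        }
        uint256 reward = (block.number - lastRewardBlock) * rewardPerBlock;
        accRewardPerShare += reward * PRECISION / totalStaked;
        lastRewardBlock = block.number;
    }

    // Rewards a user has earned but not yet been paid.
    function pending(address who) public view returns (uint256) {
        UserInfo storage u = users[who];
        return u.amount * accRewardPerShare / PRECISION - u.rewardDebt;
    }

    // VULNERABLE (hypothetical): pays the pending amount but never advances rewardDebt,
    // so calling it again pays the same rewards again until the reward balance is gone.
    function harvestBroken() external {
        updatePool();
        UserInfo storage u = users[msg.sender];
        uint256 owed = u.amount * accRewardPerShare / PRECISION - u.rewardDebt;
        if (owed > 0) require(rewardToken.transfer(msg.sender, owed), "reward transfer failed");
        // missing: u.rewardDebt = u.amount * accRewardPerShare / PRECISION;
    }

    // CORRECT: settle pending rewards, apply the balance change, then recompute
    // rewardDebt from the new amount so only rewards accrued from now on are claimable.
    function deposit(uint256 amount) external {
        _settle(msg.sender);
        UserInfo storage u = users[msg.sender];
        if (amount > 0) {
            require(stakeToken.transferFrom(msg.sender, address(this), amount), "stake transfer failed");
            u.amount += amount;
            totalStaked += amount;
        }
        u.rewardDebt = u.amount * accRewardPerShare / PRECISION;
    }

    function withdraw(uint256 amount) external {
        _settle(msg.sender);
        UserInfo storage u = users[msg.sender];
        require(u.amount >= amount, "insufficient stake");
        if (amount > 0) {
            u.amount -= amount;
            totalStaked -= amount;
            require(stakeToken.transfer(msg.sender, amount), "unstake transfer failed");
        }
        u.rewardDebt = u.amount * accRewardPerShare / PRECISION;
    }

    // Pays what is owed; the caller must reset rewardDebt afterwards.
    function _settle(address who) internal {
        updatePool();
        UserInfo storage u = users[who];
        uint256 owed = u.amount * accRewardPerShare / PRECISION - u.rewardDebt;
        if (owed > 0) require(rewardToken.transfer(who, owed), "reward transfer failed");
    }
}
```

The invariant auditors check in any MasterChef fork is that every path that changes a user's amount or pays rewards ends by setting rewardDebt = amount * accRewardPerShare / PRECISION. A fork that reorders these steps, or drops the assignment on one path as harvestBroken() does, lets a staker collect the same rewards repeatedly.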

Cream Finance - Oracle Manipulation

On October 27, Cream Finance was hit by an oracle-manipulation attack. The attacker manipulated the oracle price of yUSD: using DAI flash-borrowed from MakerDAO, they minted a large amount of yUSD while also holding large positions in the underlying assets (yDAI, yUSDC, yUSDT and yTUSD). Once the yUSD price had been pushed up, the attacker's yUSD collateral was valued far above its real worth, giving enough borrowing power to drain most of the funds in Cream's v1 lending markets on Ethereum. Cream Finance had already been hit by a flash-loan attack on August 30.
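Why a spot share price is a dangerous collateral oracle, and one way to harden the read side. This is an added example written for this article, not Cream Finance's or yearn's code, and the guarded oracle below is one mitigation among several (a time-weighted average price, or pricing from the vault's internal deposit accounting rather than its token balance, are alternatives). All contract, function and parameter names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Cream Finance's or yearn's code. Illustrative names throughout.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

interface IVault {
    function token() external view returns (IERC20);        // underlying asset
    function totalSupply() external view returns (uint256); // vault shares outstanding
}

// MANIPULABLE: price per share = spot underlying balance / shares. Anyone can send
// underlying tokens straight to the vault (funded by a flash loan if needed), which
// raises this value immediately; a lender that values vault-share collateral this
// way then lends against the inflated collateral in the same transaction.
contract SpotShareOracle {
    function pricePerShare(IVault vault) external view returns (uint256) {
        uint256 shares = vault.totalSupply();
        if (shares == 0) return 1e18;
        return vault.token().balanceOf(address(vault)) * 1e18 / shares;
    }
}

// HARDENED: the lender reads a snapshot taken by a keeper in an earlier block, and a
// snapshot that deviates too far from the previous one is refused. This does not make
// the vault itself unmanipulable; it stops a single-transaction jump from counting
// as collateral value.
contract GuardedShareOracle {
    uint256 public constant BPS = 10_000;
    uint256 public immutable maxDeviationBps;
    address public immutable keeper;

    mapping(address => uint256) public lastPrice;       // vault => price per share (1e18)
    mapping(address => uint256) public lastUpdateBlock; // vault => block of that snapshot

    constructor(address _keeper, uint256 _maxDeviationBps) {
        keeper = _keeper;
        maxDeviationBps = _maxDeviationBps; // e.g. 500 = at most 5% per update
    }

    function spot(IVault vault) public view returns (uint256) {
        uint256 shares = vault.totalSupply();
        if (shares == 0) return 1e18;
        return vault.token().balanceOf(address(vault)) * 1e18 / shares;
    }

    // The keeper refreshes the snapshot; a jump beyond the bound reverts and is
    // something the monitoring side should alert on.
    function update(IVault vault) external {
        require(msg.sender == keeper, "not keeper");
        uint256 p = spot(vault);
        uint256 prev = lastPrice[address(vault)];
        if (prev != 0) {
            uint256 diff = p > prev ? p - prev : prev - p;
            require(diff * BPS <= prev * maxDeviationBps, "price moved too much");
        }
        lastPrice[address(vault)] = p;
        lastUpdateBlock[address(vault)] = block.number;
    }

    // What the lending market calls when valuing collateral. A snapshot captured in the
    // current block is refused, so nobody can update and borrow in one transaction.
    function pricePerShare(IVault vault) external view returns (uint256) {
        uint256 at = lastUpdateBlock[address(vault)];
        require(at != 0 && at < block.number, "no usable snapshot");
        return lastPrice[address(vault)];
    }
}
```

The deviation bound is a trade-off: set too tight it blocks legitimate repricing (a vault that really did earn 10% in a day), set too loose it lets a slow, multi-block manipulation through. Whatever bound is chosen, the rejected-update event is exactly the signal the security monitoring described later in this article should watch.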

BadgerDAO - Front-End Malicious Code Injection

The attacker obtained an API key for the project's Cloudflare account and used it to inject malicious code into the website front end. When a user opened the site, the injected script triggered a wallet prompt asking the user to sign a transaction. If the user signed without checking, that transaction was an ERC-20 approval granting the attacker's address an allowance over the user's tokens, and the attacker then used the allowance to transfer the user's entire balance.
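What an ERC-20 approval actually hands over, and a check users or incident responders can run against a token. This is an added example written for this article, not BadgerDAO's code; the contract names and the choice of an unlimited approval as the worst case are assumptions, and the front-end script itself is not reproduced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not BadgerDAO's code. Illustrative names throughout.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function allowance(address owner, address spender) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Once a holder has signed approve(address(this), type(uint256).max) on a token,
// whoever controls this contract can move the holder's entire balance at any later
// time with no further action by the holder. That one signature is all an injected
// front-end script needs a user to produce.
contract ApprovalRecipient {
    address public immutable controller;

    constructor() {
        controller = msg.sender;
    }

    function pull(IERC20 token, address holder) external {
        require(msg.sender == controller, "not controller");
        uint256 balance = token.balanceOf(holder);
        uint256 allowed = token.allowance(holder, address(this));
        uint256 amount = balance < allowed ? balance : allowed;
        require(token.transferFrom(holder, controller, amount), "transferFrom failed");
    }
}

// User- or responder-side check: which of these spenders could drain the holder's
// balance right now? A legitimate dapp that needs `amount` for one deposit has no
// reason to hold more than that.
contract AllowanceAudit {
    function canDrain(IERC20 token, address holder, address[] calldata spenders)
        external
        view
        returns (bool[] memory risky)
    {
        uint256 balance = token.balanceOf(holder);
        risky = new bool[](spenders.length);
        for (uint256 i = 0; i < spenders.length; i++) {
            uint256 a = token.allowance(holder, spenders[i]);
            risky[i] = (a == type(uint256).max) || (balance > 0 && a >= balance);
        }
    }
}
```

Revocation is just another approval: the holder calls approve(spender, 0) on the token from their own account. The practical lesson from this incident is that the wallet prompt is the last line of defense, so a prompt that asks for an approval when the user only expected a deposit, or for an unlimited amount, should be rejected.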

Anyswap - Signature Nonce Reuse

This happened because the random nonce used in ECDSA signing was reused: the project's signing account produced two transactions whose signatures shared the same R value, and from those two signatures the attacker recovered the private key.

In short, beyond being correct in its own logic, a DeFi protocol must be robust in how it composes with others: it interacts with other protocols and strategies, and their business logic must be compatible. Most importantly, DeFi protocols have to rely on third-party services (external oracles, centralized cloud platforms, and so on), and those third-party services carry a high risk of being controlled by outsiders, which is one of the main ways projects get hacked.

2) Wallets - Phishing Messages

Take the Bitcoin Electrum wallet: when a user running an old client version connected to a node controlled by the attacker, the node sent a phishing message to the wallet. A user who saw the message and followed it, for example by downloading and opening a fake "update", had their private key stolen with ease.

3) Exchanges

Unlike project hacks, where public on-chain transaction data lets anyone analyze the incident, with exchange breaches only insiders know what happened, and there is usually no disclosure. The common exchange problems are: the exchange's server is compromised and the attacker obtains the private key of the server's hot wallet; or an exchange employee is phished, the attacker gains access to internal systems through the employee's account, and then follows the internal process, for example to obtain a hot wallet key.

What to do when assets are stolen

Handling stolen assets can be considered from three sides (the project team, exchanges, and third-party security companies).

The project team generally takes the following steps:

1) Immediately suspend token transfers and trading functions in the smart contracts. For contracts that cannot be upgraded, check which functions the contract exposes and disable specific functions so the contract cannot be attacked again.

2) At the same time, warn the community so that new investors do not deposit assets into the affected contracts.

3) Contact a third-party security company for help investigating the root cause, and fix the vulnerability.

4) If the contract has a blacklist, block the hacker's addresses so the hacker cannot move or swap the stolen funds.

5) Work with security companies and law enforcement to recover the stolen funds, and introduce a compensation plan to reduce user losses.
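Steps 1 and 4 only work if the token contract was built with them in mind. The token below has a pause switch and an address blacklist wired into the transfer path. It is an added example written for this article, not any project's token; it assumes OpenZeppelin Contracts 4.x (the _beforeTokenTransfer hook and the security/Pausable.sol path; 5.x replaced the hook with _update and moved Pausable), and the token name, symbol and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not a real project's token. Assumes OpenZeppelin Contracts 4.x.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/security/Pausable.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

contract IncidentReadyToken is ERC20, Pausable, Ownable {
    mapping(address => bool) public blacklisted;

    event Blacklisted(address indexed account, bool status);

    constructor(uint256 initialSupply) ERC20("Incident Ready Token", "IRT") {
        _mint(msg.sender, initialSupply);
    }

    // Step 1: freeze every transfer while the incident is investigated.
    function pause() external onlyOwner {
        _pause();
    }

    function unpause() external onlyOwner {
        _unpause();
    }

    // Step 4: block the attacker's addresses so stolen tokens can neither leave
    // them nor be parked in a fresh address the attacker controls.
    function setBlacklist(address account, bool status) external onlyOwner {
        blacklisted[account] = status;
        emit Blacklisted(account, status);
    }

    // Every transfer, mint and burn passes through this hook in OZ 4.x, so a single
    // check covers transfer(), transferFrom() and any DEX interaction.
    function _beforeTokenTransfer(address from, address to, uint256 amount)
        internal
        override
        whenNotPaused
    {
        require(!blacklisted[from] && !blacklisted[to], "IRT: address blacklisted");
        super._beforeTokenTransfer(from, to, amount);
    }
}
```

Two caveats a responder should keep in mind. The owner key is now a single point of failure, so it belongs in a multisig or behind a timelock, not in one developer's hot wallet. And the blacklist only helps against tokens that are still sitting at a known attacker address; once the hacker has swapped into a token without such controls, only exchange-side monitoring (below) and law enforcement remain.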

For exchanges there are two situations.

1) If the exchange itself is breached, temporarily stop all deposits and withdrawals to limit the loss, preserve all records in the system (such as logs), and contact a security company or the police for further investigation and help tracing the assets.

2) If a project is hacked, the exchange monitors the hacker's on-chain addresses and freezes the account when funds from those addresses arrive at the exchange.

Security companies should:

1) After the incident, identify the root cause and fix the problem at its source.

2) Before the project comes back online, provide security monitoring so that risk is reduced after it resumes.

3) Alert the community and check whether other projects share the same weakness. Where a project turns out to be affected, notify it through a private channel.

4) Trace the funds with on-chain analysis, combine it with off-chain channel data (such as the hacker's IP address and device information), and help the police catch the attacker.

So if security companies have already audited a project's vulnerabilities, why can it still be exploited? An audit of a project lasts only a few weeks, while the hacker's time and effort are unlimited. An attacker who focuses on one project can spend far longer studying it than the audit firm did.

Cross-chain bridge incidents recurred this year, first because of the large amounts of funds locked in bridges. Second, the difference between a bridge and other DeFi protocols is that a conventional DeFi protocol runs almost 100% on smart contracts, while a bridge is built from connections between web2 and web3: it uses smart contracts together with traditional off-chain systems. The huge sums locked in the cross-chain sector give hackers room to attack.

The future of blockchain security

Will future technical advances make the blockchain industry more secure? In theory, yes. Before we get to tools, the languages used to write smart contracts are slowly maturing. Since Solidity 0.8.0, arithmetic is checked by default, and the class of bug known as integer overflow has largely disappeared (it can still occur inside unchecked blocks).

Second, reusing audited open-source code also adds security. The OpenZeppelin contract library is open-source code written by experts; it is widely used and well audited. Project teams do not have to write contracts from scratch: they can inherit these contracts and add only the specific features they need.

(https://github.com/OpenZeppelin/openzeppelin-contracts)
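What Solidity 0.8's checked arithmetic does and does not cover, with the weak form beside the safe one in each case. This is an added example written for this article, not code from Solidity or OpenZeppelin; the safe narrowing check mirrors what OpenZeppelin's SafeCast library does, and the function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: the boundaries of Solidity 0.8 overflow checking.
contract ArithmeticCaveats {
    // Reverts on overflow since 0.8.0; the same expression wrapped to 0 in 0.7.x.
    function checkedAdd(uint8 a, uint8 b) external pure returns (uint8) {
        return a + b; // checkedAdd(255, 1) reverts
    }

    // Inside `unchecked` the pre-0.8 wrapping behaviour is back. It is used for gas
    // savings in loop counters; the author takes responsibility for the bounds.
    function uncheckedAdd(uint8 a, uint8 b) external pure returns (uint8) {
        unchecked {
            return a + b; // uncheckedAdd(255, 1) == 0
        }
    }

    // Classic pre-0.8 underflow: a balance withdrawal with wrapped subtraction turns a
    // zero balance into 2**256 - 1. With checked arithmetic the same line reverts.
    function withdrawWrapping(uint256 balance, uint256 amount) external pure returns (uint256) {
        unchecked {
            return balance - amount; // withdrawWrapping(0, 1) == type(uint256).max
        }
    }

    function withdrawChecked(uint256 balance, uint256 amount) external pure returns (uint256) {
        return balance - amount; // reverts when amount > balance
    }

    // Explicit narrowing conversions are never checked, in any compiler version: the
    // high bits are simply discarded. An amount packed into a uint128 storage slot
    // can therefore be silently truncated even in 0.8.
    function truncatingCast(uint256 x) external pure returns (uint128) {
        return uint128(x); // truncatingCast(2**128) == 0
    }

    // Safe narrowing: range-check first, as OpenZeppelin's SafeCast.toUint128 does.
    function safeCast(uint256 x) external pure returns (uint128) {
        require(x <= type(uint128).max, "value does not fit in 128 bits");
        return uint128(x);
    }

    // Shifts are not overflow-checked either: bits shifted out of the type are lost.
    function shiftOut(uint8 x, uint8 n) external pure returns (uint8) {
        return x << n; // shiftOut(1, 8) == 0, no revert
    }
}
```

The practical reading for an auditor: on a 0.8 codebase, grep for `unchecked`, explicit down-casts such as uint128(x) or uint96(x), and shift operators, because those are the only places where the old overflow class can still hide.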

There are also many security tools that analyze contracts, which improve a project's security by letting the team spot vulnerabilities without calling in an audit firm. As more professionals enter the field, security in the blockchain industry will keep improving.

On the human side, project teams should consider whether their economic and business models hold up, and conduct multiple audits to eliminate risk.

Overall, the security of DeFi protocols, and of the whole blockchain space, is the key obstacle to large amounts of capital entering the market. Looking at all the causes behind this year's DeFi incidents, the most important is that DeFi projects cannot be fully decentralized and have to rely on third-party services. Making DeFi operations beyond reproach in terms of security is the goal this sector must reach (especially the highly centralized cross-chain sector). I look forward to the next cycle bringing DeFi products to the industry with a new look!

btcfans WeChat official account
