Security Monthly Report | More than 17 typical security incidents occurred in March, the prospects and risks of Ethereum Defi coexist

According to data from Chengdu Lian'an's "Blockchain Security Situation Awareness System" (Beosin-Eagle Eye), a variety of security incidents occurred over the past three months. Chengdu Lian'an security staff counted more than 17 typical security incidents in March, covering Ethereum Defi security, exchange security, fraud and exit scams, and other incidents. Viewed from another angle, they involve both virtual-currency asset security and user data security.

In terms of Defi, 3 typical security incidents occurred:

In recent months, as Defi has continued to heat up, its security problems have become increasingly prominent. The recent bZx flash loan attack has already raised the question: does the growing prosperity of Defi hide enormous security risks?

1) On February 28th, a user made a very large swap at a time when Curve V4 lacked sufficient liquidity. Although the team discovered the incident and remedied it immediately, the user ultimately lost $140,000 in assets.

The specific event process is:

User A wanted to move funds from the Curve V3 pool to the V4 pool and performed several stablecoin swaps. Because the V4 pool was severely short of the stablecoin USDC, the user received far less USDC than expected, which ultimately resulted in a loss of US$460,000 in assets.

User A's operation left the balances of the 4 stablecoins in the V4 pool severely unbalanced, which instantly raised the V4 pool's fee return rate. User B noticed the higher fee rate and attempted arbitrage, exchanging $33,000 for 90,000 BUSD; all of the arbitrage operations together netted a profit of $3,527.

After the Curve team discovered the problem, it immediately topped up the funds in the Curve V4 pool. Because the transactions between the parties were large and extremely unbalanced, each participant incurred handling fees of up to $140,000 during the process; in the end, User A lost $140,000.

The cause of this incident was insufficient liquidity in the Curve pool, and because Curve is built on top of many other projects, risk accumulates from the bottom layers upward.

2) Crypto markets plunged on March 12th, with ETH at one point down 58%. The liquidation mechanism of MakerDao, a decentralized Defi project that uses ETH as collateral, nearly collapsed. Liquidated ETH collateral is sold at auction to the highest bidder. However, of the 3,994 auctions MakerDao ran, 1,462 were won with a bid of 0 DAI, resulting in a total loss of 62,893 ETH, worth $7.8 million, on the MakerDao platform.

The cause and effect of the incident are:

MakerDao's minimum collateralization ratio is 150%: a user who locks 150 ETH can borrow 100 DAI. In the original design of MakerDAO's liquidation mechanism, when the price of ETH plummets, the user's ETH collateral is liquidated to keep MakerDao operating safely. However, when ETH fell to $166, the MakerDao oracle malfunctioned, so the system believed the price of ETH was still $166 and many positions were left unliquidated.

The oracle failed because it fetches ETH exchange quotes in real time. The sharp drop in ETH that night caused a surge in transactions on the Ethereum chain, worsening the already congested network, and the oracle eventually stopped working.

All liquidated ETH entered the auction stage, and two issues had not been considered in MakerDao's original design: first, the gas fee could not be adjusted dynamically according to network congestion; second, the extreme case of too few auction participants was not considered, so no auction floor price had been set.

For these two reasons, users who would normally participate in the auctions could not get their bids through the congested network. Opportunistic users raised their gas fees and entered bids of 0 DAI, and those bids won.

3) The Defi project Synthetix disclosed a contract vulnerability, but the affected contract had not been activated, so no losses were incurred.

The vulnerability lies in the liquidation interface of the Synthetix contract. Normally, a user pledges ETH to obtain sETH, liquidates the position after the lock-up period, and calls the liquidation interface to return sETH and recover ETH. This vulnerability, however, allowed any user to directly burn sETH pledged by other users and obtain their ETH.

However, because the function was still in its trial phase, no actual user assets were lost.

Beosin commented:

Defi projects are developing rapidly. According to statistics, by 2020 the assets locked in Ethereum Defi applications had reached US$1 billion. Defi's popularity is mainly due to its high returns. Defi, also known as "decentralized finance" or open finance, offers return rates of up to 8%-10%, and returns at that level are bound to be accompanied by large risks.

This is an area of rapid iteration, so Defi teams are free to develop their contract products as they see fit; but there is no unified, standard security program for them to follow, nor any requirement to pass a strict security audit, which is why contract vulnerabilities and related security issues keep emerging one after another.

Chengdu Lian'an therefore recommends that every Defi project pay attention to contract security during development, so that contracts can cope with emergencies and abnormal usage and avoid losses; at the same time, projects should carry out security audits with the help of professional blockchain security companies to eliminate potential security risks.

On the exchange side, 2 typical security incidents occurred:

1) At the beginning of March, the US Department of Justice announced sanctions against Tian Yinyin and Li Jiadong, suspected of helping the North Korean hacker group Lazarus Group launder money, and froze all of their assets.

Tian Yinyin and Li Jiadong used fake ID cards and doctored photos at several exchanges to bypass the KYC process. According to statistics, the two Chinese citizens are accused of laundering more than $100 million stolen in virtual-currency exchange hacks.

2) Reports indicate that a new USDT fake deposit attack has appeared on the OMNI chain. The problem arises when an exchange or wallet does not verify the propertyid of the transaction when detecting a USDT deposit. The attacker issues a new token of their own on the chain and then relies on the propertyid going unchecked, so the worthless token is credited as USDT.

Beosin commented:

Fake deposits are already a common problem. From EOS, which frequently suffered fake deposit problems early on, to Ethereum and its various tokens later, and now USDT on the OMNI chain, all have encountered fake deposit attacks.

Fake deposits mainly stem from two problems: verifying the authenticity of the token, and verifying whether the transaction actually succeeded. Chengdu Chain Security therefore recommends that exchanges, wallets and similar projects verify both that the transaction succeeded and that the token is the correct one when checking a transaction, so as to avoid fake deposit attacks.
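The two checks recommended above for the OMNI USDT case, as an added example that is not part of the Beosin report: a deposit is credited only if it is a valid Omni simple send of property ID 31 (Tether USD on Omni mainnet) to the exchange's own address with enough confirmations. The record layout mirrors the fields of Omni Core's omni_gettransaction RPC; the transaction records, the deposit address and the confirmation policy are constructed placeholders.

```python
# Added example (not the report's or any exchange's own code): validating an
# Omni Layer USDT deposit before crediting it. Mirrors the two failure modes in
# the report: wrong token (propertyid) and a send that is not actually valid.

USDT_PROPERTY_ID = 31        # Tether USD on the Omni Layer (Bitcoin mainnet)
MIN_CONFIRMATIONS = 6        # assumed deposit policy, not a protocol constant
HOT_WALLET = "1ExchangeDepositAddressPLACEHOLDER"  # placeholder, not a real address

def validate_usdt_deposit(tx: dict, deposit_address: str = HOT_WALLET,
                          min_conf: int = MIN_CONFIRMATIONS) -> tuple:
    """Return (credit, reason). Credit only a valid, confirmed Simple Send
    of property 31 addressed to our own deposit address."""
    if tx.get("type_int") != 0:          # Omni type 0 = Simple Send
        return False, "not a simple send"
    if not tx.get("valid", False):       # Omni flags invalid sends explicitly
        return False, "transaction invalid on the Omni Layer"
    if tx.get("propertyid") != USDT_PROPERTY_ID:
        return False, f"property {tx.get('propertyid')} is not USDT"
    if tx.get("referenceaddress") != deposit_address:
        return False, "not sent to our deposit address"
    if tx.get("confirmations", 0) < min_conf:
        return False, "insufficient confirmations"
    return True, f"credit {tx['amount']} USDT"

# Constructed sample records shaped like omni_gettransaction output
# (txids are labels, not real hashes).
GENUINE = {"txid": "tx-genuine", "type_int": 0, "valid": True, "propertyid": 31,
           "amount": "1000.00000000", "referenceaddress": HOT_WALLET,
           "confirmations": 12}
# Attacker issues a new Omni token (constructed property ID 9999) and sends it,
# hoping the backend only looks at the amount and destination.
FAKE_TOKEN = dict(GENUINE, txid="tx-fake", propertyid=9999)
# A send that exceeds the sender's Omni balance: on-chain, but valid is false.
INVALID = dict(GENUINE, txid="tx-invalid", valid=False)
UNCONFIRMED = dict(GENUINE, txid="tx-young", confirmations=1)

if __name__ == "__main__":
    for sample in (GENUINE, FAKE_TOKEN, INVALID, UNCONFIRMED):
        print(sample["txid"], validate_usdt_deposit(sample))
```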

In terms of exit scams and crypto scams, a total of 4 typical security incidents occurred:

1) With the global outbreak of the novel coronavirus (COVID-19), some criminals are exploiting people's fears about the virus to run COVID-19-themed crypto scams.

Some scams impersonate the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC), sending emails and text messages to residents that claim to offer a list of COVID-19-positive people in their area in exchange for Bitcoin (BTC). Others lure users into downloading CovidLock, a fake COVID-19 tracking application that claims to run on Android devices; it is in fact malware that locks the user's phone and demands a ransom.

2) Fake BTC QR code fraud. Some websites claim to convert a user's BTC address into a QR code for free, for the convenience of receiving and sending payments; the generated QR code actually encodes an address belonging to the attacker. So far more than 0.6 BTC has been transferred to the attacker's address.

3) The worthless token PETH was listed on the Sprite Exchange and went to zero as soon as trading opened. All of the victims were pre-sale private-placement investors, about 228 people, with individual amounts ranging from 80 USDT to 1,000 USDT. The initial estimate of the total amount involved is about 400,000 RMB, and unfortunately some college students were among the victims.

4) The blockchain fund "Silicon Valley Block Chicken" is suspected of collapsing. "Silicon Valley Block Chicken" is a typical virtual-pet Ponzi scheme, similar to block cats and block dogs: buy pets at a low price and sell them at a high price after a period of time. This kind of crypto scam is really just funds being passed from one buyer to the next until no one is left to buy, which is the moment the project collapses.

In other areas, 4 typical security incidents occurred:

1) The crypto investment fund Trident was hacked and the data of 266,000 users was leaked.

2) The data of 523 million Weibo users was leaked and sold on the dark web.

3) The "Nth Room" case in South Korea, in which users communicated and paid via Telegram and virtual currency. After the South Korean police decided to thoroughly investigate all users who took part in the live-stream viewing rooms, exchanges including Upbit, Bithumb, Korbit, Coinone, Huobi and Kucoin expressed their willingness to cooperate with the police in investigating user information.

4) An Ethereum "one-click token issuance" platform planted a backdoor in the token contracts it generated: while issuing tokens to the project, it secretly transferred coins to its own account, then sold them for profit once the project's tokens began trading.

In view of the current state of blockchain security, "Chengdu Chain Security" summarizes as follows:

In general, blockchain security incidents continued to occur from time to time in March. Both the number of incidents and the losses they caused were at a medium level. This does not mean, however, that the severe blockchain security situation is easing; rather, it shows that security incidents now span a wider range of areas.

These include Defi projects, which continue to heat up while their problems become more apparent; a dark web market that remains active; money laundering; crypto scams; and contract vulnerabilities, all of which are security issues that cannot be ignored at present. Dark web funds, crypto scams and money laundering in particular are the key compliance issues exchanges face at this stage. In the Tian Yinyin and Li Jiadong money laundering case mentioned above, for example, the two easily bypassed exchange KYC verification using nothing more than fake IDs and doctored photos, thereby helping the North Korean hacker group Lazarus Group launder more than $100 million.

Continuously monitoring and assessing on-chain transaction risk, so as to support VASPs (virtual asset service providers), regulators and law enforcement in risk management, compliance supervision, investigation and evidence collection, is therefore an important task for supervising ecosystem security and promoting compliance.