Research on the major wallet risks of Binance, KuCoin, and Jump: Are assets stored in large institutions 100% safe?
This article is jointly published by DilationEffect and Wu Shuo Blockchain.
Original link:
🧐 Dilation Effect's flash review of mainstream exchange and institutional wallet addresses https://t.co/O4kpHVA1cr
— Dilation Effect 膨胀效应 (@dilationeffect) May 29, 2023
Mainstream exchanges and institutions undoubtedly invest heavily in money and manpower for security. Dilation Effect has no visibility into their internal security posture or implementation details, but out of curiosity we wanted to use only public information to perform a simple analysis of these institutions' wallet addresses, looking for potential security risks from the perspective of an ordinary user and estimating the potential risk exposure.
The data for this quick review comes from public services such as Etherscan and Debank.
1. Selection of Analyzed Objects
From Etherscan's Top Accounts list (top 1000), we select the addresses labeled as belonging to exchanges or institutions.
2. Selection of Analyzed Dimensions
How can we analyze the security of these addresses without knowing how the exchanges and institutions generate and manage their wallets? The dimension Dilation Effect chose this time is the ERC-20 approvals (allowances) these addresses have granted to smart contracts.
A common way for an address to be drained is that its owner signed a malicious approval, or that a contract holding a legitimate approval turns out to have a vulnerability: whoever controls the approved contract can call transferFrom for up to the approved amount, no matter how well the private key is protected. Capping approval amounts and regularly revoking approvals that are no longer needed have become standard security practice. So how do the addresses of these large exchanges measure up? Let's pick a few at random and take a look.
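The following Python script is an added example of the check described above, not Dilation Effect's or Debank's tooling. It rebuilds a wallet's current allowances from decoded ERC-20 Approval events, flags approvals that are unlimited (uint256 max, or larger than the token's total supply) or older than a chosen threshold, sizes the exposure as min(balance, allowance) at the token price, and builds the calldata for the two on-chain operations a practitioner needs afterwards: the allowance(owner, spender) eth_call that confirms the real allowance, and the approve(spender, 0) transaction that revokes it. Only the owner address is taken from the page (Binance8); the token and spender addresses, balances, prices, timestamps and the 180-day staleness threshold are constructed sample data and our own choices.

```python
"""Approval audit for one wallet, rebuilt from decoded ERC-20 Approval events.
Added example, not Dilation Effect's or Debank's code.  Token/spender addresses,
balances, prices and timestamps are constructed; only OWNER comes from the page."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UINT256_MAX = 2**256 - 1
STALE_AFTER = timedelta(days=180)   # our threshold, not an industry constant
SEL_APPROVE = "0x095ea7b3"          # keccak256("approve(address,uint256)")[:4]
SEL_ALLOWANCE = "0xdd62ed3e"        # keccak256("allowance(address,address)")[:4]

@dataclass(frozen=True)
class ApprovalEvent:
    token: str            # ERC-20 contract that emitted Approval(owner, spender, value)
    spender: str          # contract granted the allowance
    value: int            # new allowance in base units; approve() overwrites, not adds
    timestamp: datetime

@dataclass(frozen=True)
class TokenInfo:
    symbol: str
    decimals: int
    balance: int          # owner's balance, base units
    total_supply: int     # base units
    price_usd: float

@dataclass(frozen=True)
class Finding:
    symbol: str
    spender: str
    unlimited: bool
    stale: bool
    exposure_usd: float   # what the spender could move right now

def latest_allowances(events):
    """Allowance per (token, spender) = value of the last Approval event.
    Caveat: many tokens emit no Approval when transferFrom() decrements the
    allowance, so this is an upper bound; confirm via allowance_calldata()."""
    latest = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        latest[(ev.token, ev.spender)] = ev
    return latest

def audit(events, tokens, now):
    """Flag unlimited and stale approvals; exposure = min(balance, allowance) * price."""
    findings = []
    for (token, spender), ev in latest_allowances(events).items():
        if ev.value == 0:                             # revoked, nothing to report
            continue
        info = tokens[token]
        unlimited = ev.value == UINT256_MAX or ev.value > info.total_supply
        exposure = min(info.balance, ev.value) / 10**info.decimals * info.price_usd
        findings.append(Finding(info.symbol, spender, unlimited,
                                now - ev.timestamp > STALE_AFTER, exposure))
    return sorted(findings, key=lambda f: -f.exposure_usd)

def _word(addr):
    """ABI-encode a 20-byte address as one 32-byte word (hex, no 0x)."""
    h = addr.lower().removeprefix("0x")
    if len(h) != 40 or set(h) - set("0123456789abcdef"):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return h.rjust(64, "0")

def revoke_calldata(spender):
    """Calldata for approve(spender, 0): send to the token contract to clear the allowance."""
    return SEL_APPROVE + _word(spender) + "00" * 32

def allowance_calldata(owner, spender):
    """Calldata for allowance(owner, spender): eth_call it against the token contract."""
    return SEL_ALLOWANCE + _word(owner) + _word(spender)

# ---- constructed sample: one wallet, three tokens, four Approval events ----
OWNER = "0xF977814e90dA44bFA03b6295A0616a897441aceC"          # Binance8 (from the page)
BUSD, MATIC, SHIB = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20     # placeholder tokens
POOL, ROUTER, BRIDGE = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20  # placeholder spenders
TOKENS = {
    BUSD:  TokenInfo("BUSD", 18, 1_900_000_000 * 10**18, 5_000_000_000 * 10**18, 1.00),
    MATIC: TokenInfo("MATIC", 18, 500_000_000 * 10**18, 10_000_000_000 * 10**18, 0.92),
    SHIB:  TokenInfo("SHIB", 18, 30 * 10**12 * 10**18, 589 * 10**12 * 10**18, 0.0000088),
}

def _utc(day):
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)

EVENTS = [
    ApprovalEvent(BUSD, POOL, UINT256_MAX, _utc("2021-03-01")),            # unlimited, never cleared
    ApprovalEvent(MATIC, ROUTER, 1_000_000 * 10**18, _utc("2023-05-20")),  # capped, recent
    ApprovalEvent(SHIB, BRIDGE, UINT256_MAX, _utc("2022-01-01")),
    ApprovalEvent(SHIB, BRIDGE, 0, _utc("2022-06-01")),                    # revoked via approve(.., 0)
]
NOW = _utc("2023-05-29")

def audit_sample():
    return audit(EVENTS, TOKENS, NOW)

if __name__ == "__main__":
    for f in audit_sample():
        flags = ("UNLIMITED" if f.unlimited else "capped") + (", STALE" if f.stale else "")
        print(f"{f.symbol:6} -> {f.spender}  {flags:17} exposure ${f.exposure_usd:,.0f}")
        if f.unlimited or f.stale:
            print("   revoke with calldata:", revoke_calldata(f.spender))
```

On the sample data the BUSD approval comes out as unlimited and stale with the whole $1.9 billion balance exposed, the capped MATIC approval exposes only the approved one million tokens, and the SHIB approval that was cleared with approve(spender, 0) produces no finding. Because Approval events are only an upper bound, the allowance() call is the authoritative source before deciding to revoke; the same checks apply to the KuCoin and Jump Trading cases below.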
Case 1
Address:
Binance8 (0xF977814e90dA44bFA03b6295A0616a897441aceC)
This is the Binance wallet with the largest balance: roughly $10 billion on the ETH chain and $16.1 billion on other chains. A screenshot of part of its holdings follows:
Checking this address's approvals on the ETH chain shows a risk exposure of $3.2 billion. This does not mean there is a confirmed vulnerability; it only describes the assets that approved contracts could move, i.e. the potential risk exposure.
So let's look at how this address has granted approvals: which tokens are approved to which contracts, and for how much. Below are some excerpts from the query results.
We then noticed something odd: some tokens on this address have capped approval amounts, while others have unlimited approvals, and the rules do not appear to be uniform. We are particularly concerned about BUSD, MATIC, SHIB and SAND, which have large balances on the address ($1.9 billion, $460 million, $260 million and $140 million respectively). The relevant approval records are as follows:
There are several obvious problems here:
First, approvals are not revoked regularly. The BUSD approval, for example, has been in place for more than two years, either because nobody noticed or because clearing it was considered unnecessary. This suggests that Binance's internal security management does not cover approvals systematically. One might argue that the approved contracts have been reviewed and have limited capabilities, so they are relatively safe. Our point is that this is not just a technical question but a security management one: how should Binance comprehensively and systematically manage the risk introduced by third-party contracts? We think it could be stricter and more thorough. In fact, a closer look shows that Aave: Lending Pool V2 is an upgradeable proxy contract, so an approval granted to it is effectively an approval to whatever implementation the proxy's admin points it at in the future, not just to the code that exists today. If (and we do mean if) the Aave contract were attacked, the loss would be $1.9 billion.
Second, a large number of the approvals are unlimited. Capping the approved amount directly caps the loss if the approved contract is ever compromised. This is another sign that approvals are not managed systematically. One might say these are extreme scenarios, but the history of the crypto industry is full of low-probability events that actually happened. Risk sensitivity has to go up, and an extreme aversion to risk is warranted.
Third, the approval rules are inconsistent: some tokens are capped, others have no cap at all, with no consistent policy behind the choices. This suggests that Binance's internal security operations either lack a clear policy or that internal teams are not coordinating well.
We are also curious why an address holding assets of this size participates so frequently in DeFi contract interactions. Could Binance adopt a more granular address plan, with operational addresses isolated from the large reserve?
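To make the upgradeable-proxy caveat above checkable, here is an added example (not Aave's or Dilation Effect's code) that classifies an approval target from its EIP-1967 storage slots: a non-zero implementation slot means the spender is a proxy whose logic can be swapped by whoever controls the admin slot, so an allowance granted to it effectively extends to future code. The function that builds the eth_getStorageAt request leaves the RPC transport to the caller; the storage words used in the sample are constructed, not read from mainnet, and proxies that use older or custom slot layouts are not detected by this check.

```python
"""Is an approval target an upgradeable proxy?  Added example, not Aave's or
Dilation Effect's code.  Reads the EIP-1967 implementation/admin slots via
eth_getStorageAt; the sample storage words are constructed, not fetched."""
import json

# EIP-1967 slots: bytes32(uint256(keccak256("eip1967.proxy.<name>")) - 1)
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"
ZERO_WORD = "0x" + "00" * 32

def storage_request(contract, slot, req_id=1):
    """JSON-RPC body for eth_getStorageAt(contract, slot, "latest"); POST it as JSON."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_getStorageAt",
            "params": [contract, slot, "latest"]}

def word_to_address(word):
    """Low 20 bytes of a 32-byte storage word as an address, or None if the slot is empty."""
    h = word.lower().removeprefix("0x").rjust(64, "0")   # some nodes strip leading zeros
    if len(h) != 64 or set(h) - set("0123456789abcdef"):
        raise ValueError(f"not a 32-byte storage word: {word}")
    return None if set(h) == {"0"} else "0x" + h[-40:]

def classify_spender(impl_word, admin_word):
    """Given the two slot values read from the spender, say whether its code can change."""
    impl, admin = word_to_address(impl_word), word_to_address(admin_word)
    if impl is None:
        return {"upgradeable": False, "implementation": None, "admin": None,
                "note": "EIP-1967 implementation slot empty; could still be a "
                        "proxy with a custom slot layout, so check the bytecode"}
    return {"upgradeable": True, "implementation": impl, "admin": admin,
            "note": "allowance effectively extends to whatever code the admin "
                    "points this proxy at in future"}

# constructed eth_getStorageAt results for a hypothetical proxy and a plain contract
PROXY_IMPL_WORD = "0x" + "00" * 12 + "ab" * 20
PROXY_ADMIN_WORD = "0x" + "00" * 12 + "cd" * 20

def classify_sample():
    proxy = classify_spender(PROXY_IMPL_WORD, PROXY_ADMIN_WORD)
    plain = classify_spender(ZERO_WORD, ZERO_WORD)
    return proxy, plain

if __name__ == "__main__":
    spender = "0x" + "11" * 20                              # hypothetical approval target
    for slot in (IMPL_SLOT, ADMIN_SLOT):
        print(json.dumps(storage_request(spender, slot)))  # what you send to the node
    for label, result in zip(("proxy", "plain"), classify_sample()):
        print(label, result)
```

A practical reading of the result: an unlimited approval to a spender that classifies as upgradeable should be treated as trust in the admin (often a multisig or timelock), not in the audited implementation, and is a candidate for a cap or a revocation once the interaction is finished.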
Case 2
Address:
Kucoin6 (0xD6216fC19DB775Df9774a6E33526131dA7D19a2c)
This is a KuCoin exchange address, with $1.7 billion on the ETH chain and $1.9 billion on other chains. A screenshot of its holdings follows:
Checking this address's approvals on the ETH chain shows $1.1 billion at risk. As before, this does not necessarily mean there is a security problem; it only describes the potential risk exposure.
Let's take a closer look at the approvals on KuCoin's address.
Wow! We’ve found something interesting again.
1. The address's APE was approved to Multichain's cross-chain Router contract on April 2, 2022. As you may know, Multichain announced a few days ago that it was affected by force majeure, yet KuCoin has not revoked its approval to the Multichain contract. This shows that KuCoin still has room to improve its emergency response to risk events.
2. All of the large holdings on this address, such as USDT ($500 million), USDC ($290 million) and KCS ($480 million), are approved to a contract labeled Bridge, with no cap on the amount. A quick look shows that Bridge is the cross-chain bridge contract of KCC, KuCoin's community chain, but we could not find a security audit report on KCC's official website, which is alarming. Remember the October 2022 exploit of BNB Chain's own cross-chain bridge, in which 2 million BNB were minted out of thin air?
Case 3
Address:
JumpTrading (0xf584F8728B874a6a5c7A8d4d387C9aae9172D621)
This is the address of Jump Trading, with $140 million on the ETH chain and $150 million on other chains. A screenshot of its holdings follows:
Checking this address's approvals on the ETH chain shows a warning that $25 million is at risk. As before, this does not necessarily indicate a security problem; it only describes the potential risk exposure.
Let's take a closer look at the approvals the Jump Trading address has granted for specific tokens.
This address has granted relatively few approvals, and the vast majority of them are capped; overall, the management here is fairly good.
However, USDC was approved to the Curve contract on February 4, 2021 with no cap, and the approval has never been revoked. This is worth flagging: if no further interaction with that contract is needed, we recommend revoking the approval immediately.
Summary
That concludes this flash review. Dilation Effect randomly selected several exchange and institutional addresses for analysis, and the results show that these institutions have not managed contract approvals very well. We hope the analysis is useful to the institutions concerned. Exchanges and institutions not covered here can follow the same process to check whether they have similar issues.