Security Monthly | 10 security incidents in October; DeFi lending platforms become a new money-laundering channel for hackers

According to data from the PeckShield situational awareness platform, there were 10 notable security incidents across the blockchain ecosystem over the past month. The overall severity is rated "medium", with losses in the tens of millions of dollars. The incidents break down into 3 digital wallet incidents, 2 DApp incidents and 1 smart contract incident, plus exit scams, phishing and other cases.

Digital wallet

There were 3 wallet security incidents in October, two of which involved stolen wallet private keys.

1) The private key of the cold wallet of an investment institution in Shanghai was stolen, causing losses of tens of millions of yuan;

2) The decentralized escrow platform Payfair issued an official statement that the private key of its cold wallet had been compromised in a hacking attack;

3) The web version of the cryptocurrency wallet Safuwallet was compromised; the attackers injected malicious code into it and stole a large amount of funds.

PeckShield Comments: As tools for managing private keys, digital wallets sit closest to the crypto assets themselves. Although a cold wallet is kept offline, it can still be physically attacked and its key stolen. For hot wallets such as web wallets, users should guard against phishing and malicious code injection.


DApp ecosystem

There were 2 DApp security incidents in October, both of which occurred within the EOS ecosystem.

The EOS game BitDice suffered a fake-EOS attack and lost 4,000 EOS; the SKReos game suffered a transaction memo attack and lost 6,000 EOS. SKReos had previously been reported several times as a victim of transaction congestion and random number attacks.

Specifically, in a fake-EOS attack the attacker deploys their own token contract and issues a token also named EOS; only tokens issued by the official eosio.token contract are real EOS. Transferring the fake EOS to the game triggers the transfer handler of the attacked contract, which never checks which contract the token came from, so the attacker is paid winnings in real EOS. In a transaction memo attack, the attacker carefully crafts the memo of the bet transaction so that the game server parses it abnormally, which leads to continuous wins or an abnormally large refund.
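To make both attack classes concrete, here is an added C++ model of a dice game's incoming-transfer handler. It is written for this article and is not code from BitDice, SKReos or EOSIO; it uses plain C++ with no eosio headers so it compiles stand-alone. The account names (dicegame, evil.token), the "<roll_under>-<seed>" memo grammar and the 2..96 range are assumptions for illustration. The vulnerable handler keys only on the symbol string and parses the memo with atoi(); the hardened handler also checks which contract executed the transfer, ignores the contract's own outgoing payouts, and rejects any memo that does not match the grammar exactly.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <optional>
#include <stdexcept>
#include <string>

// Constructed model of an EOS dice game's transfer handler, not the code of any
// real game. Field names, account names and the memo grammar are assumptions.

struct Asset {
    int64_t amount;        // smallest unit: 1.0000 EOS == 10000
    unsigned precision;    // real EOS uses 4 decimals
    std::string symbol;    // symbol code, e.g. "EOS"
};

struct TransferAction {
    std::string code;      // account whose contract executed the action
    std::string from;
    std::string to;
    Asset quantity;
    std::string memo;      // game protocol (assumed): "<roll_under>-<seed>"
};

struct Bet {
    std::string player;
    int64_t amount;
    int roll_under;        // player wins if the roll is below this number
    std::string seed;
};

static const std::string SELF = "dicegame";      // the game's own account (assumed)
static const std::string TOKEN = "eosio.token";  // the only contract that issues real EOS

// Vulnerable handler: any action named "transfer" whose symbol reads "EOS" is
// credited, so an attacker's own token named EOS counts like real EOS, and the
// memo is parsed with atoi(), which never fails: "999-x" -> 999, "abc" -> 0.
std::optional<Bet> vulnerable_on_transfer(const TransferAction& a) {
    if (a.quantity.symbol != "EOS") return std::nullopt;
    int under = std::atoi(a.memo.c_str());
    auto dash = a.memo.find('-');
    std::string seed = dash == std::string::npos ? "" : a.memo.substr(dash + 1);
    return Bet{a.from, a.quantity.amount, under, seed};
}

// Hardened handler. Returning nullopt models "not a deposit for us, ignore it";
// throwing models a failed eosio::check(), which aborts the whole transaction so
// the incoming transfer never lands and nothing has to be refunded.
std::optional<Bet> hardened_on_transfer(const TransferAction& a) {
    // Fake-EOS defence: in a real contract this is the dispatcher test
    // code == "eosio.token"_n && action == "transfer"_n.
    if (a.code != TOKEN) return std::nullopt;
    if (a.quantity.symbol != "EOS" || a.quantity.precision != 4) return std::nullopt;
    // Our own outgoing payouts also notify this contract; they are not bets.
    if (a.to != SELF || a.from == SELF) return std::nullopt;
    if (a.quantity.amount <= 0) throw std::invalid_argument("non-positive quantity");

    // Memo defence: accept exactly "<1-2 digits>-<hex seed>", reject everything else.
    auto dash = a.memo.find('-');
    if (dash == std::string::npos || dash == 0 || dash + 1 >= a.memo.size())
        throw std::invalid_argument("memo must be <roll_under>-<seed>");
    std::string num = a.memo.substr(0, dash);
    if (num.size() > 2 || num.find_first_not_of("0123456789") != std::string::npos)
        throw std::invalid_argument("roll_under must be 1-2 digits");
    int under = std::stoi(num);
    if (under < 2 || under > 96)
        throw std::invalid_argument("roll_under out of range");
    std::string seed = a.memo.substr(dash + 1);
    if (seed.size() > 64 || seed.find_first_not_of("0123456789abcdef") != std::string::npos)
        throw std::invalid_argument("seed must be hex, at most 64 chars");
    return Bet{a.from, a.quantity.amount, under, seed};
}

int main() {
    // Constructed sample: a transfer of a token named EOS issued by evil.token.
    TransferAction fake{"evil.token", "attacker", SELF, {10000, 4, "EOS"}, "50-abc"};
    std::printf("vulnerable credits fake EOS: %d\n", (int)vulnerable_on_transfer(fake).has_value());
    std::printf("hardened credits fake EOS:   %d\n", (int)hardened_on_transfer(fake).has_value());
    return 0;
}
```

The memo check deliberately rejects rather than "repairs" malformed input: in an on-chain handler, aborting is cheaper and safer than any refund path, and a refund path is itself a target for oversized or repeated refunds.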

PeckShield Comments: Both attacks on these EOS games are relatively common. DApp developers should run security tests before a contract goes live to defend against known attacks, and if necessary engage a third-party security firm to help complete attack testing and basic security defence deployment before launch.

Smart contract

A total of 1 smart contract security incident occurred in October, and the related vulnerability led to the affected game becoming the first blockchain game to perform a hard fork.

On October 14, Cheeze Wizards launched on the Ethereum mainnet. Less than 24 hours later, the player @samczsun reported to the team a serious flaw in the game contract that could be used to make a player's wizard invincible. Cheeze Wizards then chose a fork to protect users' rights: the team fixed the vulnerability, deployed a new smart contract, and compensated users for their losses.

The vulnerability lies in the resolveTimedOutDuel(uint256,uint256) method of the smart contract.

Cheeze Wizards is a duelling game in which players can submit a "one-sided reveal" transaction. When one player has revealed their move and the opponent has not revealed theirs by the deadline (90 minutes), the honest player can call resolveTimedOutDuel() to take the energy of the wizard that failed to reveal. The crux of the problem is who may call it and with what arguments.

Examples of a normal call and a malicious call are as follows.

Normal call: resolveTimedOutDuel(WIZARD-A, WIZARD-B)

Malicious call: resolveTimedOutDuel(WIZARD-A, WIZARD-A)

Because the contract developer assumed the two incoming wizard ids would always be different, there is no validation, and the method is public: any player can choose the wizard ids. A malicious player can pass the same wizard id twice, and in this way the energy of the honest player is frozen.

The fix is very simple: add a check at the start of the method that rejects any call in which both wizard ids are the same.
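The following C++ model, added here and not the project's Solidity, reproduces the logic in miniature: wizards with energy (called power below), duels with a 90-minute reveal deadline, a vulnerable resolveTimedOutDuel that accepts the same id twice, and a fixed variant that rejects it. Field names, the power-transfer rule and the duel bookkeeping are assumptions; only the shape of the bug follows the description above. The main() shows the stalling wizard 2 calling the method with its own id twice, escaping the loss and leaving wizard 1 stuck in a duel that can no longer be resolved.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <stdexcept>

// Constructed model of the Cheeze Wizards duel timeout, not the project's code.
// Power (the "energy" in the text), duel ids and the win rule are assumptions.

struct Wizard { uint64_t power; uint64_t duelId; bool revealed; };  // duelId 0 == idle
struct Duel   { uint64_t deadline; bool resolved; };

class DuelArena {
public:
    static constexpr uint64_t REVEAL_TIMEOUT = 90 * 60;   // 90 minutes, in seconds
    std::map<uint64_t, Wizard> wizards;
    std::map<uint64_t, Duel> duels;
    uint64_t now = 0;                                      // block timestamp stand-in

    void mint(uint64_t id, uint64_t power) { wizards[id] = Wizard{power, 0, false}; }

    uint64_t startDuel(uint64_t a, uint64_t b) {
        require(a != b, "a wizard cannot duel itself");
        require(wizards.at(a).duelId == 0 && wizards.at(b).duelId == 0, "wizard busy");
        uint64_t id = ++lastDuel;
        duels[id] = Duel{now + REVEAL_TIMEOUT, false};
        wizards[a].duelId = id; wizards[a].revealed = false;
        wizards[b].duelId = id; wizards[b].revealed = false;
        return id;
    }

    void reveal(uint64_t w) {
        require(wizards.at(w).duelId != 0, "not duelling");
        wizards[w].revealed = true;
    }

    // Vulnerable: nothing stops w1 == w2.
    void resolveTimedOutDuelVulnerable(uint64_t w1, uint64_t w2) { resolve(w1, w2, false); }
    // Fixed: the single added check described in the text.
    void resolveTimedOutDuelFixed(uint64_t w1, uint64_t w2) { resolve(w1, w2, true); }

private:
    uint64_t lastDuel = 0;
    static void require(bool ok, const char* msg) { if (!ok) throw std::logic_error(msg); }

    void resolve(uint64_t w1, uint64_t w2, bool checkDistinct) {
        if (checkDistinct) require(w1 != w2, "same wizard passed twice");
        Wizard& a = wizards.at(w1);     // with w1 == w2, a and b alias the same wizard
        Wizard& b = wizards.at(w2);
        require(a.duelId != 0 && a.duelId == b.duelId, "not in the same duel");
        Duel& d = duels.at(a.duelId);
        require(!d.resolved && now >= d.deadline, "duel over or reveal window still open");
        if (a.revealed && !b.revealed) { a.power += b.power; b.power = 0; }  // w1 wins by timeout
        d.resolved = true;
        a.duelId = 0; a.revealed = false;  // only the ids passed in leave the duel: an
        b.duelId = 0; b.revealed = false;  // opponent that was not passed stays stuck for good
    }
};

int main() {
    DuelArena arena;
    arena.mint(1, 100); arena.mint(2, 100);
    arena.startDuel(1, 2);
    arena.reveal(1);                              // wizard 1 reveals, wizard 2 stalls
    arena.now = DuelArena::REVEAL_TIMEOUT;        // deadline reached
    arena.resolveTimedOutDuelVulnerable(2, 2);    // wizard 2 walks away from the loss
    std::printf("wizard 2: power %llu, duel %llu; wizard 1: duel %llu (stuck)\n",
        (unsigned long long)arena.wizards[2].power, (unsigned long long)arena.wizards[2].duelId,
        (unsigned long long)arena.wizards[1].duelId);
    return 0;
}
```

The same-id guard is the minimal fix; a reviewer would also want the method to require that the first wizard has revealed and the second has not, so that the only caller who benefits is the one the rules intend.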

PeckShield Comments: When implementing such methods, smart contract developers should pay special attention to the parameters of public interfaces, consider every abnormal input, and add defensive checks accordingly.


Exit scams

In October, several projects were reported in the media as pyramid schemes or fraud, such as the Qubu app being placed under investigation and ICC suspending maintenance.

CoinHolmes, the visual digital asset tracking service launched by PeckShield, has also been monitoring the movement of funds from exit scams and thefts.

CoinHolmes observed part of the assets stolen from Cryptopia flowing into the Uniswap decentralized exchange and into the well-known DeFi lending project Compound.

Given how frequent exit scams have become, CoinHolmes provides a reporting channel: users can submit the relevant on-chain address at https://forms.coinholmes.com and query the flow of the digital assets in real time.

PeckShield Comments: Beyond traditional centralized exchanges, hackers keep looking for new ways to launder money. Moving the funds into Compound, for example, mainly serves to obscure the money trail through a DeFi lending platform, though earning interest on the stolen funds cannot be ruled out either. Alongside DEXs, DeFi lending platforms with good liquidity have become a new laundering channel for hackers.


Phishing attacks and other security incidents

Beyond the incidents above, several other October incidents deserve equal vigilance:

1) A Telegram "arbitrage" scam took in up to 750 ETH within eight days;

2) MEET.ONE reminded EOS users to beware of DApp phishing scams.

PeckShield Comments: Security incidents caused by weak user security awareness and poor operational habits keep emerging; phishing attacks and arbitrage scams are typical examples. Users investing in digital assets should guard all kinds of private information carefully; even a small lapse can cause irreparable loss.
