Inventory from Beosin | Over 12 Typical Security Incidents in April: Ethereum DeFi Has Suffered Repeated Collapses and All Kinds of Scams Are Still Active
According to the monitoring data of Beosin-Eagle Eye, a range of security incidents occurred in April. Beosin's security staff counted over 12 typical security incidents in April, and DeFi security issues remain prominent.
In DeFi, there were 3 typical security incidents in total:
1) On April 18, the imBTC pool on Uniswap suffered a reentrancy attack. The attackers exploited the way Uniswap interacts with ERC777 tokens during an ETH-imBTC trade: the ERC777 tokensToSend hook was invoked repeatedly to re-enter the exchange contract. The attackers obtained 1278 ETH and some imBTC in this attack, a total loss of more than 300,000 US dollars.
2) On April 19, the decentralized lending platform Lendf.me suffered a reentrancy attack similar to the Uniswap incident. The attacker called the supply() function repeatedly and, while the second call to supply() was in progress, called Lendf.me's withdraw function to directly withdraw the imBTC deposited earlier; when supply() returned, the account balance had not been reset. The attacker kept modifying and increasing his own imBTC collateral and eventually borrowed all the loanable currencies and funds from the trading pair. In this attack, the hackers obtained more than 24 million US dollars in various currencies and funds. However, under pressure from all parties, the hackers eventually returned all of the funds.
3) On April 23, the newly launched option trading protocol Hegic locked user funds worth 28,000 US dollars in an expired option contract due to a bug in the code, leaving them permanently inaccessible.
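To make the pattern behind the two reentrancy incidents above concrete, here is an added illustration in Solidity (not code from Lendf.me, Uniswap or Beosin) of a minimal lending pool: a supply() that reads the caller's balance, makes the external token call, and only then writes the balance back, beside a version hardened with checks-effects-interactions and a reentrancy guard. The token interface IHookedToken, the contract names and the state layout are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not the code of Lendf.me, Uniswap or Beosin). IHookedToken is a
// hypothetical ERC777-style token: its transferFrom() invokes the sender's
// tokensToSend hook before the balance moves, so the sender gets control of
// execution in the middle of the pool's deposit.
interface IHookedToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE: the balance is read before the external call and written after it,
// so anything withdraw() does from inside the token hook is overwritten at step (3).
contract VulnerablePool {
    IHookedToken public immutable token;
    mapping(address => uint256) public balances;

    constructor(IHookedToken t) { token = t; }

    function supply(uint256 amount) external {
        uint256 before = balances[msg.sender];                 // (1) stale read
        // (2) interaction: control passes to msg.sender's tokensToSend hook here
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] = before + amount;                // (3) late write erases any withdrawal
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}

// HARDENED: every state-changing entry point is guarded against nested calls, and
// state is updated in place before the external call (checks-effects-interactions),
// so a hook can neither re-enter nor observe a half-updated balance.
contract HardenedPool {
    IHookedToken public immutable token;
    mapping(address => uint256) public balances;
    uint256 private locked = 1;  // 1 = unlocked, 2 = locked

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IHookedToken t) { token = t; }

    function supply(uint256 amount) external nonReentrant {
        balances[msg.sender] += amount;                        // effect first
        // if the transfer reverts, the credit above reverts with it
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient"); // check
        balances[msg.sender] -= amount;                          // effect
        require(token.transfer(msg.sender, amount), "transfer failed"); // interaction
    }
}
```

In the vulnerable contract, a withdraw() executed from the token hook during step (2) reduces balances[msg.sender] and pays out tokens, but step (3) then restores the balance to the pre-call value plus the new deposit, which is the "balance had not been reset" behaviour described for Lendf.me. In the hardened contract the guard rejects the nested call outright, and even without the guard the credit has already been applied before control leaves the contract. The Uniswap incident shares the same root cause, a token hook handing control back to the caller while the exchange's own accounting is still in flight, so the same two rules apply there: update state before every external call, and refuse re-entry on any path that touches balances.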
Comments of Beosin:
The bZx incident in February is still fresh, the MakerDAO incident in March is still vivid, and in April the turbulent Ethereum DeFi market still could not escape adversity. Both Lendf.me and Uniswap suffered reentrancy attacks and heavy losses. DeFi protocols from various platforms are now emerging one after another, and with no guiding standard for DeFi protocols, projects grow unchecked. The result resembles a tower of Lego bricks patched together and growing ever bigger and taller: once one segment of the tower has a problem, the whole structure is affected.
Here are some suggestions from Beosin:
1. Project contract code must not only be functionally complete, concise and clear, but must also follow security standards; non-standard code logic can cause security problems.
2. Before a project launches, its contract code should be fully and professionally audited, either in-house or with the help of a third-party security company, to fix as many problems as possible and avoid risk.
3. While a project is in operation, an emergency plan or risk control mechanism should be in place so that abnormal conditions can be blocked in time and further losses avoided.
In exchanges, there was 1 typical security incident:
On April 29, Binance was attacked; from noon, a large number of its contract trading pages were stuck or could not be opened at all.
On the dark net, there were 3 typical security incidents:
1) On April 9, the email service provider Email.it was hacked, and data on 600,000 users was uploaded to the dark net.
2) On April 23, information on 267 million Facebook accounts was sold on the dark net for 600 US dollars. The account information included names, email addresses, telephone numbers, social status, gender, etc.
3) On April 29, a hacker sold novel coronavirus pneumonia detection technology and data from Huiying Medical on the dark net for 4 bitcoins.
In crypto frauds and scams, there were 4 typical security incidents:
1) On April 19, EOS Ecology, one of the capital market projects, which had been operating for more than a year and a half, ran away; its deposit address w.io frequently transferred assets to other addresses, revealing an intention to move the assets out and cash out. As of April 22, the balance of w.io was only 1682 EOS. According to on-chain tracking data, the funds of EOS Ecology were finally pooled into 4 main EOS addresses, totaling more than 20 million EOS, and the amount involved in the incident exceeded 360 million yuan.
2) The "convert assets into cash" scam on Telegram is still popular; recently many users have been cheated out of more than 900 ETH. Although both Huobi and imToken have issued official statements, such scams still occur and users are still being taken in.
3) Phishing accounts created a fake official imToken Telegram group and posed as official technical staff, guiding users to "convert assets into cash". Deceived users were then told to perform a "transaction rollback" by entering their private key on a designated website, causing a second round of fraud. Part of the victims' funds has since flowed into exchanges.
4) Recently there have been scams impersonating the official Voice account to trick users into depositing on the EOS mainnet. At present, the deposit addresses of the 2 scams have received more than 9000 EOS per month.
In other areas, there was 1 typical security incident:
PegNet, a stablecoin network, suffered a 51% attack this week. Together the 4 attackers controlled up to 70% of the hash rate. After submitting false price data, they changed the balance of their wallets from 11 US dollars to 6.7 million US dollars.
In view of the current situation in blockchain security, Beosin summarizes as follows:
Overall, the number of security incidents in April decreased compared with March, but in individual categories the trend is upward. For Ethereum DeFi the situation remains grim, with 3 security incidents in April. In the Lendf.me theft, although the hackers returned all the stolen funds, a theft of this scale should still be a wake-up call to all parties: even one small and unremarkable error can become the fuse that drains a project's entire capital pool.
In addition, we remind all DeFi project teams on the market that when security risks are exposed, they should run a self-check promptly; this is a worthwhile and necessary step for identifying potential vulnerabilities and risks. Of course, a comprehensive and meticulous review with the help of professional blockchain security companies is more preventive.
It should also be noted that intelligence on crypto scams increased in April. Whether the familiar "convert assets into cash" scams on Telegram, or the series of derivative investment scams and fake Voice scams on the EOS public chain, all of them exploit people's desire for petty gains. As users, as long as we are not greedy for small profits, we can avoid being cheated.
In the face of increasingly serious crimes exploiting various virtual assets and the frequent occurrence of security incidents, Beosin, a global leader devoted to building the blockchain security ecosystem, is about to launch the VASP edition of its Anti-Money Laundering and Investigation & Evidence Collection System (Beosin-AML) to meet the regulatory requirements put forward by the FATF and the jurisdictions of various countries, help VASPs reduce operational risk, prevent losses from security risks, and make the blockchain ecosystem more secure!