Inventory from Beosin | There Are Over 17 Typical Security Incidents in March; the Prospects and Risks of Ethereum DeFi Coexist and Fraud Activities Have Increased

BEOSIN
10 min read · Apr 10, 2020

According to monitoring data from Beosin-Eagle Eye, a variety of security incidents occurred in March. Beosin's security personnel counted more than 17 typical security incidents in March, covering the security of Ethereum DeFi, the security of exchanges, fraud, and other incidents. Seen from another angle, they involve both the security of virtual assets and the security of user data.

In terms of DeFi, there were 3 typical security incidents in total:

In recent months, as DeFi has continued to heat up, its security issues have become increasingly prominent. The two bZx flash-loan attacks not long ago have already raised the question: beneath the gradual prosperity of DeFi, is a huge security risk hidden?

1) On Feb. 28th, a user made a very large exchange in Curve V4 while its liquidity was insufficient. Although the Curve team discovered the incident and remedied it immediately, the user ultimately lost 140,000 US dollars.

The specific course of the incident was as follows:

User A wanted to move funds from the Curve V3 pool to the V4 pool and carried out multiple stablecoin exchanges. The amount of the stablecoin USDC in the V4 pool was seriously insufficient, yet the user kept exchanging into USDC in quantities the pool could not cover, which ultimately resulted in a loss of 460,000 US dollars.

User A's operation unbalanced the amounts of the 4 stablecoins in the V4 pool, which instantly pushed up V4's fee yield; after user B observed the increased yield, he attempted arbitrage and exchanged 33,000 US dollars for 90,000 BUSD. All of the arbitrage operations together made a profit of 3,527 US dollars.

After the Curve team discovered the problem, they immediately replenished the funds in the Curve V4 pool. Because of the large sums involved and the extremely unbalanced exchanges between the parties, the fees incurred during these operations reached as much as 140,000 US dollars; ultimately, User A lost 140,000 US dollars.

The cause of the security incident was insufficient liquidity in the Curve pool, and because Curve is built on top of many other projects, risk accumulates from the bottom layer upward.

2) On Mar. 12th, the prices of virtual currencies plunged, and the price of ETH at one point fell by 58%. The liquidation mechanism of MakerDAO, a decentralized DeFi project that uses ETH as collateral, nearly collapsed. The liquidated ETH was put up for auction, with the highest bidder taking it. However, of the 3,994 auctions conducted by MakerDAO, 1,462 were won with bids of 0 Dai, causing the MakerDAO platform a total loss of 62,893 ETH (worth 7.8 million US dollars).

The cause and effect of the incident are as follows:

MakerDAO's minimum collateralization ratio is 150%: when a user locks 150 ETH as collateral, he can borrow 100 Dai. In the original design of MakerDAO's liquidation mechanism, when the price of ETH plummets, the user's collateralized ETH is liquidated so that MakerDAO keeps operating continuously and safely. However, when ETH fell to 166 US dollars, the MakerDAO oracle malfunctioned, so the system believed the price of ETH still stood at 166 US dollars, and as a result many positions went unliquidated.

The MakerDAO oracle crashed because it fetches ETH quotes from exchanges in real time. The sharp drop of ETH that night caused a surge of transactions on Ethereum, which worsened the already congested network and eventually caused the oracle to break down.

All liquidated ETH entered the auction stage, where 2 issues had not been considered in MakerDAO's original design: first, the miner fee could not be adjusted dynamically to the level of network congestion; second, the design did not account for an extreme shortage of bidders, which makes it difficult to set a floor price for the auction.

Because of these 2 reasons, users who would normally participate in the auction could not bid over the congested network, and their bids were too late to appear on the blockchain. Instead, users with ulterior motives raised their miner fees, bid 0 Dai in the auctions, and ultimately won the collateral.
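The following added example is a toy Python model written for this article, not MakerDAO's own code. It reproduces the two design problems just described from a monitoring standpoint: a stale oracle that prevents vaults from being flagged for liquidation, and a collateral auction without a floor price in which a 0-Dai bid wins once honest bids are crowded out by congestion. The function names, the 10% staleness tolerance and the bid figures are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_COLLATERAL_RATIO = 1.5  # MakerDAO's 150% minimum, as stated in the article


@dataclass
class Vault:
    eth_locked: float  # collateral
    dai_debt: float    # borrowed Dai


def needs_liquidation(vault: Vault, eth_price: float) -> bool:
    """A vault must be liquidated once its collateral value drops below 150% of its debt."""
    return vault.eth_locked * eth_price < vault.dai_debt * MIN_COLLATERAL_RATIO


def oracle_is_stale(oracle_price: float, market_price: float, tolerance: float = 0.10) -> bool:
    """Assumed monitoring check: a feed more than `tolerance` away from the observed market
    price is flagged (the article describes a feed frozen at 166 USD while ETH kept falling)."""
    return abs(oracle_price - market_price) / market_price > tolerance


Bid = Tuple[str, float, float]  # (bidder, dai_offered, gas_price_paid)


def settle_auction(bids: List[Bid], congestion_gas: float,
                   floor_dai: float = 0.0) -> Optional[Tuple[str, float]]:
    """Toy collateral auction. Only bids paying at least `congestion_gas` are mined before the
    auction ends; the highest landed bid wins unless it is below `floor_dai`, in which case the
    lot stays unsold (None). A floor of 0, the original design, lets a 0-Dai bid win."""
    landed = [b for b in bids if b[2] >= congestion_gas]
    if not landed:
        return None
    bidder, dai, _ = max(landed, key=lambda b: b[1])
    return (bidder, dai) if dai >= floor_dai else None


if __name__ == "__main__":
    vault = Vault(eth_locked=1.0, dai_debt=100.0)
    print(needs_liquidation(vault, 166.0))  # False: oracle still reports 166 USD
    print(needs_liquidation(vault, 90.0))   # True: the real market price
    print(oracle_is_stale(166.0, 90.0))     # True: the feed has frozen
    bids = [("honest", 4000.0, 20.0), ("zero_bidder", 0.0, 200.0)]
    print(settle_auction(bids, congestion_gas=100.0))                    # ('zero_bidder', 0.0)
    print(settle_auction(bids, congestion_gas=100.0, floor_dai=2250.0))  # None: lot withheld
    print(settle_auction(bids, congestion_gas=10.0))                     # ('honest', 4000.0)
```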

3) Synthetix, a DeFi project, disclosed a contract vulnerability; since the affected contract had not been activated, no actual loss of user assets was incurred.

The vulnerability existed in the liquidation interface of the Synthetix contract. Under normal circumstances, a user pledges ETH to obtain sETH, and after the loan period calls the liquidation interface to return the sETH and get the ETH back; however, the vulnerability allowed any user to directly burn the sETH of other users' loans and obtain their ETH.

However, because the function was still in its trial period, it caused no actual loss of user assets.

Comments of Beosin:

DeFi projects are developing rapidly. According to statistics, by 2020 the assets locked in Ethereum DeFi had reached 1 billion US dollars. The popularity of DeFi projects is mainly due to their high returns. DeFi, short for "Decentralized Finance", is also the foundation of open finance. Yields as high as 8%-10% are bound to be accompanied by huge risks.

This is an area of rapid iteration, so DeFi teams on all sides are free to develop their own contract products; but there is no unified security standard to comply with, nor a requirement to pass a strict security audit, which is why contract vulnerabilities and related security issues keep emerging one after another.

Beosin hereby recommends that every DeFi project pay attention to contract security during development, so that its contracts can cope with various emergencies and abnormal uses and avoid losses; at the same time, it is recommended to carry out security audits with the help of professional blockchain security companies in order to avoid potential security risks.

In terms of exchanges, there were 2 typical security incidents in total:

1) At the beginning of March, the US Department of Justice announced sanctions against the hackers Yinyin Tian and Jiadong Li, who are suspected of helping the North Korean hacker group Lazarus Group launder money, and froze all of their assets.

Yinyin Tian and Jiadong Li used fake ID cards and tampered photos at several exchanges to bypass the KYC process. According to the statistics, the two Chinese citizens have been accused of laundering more than 100 million US dollars for the hackers of a virtual currency exchange.

2) Reports show that a new fake-deposit ("fake recharge") attack on USDT has appeared on Omni. The problem arises when an exchange or wallet does not verify the propertyid of the transaction when detecting a USDT deposit. Hackers carried out the attack by issuing other new tokens on the blockchain and then forging the propertyid.

Comments of Beosin:

The problem of fake deposits is quite common. From EOS, where fake-deposit problems occurred frequently early on, to Ethereum, various tokens and USDT on Omni later, all of them have encountered fake-deposit problems.

The causes of fake deposits mainly lie in 2 checks: verifying the authenticity of the token, and verifying whether the transaction actually succeeded. Therefore, Beosin recommends that project parties such as exchanges and wallets verify both that the transaction succeeded and that the token is the correct one when validating a transaction, so as to avoid fake-deposit attacks.
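To make the two checks concrete for the Omni USDT case above, here is an added example (not code from Beosin, Omni or any exchange): a deposit validator run over constructed records whose fields are modelled on Omni Core's omni_gettransaction output. Property id 31 is Tether's well-known Omni property id; the addresses, txids and the forged property id are placeholders.

```python
from decimal import Decimal
from typing import Tuple

USDT_PROPERTY_ID = 31  # Tether's property id on the Omni Layer


def check_usdt_deposit(tx: dict, deposit_address: str,
                       min_confirmations: int = 6) -> Tuple[bool, str]:
    """Credit a deposit only if the Omni transaction is valid, is a plain send of property 31
    to our own address, carries a positive amount and has enough confirmations.
    Returns (accepted, reason) so a monitoring pipeline can log why a deposit was rejected."""
    if not tx.get("valid", False):
        return False, "transaction is not valid on the Omni Layer (e.g. sender lacked balance)"
    if tx.get("type") != "Simple Send":
        return False, f"unexpected transaction type {tx.get('type')!r}"
    if tx.get("propertyid") != USDT_PROPERTY_ID:
        return False, f"propertyid {tx.get('propertyid')} is not USDT ({USDT_PROPERTY_ID})"
    if tx.get("referenceaddress") != deposit_address:
        return False, "recipient is not our deposit address"
    if tx.get("confirmations", 0) < min_confirmations:
        return False, f"only {tx.get('confirmations', 0)} confirmations"
    if Decimal(str(tx.get("amount", "0"))) <= 0:
        return False, "non-positive amount"
    return True, f"credit {tx['amount']} USDT"


# Constructed sample records (placeholder txids/addresses, not real transactions).
DEPOSIT_ADDR = "1ExchangeDepositAddressPlaceholder"
GENUINE = {"txid": "aa" * 32, "type": "Simple Send", "propertyid": 31,
           "amount": "1500.00000000", "referenceaddress": DEPOSIT_ADDR,
           "valid": True, "confirmations": 12}
# Attacker-issued token: the record looks like a USDT send, but the property id is not 31.
FORGED_PROPERTY = dict(GENUINE, txid="bb" * 32, propertyid=2147483999)
# A real USDT send that Omni marked invalid (failed transfer): it must not be credited either.
INVALID_SEND = dict(GENUINE, txid="cc" * 32, valid=False)

if __name__ == "__main__":
    for name, tx in [("genuine", GENUINE), ("forged property", FORGED_PROPERTY),
                     ("invalid send", INVALID_SEND)]:
        print(name, check_usdt_deposit(tx, DEPOSIT_ADDR))
```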

In terms of crypto frauds/crypto scams, there were 4 typical security incidents in total:

1) With the worldwide outbreak of the new coronavirus (COVID-19), some criminals exploited people's concerns about it to carry out related crypto scams.

Some scams impersonated the WHO and the CDC, sending emails and text messages to residents claiming to offer a list of COVID-19-positive people in their community and demanding payment in Bitcoin in exchange; others induced users to download the Android application CovidLock, which claimed to track the new coronavirus. In fact it is malware that locks the user's phone and demands a ransom.

2) One crypto scam defrauded users of Bitcoin by forging QR codes. Some websites claimed to convert a user's Bitcoin address into a QR code for free, for convenient receiving or transferring of funds; however, the generated QR code actually encoded the hackers' address. At present, more than 0.6 Bitcoin has been transferred to the hacker address.

The following is the website that generates the malicious QR code; please take note:

3) The counterfeit token PETH was listed on the XueBi exchange and went to zero as soon as trading opened. All of the victims had taken part in a pre-private placement, with amounts ranging from 80 USDT to 1,000 USDT, and there were about 228 victims. The initial estimate put the total at about 400,000 RMB, and unfortunately some college students were among the victims.

4) "Crypto Chicken of Silicon Valley", a blockchain capital scheme, was suspected of collapsing. "Crypto Chicken of Silicon Valley" is a typical virtual-pet capital scheme, similar to Crypto Cats and Crypto Dogs: crypto pets are bought at low prices and sold at high prices after a period of time. The truth of this kind of crypto scam is that the capital is simply "passed on like a parcel" until no one takes the order, and that is the moment of collapse.

In terms of other incidents, there were 4 typical security incidents in total:

1) Trident, a crypto investment fund, was hacked and the data of 266,000 users was leaked.

2) The data of 523 million Weibo users was leaked and sold on the dark web.

3) Users involved in the "Room N" incident in South Korea used Telegram and virtual currency for communication and payment. As the South Korean police decided to thoroughly investigate all users who participated in viewing the live broadcast rooms, exchanges such as Upbit, Bithumb, Korbit, Coinone, Huobi and KuCoin expressed their willingness to cooperate with the police in investigating user information.

4) A "One-Key Token Issuance" service on the Ethereum platform implanted a backdoor into the token contracts it developed: while issuing tokens to the project party, it secretly transferred tokens to its own account, and then sold them for profit once the project party's token started trading.

In view of the current new situation in the field of blockchain security, Beosin summarizes as follows:

In general, blockchain security incidents in March still occurred from time to time. Both the number of incidents and the losses they caused were at a medium level. However, this does not mean the severe security situation of the blockchain industry is easing; rather, it shows that security incidents now cover a wider range.

The security incidents that cannot be ignored in the current situation include DeFi projects, which continue to heat up while their emerging problems become more apparent; the dark-web market, which is still active; money-laundering issues; crypto scams; and contract vulnerabilities. In particular, dark-web funds, crypto scams and money laundering are the key issues faced by exchanges at the current stage of moving toward compliance. For example, in the money-laundering case of Yinyin Tian and Jiadong Li mentioned above, the two men easily bypassed the exchanges' KYC verification with false identities and fake photos, thereby helping the North Korean hacker group Lazarus Group launder more than 100 million US dollars.

How to continuously monitor and evaluate transaction risks on the blockchain, so as to support clients such as VASPs (Virtual Asset Service Providers), regulators and law-enforcement agencies in risk management, compliance supervision, investigation and evidence collection, is the most important task for Beosin in supervising the security of the blockchain ecosystem and promoting compliance.

In the near future, Beosin will launch an upgraded version of "Beosin-AML", its system for virtual-asset anti-money-laundering compliance, investigation and evidence collection, to address these pain points. As one of the core security products of the "Beosin One-Stop Blockchain Security Service Platform", Beosin-AML will fully support the establishment of a complete protection system for blockchain ecosystem applications.


BEOSIN

Blockchain Security · IDE · Beosin-VaaS · Formal Verification · SAS | China's leading enterprise in the blockchain security field