Inventory From Beosin | There Were Over 44 Typical Security Incidents In September, And The Overall Risk Rating Was High.
According to monitoring data from Beosin-Eagle Eye, security incidents of multiple types occurred frequently across the blockchain field in September 2020, and the overall situation was not optimistic. According to incomplete statistics, there were over 44 typical security incidents this month, an increase over the previous month and the highest monthly figure so far this year.
The blockchain industry is still young, and its technology as a whole is in an exploratory stage. In particular, as the DeFi market has become popular, projects have sprung up whose underlying technology, logical structure and many other aspects are relatively weak, so security vulnerabilities appear very easily. Security must therefore come first in every link of the blockchain ecosystem and cannot be ignored.
In terms of exchanges, a total of 6 typical security incidents occurred:
On Sept. 2, Seoul police conducted a search of Bithumb, the largest cryptocurrency exchange in South Korea. The exchange was accused of pre-selling BXA tokens worth 30 billion won but never listing them, causing investors to suffer losses.
ETERBASE, the European exchange, had funds stolen on Monday night, involving 6 addresses related to BTC, ETH/ERC-20, XRP, TRX, XTZ and ALGO. The exchange did not disclose the specific losses caused by the attack, but according to statistics from The Block Research, the exchange’s hot wallets lost more than $5 million. The incident has been reported to law enforcement agencies, and the exchange was cooperating closely with the investigation. Follow-up tracking of the fund transfers found that most of the stolen funds were at that time in exchanges such as Binance.
Fisco, the Japanese cryptocurrency exchange, filed a lawsuit against Binance in a US court. Fisco claimed that after Zaif (since acquired by Fisco) was hacked and lost $63 million of cryptocurrency in 2018, Binance facilitated money laundering by the hackers.
Covesting, the British crypto exchange, tweeted that, in response to the security vulnerabilities at KuCoin and to protect the affected COV token holders, the Covesting team has frozen the COV tokens (3,126,692 in total, valued at $560,522) in the reported address.
Eterbase, the Slovak cryptocurrency exchange, was hacked and a total of $5.4 million of cryptocurrency was stolen. The exchange stated that its 6 hot wallets had been compromised and that funds had already been siphoned from its Bitcoin, Ethereum, Ripple, Algorand, Tezos and Tron wallets.
According to KuCoin’s official announcement, at 03:05:37 (UTC+8) on Sept. 26, 2020, the platform discovered a planned hacker attack. According to the current internal security audit results, the hacker launched a withdrawal attack after obtaining a backup image of KuCoin’s early hot wallets. Through this attack, some Bitcoin and ERC-20 tokens in the hot wallet were taken, worth about 4800 Bitcoins, which accounted for 5% of the total funds held on the platform.
In terms of DeFi, a total of 14 typical security incidents occurred:
ZenGo researchers have correctly disclosed the vulnerabilities found in the Diogenes protocol certification. The certification aimed to provide the original entropy for the verifiable delay function (VDF) of the Ethereum 2.0 random beacon Blockchain.
An Ethereum account was suspected of falling victim to a gas price attack and lost 115 ETH. The user withdrew 115.299 ETH from an exchange to an Ethereum account. After the funds arrived, they were quickly and inexplicably transferred to another account. Strangely, the receiving party actually received only 6.46 ETH, while the gas fee for the transfer was as high as 108.83 ETH, or about 360,000 yuan.
The smart contracts of YUNO Finance (YUNO) of SushiSwap and of KIMCHI.finance (KIMCHI) both contained vulnerabilities. The smart contract owners could exploit them to issue an unlimited number of the project’s tokens, which would in turn lead to inflation and eventual collapse.
On the evening of Sept. 3, Philippe Castonguay, the Ethereum developer, tweeted that the DeFi projects BaconSwap and shroom.finance both had a time lock vulnerability, which would allow project owners to issue unlimited tokens without a time lock.
The Blockstream Research team announced that it has developed a solution, MuSig-DN, that can be used to protect users of the MuSig multi-signature scheme from private key disclosure attacks caused by malicious random number generators and virtual machine reset attacks.
Developers found major governance flaws in SushiSwap. SushiSwap appeared to be easy to exploit, and the vulnerability could multiply someone’s governance power without the need to obtain new tokens.
A large amount of pledged funds was transferred out of emeraldmine1, the contract of EMD, an EOS DeFi liquidity mining project. Of these funds, the USDT was being sold off through DeFibox token-to-token trading and other channels.
A user of YFI on Soft Yearn received a return of $250,000 for $200 due to a vulnerability in the rebase mechanism.
wRAM of “Coral”, a DeFi liquidity mining project in the EOS ecosystem, was attacked by hackers and lost more than 120,000 EOS. As of Sept. 10, 46,000 EOS had been transferred to ChangeNOW for money laundering.
On Sept. 14, bZx officially tweeted that the vulnerabilities in the iToken contract code have been fixed and the protocol has resumed normal operation.
Lien, the DeFi stablecoin protocol, issued an announcement stating that the team’s auditors had found a vulnerability in the Lien App and that it had decided to temporarily put the platform into maintenance to prevent the vulnerability from being exploited.
On Sept. 23, DeFi Pulse stated on Twitter on Tuesday night that the vulnerabilities have been identified and fixed, and historical data has been corrected.
According to news on Sept. 23, Soda, a DeFi protocol in which vulnerabilities had previously been exposed, recently announced a bug fix, and the newly deployed smart contract was expected to take effect at 21:00 on Sept. 22. As of Sept. 23, there were still 2,156 SoETH, equivalent to ETH, in the SoETH/WETH fund pool of the Soda protocol.
On Sept. 29, according to bluekirbyfi on Twitter, the game project Eminence (ENM), just launched by Andre Cronje, the founder of yearn.finance, suffered a flash loan attack. The hackers returned $8 million in funds to the yearn deployer contract.
Comments of Beosin:
Security issues in DeFi projects were frequently exposed this month, with vulnerabilities concentrated in areas such as technical code and business logic; the security of DeFi cannot be ignored. Beosin once again calls on all project teams to carry out a thorough security audit before launch. Investors are likewise advised to check the security audit report and choose projects carefully before investing.
In terms of crypto frauds and scams, a total of 3 typical security incidents occurred:
On Sept. 26, GemSwap, named after SushiSwap, was reported to have absconded, with the LP funds taken away. Inquiries found that the project had tweeted that it had been attacked by the developers of “whatitdobb”. It was understood that the developers who launched the attack obtained the relevant permission before the liquidity migration was completed and were able to withdraw the tokens from the liquidity pool. The specific loss was not clear.
On Sept. 3, Travis J. Iles, the Texas State Securities Board (TSSB) Commissioner, issued an emergency suspension order against 2 crypto scams called Forex Birds and PEK Universe. They were accused of fraudulently issuing securities related to foreign exchange (forex) and cryptocurrencies. Forex Birds allegedly promised investors a return of up to 11%, and its deposits could reach up to $1 million.
The French Financial Market Authority (AMF) has released a list of new investment websites that were not authorized to operate within the country, including so-called digital asset service providers (DASP). The application BitcoinFrance was said to trade on the cryptocurrency market on behalf of its clients, generating $1,000 in revenue per day without any risk. These descriptions clearly bear the characteristics of fraudulent investment schemes.
In terms of ransomware and mining Trojans, a total of 9 typical security incidents occurred:
Tencent Security Threat Intelligence Center detected MrbMiner, a new mining Trojan family. The attackers broke in by brute-forcing weak SQL Server passwords. After a successful brute-force, the Trojan assm.exe, written in C#, was dropped on the target system; it then communicated with the C2 server and downloaded the Monero mining Trojan to keep the mining process running.
Elon Musk, the founder of Tesla, confirmed in a tweet that Russian man Egor Igorevich Kriuchkov used $1 million in Bitcoin to bribe an employee of the Tesla factory in Nevada to install ransomware on Tesla’s computer network.
Dirección Nacional de Migraciones, Argentina’s official immigration agency, was attacked by Netwalker ransomware, and crossings into and out of the country were temporarily halted. The hackers demanded a ransom of $4 million. The Argentine government refused to negotiate with the hackers and would not pay the ransom.
Hackers carried out a ransomware attack on Tower Semiconductor Ltd (TSEM), a manufacturer of wireless chips and camera sensors listed on the Israeli Nasdaq, and demanded a ransom of hundreds of thousands of dollars in Bitcoin.
Banco Estado, one of the three largest banks in Chile, had to shut down its nationwide business on the 7th due to a cyber attack by REvil ransomware. It was reported that REvil was known for auctioning data stolen in attacks and often required Monero (XMR) to be used for the ransom.
The players of Activision Blizzard’s Call of Duty: Warzone complained that their accounts were stolen. In some cases, the hackers required Bitcoin payments to redeem game accounts. The address provided by the hackers has so far received 1.2 BTC.
K-Electric, Pakistan’s largest electricity producer, suffered a ransomware attack. The hackers demanded a Bitcoin ransom of approximately $7.7 million.
Equinix, the data center and hosting giant, was attacked by Netwalker ransomware. The threat actors demanded $4.5 million for a decryptor and to prevent the stolen data from being leaked.
According to news on Sept. 13, not long ago, a private company in Hangzhou High-tech Zone (Binjiang) reported to the public security organ that someone maliciously attacked the company’s official website and extorted 1 Bitcoin. After receiving the report, the investigative agency quickly identified the suspect Zhong. The Binjiang District Procuratorate filed a public prosecution against Zhong for the crime of damaging computer information systems. Zhong was sentenced to 5 years and 6 months in prison by the court.
In terms of the dark web, a total of 2 typical security incidents occurred:
On Sept. 2, the US Department of Justice announced on Tuesday that Bryan Connor Herrell, the mediator of the dark web market AlphaBay, was sentenced to 11 years in prison. AlphaBay was a dark web contraband market that could be accessed through the Tor onion router. Offenders used cryptocurrencies such as Bitcoin, Monero and Ethereum for transactions.
More than $6.5 million in cash and cryptocurrency were confiscated in an operation against dark web crimes jointly executed by the United States Department of Justice, the Joint Drug and Dark Web Enforcement Group and EUROPOL.
In the “other” category, a total of 10 typical security incidents occurred:
ShiftCrypto, the Swiss company that developed the BitBox hardware wallet, revealed that it has discovered a vulnerability in the Trezor and KeepKey hardware wallets that allowed attackers to hold users’ cryptocurrency for ransom without being close to the device.
Shift Crypto, the Swiss hardware wallet provider, stated that there was a vulnerability in the Trezor and KeepKey hardware wallets that might trigger a potential ransom attack. SatoshiLabs, the manufacturer of the Trezor hardware wallets, paid Shift Crypto the bounty and stated that this issue has been resolved in a recently released upgrade.
Tim Draper, the venture capitalist, previously claimed that buying BCH might be a mix-up incident. In the early morning of Sept. 5, Tim Draper suddenly tweeted that he had purchased BCH and expressed his gratitude to Roger Ver. The tweet attracted the attention of the crypto community. But João Almeida, the co-founder of OpenNode, subsequently confirmed that Tim Draper’s Twitter account had been compromised.
On the morning of Sept. 9, the encrypted browser Brave officially tweeted that it had integrated the open source solution of the network security company PhishFort to prevent phishing attacks. Brave would then detect crypto scams and warn users about suspicious domain names.
A Bitcoin wallet has become the target of many hackers. The wallet holds 69,370 BTC, worth $714 million, and has not been cracked yet.
On Sept. 16, the US Department of Justice, the US Department of Homeland Security, and the US Department of Treasury’s Office of Foreign Assets Control announced that they had imposed sanctions against 2 Russian nationals who stole at least $16.8 million from the customers of 3 different cryptocurrency exchanges with sophisticated phishing methods.
On Sept. 22, Deribit, the crypto derivatives exchange, tweeted that it had come under a DDoS attack in the early morning, which made the platform’s servers difficult to access. Officials worked to stop the attack. The DDoS attack has now been blocked, and officials have taken measures to reduce other potential problems.
Wumbo, the large-value channels of the Lightning Network, contained a vulnerability that allowed attackers to attack a payment channel with little effort and at 0 cost, or to paralyze the channel for 2 weeks.
Nick Percoco, the chief security officer of the crypto exchange Kraken, announced that 4 new security enhancement functions have been released on Kraken and would be available to all customers of the exchange starting today: security protection, security inspection, device approval and device management. Among these, the “device approval” function would be particularly effective against phishing attacks.
On Sept. 25, according to foreign media reports, a new Trojan virus called Alien was attacking crypto applications on Android phones. The targets included Coinbase, Blockchain.com and Luno.
In view of the current situation in blockchain security, Beosin offers the following reminders:
On the whole, the number of Blockchain security incidents increased in September compared with August, and the overall number of security incidents was relatively high. The Blockchain security situation remained grim.
DeFi projects were still a hot security topic this month. The smart contracts of many projects were exposed as having security vulnerabilities, and some were even exploited by hackers, causing losses. Beosin urges all project teams to maintain rigorous logic when writing contract code and to engage a professional security company for a security audit before launch.
In addition, there were fewer crypto fraud and scam incidents this month, but users still cannot relax their vigilance. Remember to be cautious when choosing projects and to pay attention to project qualifications and security audit reports.