BEOSIN
6 min read · Jan 16, 2019

Since the advent of Bitcoin, theft cases have exceeded 1 million, worth about $7 billion.

According to Beosin (Chengdu LianAn), there were nearly 100 security incidents in the global blockchain field in 2018, with losses exceeding $2 billion. The attacks are endless and hard to prevent. Blockchain, the underlying technology of Bitcoin, faces many security risks at the data, network, consensus, incentive, contract and application layers.

While 2018 was a key year for the development of blockchain, security became the core constraint on that development. There were nearly one hundred security incidents in the year, an increase of 538% compared with 2017. Blockchain security attacks mainly occur in the application layer, especially in smart contracts.

Influential security incidents in the blockchain industry in 2018:

In January 2018, a large Japanese digital currency exchange called Coincheck was hacked, with NEM (New Economy Movement) worth more than $534 million illegally transferred.

In January 2018, the imToken wallet was hacked, resulting in the theft of BTM worth more than 2.5 million yuan from a user. The victim had no idea how the incident happened, because both his mobile phone and his computer held the private key. imToken actively helped the user investigate, but no information about the hacker has been found yet.

On February 11, 2018, BitGrail, the Italian cryptocurrency exchange, was attacked and $170 of the cryptocurrency Nano was stolen.

On April 22, 2018, a major vulnerability was found in the BeautyChain (BEC) contract: the hacker used the batch transfer function to generate an unlimited number of tokens, driving the value of BEC almost to zero.

On April 25, 2018, SmartMesh suffered a major security vulnerability similar to BEC's, with a loss of $140 million.

On July 25, 2018, an “overflow” vulnerability was exploited in the Werewolf Game (the EOS version of Fomo 3D), causing a loss of 60,686 EOS. After arbitrating the hacker’s behaviour, the EOS Core Arbitration Forum (ECAF) issued a new arbitration order to freeze the hacker’s EOS account, eosfomoplay1.

On September 20, 2018, the Japanese digital currency exchange Zaif announced that it had suffered a hacker attack and lost $59.67 million, of which $19.59 million belonged to the exchange’s own funds and the remaining $40.07 million belonged to clients’ funds.

On December 3, 2018, Dice3D suffered a hacker attack and lost 10,569 EOS, which were transferred to Huobi. Dice3D officially decided to compensate the players with EOS from its own funds.

According to Beosin (Chengdu Lianan), the blockchain attack points in 2018 are mainly trading platforms, smart contracts and ordinary users.

Among them, trading platforms accounted for 36%, smart contracts 22%, ordinary users 17%, miners 9%, consensus mechanisms 5% and others 11%. The following are the blockchain security incidents and losses in 2018 according to our statistics.

Ⅰ. Review of the Security Incidents in Digital Currency Exchanges

In 2018, more than half of the exchanges held users’ keys, which made them regular targets for hackers. Digital currency trading platforms around the world successively suffered security incidents such as hacker attacks and account theft. The result is not just economic loss; in severe cases it directly bankrupts the platform.

Digital currency exchanges are built on the security of capital and information. Only security can win the trust of users and stabilize the market, so the technical capabilities and business experience of the exchange platform are particularly important.

For users, before choosing an exchange they should consider the platform’s security, user experience, traffic, capital reserves, technical capabilities and financial productization capabilities. Here are the requirements a good exchange should possess:

· Secure funding and information;

· Good mobility;

· Low transaction costs;

· Fast transaction speed and good user experience;

· Plenty of trading pairs;

· Funding without limitations (such as restricting withdrawals or slowing them down);

· Multiple derivatives supported;

· Available API interface.

Ⅱ. Review of the Security Incidents in Smart Contracts

Because their commitments are defined in code, smart contracts easily leave hidden dangers if the creation process is not rigorous enough. The common smart contract security vulnerabilities in 2018 mainly included integer overflow, unauthorized access, denial of service, logical errors, information disclosure and function misuse. Although smart contract incidents were relatively few in number, the economic losses were large.
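The integer overflow class listed above is the one behind the BEC batch-transfer incident described earlier. The following Python model is an added example, not code from the Beosin post or from the BEC contract: it imitates the EVM's wrapping uint256 arithmetic in a toy ledger, shows the vulnerable batch-transfer pattern (the total `count * value` wraps to a small number and passes the balance check while every receiver is still credited the full `value`), and places a checked version beside it that refuses to wrap. The ledger class, account names and balances are constructed for illustration.

```python
# Added example (not code from the Beosin post or the BEC contract):
# a toy ERC-20-style ledger modelling uint256 arithmetic, with the
# vulnerable batch-transfer pattern beside an overflow-checked version.
# Account names and balances are constructed for illustration.

UINT256_MAX = 2**256 - 1


def safe_add(a, b):
    """Checked uint256 addition: raise instead of wrapping."""
    r = a + b
    if r > UINT256_MAX:
        raise OverflowError("uint256 addition overflow")
    return r


def safe_sub(a, b):
    """Checked uint256 subtraction: raise on underflow."""
    if b > a:
        raise OverflowError("uint256 subtraction underflow")
    return a - b


def safe_mul(a, b):
    """Checked uint256 multiplication: raise instead of wrapping."""
    r = a * b
    if r > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return r


class TokenLedger:
    """Toy token ledger; balances are uint256 values modelled as Python ints."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, addr):
        return self.balances.get(addr, 0)

    def batch_transfer_unchecked(self, sender, receivers, value):
        """Vulnerable pattern: the total `cnt * value` uses wrapping arithmetic,
        so a large `value` can give a tiny total that passes the balance check
        while each receiver is still credited the full `value`."""
        cnt = len(receivers)
        amount = (cnt * value) & UINT256_MAX  # EVM MUL wraps modulo 2**256
        if not 0 < cnt <= 20:
            raise ValueError("bad receiver count")
        if value == 0 or self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = (self.balance_of(sender) - amount) & UINT256_MAX
        for r in receivers:
            self.balances[r] = (self.balance_of(r) + value) & UINT256_MAX
        return amount

    def batch_transfer_checked(self, sender, receivers, value):
        """Hardened version: every arithmetic step is overflow-checked (the
        SafeMath discipline), so the call fails instead of wrapping."""
        cnt = len(receivers)
        if not 0 < cnt <= 20:
            raise ValueError("bad receiver count")
        amount = safe_mul(cnt, value)
        if value == 0 or self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = safe_sub(self.balance_of(sender), amount)
        for r in receivers:
            self.balances[r] = safe_add(self.balance_of(r), value)
        return amount


def demo():
    """Run both versions on the same constructed input.

    Returns (unchecked total, sender balance after, receiver balance after,
    error message from the checked version)."""
    receivers = ["acct_a", "acct_b"]
    huge = 2**255  # 2 * 2**255 == 2**256, which wraps to 0 in uint256
    ledger = TokenLedger({"sender": 1000})
    total = ledger.batch_transfer_unchecked("sender", receivers, huge)
    try:
        TokenLedger({"sender": 1000}).batch_transfer_checked("sender", receivers, huge)
        checked_error = None
    except OverflowError as e:
        checked_error = str(e)
    return total, ledger.balance_of("sender"), ledger.balance_of("acct_a"), checked_error


if __name__ == "__main__":
    print(demo())
```

In the unchecked version the wrapped total is 0, the sender's 1000-token balance is untouched, and each receiver ends up holding 2**255 tokens that never existed; the checked version raises on the multiplication before any balance changes. This is exactly the property an audit should look for: every arithmetic operation on balances either checked (SafeMath or a compiler with checked arithmetic) or provably unable to overflow.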

To deal with smart contract security vulnerabilities, we recommend that project parties and developers build security awareness and, before going live, submit their smart contracts to professional teams for a comprehensive and in-depth code security audit, set up an emergency response process, develop verification tools and establish vulnerability bounty programs.

III. Review of Security Incidents in Digital Currency Wallets

In 2018, most blockchain wallets had security risks, including wallet app forgery vulnerabilities, transaction passwords with no weak-password detection, core code that was not hardened, no detection of the operating system environment, and operational hazards such as screen captures and screen recordings.

Digital currency wallet service providers should, on the one hand, strengthen the security audit of their wallets and, on the other hand, conduct a series of security verification audits covering the domain name system, home instance and server applications, as well as monitor the security of private keys, mnemonics, transaction processes and data storage.

IV. Review of Security Incidents in DApps

The number of DApps grew steadily in 2018. According to relevant data, over 1,900 were already running on public blockchains such as Ethereum, EOS and Tron by the end of 2018. In the second half of 2018 alone, more than 20 hacking attacks, large and small, took place.

Most DApp attacks in 2018 were random number attacks rather than bugs in EOS itself. During development, the project side should on the one hand make random numbers harder to guess by strengthening the rules for generating them, and on the other hand raise security awareness to avoid vulnerabilities in the code they write.
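A random number derived only from public chain state can be computed by anyone who reads the same state, which is what makes the attack class above possible. One way to "strengthen the rules" is a two-phase commit-reveal draw, where every participant first commits to a hash of a secret and only reveals the secret after commitments close, so the result depends on inputs nobody could know in advance. The Python below is an added example, not code from the Beosin post or from any EOS project; player names, secrets and the number of outcomes are constructed for illustration.

```python
# Added example (not code from the Beosin post or any EOS project): a
# commit-reveal draw in Python as one way to make a DApp's random number
# harder to guess than a value derived from public chain state.
# Player names, secrets and the number of outcomes are constructed.

import hashlib
import os


def commitment(secret: bytes, salt: bytes) -> str:
    """Hash commitment to a secret; the salt defeats dictionary guessing of short secrets."""
    return hashlib.sha256(salt + secret).hexdigest()


class CommitRevealLottery:
    """Two-phase draw: all players commit hashes first, then reveal secrets.
    Nobody can choose a secret after seeing the others', and the outcome
    depends on every revealed secret rather than on a block field."""

    def __init__(self, n_outcomes: int):
        self.n_outcomes = n_outcomes
        self.commits = {}        # player -> commitment hex
        self.reveals = {}        # player -> revealed secret bytes
        self.commits_closed = False

    def commit(self, player: str, c: str) -> None:
        if self.commits_closed:
            raise RuntimeError("commit phase is over")
        if player in self.commits:
            raise ValueError("player already committed")
        self.commits[player] = c

    def close_commits(self) -> None:
        """Called when the commit window ends (on-chain: a block height or deadline)."""
        self.commits_closed = True

    def reveal(self, player: str, secret: bytes, salt: bytes) -> None:
        if not self.commits_closed:
            raise RuntimeError("cannot reveal before the commit phase closes")
        expected = self.commits.get(player)
        if expected is None:
            raise ValueError("no commitment from this player")
        if commitment(secret, salt) != expected:
            raise ValueError("reveal does not match commitment")
        self.reveals[player] = secret

    def outcome(self) -> int:
        """Combine all secrets in a fixed order so the result is deterministic."""
        if set(self.reveals) != set(self.commits):
            raise RuntimeError("not every player has revealed")
        h = hashlib.sha256()
        for player in sorted(self.commits):
            h.update(self.reveals[player])
        return int.from_bytes(h.digest(), "big") % self.n_outcomes


def run_round(n_outcomes: int, secrets: dict) -> int:
    """Drive a full round for a player->secret map; each player gets a fresh salt."""
    game = CommitRevealLottery(n_outcomes)
    salts = {p: os.urandom(16) for p in secrets}
    for p, s in secrets.items():
        game.commit(p, commitment(s, salts[p]))
    game.close_commits()
    for p, s in secrets.items():
        game.reveal(p, s, salts[p])
    return game.outcome()


def tampered_reveal_rejected(n_outcomes: int = 6) -> bool:
    """A player who commits one secret and later reveals another is refused."""
    game = CommitRevealLottery(n_outcomes)
    salt = os.urandom(16)
    game.commit("house", commitment(b"first-secret", salt))
    game.close_commits()
    try:
        game.reveal("house", b"second-secret", salt)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_round(6, {"alice": b"a-secret", "bob": b"b-secret"}))
```

The remaining weakness a practitioner would check for is the last revealer: a player who sees the other reveals and dislikes the resulting outcome can simply refuse to reveal. In a deployed contract that is handled by requiring a deposit at commit time that is forfeited if the player misses the reveal deadline, so that aborting costs more than it gains.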

V. Review of Security Incidents in Mining Pools

The risks to mining pools in 2018 lay mainly in DDoS attacks and block attacks. As the upstream link in the digital currency chain, pools provide stable mining revenue for the majority of individual miners, so the importance of their security is self-evident.

VI. Security of Users

In addition to professional hacking incidents, there were also security incidents involving ordinary users in 2018, causing great losses of assets.

To address blockchain security issues, the Beosin (Chengdu Lianan) team analyzed and summarized both common and high-risk vulnerabilities in Ethereum and EOS smart contracts in an eighteen-part series in 2018. Throughout the development of the Ethereum and EOS security ecosystems, there have been many painful lessons worth our attention.

Written by BEOSIN

Blockchain Security · IDE · Beosin-VaaS · Formal Verification · SAS | China’s leading enterprise in the blockchain security field