Summary of 2020 attack incidents: 90 billion RMB is missing, how can we stay away from hackers in 2021?

avatar
CertiK
3 years ago
This article is approximately 1692 words,and reading the entire article takes about 3 minutes
CertiK security experts took stock of several typical blockchain projects in 2020, analyzed the reasons why they were attacked and the attack methods used by hackers, as a reference for warning of security accidents in the industry.
Summary of 2020 attack incidents: 90 billion RMB is missing, how can we stay away from hackers in 2021?
If that thing looks like a duck and walks like a duck, we say its a duck.
This quote from a certain politician is held up by many people.
Like each of us, many times the information we release to the outside world will feed back and affect ourselves through external evaluation.
This principle is not only applied to a particular field, on the contrary, it can find traces in all things.

Summary of 2020 attack incidents: 90 billion RMB is missing, how can we stay away from hackers in 2021?

The blockchain has been developing for a long time, but for many people, it is still an extrajudicial place where scams, escapes, and hackers are hidden.
It is difficult for peoples cognition to be influenced by other information. Of course, this must be attributed to the increasingly fierce attacks on blockchain projects.
In the overwhelming hacking incidents, the only way to reverse peoples anxiety and resistance to the blockchain is to improve the security standards of the blockchain and establish a safe and healthy blockchain ecosystem.
In the same way, when the entire blockchain is no longer plagued by negative news, this duck will also become a favorable one.
Summary of 2020 attack incidents: 90 billion RMB is missing, how can we stay away from hackers in 2021?
According to statistics, the security rate of websites and software in the traditional field reached 97.5% in 2020, and the asset with the largest loss was only close to 50,000 RMB.
In the field of blockchain, the security rate of smart contracts and related nodes is only 89%, and the losses are often between 6 million and 60 million RMB. This is a sky-high asset that cannot be transported by several large trucks.
A loss of assets from the blockchain field may be more than a thousand times the loss of assets in the traditional network.
Therefore, CertiK security experts took stock of 21 typical blockchain projects in 2020, analyzed the reasons why they were attacked and the attack methods used by hackers, as a reference for warning of security accidents in the industry.
Among the 23 blockchain projects analyzed, there were 8 attack events caused by implementation logic errors, 4 price oracle manipulation events, 3 project party fraud events, 3 re-entry attack events, and flash loan attack events. 2 cases and 1 case of wallet attack.
These security incident items are listed below:

Summary of 2020 attack incidents: 90 billion RMB is missing, how can we stay away from hackers in 2021?

Table 1: List of major blockchain accident projects in 2020

Summary of 2020 attack incidents: 90 billion RMB is missing, how can we stay away from hackers in 2021?

Figure 1: 2020 blockchain major accident project loss map
Table 1 and Figure 1 show the loss of major blockchain accident projects in 2020.

Summary of 2020 attack incidents: 90 billion RMB is missing, how can we stay away from hackers in 2021?

first level title

Summary of 2020 attack incidents: 90 billion RMB is missing, how can we stay away from hackers in 2021?

secondary title

Cover Protocol

On the evening of December 28, 2020, the CertiK security verification team discovered a vulnerability attack on Cover Protocols unlimited issuance of tokens.
The attacker repeatedly pledged and retrieved the smart contract of the project, triggering the operation of minting tokens, and infinitely issued Cover tokens, causing the price of Cover tokens to collapse.
secondary title

Warp Finance

On December 17, 2020, the attacker took advantage of the oracle used by the Warp Finance project to calculate the wrong price of the pledged LP token assets, and profited about 1,462 ETH tokens from the Warp Finance project, with a total value of about 6.15 million RMB.
In addition, the attacker also mint the DAI-ETH LP share worth about 39.9 million RMB, and the profit of about 6.5 million RMB flowed into the LP of uniswap and sushiswap.
secondary title

Compounder.Finance

At 3:00 pm on December 1, 2020, the CertiK security technology team discovered through Skynet that several transactions of a large number of tokens occurred in the smart contract of the Compounder.Finance project.
After careful verification that these transactions were internal operations, the project owner transferred a large amount of tokens to his own account.
secondary title

SushiSwap

secondary title

Compound

On November 26, 2020, the Compound project experienced an error in the price of the price oracle token.
secondary title

Pickle Finance

At 2:37 am on November 22, 2020, the CertiK security verification team discovered that the Pickle Finance project was attacked through Skynet.
The attacker exploits the loophole in the contract that does not check whether the external Jar contract is legal.
secondary title

Origin Protocol

On November 17, 2020, the Original Protocol project OUSD was attacked by a combination of flash loan and reentrancy attack.
secondary title

Cheese Bank

On November 16, 2020, the DeFi project Cheese Bank was attacked by flash loans.
Attackers attack by manipulating the number of tokens in the liquidity pool and using the reset oracle to increase the price of Uniswap LP liquidity certificates.
secondary title

Value DeFi

On November 15, 2020, the DeFi project Value Defi was attacked by flash loans.
The attacker used the Curve price oracle machine in the project to manipulate the price calculation vulnerability of the oracle machine token through flash loans to attack.
secondary title

Eminence

secondary title

GemSwap

On September 26, 2020, the DeFi project GemSwap suffered a backdoor attack from the project owner.
secondary title

Soda Finance

On September 21, 2020, the CertiK security research team discovered a smart contract security vulnerability in the soda blockchain project.
This vulnerability allows any external caller to forcibly settle the victims debt by calling the smart contract function, ignoring the number of tokens in the victims debt, and transfer the proceeds from the settlement operation to their own payment address.
secondary title

BASED

On August 14, 2020, the liquidity mining project Based had a vulnerability caused by an initialization error.
When deploying its smart contract, Base officials only declared the owner by calling the renounceOwnership function in the smart contract, but did not initialize the smart contract.
secondary title

YAM

secondary title

NUGS

On August 11, 2020, the CertiK security research team discovered that the Ethereum-based token project NUGS had security issues.
There were security flaws in its smart contracts that caused massive inflation in its token system.
secondary title

Opyn

On August 4, 2020, an attack occurred on the DeFi project Oypn.
The reason for the attack is that there is a loophole in the exercise function of Opyn in the smart contract oToken.
When the attacker sends a certain amount of ETH to the smart contract, the smart contract only checks whether the amount of ETH is consistent with the amount required to complete the futures transaction, instead of dynamically checking whether the amount of ETH sent by the attacker is within each After one transaction, it is still equal to the quantity required to complete the futures transaction.
secondary title

Cashaa

The first attack occurred at 6:57 p.m. Beijing time on July 10, when one of Cashaa’s bitcoin wallets was compromised and 1.05977049 BTC was transferred to the attacker’s account.
According to the description in the Cashaa report, the attacker controlled the victims computer, operated the victims Bitcoin wallet on Blockchain.info, and transferred BTC to the attackers account.
The second attack occurred at 8:10 am Beijing time on July 11. Cashaa’s 8 bitcoin wallets, with a total of 335.91312085 bitcoins, were transferred to the same address by the attacker through the same means.
secondary title

Balancer

At 2:03 am on June 29, 2020, the attacker used the WETH borrowed from the dYdX flash loan to buy a large amount of STA tokens, causing the exchange price of STA and other tokens to rise sharply.
Then use the minimum amount of STA (the value is 1e-18) to continuously repurchase WETH, and after each repurchase, use Balancers contract loophole to reset the number of internal STAs (the value is 1e-18), so as to stabilize STA high price.
Attackers continue to exploit the loopholes and use high-priced STA to completely buy out a certain token (WETH, WBTC, LINK, and SNX), and finally use WETH to repay the flash loan, leaving a large amount of STA, WETH, WBTC, LINK, and SNX, and Transfer the illegal gains to your own account through uniswap.
After CertiK captured the Balancer attack at 2 am on June 29, at 20:00 and 23:23 on June 29, 2020, the Balancer project was attacked again.
After the attacker borrowed and minted the tokens from the dYdX flash loan, he obtained cWBTC and cBAT tokens through the uniswap flash loan, and then traded the borrowed tokens in a large amount in the Balancer token pool, thereby triggering the airdrop mechanism of the Compound protocol. Obtain the airdropped COMP tokens, and then use Balancers vulnerable gulp() function to update the token pool quantity, then take all the tokens and return the flash loan.
The attacker is equivalent to taking advantage of the financial model of the Compound protocol, flash loans, and Balancer code vulnerabilities, creating COMP out of nothing.
secondary title

Hegic

secondary title

Lendf.Me

secondary title

Uniswap

On April 18, 2020, the DeFi project Uniswap was attacked.
Summarize

Summarize

From the statistics above, it can be seen that the total loss of these 21 major attacks was as high as about 1.3 billion RMB.
The 1.3 billion RMB was stolen by various attack methods including price oracle manipulation, re-entrancy attacks, implementation logic errors, flash loan attacks, project party fraud, and wallet attacks, making it hard to guard against.
There have been statistics in the computer field for a long time. On average, there will be 1-25 bugs in every 1000 lines of code.
In other words, this probability ranges from one in a thousand (0.1%) to two and a half percent (2.5%).
Wondering what this probability means? Click【Always afraid of the next second air crash because of the turbulence of the plane? What is the probability that we encounter a vulnerable DeFi contract every day?】Find the answer!
After getting the answer, you can leave a message in the dialog box at the bottom of the CertiK official WeChat account.
Summary of 2020 attack incidents: 90 billion RMB is missing, how can we stay away from hackers in 2021?
If you want to watch the video explanation of this article, please search [CertiK] in the upper right corner of the WeChat video account
In the field of blockchain, any small bug may cause irreparable losses to the project or investors.
To change the prejudices and stereotypes of ducks and establish a safe and secure blockchain ecosystem, it is inseparable from the persistence and dedication of every project and individual for security.
The importance of security audits for blockchain projects is beyond doubt, but projects that have undergone static audits cannot guarantee 100% static and dynamic security.
According to the statistics of CertiK security experts, the security rate of audited smart contracts and nodes in the industry is 92.6%, but the security rate after auditing by CertiK using formal verification technology can be as high as 99.6%!
The remaining 0.4% is mostly due to changes in the smart contract during the interaction process, which leads to the invalidation of the static audit.
At this time, a security situation can be monitored at any timeSecurity Oracleand compensation after the accidentDecentralized Fund PoolIt will be the strongest backing and guarantee for all projects.

Original article, author:CertiK。Reprint/Content Collaboration/For Reporting, Please Contact report@odaily.email;Illegal reprinting must be punished by law.

ODAILY reminds readers to establish correct monetary and investment concepts, rationally view blockchain, and effectively improve risk awareness; We can actively report and report any illegal or criminal clues discovered to relevant departments.

Recommended Reading
Editor’s Picks