Original Title: "SlowMist: 2022 Blockchain Security Review"
Original Author: SlowMist Technology
Looking back at the past year, we have seen many new scenarios, applications, and changes in the crypto field. The number of participants is also gradually increasing, but security issues have always been a concern for the industry's development. Therefore, SlowMist has compiled the major security events that occurred in the industry in 2022 and conducted corresponding analysis and interpretation.
According to the SlowMist Hacked archive, which tracks blockchain security breaches, there were a total of 295 security incidents in 2022, resulting in losses of up to 3.728 billion USD. This represents a decrease of approximately 62% compared to the 9.795 billion USD lost in 2021, but does not include assets lost due to market volatility.
(2022 Security Incident Statistics)
Among them, there were 245 security incidents in various DeFi ecosystems, cross-chain bridges, NFTs, etc., 10 security incidents in exchanges, 11 security incidents in public chains, 5 security incidents in wallets, and 24 security incidents in other types.
From a temporal perspective, the highest number of attack incidents occurred in May and October, reaching 38 cases. The highest amount of losses occurred in March, reaching approximately 700 million US dollars.
The public chain is the most important infrastructure in the Web3 field and one of the most fiercely contested tracks in the industry. The most surprising event of 2022 was undoubtedly the Terra incident. On May 8th, the most destructive crash in the history of the cryptocurrency market occurred: the algorithmic stablecoin UST on the Terra network experienced a massive sell-off of $285 million, triggering a series of chain reactions.
The price of Terra's native token LUNA plummeted without warning, in a continuous cliff-like drop over the course of a single day. Nearly $40 billion of LUNA's market value evaporated, and the total value locked (TVL) in the entire ecosystem also fell almost to zero. This event may have been the trigger that set off the 2022 crypto winter.
According to DeFi Llama data, as of the end of December, the total locked value of DeFi was approximately $39.8 billion, a huge drop of 75% compared to the same period last year. Ethereum dominates with a share of 58.5% (23.3 billion US dollars) of the entire DeFi TVL, followed closely by TRON with a TVL of 4.3 billion US dollars and BNB Chain (BNB) with a TVL of 4.2 billion US dollars. Interestingly, in May 2022, Ethereum's TVL in DeFi decreased by 35%, while TRON's TVL share increased by 47%.
According to SlowMist Hacked's statistics, there were approximately 90 security incidents on BNBChain in 2022, with a total loss of about $785 million, ranking first among all chain platforms in terms of loss amount. Ethereum had about 50 security incidents, with a total loss of about $528 million, followed by Solana with about 11 security incidents and a total loss of about $196 million.
According to data from Dune Analytics, the total value locked (TVL) in Ethereum cross-chain bridges is approximately $8.39 billion, a decrease of about 31% compared to the first half of the year. Currently, Polygon Bridges has the highest TVL ($3 billion), followed by Arbitrum Bridges ($1.28 billion), and then Optimism Bridges ($850 million). Cross-chain bridges allow users to transfer crypto assets from one chain to another, mainly addressing the issue of multi-chain expansion. However, the large amount of funds in cross-chain bridge smart contracts, combined with a lack of security audits, has attracted the attention of hackers.
According to SlowMist Hacked's statistics, there were a total of 15 cross-chain bridge security incidents in 2022, resulting in a staggering loss of 1.21 billion US dollars, accounting for 32.45% of the total losses in 2022.
In short, project teams must make a real effort to eliminate vulnerabilities and reduce security risk as far as possible: a comprehensive, in-depth security audit must be carried out before a project goes live. It is also recommended that project teams strengthen asset protection by introducing multi-signature mechanisms. When a project interacts with other protocols or ports code from them, the team needs to fully understand both the architecture of the ported protocol and their own project's design, ensure the protocols are compatible, and prevent loss of funds. For users, as the ways of participating in the blockchain space become more varied, they should carefully research a project's background and check whether it is open source and has been audited before investing, and remain vigilant about project risks while participating.
NFT performed extremely well in 2022, with NFTScan data showing a total of 198 million transactions on Ethereum, significantly higher than in 2020 and 2021. On BNBChain, there were 345 million NFT transactions throughout the year, and on Polygon, there were 793 million NFT transactions.
On the other hand, according to SlowMist Hacked's incomplete statistics, there were approximately 56 security incidents in the NFT field in 2022, resulting in losses of over $65.43 million. The majority of these incidents were caused by phishing attacks, accounting for approximately 40% (22 incidents), followed by Rug Pull, accounting for approximately 21% (12 incidents).
On February 8th, the US Department of Justice (DOJ) announced that it has seized $3.6 billion worth of Bitcoin related to the 2016 hack of the cryptocurrency exchange Bitfinex. 34-year-old Ilya Lichtenstein and his 31-year-old wife Heather Morgan were arrested in New York and charged with conspiracy to commit money laundering and fraud. This is also the largest financial seizure in the history of the US Department of Justice.
On November 6th, Binance founder CZ tweeted that he had decided to liquidate all remaining FTT on the balance sheet, triggering a standoff between two major exchanges. Despite consecutive tweets from Alameda's CEO and FTX CEO SBF attempting to stabilize user confidence and refute earlier rumors, FTX went bankrupt quickly once liquidity dried up. Ultimately, FTX collapsed and SBF was arrested. The opacity of centralized exchanges has once again sparked a crisis of trust, highlighting the increasingly prominent lack of careful regulation. Whether through stricter protection for consumers or clearer rules for institutions, regulation will increasingly make its presence felt.
After the FTX incident, the sales of hardware wallets have increased significantly, and MetaMask, the wallet with the most users, has reached 30 million monthly active users. According to Finbold data, the download volume of cryptocurrency storage apps based on the top 21 ranking on Android and iOS devices has reached approximately 102.06 million times from January 2022 to October 2022. Although this number is lower than the 177.85 million downloads during the bull market period in 2021, it is higher than any other year except for 2021. Monthly data shows that cryptocurrency wallet downloads were declining at the beginning of the year, but have seen significant growth after the Terra/Luna crash and the FTX incident.
The irreversibility and anonymity of blockchain technology not only effectively protect privacy, but also provide a "protective umbrella" for cybercrime. With the popularity of concepts such as the metaverse and NFTs, cryptocurrency theft and fraud occur frequently. Many criminals issue so-called virtual assets under the banner of blockchain and commit fraud. The sophistication and professionalism of the black and gray industries have far exceeded imagination.
According to data from the Payment and Settlement Department of the People's Bank of China, in 2021 the use of cryptocurrency for fraudulent payments ranked second only to bank transfers, with a total value of up to 750 million US dollars. This is a significant increase from 2020 and 2019, which were only 130 million and 30 million US dollars, respectively. It is worth noting that the use of cryptocurrency in "pig-killing" (pig butchering) scams has grown rapidly. In 2021, 139 million US dollars of "pig-killing" scam proceeds were paid in cryptocurrency, five times the 2020 figure and 25 times that of 2019.
According to a report released by the US Federal Trade Commission (FTC), over 46,000 people have reported falling victim to cryptocurrency scams, resulting in a total loss of over $1 billion since the beginning of 2021. The report states that investment-related fraud is the most common type of cryptocurrency scam, accounting for $575 million of the total amount lost. The most commonly used cryptocurrencies for payment to scammers are BTC (70%), USDT (10%), and ETH (9%).
In the 295 security incidents, the attack methods can be divided into three main categories: attacks caused by design flaws in the project itself and various contract vulnerabilities; tactics such as Rug Pull, phishing, and scams; and asset losses caused by private key leaks.
In 2022, the most common attack method was design flaws in the project itself and various contract vulnerabilities, accounting for about 92% and resulting in losses of $1.06 billion, 40.5% of the total. The most significant of these were flash loan attacks, accounting for about 19% and resulting in losses of $61.33 million. Other attacks include reentrancy, price manipulation, verification issues, and so on.
Asset loss caused by private key theft has an occurrence rate of about 6%, but the amount lost reached 746 million US dollars, second only to contract vulnerability exploitation. Among the incidents caused by private key theft, the largest loss came from the Ronin incident, followed by Harmony, both of which were cross-chain bridges.
In the Web3 world, users' security awareness is often uneven, which leads to varied and frequent phishing attacks against them. For example, attackers take over a project's official media accounts (such as Discord or Twitter) by malicious means, or forge official accounts, and post phishing Mint or AirDrop links, occasionally reposting the real official account's content to confuse the audience. Other examples include fake websites promoted through search-engine advertisements, or domains and content that closely imitate the official ones; luring people into fake events through forged emails or attractive giveaways; or fake app download links that exploit new users' lack of knowledge. In any case, raising security awareness is essential, and once you find you have been tricked, you should move your assets as soon as possible, cut losses promptly, preserve evidence, and seek help from industry security organizations if necessary.
Secondly, the most detestable method is the Rug Pull. A Rug Pull usually refers to project developers abandoning the project and running off with the funds, and more often than not it is a deliberate act by the project team. It can happen in many ways: for example, developers launch initial liquidity, push up the price, and then withdraw the liquidity. Or the team first creates a cryptocurrency project, attracts users to invest through various marketing methods, then at an opportune moment suddenly takes the users' funds, sells the crypto assets, and disappears without a trace. Another example is launching a website and shutting it down after attracting hundreds of thousands in deposits. In 2022, there were 50 Rug Pull incidents, resulting in losses of approximately 188 million US dollars, most often in the BSC ecosystem and the NFT field.
In 2022, other relatively new methods include front-end malicious attacks, DNS attacks, and BGP hijacking; the most bizarre is asset loss caused by human configuration errors.
This section only selects some of the phishing/scam techniques previously disclosed by SlowMist.
Nowadays, most browsers have a built-in bookmark manager, which is convenient but also easy for attackers to abuse. By carefully crafting a malicious phishing page, an attacker can get JavaScript code (a bookmarklet) added to your bookmarks; such code can do almost anything, including gathering information through the webpackChunkdiscord_app frontend package that Discord exposes. When a Discord user clicks the bookmark, the malicious JavaScript runs within the Discord domain the user is on and steals the Discord Token. Once the attacker obtains a project's Discord Token, they can directly automate the takeover of the permissions tied to the project's Discord account. Holding the Token is equivalent to being logged into the Discord account, so the attacker can perform any equivalent operation, such as creating a Discord webhook bot and posting fake messages in channels for phishing. The following is a demonstration of a victim clicking on a phishing bookmark:
Below is a demonstration of JavaScript code written by an attacker to obtain personal information such as the Token, which is then received through a webhook on a Discord server.
As can be seen, assuming the victim added the malicious bookmark under the guidance of a phishing page, when the victim logs in to the Discord web client and clicks the bookmark, the malicious code is triggered and the victim's personal information, such as their Token, is sent to the attacker's channel via the Discord webhook the attacker set up.
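A defender-side check for the delivery vehicle described above, added here as an example and not code from SlowMist or Discord: it walks a Chrome/Chromium "Bookmarks" JSON file and reports every bookmarklet (a `javascript:` URL), rating those that reference Discord's webpack chunk, tokens or webhooks as high. The sample file content is constructed; the marker list is an assumption of what such bookmarklets tend to contain.

```python
# Added example (not SlowMist's code): scan a Chrome/Chromium "Bookmarks" JSON
# file for bookmarklets, the delivery vehicle of the Discord token-stealing
# phishing described above. The sample file below is constructed.
import json
from urllib.parse import unquote

# Substrings that make a bookmarklet especially suspicious in this context (assumed).
SUSPICIOUS_MARKERS = ("webpackChunkdiscord_app", "localStorage", "token", "webhook", "fetch(")

# Constructed sample in the layout Chrome uses for its Bookmarks file.
SAMPLE_BOOKMARKS = json.dumps({
    "roots": {
        "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "children": [
            {"type": "url", "name": "Discord", "url": "https://discord.com/app"},
            {"type": "folder", "name": "Airdrops", "children": [
                {"type": "url", "name": "Claim NFT",  # percent-encoded bookmarklet
                 "url": "javascript:(function(){webpackChunkdiscord_app.push([[0],{},e%3D%3E{}])})()"},
            ]},
        ]},
        "other": {"type": "folder", "name": "Other", "children": [
            {"type": "url", "name": "Docs", "url": "https://docs.example.org/"},
        ]},
    }
})

def walk(node, path=""):
    """Yield (folder path, name, url) for every URL entry under a bookmarks node."""
    if node.get("type") == "url":
        yield path, node.get("name", ""), node.get("url", "")
    for child in node.get("children", []):
        yield from walk(child, f"{path}/{node.get('name', '')}")

def find_bookmarklets(bookmarks_json: str):
    """Return one finding per javascript: bookmark in the file."""
    data = json.loads(bookmarks_json)
    findings = []
    for root in data.get("roots", {}).values():
        if not isinstance(root, dict):
            continue
        for path, name, url in walk(root):
            if not url.strip().lower().startswith("javascript:"):
                continue
            body = unquote(url)  # bookmarklets are usually percent-encoded
            hits = [m for m in SUSPICIOUS_MARKERS if m in body]
            findings.append({"path": path, "name": name, "markers": hits,
                             "severity": "high" if hits else "review"})
    return findings

if __name__ == "__main__":
    for f in find_bookmarklets(SAMPLE_BOOKMARKS):
        print(f["severity"], f["path"], repr(f["name"]), f["markers"])
```

On a real machine, point `find_bookmarklets` at the contents of the profile's `Bookmarks` file; any `javascript:` entry the user does not remember creating deserves removal and a Discord password reset.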
For example, the signature request on the phishing website shown below reads:
Maker: User Address
Taker: 0xde6135b63decc47d5a5d47834a7dd241fe61945a
Exchange: 0x7f268357A8c2552623316e2562D90e642bB538E5 (OpenSea V2 contract address)
This is a common NFT phishing method in which scammers can purchase all of your approved NFTs for 0 ETH (or any token). In other words, the scam tricks users into signing a sell order for NFTs they hold. Once the user signs the order, the scammer can purchase the NFT directly through OpenSea at a price the scammer chose, meaning they can "buy" the user's NFT without spending anything.
In addition, the signature itself is held by the attacker and cannot be invalidated by revoking token approvals on sites such as Revoke.Cash or Etherscan. However, you can cancel the previously signed order to eliminate the phishing risk at its source.
This type of attack is mainly carried out by inviting users, via Discord, to take part in internal testing of a new game project under the pretext of "offering discounts" and the like, or by sending a program through private messages in a group chat. Usually a compressed archive is sent; once it is run on your computer, it scans the files on the machine, filters out those containing keywords such as "Wallet", and uploads them to the attacker's server in order to steal cryptocurrency. The decompressed file is approximately 800 MB in size.
RedLine Stealer is a type of malicious Trojan software that was discovered in March 2020 and sold separately on underground forums. This malicious software collects saved credentials, autofill data, credit card information, and other information from browsers. When running on a target machine, it collects detailed information such as usernames, location data, hardware configurations, and installed security software. The new version of RedLine has added the ability to steal cryptocurrency by automatically scanning for locally installed digital currency wallet information and uploading it to a remote control machine. This malware has the ability to upload and download files, execute commands, and regularly send information about the infected computer. It often targets cryptocurrency wallet directories and wallet files for scanning.
After connecting the wallet and clicking Claim, a signature request pops up and MetaMask displays a red warning. However, it is impossible to tell from this pop-up what content is being requested for signature. In fact, this is a very dangerous type of signature, essentially Ethereum's "blank check". Through this phishing, scammers can get any transaction signed with your private key.
The eth_sign method can sign an arbitrary hash, so it can naturally sign any bytes32 data. Therefore, once we connect to the DApp and the attacker obtains our address, they only need to analyze our account and construct arbitrary data (such as native token transfers or contract calls) for us to sign through eth_sign.
In addition, there is another type of phishing: after you reject the signature above, another signature box is automatically displayed in MetaMask, to trick you into signing while you are not paying attention. Looking at the signature content, the SetApprovalForAll method is used, and the approved asset is shown as "All of your NFT", meaning that once you sign, the scammer can take all of your NFTs without restriction.
This phishing method can be very confusing for users. Authorization phishing seen in MetaMask in the past would intuitively display the data the attacker wants us to sign. When the attacker uses the eth_sign method, however, MetaMask only displays a bytes32 hash.
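A pre-signing triage that covers both the OpenSea order phishing above (Maker: user, Taker: attacker, Exchange: OpenSea V2, price 0) and the eth_sign "blank check" and SetApprovalForAll variants in this section, added here as an example and not code from SlowMist, MetaMask or OpenSea. It assumes the order arrives as EIP-712 typed data with `maker`, `taker` and `basePrice` fields and the exchange as `domain.verifyingContract`; the trusted-operator allowlist and all requests are constructed.

```python
# Added example (not SlowMist's or MetaMask's code): triage wallet JSON-RPC
# requests before signing, for the three patterns described above. Field names
# maker/taker/basePrice and the verifyingContract check are assumptions about
# how the marketplace order is presented as EIP-712 typed data.
import json

OPENSEA_V2 = "0x7f268357a8c2552623316e2562d90e642bb538e5"  # exchange address from the text
ZERO_ADDR = "0x" + "0" * 40
SET_APPROVAL_FOR_ALL = "0xa22cb465"   # 4-byte selector of setApprovalForAll(address,bool)
KNOWN_OPERATORS = {"0x" + "ab" * 20}  # constructed allowlist of operators the user trusts

def decode_set_approval_for_all(data: str):
    """Return (operator, approved) if calldata is setApprovalForAll, else None."""
    data = data.lower()
    if not data.startswith(SET_APPROVAL_FOR_ALL) or len(data) < 138:
        return None
    operator = "0x" + data[34:74]          # last 20 bytes of the first 32-byte word
    approved = int(data[74:138], 16) == 1  # second 32-byte word holds the bool
    return operator, approved

def triage(request: dict) -> dict:
    method, params = request.get("method"), request.get("params", [])
    if method == "eth_sign":
        # Raw hash signing: the wallet can only show bytes32, never the intent.
        return {"risk": "block", "reason": "eth_sign over an opaque hash (blank check)"}
    if method in ("eth_signTypedData_v3", "eth_signTypedData_v4"):
        typed = params[1] if isinstance(params[1], dict) else json.loads(params[1])
        msg, domain = typed.get("message", {}), typed.get("domain", {})
        exchange = (msg.get("exchange") or domain.get("verifyingContract") or "").lower()
        taker, price = msg.get("taker", ZERO_ADDR).lower(), msg.get("basePrice")
        if exchange == OPENSEA_V2 and taker != ZERO_ADDR and price is not None and int(price) == 0:
            return {"risk": "high", "reason": f"zero-price order fillable only by {taker}"}
        return {"risk": "review", "reason": "typed-data order: check price and taker"}
    if method == "eth_sendTransaction":
        decoded = decode_set_approval_for_all(params[0].get("data", "0x"))
        if decoded and decoded[1] and decoded[0] not in KNOWN_OPERATORS:
            return {"risk": "high", "reason": f"setApprovalForAll(true) to unknown operator {decoded[0]}"}
        return {"risk": "low", "reason": "no flagged pattern"}
    return {"risk": "review", "reason": f"unhandled method {method}"}

# Constructed requests mirroring the page's scenarios (user address is 0x11...11).
USER = "0x" + "11" * 20
BLANK_CHECK = {"method": "eth_sign", "params": [USER, "0x" + "22" * 32]}
ZERO_PRICE_ORDER = {"method": "eth_signTypedData_v4", "params": [USER, json.dumps({
    "domain": {"verifyingContract": "0x7f268357A8c2552623316e2562D90e642bB538E5"},
    "message": {"maker": USER, "taker": "0xde6135b63decc47d5a5d47834a7dd241fe61945a",
                "basePrice": "0"}})]}
APPROVE_ALL = {"method": "eth_sendTransaction", "params": [{"from": USER, "data":
    SET_APPROVAL_FOR_ALL + "0" * 24 + "de6135b63decc47d5a5d47834a7dd241fe61945a" + "0" * 63 + "1"}]}

if __name__ == "__main__":
    for req in (BLANK_CHECK, ZERO_PRICE_ORDER, APPROVE_ALL):
        print(req["method"], triage(req))
```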
Unfamiliar addresses transferring 0 USDT have appeared frequently in users' transfer records, and these transactions were all completed by calling the TransferFrom function. The main reason is that the token contract's TransferFrom function does not require an allowance for a transfer amount of 0 (the allowance check only constrains amounts greater than 0), so a 0-value transfer from any user account to an unauthorized account can be initiated without failing. Malicious attackers take advantage of this to continuously initiate TransferFrom operations on active on-chain users in order to trigger transfer events.
Aside from 0 USDT transfer harassment, attackers also continuously airdrop small amounts of tokens (such as 0.01 USDT or 0.001 USDT) to users with high trading volume and frequency. The attacker's address suffix is almost identical to the user's address suffix, usually the last few characters, so users may accidentally copy the wrong address from their transaction history, resulting in asset loss.
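A history scan for the two patterns just described, added here as an example and not code from SlowMist: it flags zero-value transferFrom rows that appear to originate from the user, flags incoming dust from addresses whose suffix mimics a counterparty the user really pays, and offers a pre-send check that names the trusted address a candidate destination imitates. All addresses and records are constructed; the record layout is an assumption.

```python
# Added example (not SlowMist's code): scan a user's token-transfer history for
# zero-value transferFrom spoofs and address-poisoning dust, and check a
# destination before sending. All records and addresses below are constructed.
USER = "0x" + "11" * 20
SUFFIX_LEN = 4       # trailing hex characters people tend to eyeball
DUST_LIMIT = 0.01    # token units; at or below this counts as dust

TRUSTED_PEER = "0x" + "ab" * 18 + "9f3a"   # a deposit address the user really uses
LOOKALIKE = "0x" + "cd" * 18 + "9f3a"      # attacker address with the same 4-char suffix

# Constructed history: (tx id, token from, token to, value, called function)
HISTORY = [
    ("tx1", USER, TRUSTED_PEER, 1500.0, "transfer"),
    ("tx2", TRUSTED_PEER, USER, 200.0, "transfer"),
    ("tx3", LOOKALIKE, USER, 0.001, "transfer"),      # dust airdrop from the lookalike
    ("tx4", USER, LOOKALIKE, 0.0, "transferFrom"),    # 0-value transferFrom "from" the user
    ("tx5", USER, TRUSTED_PEER, 320.0, "transfer"),
]

def trusted_counterparties(history, user):
    """Addresses the user has actively sent value to. Zero-value rows are ignored
    because transferFrom(user, x, 0) needs no allowance and proves nothing."""
    return {to for _, frm, to, val, _ in history if frm == user and val > 0}

def find_harassment(history, user):
    """Return (tx id, pattern, counterpart) for every suspicious row."""
    trusted = trusted_counterparties(history, user)
    suffixes = {a[-SUFFIX_LEN:] for a in trusted}
    findings = []
    for txid, frm, to, val, fn in history:
        if fn == "transferFrom" and frm == user and val == 0:
            findings.append((txid, "zero-value transferFrom spoof", to))
        elif (to == user and 0 < val <= DUST_LIMIT and frm not in trusted
              and frm[-SUFFIX_LEN:] in suffixes):
            findings.append((txid, "address-poisoning dust", frm))
    return findings

def lookalike_of(candidate, history, user):
    """Before sending: return the trusted address that `candidate` mimics, or None."""
    for addr in trusted_counterparties(history, user):
        if addr != candidate and addr[-SUFFIX_LEN:] == candidate[-SUFFIX_LEN:]:
            return addr
    return None

if __name__ == "__main__":
    for finding in find_harassment(HISTORY, USER):
        print(*finding)
    print("lookalike of", LOOKALIKE, "->", lookalike_of(LOOKALIKE, HISTORY, USER))
```

The practical defence is the same as the text's advice: copy destination addresses from a saved address book rather than from transaction history, and compare the whole address, not just its ends.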
Above are just some common attack methods and scenarios. In fact, hackers always come up with new attack methods. What we can do is to constantly improve our knowledge and awareness.
For individual users, following these security rules and principles can avoid most risks:
Two major security rules:
Zero trust. Simply put, it means to remain suspicious, and to always remain suspicious.
Continuous verification. If you want to believe, you must have the ability to verify the points you doubt and cultivate this ability as a habit.
Security Principles:
On the internet, information should always be cross-checked against at least two sources that corroborate each other, while maintaining a healthy level of skepticism.
Do a good job of isolation, which means not putting all your eggs in one basket.
For wallets that hold important assets, frequent updates are not recommended: if it works, leave it alone. What you see is what you sign: the content you see should be exactly what you expect to sign, and the result after you sign and send it should be what you expected, not something you regret later.
Pay attention to system security updates and take immediate action when there are security updates.
Do not download programs indiscriminately.