Q1 Report on Global Web3 blockchain Security Situation and Key Regulatory Policies of the crypto Industry in 2023 (Part 1)

23-04-12 21:00
The original title: "Beosin blockbuster | 2023 Q1 global Web3 block chain security situation and encryption key regulatory policy report (on)"
Original source: Beosin


1 Overview of Web3 security situation in the first quarter of 2023


In the first quarter of 2023, Beosin EagleEye, the security risk monitoring, early-warning and blocking platform of blockchain security audit firm Beosin, detected 61 major attacks in the Web3 space, with total losses of about $295 million. That is down about 77% from the fourth quarter of 2022, and the total loss in the first quarter of 2023 was lower than in any quarter of 2022.


In addition to the attacks, 41 major rug pulls involving approximately $20.34 million were detected in the first quarter of 2023.


In March, the month with the most frequent attacks, losses totaled $235 million, 79.7% of the total losses for the first quarter.


By project type, DeFi was attacked most frequently and lost the most money this quarter: 42 security incidents caused total losses of $248 million, 84% of all losses.


By chain platform, 80.8% of losses came from Ethereum, which ranks first among all chains.


By attack method, the most costly technique this quarter was the flash loan attack, with about $198 million lost in eight flash loan incidents. The most frequent technique was contract vulnerability exploitation, with 27 attacks accounting for 44% of all incidents.


In terms of fund flows, about $200 million of stolen assets was recovered during the quarter, a better result than any quarter of 2022.


In terms of audit status, only 41 percent of the attacked projects had been audited.


2 Attack Events Overview


In the first quarter of 2023, the Beosin EagleEye security risk monitoring, early-warning and blocking platform detected 61 major Web3 attacks with total losses of approximately $295 million. One incident cost more than $100 million (the Euler Finance flash loan attack, $197 million); two incidents lost between $10 million and $100 million, and 17 lost between $1 million and $10 million.






Overall, losses from attacks rose month by month during the first quarter. In March, the month with the most frequent attacks, losses reached $235 million, 79.7% of the total losses for the quarter.


3 Types of projects attacked


Eighty-four percent of the losses came from DeFi projects


The crypto market bottomed out and rebounded after a months-long downtrend and multiple black-swan events had deleveraged the sector, and DeFi TVL rebounded along with token prices in the first quarter.


In the first quarter of 2023, there were 42 security incidents in DeFi projects, 68.9% of all incidents. DeFi's total losses amounted to $248 million, or 84% of the total. DeFi was the project type attacked most frequently and with the largest losses this quarter.


NFT projects had the second largest losses ($18.52 million), mainly from NFT phishing incidents. The third largest category was individual users, all of them phishing attacks. The fourth largest was wallet attacks. By type, positions two through four of the loss ranking are all closely tied to user security.


In the first quarter of 2023, there was only one cross-chain bridge security incident, costing $130,000. In 2022, 12 cross-chain bridge incidents caused an estimated $1.89 billion in losses, the highest of any project type. After the many bridge incidents of 2022, cross-chain bridge security improved significantly this quarter.




4 Losses by chain platform


80.8% of the losses came from Ethereum


In the first quarter of 2023, there were 17 major attacks on the Ethereum chain, with estimated losses of $238 million. Ethereum ranks first among all chain platforms, accounting for about 80.8% of losses.




BNB Chain saw the largest number of attacks, 31 in total. Its losses of $19.8 million were the second largest of all platforms.


The third most costly chain was Algorand, where the losses came from the MyAlgo wallet theft. Algorand had no major security incidents in 2022.


It is worth noting that Solana had the third largest losses of all public chains in 2022, yet no major attacks were detected on it this quarter.


5 Analysis of attack methods



The most costly attack method this quarter was the flash loan attack, with about $198 million lost in eight incidents, or 67% of all losses.




The most frequent attack technique was contract vulnerability exploitation, with 27 attacks accounting for 44% of all incidents. Losses from contract vulnerabilities totaled $39.05 million, the second highest of any attack type.


Of the 42 attacks on DeFi projects in the first quarter of 2023, 22 were due to contract vulnerability exploits. DeFi projects need to pay special attention to contract security.


Broken down by vulnerability type, the three most costly were business logic/function design flaws, permission issues and reentrancy. 17 business logic/function design flaws caused a total loss of $22.44 million.



6 Analysis of attack methods in typical cases


6.1 Euler Finance Security Event


Event summary


On March 13, Euler Finance, a lending protocol on Ethereum, was hit by a flash loan attack that resulted in losses of $197 million.


On March 16, the Euler Foundation offered a $1 million reward for information leading to the arrest of the hackers and the return of the stolen funds.


On March 17, Euler Labs CEO Michael Bentley tweeted that Euler "has always been a security-conscious project." From May 2021 to September 2022, Euler Finance was audited 10 times by six blockchain security companies, including Halborn, Solidified, ZK Labs, Certora, Sherlock and Omniscia.


From March 18 to April 4, the attacker returned the funds in stages. In a message posted on-chain, the attacker apologised, saying he had "messed up other people's money, other people's jobs, and other people's lives" and asked for forgiveness.




On April 4, Euler Labs tweeted that, after successful negotiations, the attacker had returned all of the stolen funds.


Vulnerability analysis


In this attack, the donateToReserves function of the EToken contract did not properly check the donor's actual token holdings or the health of the donor's account after the donation. The attacker used this flaw to donate 100 million eDAI when in fact only 30 million DAI had been deposited as collateral.


Because the account's health met the liquidation conditions after the donation, liquidation was triggered. During liquidation, eDAI and dDAI are transferred to the liquidator contract; because the bad debt is so large, the liquidator receives the maximum discount. After liquidation, the liquidator contract held 310.93M eDAI and 259.31M dDAI.


At this point the liquidator's account is healthy again and it can withdraw funds. The withdrawable amount is the difference between its eDAI and dDAI balances, but the pool actually held only 38.9 million DAI, so only that amount could be withdrawn.




6.2 BonqDAO Security Event


Event summary


On February 1, the crypto protocol BonqDAO was hit by a price manipulation attack. The attacker minted 100 million BEUR tokens and then swapped BEUR for other tokens on Uniswap. The price of ALBT then fell to almost zero, further triggering liquidations of ALBT-collateralized troves. At the token prices at the time of the attack the loss was as high as $88 million, but the actual loss was about $1.85 million because liquidity was exhausted.


Vulnerability analysis


The attacker carried out two kinds of manipulation: first controlling the price to borrow a large number of tokens, then controlling the price to liquidate other users' collateral for profit.


The oracle used by the BonqDAO platform reads prices with the function getCurrentValue instead of getDataBefore. The attacker became a price reporter by staking 10 TRB tokens (worth only about $175) and changed the reported price of WALBT by calling the oracle's submitValue function. After setting the price, the attacker called createTrove on the Bonq contract, created a trove, and put 0.1 WALBT into it as collateral. Normally the loan amount must stay below the value of that 0.1 WALBT so that the collateral ratio remains in a safe range. However, the contract values the collateral through the TellorFlex contract, and the attacker had just pushed the WALBT price abnormally high, so this single loan let the attacker borrow 100 million BEUR. In a second transaction the attacker set the WALBT price abnormally low, liquidating the WALBT collateral of other users at small cost.
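To make the getCurrentValue versus getDataBefore distinction concrete, here is an added example (constructed for this report, not Bonq's or Tellor's code) of a simplified stake-to-report oracle. It assumes a minimum reporter stake MIN_STAKE, a consumer-side delay DISPUTE_WINDOW, and constructed prices: honest reports of 0.20 followed by a staked reporter pushing 5000.0 in the same block the loan is taken.

```python
import bisect
from dataclasses import dataclass, field

# Constructed, simplified model in the style of a stake-to-report oracle.
MIN_STAKE = 10            # assumption: minimum reporter stake, in TRB
DISPUTE_WINDOW = 20 * 60  # assumption: consumer only trusts reports >= 20 min old

@dataclass
class Oracle:
    stakes: dict = field(default_factory=dict)   # reporter -> staked TRB
    reports: dict = field(default_factory=dict)  # query_id -> sorted [(ts, price, reporter)]

    def deposit_stake(self, reporter: str, amount: float) -> None:
        self.stakes[reporter] = self.stakes.get(reporter, 0) + amount

    def submit_value(self, query_id: str, ts: int, price: float, reporter: str) -> None:
        # Anyone with the minimum stake may report; a bad report can only be disputed later.
        if self.stakes.get(reporter, 0) < MIN_STAKE:
            raise PermissionError("insufficient stake")
        bisect.insort(self.reports.setdefault(query_id, []), (ts, price, reporter))

    def get_current_value(self, query_id: str) -> float:
        # Latest report, whoever submitted it and however recently.
        return self.reports[query_id][-1][1]

    def get_data_before(self, query_id: str, ts: int):
        # Latest report with timestamp strictly before ts, or None if there is none.
        rows = self.reports[query_id]
        i = bisect.bisect_left(rows, (ts,))
        return rows[i - 1][1] if i > 0 else None

def collateral_value_naive(oracle: Oracle, query_id: str, amount: float) -> float:
    # Bonq-style read: a report pushed in the same block is used immediately.
    return amount * oracle.get_current_value(query_id)

def collateral_value_delayed(oracle: Oracle, query_id: str, amount: float, now: int) -> float:
    # Only prices that have sat through the dispute window are trusted.
    price = oracle.get_data_before(query_id, now - DISPUTE_WINDOW)
    if price is None:
        raise ValueError("no report old enough to have survived the dispute window")
    return amount * price

def scenario() -> tuple:
    """Constructed timeline: honest 0.20 reports every 10 min, then 5000.0 at t=3600."""
    o = Oracle()
    o.deposit_stake("honest", 100)
    o.deposit_stake("attacker", MIN_STAKE)
    for t in range(0, 3600, 600):
        o.submit_value("WALBT/USD", t, 0.20, "honest")
    o.submit_value("WALBT/USD", 3600, 5000.0, "attacker")
    now = 3600
    return (collateral_value_naive(o, "WALBT/USD", 0.1),
            collateral_value_delayed(o, "WALBT/USD", 0.1, now))
```

The naive read values 0.1 WALBT at 500.0 the moment the manipulated report lands, while the delayed read still values it at 0.02, leaving the window in which the bad report can be disputed before any loan is priced on it.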


6.3 Platypus Finance Security Event


Event summary


On February 17, Platypus Finance on Avalanche was attacked because of a flaw in a function's check mechanism, with an estimated loss of $8.5 million. However, the attacker had not implemented a withdrawal function in the attack contract, so the proceeds stored in that contract could not be extracted.


On February 23, Platypus said it had contacted Binance, identified the hackers, and would pay back at least 63% of the funds.


On February 26, the French national police arrested and summoned two suspects in connection with the attack on Platypus.


Vulnerability analysis


The root cause is that the check in the emergencyWithdraw function of the MasterPlatypusV4 contract only verifies that the user's borrowed amount does not exceed the user's borrowLimitUSP (borrowing limit), not whether the user has repaid the debt. The attacker first borrowed 44 million USDC through an AAVE flash loan, deposited it into the Pool contract and minted 44 million LP-USDC. The attacker then called the borrow function to take out 41.79 million USP, followed by emergencyWithdraw.




emergencyWithdraw calls an isSolvent function to check whether the borrowed balance exceeds the maximum borrowable value. It returns true and the transfer goes ahead, without considering whether the debt has been repaid, so the attacker could directly withdraw the 44 million LP-USDC staked earlier without repaying the debt.
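The Euler donateToReserves flaw (6.1) and the Platypus emergencyWithdraw flaw (6.3) are both missing post-condition checks on a collateral position. The following added example (a constructed, simplified ledger, not Euler's or Platypus's code) shows each vulnerable check beside its corrected form; it assumes a single collateral factor COLLATERAL_FACTOR and values in USD, and the test scales the Platypus figures to millions.

```python
from dataclasses import dataclass

# Constructed, simplified collateral ledger. Assumption: a position is healthy
# while debt <= collateral * COLLATERAL_FACTOR.
COLLATERAL_FACTOR = 0.75

class Undercollateralized(Exception):
    pass

class DebtOutstanding(Exception):
    pass

@dataclass
class Position:
    collateral: float  # e.g. eDAI or LP-USDC held as collateral, valued in USD
    debt: float        # e.g. dDAI or USP owed, in USD

    def is_healthy(self) -> bool:
        return self.debt <= self.collateral * COLLATERAL_FACTOR

def donate_to_reserves_vulnerable(pos: Position, amount: float) -> None:
    # Burns the donor's collateral without re-checking the position afterwards
    # (the Euler pattern): the account can be left liquidatable on purpose.
    pos.collateral -= amount

def donate_to_reserves_fixed(pos: Position, amount: float) -> None:
    if amount > pos.collateral:
        raise ValueError("donating more than the account actually holds")
    pos.collateral -= amount
    if not pos.is_healthy():
        pos.collateral += amount  # roll back, as an on-chain revert would
        raise Undercollateralized("donation would leave the account liquidatable")

def emergency_withdraw_vulnerable(pos: Position, borrow_limit: float) -> float:
    # Only asks the isSolvent-style question "is debt within the limit?"
    # (the Platypus pattern); the debt is never required to be zero.
    if pos.debt > borrow_limit:
        raise Undercollateralized("over the borrow limit")
    out, pos.collateral = pos.collateral, 0.0
    return out

def emergency_withdraw_fixed(pos: Position, borrow_limit: float) -> float:
    # Collateral backing an open loan must not leave while the loan is open.
    if pos.debt != 0:
        raise DebtOutstanding("repay before withdrawing collateral")
    if pos.debt > borrow_limit:
        raise Undercollateralized("over the borrow limit")
    out, pos.collateral = pos.collateral, 0.0
    return out
```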


7 Fund flow analysis


Approximately $200,146,821 of stolen assets was recovered in the first quarter of 2023, 67.8% of all stolen assets. All of the $197 million stolen from Euler Finance was returned by the hacker. Other recoveries include the return of the entire $3.65 million stolen from dForce on February 13, and on March 7 the white-hat hacker who attacked Tender.fi returned the stolen funds and received a bounty of 62 ETH. This quarter was better than any quarter of 2022.




The Beosin KYT anti-money-laundering analysis platform found that approximately $23.13 million (7.8%) of stolen assets was transferred to Tornado Cash, with a further $2.54 million sent to other mixers. Compared with last year, the share of stolen funds sent to mixers this quarter was significantly lower. Since sanctions were imposed on Tornado Cash in August last year, the share of stolen funds transferred to Tornado Cash has fallen steadily from Q3 2022 onward.


Beosin KYT also found that about $60.2 million (20.3%) of stolen assets remained in hacker addresses, and about $9.32 million (3.1%) was transferred to exchanges. Most of the incidents in which funds reached exchanges were small-amount attacks, while a few were phishing incidents that took several days to come to public attention. The lack of attention, or the delay in attention, gives hackers the opportunity to move stolen funds to exchanges.


8 Analysis of project audit status


Of the projects attacked in the first quarter of 2023, 28 had been audited and 25 had not, excluding eight incidents to which audit status does not apply, such as phishing attacks on individual users.


Of the 27 contract-vulnerability attacks this quarter, 15 hit audited projects (about $31.19 million in losses) and 12 hit unaudited projects (about $7.86 million in losses). Audit quality across the market is still not encouraging. Projects should compare audit firms more carefully before choosing one, so that project security is effectively guaranteed by a professional audit company.




9 Rug Pull analysis


In the first quarter of 2023, 41 major rug pulls were detected in the Web3 space, involving approximately $20.34 million.


By dollar amount, 6 rug pulls (14.6%) exceeded $1 million, 12 (29.2%) were between $100,000 and $1 million, and 23 (56%) were below $100,000.




Of the 41 rug pulls, 34 projects (83%) were deployed on BNB Chain. Why do so many fraudulent projects choose BNB Chain?


The reasons may be as follows:


1) BNB Chain gas costs are lower and the block interval is shorter.


2) BNB Chain has more active users, and scam projects prefer chains with a large active user base.


3) Binance makes it convenient for BNB Chain users to cash out.




10 2023 Q1 Security Situation Summary


Overall, total losses from attacks in the first quarter of 2023 were lower than in any quarter of 2022, and fund recovery was also better than in every quarter of 2022. After a hack-ridden 2022, overall security in the Web3 space improved significantly this quarter.


DeFi was the project type attacked most frequently and with the largest losses this quarter. A total of 42 security incidents occurred in the DeFi sector, 22 of which stemmed from contract vulnerability exploitation (11 in audited projects and 11 in unaudited projects). Most such vulnerabilities can be found and fixed during the audit stage if a professional security company is engaged.


User security was also a major focus this quarter. With Blur reigniting the NFT market, NFT phishing incidents increased sharply. Double-check every link to confirm it is the official website, check the content of what you are signing, verify the transfer address in full, download apps only from official app stores, and install anti-phishing plugins: every step calls for vigilance.


Rug pulls continued this quarter, with 56 percent of them worth less than $100,000. Such projects usually lack information on their official website, Twitter, Telegram, GitHub and so on; they have no roadmap or white paper, team member information is suspicious, and the cycle from launch to exit typically does not exceed three months. Users are advised to do more background checks on a project to avoid losing funds.


In the next post we will share the second part of the report, a summary of regulatory policies for the crypto industry. Please stay tuned to the official Beosin account.

