
In the blockchain industry, security is the most fundamental issue. You have surely heard remarks such as "one line of code loses billions" and "a year's work taken away by hackers overnight". Blockchain development is still in its infancy, and because data on chain cannot be tampered with once written, the industry has become the hardest-hit area for hacker attacks.
DEOS Games
Event background
DEOS Games is a decentralized gambling game application platform running on the EOS blockchain. On September 9, a DEOS Games user named RunningSnail made a seemingly lucky bet worth about $1,000 dozens of times in a row: deposit 10 EOS, and win the jackpot 30 seconds later.
Size of loss: ~$24,000 worth of EOS
Event history and security analysis
◆ Within less than an hour of their creation, DEOS made 24 transfers to EOS accounts, all of which had been created by a contract less than a day earlier. According to the EOS transaction records, each malicious account received about 20 times its deposit from the DEOS Games contract whenever it deposited 10 EOS. In other words, the hackers exploited a loophole in the gambling game that won the jackpot on every bet, and the overall payoff of the attack was about 20 times its cost.
◆ DEOS Games officially tweeted: "This is a good stress test, and our project has been significantly improved at the contract level."
Safe Panther's View
◆ After the attack, the reaction of the DEOS Games team was puzzling. They did not explain to the community how they monitor for hacker attacks, even though, by common sense, a simple monitoring script can detect this kind of abnormal pattern.
◆ If we assume that DEOS Games had such a detection tool, then the deeper reasons for this attack are worth investigating, and the suspicion that the team itself was playing tricks cannot be ruled out.
◆ At present, the risk of this kind of gambling game is too high; we recommend that users invest rationally and choose carefully.
September 18, 2018 - NewDex
NewDex is the world's first decentralized exchange based on the EOS blockchain. It launched on August 8 and claims to fully support the performance of the platform, with transaction speed comparable to centralized exchanges while guaranteeing asset safety. However, a little more than a month after going online, it suffered an incident in which counterfeit EOS was traded on the exchange. Through this incident, outsiders began to question whether NewDex is truly a decentralized exchange.
Loss scale: 58,
Event history and security analysis
◆ The malicious EOS account "oo1122334455" issued 1 billion fake EOS at 14:01:45 on September 14, 2018 and allocated the full amount to the dapphub12345 account.
◆ The fake EOS was immediately transferred from dapphub12345 to the iambillgates account (the account that carried out the attack). At 14:21:37, the iambillgates account placed several pending orders paying in fake EOS for IPOS and ADD, and succeeded in buying IPOS, ADD, BLACK and IQ with the fake EOS. It then immediately transferred the illegally obtained tokens to the xx1234512345 and x12345x12345 accounts; finally, xx1234512345 sold some of those tokens at market price on Newdex for a total of 4,028 real EOS.
◆ The real EOS native currency was then sent to Bitfinex and traded for other cryptocurrencies.
◆ The fake EOS trading incident caused a total loss of 11,803 EOS to Newdex users. The NewDex team apologized for the event, decided to bear all the losses itself, and has since resumed normal operations.
Safe Panther's View
◆ In this incident, the hackers traded fake tokens for EOS native currency, causing a serious devaluation of EOS within the NewDex system.
◆ The hacker was able to succeed because NewDex did not verify the authenticity of the token through its smart contract. From this we can conclude that, in essence, NewDex is just a centralized off-chain exchange that processes the orders users place when trading; it is not the decentralized exchange it claims to be!
◆ Various signs point to the fact that NewDex is only pretending to be a decentralized exchange: it does trade matching on its central server, and the system does not even check the authenticity of deposited tokens while processing a trade.
◆ Here we suggest that you conduct detailed due diligence when choosing a digital currency exchange, and not be misled by media publicity; consult rating services such as RatingToken.
Zaif
Event background
On September 19, 2018, Bitcoin, MonaCoin and Bitcoin Cash were stolen from the Zaif exchange, run by Osaka-based Tech Bureau Corp. Of the $60 million worth of digital currency stolen, about 2.2 billion yen ($19.6 million) belonged to the exchange and the rest were customer funds.
Size of loss: $60 million
Event history and security analysis
◆ After September 14, 2018, the Zaif exchange closed its deposit and withdrawal service for users.
◆ According to Zaif, the reason for shutting down the service was that between 17:00 and 19:00 on September 14 someone illegally hacked into its hot wallet.
◆ It was verified that the hacker's illegal behaviour resulted in the loss of USD 5,900 worth of BTC, Bitcoin Cash and MonaCoin.
◆ Zaif did not disclose the details of the attack in its bulletin; it sought the help of the Japanese authorities to investigate the theft.
◆ Facts show that before this attack, Japan's Financial Services Agency (FSA) had issued early warnings to Zaif about its internal management system and security measures, on March 8 and June 22 respectively.
◆ Immediately after the theft, the FSA issued its third business improvement order this year to Tech Bureau, Zaif's parent company. But Zaif had taken no action on the FSA's earlier advice.
◆ According to Zaif's disclosure to the authorities, the cause of the incident was that the computer of an exchange employee was hacked.
◆ On November 22, Zaif transferred its virtual currency business to FISCO Group, which will take over Zaif and compensate users for the stolen funds.
Safe Panther's View
◆ According to various indications, the likely cause of the incident is that the computers of Zaif employees were successfully compromised by hackers using phishing websites.
◆ For a digital currency exchange, making such a low-level mistake is very unreasonable.
Other similar attacks
In July 2017, the same method was used in the Bithumb hack, in which millions of dollars in cryptocurrency were stolen and customer data was leaked.
SpankChain
Event background
SpankChain is an adult entertainment blockchain project built on the Ethereum public chain. The team blogged on October 9 that it had been hacked the previous Saturday (October 6), losing 165.38 ETH (worth about $38,000 at the time); another $4,000 worth of BOOTY tokens was frozen.
Loss scale: more than $40,000 (combined value of the lost ETH and BOOTY tokens at the time)
Event history and security analysis
◆ The hacker exploited a reentrancy vulnerability in the SpankChain smart contract, similar to the well-known vulnerability in The DAO incident.
◆ The technical team discovered that the contract had been hacked 24 hours after the attack, and the SpankChain team immediately shut down its official website.
◆ After the attack, the company stated that it would carry out an ETH airdrop to reimburse users who lost funds in the attack.
◆ On October 12, the hacker contacted the CEO of SpankChain and returned 165.38 ETH to the team. In addition, the hacker helped SpankChain recover about 4,000 BOOTY tokens that had been frozen by the attack. In return, the SpankChain team gave the hacker a reward.
Safe Panther's View
◆ The SpankChain community reacted fiercely to this incident, probably because it was hard to accept that hackers could still attack using the famous reentrancy vulnerability.
◆ Reentrancy is essentially recursion: a function is called again, cyclically or by itself, before its first invocation has finished. The most fundamental fix for a reentrancy vulnerability is to update all the state that should change before the transfer is made, not after it.
◆ Here I remind everyone once again of the importance of security audits in the blockchain industry. Before going on chain, a small fee invested in a security audit of the smart contract can largely avoid this kind of incident.
◆ On a blockchain there is no concept of deletion or modification. Once a contract is deployed to a public chain it cannot be tampered with, and tens of thousands of hackers around the world can take their time finding such loopholes line by line. For the blockchain industry, security audits are an essential process.
◆ Fortunately, the hacker returned the Ether, worth millions of dollars at the time. It is unclear why the hackers returned the stolen funds; it may come as a consolation to victims, but it does not happen often. This is not the first time hackers have returned stolen funds, however: it also happened in the CoinDash ICO incident.
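The ordering rule in the bullets above, shown as an added example in plain C++ (not SpankChain's contract code): a withdraw that pays the recipient before updating its books, beside the checks-effects-interactions ordering that fixes it. The Bank, Receiver hook and account names are constructed for the model.

```cpp
// Added example, not SpankChain's code: a plain C++ model of a withdraw that
// pays the caller before updating its books, beside the fixed ordering.
#include <functional>
#include <map>
#include <stdexcept>
#include <string>
// Models a contract that runs code of its own when it receives a payment.
using Receiver = std::function<void(const std::string& who)>;
struct Bank {
    std::map<std::string, long long> balances;   // what each account is owed
    long long vault = 0;                         // funds the contract really holds
    std::map<std::string, Receiver> hooks;       // receive hooks of contract accounts
    void deposit(const std::string& who, long long amt) { balances[who] += amt; vault += amt; }
    void pay(const std::string& who, long long amt) {
        if (amt <= 0 || amt > vault) throw std::runtime_error("refused");
        vault -= amt;
        if (hooks.count(who)) hooks[who](who);   // external call: recipient code runs here
    }
    // Vulnerable ordering: interaction first, state update afterwards. While the
    // recipient's hook runs, balances[who] still holds the old value.
    void withdraw_vulnerable(const std::string& who) {
        long long amt = balances[who];
        pay(who, amt);
        balances[who] = 0;
    }
    // Fixed ordering (checks-effects-interactions): zero the balance, then pay.
    void withdraw_fixed(const std::string& who) {
        long long amt = balances[who];
        balances[who] = 0;
        pay(who, amt);
    }
};
// Constructed scenario: a contract account whose receive hook calls withdraw
// again while the first withdraw is still running. Returns what is left in the
// vault; with the vulnerable ordering the victim's deposit is gone as well.
long long vault_after_reentrant_withdraw(bool fixed) {
    Bank bank;
    bank.deposit("victim", 90);
    bank.deposit("reentrant", 10);
    bank.hooks["reentrant"] = [&](const std::string& who) {
        try {
            if (fixed) bank.withdraw_fixed(who); else bank.withdraw_vulnerable(who);
        } catch (const std::runtime_error&) {}   // the nested call was refused
    };
    if (fixed) bank.withdraw_fixed("reentrant"); else bank.withdraw_vulnerable("reentrant");
    return bank.vault;   // 0 with the vulnerable ordering, 90 with the fixed one
}
```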
Other similar attacks
DAO Hack: one of the most notorious events in the history of Ethereum, which caused a hard fork that split the chain into Ethereum and Ethereum Classic.
EOSBet Casino (14 September and 15 October 2018)
EOSBet is a gaming platform on EOS. It was attacked by hackers twice, on September 14 and October 15, with losses of 44,427.4302 EOS and 138,319.7995 EOS respectively.
Loss scale: USD 200,000 + USD 338,000 (both in lost EOS)
Event history and security analysis
First hack:
◆ On September 14, EOSBet was attacked by hackers. The EOSBet team officially announced: "This attack is not simple. We are collecting evidence and piecing together what happened to find clues."
◆ According to TheNextWeb's analysis, "the hacker's attack method was to use a fake hash to call the 'transfer' function externally".
◆ After the attack, an EOS account with a name very similar to the official EOSBet account sent a small amount of EOS to the attacker's address, with a message asking them to return the stolen funds and claiming that if they did not, a team of lawyers would be hired to hunt down and prosecute the attackers.
◆ On September 16, EOSBet went back online and officially released a detailed report on the attack, promising that all loopholes in its contract had been patched and that it was now very safe.
Second attack:
◆ One month later, the hacker exploited a loophole in how the EOSBet contract verified the payee of a transfer, forged a transfer notification, and made a total profit of 138,319.7995 EOS from eosbetdice11.
◆ Of this, 72,150 EOS flowed into Bitfinex and 65,100 EOS into Poloniex. At the current EOS market price of 37 yuan, the EOSBet platform lost more than 5 million yuan this time.
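Both the NewDex incident (a token named "EOS" that was not issued by the system token contract) and the second EOSBet attack (a transfer notification whose payee was not the contract itself) come down to a deposit handler trusting a notification it did not validate. The following is an added example in plain C++, not NewDex, EOSBet or Cheetah code and not EOSIO CDT code: a model of the checks a contract's transfer handler needs before crediting a deposit. The field names follow the eosio.token transfer action; the weak check, the Verdict names and the account names are assumptions made for the model.

```cpp
// Added example, not NewDex or EOSBet code: a plain C++ model (no EOSIO headers)
// of the checks a contract's transfer handler needs before crediting a deposit.
// Field names follow the eosio.token transfer action; account names are made up.
#include <cstdint>
#include <string>
struct Notification {
    std::string code;      // contract whose action produced this notification
    std::string action;    // action name
    std::string from;
    std::string to;        // payee named inside the transfer
    int64_t amount;        // quantity in smallest units (EOS has 4 decimals)
    std::string symbol;    // token symbol, e.g. "EOS"
    uint8_t precision;
};
enum class Verdict { Accept, WrongAction, NotSystemToken, Outgoing, NotForUs, WrongSymbol, NonPositive };
// Assumed weak check, modelling a handler that only looks at action and symbol.
Verdict weak_check(const Notification& n) {
    if (n.action != "transfer") return Verdict::WrongAction;
    if (n.symbol != "EOS") return Verdict::WrongSymbol;
    return Verdict::Accept;
}
// Hardened check; each rejection below maps to an incident on this page.
Verdict check_deposit(const Notification& n, const std::string& self) {
    if (n.action != "transfer") return Verdict::WrongAction;
    // NewDex: a token named "EOS" issued by any other contract arrives with a
    // different 'code'. Only the system token contract counts.
    if (n.code != "eosio.token") return Verdict::NotSystemToken;
    // The contract's own payouts also notify it; never credit those.
    if (n.from == self) return Verdict::Outgoing;
    // EOSBet, second attack: a genuine eosio.token transfer between two other
    // accounts whose notification was relayed to us. The payee must be us.
    if (n.to != self) return Verdict::NotForUs;
    if (n.symbol != "EOS" || n.precision != 4) return Verdict::WrongSymbol;
    if (n.amount <= 0) return Verdict::NonPositive;
    return Verdict::Accept;
}
```

In a real EOSIO contract the same checks sit in the transfer handler reached from the apply dispatcher, where `code` is the contract that produced the notification and `self` is the receiving contract.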
Safe Panther's View
Epilogue
The major security incidents of September and October were mainly EOS smart contract vulnerabilities and exchange-related vulnerabilities, and the losses can be described as very high. Yet many of these incidents were completely avoidable; security incidents occur so frequently largely because our security awareness is too weak.
The frequent occurrence of security incidents, coupled with the sharp downturn in the industry, keeps hitting the confidence of blockchain participants. But we might as well change perspective and look at the development of the whole industry: if participants can become vigilant after the huge losses of these incidents, learn from past lessons and pay more attention to building security, I believe this is very good for a thriving blockchain industry.
Cheetah Blockchain Security is built on the technology of Kingsoft Internet Security, combined with artificial intelligence, NLP and other technologies, and provides blockchain users with ecosystem security services such as contract auditing and sentiment analysis. Its product RatingToken is dedicated to rating and ranking digital currencies and ICOs, and is the most popular blockchain rating agency.
RatingToken official website