Inventory of blockchain security incidents in 2018
Cheetah Blockchain Security (猎豹区块链安全)
2019-01-03 12:49
This article is about 6,964 characters long; reading it takes roughly 28 minutes.

2018 was the year of the blockchain's fastest growth; the total market value of global cryptocurrencies at one point approached 800 billion US dollars. But a steady stream of vulnerabilities also made 2018 the most rampant year yet for hackers.

The frequent security incidents seriously hindered the healthy development of blockchain: they not only caused considerable losses for users, but also directly brought many projects to an "end".


What security incidents happened in 2018?

Overview

In 2018 both the number of security incidents and the losses they caused rose sharply:

Figure 1: Trend of economic losses caused by security incidents (unit: 10,000 USD); source: bcsec


Figure 2: Number of major security incidents; source: bcsec

According to bcsec statistics, more than 2 billion US dollars was stolen in 2018, and the number of large-scale incidents exceeded 130, roughly one every three days. Blockchain users and project teams have become "cash machines" for the 300,000 or so hackers around the world.

Figure 3: Losses caused by security incidents in 2018; source: 31QU

Smart Contract Security

At present the blockchain sector as a whole is still in a downturn, but smart contracts continue to be deployed steadily. According to data from the Cheetah Blockchain Security Center, the number of smart contracts on Ethereum has grown by an average of more than 2,000 per day over the past month.

Although smart contract incidents are comparatively few in number, the losses they cause are huge. This is tied to the characteristics of the Solidity language, and to the ERC20 standard that makes issuing a token trivial.

The top 10 attack types against smart contracts are: reentrancy, broken access control, integer overflow and underflow, unchecked call return values, transaction-ordering dependence, timestamp dependence, race conditions, short-address attacks, predictable randomness, and so on.

Of all the smart contract incidents, the most notorious is the BeautyChain (BEC) incident. On the afternoon of April 22, 2018, the BEC token contract, which had been live for only about two months, was found to have a serious integer overflow in its batchTransfer function: the total to be debited was computed as the number of recipients multiplied by the per-recipient value, and that product wrapped around to zero, so the sender's balance check passed. The attacker used this to create an astronomical number of tokens out of nothing, sending huge amounts of BEC to two addresses, which set off a wave of selling. By the end of the day BEC was worth almost nothing; the reported losses exceeded 1 billion.
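The arithmetic behind the BEC overflow, re-created as an added example in Python rather than Solidity (this is not BEC's code): a uint256 product wraps modulo 2**256, so two recipients at a value of 2**255 cost the sender nothing. The sample balances and addresses are constructed, and the 20-recipient cap follows the usual batchTransfer pattern rather than a confirmed BEC detail.

```python
"""Model of the batchTransfer integer overflow (added example, not BEC's code).

The real contract is Solidity; this re-implements its arithmetic on 256-bit
unsigned integers so the overflow can be reproduced and checked offline.
Balances and addresses below are constructed sample data.
"""

MASK256 = (1 << 256) - 1  # uint256 wraps modulo 2**256 in Solidity before 0.8


class Reverted(Exception):
    """Stands in for a failed require() or a SafeMath assert."""


def vulnerable_batch_transfer(balances, sender, receivers, value):
    """Flawed pattern: amount = cnt * value with no overflow check.

    With cnt == 2 and value == 2**255 the product is 2**256, which wraps to 0,
    so the balance check passes and each receiver is credited 2**255 tokens.
    """
    cnt = len(receivers)
    amount = (cnt * value) & MASK256  # the overflow happens here
    if not (0 < cnt <= 20 and value > 0 and balances.get(sender, 0) >= amount):
        raise Reverted("require failed")
    balances[sender] = (balances.get(sender, 0) - amount) & MASK256
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) & MASK256
    return amount


def safe_mul(a, b):
    """SafeMath-style multiplication: revert instead of wrapping."""
    if a == 0:
        return 0
    c = a * b
    if c > MASK256 or c // a != b:
        raise Reverted("SafeMath: multiplication overflow")
    return c


def safe_add(a, b):
    """SafeMath-style addition: revert instead of wrapping."""
    c = a + b
    if c > MASK256:
        raise Reverted("SafeMath: addition overflow")
    return c


def hardened_batch_transfer(balances, sender, receivers, value):
    """Same logic with checked arithmetic; the 2**255 call now reverts
    on the multiplication, before any balance is touched."""
    cnt = len(receivers)
    amount = safe_mul(cnt, value)
    if not (0 < cnt <= 20 and value > 0 and balances.get(sender, 0) >= amount):
        raise Reverted("require failed")
    balances[sender] -= amount
    for r in receivers:
        balances[r] = safe_add(balances.get(r, 0), value)
    return amount


def total_supply(balances):
    return sum(balances.values())


def reproduce_overflow():
    """Run the attack against both versions.

    Returns (tokens_minted_by_vulnerable_version, hardened_version_reverted).
    """
    attacker, r1, r2 = "0xattacker", "0xreceiver1", "0xreceiver2"
    bal = {attacker: 1}  # attacker holds a single token unit
    before = total_supply(bal)
    vulnerable_batch_transfer(bal, attacker, [r1, r2], 1 << 255)
    minted = total_supply(bal) - before  # 2 * 2**255 == 2**256 tokens appear

    bal2 = {attacker: 1}
    try:
        hardened_batch_transfer(bal2, attacker, [r1, r2], 1 << 255)
        reverted = False
    except Reverted:
        reverted = True
    return minted, reverted


if __name__ == "__main__":
    minted, reverted = reproduce_overflow()
    print(f"vulnerable version minted {minted} tokens; hardened version reverted: {reverted}")
```

Checked arithmetic at the compiler level (Solidity 0.8 and later) or a SafeMath library removes the wrap; what matters in the hardened version is that the revert happens on the multiplication itself, before the balance comparison that the attacker relied on.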

Because on a blockchain "code is everything", there is currently no protection that can completely eliminate smart contract security problems once a contract has been deployed.


For smart contract development, Xiaobao suggests abandoning the notion of "agile development". Instead, take a slow and methodical approach, designing and coding the contract with as much care and forethought as possible from the outset.

Development managers should not put excessive pressure on developers (for example, by setting rigid deadlines); generally speaking, code rushed out under pressure has more or less problems.

In addition, before a contract goes on chain, having a professional blockchain security company audit it is the most basic and necessary step.


The following are the major smart contract incidents of 2018, with some details:

(1) On August 22, 2018, the GOD.GAME contract was attacked and the entire ETH balance held by the GOD smart contract was drained to zero.

(2) On April 25, 2018, SmartMesh suffered a major security breach, resulting in a loss of 140 million US dollars.

Exchange Security

According to a report released by the network security company CipherTrace in October, cryptocurrency stolen through exchange hacks in the first nine months of 2018 reached 927 million US dollars, 2.5 times the figure for all of 2017.

An investigation report by the South Korean Ministry of Science and Technology stated: "Most exchanges have security loopholes."

So why do cryptocurrency exchanges have so many security problems?

On the one hand, the anonymity, immutability and lack of oversight of digital currencies make stolen assets easy to move and hard to trace or recover. On the other hand, the digital currency trading industry is young, has grown very fast and is highly profitable, so information security was neglected while technical expertise was still thin. Many exchanges carry hidden security holes and are comparatively easy to attack; some have no security program at all.

The security threats facing digital currency exchanges mainly include: server software vulnerabilities, misconfiguration, DDoS attacks, server-side web application vulnerabilities (both technical flaws and business-logic flaws), the security of office workstations, insider attacks, and so on.

For large exchanges with many users, the users themselves also face phishing: attackers set up counterfeit copies of the exchange's site to trick them into handing over their login credentials.

In response to these threats, Xiaobao suggests that exchanges commission security services such as penetration testing and code auditing to find and fix the vulnerabilities in their systems before exposing them to users.

In addition, exchanges should give every formally hired employee basic security training.

Finally, for those who trade digital currencies: take the initiative to learn about security, and run security software on both computers and mobile devices. Do not "run naked" (go without protection) out of overconfidence, or you risk phishing traps and wallet theft.


The following are the exchange thefts of 2018, with details of each incident.

(1) In January, Coincheck, one of Japan's largest cryptocurrency exchanges, had XEM worth 534 million US dollars stolen. At a later press conference Coincheck stated that the XEM was stolen because the private key of the hot wallet holding it had been compromised by hackers; no other currencies were affected. XEM fell 9.8% on the day.

(2) On February 11, the Italian cryptocurrency exchange BitGrail was attacked, and the cryptocurrency NANO worth $170 million was stolen.

(3) On March 7, Binance was attacked. The hackers took control of a number of Binance accounts, sold the bitcoin those accounts held and bought VIA, pushing VIA up against the market. Binance rolled back the abnormal trades, but the incident still spooked the market, and Bitcoin fell more than 15% over the following days.

(4) On April 1, Bit-Z was attacked, with no loss of funds. Bit-Z subsequently set up a 10,000 ETH security fund, worth about 4 million US dollars at the time, to reward people who report security vulnerabilities.

(5) On April 13, Coinsecure, one of India's three largest bitcoin exchanges, announced on its website that 438 BTC worth about 3.3 million US dollars had been stolen from the exchange. Amitabh Saxena, the exchange's chief security officer, was named as a suspect. This is the largest cryptocurrency theft in India to date.

(6) On June 5, Bitfinex suffered a denial-of-service attack and immediately suspended all trading on the exchange.

(7) On June 10, the South Korean cryptocurrency exchange Coinrail was hacked and lost more than 50 million US dollars. 70% of Coinrail's cryptocurrency holdings were in cold storage, and two-thirds of the stolen funds were later recovered.

(8) On June 20, the South Korean cryptocurrency exchange Bithumb was hacked and 30 million US dollars worth of cryptocurrency was stolen. This was the third time Bithumb had been hacked.

The exchange had suffered two "hacks" before.

The first: In April 2017, a Bithumb employee's computer was compromised, leaking the data of more than 30,000 users; Bithumb was fined 55,000 US dollars by the South Korean regulator.

The second: On December 22, 2017, South Korea's MBC television hired a security firm to test five South Korean exchanges, including Bithumb. The firm successfully "hacked" all five and obtained some user data and funds; the hired "hackers" said they had used only "basic hacking skills".

Even so, security did not get enough attention from the exchange, which led to the June 2018 incident.

DApp Security

Smart contracts and exchanges are the hardest-hit areas, but DApps, a hot topic throughout 2018, have not escaped the hackers either. Although their share of total losses is relatively small, the steady stream of incidents has seriously hampered DApp adoption and the wider DApp ecosystem.

According to the latest data from Dapp.review, the total number of DApps currently running on public chains such as Ethereum, EOS, and TRON exceeds 1,900.

EOS is in the early stages of building its DApp ecosystem, and DApp-related security problems keep emerging. As of December, losses from DApp vulnerabilities had reached 395,000 EOS and 13,000 ETH. Valued at each coin's peak price, that is more than 27 million US dollars.


DApp security incidents came thick and fast in the second half of 2018, mostly on the EOS mainnet, and with a wide range of techniques: random number attacks, seed vulnerabilities, counterfeit token attacks, and more.

EOS is an enterprise-grade blockchain operating system with high expectations. Why have DApps built on it been hacked so often?

In May, EOS founder BM announced a reward of 10,000 US dollars for valid vulnerabilities in the EOS mainnet. After the bounty was published, a user named "Jon Bottarini" revealed that one researcher had found 8 vulnerabilities in a single day and collected 80,000 US dollars. This alone shows that the EOS mainnet itself has plenty of security problems.

In practice, attacks on EOS DApps are becoming more professional and team-based.

Since November, the three major EOS betting DApps, EOSDice, FFgame and EOS.WIN, have each been hit by "random number vulnerability" attacks. According to people familiar with the matter, these attacks were carried out by one person or one team, and the hacker's exchange account has since been frozen.

Compared to EOS, Ethereum has seen somewhat fewer DApp hacks.
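Several of the EOS incidents listed below (EOSBet's "false notification", and the counterfeit "EOS" token used against Newdex, EOS.Win and EOSCast) come down to the same missing checks in a contract's transfer handler. The following Python model is an added example, not the code of any DApp named on this page: it mirrors how EOSIO hands a transfer to a contract as apply(receiver, code, action) and shows the loose symbol-only check beside the strict one. Account names, amounts and the game logic are constructed for the demonstration.

```python
"""Model of an EOS DApp's transfer handler (added example, not any listed DApp's code).

EOSIO delivers a token transfer to a contract as apply(receiver, code, action):
`code` is the contract whose action is being notified (eosio.token for real
EOS) and `receiver` is the account whose code is running. The two attacks
below are constructed to mirror the incidents in the text: a look-alike
"EOS" token issued by the attacker's own contract, and a genuine eosio.token
transfer between two attacker accounts with the game merely notified.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    amount: int      # smallest units; EOS has 4 decimals, so 1.0000 EOS == 10000
    symbol: str      # e.g. "EOS"
    precision: int   # e.g. 4


@dataclass(frozen=True)
class Transfer:
    sender: str      # the "from" field of eosio.token::transfer
    to: str
    quantity: Asset
    memo: str


@dataclass(frozen=True)
class Notification:
    receiver: str    # account whose contract is running (the game)
    code: str        # contract that executed the action
    action: str
    data: Transfer


class Game:
    """Minimal bankroll: an accepted transfer credits the sender's bet balance."""

    SYSTEM_TOKEN_CONTRACT = "eosio.token"
    SYSTEM_SYMBOL = ("EOS", 4)

    def __init__(self, self_account, strict):
        self.self_account = self_account
        self.strict = strict
        self.credits = {}

    def apply(self, n: Notification) -> bool:
        if n.action != "transfer":
            return False
        t = n.data
        # The loose check seen in the incidents: symbol name only.
        if t.quantity.symbol != "EOS":
            return False
        if self.strict:
            # 1. Only the system token contract may be the source of the action;
            #    a token named "EOS" from another contract fails here.
            if n.code != self.SYSTEM_TOKEN_CONTRACT:
                return False
            # 2. The transfer must actually be addressed to us. A transfer between
            #    two attacker accounts can still notify us via require_recipient,
            #    and our own outgoing payouts must not be counted as deposits.
            if t.to != self.self_account or t.sender == self.self_account:
                return False
            # 3. Full symbol check including precision.
            if (t.quantity.symbol, t.quantity.precision) != self.SYSTEM_SYMBOL:
                return False
            if t.quantity.amount <= 0:
                return False
        self.credits[t.sender] = self.credits.get(t.sender, 0) + t.quantity.amount
        return True


def fake_eos_attack(game: Game) -> bool:
    """Attacker deploys a token contract and issues a token also called EOS."""
    return game.apply(Notification(
        receiver=game.self_account, code="attacker.tok", action="transfer",
        data=Transfer("attacker", game.self_account, Asset(100000, "EOS", 4), "bet")))


def fake_notification_attack(game: Game) -> bool:
    """Real eosio.token transfer attacker -> attacker2, with the game added as a notified account."""
    return game.apply(Notification(
        receiver=game.self_account, code="eosio.token", action="transfer",
        data=Transfer("attacker", "attacker2", Asset(100000, "EOS", 4), "bet")))


def honest_deposit(game: Game) -> bool:
    """A genuine player deposit, which both versions must accept."""
    return game.apply(Notification(
        receiver=game.self_account, code="eosio.token", action="transfer",
        data=Transfer("player", game.self_account, Asset(50000, "EOS", 4), "bet")))


def run(strict: bool):
    """Returns (fake_eos_credited, fake_notification_credited, honest_credited)."""
    g = Game("dicegame", strict=strict)
    return fake_eos_attack(g), fake_notification_attack(g), honest_deposit(g)


if __name__ == "__main__":
    print("loose handler:", run(strict=False))   # all three credited
    print("strict handler:", run(strict=True))   # only the honest deposit
```

The three checks are independent: a look-alike token fails the `code` check, a transfer between two attacker accounts that merely notifies the game fails the `to` check, and a token with the right name but a different precision fails the full symbol check. Checking `sender != self` also stops the game's own payouts from being re-credited as deposits.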


The following are the DApp hacks since the start of 2018, with details of each incident:

(1) On July 25, an "overflow" vulnerability in the Werewolf game (an EOS version of Fomo 3D) caused a loss of 60,686 EOS. After reviewing the hacker's actions, the EOS Core Arbitration Forum (ECAF) issued an arbitration order freezing the hacker's EOS account, eosfomoplay1.

(2) On August 22, Fomo 3D (Last Winner) was attacked and lost 10,469 ETH (about 3 million US dollars). SECBIT Labs were the first to report that the winner of the Fomo3D jackpot had used "special attack techniques": the attacker paid high fees so that miners prioritised his transactions, filling successive blocks so that other players' key purchases could not be included before the countdown expired. In this way he ended the round at relatively low cost and greatly improved his chance of winning.

On September 24, after the second round of Fomo 3D started, the hacker used a similar technique and collected 3,264.668 ETH in rewards.

(3) On August 27, the rock-paper-scissors game run by Luckyos was attacked; the loss is unknown.

(4) On September 2, EOS.win suffered a "random number" attack, losing 2,000 EOS.

(5) On September 10, EOSBet was attacked and lost a total of 4,000 EOS; four days later it was attacked again, this time using "false notifications", and lost 145,321 EOS. The losses were later recovered.

(6) On September 12, LuckyGo was forced offline by the attacker iloveloveeos using a malicious contract. That same night, iloveloveeos quickly attacked the newly relaunched LuckyGo game. Both attacks were "random number defect attacks".

(7) On September 12, EOS Happy Slot lost 5,000 EOS to a "replay attack" carried out from the account imeosmainnet.

(8) On September 14, the decentralized exchange Newdex was attacked. The hacker used a counterfeit token to buy real tokens in the exchange's trading pairs, profiting 11,803 EOS in total.

The attack went as follows: the attacker created a brand-new token with a supply of 1 billion (the same as the EOS supply) and named it "EOS". Because Newdex checked only the token symbol and not the contract account that issued it, the attacker was able to trade 11,800 fake EOS for an equivalent amount of real tokens.

(9) On September 15, EOS.Win was attacked with counterfeit tokens and lost more than 4,000 EOS in total.

On November 11, EOS.Win suffered a second attack: the hackers launched 10 attacks on the EOS.WIN game contract (eosluckydice) within one minute, gaining more than 9,180 EOS.

(10) On October 16, World Conquest was attacked by hackers who abused its "tax payment rules" to block other players from participating, profiting 4,555 EOS.

(11) On October 26, EOS Royale suffered a "random number" attack and lost 10,800 EOS. The game derived its random number from information in the previous block; the hacker read that information and recomputed the game's random number before betting, cracking EosRoyale's wallet and stealing EOS worth 60,000 US dollars.

(12) On October 28, EOS Poker was attacked via a "seed vulnerability" and lost 1,374 EOS.

(13) On October 31, EOSCast was attacked with counterfeit tokens and 72,912 EOS was transferred out by the hackers. Exploiting the game's rules, the hackers bet 100, 1,000 and 10,000 fake EOS at a time, with each attack returning 198, 9,800 and 19,600 real EOS respectively. During the final attack the game operators noticed the abnormal activity and moved the remaining 8,000 EOS out of the prize pool in time.

ECAF (the EOS Core Arbitration Forum, which has arbitration authority over smart contracts) responded immediately and issued an arbitration order freezing the accounts involved.

(14) On November 4, EOSDice announced that its smart contract had been attacked; thanks to an automatic detection function, the contract moved the remaining funds to a safe address after the attack. EOSDice lost 2,545 EOS in this incident.

(15) On November 8, FFgame was attacked. The hacker account jk2uslllkjfd launched 304 attacks on the FFgame contract (eoswallet415), gaining a total of 1,331.2922 EOS.

(16) On November 10, hackers launched more than 700 attacks on the MyEosVegas game contract (eosvegasjack), gaining more than 9,000 EOS.

(17) On November 26, betting DApps were hit by a new type of attack not seen before: the transaction rollback attack.
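Two failure modes in the list above, the "random number" attacks (items 4, 6, 11 and the EOSDice, FFgame and EOS.WIN attacks mentioned earlier) and the rollback attack in item 17, can be shown in one small model. The following is an added example, not the code of EOS Royale or any other DApp on this page; it assumes a dice game whose roll is derived from data that is public before the bet lands and that is settled in the same transaction as the bet, and contrasts it with a per-round commit-reveal settled in a later transaction. Block ids and house secrets are constructed values.

```python
"""Dice-game randomness: two flaws behind the EOS incidents and one fix (added example).

Flaw one: the roll is derived from inputs the bettor already knows when the
bet is submitted (modelled as the previous block id plus on-chain state), so
the bettor can evaluate the same function first. Flaw two: the bet is settled
in the transaction that places it, so a bettor's contract can assert on a loss
and have the chain discard the losing bet. The fix is a per-round commit-reveal
settled in a later transaction. Block ids and secrets are constructed values.
"""
import hashlib


def digest(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def roll_from(seed: bytes) -> int:
    """Map a 32-byte seed onto a result in 1..100; the bettor wins if roll < target."""
    return int.from_bytes(seed, "big") % 100 + 1


class Rollback(Exception):
    """Stands in for eosio_assert in the bettor's own contract."""


class InlineGame:
    """Flawed design: public seed, settled inline."""

    def __init__(self):
        self.bankroll = 100_000
        self.seq = 0   # on-chain state, readable by anyone before they bet

    def expected_roll(self, prev_block_id: bytes, bettor: str) -> int:
        return roll_from(digest(prev_block_id, bettor.encode(), (self.seq + 1).to_bytes(8, "big")))

    def bet(self, prev_block_id: bytes, bettor: str, stake: int, target: int) -> int:
        """Place and settle in one action; returns the payout (0 on a loss)."""
        roll = self.expected_roll(prev_block_id, bettor)
        self.seq += 1
        self.bankroll += stake
        if roll < target:
            self.bankroll -= 2 * stake
            return 2 * stake
        return 0


def prediction_attack(game: InlineGame, block_ids, bettor, stake, target) -> int:
    """Recompute the roll off-chain first and only submit bets that will win."""
    profit = 0
    for bid in block_ids:
        if game.expected_roll(bid, bettor) < target:
            profit += game.bet(bid, bettor, stake, target) - stake
    return profit


def rollback_attack(game: InlineGame, block_ids, bettor, stake, target) -> int:
    """Bet from a contract and assert on a loss: the chain drops the whole transaction."""
    profit = 0
    for bid in block_ids:
        snapshot = (game.bankroll, game.seq)
        try:
            payout = game.bet(bid, bettor, stake, target)
            if payout == 0:
                raise Rollback("lost, abort the transaction")
            profit += payout - stake
        except Rollback:
            game.bankroll, game.seq = snapshot   # every state change is discarded
    return profit


class CommitRevealGame:
    """Fix: the house commits to a fresh secret per round; settlement is a later transaction."""

    def __init__(self):
        self.bankroll = 100_000
        self.rounds = {}   # round_id -> [commitment, bet or None]

    def open_round(self, round_id: int, secret: bytes):
        # Transaction 1 (house): publish H(secret) before any bet is accepted.
        self.rounds[round_id] = [digest(secret), None]

    def bet(self, round_id: int, bettor: str, stake: int, target: int):
        # Transaction 2 (player): the roll cannot be computed yet, and asserting
        # here only cancels the player's own bet, never a settled loss.
        if self.rounds[round_id][1] is not None:
            raise ValueError("round already has a bet")
        self.rounds[round_id][1] = (bettor, stake, target)
        self.bankroll += stake

    def settle(self, round_id: int, secret: bytes) -> int:
        # Transaction 3 (house): reveal; anyone can check it against the commitment.
        commitment, placed = self.rounds[round_id]
        if digest(secret) != commitment:
            raise ValueError("revealed secret does not match commitment")
        if placed is None:
            raise ValueError("no bet in this round")
        del self.rounds[round_id]
        bettor, stake, target = placed
        roll = roll_from(digest(secret, round_id.to_bytes(8, "big"), bettor.encode()))
        if roll < target:
            self.bankroll -= 2 * stake
            return 2 * stake
        return 0


def simulate(n_rounds=200, stake=100, target=50):
    """Returns (prediction_profit, rollback_profit, commit_reveal_rounds_won, n_rounds)."""
    block_ids = [digest(b"constructed-block", i.to_bytes(4, "big")) for i in range(n_rounds)]
    p = prediction_attack(InlineGame(), block_ids, "attacker", stake, target)
    r = rollback_attack(InlineGame(), block_ids, "attacker", stake, target)
    cr, won = CommitRevealGame(), 0
    for i in range(n_rounds):
        secret = digest(b"constructed-house-secret", i.to_bytes(4, "big"))
        cr.open_round(i, secret)
        cr.bet(i, "attacker", stake, target)   # nothing to predict: bet blindly
        won += cr.settle(i, secret) > 0
    return p, r, won, n_rounds


if __name__ == "__main__":
    print(simulate())
```

Both attacks on the inline game never lose a bet, and they end up with the same profit because they skip or undo exactly the same losing rounds. Under commit-reveal the attacker wins at roughly the nominal rate. The commit-reveal version still depends on the house revealing; a production contract would also refund the stake if the secret is not revealed by a deadline, and must never reuse a secret across rounds.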

Wallet Security

Digital currency wallets fall into hot wallets and cold wallets. Cold wallets are relatively safe because the private key never touches the network. But as the technology iterates rapidly, both hot and cold wallets have been attacked one after another.

In 2018, losses attributed to wallet security were around 40 million US dollars. In most cases the hacker obtained the user's private key by one means or another and drained the assets; the rest were caused by flaws in the wallet's design.

Because of the decentralized nature of blockchain, the hacker's goal is simply to obtain the user's private key. If a user stores it carelessly, phishing emails, trojans and the like can lead to theft of assets.

We therefore recommend that users write the private key down on paper or keep it in some other physical form, double-check the copy, and store it somewhere they will never forget. Never store it online, and do not keep the private key together with the wallet. Beyond that, choose a wallet with a large user base and few security incidents, and install security software on both web and mobile devices; do not run "naked" (without protection).

Flaws in wallet design can also lead to attacks, and when one surfaces the impact and losses are wide-ranging.

For example, one overseas wallet creates a new wallet for the user by default on first run and stores the wallet file unencrypted on the local file system. An attacker who can read that file can reverse-engineer the wallet, reconstruct its algorithmic logic, and recover sensitive data such as the user's mnemonic and root key directly.

For this class of problem we can only recommend that wallet projects have a professional security team audit the product before it reaches users.


The following is a list of wallet-related hacks since the start of 2018:

(1) On January 8, users of Reddit's Tippr bot were hacked and thousands of BCH (Bitcoin Cash) stolen.

(2) On January 17, an XLM wallet was attacked and over 400,000 US dollars in XLM stolen. The hackers hijacked the DNS of BlackWallet.co; an estimated 700,000 XLM, worth more than 400,000 US dollars, was taken in the attack.

(3) On January 22, hackers broke into IOTA wallets and stole IOTA worth 4 million US dollars. According to CCN, the cause was that the website users had relied on to generate the private keys (seeds) for their IOTA wallets had been compromised.

(4) On March 4, Titanium Blockchain (TBIS) tweeted that it had been hacked and 18.7 million BAR tokens (about 900,000 US dollars) stolen from the company's wallet.

(5) On April 17, digital currency investor and YouTube blogger Ian Balina was hacked while live-streaming commentary on ICO projects. The hacker transferred more than 2 million US dollars in digital currency out of his wallet, as shown on Etherscan.

(6) On April 25, MyEtherWallet was hijacked and about 500 ETH in total was lost.

(7) On June 6, the MEW wallet of the Japanese retailer Shopin was hacked and more than 10 million US dollars in cryptocurrency lost, including Ether, Level Up, Orbs and Shopin tokens.

(8) On August 15, police in Xi'an, Shaanxi Province, arrested three suspected high-level hackers who had together stolen cryptocurrency worth 600 million yuan.

The theft took place on March 30: the victim, a man surnamed Zhang, reported to the police that his computer had been broken into and virtual currency worth several hundred million yuan taken. The police launched a manhunt, and on August 15 the three hackers were arrested.

(9) On September 25, the account gm3dcnqgenes, a large EOS holder, was compromised and 2.09 million EOS (about 10.8 million US dollars) lost.

(10) On October 22, the Swiss blockchain company Trade.io said 50 million TIO worth 7.5 million US dollars had been stolen from its cold wallet, of which 1.3 million TIO were moved to the exchanges Kucoin and Bancor. Kucoin suspended TIO trading, and Bancor delisted TIO permanently.

(11) On October 25, a Reddit user's account was hacked and the hacker stole 14 BTC (89,500 US dollars), 22 ETH (4,400 US dollars) and about 11.7 million COSS tokens (770,000 US dollars) from his wallet, together worth about 864,000 US dollars.


Looking back at the security incidents of 2018, some people take a pessimistic view, seeing blockchain as an extremely high-risk industry to be avoided.

Others believe the frequency of incidents reflects, from another angle, unprecedented attention to the industry, because hackers only spend time attacking things of value.

In the view of Cheetah Blockchain Security's Xiaobao, although hackers ran rampant in 2018, blockchain security companies around the world have also quietly emerged; having paid a painful price, the whole industry will increase its investment in security; and user security education is gradually being taken seriously. The future of the blockchain industry is still very promising.

