PeckShield: CEX public chain DeFi is popular, who is responsible to investors when the project runs away?
PeckShield
2021-03-02 10:13
This article is about 3,519 characters; reading it takes about 14 minutes.

Editor's Note: This article comes from PeckShield (ID: PeckShield), reprinted by Odaily with authorization.

According to data from the PeckShield situational awareness platform, in the past month, there have been 38 prominent security incidents in the entire blockchain ecosystem. There were 21 cases related to DeFi, 6 cases related to exchange security, 1 case related to extortion, and 10 cases of fraud.

Who is responsible to investors when a DeFi "earth mine" on a CEX public chain runs away?

Since DeFi ignited FOMO sentiment in 2020, the advantages of CEXs (centralized exchanges), which once sat at the top of the food chain, have gradually weakened. Especially as the market shifted from growth to saturation, CEXs began to seek new breakthroughs. As the cornerstone of the blockchain industry, the public chain is an important breakthrough point for an exchange: it can not only connect the exchange's various ecosystem plays, but also serve as its meeting point with DeFi.

In the second half of 2020, major centralized exchanges such as Binance, Huobi, and OKEx accelerated the deployment of their own public chains to support DeFi projects, in order to seize a share of the DeFi market.

Starting in 2021, DeFi projects on CEX public chains have run away one after another. According to PeckShield statistics, there were at least 4 cases of DeFi "earth mining" projects running away on CEX public chains in February.

On February 1, the media reported that the DeFi "earth mining" projects Popcornswap and Multi Financial on the Binance Smart Chain ran away, losing about 48,000 BNB and 5,000 BNB respectively. Previously, DeFi projects such as Zap Finance, Tin Finance, and SharkYield on the Binance Smart Chain were exposed and ran away one after another.

On February 8, 5.8 million HUSD was suspected to have been stolen from the lending project Filda on the Huobi public chain HECO.

On February 28, the media reported that the tokenlink project on the Huobi public chain HECO was suspected of running away and lost several million USDT.

In this regard, a person in charge at a CEX once stated that a public chain built by a CEX is the same as public chains such as Ethereum, and should not be held responsible for projects built on it that may have problems.

PeckShield security experts said: "From the perspective of the positioning of the public chains launched by CEXs, they are committed to creating a public chain, that is, a permissionless blockchain. Ideally, anyone can participate in blockchain data maintenance and reading, easily deploy applications, and the chain is completely decentralized and not controlled by any organization. But it is worth noting that the public chains launched by CEXs are still in the early stages of development, and in the process of building an ecosystem, there may be a need for a 'weak centralization' transition process. From the perspective of investors, since a CEX's public chain is deployed by the CEX, although the CEX can disclaim liability for projects launched on it, users may regard its brand as a credit endorsement. Improving and perfecting system governance is a burning issue for CEXs."

Fraud spreads to the DeFi field; DeFi composability loopholes continue to be highlighted

In addition to the security incidents of DeFi projects running away on the CEX public chain, according to PeckShield statistics, a total of 21 DeFi security incidents occurred in February. Fraud incidents have spread to the DeFi field, and the composability loopholes of DeFi continue to be highlighted.

On February 5, the Yearn v1 yDAI vault was attacked, the vault lost $11 million and the attackers stole $2.8 million.

On February 5, DeFi insurance project ArmorFi paid a $1.5 million bug bounty to white hat hackers. The hacker is understood to have discovered a "critical loophole" in the protocol that could cause all of the company's underwriting funds to be drained.

On February 8, the decentralized trading protocol Curve stated that it found a problem with the new yv2 fund pool of the aggregation protocol Yearn. In order to protect liquidity providers, the fund pool has been closed.

On February 9, the official Twitter of the decentralized derivatives exchange dYdX stated that it has not yet issued coins, nor has it conducted pre-sales or airdrops. Users need to be alert to related scams.

On February 9, BT.Finance, a smart DeFi revenue aggregator, was hacked and lost about $1.5 million.

On February 13, the DeFi protocols Cream.Finance and Alpha Finance were attacked via flash loans and lost $37.5 million.

On February 15, Primitive Finance, an options protocol on the Ethereum chain, tweeted that Primitive Finance has no protocol tokens, and users should be alert to related scams.

On February 20, the Tezos-based DEX Dexter was exposed to a vulnerability in the contract, which allowed the withdrawal of funds without authorization, and the development team Nomadic Labs has rewritten the contract.

On February 21, DAO Maker tweeted to remind users to be wary of scams posing as DAO Maker.

On February 22, a serious vulnerability was discovered in the smart contract of Primitive Finance, an options protocol on the Ethereum chain. Since the contract could neither be upgraded nor paused, the project team itself exploited its own smart contract in order to protect user funds.

On February 22, the decentralized lending protocol ForTube disclosed a security breach that had occurred two weeks earlier; no users suffered losses due to the breach.

On February 24, Matter Labs, the development team of Ethereum's second-layer expansion solution, tweeted to question the security of users' funds on the decentralized exchange ZKSwap.

On Feb. 25, reports emerged that there may be a security flaw in the token approval mechanism used by automated market makers before trades or token swaps, a feature that the report says allows third parties to send tokens out of users' accounts on their behalf. At the same time, the report found that fraudsters are using this method to defraud victims of LINK through phishing emails.

On February 26, DeFiBox monitored and found a pre-mining risk in MFD, a fund investment platform launched on the Huobi ecological chain Heco.

On February 27, the DAI pool of the DeFi income aggregator Yeld.Finance was attacked via a flash loan and lost 160,000 DAI.

On February 28, the DeFi aggregator Furucombo was hacked, with a loss of more than $14 million. Because Cream Finance did not revoke in a timely manner all authorizations its wallet had granted to external contracts, it was affected by this vulnerability, resulting in a loss of approximately $1.1 million.

PeckShield found that the attacks on the DeFi projects Furucombo and Primitive Finance that occurred in February were all related to the DeFi unlimited authorization model. Under this authorization method, a contract that has been approved can move all of the wallet's tokens of that type without any further permission from the user; the user's custody of their own private key does not restrict it. PeckShield reminds users not to over-authorize.

For protocol developers, alongside the effort to innovate, they need to improve security awareness, locate the problems that may arise when protocols are combined, fully consider the business-logic defects that exist in such combinations when doing security audits, and put security defense first. Secondly, because DeFi projects are closely tied to assets, they easily become potential targets of attack. This requires DeFi protocol developers to raise their level of security defense, including security audits before the project goes online, abnormal-data warnings while the project is running, timely emergency response when a crisis occurs, and more.
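The over-authorization the paragraph warns about is visible on-chain: every ERC-20 `approve()` emits an `Approval(owner, spender, value)` event, and an "unlimited" approval is simply a value of 2^256-1. The script below is an added example written for this article, not PeckShield's or any project's code; it replays constructed `eth_getLogs`-style records (the token, owner and spender addresses are placeholders) to reconstruct the allowances a wallet currently holds open, flags those that are unlimited or exceed the wallet's balance, and builds the `approve(spender, 0)` calldata that revokes one. The ERC-20 event topic and function selector are the standard values; everything else is assumed.

```python
"""Reconstruct a wallet's open ERC-20 allowances from Approval logs and flag over-authorization.

Added example for this article, not PeckShield's code. Log records and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# keccak256("Approval(address,address,uint256)"): the standard ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# keccak256("Transfer(address,address,uint256)")[:4] is not needed; Transfer logs are ignored below
APPROVE_SELECTOR = "0x095ea7b3"          # approve(address,uint256)
MAX_UINT256 = 2**256 - 1                 # the "unlimited" allowance value


@dataclass
class Allowance:
    token: str
    owner: str
    spender: str
    value: int

    @property
    def unlimited(self) -> bool:
        return self.value == MAX_UINT256


def _topic_to_address(topic: str) -> str:
    # indexed address parameters are left-padded to 32 bytes inside a topic
    return "0x" + topic[-40:].lower()


def parse_approval(log: dict) -> Optional[Allowance]:
    """Decode one log record; returns None for anything that is not an ERC-20 Approval."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return Allowance(
        token=log["address"].lower(),
        owner=_topic_to_address(topics[1]),
        spender=_topic_to_address(topics[2]),
        value=int(log["data"], 16),
    )


def current_allowances(logs: List[dict]) -> Dict[Tuple[str, str, str], Allowance]:
    """Replay logs in order. approve() overwrites rather than accumulates, so the last event per
    (token, owner, spender) is the live allowance; a value of 0 means it was revoked."""
    state: Dict[Tuple[str, str, str], Allowance] = {}
    for log in logs:
        a = parse_approval(log)
        if a is not None:
            state[(a.token, a.owner, a.spender)] = a
    return state


def risky_allowances(logs: List[dict], balances: Dict[str, int], holder: str) -> List[Allowance]:
    """Allowances granted by `holder` that are unlimited or larger than what the wallet even holds.
    `balances` maps token address -> holder's balance (assumed fetched via balanceOf)."""
    holder = holder.lower()
    risky = []
    for (token, owner, _spender), a in current_allowances(logs).items():
        if owner != holder or a.value == 0:
            continue
        if a.unlimited or a.value > balances.get(token, 0):
            risky.append(a)
    return sorted(risky, key=lambda a: a.spender)


def revoke_calldata(spender: str) -> str:
    """ABI-encoded approve(spender, 0): the standard way to withdraw an allowance."""
    addr_word = spender.lower().removeprefix("0x").rjust(64, "0")
    return APPROVE_SELECTOR + addr_word + "0" * 64


# ---- constructed sample data (placeholders, not real addresses or logs) ----
def _pad(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")

def _uint(v: int) -> str:
    return "0x" + format(v, "064x")

TOKEN = "0x" + "t0" * 0 + "01" * 20
OWNER = "0x" + "11" * 20
ROUTER_A, ROUTER_B, ROUTER_C = ("0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20)
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(OWNER), _pad(ROUTER_A)], "data": _uint(MAX_UINT256)},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(OWNER), _pad(ROUTER_B)], "data": _uint(500 * 10**18)},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(OWNER), _pad(ROUTER_C)], "data": _uint(MAX_UINT256)},
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, _pad(OWNER), _pad(ROUTER_B)], "data": _uint(10**18)},  # ignored
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, _pad(OWNER), _pad(ROUTER_C)], "data": _uint(0)},  # revoked
]
SAMPLE_BALANCES = {TOKEN: 100 * 10**18}

if __name__ == "__main__":
    for a in risky_allowances(SAMPLE_LOGS, SAMPLE_BALANCES, OWNER):
        label = "UNLIMITED" if a.unlimited else f"{a.value / 10**18:.0f} tokens"
        print(f"{a.spender} may spend {label}; revoke with calldata {revoke_calldata(a.spender)}")
```

Run against real logs, the same replay gives a wallet a list of contracts that can still drain it, which is the check Cream Finance's unrevoked authorizations would have failed.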
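One concrete form of the "abnormal-data warnings during operation" the paragraph calls for is a monitor that watches a pool's balance block by block and escalates when a sharp drawdown coincides with a transaction that borrows and repays inside the same transaction, the flash-loan shape seen in several of the February incidents above. The code below is an added illustration, not PeckShield's or any protocol's code; the block snapshots, transactions, event names and hashes are all constructed placeholders, and the 20% threshold is an arbitrary assumption a real deployment would tune.

```python
"""Toy anomaly monitor for a lending/vault pool: drawdown alerts, escalated when a flash loan is present.

Added example for this article, not any project's code. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Tx:
    block: int
    tx_hash: str
    events: List[Tuple[str, int]]   # (event name, amount) in emission order; names are assumed


@dataclass
class Alert:
    block: int
    severity: str                   # "warning" or "critical"
    reason: str
    tx_hashes: List[str]            # flash-loan txs in that block, if any


def flash_loan_txs(txs: List[Tx]) -> Dict[int, List[str]]:
    """Block -> hashes of txs that borrow and fully repay within the same transaction."""
    by_block: Dict[int, List[str]] = {}
    for tx in txs:
        borrowed = sum(amt for name, amt in tx.events if name == "FlashBorrow")
        repaid = sum(amt for name, amt in tx.events if name == "FlashRepay")
        if borrowed > 0 and repaid >= borrowed:
            by_block.setdefault(tx.block, []).append(tx.tx_hash)
    return by_block


def drawdowns(balances: Dict[int, int], max_drop: float) -> List[Tuple[int, float]]:
    """(block, fraction lost) for every block whose end-of-block balance fell by more than max_drop."""
    found = []
    blocks = sorted(balances)
    for prev, cur in zip(blocks, blocks[1:]):
        before, after = balances[prev], balances[cur]
        if before > 0:
            drop = (before - after) / before
            if drop > max_drop:
                found.append((cur, drop))
    return found


def monitor(txs: List[Tx], balances: Dict[int, int], max_drop: float = 0.2) -> List[Alert]:
    """A drawdown alone is a warning (could be a large legitimate withdrawal); a drawdown in a block
    that also carries a flash loan is escalated, because that pairing is the classic exploit shape."""
    flash = flash_loan_txs(txs)
    alerts = []
    for block, drop in drawdowns(balances, max_drop):
        hashes = flash.get(block, [])
        alerts.append(Alert(
            block=block,
            severity="critical" if hashes else "warning",
            reason=f"pool balance fell {drop:.1%} in one block",
            tx_hashes=hashes,
        ))
    return alerts


# ---- constructed sample data: end-of-block pool balances and the txs that touched the pool ----
SAMPLE_BALANCES = {100: 1_000_000, 101: 990_000, 102: 995_000, 103: 600_000, 104: 600_000}
SAMPLE_TXS = [
    Tx(101, "0xtx_normal", [("Withdraw", 10_000)]),
    Tx(103, "0xtx_flash", [("FlashBorrow", 5_000_000), ("Withdraw", 395_000), ("FlashRepay", 5_004_500)]),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_TXS, SAMPLE_BALANCES):
        print(f"[{alert.severity}] block {alert.block}: {alert.reason}; flash-loan txs: {alert.tx_hashes}")
```

The point of the two-stage rule is operational: a pager that fires on every large withdrawal gets ignored, while one that fires only when the withdrawal shares a block with a borrow-and-repay is rare enough to act on, for instance by pausing the pool where the contract supports it.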

According to PeckShield statistics, a total of 6 typical exchange security incidents occurred in February, including a DDoS attack on the British cryptocurrency exchange Exmo, which forced its servers offline.

The incident with the greater impact was the exchange Cryptopia being hacked again on February 1, with about 62,000 New Zealand dollars (about US$45,000) in cryptocurrency stolen. The investigation revealed that the hackers had accessed a wallet that had been dormant since the 2019 theft and was controlled by Cryptopia's liquidator, Grant Thornton.

Fraud & Extortion

According to the statistics of CoinHolmes, an anti-fraud situational awareness system under PeckShield, a total of 10 fraud-related security incidents and 1 extortion incident occurred in February.

On February 4, a Bitcoin giveaway scam appeared on the social platform Discord to harvest crypto users' data.

On February 5, an Australian man accused of defrauding a cryptocurrency hedge fund of $90 million pleaded guilty.

German prosecutors seized more than 50 million euros ($60 million) worth of bitcoin from a scammer on Feb. 5, but faced the embarrassing problem of not being able to obtain the key needed to unlock the assets.

On February 6, the U.S. Department of Justice (DOJ) announced that Serbian citizen Antonije Stojilkovic has been extradited to the U.S. to face charges of conspiracy to commit fraud and money laundering for allegedly defrauding cryptocurrency investors of more than $70 million. Stojilkovic and his associates allegedly established more than 20 fake trading platforms in Serbia and elsewhere.

On February 8, Stephen Dediore of a Florida-based telecommunications company was charged with SIM swapping fraud to steal cryptocurrency. If convicted, Dediore faces up to five years in prison and a fine of up to $250,000.

On February 10, the Twitter account of Belgian Energy Minister Tinne Van der Straeten was hacked. The account was renamed "Ethereum Foundation" and posted an Ethereum giveaway scam to lure her followers to a fraudulent website.

On February 11, EU law enforcement agencies arrested hackers who stole $100 million worth of cryptocurrency through SIM swapping.

On Feb. 11, Japanese prosecutors charged a group with allegedly handling $180 million worth of virtual currency stolen from the Coincheck exchange.

On Feb. 17, the U.S. government indicted the North Korean hacking group Lazarus Group. Three members of the group are suspected of stealing more than $1.3 billion in funds and virtual currency.
