Hackers Exploit Same-Origin Vulnerabilities to Wipe Out Forked Protocols in Batches
Honeycomb Finance News (蜂巢财经)
2021-06-01 06:11
Repeated security incidents once again reminded protocol developers that the security of the underlying code should not be ignored when innovating the DeFi model.

In May 2021, the encrypted asset market was quite turbulent. BTC fell from a minimum of above US$50,000 to US$29,000, which was almost cut in half. The maximum decline of most encrypted assets exceeded 50%.

Under the heavy shock in the secondary market, the on-chain ecosystem has been no calmer. In May, at least 13 hacking incidents occurred in the DeFi market, most of them concentrated on the Binance Smart Chain (BSC), and the losses reached 270 million US dollars, exceeding the asset losses of all DeFi security incidents in 2020. BSC officials believe that an organized hacker team has set its sights on BSC.

Why are projects on BSC being robbed? How are hackers able to find project vulnerabilities so quickly? PeckShield, a blockchain security company, found that many of the attacked projects shared same-origin vulnerabilities.

For example, after the BSC yield aggregator PancakeBunny was attacked, AutoShark and Merlin Labs, both forked from PancakeBunny, were robbed within the following week; BurgerSwap and JulSwap, which were also attacked, were both forked from Uniswap but appear to have introduced a bug while modifying the code.

The security director of PeckShield told Honeycomb Finance that these forked protocols were attacked mainly because they made "micro-innovations" without fully understanding the logic behind the original protocol, so that a small update or a new combination could introduce loopholes.

12 projects were attacked and $270 million was lost

It never rains but it pours: as the crypto asset market kept falling, security incidents involving on-chain protocols came thick and fast.

On May 30, Belt Finance, a stablecoin exchange protocol on BSC, suffered a flash loan attack and lost $6.2 million. According to the tracking of the blockchain security company PeckShield, the attacker took out 8 flash loans on PancakeSwap, then repeatedly bought and sold BUSD and exploited a loophole in the balance calculation of the bEllipsisBUSD strategy to manipulate the price of beltBUSD and profit.

After being attacked, Belt Finance tweeted an apology for the flash loan attack and issued a report. It said it would conduct further audits and release a user compensation plan within 48 hours.

Affected by this, BELT, the governance token of Belt Finance, fell sharply from a high of $58 on the 28th to $27, a short-term drop of 53.44%.

Image: List of attacked projects on BSC

The $270 million in asset losses has surpassed the losses of all DeFi security incidents in 2020. According to data previously released by PeckShield, there were 60 DeFi security incidents in 2020, with losses of more than 250 million US dollars.

That the BSC chain was visited by hackers one after another within a single month seems quite strange. Under pressure, BSC officials posted on social platforms not long ago that there had been more than 8 flash loan attacks against projects on the BSC chain recently. "We believe that an organized hacker team is now targeting BSC."

The BSC officials call on all DApps to guard against risk. They recommend that projects on the chain work with auditing companies to conduct health checks; if a project is a fork, it must repeatedly check the changes made to the original version; take the necessary risk control measures and actively monitor for abnormalities in real time, suspending the protocol promptly when an abnormality appears; formulate a contingency plan to prevent the worst from happening; and, if conditions permit, set up a bug bounty program.

Indeed, in the review of 12 security incidents, flash loan attacks are the most common means used by hackers. Projects such as Spartan Protocol, PancakeBunny, Bogged Finance, BurgerSwap, JulSwap, and others were victims of flash loan attacks.

It should be made clear that a flash loan is not itself an attack method; it is just an efficient lending model that lets anyone amplify their principal. As Chainlink CMO Adelyn Zhou puts it, “Flashloans don’t create vulnerabilities within DeFi — it just reveals vulnerabilities that already exist.”

Hidden dangers of forks break out as many projects are attacked through the same source

Since the beginning of this year, BSC has emerged as a new force. As a side chain of Ethereum, it has attracted a large number of projects and players thanks to faster transaction processing and low fees. At its peak, the total value locked on the chain exceeded 344 billion, making it the second largest gathering place for DeFi after Ethereum.

The rapid rise of the BSC ecosystem captured the first on-chain dividends, and a large number of projects were deployed in quick succession. Since most projects on Ethereum had already been open-sourced, many developers took the open-source code of mature projects such as Uniswap and Curve, made simple modifications, and quickly launched them on BSC. These hasty forks have become the hidden danger behind projects on BSC being hacked in batches.

According to PeckShield, the codes of BurgerSwap and JulSwap, which were attacked recently, were forked from Uniswap. PeckShield pointed out, "But they don't seem to fully understand the logic behind Uniswap."

According to the BurgerSwap report after the incident, the attacker issued a “counterfeit token” of their own, then formed a trading pair with the protocol’s native token BURGER, changing the price of the latter. Clearly, BurgerSwap, forked from Uniswap, was immature in some respects and was exploited by hackers.

The source of a fork is not only Ethereum: some early protocols on BSC have themselves been forked and redeployed by latecomers. The two aggregator protocols AutoShark and Merlin Labs were both ransacked by hackers because they forked PancakeBunny. Judging from the timeline, PancakeBunny was hit by a flash loan attack on May 20. The attack stemmed from the attacker using the protocol to manipulate the prices of the LP tokens BNB-BUNNY and BNB-BUSDT.

After seeing PancakeBunny attacked, AutoShark issued a statement emphasizing its security, saying that it had undergone 4 code audits, 2 of which were still in progress. But the slap in the face came quickly. Only 4 days later, AutoShark suffered a flash loan attack, and its token SHARK fell by 99% instantly. According to PeckShield's analysis, the attack method was similar to that used against PancakeBunny.

Merlin Labs was also slapped in the face. Before being attacked, it too had issued a statement saying that it had repeatedly performed code reviews and taken additional precautions against potential risks. But on May 26, the hackers "pressed their advantage" and ransacked Merlin Labs.

PeckShield believes these were copycat cases following the attack on PancakeBunny. The attacker does not need a high technical or financial threshold: as long as the same-origin vulnerability is patiently tried again on each forked protocol, a considerable sum can be made. "A forked DeFi protocol may not have become a challenger to Bunny, but it has been mocked as a 'stubborn leek' because of the same-origin vulnerability." ("Leek" is Chinese crypto slang for an easily harvested victim.)

In addition, in the case of Belt Finance being attacked, hackers exploited a loophole in the balance calculation of the bEllipsisBUSD strategy to manipulate the price of beltBUSD, while Ellipsis forked from the well-known Ethereum protocol Curve.

The security chief of PeckShield told Honeycomb Finance that these forked protocols were attacked mainly because they carried out micro-innovations without fully understanding the logic behind the original protocol, so that a small update or a new combination could introduce loopholes.

He said that starting from known vulnerabilities is a common "foraging" method for attackers in a DeFi field that is still in its development stage. For project teams, taking DeFi protocol security seriously cannot be mere lip service; it means "examining one's code three times a day", as the saying goes: Was there a static audit before the protocol went live? After other protocols are attacked, is the code self-checked for similar vulnerabilities? Do the protocols it interacts with pose any security risks?

Judging from the above cases, a batch of projects on BSC were robbed in a concentrated manner mainly because the hackers found same-origin vulnerabilities across multiple protocols. They only had to copy the attack method, "inferring the other cases from one instance", and could hit multiple projects in a short period of time.

Repeated security incidents have also reminded protocol developers that when innovating the DeFi model, the security of the underlying code should not be ignored.

In this regard, PeckShield suggested that an audit should be conducted before any new contract goes online, and that business logic loopholes should also be checked for when composing with other DeFi products. At the same time, a circuit-breaker mechanism for risk control should be designed, and threat-awareness intelligence and data-situation intelligence services from third-party security companies introduced to improve the defense system. "All DeFi protocols have variables. Even if a protocol has been audited multiple times, a small update will render the audit useless, so even a small update will have to be re-audited."
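The two defensive measures this article keeps returning to, real-time monitoring for abnormalities with prompt suspension of the protocol (the BSC officials' advice above) and a "circuit-breaker mechanism for risk control" (PeckShield's advice here), can be illustrated with a small simulation. The following is an added example written for this page; it is not code from the article, PeckShield, BSC, or any of the protocols named. It models a constant-product (x*y=k) pool, the pricing model the Uniswap forks in the article inherit, and a guard that compares the live spot price to a time-weighted average over recent blocks and trips (pauses) when a single block moves the price further than a tolerance. It also refuses a pool as a price source when its liquidity is below a floor, which is the kind of check that blunts a freshly created "counterfeit token" pair. Pool sizes, token names, the 10% tolerance and the liquidity floor are constructed values.

```python
"""Added example (not from the article or any project it names): a toy
constant-product pool plus a price-deviation circuit breaker of the kind the
article recommends. All numbers below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Pool:
    """x*y=k pool; spot price is quoted as quote tokens per base token."""
    base: float          # e.g. BNB reserve (constructed)
    quote: float         # e.g. BUSD reserve (constructed)
    fee: float = 0.0025  # 0.25% swap fee, a common AMM default

    def spot_price(self) -> float:
        return self.quote / self.base

    def swap_base_for_quote(self, amount_in: float) -> float:
        """Sell `amount_in` base tokens into the pool; returns quote received.
        Standard constant-product math: the larger the trade relative to the
        reserves, the further the spot price moves within one transaction."""
        effective = amount_in * (1 - self.fee)
        out = self.quote * effective / (self.base + effective)
        self.base += amount_in
        self.quote -= out
        return out


@dataclass
class PriceGuard:
    """Circuit breaker: keeps a per-block price history, compares the live spot
    price to its time-weighted average (TWAP) and pauses when the deviation
    exceeds `max_deviation`. Also rejects thin pools as price sources."""
    window: int = 10                     # blocks of history kept
    max_deviation: float = 0.10          # 10% tolerance (constructed)
    min_quote_liquidity: float = 100_000.0  # liquidity floor (constructed)
    history: list = field(default_factory=list)
    paused: bool = False

    def record_block(self, price: float) -> None:
        self.history.append(price)
        if len(self.history) > self.window:
            self.history.pop(0)

    def twap(self) -> float:
        return sum(self.history) / len(self.history)

    def price_source_ok(self, pool: Pool) -> bool:
        """A pool someone can create and fund cheaply is not a trustworthy oracle."""
        return pool.quote >= self.min_quote_liquidity

    def check(self, spot: float) -> bool:
        """True if the spot price is within tolerance of the TWAP; otherwise the
        fuse trips and the protocol should refuse the operation / pause."""
        if not self.history:
            return True
        deviation = abs(spot - self.twap()) / self.twap()
        if deviation > self.max_deviation:
            self.paused = True
            return False
        return True


def simulate(pool: Pool, guard: PriceGuard, quiet_blocks: int, big_sell: float):
    """Records `quiet_blocks` (>= 1) blocks of small organic trades, then one
    large single-block sell of `big_sell` base tokens, the shape a
    flash-loan-funded dump takes on chain. Returns (deviation, tripped)."""
    for _ in range(quiet_blocks):
        pool.swap_base_for_quote(1.0)          # small trades: price barely moves
        guard.record_block(pool.spot_price())
    pool.swap_base_for_quote(big_sell)         # the abnormal block
    spot = pool.spot_price()
    ok = guard.check(spot)
    deviation = abs(spot - guard.twap()) / guard.twap()
    return deviation, not ok


if __name__ == "__main__":
    dev, tripped = simulate(Pool(10_000, 3_000_000), PriceGuard(), 5, 5_000)
    print(f"single-block deviation {dev:.1%}, fuse tripped: {tripped}")
    dev, tripped = simulate(Pool(10_000, 3_000_000), PriceGuard(), 5, 1.0)
    print(f"single-block deviation {dev:.2%}, fuse tripped: {tripped}")
    print("thin pool accepted as oracle:", PriceGuard().price_source_ok(Pool(1, 1_000)))
```

The point of the simulation is the asymmetry it exposes: the five small trades move the spot price by a fraction of a percent, while the one large sell moves it by more than half within a single block, which is exactly what a TWAP comparison catches and a spot-reserve read does not. In a real deployment the guard's decision would feed an on-chain pause (the "suspend the protocol promptly" step) and an off-chain alert, and the tolerance and liquidity floor would be tuned per pool rather than fixed as here.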

