
It's time for the monthly security check again! According to security public-opinion monitoring data from Chengdu Lianan's Chain Bing Blockchain Security Situational Awareness Platform, security incidents of various kinds continued to occur in March 2022, and more than 30 typical security incidents were recorded during the month.
The security risks exposed in DeFi hit a new high for 2022. The attack on the cross-chain bridge Ronin this month may be the most expensive attack in the history of DeFi, with losses exceeding 600 million US dollars.
DeFi Aspect
A total of 13 typical security incidents occurred
No.1 On March 5, the collateralized lending protocol Bacon Protocol suffered a flash loan attack and lost about $960,000.
No.2 On March 10, the algorithmic asset protocol Fantasm Finance was attacked through a contract vulnerability, resulting in a loss of approximately US$2.62 million.
No.3 On March 15, the DeFi protocols Hundred Finance and Agave suffered flash loan attacks. Hackers stole over $11 million by exploiting reentrancy vulnerabilities in the two protocols.
No.4 On March 15, the multi-chain derivatives platform Deus Finance was hacked on Fantom, with losses that may exceed 3 million US dollars.
No.5 On March 20, the Umbrella Network reward pools on BNB Chain and Ethereum were drained, and the hacker profited about 700,000 US dollars.
No.6 On March 20, the cross-chain DEX aggregation protocol li.finance suffered a call injection attack and lost about $600,000.
No.7 On March 22, OneRing, a yield optimizer for stablecoins in the Fantom ecosystem, announced that it had suffered a flash loan attack in which hackers stole more than 1.45 million US dollars.
No.8 On March 23, Cashio Dollar, an algorithmic stablecoin on the Solana chain, was hacked and lost about $48 million.
No.9 On March 26, InuSaitama was suspected of having suffered an arbitrage attack, with a total attacker profit of about 430 ETH.
No.10 On March 29, the options protocol Auctus had a vulnerability in its contract, and hackers exploited it to profit about 720,000 US dollars from users who had not revoked their approvals.
No.11 On March 30, the Axie Infinity sidechain Ronin was hacked. The attackers took control of 5 of the 9 validator nodes and used the stolen private keys to forge withdrawals, ultimately taking approximately $620 million. This may be the largest attack in the history of DeFi.
No.12 On March 30, the BMIZapper contract of the Ethereum DeFi project BasketDAO was attacked through a vulnerability, and the hackers profited about 1.2 million US dollars.
Exit Scams/Crypto Scams
A total of 7 typical security incidents occurred
No.1 A security agency detected that $DAOKing-Lucky DAO is a fraudulent project. Its administrator deposited 505 BNB into Tornado.cash and had performed a fake smart contract upgrade beforehand.
No.2 The NFT project NFTflow has run away, and its official social account (@NftflowStarkNet) has been deactivated.
No.3 The NFT project WW3Apes rug-pulled, and its social media account has been deactivated. The GodZape project, which uses the same IP address as the WW3Apes website, also rug-pulled and transferred about 20 ETH of funds.
No.4 The NFT project REALSWAK has run away, and its official social account (@REALSWAK) has been deactivated. The scammers transferred 1,300 BNB to Tornado Cash.
No.5 The DeFi project BNB DEFI on BNB Chain has run away. The project closed its social media group and transferred about 255 BNB.
No.6 Security agency monitoring shows that @BinanceNFT_BFT is a fake Binance NFT Twitter account that is promoting a "Pixiu Disk" (honeypot token) scam.
NFT/Metaverse Aspects
A total of 6 typical security incidents occurred
No.1 On March 13, the metaverse finance project Paraluni on BNB Chain was hacked, and the hackers profited more than 1.7 million US dollars. About one third of the stolen funds (230 ETH) have flowed into Tornado Cash.
No.2 The Arbitrum-based NFT marketplace TreasureDAO was found to have a vulnerability, and hackers obtained more than 100 NFTs at almost zero cost.
No.3 On March 14, the Discord community of the NFT project Wizard Pass was compromised by scammers, who posted fake messages to obtain full access to users' NFTs, resulting in the theft of multiple NFTs.
No.4 On March 27, the financial NFT project Revest Finance was attacked. Hackers stole a large quantity of the related tokens and profited about 2 million US dollars.
No.5 The ApeCoin airdrop was exploited with a flash loan, and the attacker profited about 820,000 US dollars.
Other Aspects
A total of 4 typical security incidents occurred
No.1 Convex Finance published a blog post stating that there is a vulnerability in its vote-locked CVX (vlCVX) contract, but that user deposits are safe and not at risk.
No.2 On March 7, a South Korean token developer executive was sentenced to 5 years in prison for stealing cryptocurrencies, having illegally transferred cryptocurrencies bought with business funds to his own private account.
No.3 Three men have been indicted by the U.S. Department of Justice over an alleged $40 million cryptocurrency investment fraud.
🌀Attention 🌀
In view of the current situation in the blockchain security field, Chengdu Lianan summarizes as follows:
Overall, blockchain security incidents in March 2022 rose sharply compared with February, and the total amount stolen in attack incidents exceeded 700 million US dollars. In response to the endless attacks, Chengdu Lianan offers the following security suggestions for developers.
Ronin cross-chain bridge attack:
1. Pay attention to the security of the signature server.
2. When a signature service goes offline, update the policy promptly, shut down the corresponding service module, and consider retiring the corresponding signing account address.
3. During multi-signature verification, the individual signature services should be logically isolated from one another, and each should verify the signed content independently.
4. The project team should monitor project funds for anomalies in real time.
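As an added illustration of points 2 and 3 (retiring a signing address, and verifying every signer's contribution independently rather than trusting an aggregate), the following Solidity contract is an example written for this summary; it is not Chengdu Lianan's code and not the Ronin bridge contract. It goes slightly beyond the advice by also binding each approval to the chain, the contract and a one-time nonce, so that a quorum collected for one withdrawal cannot be replayed for another. The contract and function names (ThresholdWithdrawGate, approveWithdrawal, hasQuorum, retireValidator), the guardian role, and the signing format are all assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustrative example, not Chengdu Lianan's code and not the Ronin
/// bridge contract. A threshold-signature gate for bridge withdrawals: every
/// validator signature is recovered and checked on its own, signers must be
/// distinct active validators, and the digest binds chainid, this contract,
/// a one-time nonce, recipient and amount, so an approval cannot be replayed.
contract ThresholdWithdrawGate {
    // Upper bound for s in a canonical (non-malleable) secp256k1 signature.
    uint256 private constant SECP256K1_N_DIV_2 =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    address public immutable guardian;           // may retire compromised signers (assumed role)
    uint256 public immutable threshold;          // signatures required per withdrawal
    mapping(address => bool) public isValidator;
    uint256 public nonce;                        // next withdrawal nonce

    event WithdrawalApproved(uint256 indexed nonce, address indexed to, uint256 amount);
    event ValidatorRetired(address indexed validator);

    constructor(address[] memory validators, uint256 _threshold) {
        require(_threshold > 0 && _threshold <= validators.length, "bad threshold");
        for (uint256 i = 0; i < validators.length; i++) {
            address v = validators[i];
            require(v != address(0) && !isValidator[v], "bad validator");
            isValidator[v] = true;
        }
        guardian = msg.sender;
        threshold = _threshold;
    }

    /// Point 2 of the advice: a signing address whose key or server is in doubt
    /// is discarded. Withdrawals fail closed if too few validators remain.
    function retireValidator(address v) external {
        require(msg.sender == guardian, "not guardian");
        require(isValidator[v], "not a validator");
        isValidator[v] = false;
        emit ValidatorRetired(v);
    }

    /// EIP-191 style digest over (chainid, this contract, nonce, recipient, amount).
    function withdrawalDigest(uint256 _nonce, address to, uint256 amount)
        public view returns (bytes32)
    {
        bytes32 inner = keccak256(abi.encode(block.chainid, address(this), _nonce, to, amount));
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    /// True only if at least `threshold` distinct active validators signed `digest`.
    /// Signatures must be ordered by signer address (strictly ascending), which
    /// makes the duplicate check O(n) without extra storage. Any malformed,
    /// duplicate, retired or non-validator signature rejects the whole bundle.
    function hasQuorum(bytes32 digest, bytes[] calldata sigs) public view returns (bool) {
        address last = address(0);
        uint256 valid = 0;
        for (uint256 i = 0; i < sigs.length; i++) {
            address signer = recoverSigner(digest, sigs[i]);
            if (signer == address(0) || signer <= last || !isValidator[signer]) {
                return false;
            }
            last = signer;
            valid++;
        }
        return valid >= threshold;
    }

    /// Consumes the nonce before anything else; in a real bridge the asset
    /// release would follow this call (effects before interactions).
    function approveWithdrawal(address to, uint256 amount, bytes[] calldata sigs) external {
        uint256 n = nonce;
        require(hasQuorum(withdrawalDigest(n, to, amount), sigs), "no quorum");
        nonce = n + 1;
        emit WithdrawalApproved(n, to, amount);
    }

    /// Strict ECDSA recovery: exactly 65 bytes (r, s, v), low-s only, v in {27, 28}.
    function recoverSigner(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        if (sig.length != 65) return address(0);
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (uint256(s) > SECP256K1_N_DIV_2 || (v != 27 && v != 28)) return address(0);
        return ecrecover(digest, v, r, s);
    }
}
```

Each signature is recovered and compared against the validator set on its own, so a single stolen key only ever counts once, and a retired key counts for nothing even if it signed before retirement. Off-chain, the callers sort the signature bundle by signer address before submitting; on-chain, the `signer <= last` test rejects both duplicates and unsorted input, and the digest's `chainid`/`address(this)` fields mean a signature produced for a testnet or an earlier deployment is rejected as well.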
Revest Finance attack: It is recommended that contracts be designed strictly according to the checks-effects-interactions pattern, and that reentrancy protection be added to DeFi projects that handle ERC1155 tokens.
Paraluni security incident: Contract developers should carry out complete testing and third-party audits during development, and use the ReentrancyGuard contract from the OpenZeppelin library to prevent reentrancy attacks.
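To make the two recommendations above concrete (checks-effects-interactions, and OpenZeppelin's ReentrancyGuard), the following Solidity example was written for this summary; it is not code from Chengdu Lianan, Revest Finance or Paraluni. It shows a vault that custodies ERC1155 tokens: ERC1155's `safeTransferFrom` calls `onERC1155Received` on any contract recipient, and that callback is what turns a wrong statement order into a reentrancy hole. The vulnerable ordering and the hardened ordering are shown side by side. `VaultBase`, `VulnerableVault`, `HardenedVault` and `withdrawAll` are hypothetical names, and the import path assumes OpenZeppelin Contracts 4.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustrative example, not code from Chengdu Lianan or from any project
// named in the report. Import path assumes OpenZeppelin Contracts 4.x.
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

/// Minimal slice of the ERC1155 interface this example needs.
interface IERC1155Minimal {
    function safeTransferFrom(
        address from, address to, uint256 id, uint256 amount, bytes calldata data
    ) external;
}

/// Shared bookkeeping: the vault custodies ERC1155 tokens for users and is
/// credited through the ERC1155 receiver hook when a user transfers tokens in.
abstract contract VaultBase {
    IERC1155Minimal public immutable token;
    mapping(address => mapping(uint256 => uint256)) public balances;

    event Withdrawn(address indexed user, uint256 indexed id, uint256 amount);

    constructor(IERC1155Minimal _token) {
        token = _token;
    }

    /// Invoked by the token contract during safeTransferFrom(user, vault, ...).
    /// Only the configured token contract may credit a balance.
    function onERC1155Received(
        address, address from, uint256 id, uint256 value, bytes calldata
    ) external returns (bytes4) {
        require(msg.sender == address(token), "unexpected token");
        balances[from][id] += value;
        return this.onERC1155Received.selector;
    }
}

/// VULNERABLE ordering: check -> interaction -> effect.
/// safeTransferFrom calls onERC1155Received on a contract recipient before the
/// caller's balance has been zeroed, so a recipient contract can re-enter
/// withdrawAll() and pass the check again with its unchanged recorded balance.
contract VulnerableVault is VaultBase {
    constructor(IERC1155Minimal _token) VaultBase(_token) {}

    function withdrawAll(uint256 id) external {
        uint256 bal = balances[msg.sender][id];
        require(bal > 0, "nothing to withdraw");                          // check
        token.safeTransferFrom(address(this), msg.sender, id, bal, "");   // interaction
        balances[msg.sender][id] = 0;                                     // effect (too late)
        emit Withdrawn(msg.sender, id, bal);
    }
}

/// HARDENED ordering: checks -> effects -> interactions, plus OpenZeppelin's
/// nonReentrant modifier as an independent second layer of defence.
contract HardenedVault is VaultBase, ReentrancyGuard {
    constructor(IERC1155Minimal _token) VaultBase(_token) {}

    function withdrawAll(uint256 id) external nonReentrant {
        uint256 bal = balances[msg.sender][id];
        require(bal > 0, "nothing to withdraw");                          // checks
        balances[msg.sender][id] = 0;                                     // effects
        token.safeTransferFrom(address(this), msg.sender, id, bal, "");   // interactions
        emit Withdrawn(msg.sender, id, bal);
    }
}
```

In `HardenedVault`, zeroing the balance before the transfer means a re-entered `withdrawAll` fails its own `require` on an already-empty balance, so the ordering alone closes the hole; `nonReentrant` is kept as defence in depth so that a future refactor that reorders the statements, or a second state-changing function that calls out, still cannot be re-entered. The same reasoning applies to any token standard with a transfer hook (ERC777, ERC721's `safeTransferFrom`), which is why the recommendation singles out ERC1155-related projects.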
TreasureDAO security incident: It is recommended that, when developing sales contracts that support multiple tokens, developers design the business logic for each case according to the characteristics of the different tokens.