BTC0.020
ETH0.020
HTX0.020
SOL0.020
BNB0.020
BTC0.020
ETH0.020
HTX0.020
SOL0.020
BNB0.020
Chuangyu Blockchain: November Security Monthly Report
创宇区块链安全实验室
2022-12-02 02:54
本文约2484字,阅读全文需要约10分钟
The analysis and summary of blockchain security incidents in November 2022 shows that the centralized exchange has experienced a thunderstorm, and market sentiment and security awareness have declined accordingly, giving attackers an opportunity to take

first level title

The November is over, and there is only the last month left in this year. After the FTX thunderstorm and the FTX hacking incident, the market has caused a lot of turmoil, and the attack incidents have also dropped a lot. It is known that Chuangyu Blockchain Security Lab [Hacked Incident Archives] data shows that there were more than 28 security incidents in this month, of which DeFi security incidents decreased slightly compared with last month, but the total number of attacks is still a lot, of which FTX The US was hacked and lost as much as $477 million. Although there are not many scams, the Rug Pull that occurred in DeFi AI caused users to lose nearly 40 million US dollars. Total losses from security incidents this month totaled approximately $560 million.

data analysis

secondary title

Through the analysis of the proportion of various types of security incidents this month, it can be found that DeFi security is still the area where attackers are best at, accounting for 54%.

secondary title

After the sudden increase in security incidents last month, the number of various security incidents decreased this month, which should be related to the bankruptcy of FTX Thunderbolt, and the market sentiment also declined.

secondary title

Compared with the previous month, the number of security incidents dropped by almost half this month, but the amount of losses caused has not decreased. In terms of security, there are still high risks and frequent occurrences. I hope everyone will be more vigilant and cautious.

first level title

  • DeFi Security Type Events

  • On November 1st, DODO’s USDT/DAI pool was suspected of having a serious sandwich attack.

  • On November 2, the lending protocol Solend was attacked by an oracle machine, resulting in $1.26 million in bad debts.

  • On November 2, about 6947 ETH, 691 BTC and 3.4 million USDC were stolen from Deribit. Losses of approximately $28 million.

  • On November 3, Skyward Finance, an asset issuance platform on the NEAR chain, was exploited and lost 1.1 million NEAR tokens (approximately $3 million).

  • On November 4th, the pGALA contract was hacked. The hacker had converted most of the GALA into 13,000 BNB, making a profit of more than $4.3 million. The address still had 45 billion Gala, but it was unlikely to be cashed out because the funds The pool is basically drained.

  • On November 7, the MooCakeCTX project was hacked, and the hackers made a profit of about $143,921.

  • On November 10, the Brahma TopGear project on the ETH chain was attacked due to the risk of arbitrary external calls, and the attacker made a profit of about $89,879.

  • On November 11, the DFX Finance DEX pool, a decentralized foreign exchange trading startup for stablecoins, was suspected of being attacked due to lack of proper re-entry protection, and lost about 3,000 ETH, or about $4 million.

  • On November 11, a MEV robot spent 31.06 Ethereum transaction fees to launch a "sandwich attack" on a transaction of about 25 million US dollars, so that the verifier who packaged the block obtained a total of 32.09 Ethereum (worth about 4.08 million dollars) rewards.

  • On November 13, FTX US was hacked, with an estimated loss of approximately $477 million.

  • On November 16, the SheepFarm project was hacked and lost about $72,000 so far.

  • On November 21, there was a loophole in the business logic of the sDAO contract, and the attacker made more than 13,000 BUSD in profit.

  • On November 23, the AurumNodePool contract was attacked by a vulnerability, through which the attacker obtained about 50 BNB ($14, 538.04).

  • On November 29, the SEAMAN project was attacked by a flash loan, and the attacker made a profit of about 7,781 US dollars.

first level title

  • scam security type event

  • On November 1, the FITE (FTE) project was suspected of being a Rug Pull, its website fit.app was closed, and its social media was deleted. Scammers have transferred 1900 BNB into Tornado Cash.

  • On November 3, Rug Pull was suspected to have occurred in the MetFX project on the BSC chain, and MFX tokens plummeted by 97%. MetFX deployers have exchanged 10,000 MFX for 402 BNB (~$131,000).

  • On November 14, a Rug Pull occurred in the DeFi AI project, and the contract deployer made a profit of about 40 million US dollars.

first level title

  • Phishing Security Type Events

  • On November 1, the Generativemasks project Discord server was attacked. Community users please do not click, mint or approve any transactions.

  • On November 2, the NFT project Art Gobblers had a fake account and released a fake Gobblers public casting sweepstakes.

  • On November 3, the Twitter account of DigiDaigaku CEO was suspected of being stolen, beware of phishing links.

  • On November 4, the phishing fraud gang Monkey Drainer once again stole NFTs worth $800,000, including 7 Crypto Punks series NFTs and 20 Otherdeed series NFTs.

  • On November 28, the Shamanzs NFT project Discord server was attacked. Community users please do not click, mint or approve any transactions.

first level title

  • Other Security Event Types

  • On November 1, the Discord of the KUMALEON project was hacked, and 111 NFTs have been stolen, including BAYC #5313, ENS, ALIENFRENS, and Art Blocks. Users participating in the project need to revoke wallet permissions and transfer funds to a new wallet.

  • On November 6, Loopring said it was hit by a DDoS attack on November 5, and its service was down for 11 hours.

first level title

Summarize

This month, due to the thunderstorm of the centralized exchange, most users lost trust in it, and users lost trust in the centralized exchange. In order to restore the trust of users, the major centralized exchanges have started to carry out Merkle tree reserves prove. If you have doubts about your funds, it is recommended to use official documents to verify whether your funds are safe.

From the perspective of DeFi, in addition to the most common flash loan attacks, many of the security incidents involved stem from the logic problems of the contract itself, which also illustrates the necessity of contract auditing. Knowing that Chuangyu Blockchain Security Lab hereby reminds that it is necessary to conduct regular audits and compound audits for contract security to protect contracts from other attacks, and attach great importance to flash loans and contract logic issues.

Safety
创宇区块链安全实验室
作者文库
推荐文章
Gate and F1 Red Bull Racing Team Launch "Red Bull Racing Tour": Limited Spectator Seats + Up to 5,000 GT Prize Pool
20 minutes ago
Gate and F1 Red Bull Racing Team Launch "Red Bull Racing Tour": Limited Spectator Seats + Up to 5,000 GT Prize Pool
Airwallex CEO questions the value foundation of stablecoins: Are the vested interests representing the "old forces" panicking?
12 minutes ago
Airwallex CEO questions the value foundation of stablecoins: Are the vested interests representing the "old forces" panicking?
Polycule Operation Guide: Quickly Play with Polymarket's Telegram Bot
an hour ago
Polycule Operation Guide: Quickly Play with Polymarket's Telegram Bot
BitMart Market Weekly Report (6.02-6.08)
an hour ago
BitMart Market Weekly Report (6.02-6.08)
From whale to ant, has the legend of on-chain contracts James Wynn fallen?
31 minutes ago
From whale to ant, has the legend of on-chain contracts James Wynn fallen?
Coinsidings 2.0 makes every trip you take a chance to make a fortune
3 hours ago
Coinsidings 2.0 makes every trip you take a chance to make a fortune