Xu Lin
This article is an original Web3 annual review by Coinlive and SlowMist; please cite the source if you intend to reproduce the content.
According to the SlowMist Hacked archive of hacking incidents, there were a total of 295 security incidents in 2022, with losses of up to US$3.728 billion. Compared with US$9.795 billion in 2021, that is a 62% drop. However, this excludes assets lost to market turbulence.
At least 245 of these incidents occurred in DeFi ecosystems, cross-chain bridges and NFTs. A further 10, 11, 5 and 24 incidents involved exchanges, public blockchains, wallets and other categories respectively.
By month, attacks occurred most frequently in May and October, with as many as 38 incidents. March saw the largest losses, at around US$700 million.
1) Overview of the security of the blockchain ecosystem
Public Blockchains
Public blockchains are the most basic infrastructure in the Web3 field, and also one of the most competitive areas in the industry. The most surprising incident of 2022 was none other than the Terra incident. On 8 May 2022, the cryptocurrency market saw the most destructive collapse in its history: an enormous dump of US$285 million worth of UST, the Terra network’s algorithmic stablecoin. This triggered a chain reaction in which the price of Terra’s native token, LUNA, crashed suddenly and without warning. In just a day, LUNA’s market value fell by almost US$40 billion, and the ecosystem’s TVL was reduced to almost nothing. This incident may have been the trigger for the 2022 crypto winter.
DeFi/Cross-chain Bridges
According to DeFi Llama’s statistics, as of the end of December the total value locked (TVL) in DeFi stood at US$39.8 billion, a 75% year-on-year drop. Ethereum leads with 58.5% (US$23.3 billion) of DeFi TVL. TRON follows with a TVL of US$4.3 billion, and BNB Chain (BNB) holds US$4.2 billion. Interestingly, in May 2022 Ethereum’s share of DeFi TVL was 35% lower, whereas TRON’s share was 47% higher.
According to SlowMist Hacked’s statistics, at least 90 security incidents occurred on BNB Chain in 2022, with total losses of about US$785 million, the highest of any single platform. Ethereum saw over 50 security incidents, with total losses of US$528 million, and Solana had around 11 security incidents, losing a total of US$196 million.
According to Dune Analytics’ statistics, the TVL of Ethereum’s cross-chain bridges amounts to US$8.39 billion, down 31% from the first half of the year. Currently, Polygon Bridges has the highest TVL (US$3 billion), followed by Arbitrum Bridges (US$1.28 billion) and Optimism Bridges (US$850 million). Cross-chain bridges allow users to move crypto assets from one chain to another, mainly addressing the problem of multichain scaling. However, bridge smart contracts attract attackers because they hold large amounts of funds and often lack security audits.
In 2022, SlowMist Hacked recorded 15 security incidents involving cross-chain bridges. Losses amounted to US$1.21 billion, or 32.45% of total losses in 2022.
In conclusion, projects that wish to eliminate vulnerabilities and reduce security risks as far as possible need to work towards it effectively: before going live, conduct comprehensive and in-depth security audits. Projects are also advised to strengthen asset protection through a multi-signature mechanism. When interacting with other protocols or porting code over, a project needs to fully understand the framework of the ported contract as well as the design of its own framework; only if the two are compatible will situations that lead to financial losses be prevented. For users, as the ways to engage with blockchains diversify, they should carefully research a project’s background before investing. Before participating in any project, be vigilant about its risks and check whether it is open source and audited.
NFT
NFTs performed very eye-catchingly in 2022. According to NFTScan’s statistics, the total number of Ethereum NFT trades this year reached a whopping 198 million, clearly higher than in 2020 and 2021. NFT trades on BNB Chain amounted to 345 million over the year, while Polygon’s NFT trades stood at 793 billion.
On the other hand, according to SlowMist Hacked’s incomplete statistics, there were 56 security incidents on the NFT side. Losses exceeded US$654.3 million, the majority attributable to phishing attacks, which made up 40% of cases (22 cases). Rug pulls came second at 21% of cases (12 incidents).
Wallets/Exchanges
On 8 February, the United States Department of Justice (DOJ) announced that it had recovered US$3.6 billion worth of bitcoin linked to the 2016 hack of the cryptocurrency exchange Bitfinex. 34-year-old Ilya Lichtenstein and his wife, 31-year-old Heather Morgan, were arrested in New York and charged with conspiring to commit money laundering and fraud. It is also the largest financial seizure in the US DOJ’s history.
On 6 November, Binance’s founder CZ announced on Twitter his decision to liquidate all remaining FTT on Binance’s books, sparking a confrontation between the two major exchanges. Despite attempts by Alameda’s CEO and FTX’s CEO SBF to shore up user confidence and refute the recently exposed reports with a series of tweets, FTX’s liquidity dried up, leading to its bankruptcy. FTX eventually collapsed and SBF was arrested. The lack of transparency triggered a crisis of confidence among users towards centralised exchanges and highlighted the absence of prudential regulation. Whether it concerns greater care in protecting consumers or clearer rules for institutions, the direction of regulation will only become clearer.
After FTX’s collapse, sales of hardware wallets skyrocketed. MetaMask, the wallet with the most users, reached 300 million monthly active users. According to Finbold’s statistics on the top 21 cryptocurrency storage applications, crypto wallets were downloaded 102 million times on Android and iOS between January and October 2022. Although this is lower than the 188 million downloads of 2021’s bear market, it is still higher than any other year. Monthly figures show wallet downloads declining at the beginning of the year, then increasing substantially after the Terra/LUNA crash and the FTX collapse.
Others
The irreversibility and anonymity of blockchain technology not only protect privacy effectively but also provide a “protective umbrella” for cybercrime. With the popularity of concepts like the metaverse and NFTs, cryptocurrency theft and fraud occur from time to time. Many criminals commit fraud by promoting fake “crypto assets” dressed up as blockchain products. The sophistication and professionalism of these operations far exceed what one might imagine.
According to data from the Payment and Settlement Department of the People’s Bank of China, among the payment methods used in fraud in 2021, cryptocurrency was second only to bank transfers, at US$750 million, compared with only US$180 million and US$30 million in 2020 and 2019 respectively. The year-on-year growth trend is evident. Notably, cryptocurrency transfers in romance scams are rising rapidly: of the total scammed in romance scams in 2021, US$139 million was paid via cryptocurrency, 5 and 25 times the figures for 2020 and 2019 respectively.
According to a report from the US Federal Trade Commission (FTC), in just over a year since the beginning of 2021, more than 46,000 people have reported encountering a cryptocurrency scam, with losses exceeding US$1 billion. The most common type of cryptocurrency scam is investment-related, accounting for US$575 billion of the US$1 billion total. The most common payment methods to the scammers were BTC (70%), USDT (10%) and ETH (9%).
2) Method of attack
Across the 295 security incidents, the methods of attack fall into 3 main categories: 1) attacks exploiting the project’s own design flaws and various contract vulnerabilities, 2) scams such as rug pulls, phishing and similar methods, and 3) asset losses due to private key leaks.
The most common category in 2022 was attacks exploiting the project’s own design flaws and contract vulnerabilities. There were roughly 92 such cases, resulting in total losses of US$1.06 billion and accounting for 40.5% of all attacks. The main cause was flash loan attacks, with around 19 cases and US$613.3 million lost. Other causes include re-entrancy, price manipulation, validation issues and so on.
Asset losses due to private key leaks made up roughly 6% of incidents, but total losses reached US$746 billion, second only to contract-vulnerability exploits. The biggest losses from private key theft came from the Ronin incident, followed by Harmony; both were cross-chain bridges.
In the Web3 world, users’ security awareness varies widely, which leads to a plethora of varied and frequent phishing attacks. For example, attackers take over projects’ official social media accounts (e.g. Discord, Twitter) or impersonate them, then post phishing links for mints and airdrops, sometimes even reposting the real official accounts to confuse users. They also use search engine advertisements to promote fake websites, with domain names and content highly similar to the official ones to make them believable; this includes mimicking official emails and offering attractive giveaways to lure users. Other examples include exploiting new users’ lack of information to provide fake application download links. Whatever the method, the most important thing is to raise your own awareness. Should you find that you have fallen into a trap, transfer your assets out immediately to limit losses, and preserve evidence. Seek assistance from security institutions in the industry if necessary.
The worst cases are rug pulls. A rug pull usually refers to a founder abandoning a project and running away with the funds; more often, the project had bad intentions from the start. Rug pulls can happen in many ways. For example, the developer seeds initial liquidity and pushes up the price, then withdraws the liquidity. Or they create a crypto project and, through various marketing means, attract crypto users to invest, then choose a suitable time to take away users’ funds without warning. They sell off the crypto assets and disappear, leaving investors with huge losses. Another pattern is launching a website and shutting it down after receiving tens of thousands of deposits. In 2022 alone there were 50 rug pulls, resulting in losses of US$188 billion. They are most frequent in the BSC ecosystem and among NFTs.
New methods seen in 2022 include malicious front-end attacks, DNS attacks and BGP hijacking. The most bizarre cases are asset losses due to human configuration and operational errors.
3) Phishing/scam techniques
This section covers only a selection of the phishing/scam techniques that SlowMist has disclosed.
Malicious web browser bookmarks stealing Discord tokens
Browsers nowadays all have a bookmarks manager, but alongside the convenience it also provides an easy target for attackers. A maliciously crafted phishing page can get a bookmark containing JavaScript code saved into your bookmarks. With that, it can do almost anything, including extracting information through Discord’s webpackChunkdiscord_app front-end package. When a Discord user clicks the bookmark, the malicious JavaScript executes within the user’s Discord domain. It steals the Discord token, after which the attacker can directly and automatically take over the permissions of that Discord account to manage the project. Holding the Discord token is equivalent to being logged in to the account: it can do everything a logged-in account can, such as creating a Discord webhook bot and posting fake announcements in a channel for phishing. The following illustrates the victim clicking on the phishing bookmark:
The following shows the attacker’s JavaScript code receiving the token and the victim’s personal information, delivered through a Discord server webhook.
As illustrated, given that the user is logged in to Discord on the web and has already saved the malicious bookmark from the phishing page, clicking the bookmark while logged in triggers the malicious code. The victim’s token and other personal information are then sent to the attacker’s channel via the Discord webhook the attacker set up.
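The defender-side check this technique calls for is a sweep of saved bookmarks for entries whose "URL" is a script rather than a web address. The following is an added example, not code from the article or from SlowMist; it parses Chrome's Bookmarks JSON (the profile path is assumed for a Linux default profile, and the sample tree is constructed) and reports every bookmarklet.

```python
import json
from pathlib import Path

# Constructed sample of a Chrome "Bookmarks" profile file (JSON). The first
# entry mimics a phishing bookmarklet: its URL is JavaScript, not a web address.
SAMPLE_BOOKMARKS = json.dumps({
    "roots": {
        "bookmark_bar": {
            "type": "folder", "name": "Bookmarks bar",
            "children": [
                {"type": "url", "name": "Claim airdrop",
                 "url": "javascript:(function(){/* constructed placeholder */})()"},
                {"type": "url", "name": "Discord", "url": "https://discord.com/app"},
                {"type": "folder", "name": "Work", "children": [
                    {"type": "url", "name": "Docs", "url": "https://docs.example.com"},
                ]},
            ],
        },
        "other": {"type": "folder", "name": "Other bookmarks", "children": []},
    }
})

# Schemes that execute code in the current tab instead of navigating away.
RISKY_SCHEMES = ("javascript:", "data:")


def _walk(node: dict, path: str, found: list) -> None:
    """Depth-first walk of the bookmark tree, collecting script-bearing entries."""
    here = f"{path}/{node.get('name', '')}"
    if node.get("type") == "url":
        url = node.get("url", "")
        # Normalise before matching: "  JavaScript:" is still a bookmarklet.
        if url.strip().lower().startswith(RISKY_SCHEMES):
            found.append({"path": here, "url": url})
    for child in node.get("children", []):
        _walk(child, here, found)


def find_script_bookmarks(bookmarks_json: str) -> list:
    """Return every bookmark whose URL executes code instead of loading a page."""
    tree = json.loads(bookmarks_json)
    found = []
    for root_name, root in tree.get("roots", {}).items():
        _walk(root, root_name, found)
    return found


if __name__ == "__main__":
    # Assumed location of a Linux Chrome default profile; adjust for your platform.
    real = Path.home() / ".config/google-chrome/Default/Bookmarks"
    source = real.read_text() if real.exists() else SAMPLE_BOOKMARKS
    for hit in find_script_bookmarks(source):
        print(f"SUSPICIOUS {hit['path']}: {hit['url'][:60]}")
```

Any hit that the user did not knowingly create should be deleted, and the Discord session should be reset (log out everywhere and change the password) in case the bookmark was already clicked.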
Fake order NFT phishing
Taking the following phishing website as an example, the signature content consists of:
Maker: User’s address
Taker: 0xde6135b63decc47d5a5d47834a7dd241fe61945a
Exchange: 0x7f268357A8c2552623316e2562D90e642bB538E5 (OpenSea V2’s contract address)
This is a commonly seen NFT phishing technique, where scammers can buy all the NFTs you possess for 0 ETH (or any other currency). In other words, this order tricks the user into signing a sale of their own NFTs. Once the user signs the order, the scammer can buy their NFTs directly through OpenSea, at a price the scammer determines, meaning the scammer can “buy” the user’s NFTs without spending a single cent.
Additionally, the signed order is held by the attacker, and its validity cannot be revoked through websites like Revoke.Cash or Etherscan in order to deauthorise the signature. What those sites can do is cancel the authorisation that lets your assets be listed in orders, which removes this phishing risk at its root.
Redline Stealer Trojan
Such attacks use Discord to invite users to participate in beta testing of a new game project. Under the guise of “offering discounts”, via private messages from a group or similar methods, the attacker sends you a program to download. Usually this is a zip file that extracts to roughly 800 MB of .exe files. Once run on your device, it scans all files and filters out those containing the word “wallet” and other relevant keywords, then uploads them to the attacker’s server, achieving the goal of stealing cryptocurrency.
Redline Stealer is a Trojan sold as a standalone product on underground forums, first seen in March 2020. It collects saved credentials, auto-fill data and credit card details from the browser. A newer version of Redline added the ability to steal cryptocurrency: it automatically scans information about installed cryptocurrency wallets and uploads it to a remote server under the attacker’s control. The malware can upload and download files, execute commands and periodically send back information about the infected device. It often targets cryptocurrency-wallet-related directories, scanning the wallet files:
Blank check eth_sign phishing
After connecting your wallet and clicking “claim”, a pop-up appears requesting your signature. At the same time, MetaMask displays a red warning. It is, however, impossible to tell from this pop-up what exactly the signature request is for. This is in fact an extremely dangerous type of signature, essentially a “blank check” on Ethereum. Through this phishing, scammers can use your private key to execute any transaction.
The eth_sign method can sign any hash, so it can sign any bytes32 value. Attackers therefore only need the dApp we connect to in order to obtain our address, then analyse and query our account. They can construct any data (e.g. a native token transfer or a contract call) and have it signed simply via eth_sign.
Another variant: if you reject the above signature, another signature pop-up is automatically displayed in MetaMask, tricking you into signing once your guard is down. After receiving your signature, it uses the SetApprovalForAll method, and “Approved asset” changes to “All of your NFT”. In other words, once you sign, scammers can steal all your NFTs without restriction.
This kind of phishing is very confusing for users. Previously, with authorisation phishing, MetaMask would at least show us the data the attacker wanted us to sign. When attackers use the eth_sign method, however, MetaMask only shows us a bytes32 hash.
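The three signature patterns above (the zero-price order in the fake-order section, the eth_sign blank check, and the follow-up SetApprovalForAll) can all be recognised from the raw wallet request before anything is signed. The following added example, not code from the article or from any wallet, triages constructed JSON-RPC requests the way a wallet-side filter would; the victim address is constructed, the taker and exchange addresses are the ones quoted above, and 0xa22cb465 is the selector of setApprovalForAll(address,bool).

```python
import json
import re

ZERO_ADDRESS = "0x" + "0" * 40
SET_APPROVAL_FOR_ALL = "0xa22cb465"   # 4-byte selector of setApprovalForAll(address,bool)
HEX32 = re.compile(r"^0x[0-9a-f]{64}$")

# Constructed victim address; taker and exchange are the addresses quoted in the article.
USER = "0x1111111111111111111111111111111111111111"
TAKER = "0xde6135b63decc47d5a5d47834a7dd241fe61945a"
EXCHANGE = "0x7f268357A8c2552623316e2562D90e642bB538E5"

# Constructed wallet requests modelled on the three phishing patterns described above.
REQ_ETH_SIGN = {"method": "eth_sign", "params": [USER, "0x" + "ab" * 32]}
REQ_ZERO_ORDER = {"method": "eth_signTypedData_v4", "params": [USER, {
    "domain": {"name": "Exchange", "verifyingContract": EXCHANGE},
    "message": {"maker": USER, "taker": TAKER, "exchange": EXCHANGE, "basePrice": "0"}}]}
REQ_APPROVE_ALL = {"method": "eth_sendTransaction", "params": [{
    "from": USER, "to": "0x2222222222222222222222222222222222222222",
    "data": SET_APPROVAL_FOR_ALL + ("3" * 40).rjust(64, "0") + "1".rjust(64, "0")}]}
REQ_BENIGN = {"method": "personal_sign", "params": ["0x" + b"Sign in to app".hex(), USER]}


def triage(request: dict, user: str) -> tuple:
    """Classify a JSON-RPC signing/transaction request as (risk, reason)."""
    method = request.get("method", "")
    params = request.get("params", [])
    user = user.lower()
    if method == "eth_sign":
        # eth_sign signs an arbitrary 32-byte hash; the wallet cannot show what it commits to.
        payload = str(params[1]).lower() if len(params) > 1 else ""
        what = "an opaque 32-byte hash" if HEX32.match(payload) else "arbitrary data"
        return "high", f"eth_sign over {what} is a blank check: reject"
    if method.startswith("eth_signTypedData"):
        typed = params[1]
        if isinstance(typed, str):            # MetaMask passes typed data as a JSON string
            typed = json.loads(typed)
        msg = typed.get("message", {})
        maker = str(msg.get("maker", "")).lower()
        taker = str(msg.get("taker", "")).lower()
        price = int(str(msg.get("basePrice", "1")))
        if maker == user and price == 0 and taker not in ("", ZERO_ADDRESS):
            return "high", f"order lists you as maker at price 0 for fixed taker {taker}"
        return "review", "typed-data order: verify price, taker and exchange contract"
    if method == "eth_sendTransaction":
        data = str(params[0].get("data", "")).lower()
        if data.startswith(SET_APPROVAL_FOR_ALL) and len(data) >= 138:
            operator = "0x" + data[34:74]      # address is the low 20 bytes of word 1
            if int(data[74:138], 16) == 1:      # word 2: approved == true
                return "high", f"setApprovalForAll grants {operator} control of all your NFTs"
        return "review", "transaction: inspect the calldata before confirming"
    if method == "personal_sign":
        return "low", "personal_sign: the message is shown in clear, read it before signing"
    return "review", f"unrecognised method {method}"
```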
Same-ending address + TransferFrom zero-transfer scam
In the user’s transaction history, transfers of 0 USDT from unknown addresses keep appearing. These transactions are completed via the TransferFrom function. This is mainly because the token contract’s TransferFrom function does not require the authorised transfer amount to be greater than 0, so a transfer of 0 USDT succeeds without any authorisation from the user’s account. Malicious attackers exploit this to continually call TransferFrom against active on-chain users, which emits a Transfer event.
Beyond the harassment of 0 USDT transfers, attackers also target users who trade frequently and in large amounts by repeatedly airdropping small amounts of tokens, such as 0.01 USDT or 0.001 USDT, from an address whose ending is almost identical to the user’s. When users copy addresses from their transaction history, they often copy the wrong one and lose their funds.
The above are only some commonly seen attack methods and situations. In reality, hackers and attackers constantly find new angles and will always come up with new methods; on our side, what we have to do is keep learning.
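Both halves of the scam described above leave a recognisable trace in a transfer history: zero-value transfers involving addresses the user has never dealt with, and small incoming amounts from an address that shares the first and last hex digits of an address the user trusts. The following added example (not code from the article or from SlowMist) runs that check over a constructed USDT history; all addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class Transfer:
    tx: str
    sender: str
    receiver: str
    value: int          # token base units; USDT has 6 decimals, so 10_000 == 0.01 USDT
    token: str = "USDT"


# Constructed addresses: the user, a counterparty the user pays regularly, an
# attacker address sharing that counterparty's first and last hex digits, and a stranger.
USER = "0x" + "a" * 40
KNOWN = "0x5a1f" + "0" * 32 + "cafe"
POISON = "0x5a1f" + "9" * 32 + "cafe"
STRANGER = "0x" + "7" * 40

# Constructed transfer history as a block explorer would list it for USER.
HISTORY = [
    Transfer("tx1", USER, KNOWN, 100_000_000),    # legitimate 100 USDT payment
    Transfer("tx2", USER, POISON, 0),             # 0 USDT transferFrom spam in the user's name
    Transfer("tx3", POISON, USER, 10_000),        # 0.01 USDT dust from the look-alike address
    Transfer("tx4", STRANGER, USER, 50_000_000),  # unknown but unremarkable payment
]


def looks_like(addr: str, reference: str, head: int = 4, tail: int = 4) -> bool:
    """True if addr differs from reference but matches the digits explorers display."""
    a, r = addr.lower(), reference.lower()
    return a != r and a[2:2 + head] == r[2:2 + head] and a[-tail:] == r[-tail:]


def flag_transfers(history, user: str, trusted) -> list:
    """Return (tx, reason) for transfers matching the zero-transfer or look-alike patterns."""
    user = user.lower()
    trusted = {t.lower() for t in trusted} | {user}   # addresses the user copies from history
    findings = []
    for tr in history:
        cp = tr.receiver if tr.sender.lower() == user else tr.sender   # the counterparty
        if cp.lower() in trusted:
            continue
        if tr.value == 0:
            findings.append((tr.tx, f"zero-value {tr.token} transfer involving unknown {cp}"))
            continue
        for ref in trusted:
            if looks_like(cp, ref):
                findings.append((tr.tx, f"{cp} imitates trusted address {ref}"))
    return findings


if __name__ == "__main__":
    for tx, reason in flag_transfers(HISTORY, USER, [KNOWN]):
        print(tx, reason)
```

The practical mitigation is to copy addresses from an address book or a previously verified source rather than from transaction history, and to compare the full address, not just its ends, before sending.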
Individual users can avoid most risks by following the safety rules and regulations below:
The 2 main safety rules:
Safety regulations:
With that, I strongly recommend reading and mastering the Blockchain Dark Forest Selfguard Handbook by SlowMist.