One article reveals the reasons for frequent blockchain hacking in 2021

Blockchain is known for being censor-free. It is a hot spot for encouraging innovation and a breeding ground for crime. The Dao, which was crowdfunding more than US$150 million in the past, was stolen by hackers and carried out a hard fork operation, which gave rise to today's Ethereum. Since the creation of the blockchain, various hacker thefts of currencies against exchanges, wallets and dapps have occurred frequently. So, what kind of waves will the blockchain security field experience in 2021, and what will be the subsequent processing work?


2021 Blockchain hackers stolen currency incidents sorted out


Uranium Finance-Logic Vulnerability


On October 27, the Cream Finance oracle was manipulated. The attacker borrowed DAI from MakerDAO to create a large number of yUSD tokens, and at the same time manipulated the oracle's price for yUSD by manipulating the multi-asset liquidity pool (including yDAI, yUSDC, yUSDT, and YTUUSD). After increasing the price of yUSD, the attacker's price of yUSD was artificially increased, thereby creating a sufficient borrowing limit to borrow most of Cream Finance's funds in the Ethereum v1 lending market. And Cream.Finance was also attacked by a flash loan on August 30.


Anyswap-background signature


2) Wallet-phishing information


This is different from the fact that once an accident occurs to the project party, people can analyze it through the public transaction records on the chain; only the insiders of the exchange know what happened, and the information will not be disclosed. Generally, the exchange incident comes from these aspects: the exchange server is hacked, and the attacker has accessed the private key of the hot wallet in the server. The staff of the exchange was attacked by phishing, and then the attacker accessed the internal system through the staff's account, contacted the private key of the hot wallet and so on.


What to do after assets are stolen


The project party generally adopts these solutions:


1) Immediately suspend the token transfer and transaction services in the smart contract; for contracts that cannot be suspended, check the privileged functions that can be used in the contract and block some of the contract services to prevent the contract from being attacked again.


2) At the same time, a warning is issued to the community to prevent new investors from putting their property in a leaky contract.


3) Contact a third-party security company, ask for help analyzing the cause of the vulnerability, and cooperate to fix the vulnerability together.


4) For the whereabouts of the stolen funds, if there is a blacklist function in the contract; block hacker addresses immediately to prevent hackers from transferring funds.


5) Cooperate with security companies and law enforcement agencies to recover the stolen property, and at the same time come up with a reasonable compensation plan to reduce user losses.


So, why do security companies have been screened for vulnerabilities, and hackers can take advantage of them? The fact is that the audit work for a certain project can only last for a few weeks, and the hacker's time and energy are unlimited. Once they target a certain type of project, they will have much more time to conduct research and take action than the audit company.


Secondly, a secure open source code base will also increase the safety factor. The OpenZeppelin code base is an open source code base written by professionals, and its code quality will be relatively high and safer. The project party only needs to add some functions that they want to implement on the basis of the code library, and they can write code from scratch.


Starting from human factors, the project party needs to consider whether the financial model and business logic are worthy of scrutiny, and conduct countless tests to eliminate potential risks.


All in all, the Defi protocol and the entire blockchain security issue are the main factors that prevent mainstream funds from entering the industry. Looking at all the reasons for the Defi accident, the most important thing is that the Defi project is not yet fully decentralized, and it needs to rely on third-party external services. The Defi industry is impeccable in terms of security, which is the goal that this track project must achieve (especially for the heavily centralized cross-chain track). I look forward to the next cycle of the industry to run out of Defi products with new business logic!



About Us

DPTech is co-founded by several senior European and American security experts, and a core security R&D team with international first-line talents is committed to improving the overall security, privacy and usability of the blockchain ecosystem. By publishing industry trend reports and real-time monitoring of ecological security risks, it provides customers with visual solutions that meet international advanced security technology standards, and strengthens network security monitoring, early warning and defense capabilities. After years of accumulation of blockchain experience, DPTech has been recognized by dozens of well-known exchanges around the world.
Email: service@dpanquan.com
cache
Processed in 0.007390 Second.