April 14, 2022

Beosin Blockchain Security Ecosystem Overview in Q1 2022

In the first quarter of 2022, according to statistics monitored by Beosin EagleEye, losses from global blockchain attack-type security incidents reached about $1.2 billion, nearly nine times the $130 million lost in the same period last year (Q1 2021). It is also higher than the amount lost in any quarter of 2021.


In March 2022, the Ronin attack resulted in $625 million in stolen funds and took the top spot on the DeFi hacking loss list, surpassing the $610 million attack on Poly Network in August 2021. Of course, not every project will be able to recover funds as Poly Network did. As of this writing (April), Ronin’s hackers are still laundering money in batches.


In terms of blockchain platforms, Ethereum and BNB Chain continue to be the two most frequently attacked blockchains. However, high frequency does not mean a huge loss amount. In Q1 2022, we monitored only 2 typical attacks on Solana, but the loss amount was $374 million, far more than the loss on BNB Chain.


In terms of the flow of funds, in 80% of cases the hacker transfers the stolen funds to Tornado.Cash. In 10% of cases the hacker leaves the funds at their address temporarily, sometimes waiting months or even years before transferring the stolen funds. A small percentage of hackers voluntarily return the stolen funds.


In terms of hacking techniques, contract vulnerability exploits and flash loan attacks are the most common tactics used by hackers. 50% of the attacks were contract exploits.


In terms of audit status, 70% of the projects that were attacked had been audited by a third-party security firm. However, the remaining 30%, the unaudited projects, accounted for more than 60% of the overall loss amount.


In terms of project types, DeFi projects continue to be a hot spot for hackers, accounting for 60% of the total number of projects attacked. Cross-chain bridges, on the other hand, were attacked fewer times, but the amounts involved were huge.


Exploits ranked by losses

30 typical exploits occurred in 2022 Q1


In 2022 Q1, a total of 30 typical security incidents occurred in the blockchain field. The total amount of losses was approximately $1.2 billion, an increase of 823% compared to 2021 Q1.


In the top 20 ranking of losses, Ronin, which had the highest amount of losses at $625 million, lost about 558 times as much as Build Finance ($1.12 million), which had the lowest amount.



Ronin and Wormhole together lost $950 million, accounting for 80% of the total losses in 2022 Q1. It is worth noting that both are cross-chain bridge projects.


Types of projects being attacked

Defi remains a key target for hackers



DeFi projects remain a key area of focus for hackers, with approximately 60% of attacks occurring in DeFi.


Attacks against NFTs have risen in the first quarter of 2022.


Cross-chain bridge projects were attacked four times, yet caused $950 million in losses, accounting for 80% of the amount lost in Q1 2022.


Cross-chain bridge security incidents are frequent and involve significant amounts of money.




Losses by blockchain

Ethereum has the highest percentage of losses


Ethereum and Solana ranked in the top 2 by amount lost, at $654.48 million and $374 million respectively.


Ethereum was also attacked the most, accounting for 45% of all incidents; in second place was BNB Chain, with 19%.


Both exploits on Solana caused huge losses: Wormhole lost $326 million and Cashio lost $48 million. Both were contract vulnerability exploits.


Some of the top TVL-ranked public blockchains saw no major security incidents in Q1 2022, e.g. Terra, Avalanche and Tron.



Hacking techniques

Contract vulnerability exploit and flash loan are the two common methods


Approximately 50% of the attacks were contract vulnerability exploits and 24% were flash loans.


12% of the attacks were caused by private key compromise, phishing and social engineering. These attacks stem from project parties failing to keep their private keys safe or from a lack of vigilance.


Among the contract vulnerabilities exploited by hackers, the most common were reentrancy vulnerabilities (30%), followed by improper business logic (24%), call injection attacks (18%) and improper or insufficient validation (18%); the vast majority of these vulnerabilities can be discovered and fixed early through security audits.



Typical security incidents in 2022 Q1

TreasureDAO: NFT bought for free

Background:


On March 3, the TreasureDAO NFT trading marketplace was exposed to a vulnerability that led to the theft of more than 100 NFTs. However, a few hours after the incident, the attackers started returning the stolen NFTs.


Detail:


The transaction initiator called the buyItem function of the contract with the _quantity parameter set to 0 and thereby purchased the ERC-721 token with TokenID 5490 at no cost.


From the code, the buyItem function of the contract does not check the token type after the _quantity parameter is passed in, but directly multiplies _quantity by _pricePerItem to calculate totalPrice, so buyItem can be called to buy tokens while the ERC-20 payment is only 0, and the subsequent safeTransferFrom call still delivers the token.


When the buyItem function is called, it only checks the type of token being purchased and does not check that the quantity is non-zero. As a result, an ERC-721 token can be purchased directly regardless of the _quantity value, which is what enabled the attack.


Recommendation:


The main reason lies in the logic confusion caused by the mixed handling of ERC-1155 tokens and ERC-721 tokens. ERC-721 tokens have no concept of quantity, yet the contract uses the quantity to calculate the purchase price, and the two token types are not treated separately when the tokens are transferred.


It is recommended that developers who write selling contracts for multiple token types handle each case according to the characteristics of the respective token standard.




Figure: The buyItem function code of the project contract
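As an added illustration (not the TreasureDAO contract and not Beosin’s code), the sketch below places a buyItem with the flaw described above next to a hardened version; the contract name, the Listing struct and the use of OpenZeppelin interfaces are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Hypothetical marketplace sketch, not the TreasureDAO contract. Assumes the
// OpenZeppelin interface files are available to the compiler.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/token/ERC1155/IERC1155.sol";
import "@openzeppelin/contracts/utils/introspection/IERC165.sol";

contract MarketplaceSketch {
    bytes4 private constant INTERFACE_ID_ERC721 = 0x80ac58cd; // ERC-165 id of IERC721
    struct Listing { uint64 quantity; uint128 pricePerItem; address owner; }
    IERC20 public immutable paymentToken;
    mapping(address => mapping(uint256 => Listing)) public listings;
    constructor(IERC20 _paymentToken) { paymentToken = _paymentToken; }

    // Vulnerable shape: totalPrice = _quantity * _pricePerItem, nothing rejects _quantity == 0,
    // and the ERC-721 branch of _deliver ignores _quantity, so _quantity = 0 pays 0 and gets the NFT.
    function buyItemVulnerable(address _nft, uint256 _tokenId, uint64 _quantity, uint128 _pricePerItem) external {
        Listing storage l = listings[_nft][_tokenId];
        require(l.quantity >= _quantity, "not enough quantity");
        require(l.pricePerItem == _pricePerItem, "price changed");
        uint256 totalPrice = uint256(_quantity) * _pricePerItem; // 0 when _quantity == 0
        paymentToken.transferFrom(msg.sender, l.owner, totalPrice); // moves 0 tokens
        _deliver(_nft, _tokenId, l, _quantity);
    }

    // Hardened shape: reject a zero quantity up front and, because ERC-721 has no
    // notion of quantity, pin it to exactly 1 before any value changes hands.
    function buyItem(address _nft, uint256 _tokenId, uint64 _quantity, uint128 _pricePerItem) external {
        require(_quantity > 0, "quantity must be > 0");
        Listing storage l = listings[_nft][_tokenId];
        require(l.quantity >= _quantity, "not enough quantity");
        require(l.pricePerItem == _pricePerItem, "price changed");
        if (IERC165(_nft).supportsInterface(INTERFACE_ID_ERC721)) require(_quantity == 1, "ERC-721 quantity must be 1");
        uint256 totalPrice = uint256(_quantity) * _pricePerItem;
        require(paymentToken.transferFrom(msg.sender, l.owner, totalPrice), "payment failed");
        _deliver(_nft, _tokenId, l, _quantity);
    }
    // Shared delivery: an ERC-721 listing is consumed whole; an ERC-1155 listing is decremented.
    function _deliver(address _nft, uint256 _tokenId, Listing storage l, uint64 _quantity) private {
        address seller = l.owner;
        if (IERC165(_nft).supportsInterface(INTERFACE_ID_ERC721)) {
            delete listings[_nft][_tokenId];
            IERC721(_nft).safeTransferFrom(seller, msg.sender, _tokenId);
        } else {
            if (l.quantity == _quantity) delete listings[_nft][_tokenId]; else l.quantity -= _quantity;
            IERC1155(_nft).safeTransferFrom(seller, msg.sender, _tokenId, _quantity, "");
        }
    }
}
```

The two functions differ only in the two guards at the top of buyItem; everything after the payment is shared, which is exactly why a zero quantity in the vulnerable path still reaches the ERC-721 transfer.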


Build Finance suffered a governance attack

Background:


On February 15, Build Finance DAO said it had suffered a malicious governance attack in which attackers managed to take control of its token contracts by gaining enough votes.


Detail:


In a transaction on September 4, 2020, the Build Finance contract creator transferred the governance authority via the setGovernance function. By looking up the internal storage, it was found that the permission was transferred to address 0x38bce4b. Following up on the 0x38bce4b address, it was found to be a Timelock contract, and the only path through which it can call the setGovernance function is its executeTransaction function.


Following up on this, we find that on January 25, 2021, address 0x38bce4b called the executeTransaction function to transfer the authority to address 0x5a6ebe. On February 11, 2022, the governance authority of address 0x5a6ebe was changed to address 0xdcc8A38A after a proposal passed due to the low voting threshold. After gaining governance access, the attacker maliciously minted coins and drained the liquidity of the trading pool.


Recommendation:


DAO contracts should set appropriate voting thresholds to achieve truly decentralized governance, so that a proposal cannot be executed with only a small number of votes. It is recommended to refer to the governance contract implementation officially provided by OpenZeppelin.




Figure: Build Finance attack process


Ronin: the largest exploit in DeFi history

Background:


On March 23, Ronin validators were compromised, and the attackers used compromised private keys to forge fake withdrawals for a profit of about $625 million. Ronin Network did not discover it was under attack until March 29.


Detail:


“Sky Mavis’ Ronin chain currently consists of 9 validator nodes. In order to recognize a Deposit event or a Withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis’s four Ronin Validators and a third-party validator run by Axie DAO.” Ronin officials have since said that all evidence points to the attack being related to social engineering in 2021.


Recommendation:


1. Pay attention to the security of validators;


2. If the signature service goes offline, then update the security policy, close corresponding service modules, and consider deprecating the corresponding signature account address;


3. For multi-signature verification, the multi-signature services must be logically isolated, and the signature content must be verified independently;


4. Abnormal transactions should be monitored in real-time.



Figure: flow of funds from Ronin’s exploiter (updated to March 30)


The flow of stolen funds

Tornado.Cash has become the common method for money laundering


In 80% of the cases, hackers will transfer the stolen funds to Tornado.Cash immediately or within a few days after the attack.


In 10% of the cases, hackers temporarily leave the stolen money at their addresses and wait months to years before transferring the funds out. For example, in the case of AscendEX, the exchange that was hacked last December, the hackers waited until February and March of this year to start laundering money in batches. And this year’s Ronin attackers are still conducting frequent money laundering operations.


A small number of hackers return the stolen funds. For example, after stealing $48 million, Cashio’s attacker left a public message stating that he would return the money to addresses holding less than $100,000, claiming, “My intention is only to take money from those who don’t need it, not from those who do”.


Tornado.Cash is still the most commonly used money laundering method for hackers.




Audit status of projects

30% unaudited projects with 60% of total loss


70% of the projects attacked had undergone a third-party security audit.


The 30% of projects that were unaudited lost $720 million in total, accounting for 60% of total losses in Q1.


Audits before projects go live continue to be important. Among the unaudited projects, 50% of the hacking techniques were smart contract vulnerability exploits.

Therefore, early auditing and timely fixing of code vulnerabilities can avoid serious losses caused by attacks on projects after going live.





2022 Q1 Summary

Losses in blockchain ecosystem increased sharply

In 2022 Q1, the losses caused by exploits in the blockchain ecosystem reached approximately $1.2 billion, more than in any quarter of 2021. Cross-chain bridges lost huge amounts of funds and DeFi projects were attacked most frequently; these two areas are likely to remain key targets for hackers in the future.


Security audit still matters

About 50% of the attacks were contract vulnerability exploits, the vast majority of which can be detected and fixed early through security audits.


Anomalies of funds should be noticed in a timely manner

Project parties should pay attention to transaction anomalies in a timely manner. Beosin EagleEye allows project parties and users to discover risky transactions promptly so that they can take quick action, for example by immediately suspending the relevant services or informing users to revoke approvals to avoid further losses.

