May 02, 2024

Blockchain Security and Regulation Monthly Recap of April: BTC and ETH spot ETF listed in HK and $101M lost in attacks


It’s time for the monthly security and regulation report! According to Beosin Alert, in April 2024, losses from security incidents continued to decrease compared with March. More than 23 typical security incidents occurred in April 2024, and the total losses caused by hacker attacks, phishing scams and rug pulls reached $101 million, a decrease of approximately 36% from March. Among them, attack incidents accounted for approximately $52.56 million, a decrease of approximately 55%. Phishing fraud incidents accounted for approximately $11.4 million, a decrease of approximately 69%. Rug pull incidents accounted for approximately $37.05 million, an increase of approximately 624%.


The largest security incident this month was the Hedgey Finance attack, caused by a contract vulnerability, which resulted in a loss of approximately $44.7 million. ZKasino transferred approximately $33 million in user assets in a rug pull. The number of crypto crime cases increased this month.


In terms of policy, on April 30, Hong Kong Exchanges and Clearing Limited (HKEX) stated that it welcomes the listing of the first batch of virtual asset spot ETFs in Asia, which increases the product types in the Hong Kong market, provides investors with richer choices, and consolidates Hong Kong’s position as Asia's leading ETF market.


Attacks

『11』Typical Security Incidents

No.1 On April 1, the DeFi protocol OpenLeverage was attacked due to a contract vulnerability, resulting in a loss of approximately $230,000.


No.2 On April 1, the ATM token on BNB Chain was attacked due to a contract vulnerability, resulting in a loss of approximately $180,000.


No.3 On April 2, the decentralized exchange FixedFloat was attacked again, resulting in a loss of approximately $2.8 million. FixedFloat said hackers exploited vulnerabilities in its third-party services.


No.4 On April 12, the Base ecosystem project SumerMoney was attacked due to a contract vulnerability, resulting in a loss of approximately $350,000.


No.5 On April 12, the Zest Protocol project on the Stacks chain suffered a price manipulation attack, resulting in a loss of approximately $1 million.


No.6 On April 15, Grand Base, an RWA project in the Base ecosystem, lost approximately $2 million due to the leak of the deployer’s private key.


No.7 On April 19, the Hedgey Finance project was attacked due to contract vulnerabilities on both Ethereum and Arbitrum chains, resulting in losses of $44.7 million.


No.8 On April 24, the YIEDL project on BNB Chain was attacked due to a contract vulnerability, resulting in a loss of approximately $300,000.


No.9 On April 24, Saita Chain’s cross-chain bridge project Xbridge was attacked due to a contract vulnerability, resulting in a loss of at least $200,000.


No.10 On April 25, the NGFS token on BNB Chain was attacked due to a contract vulnerability, resulting in a loss of approximately $190,000.


No.11 On April 26, the cross-chain lending protocol Pike Finance was attacked, resulting in a loss of approximately $300,000. Hackers drained USDC on Ethereum, Arbitrum and Optimism chains via fake CCTP messages.


Rug Pull/Crypto Scam

『6』Typical Security Incidents

No.1 On April 2, a rug pull occurred in Solareum on the Solana chain, and the deployer made a profit of $520,000.


No.2 On April 4, a rug pull occurred on CondomSOL on the Solana chain, and the deployer made a profit of $920,000.


No.3 On April 11, an address starting with 0x5ea8 lost approximately $840,000 on the Base chain due to phishing scams.


No.4 On April 11, an address starting with 0x05f4 lost approximately $1.2 million on the Base chain due to phishing scams.


No.5 On April 19, an address starting with 0x5789 lost approximately $770,000 due to phishing fraud.


No.6 On April 20, a rug pull occurred on the decentralized betting platform ZKasino. Users were unable to withdraw funds, and the project party deposited $33 million in user funds into Lido.


Crypto Crime

『4』Typical Security Incidents

No.1 According to news on April 6, Beijing police uncovered a series of money laundering cases involving virtual currencies, involving more than 2 billion yuan.


No.2 On April 12, the United States convicted hackers for attacking smart contracts for the first time. Shakeeb Ahmed has been sentenced to three years in prison for attacking Nirvana Finance and Crema Finance and stealing more than $12 million worth of cryptocurrency.


No.3 According to news on April 16, the Jiangsu court sentenced Wang for organizing a pyramid scheme. Wang was sentenced for allegedly conducting online pyramid schemes through a virtual currency platform called moom, involving a total amount of more than 100 million yuan.


No.4 On April 20, an Indian man pleaded guilty in the United States to creating a fake Coinbase website and stealing more than $9.5 million in cryptocurrency.


No.5 On April 24, the co-founder of Samourai Wallet, a cryptocurrency mixing service, was arrested on suspicion of laundering $100 million from Silk Road and other illegal markets.


No.6 On April 27, 32 people including the founder of Taiwan’s crypto exchange ACE Exchange were indicted on suspicion of fraud and money laundering, involving an estimated amount of NT$800 million ($24.56 million).


Compliance and Regulation

No.1 On April 30, six of the first batch of virtual asset spot ETFs issued in Hong Kong were officially listed on the Hong Kong Stock Exchange and opened for trading. Hong Kong Exchanges and Clearing Limited (HKEX) welcomed Asia’s first batch of virtual asset spot ETFs. The listing of ETFs will increase the product variety in the Hong Kong market and provide investors with richer choices, consolidating Hong Kong's position as Asia's leading ETF market.


No.2 Last week, the Bank of Japan released a mid-term report on its central bank digital currency work. It revealed that the CBDC API sandbox was launched this month. The Bank of Japan has previously conducted two proofs of concept (PoC) for the digital yen, the most recent of which ended a year ago. The Bank of Japan has not yet decided to launch a CBDC. Given the extremely low awareness of the concept among Japanese consumers, promotion may be difficult. The Bank of Japan is also involved in Project Agora, the Bank for International Settlements’ project to use tokenization for cross-border payments. Meanwhile, DCJPY, the first Japanese tokenized deposit solution, is expected to launch in the coming months.


No.3 On April 22, the Hong Kong Securities and Futures Association published on its official website a letter to the Hong Kong Treasury Bureau, "Recommending the establishment of an independent self-regulatory organization for the development of the securities industry, futures industry, asset management industry and virtual asset industry", which pointed out that, based on the situation in Hong Kong, the Commission recommended that the Securities and Futures Commission still retain the power to supervise market conduct (such as prohibiting insider trading, fraud and market manipulation), but split the licensing power off into a purely self-regulatory institution composed of the securities industry, futures industry, asset management industry and virtual asset industry (generally referring to licensed intermediaries with regulated activities as currently defined by the Hong Kong Securities and Futures Commission).


No.4 Recently, Thai authorities have decided to block “unauthorized” cryptocurrency platforms to improve the efficiency of law enforcement in solving cybercrime problems. Following a meeting of the Technology Crime Prevention and Suppression Committee, the Securities and Exchange Commission of Thailand, or SEC, was ordered to submit information about unauthorized digital asset service providers to the Ministry of Digital Economy and Society in order to block access to these platforms.


No.5 On April 17, members of the British Parliament unanimously called on the government to invest in developing skills to meet employment needs in the cryptocurrency, blockchain and artificial intelligence (AI) industries. Lisa Cameron MP, who chaired a debate on the topic on Tuesday, urged the government to ensure digital skills are taught from the early stages of education and even in the workplace. “While the UK is well placed to take advantage of the opportunities presented by the growth of the digital economy, significant preparation and investment in education, training and skills is required to make the most of these opportunities and ensure the UK has the necessary talent.”


Overall, in April 2024 losses from blockchain security incidents continued to decline, marking two consecutive months of decrease. In this month’s attacks, 88% of the losses still came from the exploitation of contract vulnerabilities, involving business logic vulnerabilities, reentrancy vulnerabilities, input validation vulnerabilities and other issues. It is recommended that project teams engage a professional security company to conduct an audit before the project goes online. There have been many rug pull incidents involving large amounts of money this month. Users are advised to conduct background checks on projects. For example, ZKasino was the subject of multiple warnings from the security community before the rug pull occurred, pointing to the founding team's history of deception and unethical behavior.
