<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Stories by Knownsec Blockchain Lab on Medium]]></title>
        <description><![CDATA[Stories by Knownsec Blockchain Lab on Medium]]></description>
        <link>https://medium.com/@Knownsec_Blockchain_Lab?source=rss-4ab25ea260ac------2</link>
        <image>
            <url>https://cdn-images-1.medium.com/fit/c/150/150/1*KpGO_rBfzpfEn1vuPqgxoA.png</url>
            <title>Stories by Knownsec Blockchain Lab on Medium</title>
            <link>https://medium.com/@Knownsec_Blockchain_Lab?source=rss-4ab25ea260ac------2</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Tue, 26 May 2026 19:49:14 GMT</lastBuildDate>
        <atom:link href="https://medium.com/@Knownsec_Blockchain_Lab/feed" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Knownsec Blockchain Lab ｜June Security Monthly Report]]></title>
            <link>https://medium.com/@Knownsec_Blockchain_Lab/knownsec-blockchain-lab-june-security-monthly-report-55dbf8680e66?source=rss-4ab25ea260ac------2</link>
            <guid isPermaLink="false">https://medium.com/p/55dbf8680e66</guid>
            <dc:creator><![CDATA[Knownsec Blockchain Lab]]></dc:creator>
            <pubDate>Wed, 29 Jun 2022 09:26:35 GMT</pubDate>
            <atom:updated>2022-06-29T09:26:35.213Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*uAIbZlMLfJ_qEAYiS5JKzQ.png" /></figure><h3>Foreword</h3><p>Security incidents kept emerging throughout June. Even though token prices have fallen, attackers have not stopped attacking. According to the Knownsec Blockchain Lab [Hacked Event Archives], there were more than 46 security incidents this month. Runaway scams (Rug Pulls) became more serious, and the cross-chain bridge Harmony Bridge lost as much as 100 million US dollars due to verifier node private key leakage. Total losses from security incidents this month were approximately $121,000,000.</p><p>The following is a summary of the various types of security incidents in June compiled by <strong>Knownsec Blockchain Lab</strong>, together with a discussion of the problems they expose.</p><h3>DeFi Security Type Events</h3><ul><li>On June 2, the project CoFiXProtocol on BNB Chain suffered a price manipulation attack, and the attackers made a profit of about $140,000.</li><li>On June 4th, the fomo-dao project was attacked, and the attackers have now made a profit of $110,000, which has been transferred to Tornado.cash.</li><li>On June 7, Equalizer Finance suffered a flash loan attack. The main reason for this attack is that the FlashLoanProvider contract of the Equalizer Finance protocol is not compatible with the Vault contract. The loss was about $831.</li><li>On June 9, Pool 678, deployed on the Osmosis blockchain, was attacked, possibly involving $5 million. By exploiting this vulnerability, users can exit the pool and get an additional 50% of the assets originally deposited in the pool.</li><li>On June 14, Fswap officially stated that it was attacked by hackers at 22:08 on June 13. This attack was a vulnerability incident of a non-attacked project and a malicious loan attack incident. 
The loss was 1751 BNB, worth about $390,000.</li><li>On June 21, the whaleswap.finance project was attacked, losing at least 5,946 BUSD and 5,964 USDT, worth about $11,910.</li><li>On June 23, the pandorachainDAO project suffered a flash loan attack, resulting in a loss of assets worth about $128,000.</li><li>On June 24, Horizon, an asset cross-chain bridge between Ethereum and Harmony developed by the Layer1 public chain Harmony, was attacked, with a loss of about $100 million.</li><li>On June 26, the NFT lending protocol XCarnival was attacked, and the hacker made a profit of 3,087 ETH (about $3.8 million), while the protocol loss may be higher.</li><li>On June 28, the SeniorPool contract of the Goldfinch project was attacked. The attacker gained 28,523 USDC through arbitrage, and the project side lost 541,158 USDC.</li></ul><h3>Scam Security Type Event</h3><ul><li>On June 1, a Rug Pull occurred on the project ArmadilloCoin on BNB Chain, and scammers have transferred 663.4 BNB to Tornado Cash. The loss was worth approximately $210,000.</li><li>On June 3, a Rug Pull occurred in StarMan, the token price dropped by 99.5%, and the scammers have transferred about 640.4 BNB to Tornado Cash. Losses were valued at approximately $196,000.</li><li>On June 6, the ACC token plummeted by more than 70%, and 7 of the recent transactions were identified as suspicious Rug Pulls, with a loss of $120,000.</li><li>On June 8, a Rug Pull occurred on the project BabyElon on BNB Chain, and the token dropped by 98%. The scammers have transferred 623 BNB to Tornado Cash, with a loss of about $180,000.</li><li>On June 12, HEGE Coin was confirmed as a Rug Pull runaway project, and the price of HEGE tokens plummeted by more than 97%. 
The current loss is around 430,000 USC-USD (~$430,000).</li><li>On June 13, a Rug Pull occurred on the ElonMVP token, the token price fell by 99%, and over 622 BNB were transferred to Tornado.Cash, with a loss of about $130,000.</li><li>On June 14, the blockchain cloud infrastructure Chain (XCN) may have had a Rug Pull, and the token price fell by 96.28% in 24 hours.</li><li>On June 20, the Move To Earn application StepUp Games experienced a Rug Pull, the token price dropped 84%, and the deployer minted a large amount of STP and sold it.</li><li>On June 21, a Rug Pull occurred in the DHE project, causing the DHE token price to drop by more than 91%. Total losses are currently around $142,000.</li><li>On June 22, the LV PLUS (token LVP) project was confirmed as a runaway project. On June 21, 2022, Beijing time, the project lost about $1.5 million to the Rug Pull attack.</li><li>On June 29, the LV Metaverse (token LVP) project had another Rug Pull, and the contract deployer took another $50,000 worth of tokens.</li></ul><h3>Phishing Security Type Incident</h3><ul><li>On June 4th, the Discord of Homeless Friends NFT was attacked; homelessfriends[.]net is a phishing website.</li><li>On June 4, the Discord of the NFT project Not Bored Apes was attacked, a mod account appeared to be hacked, and phishing links began to be posted frequently. Please be wary of any Mint that has not been officially announced.</li><li>On June 4, the Discord server of the NFT project Wibin Wolves was attacked, community users were kicked, and all server invitation links were closed.</li><li>On June 5, the Discord server of the NFT project “Bored Ape” was briefly attacked, and NFTs worth about 200 ETH were stolen.</li><li>On June 6, the Discord of the NFT project Aiternate was attacked. 
Users are requested not to click on any Discord private messages or links.</li><li>On June 7th, the Elrond network was hacked, and more than $1.65 million EGLD was stolen, some of which has been sold through the decentralized trading platform Maiar, causing Maiar to shut down for maintenance, and part of which was sent to Binance.</li><li>On June 7th, the Discord of the NFT series Boss Beauties, which focuses on women’s empowerment, was attacked. Up to now, NFTs are still frequently transferred in and out, with a total of more than 40 pieces.</li><li>On June 8, the Discord of the NFT project Dapper Dinos was attacked, and dapperdrop.com was a phishing website.</li><li>On June 9, mint-samsung.com was a phishing site. The phishing site impersonates a Samsung minting site to steal the VeeFriends Series 2 #44451 NFT.</li><li>On June 9, the Discord of the NFT project Alpha Kongs Club was attacked. alphakongsclubnft.org is a phishing website, and users should not interact with any links sent by the project’s Discord.</li><li>On June 12, the Discord of NFT project Gooniez Gang was attacked and posted a phishing link.</li><li>On June 12, the sci-fi NFT card game Parallel tweeted that its Discord was attacked and the team was recovering. Users are asked not to click on any Mint links.</li><li>On June 14th, the Discord of KnownOrigin, an NFT discovery and trading platform, was attacked. KnownOrigin is a phishing website, please do not click on any Discord private messages or links.</li><li>On June 21, the official Twitter of the NFT project Neo Hunters said that its official Discord was hacked and reminded users not to click any links.</li><li>On June 22, rrbayc.art is a phishing website, beware of being deceived. The real RR/BAYC project page has been taken down by OpenSea.</li><li>On June 23, the punkcomics.net website was identified as a scam site, and the scammers have obtained more than 100 NFTs such as Otherdeed, The Sandbox LAND, etc. 
for $0.</li><li>On June 26, the Discord of Ugly Bros, an NFT project on the Cardano chain, was attacked and published an announcement that included a phishing link. Community users are asked not to click any links to interact with them.</li><li>On June 26, Serpent, a Web3 security analyst, said that a form of attack has been discovered that disguises malicious files that steal NFTs in wallets as PDF files, and the artist whose Twitter ID is <a href="/user/RabbitinM">u/RabbitinM</a> has suffered losses.</li><li>On June 27, crypto KOL ZachXBT posted on social media that Nouns’ official Twitter account (@nounsdao) had been stolen and that hackers used it to publish phishing website information, and reminded users to be careful about clicking related links.</li></ul><h3>Other security event types</h3><ul><li>On June 9, the decentralized trading platform ApolloX issued its latest statement on the hacking incident: “A hacker exploited a vulnerability in ApolloX’s transaction reward contract to accumulate 255 signatures, and then used these signatures to steal from the withdrawal contract. 53 million APX Tokens were taken.”</li><li>On June 16th, at least 10 browser plug-in wallets, including MetaMask and Phantom, may expose login information due to a problem in the JavaScript language that allows the mnemonic phrase to be stored in memory for a period of time, where it can be exploited by attackers. Currently MetaMask and Phantom have fixed this vulnerability.</li><li>On June 24, Ribbon Finance tweeted that a user suffered a DNS attack and lost 16.5 WBTC.</li></ul><h3>Summary</h3><p>Judging from the DeFi security situation, flash loan attacks and oracle manipulation were still frequent causes of security incidents this month, and project teams need to pay more attention to security in these areas. 
At the same time, the Harmony Bridge cross-chain bridge incident is a reminder to protect private keys and to build better defenses against private key leakage. Knownsec Blockchain Lab hereby reminds project teams that regular audits and composite audits of contract security are necessary to protect contracts from other attacks.</p><p>Judging from the increasing frequency of phishing and scams, users’ ability to identify projects is weak, and they are easily deceived by a project’s promise of high returns. Similarly, phishing incidents use various free giveaways to lure users into the traps that have been set. In the process of investing, users should also learn more about blockchain to reduce their potential losses as much as possible.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Knownsec Blockchain Lab ｜Attacks are reincarnated, who the sky bypasses, how can Inverse Finance]]></title>
            <link>https://medium.com/@Knownsec_Blockchain_Lab/knownsec-blockchain-lab-attacks-are-reincarnated-who-the-sky-bypasses-how-can-inverse-finance-9a89d9a1274?source=rss-4ab25ea260ac------2</link>
            <guid isPermaLink="false">https://medium.com/p/9a89d9a1274</guid>
            <dc:creator><![CDATA[Knownsec Blockchain Lab]]></dc:creator>
            <pubDate>Wed, 22 Jun 2022 06:46:02 GMT</pubDate>
            <atom:updated>2022-06-22T06:46:02.273Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*cm01-PjALXSvha2t" /></figure><h3>Preface</h3><p>On June 16, 2022, Beijing time, <strong>Knownsec Blockchain Lab</strong> detected that the lending project Inverse Finance on the Ethereum chain was attacked due to the design of its oracle, and lost about 77 BTC ($152W USD). <strong>Knownsec Blockchain Lab</strong> tracked and analyzed this incident as soon as it occurred.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/596/0*1gAvzI4B7_BrGcVH" /></figure><h3>Basic information</h3><p>Attacked oracle contract: 0xe8b3bc58774857732c6c1147bfc9b9e5fb6f427c</p><p>Attacker address: 0x7b792e49f640676b3706d666075e903b3a4deec6</p><p>Attack contract: 0xf508c58ce37ce40a40997c715075172691f92e2d</p><p>tx: 0x958236266991bc3fe3b77feaacea120f172c0708ad01c7a715b255f218f9313c</p><h3>Vulnerability Analysis</h3><p>As with most oracle incidents, the project relied too heavily on the price in a single pool when implementing its oracle. As a result, attackers can manipulate the proportion of tokens in that pool, control the price, and attack the protocol.</p><p>The project’s price oracle code exploited in this incident is as follows:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/999/0*COXLtf-Kah8SQ4vK" /></figure><p>The price feed function uses the token balances of the BTC/ETH/USDT pool in the Crv3 pool as part of the price source, so the price rose sharply after the attacker swapped a large amount of BTC for USDT in the Crv3CRYPTO pool.</p><h3>Attack Process</h3><p>1. The attacker first used a flash loan to borrow 27,000 WBTC from AAVE, and then deposited 225 WBTC into Curve, for which the protocol minted the corresponding pledge credentials (crv3crypto);</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/929/0*8Vixeov1Xw1y9_rn" /></figure><p>2. 
Use the crv3crypto to deposit into yvCurve-3Crypto, and the protocol mints the corresponding credentials anYvCrv3Crypto for it;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/889/0*tPUNhmd96kezupqT" /></figure><p>3. Swap the remaining WBTC, thereby controlling the balance ratio in the Curve pool that latestAnswer reads (26,775 WBTC exchanged for 75403376 USDT);</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/907/0*MmaHXeOQiF8YYK_n" /></figure><p>Before the swap in the third step, the oracle’s latestAnswer returns 979*1e18;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1011/0*cXh9qxzEF-gg_zP0" /></figure><p>After the price manipulation, latestAnswer returns 2831*1e18;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/921/0*Bdgi4941e_EUkg6V" /></figure><p>4. The attacker was then able to use the collateral to borrow 10,133,949 DOLA (worth $1011W), while the original 225 BTC was worth $466W;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*G48_hqjWZ9vIfYzp" /></figure><p>5. Then exchange USDT for WBTC and DOLA for 3Crv;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*6buj0QWRZ82Mfnyj" /></figure><p>6. Remove 3Crv liquidity in exchange for the stablecoin USDT;</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*hwKthoaPOpx6FBOG" /></figure><p>7. Swap for BTC and repay the flash loan.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1000/0*zbTRUSnbcL03eVCO" /></figure><h3>Summary</h3><p>The incorrect use of balanceOf in the oracle contract allowed the attacker to manipulate the data source, which led to the attack. This attack method has occurred many times before, such as the <a href="https://mp.weixin.qq.com/s/YokbbrGD-G_cbMKoMWyJtw">Definer oracle attack event</a>. Project teams should not ignore security considerations during development, and it is recommended to complete an audit before going online.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[The BAYC has suffered huge losses due to phishing again.]]></title>
            <link>https://medium.com/@Knownsec_Blockchain_Lab/the-bayc-has-suffered-huge-losses-due-to-phishing-again-3d5d203f40b2?source=rss-4ab25ea260ac------2</link>
            <guid isPermaLink="false">https://medium.com/p/3d5d203f40b2</guid>
            <dc:creator><![CDATA[Knownsec Blockchain Lab]]></dc:creator>
            <pubDate>Mon, 13 Jun 2022 06:43:29 GMT</pubDate>
            <atom:updated>2022-06-13T06:46:36.621Z</atom:updated>
            <content:encoded><![CDATA[<h3>The BAYC suffers another phishing attack: what exactly is phishing?</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*UtE4uxjR1nPyMkO7" /></figure><h3>Preface</h3><p>On June 5, 2022, Beijing time, <strong>Knownsec Blockchain Lab</strong> detected that the Discord community of the famous NFT project (Bored Ape) suffered a phishing attack again, resulting in the loss of about 200 ETH. Prior to this, the famous singer Jay Chou suffered a phishing attack on April Fool’s Day, in which the Bored Ape NFT he held was transferred away by hackers.</p><p>In recent years, we have found that phishing incidents occur frequently in the web3 world, resulting in heavy losses for project parties and users. So today we will talk about what phishing is and how to prevent it.</p><h3>What is Phishing</h3><p>Phishing means that hackers gain the victim’s trust through various social means and lure them into visiting phishing websites that the hackers have built to closely resemble the official website. When a phishing attack succeeds, the victim suffers irreparable losses, ranging from the disclosure of personal information and the theft of accounts to huge economic losses.</p><p>Phishing is essentially a form of social engineering, and more and more hackers use phishing attacks because it is easier and less expensive to deceive people than to break into an organization’s computer network.</p><p>At the same time, it often takes advantage of the weakness of human nature: by revealing some information related to the victim’s vital interests, it exploits the victim’s panic and pushes them to act in haste, thereby disturbing the victim’s thinking and achieving the purpose of the phishing attack.</p><h3>Phishing Attacks</h3><p>The essence of phishing attacks is deception. 
This article summarizes the following common phishing attacks in blockchains.</p><h4><strong>Clone Attack</strong></h4><p>The attacker clones the project’s official website, and the cloned website has a name, domain name and front-end page similar to those of the official website, making it extremely difficult for users to tell the real from the fake. The attacker also runs advertising campaigns for the project online, tricking users into visiting the clone address and logging in to their account, in order to steal the victim’s login credentials, private key, etc., and then transfer the assets out of the account.</p><h4><strong>Social Phishing</strong></h4><p>With the popularity of various social software, social phishing attacks have also become very common, especially on social platforms commonly used by project parties such as Twitter, Facebook, Discord, and Telegram. Hackers break into the accounts of well-known people and use them to publish posts containing phishing links, or create phishing posts such as airdrops and pre-sales on the homepage of cloned accounts of well-known people, communities, etc. The names of these cloned accounts are very similar to those of the project party, similar enough to be mistaken for the real ones.</p><h4><strong>Fake blockchain app</strong></h4><p>With the development of the blockchain network, various blockchain applications have emerged. Wallet applications are the most common of them. Attackers often distribute malicious blockchain applications with background programs online. Once the user downloads and installs this type of application and logs in to their account in the application, the background program records the account private key and password and sends them to the attacker.</p><h3>How to prevent phishing</h3><p>Phishing attacks are so rampant; how can we prevent them? The core of phishing attacks is deception. 
First of all, at the user level, as ordinary Internet users, we should learn how to identify phishing attacks. As a project party, we should actively remind users to guard against phishing attacks.</p><h4><strong>Watch out for unknown messages</strong></h4><p>Be wary of unsolicited messages that appear to be from official accounts, alerting you that there is some problem with your account and urging you to click on the link provided to verify your login, or claiming that you have won the lottery and need to perform login verification on the website provided in the message.</p><h4><strong>Be cautious when clicking links</strong></h4><p>The phishing messages we receive usually contain a phishing link. This kind of link is usually a generated short link or a fake official website link that looks very similar to the official website link. Comparing it carefully with the official website link will reveal the difference.</p><h4><strong>Carefully check the transaction information</strong></h4><p>Be wary of asset-related operations. The ultimate goal of a phishing attack is to obtain assets. The phishing message will create panic, claiming that the victim’s assets are at risk and need to be transferred immediately, and will ask the victim to transfer assets to a “secure” account or to authorize transaction requests.</p><h4><strong>Protect sensitive information</strong></h4><p>Be wary of requests for account passwords, mnemonics, and private keys. Phishing attacks will ask victims, without their noticing, to provide sensitive information such as account passwords and private keys on phishing websites. Victims are often fooled by websites that look similar to the official website.</p><p><strong>In addition to preventing phishing attacks by raising awareness, we can also use tools to identify and block phishing addresses and better protect the interests of users. 
For example, the FishAlert plug-in has its own website security detection, which can identify and intercept fraudulent addresses and phishing addresses with security problems, and remind users that they are accessing risky domain names, so as not to give phishing attacks an opportunity.</strong></p><p>When we visit a phishing link, FishAlert automatically pops up a risk alert window:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1006/0*1831JVkaAViRRSku" /></figure><p>When we visit an unknown link, we can actively open the plugin to check the website:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/442/0*b_jQ66-HU56TNsWU" /></figure><h3>Security Advice</h3><p>According to statistics, the asset loss caused by phishing attacks in the blockchain network in 2021 has exceeded 6.4 billion US dollars. It is the common responsibility of every project party and even every member of the web3 world to protect users’ assets from loss. In addition to using tools to defend against phishing attacks, each of us should raise awareness of prevention and jointly resist phishing attacks. Here <strong>Knownsec Blockchain Lab</strong> gives the following security advice:</p><ul><li>Be alert to asset transfer and transaction authorization requests.</li><li>Check the network environment when entering a password or private key, and carefully confirm the official website address.</li><li>Avoid downloading blockchain applications from third parties; download from the official website or official application store.</li><li>Be wary of messages from strangers and do not click on links or download attachments in suspicious emails.</li></ul>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Knownsec Blockchain Lab ｜Small defects and big losses, why is GYM Network here?]]></title>
            <link>https://medium.com/@Knownsec_Blockchain_Lab/knownsec-blockchain-lab-small-defects-and-big-losses-why-is-gym-network-here-54239bd0d7d1?source=rss-4ab25ea260ac------2</link>
            <guid isPermaLink="false">https://medium.com/p/54239bd0d7d1</guid>
            <dc:creator><![CDATA[Knownsec Blockchain Lab]]></dc:creator>
            <pubDate>Wed, 08 Jun 2022 10:28:37 GMT</pubDate>
            <atom:updated>2022-06-08T10:28:37.636Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*hQwN65q1t8j_RjOqevRVrQ@2x.jpeg" /></figure><h3>Preface</h3><p>On June 8, 2022, Beijing time, the <strong>Knownsec Blockchain Lab</strong> automatic data monitoring tool detected that the NFT project GYM Network on the BSC chain was attacked due to the “Public depositFromOtherContract” permission control problem. The loss includes 7475 BNB, totaling about 216W USD. So far, ETH worth 70W USD obtained through a DEX has been bridged to Ethereum through Celer, 2000 BNB has been mixed through BSC-Tornado, and the remaining 3000 BNB is at the attacker’s address.</p><p><strong>Knownsec Blockchain Lab</strong> tracked and analyzed this incident as soon as it occurred.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/825/0*dciNjFdF_m8gXQjF" /></figure><h3>Basic information</h3><p>Attacked contract: 0x0288fba0bf19072d30490a0f3c81cd9b0634258a</p><p>Attacker address: 0xB2C035eee03b821cBe78644E5dA8B8eaA711D2e5</p><p>Attack contract: 0xcD337b920678cF35143322Ab31ab8977C3463a45, 0x68b5f1635522ec0e3402b7e2446e985958777c22</p><p>tx: 0xfffd3aca0f53715f4c76c4ff1417ec8e8d00928fe0dbc20c89d875a893c29d89</p><p>GymSinglePool proxy contract: 0xa8987285e100a8b557f06a7889f79e0064b359f2</p><h3>Vulnerability Analysis</h3><p>The project’s implementation of the GymSinglePool contract lacks permission control on the `0x0288fba0bf19072d30490a0f3c81cd9b0634258a#depositFromOtherContract` function, which allows attackers to call the internal _autoDeposit function and pledge at zero cost.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*VIm6Pz50LqWPISXu" /></figure><p>The internal staking function that should be open to users is the _deposit function, which implements the approval and transfer-in of tokens, as shown in the following 
figure:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*5lLac-ZJnQbtYui_" /></figure><p>The corresponding _autoDeposit function implements a “privileged” pledge, that is, it does not need to transfer tokens in order to pledge. Yet the function is directly exposed to users. The function comparison is as follows:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*ZLros4HWCC5hsP_R" /></figure><h3>Attack Process</h3><p>To avoid on-chain MEV and front-running bots, the attacker deployed and executed the contracts step by step, deploying and calling them multiple times to complete the extraction of the GYMNET Token from the GymNetwork contract (0x3a0d9d7764FAE860A659eb96A500F1323b411e68). Taking one of the deploy-and-call rounds as an example:</p><p>1. After deploying the contract, call depositFromOtherContract to implement the “privileged” pledge, corresponding to the `0xfd4a2266` method:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*TSuT0nUpowuZQ-z-" /></figure><p>The internal call details are as follows:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/969/0*ZelvmibbjqMpqiNp" /></figure><p>2. Call `0x30649e15` to withdraw the tokens of the privileged pledge from the previous step:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*oF4bWzj_3Ud_hap3" /></figure><p>3. Use the `0x1d111d13` function to sell the acquired GYM-Token:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*w-hspRWAK0F9QEVN" /></figure><p>After repeating the “privileged” pledge, withdrawal, and sell steps, the attacker finally obtained 7475 BNB:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*4lLnRSCPVr_DMzZ7" /></figure><p>To suppress front-running, the attacker separated the steps of adding the pledge and withdrawing it. Both steps are core operations. 
At the same time, the Gas Price of the additional steps was deliberately increased to 15/20 gwei, which shows that the attacker did this on purpose.</p><h3>Tracing and Response</h3><p>The reason for this attack is that the project party implemented permission control of the privileged function improperly. One hour after the attack was discovered, the project party modified the logic contract of the GymSinglePool proxy contract several times and added permission control to it.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*Q_ROFP3ZpulJIdY_" /></figure><p>After 20 minutes, it also added an emergency account disposal function to the logic contract:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*UPpijUiWOly-5Xst" /></figure><p>As for the project’s Deployer address, tracking the multiple GymSinglePool contracts deployed by the project shows that the vulnerability is present in the GymSinglePool contract deployed only two days ago, while the contract from 4 days ago does not have this function.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*cJa01NQUdi2L8IY5" /></figure><p>At the same time, the upgrade of the proxy contract’s logic contract to the vulnerable contract occurred 2 days 13 hrs ago:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*r4qjw4QNqawdt8UY" /></figure><p>The attacker’s funding (from Tornado) took place about 6 hours ago, and the identity of the attacker is also worth thinking about.</p><h3>Summary</h3><p>It was only a small control flaw that resulted in millions of dollars in damages. Although the project party responded relatively quickly, the losses caused by the vulnerability are difficult to recover. Vulnerabilities of this type are easily discovered during the audit process and can be attributed to logical defects/unsafe external calls. 
Project parties should not be careless in the development and audit process.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Knownsec Blockchain Lab ｜May Security Monthly Report]]></title>
            <link>https://medium.com/@Knownsec_Blockchain_Lab/knownsec-blockchain-lab-may-security-monthly-report-8e938f191a35?source=rss-4ab25ea260ac------2</link>
            <guid isPermaLink="false">https://medium.com/p/8e938f191a35</guid>
            <dc:creator><![CDATA[Knownsec Blockchain Lab]]></dc:creator>
            <pubDate>Mon, 30 May 2022 09:07:50 GMT</pubDate>
            <atom:updated>2022-05-30T09:07:50.232Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*pfc8ZuSgRxNaYZ4j" /></figure><h3>Introduction</h3><p>Since May, although the currency price has been declining, the number of security incidents has increased significantly. There were more than 37 security incidents, among which runaway scams and phishing incidents occurred frequently, while the Terra ecosystem’s native algorithmic stablecoin UST was severely de-pegged due to capital hunting and a debt crisis, causing Luna to plummet and a loss of up to 41 billion US dollars. The total amount involved in security incidents this month, excluding Luna, was approximately $30 million.</p><p>The following is a summary of various types of security information in May by <strong>Knownsec Blockchain Lab</strong>, with a discussion of the problems it exposes.</p><h3>DeFi security type events</h3><ul><li>On May 5th, MM.Finance, a DEX in the Cronos ecosystem, suffered a front-end attack. Hackers used DNS vulnerabilities to steal more than $2 million in CRO Tokens from users. The stolen funds have been transferred to Tornado Cash.</li><li>On May 14, Venus, the lending protocol on BNBChain, issued a supplementary announcement on the LUNA oracle event, saying that at around 09:20 UTC on May 12, Chainlink’s price feed for LUNA hit its lower price limit and was suspended at a price of $0.107, while Venus’s LUNA market continued to run and the spot price continued to fall. Four hours later, when the spot price was about $0.01, the team found the problem and suspended the protocol, with a capital shortfall of about $14.2 million.</li><li>On May 16, the Feminist Metaverse (FM_Token) project on the BNB Chain was attacked. The attacker made a profit of 1838 BNB, about $540,000, after which the attacker transferred the BNB to tornado.cash. 
</li><li>On May 16, the multi-chain DeFi protocol FEG was attacked, losing a total of 144 Ethereum and 3280 BNB, or about $1.3 million.</li><li>On May 17, the multi-chain DeFi protocol FEG was attacked again, with a loss of about $1.9 million (including $1.3 million in BNB Chain and $600,000 in Ethereum).</li><li>On May 21st, the bDollar project suffered a price manipulation attack, and the attackers made a profit of 2381 WBNB (worth about $730,000).</li><li>On May 24th, the hackerDao project suffered a price manipulation attack. The attackers carried out two attacks, with a total profit of about 200 BNB (worth about 66,000), which has been transferred to Tornado.cash.</li><li>On May 25th, the MEV bot on Ethereum was suspected of being attacked, losing 8.18 ETH, or about $15,971.72.</li><li>On May 29, after the launch of the new Terra chain, the oracle price of LUNC (Luna Classic) reached $5, while the actual price was much lower than $5. An Anchor platform user noticed the vulnerability, deposited about 20 million Lido Bonded Luna Token, successfully borrowed 40 million UST, and finally withdrew it for a profit of about 800,000 US dollars.</li><li>On May 30, the DeFi project Novo was suspected of being attacked, and hackers had transferred 280 BNB (about $89,600) to Tornado.cash.</li></ul><h3>Scam Security Type Events</h3><ul><li>On May 11, the Diaos project suffered a Rug Pull, and the price of Diaos plummeted. The contract owner minted 1 million Diaos tokens using the mint() function and sent them to another account; the tokens were then distributed to other addresses and sold through PancakeSwap.</li><li>On May 16th, the TOM project suffered a Rug Pull, and the token fell by 99.94%. 1200 BNB has been transferred to TornadoCash so far.</li><li>On May 17th, a Rug Pull occurred in Token ALG, a project on the BSC chain; the price dropped 99.95%, and about 581.5 BNB was transferred to Tornado Cash. 
</li><li>On May 18th, a Rug Pull occurred in the JJH DAO project. The price of its project token JJH fell by more than 94%.</li><li>On May 24, the KCT token had a Rug Pull, the token price dropped 100%, and over 607 BNB were transferred to Tornado.Cash.</li><li>On May 25th, a Rug Pull occurred on the project DecentraWorld on BNB Chain, the token DEWO fell by 97%, the DecentraWorld social account was cancelled, and about 3,200 BNB (about 1 million US dollars) was withdrawn from the DecentraWorld contract deployer.</li><li>On May 25th, a Rug Pull occurred on the project Starship on BNB Chain; its token price fell to almost zero, and about 715 BNB were transferred to Tornado Cash.</li><li>On May 27, a Rug Pull occurred in Pokemoney, a game project on BNB Chain, which caused the price of the token PMY to drop by 99.98%, and the scammers withdrew a total of 11,800 BNB (about 3.5 million US dollars).</li><li>On May 27, the Move to Earn application Sport in the BNB Chain ecosystem turned out to be a scam, and the SPORT Token fell by more than 94%.</li></ul><h3>Phishing Security Type Events</h3><ul><li>On May 9, dozens of YouTube channels ran scams using clips of old videos of Musk, Jack Dorsey and Ark Invest, into which the scammers inserted their own fake messages, including links to fraudulent crypto giveaway sites; millions of dollars were stolen.</li><li>On May 18th, American actor Seth Green suffered a phishing attack, causing 4 NFTs (including 1 BAYC, 2 MAYC and 1 Doodle) to be stolen. The phisher address has sold all NFTs and made a profit of nearly 160 ETH (approximately $330,000).</li><li>On May 18, the official Discords of CyberConnect, Moonbirds, PROOF, Memeland, and RTFKT were all hacked, and phishing links were released in Discord.</li><li>On May 20, the Flare Community tweeted to alert users to FLR pre-sale related phishing scams. 
So far, 96 Flare Network’s fake websites have been found targeting Discord users, publishing false information and phishing links for Flare Network’s FLR pre-sale.</li><li>On May 22, the Twitter account of digital artist Beeple was hacked and used by attackers to promote a phishing scam, with a tweet from Beeple’s Twitter account containing a fake phishing link to a Louis Vuitton NFT collaboration lottery. The crooks also use the account to post phishing links to other series of fake NFTs.</li><li>On May 23, the Discord of the NFT project APIENS was attacked, and 130 NFTs were transferred, including 24 Apiens and 1 ENS.</li><li>On May 23, the Discord of the NFT project The Fracture was attacked, and the attackers have made a profit of 455 SOL.</li><li>On May 25, a tweet by Twitter user <a href="https://www.reddit.com/u/CirrusNFT/">u/CirrusNFT</a> revealed that 29 Moonbirds NFTs were stolen in a hack that cost $1.5 million.</li><li>On May 25, the Discord of Trait Sniper, the NFT rarity ranking tool, was hacked, and 59 NFTs have been transferred to addresses starting with 0x3E8Da, including 3 Otherdeed, 1 CloneX, 2 RTFKT-MNLTH, 1 adidasoriginals and other NFTs.</li><li>On May 26th, the monitoring of Known Chuangyu Blockchain Security Lab showed that goblintown-claims[.]wtf is a phishing website. 
The site lures users to connect their wallets to steal NFTs, and the phishing site looks almost identical to the official site.</li><li>On May 27th, the monitoring of Known Chuangyu Blockchain Security Lab showed that zed-run.info is a phishing site that may steal users’ private keys.</li><li>On May 27, the monitoring of Known Chuangyu Blockchain Security Lab showed that gunslingersnft[.]org was a link to a phishing website, and GunslingersNFT Discord may have been attacked.</li></ul><h3>Types of public chain security events</h3><ul><li>On May 10, Terra Ecosystem’s native algorithm stablecoin UST suffered a severe de-anchoring event due to capital hunting and debt crisis, causing the price of Luna to plummet and a loss of up to $40 billion.</li></ul><h3>Other security event types</h3><ul><li>On May 24th, Optimism, the second-layer expansion network of Ethereum, announced the latest progress of the airdrop, saying that it will remove the empty investment space of 17,101 Sybil attacker addresses. The original airdrop of over 14 million OP Tokens from the above addresses will be proportionally redistributed to the remaining eligible users in Airdrop</li><li>On May 26, Knowing Chuangyu Blockchain Security Lab detected that scammers sent Wrapped LUNA 2.0 to the Terra Deployer address and airdropped it to Vitalik Buterin and other related addresses in an attempt to pretend to be the official Terra Deployer airdrop.</li><li>On May 29th, the cross-chain bridge Hop Protocol stated in Discord that due to the loophole in submitting the address form, users of the decentralized application platform Authereum need to resubmit the form to receive the address by airdrop before June 2nd. 
Users who miss the deadline can still apply for tokens through governance proposals within 6 months after the token goes live.</li><li>On May 30, MetaMaskDAO was found to be a honeypot scam: the MetaMaskDAO contract address (0x55e596753247efb7126a965ed07c0d51eb773f6e) issued a large number of tokens and sent them to the addresses of crypto influencers and crypto exchanges, such as Vitalik Buterin, famous NBA star Stephen Curry, and the Binance and Bithumb exchanges.</li><li>On May 30th, Moonbirds issued a security bulletin stating that the Nesting contract has security issues. The problem occurs on NFT trading platforms such as OpenSea or LooksRare. When a user has a pending sell order on such a platform, executing the nesting function alone does not block the sale; the seller also needs to remove the relevant sell order from the trading platform, because otherwise buyers can, in certain scenarios, bypass the Moonbirds restriction that an NFT cannot be traded while nesting.</li></ul><h3>Summary</h3><p>From the perspective of the DeFi security situation, flash loan attacks and oracle manipulations have become frequent visitors in security incidents this month. At the same time, there have been many unexpected events such as Venus’ Chainlink oracle accident, and the Terra ecosystem has also collapsed due to various reasons. <strong>Knownsec Blockchain Lab</strong> hereby reminds project parties that regular audits and composite audits of contract security are necessary to protect contracts from other attacks.</p><p>Judging from the frequent occurrence of phishing and scams, blockchain users are very easily deceived. Users therefore need to learn the basics of blockchain and improve their own security awareness. Do not click links or accept unreasonable requests carelessly. Celebrity-related videos or pictures should also be verified. 
Only in this way can you ensure the safety of your own property.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Knownsec Blockchain Lab ｜The bDollar project is under attack, how can price become a weapon?]]></title>
            <link>https://medium.com/@Knownsec_Blockchain_Lab/knownsec-blockchain-lab-the-bdollar-project-is-under-attack-how-can-price-become-a-weapon-504a88bde08c?source=rss-4ab25ea260ac------2</link>
            <guid isPermaLink="false">https://medium.com/p/504a88bde08c</guid>
            <dc:creator><![CDATA[Knownsec Blockchain Lab]]></dc:creator>
            <pubDate>Tue, 24 May 2022 07:13:19 GMT</pubDate>
            <atom:updated>2022-05-24T07:13:19.964Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*JhSJhVYNQzBA0vCbethkRg.jpeg" /></figure><h3>Preface</h3><p>On April 30, 2022, Beijing time, <strong>Knownsec Blockchain Lab</strong> detected that the bDollar project on the BSC chain had suffered a price manipulation attack, resulting in a loss of about $730,000.</p><p><strong>Knownsec Blockchain Lab</strong> tracked and analyzed this incident as soon as it occurred.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/426/0*8A8HxKqViT2am1JL" /></figure><h3>Basic information</h3><p>Attacker address: 0x9dadbd8c507c6acbf1c555ff270d8d6ea855178e</p><p>Attack contract: 0x6877f0d7815b0389396454c58b2118acd0abb79a</p><p>tx: 0x9b16b1b3bf587db1257c06bebd810b4ae364aab42510d0d2eb560c2565bbe7b4</p><p>CommunityFund Contract: 0xEca7fC4c554086198dEEbCaff6C90D368dC327e0</p><h3>Vulnerability Analysis</h3><p>The key to the vulnerability lies in the `claimAndReinvestFromPancakePool` method in the CommunityFund contract. When it converts Cake tokens, it checks the amount of WBNB received and automatically exchanges half of that WBNB for BDO tokens; the contract then automatically uses the WBNB it holds to add liquidity to the pool. If the price of the BDO token has been maliciously raised at this point, the project party ends up using more WBNB to add liquidity to the pool.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/827/0*Vy_1IXgdLMfSGqrW" /></figure><p>Most importantly, before the attack the attackers bought a large amount of BDO tokens in the WBNB/BDO, Cake/BDO, and BUSD/BDO pools, which raised the price of BDO.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*vmX8L5UOQG7hvOhJ" /></figure><p>After analyzing the attack transaction several times, we found that it is not that simple. The attack was most likely front-run by a front-running bot. 
The basis is as follows:</p><p>1. The gas fee for this attack transaction is much higher than that of ordinary transactions on the BSC chain. The default gas fee for ordinary transactions on the BSC chain is 5 Gwei, but this transaction is as high as 2000 Gwei.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/680/0*NddvTn3aqc4us8-a" /></figure><p>2. We found multiple front-running transactions between the attack contract and the attacker’s address.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*MURF0h_RLnM9-VyY" /></figure><p>3. We found the address and transaction of the real attacker in the same block, and that transaction was rolled back.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*i_KUilwROVwrnw6f" /></figure><h3>Attack Process</h3><ol><li>The attacker used a flash loan to borrow 670 WBNB;</li><li>The attacker then exchanged WBNB for a large amount of BDO tokens in various pools;</li><li>The attacker then used a flash loan again to borrow 30,516 Cake tokens;</li><li>The borrowed Cake tokens were swapped for 400 WBNB, of which 200 were automatically exchanged for BDO tokens by the protocol;</li><li>The attacker exchanged WBNB for Cake tokens to repay the flash loan;</li><li>Finally, the attacker exchanged the appreciated 3,228,234 BDO tokens for 3,020 WBNB, repaid 671 WBNB for the flash loan, and successfully arbitraged 2,381 WBNB worth about $730,000.</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*RxREReaWeQmimPUF" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*CPuY8H4F1IE62gyu" /></figure><h3>Summary</h3><p>The core of this attack is that the contract automatically replenishes liquidity for the liquidity pool without considering whether the token price is out of balance, so the project party may add liquidity at an inflated price and end up buying at the top.</p><p>It is recommended that the project party pay 
more attention to the logic implementation of its functions when writing the project, and consider the various attack scenarios that may be encountered.</p><p>Project parties are also reminded to keep private keys secure after the project is released and to beware of phishing. In addition, contract vulnerabilities and security incidents have been frequent recently, so contract audits, risk control measures, emergency plans, etc. must be effectively implemented.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Knownsec Blockchain Lab ｜The collision of traditional security and Web3 IPFS security]]></title>
            <link>https://medium.com/@Knownsec_Blockchain_Lab/knownsec-blockchain-lab-the-collision-of-traditional-security-and-web3-ipfs-security-ddbb65d3004d?source=rss-4ab25ea260ac------2</link>
            <guid isPermaLink="false">https://medium.com/p/ddbb65d3004d</guid>
            <dc:creator><![CDATA[Knownsec Blockchain Lab]]></dc:creator>
            <pubDate>Mon, 23 May 2022 10:27:00 GMT</pubDate>
            <atom:updated>2022-05-25T06:38:07.639Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1000/1*cvyWN2ZzA5ln8CYfjwLsLw.jpeg" /></figure><h3>Preface</h3><p>Communication technology has made the world more connected, and each of us is affected and benefited by this connection. At the same time, this connection also produces more convenience for monitoring needs. The privacy or freedom of many people may be inadvertently affected, and this has created a need for privacy protection. Usually, due to the existence of centralized servers, it is difficult for us to achieve complete privacy protection, and technologies such as distributed storage make it possible.</p><p>Countless developers have joined the development and implementation of WEB3, building one great Dapp after another, and they play an important intermediary role between ordinary users and the underlying technology of the blockchain. At the same time, the security between web-ui and IPFS, which is most contacted by ordinary people, is also worth exploring.</p><h3>Web-interface and IPFS</h3><h4>What is Web-interface</h4><p>In WEB3.0, the distributed public chain technology facilities provide various interfaces for users to call, but these interfaces cannot be directly used by ordinary users. For the user, the Web-interface is the bridge between the user and the software running on the Web server. The user uses the browser to connect to the Web-interface to display and interact, and at the same time, the wallet is used for identification. For the underlying blockchain infrastructure, Web-interface is a layer of encapsulation of the public chain/smart contract, and it is packaged into a friendly page that can directly display the functions available to users. 
Its structure and function are similar to the following picture:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*6C6l8TRIjNHFy57Ty9BKRg.jpeg" /></figure><h4>What is IPFS</h4><p>The InterPlanetary File System (IPFS) is a network transmission protocol for distributed storage and sharing of files. It combines ideas from existing successful systems: distributed hash tables, the version control system Git, BitTorrent, self-certifying file systems, and blockchain file storage and content delivery network protocols. The combined advantages of these systems give IPFS the following salient features:</p><ol><li>Permanent, decentralized storage and sharing of files</li><li>Peer-to-peer hypermedia: P2P saves various types of data</li><li>Versioning: traceable file modification history</li><li>Content-addressable: files are identified by a hash value generated from the file content, not by where the file is saved</li></ol><p>When a user adds a file to IPFS, the file is split into smaller chunks, cryptographically hashed and given a content identifier (CID) as a unique fingerprint. When other nodes look for the file, they ask their peers who is storing the content referenced by the file’s CID; when they view or download the file, they cache a copy and become another provider of that content until their cache is cleared.</p><h3>IPFS usage example</h3><p>The website <a href="https://ipfs.io/">https://ipfs.io</a> provides a client with a graphical user interface. 
After installation and running, the IPFS service will be started, and the current node ID, gateway and API address will be displayed:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*07-IaYRKACj68NYr" /></figure><p>We import the file we want to upload, and after the file is uploaded successfully, the CID information of the file will be generated, and we can also find the specified file through QmHash (CID):</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*6aSOBfR-TFFA-VHF" /></figure><p>Since IPFS is a network transmission protocol for distributed storage and sharing of files, after a successfully uploaded file is copied to other nodes, even if our local node actively deletes it, the file can still be queried on the IPFS network:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*XPSYskNakPFqRnHo" /></figure><h3>The collision between traditional security and IPFS</h3><p>According to the use case of 0X02, we know that IPFS allows uploading of files of any type. Due to the characteristics of allowing WEB to access downloaded files, attackers can use HTML or SVG files to achieve phishing like traditional security:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*WxQs8ZsA1R6f2U61" /></figure><p>Taking the <a href="https://ipfs.io/">https://IPFS.io</a> gateway as an example, upload a Metamask phishing website. Since it is stored in a trusted domain name, the victim is likely to succeed in accessing the file:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*zEcr1vfP9LhA6JtB" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*m1ya0NY49n2bg4vM" /></figure><p>However, because IPFS can only query files through CID, the use of phishing attacks is very narrow, and there is no way to implement targeted attacks. Since CID is the key to launching a targeted attack, let’s go back and study CID.</p><p>IPLD is the data layer for building IPFS. 
It defines three data types: Merkle-Links, Merkle-DAG and Merkle-Paths. The data sent by IPLD to IPFS is stored on-chain, and the user will receive a CID to access the data.</p><p>CID is a string consisting of Version, Codec and Multihash, and is currently divided into two versions, V0 and V1. The V0 version uses Base58 encoding to generate the CID, and the V1 version includes the codec indicating the content type, the hash algorithm MhType and the hash length MhLength: `CID::=&lt;multibase type&gt;&lt;cid-version&gt;&lt;multicodec&gt;&lt;multihash&gt;`</p><p>We generate a set of CID tests with go-cid:</p><pre>package main

import (
	&quot;fmt&quot;

	cid &quot;github.com/ipfs/go-cid&quot;
	mc &quot;github.com/multiformats/go-multicodec&quot;
	mh &quot;github.com/multiformats/go-multihash&quot;
)

const (
	File = &quot;./go.sum&quot;
)

func main() {
	// A CIDv0 is always a sha2-256 multihash rendered as Base58 text.
	// Base58 is the text encoding, not a multihash type, so MhType must be
	// mh.SHA2_256; any other hash type makes Sum return an error for version 0.
	pref := cid.Prefix{
		Version:  0,
		Codec:    uint64(mc.Raw), // ignored for version 0, which is always dag-pb
		MhType:   mh.SHA2_256,
		MhLength: -1, // -1 selects the default digest length
	}

	c, err := pref.Sum([]byte(&quot;CIDTest&quot;))
	if err != nil {
		panic(err)
	}
	fmt.Println(&quot;CID: &quot;, c)
}</pre><p>It can be seen that the result of CID generation can be neither predicted nor replaced, so next we analyze the file upload path. 
The process of uploading files to IPFS and saving them to the local blockstore in blocks is located in /go-ipfs-master/core/commands/add.go:</p><pre>type AddEvent struct {
	Name  string
	Hash  string `json:&quot;,omitempty&quot;`
	Bytes int64  `json:&quot;,omitempty&quot;`
	Size  string `json:&quot;,omitempty&quot;`
}

const (
	quietOptionName       = &quot;quiet&quot;
	quieterOptionName     = &quot;quieter&quot;
	silentOptionName      = &quot;silent&quot;
	progressOptionName    = &quot;progress&quot;
	trickleOptionName     = &quot;trickle&quot;
	wrapOptionName        = &quot;wrap-with-directory&quot;
	onlyHashOptionName    = &quot;only-hash&quot;
	chunkerOptionName     = &quot;chunker&quot;
	pinOptionName         = &quot;pin&quot;
	rawLeavesOptionName   = &quot;raw-leaves&quot;
	noCopyOptionName      = &quot;nocopy&quot;
	fstoreCacheOptionName = &quot;fscache&quot;
	cidVersionOptionName  = &quot;cid-version&quot;
	hashOptionName        = &quot;hash&quot;
	inlineOptionName      = &quot;inline&quot;
	inlineLimitOptionName = &quot;inline-limit&quot;
)</pre><p>The uploaded file information is saved to the AddEvent object; the AddAllAndPin and fileAdder.AddFile methods in /go-ipfs-master/core/coreunix/add.go then traverse the file path, read the file content, and write the data into blocks:</p><pre>func (adder *Adder) AddAllAndPin(ctx context.Context, file files.Node) (ipld.Node, error) {
	ctx, span := tracing.Span(ctx, &quot;CoreUnix.Adder&quot;, &quot;AddAllAndPin&quot;)
	defer span.End()

	if adder.Pin { // knownsec: if locked
		adder.unlocker = adder.gcLocker.PinLock(ctx)
	}
	defer func() {
		if adder.unlocker != nil {
			adder.unlocker.Unlock(ctx)
		}
	}()

	if err := adder.addFileNode(ctx, &quot;&quot;, file, true); err != nil {
		return nil, err
	}

	mr, err := adder.mfsRoot()
	if err != nil {
		return nil, err
	}
	var root mfs.FSNode
	rootdir := mr.GetDirectory() // knownsec: get the path
	root = rootdir

	err = root.Flush()
	if err != nil {
		return nil, err
	}

	_, dir := file.(files.Directory)
	var name string
	if !dir {
		children, err := rootdir.ListNames(adder.ctx) // knownsec: list the file names under the current path
		if err != nil {
			return nil, err
		}

		if len(children) == 0 {
			return nil, fmt.Errorf(&quot;expected at least one child dir, got none&quot;)
		}

		name = children[0]
		root, err = rootdir.Child(name)
		if err != nil {
			return nil, err
		}
	}

	err = mr.Close()
	if err != nil {
		return nil, err
	}

	nd, err := root.GetNode()
	if err != nil {
		return nil, err
	}

	err = adder.outputDirs(name, root)
	if err != nil {
		return nil, err
	}

	if asyncDagService, ok := adder.dagService.(syncer); ok {
		err = asyncDagService.Sync()
		if err != nil {
			return nil, err
		}
	}

	if !adder.Pin {
		return nd, nil
	}
	return nd, adder.PinRoot(ctx, nd)
}</pre><p>Finally, use the addFile function to complete the file upload:</p><pre>func (adder *Adder) addFile(path string, file files.File) error {
	var reader io.Reader = file
	if adder.Progress {
		rdr := &amp;progressReader{file: reader, path: path, out: adder.Out} // knownsec: read the file byte by byte
		if fi, ok := file.(files.FileInfo); ok {
			reader = &amp;progressReader2{rdr, fi}
		} else {
			reader = rdr
		}
	}

	dagnode, err := adder.add(reader) // knownsec: add the uploaded file
	if err != nil {
		return err
	}

	return adder.addNode(dagnode, path)
}</pre><p>Analysis of the code shows no opportunity for hijacking anywhere in the process of uploading a file and returning the CID of the packaged file, and the content of a successfully uploaded file cannot be modified or tampered with:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*mLMghpWhFuQ0_044" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*odq8WzH_MEUjbu0u" /></figure><h3>Postscript</h3><p>Web3 is built on blockchain technology and can be maintained without a central authority. It allows users to protect their data on the Internet and allows for the decentralization of the web platform. For Web3, IPFS is like a computer’s hard disk, and the web-ui is as indispensable as the computer’s display. Both also carry complex and diverse security risks, which may give criminals an opportunity. Understanding the risks and avoiding problems is the responsibility and obligation of every WEB3 practitioner.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Knownsec Blockchain Lab ｜Talking about the risks of various stablecoins from the collapse of UST]]></title>
            <link>https://medium.com/@Knownsec_Blockchain_Lab/knownsec-blockchain-lab-talking-about-the-risks-of-various-stablecoins-from-the-collapse-of-ust-8451683be3ee?source=rss-4ab25ea260ac------2</link>
            <guid isPermaLink="false">https://medium.com/p/8451683be3ee</guid>
            <dc:creator><![CDATA[Knownsec Blockchain Lab]]></dc:creator>
            <pubDate>Wed, 18 May 2022 07:19:23 GMT</pubDate>
            <atom:updated>2022-05-18T07:19:23.713Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/600/1*m_aKUoEUOX72a-9d_pDyFg.png" /></figure><h3>Preface: What is Stablecoin?</h3><p>Stablecoins are cryptoassets that attempt to anchor their value to another asset or to a collection of assets, including reserve currencies and highly liquid government bonds. At present, there is no unified definition of a stablecoin, but it is commonly understood as a group of currencies that try to stay anchored to 1 US dollar.</p><p>How the largest of these, Tether, is backed by dollars, or whether there are enough dollars to back it, has been a mystery. There are critics who argue that “Despite its guarantees from Tether, Tether Holdings does not have enough assets to maintain a 1-to-1 exchange rate, which means its Coin is essentially a fraud”. In this issue, we will demystify various stablecoins for readers.</p><h3>START — Centralized Stablecoin</h3><p><strong>USDT</strong></p><p>Launched in 2014, Tether is a blockchain-enabled platform designed to facilitate the digital use of fiat currencies. Tether is committed to disrupting the traditional financial system with a more modern approach to money. Tether has made progress enabling customers to transact with traditional currencies on the blockchain without the inherent volatility and complexity typically associated with digital currencies.</p><p>It has been fulfilling a promise on its website: “Tether is pegged 1:1 to real-world currencies, and each Tether is backed 1:1 by the traditional currency (USD) in our reserves.”</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*F9eeuY-9MT_rIPGb" /></figure><p>This is the basis of its credit-endorsed exchange commitment, and officials said its market value had exceeded $77 billion as of December 2021. 
Of course, a black swan event occurred a few days ago: panic triggered a run on USDT in the market, which led to a “price drop” of USDT while the prices of other currencies rose. This did not essentially affect Tether’s official 1:1 exchange commitment: “Verified customers (in permitted jurisdictions) can exchange USDT for 1 USD on Tether.to”. However, only liquid USDT pairs are traded in the market, and holders sold at whatever very low price matched their psychological expectations, so some were willing to accept 0.95 BUSD for 1 USDT. Afterwards, the official statement read: “In the past 24 hours alone, Tether has cashed in more than $300 million in redemptions, and has processed more than $2 billion today without any problems.”</p><p><strong>Of course, there are many risks. For example, the centralized Tether institution may not have asset reserves as large as it has announced to deal with a run, or it may itself deviate from its 1:1 exchange commitment.</strong></p><p><strong>USDC</strong></p><p>USDC has always taken compliance as its main concept. Its <strong>issuers Circle and Coinbase</strong> are both high-ranking companies in the industry. Among them, Circle is the first company in the world to obtain the BitLicense in New York State, and it has since successively obtained payment licenses in the United Kingdom and the European Union; Coinbase is the cryptocurrency exchange with the most regulatory licenses in the world.</p><p>Because of this, coupled with the change in the attitude of the US regulatory authorities this year, USDC has been recognized by many traditional financial institutions, and the usage scenarios have increased significantly. 
In March, Visa said it would allow the stablecoin USDC to settle transactions on its payment network.</p><p>Therefore, it is easy to understand that <strong>USDC is actually a “USDT” that pursues compliance and endorsement by large enterprises, and there is no doubt that it relies on its “credit” to fulfill its 1:1 exchange commitment.</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*65fYKKid-rp6_g8b" /></figure><p>Battle — Algorithmic Stablecoins</p><p>In the stablecoin market, USDT and USDC occupy a large position, and their TVL accounts for a huge volume in the blockchain market. Most importantly, they can directly affect the economic direction of the entire market, much like the Federal Reserve in traditional finance. This big cake has also drawn several leading players to compete for a share.</p><p><strong>DAI</strong></p><p>DAI is a borderless decentralized stablecoin issued by Maker DAO. Based on an over-collateralization mechanism, DAI is soft-pegged 1:1 to the US dollar. It uses a collateral and price aggregation system to ensure that 1 DAI is equivalent to 1 US dollar. The biggest difference between it and Tether is that it is decentralized, and redemption depends on the exchange ratio between collateral and DAI determined by the price aggregation system, such as `1 ETH=2000 DAI`. Its price stabilization mechanism is as follows:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*1Om_rb5Ypy74jJjO" /></figure><p>Since the health of the system depends on the value ratio of the collateral, a huge change in the price of collateral such as Ethereum directly affects the system, and the system relies on forced liquidation to unwind assets close to the critical value.
Of course, the design of its loan settlement is necessarily more complicated than that of a conventional system, and the decentralized design inevitably means that its redemption capacity and concurrency are limited by the underlying design of the chain. Problems with the robustness and security of the system may also cause the 1:1 commitment to slip.</p><p>Maintaining such a price stability system requires a very complicated design. MakerDAO has designed a rate module (MCD) to accumulate the stability fee on vault debt balances and the deposit interest on stored DAI. The design is as follows: for each collateral type, the rate module computes the rate cumulatively, with a time step t of 1 second.</p><p>For a Maker vault system <sup>1</sup>, starting from t_0, let the per-second stability fee at time t_i be F_i, and let the initial value of the cumulative rate be R_0.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/805/0*_Y-RfUvdsT2QnA0G" /></figure><p>Suppose a vault is created at time t_0 with debt D_0 withdrawn immediately; the normalized debt A (which the system stores for each vault) is calculated as D_0 / R_0.</p><p>The cumulative total debt of a vault at a given time T is calculated as the product of the fees F_i from time t_1 to t_T multiplied by the starting debt D_0 at the time of creation:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/606/0*jpanyobIO8ICiG0n" /></figure><p>The position of VAT in the overall stability computation architecture is shown in the figure below, and its complexity is evident:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*oSfStSVKrXRerX1U" /></figure><p><strong>UST</strong></p><p>Terra is a decentralized blockchain designed for algorithmic stablecoins, with the entire ecosystem running between the UST and Luna tokens. UST is a dollar-pegged stablecoin launched in September 2020, and Luna is its governance token.
Its minting mechanism requires users to burn reserve assets such as Terra (Luna) to mint an equal amount of UST.</p><p>Unlike other stablecoin mechanisms, <strong>UST is designed so that burning 1 USD of LUNA mints 1 UST, and burning 1 UST mints 1 USD of Luna</strong>, which is very similar to the titan/iron design that crashed before. If UST is de-anchored, this setup creates two arbitrage opportunities:</p><ul><li>[1] Buy UST below $1 (for example at 0.95) and sell at $1, for a 5% arbitrage</li><li>[2] Buy UST below 1 USD (for example at 0.95), convert it to 1 USD of LUNA, sell the Luna for 1 USD of USDC (extracting 1 USD of Luna market value), and repeat the operation</li></ul><p>If UST is de-pegged in this setting, it leads to the following negative feedback loops, and LPs will not maintain price stability:</p><ul><li>Market volatility drives the Luna price down</li><li>The market pulls out and sells Luna when the situation in [2] occurs, further driving down the price of Luna</li><li>The Luna price drop causes Anchor collateral to be liquidated, and liquidators sell after liquidation, causing the value of Luna to keep dropping</li><li>As Luna declines, the amount of Luna each user’s UST can be converted into increases, and the unlocking of UST earning 20% APY leads to further issuance and selling of Luna</li><li>Panic spreads and UST replays the USDT black swan event described above: trades of 0.8 USDT for one UST occur, intensifying the arbitrage of UST into Luna and the selling of Luna</li></ul><p>With the negative feedback loops above, Luna continued to fall, panic continued to grow, and short-selling sentiment increased further.</p><p>In the early morning of May 8th, due to the Luna Foundation’s withdrawal of funds to build a 4Crv pool and simultaneous selling by users, the death spiral started.
In the end, amid the cycle and the panic, Luna fell almost to 0 and UST was seriously de-pegged.</p><p>The graph of the reserves in the Curve pool at that time is as follows:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*0mJEXx41EFhV7zvN" /></figure><p>Judging from Curve’s StableSwap market-making curve <sup>2</sup>, although liquidity will not be depleted, when the reserves deviate too far the curve behaves more like a constant-product market maker, that is, UST exchanges for a smaller amount of the other assets:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/830/0*vyO9U0Wm00uSh5GX" /></figure><p><strong>USDD</strong></p><p>USDD is managed by the TRON DAO Reserve, which guarantees its price stability. TRON DAO minted 999 billion USDD stablecoins by burning TRX. These minted USDD are then sold to whitelisted traders and eventually put on the market. USDD does not rely entirely on automated code execution. The issuance and destruction of USDD, as well as the key primary market arbitrage activities, have been changed from being completed automatically by code to being approved by the Federal Reserve.</p><p>Unlike UST, USDD has closed the freely convertible primary market to ordinary holders, and the Federal Reserve has implemented a whitelist access mechanism in the primary market of USDD. That is to say, holders of <strong>USDD can currently only trade in the secondary market. The USDD anchored assets currently include about 260,000 USD in the Burn contract <sup>3</sup>. From the perspective of the contract, the Burn contract is not open source, and the Owner may be able to redeem in unexpected ways.
At the same time, the Owner has permission to use `revokeConfirm` to revoke a transaction.</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*KLGcq9rbipNMyGMo" /></figure><p>Therefore, the stabilization mechanism of USDD has little to do with centralization and stablecoin algorithms. It is more of an IEO under a redemption model. The biggest risk comes from a drop in the price of TRX, which would leave the reserves unable to fully meet the redemption demand of all issued USDD (1 USDD would be exchanged for too many TRX). <strong>Without the guarantee of unlimited minting rights, USDD needs to hold excess reserves to cope with a decline in TRX prices. At the same time, in terms of reserves, there is also a risk of insufficient liquidity of the TRX reserves stored in the contract.</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*Ssfh6sINguGZT4L8" /></figure><p>Postscript: Oblivion is also a new life</p><p>In the Terra ecosystem, with a locked value of 20 billion US dollars, the native algorithmic stablecoin UST fell into a death spiral due to large-scale short hunting and a debt crisis, and a serious de-anchoring event occurred. It fell close to zero in just 5 days, and its algorithmic stablecoin was also hit hard. This game was a complete victory for short sellers and a paradise for arbitrageurs, but it also left many people <sup>4</sup> with their assets wiped to zero and in despair. The crisis also weighed heavily on the sentiment of the entire market, causing BTC to fall below $25,000.
Investors, institutions and project teams alike need to be more cautious in the “large-scale experiment” of building the blockchain ecosystem.</p><p><strong>References</strong></p><p>[1] Maker Protocol Documentation <a href="https://docs.makerdao.com/">https://docs.makerdao.com/</a></p><p>[2] Curve White Paper <a href="https://curve.fi/files/stableswap-paper.pdf">https://curve.fi/files/stableswap-paper.pdf</a></p><p>[3] USDD Burn contract address <a href="https://tronscan.org/#/contract/TNMcQVGPzqH9ZfMCSY4PNrukevtDgp24dK">https://tronscan.org/#/contract/TNMcQVGPzqH9ZfMCSY4PNrukevtDgp24dK</a></p><p>[4] According to on-chain data, there were 4.04 million addresses on the Terra chain on May 7, which is equivalent to 4.04 million possible “victims”. By May 14, the number of addresses on the chain had increased to 4.12 million, meaning that 80,000 new addresses entered the market to hunt for the bottom or took part in the arbitrage created by the bailout. This data does not include transactions conducted by exchanges’ internal addresses.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Knownsec Blockchain Lab ｜Analysis of FEG Flash Loan Attacks]]></title>
            <link>https://medium.com/@Knownsec_Blockchain_Lab/knownsec-blockchain-lab-analysis-of-feg-flash-loan-attacks-378d765c88ca?source=rss-4ab25ea260ac------2</link>
            <guid isPermaLink="false">https://medium.com/p/378d765c88ca</guid>
            <dc:creator><![CDATA[Knownsec Blockchain Lab]]></dc:creator>
            <pubDate>Tue, 17 May 2022 10:21:16 GMT</pubDate>
            <atom:updated>2022-05-17T10:21:16.195Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*8ZGBk_WJbVJWt-jXRvgenw.jpeg" /></figure><h3>1. Introduction</h3><p>On May 16, 2022, Beijing time, <strong>Knownsec Blockchain Lab</strong> detected that the multi-chain DeFi protocol FEG had suffered a flash loan attack. The attacker stole 144 ETH and 3280 BNB, a loss of about 1.3 million US dollars.</p><p>On May 17, the multi-chain DeFi protocol FEG was attacked again. The attackers stole 291 ETH and 4,343 BNB, a loss of about $1.9 million, including $1.3 million on BSC and $600,000 on the Ethereum chain.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*8Bdl-YAJcEey7m5WBtZq9g.png" /></figure><h3>2. Analysis</h3><p>The protocol was attacked on both BSC and Ethereum. The following figures show the attack transactions on the two chains respectively. The main reason for this attack is that the `path` address in the `swapToSwap()` function can be controlled by the attacker.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*wCw_as8RihvrfL-OU15TtQ.jpeg" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*o6dBVvJAKb5KCQLW0MA4cQ.jpeg" /></figure><h4>2.1 Basic information</h4><p>Attack contract: 0x9a843bb125a3c03f496cb44653741f2cef82f445</p><p>Attacker address: 0x73b359d5da488eb2e97990619976f2f004e9ff7c</p><p>Vulnerable contract address:</p><p>BSC: 0x818e2013dd7d9bf4547aaabf6b617c1262578bc7</p><p>Ethereum: 0xf2bda964ec2d2fcb1610c886ed4831bf58f64948</p><p>Attack tx:</p><p>BSC: 0x77cf448ceaf8f66e06d1537ef83218725670d3a509583ea0d161533fda56c063</p><p>Ethereum: 0x1e769a59a5a9dabec0cb7f21a3e346f55ae1972bb18ae5eeacdaa0bc3424abd2</p><h4>2.2 Attack Process</h4><p>1. The attacker 0x73b3 calls the pre-created attack contract 0x9a84 to borrow 915.842 WBNB through a DVM flash loan, and then converts 116.81 WBNB into 115.65 fBNB.</p><figure><img alt="" 
src="https://cdn-images-1.medium.com/max/1024/1*o6dBVvJAKb5KCQLW0MA4cQ.jpeg" /></figure><p>2. The attacker 0x73b3 uses the attack contract 0x9a84 to create 10 contracts for exploiting the vulnerability later.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*EN5f-yNAybd03S-0t8vTfg.jpeg" /></figure><p>3. The attacker 0x73b3 pledges the fBNB obtained in the first step into the FEGexPRO contract 0x818e through the `depositInternal()` function.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*GZOLWj9q2I6-woKYxXBlAQ.jpeg" /></figure><p>4. The attacker 0x73b3 calls the `depositInternal()` and `swapToSwap()` functions to make the FEGexPRO contract 0x818e approve fBNB to a contract created in the second step, and repeats the calls so that fBNB is approved to all 10 contracts created.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*dq-DM1zTEUTyl868JwzuBA.jpeg" /></figure><p>5. Since the 10 contracts created by the attacker 0x73b3 were approved in the previous step, the attacker uses these approved contracts to call the `transferFrom()` function and transfer 113.452 fBNB out of the FEGexPRO contract 0x818e each time.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*u2cHlc6fJfpTqvCO8mH5Qw.jpeg" /></figure><p>6. The attacker 0x73b3 borrowed 31217683882286.007 FEG and 423 WBNB from PancakePair’s LP trading pair 0x2aa7 and repeated <strong>steps 3, 4 and 5</strong> above, and finally obtained .</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*OyLj-B7zfWKBpzzZHrMBQw.jpeg" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*jWJfpx1PTly4YyVbZpZfwA.jpeg" /></figure><p>7. 
Finally, the attacker repays the flash loan and transfers all the WBNB obtained from the above attack to the attack contract 0x9a84.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*KOdcCTPeFga5c0g4nLs9IQ.jpeg" /></figure><h4>2.3 Details</h4><p>Looking at the FEGexPRO contract, we can see the specific logic of the `depositInternal()` function and the `swapToSwap()` function.</p><p>The `depositInternal()` function is used for pledging, and the balance credited to the user depends on the contract’s current token balance. After the attacker’s first, normal pledge, the `balance` also increased normally. Since the contract’s token balance does not change afterwards, subsequent pledge calls only need to pass the minimum value.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*2mGHi3AjOtJVdzaA9sM1tQ.jpeg" /></figure><p>Calling the `swapToSwap()` function with a malicious `path` address parameter does not affect the contract’s current token balance, and the statement `IERC20(address(Main)).approve(address(path), amt);` approves the `path` address to spend the contract’s fBNB.</p><figure><img alt="" src="https://cdn-images-1.medium.com/proxy/1*BjJ0ABDOIWBjB5MPZ12ufQ.jpeg" /></figure><p>By repeatedly calling `depositInternal()` and `swapToSwap()`, the attacker can make the FEGexPRO contract repeatedly approve fBNB to the malicious `path` contract addresses passed in by the attacker. The number of tokens transferred out through each of these addresses is the number of tokens the attacker pledged the first time minus the fees.
The information in the Debugger shows that the `path` address parameters passed in are all contract addresses created during the attack process.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*NvJq8wQZVSA1kwhP2Qz04g.jpeg" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*fBn64N_4suFmCexsUfREDg.jpeg" /></figure><h4>2.4 Follow-up</h4><p>After the attack on the 16th, the attackers carried out another attack the next day, but with a different attack address.</p><p>Attack contract: 0xf02b075f514c34df0c3d5cb7ebadf50d74a6fb17</p><p>Attacker address: 0xf99e5f80486426e7d3e3921269ffee9c2da258e2</p><p>Vulnerable contract: 0xa3d522c151ad654b36bdfe7a69d0c405193a22f9</p><p>Attack tx:</p><p>BSC: 0xe956da324e16cb84acec1a43445fc2adbcdeb0e5635af6e40234179857858f82</p><p>Ethereum: 0xc0031514e222bf2f9f1a57a4af652494f08ec6e401b6ae5b4761d3b41e266a59</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*R2-vobrXtZR3CBf7beEoEg.jpeg" /></figure><p>Since the vulnerable R0X contract 0xa3d5 is not open source, we analyzed it in the Debugger and found that the process is similar to the first attack, except that it also uses the `BUY()` function to assist with deposits and the `SELL()` function to assist with withdrawals.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*fmnw3udiWDmwY-B5EZIevg.jpeg" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*qndMx1NcNgopXPmhrJ9qZQ.jpeg" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*h60aFYNd99fffRASftH_eQ.jpeg" /></figure><h3>3. Summary</h3><p>The main reason for this attack is that the `path` address parameter in the `swapToSwap()` function is not verified and can be arbitrarily passed in by the attacker, which makes the FEGexPRO contract approve its own tokens to every malicious `path` address the attacker passes in.
It is recommended that contracts verify all incoming parameters during development and not trust any parameters passed in by an attacker.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Knownsec Blockchain Lab ｜The dike of a thousand miles was destroyed in the ant nest, and the…]]></title>
            <link>https://medium.com/@Knownsec_Blockchain_Lab/knownsec-blockchain-lab-the-dike-of-a-thousand-miles-was-destroyed-in-the-ant-nest-and-the-f848162e1a2e?source=rss-4ab25ea260ac------2</link>
            <guid isPermaLink="false">https://medium.com/p/f848162e1a2e</guid>
            <dc:creator><![CDATA[Knownsec Blockchain Lab]]></dc:creator>
            <pubDate>Thu, 12 May 2022 05:43:44 GMT</pubDate>
            <atom:updated>2022-05-12T05:43:44.990Z</atom:updated>
            <content:encoded><![CDATA[<h3>Knownsec Blockchain Lab ｜The dike of a thousand miles was destroyed in the ant nest, and the Fortress Protocol was attacked.</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/678/1*GhEAjr3hNm485TB0lU34yg.png" /></figure><h3>Preface</h3><p>On May 9, 2022, Beijing time, <strong>Knownsec Blockchain Lab</strong> detected that the lending protocol Fortress Protocol on the BSC chain was attacked due to an oracle problem. This is the third oracle attack recently detected by the laboratory. The losses included 1,048 ETH and 400,000 DAI, totaling about $3 million. The funds have since been bridged to Ethereum via AnySwap and Celer and mixed using Tornado.</p><p><strong>Knownsec Blockchain Lab</strong> tracked and analyzed this incident as soon as it occurred.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/596/1*kD0MryxhPiEq9FgJOxZVrg.png" /></figure><h3>Basic information</h3><p>Attacked Controller: 0x01bfa5c99326464b8a1e1d411bb4783bb91ea629</p><p>Attacked oracle address: 0xc11b687cd6061a6516e23769e4657b6efa25d78e</p><p>Attacker address: 0xA6AF2872176320015f8ddB2ba013B38Cb35d22Ad</p><p>Attack contract: 0xcD337b920678cF35143322Ab31ab8977C3463a45</p><p>tx: 0x13d19809b19ac512da6d110764caee75e2157ea62cb70937c8d9471afcb061bf</p><h3>Vulnerability Analysis</h3><p>The project is yet another fork of Compound, but because the project team commented out the original check in its oracle implementation, sufficient power is no longer required to tamper with the price through `0xc11b687cd6061a6516e23769e4657b6efa25d78e#submit`.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/872/1*UqFaz0FVESIUCLLpab_iQw.png" /></figure><p>The attacker borrowed assets from other pools by changing the price of FTS in the protocol.
The lending pools in the market are as follows:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*FJ0vDo7Phoy0B8C_xOsXqA.png" /></figure><h3>Attack Process</h3><p>1. The attacker purchased FTS tokens and voted, through a proposal, to add FTS as collateral; the proposal ID is 11.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*_47xvfhdDFfR8NCarg5qgw.png" /></figure><p>2. The attacker changes the price of FTS by calling the oracle’s `submit` function.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ecEjhEy2Uf-dBDgP_bZnbA.png" /></figure><p>3. The attacker uses 100 FTS as collateral and calls enterMarket to enter the market.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/896/1*UOI6_CJKXv_17Hoabmcefg.png" /></figure><p>4. Because the value of FTS is now calculated from the faulty price, the attacker uses the collateral to call `borrow` directly and borrow assets.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/712/1*4Uo_PVKZ2vJ1p2rjpl4Kgw.png" /></figure><p>Assets borrowed:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*cEICEhXWDukBK_2cFGUeWw.png" /></figure><p>5. The 100 FTS has little value and does not need to be retrieved; the attacker also sells the other FTS used in the first step on the Pancake exchange to cash out completely.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*zeGq8c2mg-2PX8JnZBoNYA.png" /></figure><h3>Summary</h3><p>The reason for this attack is a problem in how this Compound fork uses its oracle. Recently, a large number of Compound fork projects have been attacked. We urge all project teams that have forked Compound to take the initiative to check themselves.
The known attacks are mainly due to the following problems:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ANGc33g9am60DvCk6KlobQ.png" /></figure><p>A dike of a thousand miles can be destroyed by an ant nest. The internal calls show that the attacker used getAllMarkets to traverse the underlying assets of all markets in turn and cashed out the FTS completely. It is recommended that project teams fully understand their own divergent implementations and have them sufficiently audited by third parties.</p>]]></content:encoded>
        </item>
    </channel>
</rss>