A Security Analysis for Blockchain, September-October 2018
Hello community,
The August analysis post focused on vulnerabilities within cryptocurrency infrastructures such as Monero and Bitcoin Cash. Once again, these incidents emphasize the need for collaboration on security issues within the community.
This post summarizes the incidents of September and October. It covers several hacks of smart contracts on Ethereum and EOS, as well as hacks of exchanges.
I’ve also attached interesting related stories from the last two months.
Enjoy
Zaif (September 19, 2018)
Zaif is a Japanese crypto-exchange.
Damage scale: $60 million (in Bitcoin, Bitcoin Cash and MonaCoin)
Attack vector: Undisclosed
What Happened
- Since September 14, deposit and withdrawal services have been unavailable for the exchange users.
- According to Zaif, unauthorized access to a hot wallet caused the loss of 5,900 BTC, as well as Bitcoin Cash and MonaCoin
- Zaif’s team has not released more details because it asked the Japanese authorities to help with the investigation of the robbery
- It turns out that several months before this breach, Japan’s Financial Services Agency (FSA) issued a warning to Zaif about its internal management system and security measures
- The exchange did not react to the FSA recommendations
- Zaif told authorities that an employee’s PC had been hacked
Our Thoughts
- We assume the hack of the employee's computer was probably a successful phishing attempt. October was National Cybersecurity Awareness Month in the US, and it is a good time to remind even non-American blockchain-based projects to invest time in cybersecurity training for their employees
- A good resource we recommend for basic cybersecurity training is PagerDuty Security Training for Anyone
References: PRTimes, CryptoGlobalist
Related Attacks
- It has been reported that the same method was used in the Bithumb hack of July 2017, in which several million USD worth of cryptocurrency was stolen and customer data was compromised
SpankChain (October 9, 2018)
SpankChain is an adult entertainment blockchain project on top of the Ethereum blockchain.
Damage scale: Over $40K (in ETH and BOOTY tokens)
Attack vector: Smart contract vulnerability
What Happened
- An attacker took advantage of a reentrancy bug in the SpankChain smart contract, similar to the bug behind the famous DAO hack
- The technical team realized it had been hacked only 24 hours after the breach, and immediately took down the site
- The company said it was working on an airdrop of ETH and BOOTY to reimburse users who lost their funds in the hack
- In the official report, SpankChain stated they had not performed a security audit for the specific contract that was hacked, considering it “quite expensive”
- A few days after the hack, the CEO of SpankChain was contacted by the attacker, who then sent him the private key to the stolen funds! In return, SpankChain offered him a small reward
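To make the reentrancy pattern concrete, here is an added Python model (not SpankChain's Solidity code) of a vault whose withdraw pays out before updating the caller's balance, beside the Checks-Effects-Interactions version that pays out only after zeroing it. The Vault and Attacker classes, the balances and the account names are constructed for the example.

```python
class Vault:
    """Toy contract: one balance per address, paid out on withdraw()."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.pool = sum(balances.values())  # ETH actually held by the contract

    def _send(self, to, amount):
        # Model of an external call: the recipient gets control before we
        # return, and may call back into this contract (re-enter).
        if amount > self.pool:
            raise RuntimeError("insufficient funds in vault")
        self.pool -= amount
        to.receive(self, amount)

    def withdraw_vulnerable(self, caller):
        # Interaction before effect: the balance is zeroed only after the
        # external call, so a re-entrant call still sees the old balance.
        amount = self.balances.get(caller.address, 0)
        if amount > 0:
            self._send(caller, amount)
            self.balances[caller.address] = 0

    def withdraw_safe(self, caller):
        # Checks-Effects-Interactions: zero the balance first, then pay out.
        amount = self.balances.get(caller.address, 0)
        if amount > 0:
            self.balances[caller.address] = 0
            self._send(caller, amount)


class Attacker:
    """Contract whose receive hook re-enters the vault while it can still pay."""

    def __init__(self, address, method):
        self.address = address
        self.method = method  # name of the Vault withdraw method to re-enter
        self.gained = 0

    def receive(self, vault, amount):
        self.gained += amount
        if vault.pool >= amount:
            getattr(vault, self.method)(self)


def run(method):
    """Attacker deposited 1 ETH; returns (ETH the attacker received, ETH left)."""
    vault = Vault({"attacker": 1, "alice": 4, "bob": 5})  # constructed balances
    attacker = Attacker("attacker", method)
    getattr(vault, method)(attacker)
    return attacker.gained, vault.pool
```

With the vulnerable method the attacker's single 1 ETH balance drains all 10 ETH; with the safe one the second call finds a zero balance and stops.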
Our Thoughts
- This kind of incident reflects badly on blockchain technology and its community, and investing a few thousand dollars in a good security audit of the hacked smart contract would have avoided it
- It isn't the first time an attacker has returned stolen funds; it also happened in the CoinDash ICO hack, only back then the hacker returned Ether worth millions of dollars. It is still unclear why hackers return stolen funds, but it can be a comfort to the victims
References: Official report by SpankChain, TechCrunch, Coindesk
Related Attacks
- The DAO Hack — One of the most notorious events in Ethereum's history, and the event that caused the hard fork of the Ethereum blockchain into Ethereum and Ethereum Classic
DEOSgames (September 9, 2018)
DEOS Games is a decentralized gaming application running on top of the EOS blockchain
Damage scale: About $24,000 worth of EOS
Attack vector: Smart contract vulnerability
What Happened
- In less than an hour, the DEOS app made 24 payments to an EOS account interacting with the DEOS Games contract, an account that had been created less than a day before
- According to the transactions on EOS, every time the malicious account deposited 10 EOS, it received about 20 times that amount back from the DEOS Games contract
- DEOS Games stated in a tweet, “It is a good stress test and we got significant improvements on contract level.”
- It is unclear which vulnerability was exploited at the DEOS Games contract, or if there is perhaps another vulnerability in the EOS core
Our Thoughts
- It wasn’t mentioned how DEOS Games found out about the hack, but as we suggested in the June-July post on the Bithumb hack, a simple monitoring script can detect such anomalies. We assume DEOS Games has such tools and is probably very experienced with such fraud attempts.
References: Report on TheNextWeb, DEOS Games tweet about the hack
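As an added example of the kind of monitoring script meant here (not DEOS Games' own tooling), the following Python scans transfer records to and from a game contract and flags any account whose payouts within an hour are many times its deposits, the pattern described above. The contract name, account names and log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of transfer records (not real DEOS data).
# Each line: timestamp, from, to, quantity, symbol
SAMPLE_LOG = """\
2018-09-09T10:00:00 player.alice gamecontract 5.0000 EOS
2018-09-09T10:00:30 gamecontract player.alice 9.5000 EOS
2018-09-09T10:01:00 newacct12345 gamecontract 10.0000 EOS
2018-09-09T10:01:05 gamecontract newacct12345 197.0000 EOS
2018-09-09T10:02:00 newacct12345 gamecontract 10.0000 EOS
2018-09-09T10:02:05 gamecontract newacct12345 201.0000 EOS
2018-09-09T10:03:00 newacct12345 gamecontract 10.0000 EOS
2018-09-09T10:03:05 gamecontract newacct12345 199.0000 EOS
2018-09-09T10:04:00 player.bob gamecontract 20.0000 EOS
2018-09-09T11:30:00 gamecontract player.bob 35.0000 EOS
"""


def parse(log):
    """Yield (timestamp, from, to, amount) for each record."""
    for line in log.splitlines():
        ts, src, dst, amount, _symbol = line.split()
        yield datetime.fromisoformat(ts), src, dst, float(amount)


def find_anomalies(log, contract, window=timedelta(hours=1),
                   max_ratio=5.0, min_payouts=3):
    """Return {account: payout/deposit ratio} for accounts that received at
    least min_payouts payouts worth more than max_ratio x their deposits
    within any window-long period."""
    per_account = defaultdict(list)  # account -> [(ts, deposit, payout)]
    for ts, src, dst, amount in parse(log):
        if dst == contract:
            per_account[src].append((ts, amount, 0.0))
        elif src == contract:
            per_account[dst].append((ts, 0.0, amount))
    flagged = {}
    for account, events in per_account.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            recent = [e for e in events[i:] if e[0] - start <= window]
            deposits = sum(e[1] for e in recent)
            payouts = sum(e[2] for e in recent)
            n_payouts = sum(1 for e in recent if e[2] > 0)
            if n_payouts >= min_payouts and payouts > max_ratio * max(deposits, 1e-9):
                flagged[account] = round(payouts / deposits, 2)
                break  # one alert per account is enough
    return flagged
```

A real deployment would feed this from a chain history API and alert on each hit; the thresholds here are deliberately loose so normal winning players are not flagged.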
NewDex (September 18, 2018)
NewDex is a decentralized exchange based on the EOS blockchain.
Damage scale: $58,000
Attack vector: Undisclosed
What Happened
- A malicious account created an EOS-based token with the name “EOS,” like the name of the native blockchain currency
- This account — oo1122334455 — issued 1 billion tokens with the name “EOS” and tried to deposit them as EOS native currency, a ruse that the NewDex system fell for
- The hacker traded the fake tokens for EOS native currency
- Some of the real EOS native currency was then sent to Bitfinex to be traded for other cryptocurrencies
- The NewDex team apologized for the incident but hasn’t published any plans to compensate users
- Further investigation on NewDex infrastructure revealed that Newdex doesn’t use smart contracts to verify the tokens users send
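To show what the missing verification looks like, here is an added Python example (not NewDex's code) that accepts a deposit only when the token's issuing contract, symbol and precision match a trusted list, next to the symbol-only check that a token named “EOS” from any contract would pass. On EOS a token is identified by the contract that issued it together with its symbol; the native token comes from the eosio.token system contract. The exchange account name, the trader name and the sample actions are constructed; the attacker account name is the one cited above.

```python
from decimal import Decimal

# Trusted tokens as (issuing contract, symbol, precision). Assumed whitelist
# for the example: native EOS is the 4-decimal token issued by eosio.token.
TRUSTED_TOKENS = {("eosio.token", "EOS", 4)}


def parse_quantity(quantity):
    """'10.0000 EOS' -> (Decimal('10.0000'), 'EOS', 4)."""
    amount_str, symbol = quantity.strip().split()
    precision = len(amount_str.split(".")[1]) if "." in amount_str else 0
    return Decimal(amount_str), symbol, precision


def looks_like_eos_naive(action):
    # Symbol-only check: any token whose symbol is "EOS" passes.
    return parse_quantity(action["data"]["quantity"])[1] == "EOS"


def is_trusted_token(action):
    # The 'account' field is the contract that executed the transfer; a fake
    # token cannot forge it, so it is the field to check.
    _, symbol, precision = parse_quantity(action["data"]["quantity"])
    return (action["account"], symbol, precision) in TRUSTED_TOKENS


def credit_deposit(action, exchange_account, ledger):
    """Credit a transfer action to the internal ledger only if genuine.
    Returns a short reason string."""
    data = action["data"]
    if action["name"] != "transfer" or data["to"] != exchange_account:
        return "ignored: not a transfer to the exchange"
    if not is_trusted_token(action):
        return f"rejected: {data['quantity'].split()[1]} issued by {action['account']}"
    amount = parse_quantity(data["quantity"])[0]
    ledger[data["from"]] = ledger.get(data["from"], Decimal(0)) + amount
    return "accepted"


# Constructed sample actions in EOS transfer-action shape.
GENUINE = {"account": "eosio.token", "name": "transfer",
           "data": {"from": "honesttrader", "to": "exchangeacct",
                    "quantity": "10.0000 EOS", "memo": ""}}
FAKE = {"account": "oo1122334455", "name": "transfer",
        "data": {"from": "oo1122334455", "to": "exchangeacct",
                 "quantity": "1000000000.0000 EOS", "memo": ""}}


def demo():
    ledger = {}
    results = [credit_deposit(a, "exchangeacct", ledger) for a in (GENUINE, FAKE)]
    return results, ledger
```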
Our Thoughts
- The fact that NewDex does not verify tokens via its smart contracts leads to the conclusion that NewDex is just a user account handling the users’ trades, while traders are under the impression it’s a decentralized exchange!
- This incident is very irritating for two primary reasons. Firstly, NewDex is clearly not functioning as a real decentralized exchange and only pretends to be one; the order matching is done on a centralized server (see the Reddit post). Secondly, the system doesn’t even check the authenticity of deposited tokens
- When trading on small crypto exchanges, it is critical to do due diligence: search for blog posts and opinion articles
References: Report on the hack, Newdex isn’t a decentralized exchange — post on Reddit
EOSBet Casino (14 September & 15 October 2018)
EOSBet is a gaming platform on EOS
Damage scale: $200,000 + $338,000 (both in EOS)
Attack vector: Exploiting vulnerabilities in smart contracts
What Happened
- First hack: EOSBet announced it had been hacked, stating “the bug wasn’t minor…we’re still doing forensics” and took the platform offline
- The company announced later that there was a bug in an assertion statement, and other games were also attacked using the same method
- According to TheNextWeb, “Hackers were able to call the ‘transfer’ function externally using a fake hash”
- An EOS account with a name very similar to that of the official EOSBet account sent a small amount of EOS to the attacker with a message demanding the return of the stolen funds, or else they would hire a team of lawyers and pursue the attacker
- The same account approached EOSBet users and tried to convince them to transfer EOS for BET tokens, the official EOSBet game token
- Once back online, EOSBet published a detailed report on the hack, promising that their contracts are now safe and the vulnerability patched
- Second hack: One month later, another vulnerability was exploited by hackers and over 142,000 EOS were stolen
- The stolen assets were moved to the crypto exchanges Bitfinex and Poloniex, where the tokens were frozen
- The company reported they were working with these two exchanges to recover the funds
Our Thoughts
- Smart contracts on EOS are relatively new, and these incidents are the birth pangs any new platform goes through
- If the community learns from smart contract vulnerability exploits, both the platform and the platform’s reputation will ultimately benefit
References: Report on the first hack, EOSBet statement on the first hack, report on the second hack, EOSBet statement on the second hack
More Interesting Blockchain Security Stories
- Bitcoin flaw could have allowed dreaded 51% takeover — A vulnerability in Bitcoin Core could have crashed numerous nodes, after which an attacker could have performed a 51% attack at relatively low cost
- Hackers use Eternal Blue exploit to mine cryptocurrency — Hackers design and unleash crypto-mining malware which takes advantage of unpatched Microsoft Windows systems to mine Monero
- Growing pains for EOS blockchain — A summary of the EOS blockchain so far, discussing RAM costs, dApps and more
- Binance CEO says security is the most basic thing for cryptocurrency exchanges — An interview with Binance CEO from Malta’s Delta Summit
- 51% attack on minor blockchains — It’s cheap to mess up minor blockchains by renting hashing power and manipulating the chain
- Two men charged with $14 million crowd machine crypto hack — Another SIM-swap scam in the US
The Monthly Updates
The monthly security analysis delivers analysis and post-mortem on interesting blockchain security incidents and events in an executive-summary format. There are many posts on security incidents within the blockchain domain. Here, we’ll provide a high-level overview and try to focus on the essence, express our opinion and give references for further inspection.
Like what you read? Check out our GitHub projects and join the community:
Join the Orbs community:
- GitHub: https://github.com/orbs-network
- Telegram: https://t.me/orbs_network
- Twitter: https://twitter.com/orbs_network
- Reddit: https://www.reddit.com/r/ORBS_Network/
- Read the Orbs white papers: https://www.orbs.com/white-papers
- Sign up for the Orbs newsletter