A Security Analysis for Blockchain, September-October 2018

Dror Trieman
The Orbs Blog
Nov 14, 2018


Image by Marina Rudinsky

Hello community,

The August analysis post focused on vulnerabilities within cryptocurrency infrastructures such as Monero and Bitcoin Cash. Once again, these incidents emphasize the need for collaboration on security issues within the community.

This post summarizes the incidents of September and October: several hacks of smart contracts on Ethereum and EOS, and hacks of exchanges.

I’ve also attached interesting related stories from the last two months.

Enjoy

Zaif (September 19, 2018)

Zaif is a Japanese crypto-exchange.

Damage scale: $60 million (in Bitcoin, Bitcoin Cash and MonaCoin)

Attack vector: Undisclosed

What Happened

  • Since September 14, deposit and withdrawal services have been unavailable for the exchange users.
  • According to Zaif, unauthorized access to a hot wallet caused the loss of 5,900 BTC, as well as Bitcoin Cash and MonaCoin
  • Zaif’s team has not released more details because it has asked the Japanese authorities to help investigate the theft
  • It turns out that several months before this breach, Japan’s Financial Services Agency (FSA) issued a warning to Zaif about its internal management system and security measures
  • The exchange did not react to the FSA recommendations
  • Zaif told authorities that an employee’s PC had been hacked

Our Thoughts

  • We assume the hack of the employee computer was probably a successful phishing attempt. October was National Cybersecurity Awareness Month in the US, but it is a good time to remind non-American blockchain projects as well to invest time in cybersecurity training for their employees
  • A good resource we recommend for basic cybersecurity training is PagerDuty Security Training for Anyone

References: PRTimes, CryptoGlobalist

Related Attacks

  • It is mentioned that the same method was used in the Bithumb hack of July 2017, in which several million USD in cryptocurrency was stolen and customer data was compromised

SpankChain (October 9, 2018)


SpankChain is an adult entertainment blockchain project on top of the Ethereum blockchain.

Damage scale: Over $40K (in ETH and BOOTY tokens)

Attack vector: Smart contract vulnerability

What Happened

  • An attacker took advantage of a reentrancy bug in the SpankChain smart contract, similar to the bug behind the famous DAO hack
  • The technical team realized it had been hacked only 24 hours after the breach, and immediately took down the site
  • The company said it was working on an airdrop of ETH and BOOTY to reimburse users who lost funds in the hack
  • In the official report, SpankChain stated it had not performed a security audit of the specific contract that was hacked, considering it “quite expensive”
  • A few days after the hack, the CEO of SpankChain was contacted by the attacker, who then sent him the private key to the stolen funds! In return, SpankChain offered him a small reward

Our Thoughts

  • This kind of incident reflects badly on blockchain technology and its community, and investing a few thousand dollars in a good security audit of the hacked smart contract would have avoided it
  • It isn’t the first time an attacker has returned stolen funds; it also happened in the CoinDash ICO hack, only back then the hacker returned Ether worth millions of dollars. It is still unclear why hackers return stolen funds, but it can be a comfort to the victims
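To make the reentrancy bug concrete, here is an added example (not SpankChain’s or the DAO’s contract, and written as a Python model of the EVM call semantics rather than in Solidity): a minimal in-memory chain where paying a contract invokes its fallback, the way a Solidity call with value does. `VulnerableBank` makes the external call before clearing the caller’s balance, so the attacker’s fallback re-enters `withdraw()` until the contract is empty; `SafeBank` applies checks-effects-interactions plus a reentrancy lock. All names and amounts are constructed.

```python
"""Model of the reentrancy pattern behind the SpankChain and DAO hacks.

Added example, not the contract code of either project. Contracts are plain
Python objects; `sender.receive(...)` plays the role of the EVM fallback that
runs when a contract receives ether. Names and balances are constructed.
"""


class VulnerableBank:
    """withdraw() makes the external call BEFORE updating the balance."""

    def __init__(self):
        self.balances = {}   # depositor -> credited amount
        self.ether = 0       # ether actually held by the contract

    def deposit(self, sender, amount):
        self.balances[sender] = self.balances.get(sender, 0) + amount
        self.ether += amount

    def withdraw(self, sender):
        amount = self.balances.get(sender, 0)
        if amount == 0 or self.ether < amount:
            return
        self.ether -= amount
        # BUG: balances[sender] is still non-zero while control is handed to
        # the recipient, so a malicious fallback can call withdraw() again.
        sender.receive(self, amount)
        self.balances[sender] = 0


class SafeBank(VulnerableBank):
    """Checks-effects-interactions, plus a lock like OpenZeppelin's ReentrancyGuard."""

    def __init__(self):
        super().__init__()
        self._locked = False

    def withdraw(self, sender):
        if self._locked:
            raise RuntimeError("reentrant call")      # models a revert
        amount = self.balances.get(sender, 0)
        if amount == 0 or self.ether < amount:
            return
        self._locked = True
        try:
            self.balances[sender] = 0                 # effect first ...
            self.ether -= amount
            sender.receive(self, amount)              # ... interaction last
        finally:
            self._locked = False


class Attacker:
    """Contract whose fallback re-enters the bank while it still holds funds."""

    def __init__(self, max_depth=10):
        self.ether = 0
        self.max_depth = max_depth   # EVM call-stack limit stands in for gas
        self._depth = 0

    def receive(self, bank, amount):
        self.ether += amount
        if self._depth < self.max_depth and bank.ether > 0:
            self._depth += 1
            try:
                bank.withdraw(self)
            except RuntimeError:     # the guarded bank reverts the inner call
                pass
            self._depth -= 1


def simulate(bank_cls):
    """Honest depositor puts in 9, attacker puts in 1 and withdraws once.
    Returns (attacker's ether, ether left in the bank)."""
    bank = bank_cls()
    victim = object()            # honest user who never withdraws here
    attacker = Attacker()
    bank.deposit(victim, 9)
    bank.deposit(attacker, 1)
    bank.withdraw(attacker)
    return attacker.ether, bank.ether


if __name__ == "__main__":
    print("vulnerable:", simulate(VulnerableBank))   # attacker ends with all 10
    print("safe:      ", simulate(SafeBank))         # attacker gets only its own 1
```

The fix is not the lock alone: zeroing the balance before the call is what makes a re-entered `withdraw()` return nothing, and the lock is a second line of defence for functions where the state update cannot be moved ahead of the call.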

References: Official report by SpankChain, TechCrunch, Coindesk

Related Attacks

  • The DAO Hack — One of the most notorious events in the Ethereum blockchain history, an event that caused the hard fork of the Ethereum blockchain, to Ethereum and Ethereum classic

DEOSgames (September 9, 2018)


DEOS Games is a decentralized gaming application running on top of the EOS blockchain.

Damage scale: About $24,000 worth of EOS

Attack vector: Smart contract vulnerability

What Happened

  • In less than an hour, the DEOS app made 24 payments to an EOS account interacting with the DEOS Games contract, an account that had been created less than a day before
  • According to the transactions on EOS, every time the malicious account deposited 10 EOS, it received about 20 times that amount back from the DEOS Games contract
  • DEOS Games stated in a tweet, “It is a good stress test and we got significant improvements on contract level.”
  • It is unclear which vulnerability in the DEOS Games contract was exploited, or whether there is perhaps another vulnerability in the EOS core

Our Thoughts

  • It wasn’t mentioned how DEOS Games found out about the hack, but as we suggested in the June-July post on the Bithumb hack, a simple monitoring script can detect such anomalies. We assume DEOS Games has such tools and is probably very experienced with such fraud attempts.
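The kind of monitoring script meant here, as an added example (not DEOS Games’ tooling): it reads transfer records for a game contract and keeps a one-hour sliding window per account, raising an alert when an account collects an implausible number of payouts or when its payouts dwarf its deposits, which is exactly the 10 EOS in, about 200 EOS out pattern described above. The log format, the thresholds and the account names are assumptions; a real deployment would read the records from a block-history API.

```python
"""Sliding-window payout anomaly detector for a game contract.

Added example, not code from DEOS Games. Input lines are constructed in the
form '<ISO timestamp> <deposit|payout> acct=<name> amount=<n> EOS'.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
MAX_PAYOUTS_PER_WINDOW = 10        # assumption: honest players do not cash out this often
MAX_PAYOUT_TO_DEPOSIT_RATIO = 5.0  # assumption: the house edge makes a sustained 5x return implausible


def parse_line(line):
    """'2018-09-09T10:01:00 payout acct=alice amount=200.0000 EOS' -> (ts, kind, acct, amount)"""
    ts, kind, acct_kv, amt_kv, symbol = line.split()
    if symbol != "EOS":
        raise ValueError("unexpected symbol: " + symbol)
    return (datetime.fromisoformat(ts), kind,
            acct_kv.split("=", 1)[1], float(amt_kv.split("=", 1)[1]))


def detect(lines):
    """Return {account: reason} for accounts whose recent activity looks like a drain."""
    windows = defaultdict(deque)   # account -> (ts, kind, amount) events inside the window
    alerts = {}
    for line in sorted(lines):     # ISO timestamps sort chronologically as text
        ts, kind, acct, amount = parse_line(line)
        events = windows[acct]
        events.append((ts, kind, amount))
        while events and ts - events[0][0] > WINDOW:   # evict events older than the window
            events.popleft()
        payouts = [a for _, k, a in events if k == "payout"]
        deposits = sum(a for _, k, a in events if k == "deposit")
        if len(payouts) >= MAX_PAYOUTS_PER_WINDOW:
            alerts.setdefault(acct, f"{len(payouts)} payouts within {WINDOW}")
        elif deposits > 0 and sum(payouts) / deposits >= MAX_PAYOUT_TO_DEPOSIT_RATIO:
            alerts.setdefault(acct, f"payout/deposit ratio {sum(payouts) / deposits:.1f}")
    return alerts


def constructed_log():
    """Constructed sample: one honest player, and the drain pattern from the DEOS report."""
    base = datetime(2018, 9, 9, 10, 0, 0)
    lines = []
    honest = [("deposit", 10), ("deposit", 10), ("payout", 15), ("deposit", 10)]
    for i, (kind, amt) in enumerate(honest):
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} {kind} acct=honest.gm amount={amt:.4f} EOS")
    for i in range(24):   # 24 rounds of 10 EOS in, 200 EOS out, all inside one hour
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} deposit acct=drain.acct amount=10.0000 EOS")
        lines.append(f"{(t + timedelta(seconds=30)).isoformat()} payout acct=drain.acct amount=200.0000 EOS")
    return lines


if __name__ == "__main__":
    for acct, reason in detect(constructed_log()).items():
        print(f"ALERT {acct}: {reason}")
```

Because the ratio check fires on the very first 200 EOS payout, an alert of this kind could have paged someone after round one rather than round twenty-four; the age of the account (created less than a day earlier, per the report) is another cheap signal worth adding to the same window.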

References: Report on TheNextWeb, DEOS Games tweet about the hack

NewDex (September 18, 2018)

NewDex is a decentralized exchange based on the EOS blockchain.

Damage scale: $58,000

Attack vector: Undisclosed

What Happened

  • A malicious account created an EOS-based token named “EOS,” the same name as the native blockchain currency
  • This account — oo1122334455 — issued 1 billion tokens with the name “EOS” and tried to deposit them as EOS native currency, a ruse that the NewDex system fell for
  • The hacker traded the fake tokens for EOS native currency
  • Some of the real EOS native currency was then sent to Bitfinex to be traded for other cryptocurrencies
  • The NewDex team apologized for the incident but hasn’t published any plans to compensate users
  • Further investigation of the NewDex infrastructure revealed that NewDex doesn’t use smart contracts to verify the tokens users send

Our Thoughts

  • The fact that NewDex does not verify tokens via smart contracts leads one to the conclusion that NewDex is just a user account handling the users’ trades, while traders are under the impression it’s a decentralized exchange!
  • This incident is very irritating for two primary reasons. Firstly, NewDex is clearly not functioning as a real decentralized exchange and only pretends to be one; it does the matching on a centralized server (see the Reddit post). Secondly, the system doesn’t even check the authenticity of deposited tokens
  • When trading on a small crypto exchange, it is critical to do due diligence: search for blog posts and opinion articles
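What “checking the authenticity of deposited tokens” means in practice, as an added example that is not NewDex code: on EOS a token is defined by the contract account that manages it, and the native EOS token lives in the `eosio.token` contract, while anyone can deploy a contract issuing a token whose symbol is also “EOS”. A transfer notification carries the account (`code`) whose contract executed it, so a deposit handler must trust the (contract, symbol, precision) triple, never the symbol alone. The notification layout, the exchange account name and the assumption that the fake token’s contract sits on the attacker’s own account are constructed for the example.

```python
"""Deposit verification by issuing contract, not by token symbol.

Added example, not NewDex code. `credit_deposit` is the check an exchange
contract should make; `naive_credit` is the symbol-only check that a
look-alike token walks straight through. Notifications are constructed.
"""
from decimal import Decimal

# assumption: the only (contract, symbol, precision) this exchange credits as native EOS
TRUSTED_TOKENS = {("eosio.token", "EOS", 4)}
EXCHANGE_ACCOUNT = "exchange.acct"   # assumption: our own deposit account


def parse_quantity(quantity):
    """'1000000000.0000 EOS' -> (Decimal('1000000000.0000'), 'EOS', 4)"""
    amount, symbol = quantity.split()
    precision = len(amount.split(".")[1]) if "." in amount else 0
    return Decimal(amount), symbol, precision


def verify_deposit(notification):
    """True only if the transfer was executed by a trusted token contract and is addressed to us."""
    _, symbol, precision = parse_quantity(notification["quantity"])
    if (notification["code"], symbol, precision) not in TRUSTED_TOKENS:
        return False
    return notification["to"] == EXCHANGE_ACCOUNT


def credit_deposit(notification, ledger):
    """Credit the sender's balance and return it, or return None for an untrusted token."""
    if not verify_deposit(notification):
        return None
    amount, _, _ = parse_quantity(notification["quantity"])
    sender = notification["from"]
    ledger[sender] = ledger.get(sender, Decimal(0)) + amount
    return ledger[sender]


def naive_credit(notification, ledger):
    """Symbol-only check: anything called 'EOS' is credited, whoever issued it."""
    amount, symbol, _ = parse_quantity(notification["quantity"])
    if symbol != "EOS":
        return None
    sender = notification["from"]
    ledger[sender] = ledger.get(sender, Decimal(0)) + amount
    return ledger[sender]


# constructed notifications: a real deposit, and a billion look-alike tokens
GENUINE = {"code": "eosio.token", "from": "honest.user",
           "to": EXCHANGE_ACCOUNT, "quantity": "100.0000 EOS"}
FAKE = {"code": "oo1122334455",    # assumption: fake-token contract on the attacker's account
        "from": "oo1122334455", "to": EXCHANGE_ACCOUNT,
        "quantity": "1000000000.0000 EOS"}


if __name__ == "__main__":
    print("verified  genuine:", credit_deposit(GENUINE, {}))   # 100.0000
    print("verified  fake:   ", credit_deposit(FAKE, {}))      # None
    print("naive     fake:   ", naive_credit(FAKE, {}))        # 1000000000.0000
```

The precision is part of the key on purpose: on EOS the asset symbol is the symbol code together with its precision, so a token called “EOS” with a different number of decimals is a different asset even before the issuing contract is considered.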

References: Report on the hack, Newdex isn’t a decentralized exchange — post on Reddit

EOSBet Casino (14 September & 15 October 2018)

EOSBet is a gaming platform on EOS.

Damage scale: $200,000 + $338,000 (both in EOS)

Attack vector: Exploiting vulnerabilities in smart contracts

What Happened

  • First hack: EOSBet announced it had been hacked, stating “the bug wasn’t minor…we’re still doing forensics” and took the platform offline
  • The company later announced that there was a bug in an assertion statement, and that other games were also attacked using the same method
  • According to TheNextWeb, “Hackers were able to call the ‘transfer’ function externally using a fake hash”
  • An EOS account with a name very similar to that of the official EOSBet account sent a small amount of EOS to the attacker with a message demanding the return of the stolen funds, or else it would hire a team of lawyers and pursue the attacker
  • The same account approached EOSBet users and tried to convince them to transfer EOS for BET tokens, the official EOSBet game token
  • Back online, EOSBet has since published a detailed report on the hack, promising that its contracts are now safe and the vulnerability patched
  • Second hack: One month later, another vulnerability was exploited by hackers and over 142,000 EOS was stolen
  • The stolen assets were moved to the crypto exchanges Bitfinex and Poloniex, where the tokens were frozen
  • The company reported they were working with these two exchanges to recover the funds

Our Thoughts

  • Smart contracts on EOS are relatively new, and these incidents are the birth pangs any new platform goes through
  • If the community learns from smart contract vulnerability exploits, both the platform and the platform’s reputation will ultimately benefit

References: Report on the first hack, EOSBet statement on the first hack, report on the second hack, EOSBet statement on the second hack

More Interesting Blockchain Security Stories

The Monthly Updates

The monthly security analysis delivers analysis and post-mortems of interesting blockchain security incidents and events in an executive-summary format. There are many posts on security incidents within the blockchain domain. Here, we provide a high-level overview and try to focus on the essence, express our opinion and give references for further inspection.
