Bit Jungle: Blockchain Security Analysis Report for the First Half of 2023

Preface

With the continuous deepening of the digitalization process, blockchain technology has become an important driving force in many fields. It not only brings disruptive changes to traditional industries such as finance, medical care, and logistics, but also gives participants a more open and transparent experience. However, with the widespread application of blockchain technology, the security issues associated with it have become increasingly severe. In recent years, blockchain security incidents have occurred frequently, which not only caused huge losses to individuals and enterprises, but also brought challenges to the development of blockchain technology.

This report sorts out and analyzes the blockchain security incidents in the first half of 2023, aiming to explore the hidden dangers of blockchain security, analyze the causes of blockchain security incidents, and propose corresponding solutions and suggestions. Through this report, we hope to draw the attention of all parties to blockchain security issues, jointly promote the safe development of blockchain technology, and lay a solid foundation for the future of the digital world.

Overview of economic losses of security incidents

In the first half of 2023, a total of 192 major attacks occurred, with a total loss of approximately US$920 million.

  • A total of 4 security incidents with a loss of more than 100 million US dollars:
      • Euler Finance flash loan attack lost $197 million
      • Blockchain for dog nose wrinkles scam project causes $127 million in losses
      • BonqDAO & AllianceBlock manipulated prices and caused losses of 120 million US dollars
      • Atomic Wallet stolen and lost $100 million

  • 12 incidents in which the loss amount was in the range of US$10 million to US$100 million
  • There were 40 incidents with losses ranging from US$1 million to US$10 million.

Analysis overview of attack methods

According to the analysis of attack methods used in security incidents, the most frequent attack methods are Rug Pull and Contract Vulnerabilities, both with 32 attacks. This was followed by flash loan attacks, which occurred 20 times, accounting for 14.93% of all incidents.

Among the attack methods with the highest number of occurrences, flash loan attacks caused the largest losses, totaling 250 million US dollars. They were followed by blockchain scams, which occurred only seven times but caused losses of $230 million.

Although contract vulnerabilities and Rug Pulls are relatively numerous, together accounting for 47.76% of all attack methods, the losses they caused are far smaller than those of the former two, at only 66.49 million US dollars. The high incidence of these attacks and the huge amount of losses once again highlight the risks in the cryptocurrency market. Although blockchain technology has great potential and application prospects, it still faces security risks and technical challenges.

Rug Pull incidents occur frequently. In 75% of them the amount taken when the project ran away was less than 10 million US dollars, and in 28% it was less than 1 million US dollars. Such projects usually lack an official website, Twitter, Telegram, GitHub and other information, have no roadmap or white paper, and list team members whose information is suspicious. The period from project launch to the final run does not exceed three months.

The losses caused by such security incidents cannot be ignored. It is necessary to strengthen background investigation of projects, stay wary of unfamiliar information, and improve defenses through early prevention to avoid losses.

Overview of security incidents by type of target

1 On-chain Application

An on-chain application, also known as a Decentralized Application (DApp), is an application built on blockchain or distributed ledger technology. It uses the features and functions of the blockchain for data storage, transaction processing, and smart contract execution.

  • In the first half of 2023, a total of 157 security incidents occurred in on-chain applications, accounting for 81% of the total number of incidents. The total loss amount of on-chain applications reached 740 million US dollars, accounting for 79% of the total loss amount. On-chain applications were the type with the highest attack frequency and the largest amount of losses in the past six months.
  • The frequency of on-chain application security incidents was almost the same in each of the six months of the first half of the year. The top three causes of security incidents were Rug Pull, contract loopholes, and Twitter being hacked.

Suggestions:

  • Project teams should fully consider security when designing and building the project. When implementing a function, they should also consider whether its verification can be bypassed and whether it has defects, and should conduct a full security audit before the project goes online.
  • Before users invest in the application on the chain, they should investigate as much as possible, make careful decisions, and invest cautiously.

2 Exchange

An exchange is a platform or institution that provides digital asset trading services. It allows users to exchange one digital asset (such as Bitcoin, Ethereum, etc.) for another, or to buy or sell digital assets with fiat currencies (such as USD, EUR, etc.).

  • In the first half of 2023, exchanges ranked second in the number of security incidents. In the first half of the year, there were 11 security incidents in the field of exchanges, causing a total loss of 73.18 million US dollars. The main reason for the attack is the contract loophole.
  • Security incidents related to exchanges occur every month, and the amount of money lost due to them is not small.

Suggestions:

  • Users should beware of phishing and malicious links: avoid clicking on untrusted links, especially those received via email or social media.
  • Regularly check account activity; do not store all funds centrally; update and secure equipment; choose a trustworthy security company for early audit.

3 Public Chain/Side Chain

A public blockchain, referred to as a public chain, is a consensus blockchain that anyone in the world can access and read at any time, and on which anyone can send transactions and obtain effective confirmation. A sidechain is a blockchain parallel to the main chain, which can be understood as an extension protocol of the blockchain. Sidechains serve specific business needs, such as cross-chain asset exchange, private chain expansion, and industry-specific blockchain solutions.

  • In the first half of 2023, the public chain/side chain is the third largest type of security incidents. The main reason for the attack is the smart contract vulnerability.

Suggestions:

  • Choose a reliable consensus mechanism.
  • Use secure encryption algorithms to generate and store keys, and use multi-signature technology to increase transaction security.
  • Conduct regular security audits, including code reviews, security testing, and vulnerability scanning to identify potential security holes and weaknesses.

4 Cross-chain bridge

Cross-Chain Bridge is a technical solution that allows the transfer of digital assets between different blockchain networks. A cross-chain bridge typically locks or burns tokens in a smart contract on the originating chain, and unlocks or mints tokens through another smart contract on the target chain. Cross-chain communication essentially requires a trade-off in three dimensions: security, trust, and flexibility. Due to the existence of these complex factors, cross-chain bridges have become the main target of attack in the Web3 field.

  • In the first half of 2023, there were 8 cross-chain bridge security incidents, with a loss of US$11.37 million.
  • In 2022, the 12 cross-chain bridge security incidents caused a total of about US$1.89 billion in losses, ranking first among all project types in losses. Compared with last year, there have been 7 security incidents in the cross-chain bridge in the first half of this year. In addition to the recent Poly Network and Multichain security incidents, there have been 10 security incidents. Cross-chain bridge security incidents are developing more seriously than last year. The main reasons for being attacked are smart contract vulnerabilities, flash loans, etc.

Suggestions:

  • Project teams should put security first when designing the cross-chain message transmission protocol.
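
The lock-and-mint flow described in this section can be modeled in a few lines. The following is an added example, not part of the original report: it shows the checks a target-chain contract needs before minting (message authenticity, replay protection) and the supply invariant worth monitoring. The class names are hypothetical, and an HMAC with a constructed key stands in for the validator attestation a real bridge would verify.

```python
import hashlib
import hmac

# Constructed key: an HMAC stands in for the validator attestation a real bridge verifies.
ATTESTER_KEY = b"constructed-demo-key"


def attest(msg: bytes) -> bytes:
    return hmac.new(ATTESTER_KEY, msg, hashlib.sha256).digest()


class SourceVault:
    """Source-chain contract: locks tokens and emits an attested transfer message."""
    def __init__(self):
        self.locked = 0
        self.nonce = 0

    def lock(self, recipient: str, amount: int):
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.locked += amount
        self.nonce += 1  # unique per transfer, so each message can be minted once
        msg = f"{self.nonce}|{recipient}|{amount}".encode()
        return msg, attest(msg)


class TargetMinter:
    """Target-chain contract: mints wrapped tokens only for valid, unseen messages."""
    def __init__(self):
        self.minted = 0
        self.seen = set()
        self.balances = {}

    def mint(self, msg: bytes, proof: bytes) -> bool:
        if not hmac.compare_digest(attest(msg), proof):
            return False  # forged or altered message
        nonce, recipient, amount = msg.decode().split("|")
        if nonce in self.seen:
            return False  # replay of an already processed transfer
        self.seen.add(nonce)
        self.minted += int(amount)
        self.balances[recipient] = self.balances.get(recipient, 0) + int(amount)
        return True


def supply_invariant_holds(vault: SourceVault, minter: TargetMinter) -> bool:
    # Wrapped supply on the target chain must never exceed what is locked at the source.
    return minter.minted <= vault.locked
```

Checking the supply invariant continuously, off-chain, gives operators an early signal when either of the two mint-side checks has been bypassed.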

5 Wallets

A blockchain wallet is an important part of the blockchain, a digital currency storage and management tool that allows users to securely store, receive and send various cryptocurrencies such as Bitcoin, Ethereum and other tokens. Wallet security has always been a hot topic in the blockchain industry. Once a wallet is attacked, the attacker can easily steal sensitive information such as the user's private key and mnemonic, and then take control of the user's digital assets. The value of these digital assets can be very high, and if stolen, the loss will be very heavy. Therefore, in order to maximize the security of users' digital assets, we recommend that users take some security measures.

  • In the first half of 2023, the number of security incidents where wallets were attacked was relatively small compared to other types, but when wallets were attacked, the losses were relatively large. For example, the Atomic and MyAlgo wallet incidents together caused a loss of up to 109 million US dollars.
  • The type with the third largest number of incidents is the wallet, and most of the security incidents in this category are due to the leakage of private keys and mnemonics.

Suggestions:

  • Choose a trusted wallet provider: Choose a wallet provider with a good reputation and a solid history. Make sure to understand their security practices and how they protect sensitive information like user data and private keys.
  • Use two-factor authentication: Enable two-factor authentication to increase the security of your account. This method requires you to enter another form of authentication besides your username and password when logging in, such as a verification code or fingerprint recognition.
  • Do not share your private key: A private key is proof of ownership of your cryptocurrency. Do not share your private keys with anyone, including wallet providers. If someone asks you for your private key, it's most likely a scam.
  • Back up your wallet regularly: Backing up your wallet regularly ensures that you can recover your cryptocurrencies if your wallet is lost or attacked. You can keep your backups in a safe place such as an offline device or hardware wallet.
  • Be careful with unknown emails or messages: Do not open or download emails or messages from unknown sources. These may contain malware or links that may lead to your wallet being compromised.
  • Make sure your computer and mobile devices are safe: Make sure your computer and mobile devices have the latest antivirus and security updates to protect your devices from attacks.
  • Do not use unknown Wi-Fi networks in public places, as these networks may be unsafe and may be used by hackers to attack your wallet.
  • Make sure your wallet software is up to date: Make sure your wallet software is up to date. New releases often contain security updates and fixes that can help you protect your wallet from attacks.
  • Stay up-to-date with the latest information on wallet security: Stay informed about the latest information and events on wallet security to help you stay informed about wallet security and take appropriate precautions.

Analysis and summary of blockchain security incidents in the first half of 2023

Sorting through the blockchain security incidents in the first half of 2023 shows that on-chain applications were the type of project with the highest attack frequency and the largest amount of loss in the half year. A total of 157 security incidents occurred in the on-chain application field, 32 of which were attacks based on contract vulnerabilities.

In the face of frequent security incidents, developers should further follow secure coding practices, audit contract code, and use mature security libraries to protect user rights. Users of smart contracts should also choose contracts carefully and check a contract's code and security before use, choosing a professional security company for auditing. When a security incident occurs, users can do very little. Only by continuously improving their own security awareness, discovering vulnerabilities in advance, fixing them, and taking precautions can they avoid being attacked as much as possible.

The information provided in this report is for reference and research only. The information comes from public sources. The author has tried his best to verify the accuracy and completeness, but cannot guarantee its accuracy and completeness, and does not assume any responsibility or liability for loss or damage arising from using or relying on the information. This report should not be considered a recommendation for any particular blockchain project or cryptocurrency investment, and readers should conduct their own research and decision-making. The content of this report is not a substitute for the judgment and decision-making of the reader, nor can it guarantee the persistence or realization of the situation described.
