It’s time for the monthly security check! According to Beosin EagleEye, a security risk monitoring, warning, and blocking platform under Beosin, a blockchain security audit company, both the number of security incidents and the amounts involved increased significantly in July 2023 compared with June. In July, there were more than 31 typical security incidents, involving a total of 415 million US dollars. Among them, losses from attack incidents totaled about 180 million US dollars, an 89% increase from June; Rug Pull incidents totaled 24.46 million US dollars, about 5 times the amount in June. There was also a MultiChain abnormal fund outflow incident involving 210 million US dollars.
This month, there were several security incidents with losses of tens of millions of dollars or more: the cross-chain bridge MultiChain had an abnormal fund outflow of 210 million US dollars; multiple Curve pools were attacked through vulnerabilities in old versions of Vyper, resulting in a loss of 61.7 million US dollars; 60 million US dollars was stolen from the hot wallet of Alphapo; the crypto payment service provider CoinsPaid had 37.3 million US dollars stolen; the cross-chain protocol Poly Network was attacked, resulting in a loss of 10.1 million US dollars. In addition, scams and exit scams were frequent this month, the largest being the BALD project on the Base chain, whose deployer profited about 9.28 million US dollars.
In terms of DeFi, there were a total of 17 typical security incidents
No.1 On July 2nd, the Aave fork project on Pulse chain suffered a governance attack, resulting in a loss of about 900,000 US dollars.
No.2 On July 2nd, the cross-chain protocol Poly Network was suspected to have been attacked due to private key leakage, resulting in a loss of about 10.1 million US dollars.
No.3 Starting from July 7th, a total of 210 million US dollars flowed out from the MultiChain cross-chain bridge. On July 14th, according to the official Twitter account, the funds that flowed out were transferred by the CEO’s family members, and CEO Zhao Jun has been taken away by the Chinese police. As a result, the MultiChain team was forced to cease operations.
No.4 On July 8th, the Civfund contract was attacked, resulting in a loss of about 180,000 US dollars.
No.5 On July 10th, ArcadiaFi was attacked on both Ethereum and Optimism chains, resulting in a loss of about 450,000 US dollars.
No.6 On July 11th, Libertify suffered a reentrancy attack on both Polygon and Ethereum chains, resulting in a loss of about 450,000 US dollars.
No.7 On July 11th, the leveraged yield protocol Rodeo Finance on Arbitrum suffered a price manipulation attack, resulting in a loss of about 880,000 US dollars.
No.8 On July 12th, WGPT on BNB Chain suffered a flash loan attack, resulting in a loss of about 80,000 US dollars.
No.9 On July 18th, BNO on BNB Chain suffered a flash loan attack, resulting in a loss of about 500,000 US dollars.
No.10 On July 20th, a series of airdrop() vulnerability attacks occurred on BNB Chain, involving multiple tokens such as FFIST, AI-Doge, QX, Utopia, with a total loss of about 300,000 US dollars.
No.11 On July 21st, Conic Finance suffered a reentrancy attack, resulting in a loss of about 3.2 million US dollars.
No.12 On July 22nd, Estonian crypto payment service provider CoinsPaid claimed to have been attacked, with 37.3 million US dollars worth of cryptocurrencies stolen.
On September 25th, Palmswap on BNB Chain was attacked, resulting in a loss of approximately $900,000.
On September 25th, the lending protocol Eralend on Zksync was attacked by flash loans, resulting in a loss of approximately $3.4 million.
On September 15th, the hot wallet of cryptocurrency payment service provider Alphapo was hacked, resulting in a loss of $60 million.
On September 27th, Carson on BNB Chain was attacked, resulting in a loss of approximately $140,000.
On September 30th, multiple Curve pools were attacked due to a reentrancy vulnerability in the old versions of Vyper (0.2.15, 0.2.16, and 0.3.0). The pETH/ETH, msETH/ETH, alETH/ETH, and CRV/ETH pools suffered a total loss of $61.7 million.
In terms of scam and exit scams, there were a total of 8 typical security incidents
On September 3rd, the crypto project Encryption AI experienced a rug pull, and the developers ran away with $2 million. They posted an announcement on social media claiming to be “severely addicted to gambling”.
On September 18th, GMETA on BSC experienced a rug pull, and the deployer made a profit of $3.67 million.
On September 19th, an IPO token on BSC experienced a rug pull, and the deployer made a profit of $480,000.
On September 20th, the Flashmall project on BSC experienced a rug pull, and the deployer made a profit of $550,000.
On September 22nd, the IEGT token on BSC experienced a rug pull, and the deployer made a profit of approximately $1.14 million.
On September 28th, DefiLabs on BNB Chain exit scammed, and the scammers made a profit of $1.4 million. DefiLabs claimed on Twitter that the platform encountered “unexpected issues” during “maintenance and updates”.
On September 29th, the yield aggregator protocol Kannagi Finance on zkSync Era experienced a rug pull, involving an amount of approximately $2.13 million.
On September 31st, the project BALD on Base chain experienced a rug pull, and the deployer made a profit of approximately 5000 ETH (about $9.28 million).
In terms of crypto crimes/case regulation, there were a total of 6 typical security incidents
On September 11th, the U.S. Department of Justice announced the first criminal case involving a smart contract attack on a decentralized exchange (DEX). Shakeeb Ahmed, a senior security engineer at an international technology company, defrauded exchanges and their users using his expertise, stealing approximately $9 million worth of cryptocurrencies.
On September 18th, the Hubei police in China cracked the “first virtual currency case” in the country, involving a flow of funds of 400 billion RMB.
On September 18th, Eddy Alexandr, the founder of the crypto trading platform EminiFX in New York, was sentenced to nine years in prison for defrauding over 25,000 investors on the EminiFX platform, with an amount exceeding $248 million.
On September 25th, the U.S. Commodity Futures Trading Commission (CFTC) filed charges against a couple, Michael and Amanda Griffis from Tennessee, who were accused of defrauding over 100 individuals and raising over $6 million through a digital asset commodity pool called “Blessings of God Thru Crypto”.
On July 25th, Korean prosecutors sued 49 individuals suspected of illegally obtaining 390 billion Korean won (approximately 304 million US dollars) in profits through virtual asset speculation.
On July 28th, a British court sentenced two cryptocurrency fraudsters to six years in prison, with the amount involved being approximately 500,000 pounds.
In view of the new situation in the field of blockchain security, Beosin summarizes as follows:
Overall, in July 2023, both the number of blockchain security incidents of various types and the amount of losses increased significantly. The total amount involved in various security incidents reached 415 million US dollars.
This month, private key leak incidents such as Poly Network and Alphapo caused significant losses. It is recommended that project parties establish strict private key management processes, adopt multi-signature mechanisms, and prohibit the use of private keys in networked environments. In addition, this month saw a significant increase in reentrancy attack vulnerabilities. It is recommended that project parties engage professional security companies to conduct audits before going online. The Vyper compiler version vulnerability that appeared this month requires joint efforts from the community to propose improvement plans. This month also saw frequent Rug Pull incidents. It is recommended that users carefully investigate the background of projects and review relevant audit reports to avoid asset losses.