It’s time for the monthly security roundup! According to Beosin EagleEye, the security risk monitoring, warning, and blocking platform run by the blockchain security audit company Beosin, both the number of security incidents and the amounts involved increased significantly in July 2023 compared to June.
In July, there were more than 31 typical security incidents, with a total amount of 415 million US dollars. Among them, the total amount of losses from attack incidents was about 180 million US dollars, an increase of 89% compared to June; the total amount lost to rug pulls was 24.46 million US dollars, about 5 times that of June. There was also a MultiChain fund abnormal outflow incident involving 210 million US dollars.
This month, there were several security incidents involving tens of millions of dollars: the MultiChain cross-chain bridge had an abnormal outflow of 210 million US dollars; vulnerabilities in old versions of Vyper led to attacks on multiple Curve pools, resulting in a loss of 61.7 million US dollars; 60 million US dollars was stolen from Alphapo's hot wallet; 37.3 million US dollars was stolen from cryptocurrency payment service provider CoinsPaid; and Poly Network, a cross-chain protocol, was attacked, resulting in a loss of 10.1 million US dollars. In addition, fraud and exit scams were frequent this month, with the largest amount involved being the BALD project on the Base chain, with the deployer profiting about 9.28 million US dollars.
A total of 17 typical security incidents occurred.
No.1 On July 2nd, the Aave fork project on Pulse chain suffered a governance attack, resulting in a loss of about 900,000 US dollars.
No.2 On July 2nd, the cross-chain protocol Poly Network was suspected of being attacked due to private key leakage, resulting in a loss of about 10.1 million US dollars.
No.3 Starting from July 7th, a total of 210 million US dollars flowed out from the MultiChain cross-chain bridge. On July 14th, according to the official Twitter, the funds that flowed out were transferred by the CEO’s family members, and CEO Zhao Jun has been taken away by the Chinese police. As a result, the MultiChain team was forced to cease operations.
No.4 On July 8th, the Civfund contract was attacked, resulting in a loss of about 180,000 US dollars.
No.5 On July 10th, ArcadiaFi was attacked on Ethereum and Optimism chains, resulting in a loss of about 450,000 US dollars.
No.6 On July 11th, Libertify suffered a reentrancy attack on the Polygon and Ethereum chains, resulting in a loss of about 450,000 US dollars.
No.7 On July 11th, Rodeo Finance, a leverage yield protocol in the Arbitrum ecosystem, suffered a price manipulation attack, resulting in a loss of about 880,000 US dollars.
No.8 On July 12th, WGPT on the BNB Chain was hit by a flash loan attack, resulting in a loss of about 80,000 US dollars.
No.9 On July 18th, BNO on the BNB Chain was hit by a flash loan attack, resulting in a loss of about 500,000 US dollars.
No.10 On July 20th, a series of airdrop() vulnerability attacks occurred on the BNB Chain, involving multiple tokens such as FFIST, AI-Doge, QX, Utopia, with a total loss of about 300,000 US dollars.
No.11 On July 21st, Conic Finance suffered a reentrancy attack, resulting in a loss of about 3.2 million US dollars.
No.12 On July 22nd, CoinsPaid, an Estonian cryptocurrency payment service provider, claimed to have been attacked, with 37.3 million US dollars worth of cryptocurrency stolen.
No.13 On July 25th, Palmswap on BNB Chain was attacked, resulting in a loss of approximately $900,000.
No.14 On July 25th, the lending protocol Eralend on zkSync was hit by a flash loan attack, resulting in a loss of approximately $3.4 million.
No.15 Cryptocurrency payment service provider Alphapo had its hot wallet stolen, resulting in a loss of $60 million.
No.16 On July 27th, Carson on BNB Chain was attacked, resulting in a loss of approximately $140,000.
No.17 On July 30th, multiple Curve pools were attacked due to a reentrancy vulnerability in the old versions of Vyper (0.2.15, 0.2.16, and 0.3.0). The affected pools, pETH/ETH, msETH/ETH, alETH/ETH, and CRV/ETH, suffered a total loss of $61.7 million.
Fraud and Exit Scams
A total of 8 typical security incidents occurred
No.1 On July 3rd, the crypto project Encryption AI experienced a rug pull, with the developers making off with $2 million and posting an announcement on social media claiming to be “seriously addicted to gambling.”
No.2 On July 18th, GMETA on BSC experienced a rug pull, with the deployer profiting $3.67 million.
No.3 On July 19th, an IPO token on BSC experienced a rug pull, with the deployer profiting $480,000.
No.4 On July 20th, the Flashmall project on BSC experienced a rug pull, with the deployer profiting $550,000.
No.5 On July 22nd, the IEGT token on BSC experienced a rug pull, with the deployer profiting approximately $1.14 million.
No.6 On July 28th, DefiLabs on BNB Chain exit scammed, with the scammer profiting $1.4 million. DefiLabs claimed on Twitter that they encountered unexpected issues during “maintenance and updates.”
No.7 On July 29th, the Kannagi Finance yield aggregator protocol on zkSync Era experienced a rug pull, involving approximately $2.13 million.
No.8 On July 31st, the BALD project on Base Chain experienced a rug pull, with the deployer profiting approximately 5,000 ETH (approximately $9.28 million).
Cryptocurrency Crime/Regulatory Cases
A total of 6 typical security incidents occurred
No.1 On July 11th, the U.S. Department of Justice announced the first criminal case involving a smart contract attack on a DEX. Shakeeb Ahmed, a senior security engineer at an international technology company, fraudulently stole approximately $9 million in cryptocurrency from exchanges and their users.
No.2 On July 18th, the Hubei police in China cracked the country's first “virtual currency case,” involving a transaction volume of 400 billion RMB.
No.3 On July 18th, Eddy Alexandr, the founder of the New York cryptocurrency trading platform EminiFX, was sentenced to nine years in prison for defrauding over 25,000 investors on the EminiFX platform, with an amount exceeding $248 million.
No.4 On July 25th, the U.S. Commodity Futures Trading Commission (CFTC) filed charges against Michael and Amanda Griffis, a couple from Tennessee, alleging that they defrauded over 100 individuals and raised over $6 million through a digital asset commodity pool called “Blessings of God Thru Crypto”.
No.5 On July 25th, the Korean prosecution indicted 49 individuals suspected of virtual asset speculation, as they illegally profited 390 billion Korean won (approximately $304 million) through virtual asset speculation.
No.6 On July 28th, a British court sentenced two cryptocurrency fraudsters to six years imprisonment for a case involving approximately £500,000.
Given the new situation in the field of blockchain security, “Beosin” summarizes as follows:
Overall, in July 2023, the number of blockchain security incidents and the amount of losses increased significantly. The total amount involved in various security incidents reached $415 million.
This month, private key leaks at Poly Network, Alphapo, and others resulted in significant losses. It is recommended that project parties establish strict private key management processes, adopt multi-signature mechanisms, and prohibit the use of private keys in networked environments.
In addition, this month witnessed a significant increase in reentrancy vulnerability attacks. It is recommended that project parties seek professional security companies for auditing before going live. Furthermore, the Vyper compiler version vulnerability that emerged this month requires joint efforts from the community to propose improvement solutions.
Additionally, rug pull incidents occurred frequently this month, and it is advised that users carefully conduct background investigations on projects and review relevant audit reports to avoid asset losses.
As a globally leading blockchain security company, Beosin has established branches in more than 10 countries and regions worldwide and offers a full range of blockchain security products and services, including code security audits before project launch, security risk monitoring, warning and prevention during project operation, recovery of stolen virtual assets, and security compliance KYT/AML. Currently, Beosin has provided security technology services to over 3,000 blockchain companies worldwide, audited over 3,000 smart contracts, and also provides security assessments for listing projects, compliance assessments that meet local regulatory requirements, VaaS automated listing audit services, exchange penetration testing services, and exchange security construction consulting services, among other security solutions.