This article is co-published by Dilation Effect and Wu Shuo Blockchain
🧐Dilation Effect's flash review of mainstream exchange and institutional wallet addresses https://t.co/O4kpHVA1cr
— Dilation Effect (@dilationeffect) May 29, 2023
Mainstream exchanges and institutions have undoubtedly invested a lot of money and manpower in security. Dilation Effect cannot know the security level and implementation details inside these institutions, but out of curiosity we wanted to use public information to do a simple analysis of their wallet addresses, and to find out, from the perspective of an ordinary user, whether there are potential security risks and how large the potential risk exposure is.
The data for this flash review comes from public services such as Etherscan and Debank.
1. Selection of analysis objects
Look at the Top 1000 Accounts on Etherscan and select the tagged institutional addresses.
2. Selection of analysis dimensions
Since we do not know the technical details of how these exchanges and institutions generate and manage wallets, how can we analyze the security of their addresses? The dimension Dilation Effect selected this time is the contract authorization status of these addresses, that is, their ERC-20 token approvals (which token is approved to which contract, and with what allowance).
It is common for an address to lose funds because a malicious contract obtained an approval or because an approved contract had a vulnerability. Limiting approval allowances and regularly revoking approvals that are no longer needed has become best security practice. So how do these large exchanges handle address authorization? We randomly selected a few addresses for analysis.
Binance 8 (0xF977814e90dA44bFA03b6295A0616a897441aceC)
This is Binance’s wallet address with the largest balance, with a total value of 10 billion USD on the ETH chain and 16.1 billion USD on other chains. Screenshots of some assets are as follows:
Checking the contract authorization status of this address on the ETH chain, the potential exposure is 3.2 billion USD. Of course, this does not mean there is a definite security risk; it only describes the possible risk exposure.
So let’s take a closer look at how this address is authorized, such as which currency is authorized to which contract, and what is the authorization limit. The following is an excerpt of some query results.
At this point we notice a strange phenomenon: some tokens on this address have limited authorization quotas while others have no limit at all, so the authorization rules do not appear to be unified. We pay special attention to several tokens with large balances: BUSD, Matic, SHIB, and SAND, with balances of 1.9 billion, 460 million, 260 million, and 140 million US dollars respectively. The relevant authorization records are as follows:
There are several obvious problems here:
First, authorizations to contracts are not cleaned up regularly. For example, the BUSD contract authorization has not been revoked for more than two years, either because it was not noticed or because it was considered unnecessary. This shows that Binance lacks systematic coverage in its internal security management. Some people may say that the authorized contracts have been analyzed and found to have limited operations and to be relatively safe. But what we want to say is that this is not purely a technical problem; it is more a security management problem, namely how Binance should comprehensively and systematically manage the risk brought by third-party contracts. We believe it can be stricter and deeper. In fact, if you look closely, you will find that Aave: Lending Pool V2 is an upgradable proxy contract. If (I mean if) the Aave contract is attacked, the loss here is 1.9 billion US dollars.
Second, a large number of token authorization quotas are unlimited. In the extreme case where the corresponding contract is attacked, a restricted allowance would reduce the loss accordingly. This also shows that Binance lacks systematic coverage in its internal security management. Of course, you may say these are all extreme cases, but in the crypto industry many low-probability events have already happened. We need to increase risk sensitivity, and it is necessary to maintain an extreme aversion to risk.
Third, the token authorization rules are not uniform: some tokens have a limited quota while others have no limit. This shows that Binance's internal security management operations are unclear, or that the internal team has not done a good job of dividing and coordinating the work.
In addition, we are also curious why an address with such a huge asset balance participates in DeFi contract operations so frequently. Could Binance adopt more granular address planning and isolation design?
Kucoin 6 (0xD6216fC19DB775Df9774a6E33526131dA7D19a2c)
This is Kucoin’s exchange address, which has $1.7 billion on the ETH chain and $1.9 billion on other chains. The asset screenshot of this address can be seen below:
Checking the authorization status of this address on the ETH chain, it is found that there is a potential risk of $1.1 billion. Similarly, this does not mean that there is necessarily a security risk, but rather a possibility of potential risk exposure.
Let’s take a closer look at the authorization status of Kucoin’s address.
Wow! We have found some interesting things again.
1. The APE token on this address was authorized to Multichain's cross-chain Router contract on April 2, 2022. Everyone should know that a force majeure event occurred at Multichain a few days ago, yet Kucoin did not immediately revoke the authorization to the Multichain contract. This shows that Kucoin still has room for improvement in emergency risk response.
2. Large amounts of tokens on this address, including USDT ($500 million), USDC ($290 million), and KCS ($480 million), were all authorized to a contract named Bridge, and the allowance was completely unlimited. A simple analysis found that Bridge is a cross-chain bridge contract of KuCoin's community chain KCC, but no relevant security audit report could be found on KCC's official website, which is worrying. Do you still remember the BNB Chain's 2 million BNB attack incident?
Jump Trading (0xf584F8728B874a6a5c7A8d4d387C9aae9172D621)
This is the address of the institution Jump Trading, which has $140 million on the ETH chain and $150 million on other chains. The asset screenshot of this address can be seen below:
Checking the authorization status of this address on the ETH chain, it is found that there is a potential risk of $25 million. Similarly, this does not mean that there is necessarily a security risk, but rather a possibility of potential risk exposure.
Let’s take a closer look at the authorization of Jump Trading’s address.
It can be seen that there are not many authorizations for the tokens on this address, and the vast majority of them have limited amounts, so overall management is still good.
However, USDC was authorized to the Curve contract on 2021-02-04 without a limit and the approval has not been cancelled. This deserves a reminder: if the corresponding contract operation is no longer needed, it is recommended to revoke the authorization for this contract immediately.
This flash evaluation ends here. Dilation Effect randomly selected several exchange and institutional addresses for analysis. From the results, these institutions are not doing very well in terms of contract authorization, and we hope our analysis can serve as a reference for the relevant institutions. Exchanges and institutions whose addresses were not selected can also follow the analysis process above to check for similar problems.
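The three checks the review applies (unlimited allowance, stale approval, inconsistent quota policy) and the exposure figure reported by services such as Debank can be reproduced with a small script. The following is an added example, not code from Dilation Effect or from any of the services named; the approval records, balances and prices are constructed sample values, and the spender labels are placeholders except where the article's own label is reused.

```python
from datetime import date

UNLIMITED = 2**256 - 1  # max uint256: the allowance value that "unlimited" approvals set

# Constructed sample approvals for one wallet: (token, spender label, allowance in base
# units, date of the latest Approval event). Illustrative values, not on-chain data.
SAMPLE_APPROVALS = [
    ("BUSD", "Aave: Lending Pool V2", UNLIMITED, date(2021, 3, 1)),
    ("BUSD", "0xROUTER_PLACEHOLDER", 1_000_000 * 10**18, date(2023, 5, 20)),
    ("USDC", "Curve pool (placeholder)", UNLIMITED, date(2021, 2, 4)),
    ("SAND", "Staking contract (placeholder)", 2_000_000 * 10**18, date(2023, 4, 10)),
]
# Constructed balances (base units), token decimals and USD prices per whole token.
SAMPLE_BALANCES = {"BUSD": 1_900_000_000 * 10**18, "USDC": 50_000_000 * 10**6,
                   "SAND": 140_000_000 * 10**18}
DECIMALS = {"BUSD": 18, "USDC": 6, "SAND": 18}
SAMPLE_PRICES = {"BUSD": 1.0, "USDC": 1.0, "SAND": 0.5}


def audit_approvals(approvals, balances, decimals, prices, today, max_age_days=365):
    """Return (findings, exposure_usd). Findings are (kind, token, spender) tuples for
    unlimited allowances, approvals older than max_age_days, and a mixed quota policy."""
    findings, allowed_per_token = [], {}
    for token, spender, allowance, approved_at in approvals:
        if allowance == UNLIMITED:
            findings.append(("unlimited", token, spender))
        if (today - approved_at).days > max_age_days:
            findings.append(("stale", token, spender))
        allowed_per_token[token] = allowed_per_token.get(token, 0) + allowance
    # Policy is "mixed" when the wallet uses both unlimited and limited allowances.
    if len({a == UNLIMITED for _, _, a, _ in approvals}) == 2:
        findings.append(("mixed_policy", "*", "*"))
    exposure = 0.0
    for token, total_allowance in allowed_per_token.items():
        # Approved spenders can drain at most the balance, however large the allowance.
        at_risk = min(balances.get(token, 0), total_allowance)
        exposure += at_risk / 10 ** decimals[token] * prices[token]
    return findings, exposure


def run_sample():
    # The review date is taken as 29 May 2023, the date of the tweet.
    return audit_approvals(SAMPLE_APPROVALS, SAMPLE_BALANCES, DECIMALS,
                           SAMPLE_PRICES, date(2023, 5, 29))


if __name__ == "__main__":
    findings, exposure = run_sample()
    for kind, token, spender in findings:
        print(f"{kind:12} {token:5} {spender}")
    print(f"potential exposure: ${exposure:,.0f}")
```

Real approval data would be obtained by decoding the ERC-20 `Approval(owner, spender, value)` events for the wallet or by calling `allowance(owner, spender)` on each token; the audit function itself does not change.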
About Dilation Effect
Dilation Effect is a newly established Web3 security community composed of network security technology enthusiasts from all over the world, dedicated to sharing objective and neutral Web3 security opinions.
Dilation Effect was the first team in the industry to point out the risk of asset theft when iPhone users download wallet applications using shared Apple IDs. It also exclusively disclosed potential risks in Prime Protocol, the DeFi cross-chain lending protocol invested in by Jump, and the Prime Protocol team made rapid repairs.
Dilation Effect will continue to release various Web3 security opinions, comment on the security of Web3 products and protocols in the industry, provide timely and effective security reminders to ordinary users, and gradually provide free network security assistance to Web3 users.
Follow https://twitter.com/dilationeffect for more information.