Web3 security crisis intensifying? Beosin reveals Q3 report

Source: Beosin

Translation: LianGuaiBitpushNews Yanan


Foreword

In the rapidly developing field of Web3 blockchain technology, security and regulation have always been the focus of industry attention. In view of this, it is crucial to have a comprehensive understanding of the security landscape of Web3 blockchain and the regulatory framework of the cryptocurrency industry to ensure the security and stability of blockchain applications. This research report is a collaborative result of the Blockchain Security Alliance initiated by Beosin and SUSS NiFT, aiming to delve into the global blockchain security situation in the third quarter of 2023, highlight major Web3 events, and key regulatory policies in the cryptocurrency industry.

In this report, we will analyze in depth the global blockchain security landscape in the third quarter of 2023, covering security vulnerabilities, attack events, and noteworthy Web3 events. At the same time, we will review and summarize key regulatory policies in the cryptocurrency industry, helping readers understand the legislative and regulatory dynamics at the government and regulatory agency levels in the global blockchain field, and elucidate their impact on industry progress.

By publishing this report, we hope to provide valuable analysis and insights to readers, enabling them to better understand the dynamic evolution of the Web3 blockchain security landscape and the significant characteristics of cryptocurrency industry regulatory policies.

Global Web3 Security Statistics and Anti-Money Laundering Analysis in the Third Quarter of 2023

Author: Beosin Research Team – Mario & Donny

Data source (as of September 25): Footprint Analysis: Cryptocurrency Analysis Table

1. Overview of Web3 Security in the Third Quarter

According to statistics from Beosin EagleEye, in the third quarter of 2023, the total losses caused by hacker attacks, phishing scams, and rug pulls in Web3 amounted to 889.26 million US dollars. Among them, 43 major attacks resulted in approximately 540.16 million US dollars in losses. Phishing scams accounted for a total loss of approximately 6.615 million US dollars. There were 81 rug pulls, with a total loss of approximately 282.96 million US dollars.

The losses in the third quarter of 2023 exceeded the total losses of the first half of 2023. Losses in the first quarter of 2023 were approximately 330 million US dollars and those in the second quarter 333 million US dollars, while the third quarter reached 889.26 million US dollars.

In terms of project types, DeFi remains the most frequently targeted area. There were a total of 29 attack events involving DeFi, accounting for 67.4% of the total events. At the same time, among all projects, public chains suffered the greatest losses.

In terms of blockchain types, Ethereum suffered the most losses, reaching 227 million US dollars, and also experienced the highest number of attacks, totaling 16.

In terms of attack types, there were a total of 9 incidents of private key leakage this quarter, resulting in losses of 223 million US dollars, ranking first among all attack types.

In terms of stolen funds flow, hackers still hold 360 million US dollars (67%), and only 10% of the stolen funds have been recovered.

In terms of audit status, the proportion of audited projects and unaudited projects is roughly equal, accounting for 48.8% and 46.5%, respectively.

2. Hacker Attack Situation

43 major attacks resulting in a loss of 540.16 million US dollars

In the third quarter of 2023, Beosin EagleEye monitored a total of 43 major Web3 attack incidents, with a total loss of 540.16 million US dollars. Among them, there was 1 security incident with a loss of more than 100 million US dollars, 7 incidents with losses between 10 million US dollars and 100 million US dollars, and 9 incidents with losses between 1 million US dollars and 10 million US dollars.

Here are the attack events with losses exceeding 10 million US dollars (sorted by amount):

  • Mixin Network – 200 million US dollars

    On September 25th, Mixin officially announced that its cloud service provider’s database was hacked, resulting in a loss of approximately 200 million US dollars in assets on the main network.

  • Curve/Vyper – 73 million US dollars

    On July 30th, multiple Curve pools were attacked due to a reentrancy vulnerability in older versions of the Vyper compiler, resulting in a loss of up to 73 million US dollars, of which approximately 52.3 million US dollars were returned by the hacker.

  • CoinEx – 70 million US dollars

    On September 12th, due to the leakage of private keys, the hot wallet of the cryptocurrency exchange CoinEx was stolen, involving 211 chains and a total loss of 70 million US dollars. This attack was launched by the Lazarus Group from North Korea.

  • Alphapo – 60 million US dollars

    On July 23rd, the hot wallet of the cryptocurrency payment service provider Alphapo was stolen, with a total loss of 60 million US dollars. This attack was also launched by the Lazarus Group from North Korea.

  • Stake – 41.3 million US dollars

    On September 4th, the hot wallet of the cryptocurrency gambling platform Stake was attacked by hackers, resulting in a loss of 41.3 million US dollars. This attack was also launched by the Lazarus Group from North Korea.

  • CoinsPaid – 37.3 million US dollars

    On July 22nd, the cryptocurrency payment platform CoinsPaid was attacked by hackers, and 37.3 million US dollars in assets were stolen. The hacker spent six months tracking and studying CoinsPaid's systems, attempting various forms of attack including social engineering, DDoS, brute force cracking, and phishing. This attack was also launched by the Lazarus Group from North Korea.

  • Fortress IO – 15 million US dollars

    On August 29th, the blockchain infrastructure provider Fortress IO suffered a loss of 15 million US dollars due to a hacker attack on a third-party cloud provider.

  • Poly Network – 10.1 million US dollars

    On July 2nd, the cross-chain bridge Poly Network was attacked due to private key leakage, and the hacker made a profit of 10.1 million US dollars.

3. Types of Attacked Projects

Public chain projects suffer the most losses

In this quarter, the Mixin Network hack alone accounted for 37% of total losses, making public chains the project type with the most severe losses. Among the 43 attacks, 29 targeted the DeFi sector (67.4%), causing approximately $98.23 million in losses and making DeFi the second largest project type by losses.

Payment platforms ranked third, with two security incidents causing a total of $97.3 million in losses (Alphapo $60 million, CoinsPaid $37.3 million).

In addition to DeFi, attacked projects also include exchanges, casinos, infrastructure, cross-chain bridges, and unverified contracts. Hackers mainly target public chains, payment platforms, and casinos with large amounts of funds.

4. Involved Chains

ETH-based projects suffer the most losses and have the most security incidents

In this quarter, ETH suffered losses of up to $227 million, ranking first among all chain platforms. It also had the most security incidents, 16 in total.

Ranked second is Mixin Network, with a single security incident resulting in $200 million in losses.

The combined losses on Ethereum and Mixin account for 79% of total losses across all projects.

According to the ranking of attack frequency, the top five chains with the most security incidents are ETH (16 times), BNB Chain (10 times), Arbitrum (3 times), BTC (2 times), and Base (2 times).

5. Losses by Attack Type

9 incidents of private key leaks resulting in $223 million in losses

In this quarter, there were a total of 9 incidents of private key leaks, resulting in losses of $223 million. Private key leaks have become the type of attack with the largest losses. Among the 8 security incidents that caused losses of over $10 million this quarter, 5 were caused by private key leaks: CoinEx ($70 million), Alphapo ($60 million), Stake.com ($41.3 million), CoinsPaid ($37.3 million), Poly Network ($10.1 million).

The second-ranked type is cloud database attacks, which resulted in $200 million in losses in the Mixin Network incident.

The third-ranked type is contract vulnerability exploitation. The total losses from 22 contract vulnerabilities amounted to approximately $93.27 million.

In terms of vulnerability types, reentrancy vulnerabilities caused the largest losses in smart contract incidents, accounting for approximately 82.8% of the total losses. Business logic vulnerabilities occurred most frequently, appearing in 13 out of 22 contract vulnerabilities.

6. Analysis of Attack Types

6.1 Exactly Protocol

On August 18, 2023, the DeFi lending protocol Exactly Protocol on the Optimism chain was attacked, resulting in a loss of $7 million.

Vulnerability Analysis

Multiple market address parameters in the vulnerable contract were not validated and could be chosen freely by the caller. By passing a malicious market contract address, the attacker bypassed permission checks, executed malicious deposit functionality, stole users' USDC collateral, liquidated user positions, and ultimately profited.

Recommendations

It is recommended to add whitelist functionality for contract addresses used as LP tokens to prevent malicious manipulation.
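As an added example (not Exactly Protocol's code), the hypothetical router below shows the unchecked pattern described above next to the whitelisted form; all names and interfaces are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interfaces and contract, written for this example; they are not
// Exactly Protocol's code and only model the pattern described above.
interface IMarket {
    function asset() external view returns (address);
    function deposit(uint256 assets, address receiver) external returns (uint256 shares);
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

contract DepositRouter {
    address public immutable governance;
    // Whitelist of market contracts this router may interact with.
    mapping(address => bool) public isMarket;

    constructor() {
        governance = msg.sender;
    }

    function setMarket(address market, bool allowed) external {
        require(msg.sender == governance, "not governance");
        isMarket[market] = allowed;
    }

    // VULNERABLE pattern: the caller-supplied address is trusted as a market.
    // A contract the caller controls decides what asset() returns and what
    // runs inside deposit(), so the router's token approvals and the user's
    // allowance to the router are exercised on the caller's terms.
    function depositUnchecked(IMarket market, uint256 amount) external {
        IERC20 token = IERC20(market.asset());
        token.transferFrom(msg.sender, address(this), amount);
        token.approve(address(market), amount);
        market.deposit(amount, msg.sender);
    }

    // HARDENED: only governance-registered markets are accepted, so the
    // external calls below can only reach known market contracts.
    function deposit(IMarket market, uint256 amount) external {
        require(isMarket[address(market)], "unknown market");
        IERC20 token = IERC20(market.asset());
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        require(token.approve(address(market), amount), "approve failed");
        market.deposit(amount, msg.sender);
    }
}
```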

6.2 Vyper/Curve

On July 31, the team behind Vyper, a smart contract language for Ethereum, tweeted that the reentrancy lock was broken in versions 0.2.15, 0.2.16, and 0.3.0. Curve stated that several pools built with Vyper 0.2.15 (CRV/alETH/msETH/pETH) had been attacked, resulting in a total loss of $73 million, of which approximately $52.3 million has been returned by the hacker.

Vulnerability Analysis

This attack was mainly due to the failure of the reentrancy lock in Vyper 0.2.15. The attacker called remove_liquidity to withdraw liquidity from the affected pool and, through reentrancy, entered add_liquidity to add liquidity again. Because the pool's balances had already been updated before the reentrant add_liquidity call, the price calculation was incorrect.

Recommendations

The reentrancy locks in Vyper versions 0.2.15, 0.2.16, and 0.3.0 are all ineffective, and affected projects should check their own deployments. After launch, teams are strongly advised to follow vulnerability disclosures for third-party components and dependencies and to mitigate the resulting risks promptly.
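The pool below is an added Solidity example, not Curve's or Vyper's code: it contrasts a per-function lock, which reproduces the effect of the Vyper bug (the compiler gave the same lock key a separate storage slot in each function, so one function's lock did not block another), with a single shared lock. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ETH pool written for this example (not Curve or Vyper code). It shows
// why a reentrancy lock must be one flag shared by every guarded function: a
// lock that is effectively per-function cannot stop add_liquidity from running
// inside remove_liquidity, which is the scenario the report describes.
contract Pool {
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    // INEFFECTIVE (for contrast only, never applied below): one flag per
    // function selector. removeLiquidity's flag does not block addLiquidity.
    mapping(bytes4 => bool) private perFunctionLock;
    modifier nonReentrantPerFunction() {
        require(!perFunctionLock[msg.sig], "locked");
        perFunctionLock[msg.sig] = true;
        _;
        perFunctionLock[msg.sig] = false;
    }

    // EFFECTIVE: a single flag shared by all state-changing functions.
    uint256 private constant UNLOCKED = 1;
    uint256 private constant LOCKED = 2;
    uint256 private lockState = UNLOCKED;
    modifier nonReentrant() {
        require(lockState == UNLOCKED, "reentrant call");
        lockState = LOCKED;
        _;
        lockState = UNLOCKED;
    }

    function addLiquidity() external payable nonReentrant {
        // Shares are priced from the reserve *before* this deposit; the price
        // is only right if no other pool operation is half-finished.
        uint256 reserve = address(this).balance - msg.value;
        uint256 minted = totalShares == 0 ? msg.value : (msg.value * totalShares) / reserve;
        shares[msg.sender] += minted;
        totalShares += minted;
    }

    function removeLiquidity(uint256 amount) external nonReentrant {
        require(shares[msg.sender] >= amount, "insufficient shares");
        uint256 payout = (amount * address(this).balance) / totalShares;
        // ETH leaves before shares are burned, so the receiver runs while the
        // balance and totalShares disagree. Updating state first
        // (checks-effects-interactions) would close the window; the shared lock
        // is the second line of defence that the broken compiler lock removed.
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "transfer failed");
        shares[msg.sender] -= amount;
        totalShares -= amount;
    }
}
```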

6.3 Eralend

On July 25, 2023, the lending protocol Eralend on ZkSync was attacked, resulting in a loss of approximately $3.4 million.

Vulnerability Analysis

The main vulnerability stems from read-only reentrancy in the price oracle, which caused the loan value and the liquidation value computed by Eralend's ctoken contracts to be inconsistent. The amount that could be borrowed exceeded the amount to be repaid, so the attacker profited after borrowing and being liquidated, and repeated the process across multiple contracts to obtain a large amount of USDC.

Recommendations

When relying on SyncSwap's real-time reserves for price calculations, account for read-only reentrancy scenarios so that the price cannot be computed from inconsistent pool state within the same transaction.
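As an added example (not Eralend's or SyncSwap's code), the oracle below shows an unguarded reserve read beside one that refuses to quote while the pool's lock is held; it assumes the pool exposes its lock state through a view function, and all interfaces and names are hypothetical. Where a pool offers no such view, calling a cheap nonreentrant function on it achieves the same effect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interface to a reserves-based AMM pool. SyncSwap is named in the
// text, but this is not SyncSwap's ABI: it assumes the pool exposes its
// reentrancy-lock state through a view function.
interface IReservePool {
    function getReserves() external view returns (uint256 reserve0, uint256 reserve1);
    function locked() external view returns (bool);
}

contract ReserveOracle {
    IReservePool public immutable pool;

    constructor(IReservePool p) {
        pool = p;
    }

    // VULNERABLE: reads reserves no matter what the pool is doing. When this is
    // reached from a callback inside the pool's liquidity removal, tokens may
    // already have left the pool while the stored reserves still reflect the
    // pre-withdrawal state, so the quoted price is stale within that transaction.
    function priceUnsafe() external view returns (uint256) {
        (uint256 r0, uint256 r1) = pool.getReserves();
        return (r1 * 1e18) / r0;
    }

    // HARDENED: refuse to quote while the pool's lock is held. A view function
    // cannot acquire the lock itself, so it must observe it instead.
    function price() public view returns (uint256) {
        require(!pool.locked(), "pool operation in progress");
        (uint256 r0, uint256 r1) = pool.getReserves();
        require(r0 > 0, "empty pool");
        return (r1 * 1e18) / r0;
    }
}

// Both the borrow-side and the liquidation-side valuation go through the same
// guarded oracle, so the two values the text describes as diverging cannot be
// computed from different pool states inside one transaction.
contract LendingMarket {
    ReserveOracle public immutable oracle;

    constructor(ReserveOracle o) {
        oracle = o;
    }

    function collateralValue(uint256 collateralAmount) public view returns (uint256) {
        return (collateralAmount * oracle.price()) / 1e18;
    }

    function maxBorrow(uint256 collateralAmount, uint256 ltvBps) external view returns (uint256) {
        return (collateralValue(collateralAmount) * ltvBps) / 10_000;
    }
}
```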

7. Typical Anti-Money Laundering Security Incidents

7.1 Beosin KYT Analysis of the Attack on Stake.com

On September 4th, the Beosin EagleEye platform detected an attack on the cryptocurrency gambling platform Stake.com. After the incident, Stake.com stated that unauthorized transactions had occurred in its ETH and BSC hot wallets, and that deposit and withdrawal functions would be restored immediately once the wallets were re-encrypted.

Through analysis, the Beosin security team found that the main cause of this incident was the leakage of private keys, resulting in at least $40 million in asset losses. We used the Beosin KYT platform, a crypto-asset anti-money laundering compliance and analysis tool, to analyze this incident.

Funds flow on ETH

Step 1: After the attack, the hacker sent 6,000 ETH, 3,900,000 USDC, and 9,000,000 DAI to the address 0x3130662aece32F05753D00A7B95C0444150BCd3C.

Step 2: The hacker exchanged DAI, USDC, and other assets for ETH and deposited them into the following 4 addresses to prepare for subsequent dispersion:

  • 0xba36735021a9ccd7582ebc7f70164794154ff30e
  • 0x94f1b9b64e2932f6a2db338f616844400cd58e8a
  • 0x7d84d78bb9b6044a45fa08b7fe109f2c8648ab4e
  • 0xbda83686c90314cfbaaeb18db46723d83fdf0c83

Step 3: The hacker dispersed the funds in the aforementioned 4 addresses to more than 20 addresses, and transferred funds between addresses of the same level to increase tracking difficulty.

Step 4: The hacker deposited most of the assets, across hundreds of transactions, into the DEX THORChain, and exchanged the remaining assets for USDT through 1inch and SSwap.

It is worth noting that the hacker also deposited a small portion of the funds into Binance wallets.

Funds flow on Polygon

The hacker’s method of transferring funds on Polygon is the same as on ETH.

Step 1: The hacker sent 3,250,000 MATIC, 4,220,000 USDT, 1,780,000 USDC, and 70,000 DAI to the address 0xfe3f568d58919b14aff72bd3f14e6f55bec6c4e0.

Step 2: The hacker exchanged the assets for MATIC and deposited them into the following 4 addresses:

  • 0x32860a05c8c5d0580de0d7eab0d4b6456c397ce2
  • 0xa2e898180d0bc3713025d8590615a832397a8032
  • 0xa26213638f79f2ed98d474cbcb87551da909685e
  • 0xf835cc6c36e2ae500b33193a3fabaa2ba8a2d3dc

Step 3: The hacker dispersed the funds in the aforementioned 4 addresses to more than 20 addresses, and transferred funds between addresses of the same level.

Step 4: The hacker sent the assets dispersed in hundreds of transactions to SquidRouter for cross-chain transfers.

Funds flow on Binance Smart Chain (BSC)

Step 1: Similar to ETH and Polygon, the hacker sent 7,350,000 BSC-USD, 1,800,000 USDC, 1,300,000 BUSD, 300,000 MATIC, 12,000 BNB, 2,300 ETH, and 40,000 LINK from the Stake wallet to the address 0x4464e91002c63a623a8a218bd5dd1f041b61ec04 on the BNB Chain.

Step 2: The hacker converted the assets to BNB and deposited them into the following four addresses:

  • 0xff29a52a538f1591235656f71135c24019bf82e5
  • 0x95b6656838a1d852dd1313c659581f36b2afb237
  • 0xe03a1ae400fa54283d5a1c4f8b89d3ca74afbd62
  • 0xbcedc4f3855148df3ea5423ce758bda9f51630aa

Step 3: The hacker dispersed the funds from the above four addresses to over 20 different addresses and transferred them between addresses of the same level.

Step 4: The hacker sent the assets scattered across hundreds of transactions to OKX DEX or the BNB token hub for cross-chain transfers, or exchanged them for BUSD, continually obscuring the trail of funds.

It is worth noting that the hacker also transferred a small portion of the funds to the OKX wallet.

On September 5th, Stake.com announced that all platform services had been restored and that deposit and withdrawal requests for all currencies were being processed in real time. The incident resulted in the theft of $15.7 million from Stake.com on Ethereum and $25.6 million on the BNB Chain and Polygon networks. It also prompted Stake.com to strengthen its security measures, including tightening private key management and implementing additional safeguards to protect user assets.

At the same time, Beosin will continue to provide state-of-the-art security auditing and risk monitoring solutions, providing reliable protection for cryptocurrency holders and trading platforms. This incident sounded the alarm for the entire cryptocurrency industry, highlighting the importance of security. It further promotes the development of security technology and compliance measures to ensure the security of user digital assets.

7.2 Unveiling the fund flow behind the JPEX controversy

On September 13, 2023, the Hong Kong Securities and Futures Commission (SFC) issued a statement entitled "Unregulated Virtual Asset Trading Platform," stating that the virtual asset trading platform JPEX holds no SFC license and has not applied for one. The next day, the JPEX community discovered that the platform's withdrawal limit was only 1000 USDT while the withdrawal fee was as high as 999 USDT. On September 19, 2023, the SFC held a press conference revealing that JPEX had stopped its trading business.

Currently, the investigation into this incident is still ongoing. We used Beosin KYT to track the relevant addresses of JPEX and analyzed the flow of funds, as follows:

Fund flow of JPEX on Ethereum

The deposit wallet address of JPEX on Ethereum is 0x50c85e5587d5611cf5cdfba23640bc18b3571665; assets deposited by users on the JPEX platform are automatically collected in this address. On Ethereum, USDT is then transferred to the withdrawal wallet address 0x9528043B8Fc2a68380F1583C389a94dcd50d085e.

The deposit wallet 0x50c8 shows no fund transfers or other activity after its last transaction at 01:37 on September 19, 2023, and had been dormant for more than 24 hours.

Around 5:00 pm on September 18, 2023, the USDT withdrawal wallet 0x9528 transferred 100,000 USDT to three deposit addresses of the FixedFloat exchange (which requires no KYC). After that, there was no further fund transfer activity from this address.

In addition to USDT, the ETH held by JPEX-related addresses is distributed as follows:

  • 0x50c85e5587d5611cf5cdfba23640bc18b3571665: 641 ETH
  • 0x31030a8C7E3c8fD0ba107e012d06f905CD080eD9: 320 ETH
  • 0x87E1E7D3ee90715BCE8eA12Ef810363D73dc79FB: 400 ETH
  • 0xcd19540f8d14bEbBb9885f841CA10F7bF5A71cAC: 350 ETH
  • 0x22E70793915625909E28162C8a04ffe074A5Fc98: 400 ETH
  • 0xd3528B66C3e3E6CF9C288ECC860C800D4CB12468: 200 ETH

Detailed chart of ETH and USDT fund flow:

Bitcoin flow on JPEX

Bitcoin is distributed among various JPEX-related addresses on the Bitcoin blockchain as follows:

  • 3LJVASCfNRm9DEmHYaRbWhiKVSg14JqarS: 28 BTC
  • 32JWJvigxttRmfYYcXEsCFScibnVU3bD92: 20 BTC
  • 381agNrmetRakEsfz9oD1XGvwgR9Q6y6fa: 30 BTC
  • 3LhYzsTZadkXaf6qsYQoP65ynGiiDv5XGU: 20 BTC
  • 3KBnBZTNGkbqEaQV6jb6oGxoiMHwmVLoGM: 25 BTC
  • 3A6G8gkxY9zgkRCHorSLvcj49J6Cp5TVBx: 33 BTC

Detailed chart of BTC fund flow:

As of now, JPEX has not officially responded to the allegations on public social platforms such as Twitter. The JPEX incident has been condemned by the entire crypto community, and many investors have posted on Twitter demanding lower fees and the restoration of withdrawal limits. JPEX's conduct may expose it to stricter investigation by the Hong Kong Securities and Futures Commission.

In the JPEX incident, we used Beosin KYT to analyze and interpret on-chain data, revealing the fund flows of the JPEX platform and showing how users can analyze on-chain data themselves to protect their assets. The incident has drawn widespread attention in the industry and is a reminder to users to safeguard their digital assets.

8. Stolen fund flow

About $360 million stolen funds are still held by hacker addresses

Of the funds stolen this quarter, $360 million (67%) is still held by hacker addresses. $99.27 million (18.4%) was sent to mixers: $9.17 million to Tornado Cash and $90.1 million to other mixers such as FixedFloat and Sinbad.

Only $54.4 million in assets was recovered this quarter, just 10% of the stolen amount. Compared to the first half of the year, the recovery rate declined significantly, mainly due to the frequent activity of the North Korean Lazarus group, which stole $208 million in assets. This group is skilled at using sophisticated money laundering techniques to clean stolen funds, and in such cases even professional security teams are unable to trace the stolen assets to their destination or recover them.

9. Analysis of Audit Status

The proportion of audited and unaudited projects is roughly equal

Among the 43 attacked projects, the proportion of audited and unaudited projects is roughly equal, accounting for 48.8% and 46.5% respectively. Among the 22 projects attacked due to contract vulnerabilities, 14 projects (63.6%) were unaudited.

10. Rug Pulls

There were 81 rug pulls this quarter, resulting in a total loss of $282 million.

In the third quarter of 2023, a total of 81 rug pulls were monitored, involving a loss of $282 million.

Projects with losses exceeding $10 million include: Multichain ($210 million), Bald ($23 million), and Pepe ($15.5 million).

Rug pulls mainly occurred on Ethereum (42 cases) and BNB Chain (33 cases), with a further 4 cases on the Base chain.

11. Summary

Compared to the first two quarters of 2023, the total losses caused by hacker attacks, phishing scams, and rug pulls in the third quarter increased significantly, reaching $889.26 million. The third-quarter total even exceeded the sum of the previous two quarters. The data above shows that the Web3 security situation remains far from optimistic.

This quarter, the North Korean APT group Lazarus was highly active, stealing over $208 million across four attack incidents and becoming the biggest threat to Web3 security this quarter. According to the investigation by one of the attacked projects, CoinsPaid, Lazarus spent half a year trying to penetrate CoinsPaid's systems and find vulnerabilities, using methods including social engineering, DDoS, brute force attacks, and phishing. Finally, they used a forged job invitation to lure an employee into downloading malicious software and stole the private key. Lazarus is adept at attacking platforms holding large amounts of funds by exploiting human weaknesses. Crypto service providers must therefore remain vigilant, train employees regularly, strengthen security measures, and establish comprehensive monitoring and alerting systems.

Of the 43 attack incidents, 22 still originated from smart contract vulnerabilities. We recommend that project teams seek help from professional security audit companies before going live.

Losses from rug pulls increased significantly this quarter. In project announcements, terms such as "internal disputes" and "force majeure" appear frequently. Even projects with abundant funds and a large user base are exposed to the risk of being manipulated. Users are advised to manage their risk carefully and stay up to date with project developments. Users can look up the security information and latest updates of projects on Beosin's EagleEye platform before investing in new projects.

Contact Us

If you need any blockchain security services, please feel free to contact us:


This article is from LianGuai: https://www.bitpush.news/articles/5181878, please indicate the source for reproduction.
