Editor’s note: This article comes from Vernacular Blockchain, author: Cheetah Blockchain Security, and is published with authorization by Planet Daily.
In the blockchain industry, security is the most fundamental problem. You may have heard sayings like “one line of code lost billions” and “a year’s work taken by hackers in a night”. Because blockchain development is still in its early days, and code that is on the chain cannot be tampered with once deployed, the industry has become the area hardest hit by hackers.
Today we take stock of the security incidents that occurred in the blockchain industry in September and October of this year, to help you understand the industry’s security problems.
01 Winning the jackpot with an exploit
DEOS Games is a decentralized gambling “game” running on the EOS blockchain. On September 9th, a DEOS Games user named “Running Snail” carried out a strikingly successful operation: betting a cumulative $1000 worth of EOS, 10 EOS at a time, he won the jackpot within 30 seconds each time, and repeated the operation many times.
1, Scale of loss: about $24000 worth of EOS.
2, Attack vector: smart contract vulnerability.
3, Incident review and security analysis
Less than an hour after DEOS Games was created, 24 transfers were made to EOS accounts, and these accounts were not created on the same day as the contract. According to EOS records, each malicious account that sent 10 EOS received 20 times that amount from the contract. In other words, the hackers used a loophole in the game to win the jackpot every time, and the total return on the attack was about 20 times its cost.
DEOS Games commented officially on Twitter: “This was a very good stress test; the contract level of our project has improved significantly.”
At present it is unclear which loophole in the DEOS Games contract the hackers used, or whether there are other vulnerabilities in the EOS kernel.
The reaction of the DEOS Games team after the attack is hard to understand. They did not state how their community monitors for hacker attacks, even though, by common sense, a simple monitoring script can detect this kind of abnormal behaviour.
We assume that DEOS Games lacked game testing tools; the deeper reasons behind the attack are worth questioning, and it cannot be ruled out that the team itself was acting as the house (“zuozhuang”) and is suspected of “harvesting” ordinary investors.
At present the risk of this kind of gambling game is too high; we recommend that most users invest rationally and choose carefully.
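The analysis above says that a simple monitoring script could have caught the pattern (the same account staking 10 EOS and collecting about 20 times that, over and over, within seconds). The following is an added example of such a monitor, written for this article and not code from DEOS Games; the bet record layout (timestamp, account, stake, payout), the account names, the amounts and the alert thresholds are all constructed assumptions. It flags an account whose payouts over a sliding time window exceed its stakes by more than a chosen multiple, or that wins an implausible number of bets in a row.

```python
"""Payout-anomaly monitor for a dice-style game (constructed example).

Each record is one settled bet: (timestamp_seconds, account, stake, payout).
Two rules fire alerts:
  * payout/stake ratio over a sliding window above max_ratio (a fair game
    pays out close to 1x on average, so a sustained 20x is not luck);
  * more than max_streak consecutive winning bets.
Thresholds and field names are assumptions, not any platform's real rules.
"""
from collections import defaultdict, deque


def find_suspicious(bets, window_s=300, min_bets=5, max_ratio=3.0, max_streak=6):
    """Return {account: [reasons]} for every account that trips a rule."""
    per_account = defaultdict(list)
    for ts, acct, stake, payout in bets:
        per_account[acct].append((ts, stake, payout))

    alerts = {}
    for acct, rows in per_account.items():
        rows.sort()                      # chronological order per account
        window = deque()                 # bets inside the last window_s seconds
        staked = paid = 0
        streak = best_streak = 0
        peak_ratio = 0.0
        for ts, stake, payout in rows:
            window.append((ts, stake, payout))
            staked += stake
            paid += payout
            # Drop bets that fell out of the sliding window.
            while ts - window[0][0] > window_s:
                _, old_stake, old_payout = window.popleft()
                staked -= old_stake
                paid -= old_payout
            # Only judge the ratio once there are enough bets to be meaningful.
            if len(window) >= min_bets and staked > 0:
                peak_ratio = max(peak_ratio, paid / staked)
            streak = streak + 1 if payout > stake else 0
            best_streak = max(best_streak, streak)

        reasons = []
        if peak_ratio > max_ratio:
            reasons.append(f"payout/stake ratio {peak_ratio:.1f}x within {window_s}s")
        if best_streak > max_streak:
            reasons.append(f"{best_streak} consecutive winning bets")
        if reasons:
            alerts[acct] = reasons
    return alerts


# Constructed sample data: one account that wins 20x on every bet, 30 s apart,
# and one ordinary player who wins 2 of 8 bets at 2x.
SAMPLE_BETS = [(t, "runningsnail", 10, 200) for t in range(0, 240, 30)]
SAMPLE_BETS += [
    (t, "honestplayer", 10, 20 if i in (1, 3) else 0)
    for i, t in enumerate(range(0, 240, 30))
]

if __name__ == "__main__":
    for account, reasons in find_suspicious(SAMPLE_BETS).items():
        print(account, "->", "; ".join(reasons))
```

In a real deployment the records would come from the chain’s action history, and the alert would go to an on-call channel or pause the contract’s payouts; the point is that the pattern the article describes is visible from nothing more than stakes and payouts per account.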
02 The EOS counterfeit-token incident
Newdex is a decentralized trading platform based on the EOS blockchain, launched on August 8th. It claims a transaction speed comparable to centralized exchanges, and it never touches users’ private keys; transactions are signed through the user’s wallet, in order to protect the safety of assets.
But a little more than a month after launch it ran into the “EOS counterfeit-token incident”. Through this incident, outsiders began to question whether Newdex is truly decentralized.
1, Scale of loss: $58000 (11803 EOS).
2, Incident review and security analysis
At 14:01:45 on September 14, 2018, the EOS account “oo1122334455” issued 1 billion fake EOS and transferred all of it to the “dapphub12345” account.
The fake EOS then went from “dapphub12345” to the “iambillgates” account (the attack account). Starting at 14:21:37, “iambillgates” repeatedly used 1 fake EOS to place buy orders for ADD and IPOS tokens, and succeeded.
Having bought other tokens, “iambillgates” immediately moved the illegally obtained tokens into the “xx1234512345” and “x12345x12345” accounts; finally, “xx1234512345” placed sell orders for some of the illegally obtained tokens on the Newdex market, selling them for a total of 4028 real EOS. These were then sent to Bitfinex and other cryptocurrency exchanges.
This fake-EOS incident caused Newdex users a total loss of 11803 EOS. The Newdex team apologized for the incident, responsibly decided to bear the total loss, and immediately fixed the related problems and restored normal operation.
Further investigation of the Newdex infrastructure showed that Newdex did not use a smart contract to verify the tokens users sent.
In this incident, the hackers traded fake tokens against native EOS, causing a serious devaluation of EOS within the Newdex system.
Why could the hackers succeed? Because Newdex did not verify the authenticity of tokens through its smart contract. Its trades were matched on a central server, and the system handling transactions did not even check the token and verify the authenticity of the deposit.
The most basic feature of a decentralized trading platform is that users hold their own keys. Since users are in control, only the user can spend the money in the wallet, and a vulnerability in the trading platform should not be able to cause them to lose money.
So here we suggest conducting a detailed investigation when choosing a trading platform.
03 Japanese trading platform robbed
On September 19, 2018, the Zaif exchange of Osaka-based Tech Bureau Corp had Bitcoin, MonaCoin and Bitcoin Cash stolen, with the stolen digital currency worth 60 million dollars.
1, Scale of loss: 60 million dollars.
2, Digital currencies stolen: Bitcoin, MonaCoin and Bitcoin Cash.
3, Incident review and security analysis
After September 14, 2018, the Zaif trading platform closed user access to its service. According to Zaif, the reason for shutting down the service was that between 17:00 and 19:00 on September 14th it discovered an illegal intrusion into its hot wallet. After verification, the hackers’ illegal actions resulted in the theft of $59 million worth of BTC, Bitcoin Cash and MonaCoin.
Zaif has not released details of the attack in its announcement; it has asked the Japanese authorities to help investigate the theft. In fact, before this attack, Japan’s Financial Services Agency (FSA) had already sent Zaif early warnings, on March 8th and June 22nd respectively, about its internal management system and security measures.
Immediately after the theft, Japan’s Financial Services Agency (FSA) issued Tech Bureau, Zaif’s parent company, its third business improvement order of this year. But Zaif had not taken any action on the FSA’s recommendations.
According to what Zaif revealed to the authorities, the cause of the incident was actually that an exchange employee’s computer was hacked. On November 22nd, the Zaif trading platform’s virtual currency business was transferred to the FISCO group, and FISCO will take over compensating the users whose money was stolen.
It needs to be emphasized that this incident is one of the biggest losses in the history of cryptocurrency security incidents.
From all the signs on the surface, the cause of the incident was most likely that a Zaif employee’s computer was successfully compromised by hackers using a phishing site. For a digital currency exchange, making such a mistake is not acceptable.
We believe this incident has sounded the alarm for digital currency exchanges: security awareness is the foundation of a digital currency exchange, and every exchange should make network security training a requirement before new employees start work.
5, Other similar attacks
In July 2017, hackers used the same method against Bithumb to steal millions of dollars worth of cryptocurrency, and customer data was leaked as a result.
04 Hackers with a conscience: the stolen tokens returned
SpankChain is an adult-entertainment blockchain project built on the Ethereum public chain. The team said in a blog post on October 9th that it had suffered a hacker attack on October 6th, losing 165.38 ETH (about $38 thousand at the time), with another $4000 worth of BOOTY tokens frozen.
1, Scale of loss: more than $40000 (the lost ETH and BOOTY tokens combined, at the prices of the time).
2, Attack vector: reentrancy vulnerability in the smart contract.
3, Incident review and security analysis
The attack exploited a reentrancy vulnerability in SpankChain’s smart contract, similar to the vulnerability in the famous The DAO incident.
The technical team discovered that the contract had been hacked 24 hours after the attack occurred; the SpankChain team immediately shut down its official website.
On October 12th, the hacker proactively contacted SpankChain’s CEO and returned the 165.38 ETH to the team; the hacker also helped SpankChain recover the roughly 4000 BOOTY frozen by the attack. In return, the SpankChain team gave the hacker a reward.
The blockchain community’s reaction to the SpankChain event was quite intense, most likely because the hackers used the same reentrancy loophole as in the famous attack.
Reentrancy is essentially recursion: a function makes an external call that results in the function itself being called again, in a loop. The most fundamental fix for reentrancy vulnerabilities is to apply all state changes before the transfer, rather than during or after it.
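To make the ordering rule above concrete, here is an added example (not SpankChain’s or The DAO’s code) that models a withdraw function in plain Python. The “bank” keeps a balance ledger and pays out through a call that hands control to the receiver before it returns, as a value transfer to a contract does on Ethereum. With the vulnerable ordering, the receiver re-enters withdraw while its balance entry is still unchanged and drains the vault; with the state update moved before the call, the re-entry finds a zero balance and stops. The contract names, the deposit amounts and the re-entry depth limit (standing in for the gas limit) are constructed.

```python
"""Reentrancy modelled in Python: vulnerable ordering beside the fixed one.

Constructed example. Bank.withdraw pays the caller its whole credited
balance through receiver.receive(), which runs receiver code before
withdraw returns, the way an Ethereum value transfer to a contract does.
"""


class Bank:
    def __init__(self, update_state_first: bool):
        self.balances = {}                # receiver object -> credited amount
        self.vault = 0                    # funds the contract actually holds
        self.update_state_first = update_state_first

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.vault += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.vault:
            return                        # nothing owed, or vault already empty
        if self.update_state_first:
            # Checks-effects-interactions: zero the balance BEFORE the external
            # call, so any re-entry sees amount == 0 and returns immediately.
            self.balances[who] = 0
            self.vault -= amount
            who.receive(self, amount)
        else:
            # Vulnerable ordering: external call first, bookkeeping afterwards.
            self.vault -= amount
            who.receive(self, amount)
            self.balances[who] = 0


class Honest:
    """An ordinary depositor whose receive hook just records the payout."""
    def __init__(self):
        self.received = 0

    def receive(self, bank, amount):
        self.received += amount


class Reentrant:
    """A receiver whose hook calls back into withdraw; max_depth stands in for
    the gas limit that eventually stops the recursion on a real chain."""
    def __init__(self, max_depth=10):
        self.received = 0
        self.depth = 0
        self.max_depth = max_depth

    def receive(self, bank, amount):
        self.received += amount
        if self.depth < self.max_depth:
            self.depth += 1
            bank.withdraw(self)           # re-enter while balances[self] is stale
            self.depth -= 1


def simulate(update_state_first, honest_deposit=100, attacker_deposit=10):
    """Run one deposit/withdraw round and report who ended up with what."""
    bank = Bank(update_state_first)
    honest, reentrant = Honest(), Reentrant()
    bank.deposit(honest, honest_deposit)
    bank.deposit(reentrant, attacker_deposit)
    bank.withdraw(reentrant)              # the re-entering withdrawal
    bank.withdraw(honest)                 # the victim tries to withdraw afterwards
    return {"reentrant_got": reentrant.received,
            "honest_got": honest.received,
            "vault_left": bank.vault}


if __name__ == "__main__":
    print("vulnerable:", simulate(update_state_first=False))
    print("fixed:     ", simulate(update_state_first=True))
```

With the vulnerable ordering the re-entering receiver collects the whole 110 and the honest depositor gets nothing; with the state update first it collects only its own 10 and the honest depositor’s 100 is still there. In Solidity the same rule reads: decrement the balance, then send, and treat every external call as a point where arbitrary code may run.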
In fact, before a project goes on chain, spending a small fee on a security audit of its smart contracts can very effectively avoid such things.
On a blockchain there is no concept of deleting or modifying a contract; once deployed to the public chain it cannot be tampered with, and tens of thousands of hackers worldwide can take their time searching it for holes. For the blockchain industry, a security audit is an essential process.
At present it is unclear why the hacker returned the stolen money. This may be a comfort to the victims, but things do not always turn out this way.
We hope that after this incident, project teams and exchanges will be alert to the importance of security audits.
5, Other similar attacks
The DAO hack: one of the most notorious events in Ethereum’s history, which caused a hard fork of the Ethereum blockchain, splitting it into Ethereum and Ethereum Classic.
05 EOSBet attacked twice
EOSBet is a gaming platform on EOS. It suffered two hacker attacks, on September 14th and October 15th, with losses of 44427.4302 EOS and 138319.7995 EOS respectively.
1, Scale of loss: $200000 + $338000 (all losses in EOS).
2, Attack vector: exploitation of smart contract vulnerabilities.
3, Incident review and security analysis
On September 14th, EOSBet was hacked. The EOSBet team stated officially: “This attack was not simple; we are gathering evidence and piecing together what happened.”
According to the analysis of The Next Web, “the hacker attack used a fake hash to call the ‘transfer’ function from outside”.
After the attack, an EOS account with a name very similar to EOSBet’s official account sent a small amount of EOS to the attacker’s address, asking for the return of the stolen funds and claiming that if they were not returned, a team of lawyers would be hired to hunt down and prosecute the attackers.
On September 16th, EOSBet came back online and released a detailed official report on the attack, promising that all loopholes in the contract had been repaired and that it was now very safe.
A month later, hackers exploited a payee-check loophole in the EOSBet contract, forging transfer notifications, and took a total of 138319.7995 EOS from “eosbetdice11”. Of this, 72150 EOS went to Bitfinex and 65100 EOS to Poloniex. At the current EOS price, the EOSBet platform lost over 5 million yuan.
The company reports that it is working with the two exchanges to recover the funds.
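The Newdex incident (section 02) and the second EOSBet attack (the “forged transfer notification” above) both come down to a missing check on the transfer notification an EOS contract receives: Newdex accepted a token that merely carried the symbol “EOS” without checking which contract issued it, and EOSBet accepted a notification of a real EOS transfer whose recipient was not EOSBet. The following is an added example written for this article, not code from Newdex, EOSBet or the EOS project, that models such a deposit handler in Python. The notification layout (code, sender, to, amount, symbol, memo), the account names and the amounts are constructed; on EOS the equivalent checks are made on the `code` and `to` values the contract receives.

```python
"""Deposit validation for an EOS-style contract (constructed example).

An EOS contract learns about an incoming transfer through a notification that
carries which account's contract executed the action ('code') plus the
transfer fields (sender, to, quantity). A deposit handler must check all of:
  * code is the real token contract  (rejects a counterfeit 'EOS' symbol
    issued by some other contract, the Newdex case);
  * to is our own account            (rejects a genuine transfer to a third
    party that forwarded the notice, the EOSBet case);
  * sender is not us, symbol and amount are what we expect.
Amounts are integers in units of 0.0001 EOS.
"""
from dataclasses import dataclass

REAL_TOKEN_CONTRACT = "eosio.token"   # the system token contract on EOS
SELF = "exampledapp1"                  # hypothetical name of our own contract


@dataclass(frozen=True)
class TransferNotice:
    code: str        # account whose contract executed the transfer action
    sender: str
    to: str
    amount: int      # 0.0001 EOS units
    symbol: str
    memo: str = ""


def validate_deposit(n: TransferNotice, self_account=SELF,
                     token_contract=REAL_TOKEN_CONTRACT):
    """Return (accepted, reason). A deposit is credited only if every check passes."""
    if n.code != token_contract:
        return False, "token not issued by the real token contract"
    if n.to != self_account:
        return False, "notification not addressed to us (forwarded)"
    if n.sender == self_account:
        return False, "outgoing transfer, not a deposit"
    if n.symbol != "EOS":
        return False, "unexpected symbol"
    if n.amount <= 0:
        return False, "non-positive amount"
    return True, "ok"


def credit_deposits(notices, ledger=None):
    """Apply validate_deposit to each notice; return (new ledger, rejections)."""
    ledger = dict(ledger or {})
    rejected = []
    for n in notices:
        ok, reason = validate_deposit(n)
        if ok:
            ledger[n.sender] = ledger.get(n.sender, 0) + n.amount
        else:
            rejected.append((n.sender, reason))
    return ledger, rejected


# Constructed sample notifications, one per case discussed in the article.
SAMPLE_NOTICES = [
    TransferNotice("eosio.token", "alice", SELF, 100000, "EOS", "bet"),          # genuine 10 EOS
    TransferNotice("faketoken111", "mallory", SELF, 10000, "EOS", "bet"),        # counterfeit symbol
    TransferNotice("eosio.token", "mallory", "otherdapp111", 10000, "EOS", "bet"),  # forwarded notice
    TransferNotice("eosio.token", SELF, "alice", 50000, "EOS", "payout"),        # our own payout
]

if __name__ == "__main__":
    ledger, rejected = credit_deposits(SAMPLE_NOTICES)
    print("credited:", ledger)
    for who, why in rejected:
        print("rejected", who, "->", why)
```

Only the first notice is credited; the other three are refused for exactly the reasons the two incidents illustrate. Checking the symbol alone is the mistake in both cases: the symbol string is chosen by whoever issues a token, whereas the issuing contract and the recipient field are facts the chain itself establishes.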
Compared with ETH, smart contract development on EOS is still in its early days, and the frequent security incidents are the unbearable growing pains of a newborn.
The security incidents of September and October this year were mainly vulnerabilities in EOS smart contracts and trading platforms, and the amounts lost were very high.
Many of these events could have been avoided completely. The main reason security incidents occur so frequently is that security awareness is far too weak.
Frequent security incidents, coupled with the industry slump, keep battering blockchain participants’ confidence. But you can change perspective and look at it from the point of view of the development of the whole industry: if industry participants take warning from these hugely costly security incidents, learn from the past, and pay more attention to building security, we believe the blockchain industry can still thrive, and that is what really matters.