A Review of Recent Incidents Caused by Compromised Private Keys, by Fairyproof
Shockingly in November, at least two incidents that were caused by the admin’s private keys being compromised happened on DeFi applications.
Among the incidents of this kind, the most widely discussed are the ones that happened on BZX and BXH.
BZX is a decentralized protocol for margin trading, borrowing, lending and staking, which was launched in 2019. It is now deployed on Ethereum, Polygon and BSC. It is said that new blockchains will be supported in the future. At the time of writing, its total TVL is 17.376 million USD, ranked №79 on defipulse.com.
BXH is a one-stop DeFi ecological platform focusing on aggregate revenue and supplemented by decentralized trading platforms. It was launched in March 2021. It is now deployed on Ethereum, BSC, Heco, etc. At the time of writing, its total TVL across the multiple blockchains has reached 195.838 million USD.
These two DeFi applications both support multiple blockchains and have deployed pools on these chains. This raises a big challenge to the teams’ management and operations.
If management and operations are not handled carefully, issues or risks can easily be introduced into the applications and result in unexpected consequences.
Specifically, BZX has been attacked several times since it was launched. Although BXH is a relatively new application that has been deployed and running for only several months, within that short period its TVL has risen dramatically to more than 100 million USD. This rapid development puts the relatively young team in a more challenging environment.
Unfortunately, both applications were exploited, not due to smart contract vulnerabilities but due to their private keys being compromised.
In the DeFi area, in order to bootstrap an application’s development and growth in its early stage, it is quite common for the application’s team to set up an admin with full access control so that the team can manage and run the application efficiently and promptly.
But from Fairyproof’s point of view, this is just a temporary solution. If this kind of full access control is not transitioned to a multi-sig wallet or a DAO, it will eventually become a huge vulnerability for the application, especially when the team’s management cannot keep up with the application’s rapid development.
For DeFi applications such as BZX and BXH, which run across multiple blockchains, management and daily operations are much more complex than for an application that runs on a single blockchain. An admin with full access control exposes applications of this kind to potentially huge risks.
Therefore, the first lesson that should be learned from incidents of this kind is that if an application has an admin who possesses full access control, its team should transfer the access control to a multi-sig wallet or DAO as soon as possible.
The second lesson that should be learned from incidents of this kind is that all application teams should always give security the highest priority among all their jobs and tasks.
BZX, in this case, is a veteran DeFi application which has been deployed and running for more than two years. However, it still suffered from an admin’s private key being compromised. This warns all veteran DeFi teams that in no way should security be overlooked or neglected, even if they have, to some extent, accumulated experience in handling security issues.
In Fairy’s audit of a project, whenever we find an admin has full access control, we will list it and urge the project team to make a plan to transfer the access control to a multi-sig wallet or DAO. We have been doing this from Day one and our goal is to try every means to raise a team’s awareness to keep this issue in mind and fix this issue as soon as possible.
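One way to automate the check described above, as an added example that is not Fairyproof's tooling: read a contract's admin and report whether it is a single key or a multi-sig. It assumes the contract exposes an Ownable-style `owner()` getter and that a multi-sig admin is a Safe-style wallet answering `getThreshold()`; `classify_admin`, `sample_rpc` and all addresses are constructed for illustration, and a DAO or timelock admin falls into the REVIEW bucket.

```python
from typing import Callable

OWNER = "0x8da5cb5b"          # selector of owner()
GET_THRESHOLD = "0xe75235b8"  # selector of getThreshold() (Safe-style wallet)
Rpc = Callable[[str, list], str]  # (method, params) -> hex string

def classify_admin(rpc: Rpc, contract: str) -> tuple:
    """Return (admin_address, finding) for a contract exposing owner()."""
    word = rpc("eth_call", [{"to": contract, "data": OWNER}, "latest"])
    admin = "0x" + word[-40:].lower()  # address is the low 20 bytes
    code = rpc("eth_getCode", [admin, "latest"]).lower()
    if code == "0x":
        return admin, "HIGH: admin is a single key (EOA)"
    if code.startswith("0xef0100") and len(code) == 48:
        # EIP-7702 delegation designator: still one private key in control
        return admin, "HIGH: admin is a single key (delegated EOA)"
    try:
        raw = rpc("eth_call", [{"to": admin, "data": GET_THRESHOLD}, "latest"])
        threshold = int(raw, 16)
    except (ValueError, RuntimeError):  # empty return data or revert
        return admin, "REVIEW: admin is a contract of unknown type"
    if threshold < 2:
        return admin, "HIGH: multisig threshold is 1"
    return admin, f"OK: multisig requires {threshold} signatures"

# --- constructed sample state, stands in for a real JSON-RPC endpoint ---
POOL_A, POOL_B, POOL_C, POOL_D = ("0x" + b * 20 for b in ("a1", "b2", "c3", "d4"))
EOA, SAFE, DELEGATED, OTHER = ("0x" + b * 20 for b in ("11", "22", "33", "55"))
OWNERS = {POOL_A: EOA, POOL_B: SAFE, POOL_C: DELEGATED, POOL_D: OTHER}
CODE = {SAFE: "0x6080", OTHER: "0x6080", DELEGATED: "0xef0100" + "44" * 20}
THRESHOLDS = {SAFE: 3}

def sample_rpc(method: str, params: list) -> str:
    if method == "eth_getCode":
        return CODE.get(params[0], "0x")
    call = params[0]
    if call["data"] == OWNER:
        return "0x" + OWNERS[call["to"]][2:].rjust(64, "0")
    if call["data"] == GET_THRESHOLD and call["to"] in THRESHOLDS:
        return "0x" + format(THRESHOLDS[call["to"]], "064x")
    raise RuntimeError("execution reverted")

if __name__ == "__main__":
    for pool in OWNERS:
        print(pool, *classify_admin(sample_rpc, pool))
```

For an application deployed on several chains, the same check has to be run against each chain's deployment, since the admin can differ per chain.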
About the author:
Yuefei TAN, CEO of Fairyproof
About Fairyproof:
Fairyproof Tech is a blockchain security company, established in Jan 2021.
It was founded by a team with rich experience in smart contract programming and network security. The team members participated in initiating a number of draft standards in the Ethereum field, including ERC-1646, ERC-2569, ERC-2794, and EIP-3712, of which ERC-2569 was officially accepted by the Ethereum team.
The team participated in the launch and development of various Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage, decentralized exchanges, and conducted security audits of multiple projects which have been deployed on Ethereum. Based on its strong R&D capability and deep understanding of smart contract security, Fairyproof has developed comprehensive vulnerability tracking and security systems and tools.
Fairyproof Tech serves and works closely with customers by providing systematic solutions covering both “code vulnerabilities” and “logic vulnerabilities” and aims to provide customers with the best and most professional services.