Weekly Blockchain Security Report by Fairyproof- Feb 14 to Feb 20
During the week from February 14 to February 20, 2022, security events that happened in the crypto industry can be categorized into three…
During the week from February 14 to February 20, 2022, security events that happened in the crypto industry can be categorized into three: security hacks, rug-pulls, and governance-related events.
Here is a list of the security hacks:
On Feb 15, the team behind AOTAVERSE, an NFT application, announced that its Discord was attacked. The hackers attacked the project’s discord and injected phishing links to trick users into mint on a fraudulent site. It was reported that users lost around $200,000 in this exploit.
On the same day, hackers successfully took control of Build Finance’s Token contract by launching a governance attack. In this incident, 1.1 million BUILDs were minted, its assets in the pools on Balancer and Uniswap were drained and 130,000 METRICs in its vault were sold.
On Feb 20, OpenSea, the biggest NFT trading market suffered from a phishing attack. The hackers exploited users’ signatures and used the Wyvern protocol to transfer users’ NFTs. According to OpenSea’s latest official news, 17 users were exploited, and the total loss was valued at around 1.7 million USDs.
Here is a list of the rug-pulls:
Squiggles NFT, an NFT project, was reported in a 60-page document “Squiggles Rug Alert” to release fake sales data and likely be a rug-pull. One of the team members, “The League of Sacred Devils” was revealed to be a high-school student with the real name Ali Saghi.
Here is a list of the governance-related events:
Tether announced that it had blacklisted a suspected address linked to the MultiChain (AnySwap) hack. The address was 0xd37448aD7949C4aD8Eba5aad1a0aFdD3199971d8 which holds 715,274.238377 USDTs at the time of writing.
With regard to the security hacks, in the first hack, the hackers used conventional web 2 techniques to exploit users. In the second hack, it was more like a vulnerability in the project’s governance mechanism was exploited. In the third attack, users’ signatures were exploited.
With respect to the rug-pull, it was not a technical issue but instead an execution risk that users who intended to participate in it should be aware of.
The governance event showed a clear and strong signal to hackers it is not risk-free in a decentralized world.
Closing thoughts
In summary, for developers they should carefully design and implement not only the code but the project’s operation, governance, and maintenance mechanisms; for users, they should be extremely cautious about unverified websites and be aware of a project’s execution risk; for hackers, they will face increasingly high pressure from various projects and organizations.