Author: OKEx

In August, the total losses caused by on-chain security incidents across the entire network were approximately US$316 million, an increase of 9.3% month-on-month.

The losses caused by phishing scams alone accounted for 93.37% of the total losses, with losses exceeding $296 million. Phishing tweets are full of traps, so do not click on unverified links. Users need to learn to use Web3 on-chain tools to avoid risks, establish their own set of security operating procedures and strictly abide by them to ensure the safety of funds.


Losses from REKT incidents accounted for 5.97% of the total, approximately US$18.93 million. Losses from RugPull incidents accounted for 0.19%, approximately US$590,000.

Biggest security incident - phishing scam

On August 19, a suspicious transfer of 4,064 BTC, equivalent to approximately US$238 million, occurred. The funds were then quickly transferred to multiple accounts including ThorChain and eXch.

As of August 27, $205,000 had been recovered.

Biggest security incident - private key leakage

On August 7, Nexera’s contract management credentials were obtained by malware, resulting in the theft of 47.2 million NXRA tokens, a loss of approximately US$1.5 million.

Biggest security incident - REKT

On August 6, the gaming blockchain Ronin was attacked because the bridge implementation contract was not properly initialized after upgrading. The attacker extracted about 4,000 ETH and 2 million USDC from the bridge, worth about 12 million US dollars.

As of August 7, the white hats had returned $12 million in assets and received an additional $500,000 in bug bounties from the project.

Biggest security incident - RugPull

On August 16, a RugPull occurred on SIGMA on Solana: the deployer obtained 2,381.6 SOL by selling his tokens, leaving holders with losses of approximately US$330,000.

Case Study

On August 6, the gaming blockchain Ronin was suspected to have been attacked, and the attackers withdrew about 4,000 ETH and 2 million USDC from the bridge, worth about $12 million.

Process analysis:

1) The Ronin team mistakenly upgraded the Axie Infinity: Ronin Bridge V2 contract, replacing its implementation MainchainGatewayV3 (old) with MainchainGatewayV3 (new), and called the initializeV4 method of MainchainGatewayV3 (new) to initialize it;

2) The attacker discovered that _totalOperatorWeight in MainchainGatewayV3 (new) had not been initialized and was still 0, which allowed the signature verification on withdrawals to be bypassed. The attacker passed in arbitrary signature data and directly withdrew 3,996.09375 ETH;

3) In a second attack transaction, the attacker again passed in an arbitrary signature and directly withdrew 1,998,046 USDC;

4) The attacker swapped the 1,998,046 USDC for 796 WETH through Uniswap.
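The failure mode in steps 1 to 4, as an added Python simulation that is not OKLink's, OKX's or Ronin's code. It assumes a weighted-threshold check of the form "accumulated signer weight / total operator weight >= threshold", which is a reconstruction from the incident description, not the actual MainchainGatewayV3 source; the operator names, the toy signature encoding, the 70% threshold and the function names are all constructed for the illustration (a real gateway recovers signers with ECDSA). The point it shows is that with the total weight still 0 the inequality holds for any input, including garbage signatures, and that a post-upgrade invariant check would have caught the uninitialized slot.

```python
"""Simulated bridge gateway: weighted operator signatures gate withdrawals.

Assumed model (not Ronin's code): a withdrawal is accepted when
    accumulated_weight * DENOM >= total_operator_weight * NUM
The uninitialized case (total_operator_weight == 0) makes the right-hand
side 0, so the check passes even with zero valid signatures.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Signature = Tuple[str, bytes]  # (claimed signer, signature bytes) - constructed format


@dataclass
class Gateway:
    operator_weight: Dict[str, int] = field(default_factory=dict)
    total_operator_weight: int = 0  # the slot an initializer is expected to populate
    threshold_num: int = 70         # constructed: 70% of total weight must sign
    threshold_denom: int = 100

    def initialize_operators(self, operators: Dict[str, int]) -> None:
        """What a correct initializer does: set operators AND the total weight."""
        self.operator_weight = dict(operators)
        self.total_operator_weight = sum(operators.values())

    def _accumulated_weight(self, signatures: List[Signature]) -> int:
        """Toy signature check: b'sig:<name>' stands in for ECDSA recovery."""
        seen = set()
        weight = 0
        for signer, sig in signatures:
            if signer in seen or signer not in self.operator_weight:
                continue
            if sig == b"sig:" + signer.encode():
                seen.add(signer)
                weight += self.operator_weight[signer]
        return weight

    def withdraw_vulnerable(self, amount: int, signatures: List[Signature]) -> bool:
        """Threshold check with no guard on total weight (the bug class)."""
        if amount <= 0:
            return False
        weight = self._accumulated_weight(signatures)
        # With total_operator_weight == 0 this is `weight * 100 >= 0`, always true.
        return weight * self.threshold_denom >= self.total_operator_weight * self.threshold_num

    def withdraw_hardened(self, amount: int, signatures: List[Signature]) -> bool:
        """Same check with the two guards the vulnerable version lacks."""
        if self.total_operator_weight == 0:
            raise RuntimeError("gateway not initialized: total operator weight is zero")
        if amount <= 0:
            return False
        weight = self._accumulated_weight(signatures)
        if weight == 0:  # at least one genuine operator signature is required
            return False
        return weight * self.threshold_denom >= self.total_operator_weight * self.threshold_num


def post_upgrade_invariants(g: Gateway) -> List[str]:
    """Checks a deployer should run right after an upgrade, before use."""
    failures = []
    if g.total_operator_weight == 0:
        failures.append("total_operator_weight is zero")
    if not g.operator_weight:
        failures.append("operator set is empty")
    if g.total_operator_weight != sum(g.operator_weight.values()):
        failures.append("total_operator_weight does not match operator set")
    return failures


# Constructed sample inputs: garbage "signatures" and three real operators.
GARBAGE_SIGS: List[Signature] = [("anyone", b"\x00" * 65)]
OPERATORS = {"op1": 1, "op2": 1, "op3": 1}


def uninitialized_gateway() -> Gateway:
    """Simulates an implementation swapped in without its initializer taking effect."""
    return Gateway()


def initialized_gateway() -> Gateway:
    g = Gateway()
    g.initialize_operators(OPERATORS)
    return g


if __name__ == "__main__":
    broken = uninitialized_gateway()
    print("uninitialized, garbage sigs, vulnerable check:", broken.withdraw_vulnerable(1, GARBAGE_SIGS))
    print("invariant failures after upgrade:", post_upgrade_invariants(broken))
    good = initialized_gateway()
    print("initialized, garbage sigs, vulnerable check:", good.withdraw_vulnerable(1, GARBAGE_SIGS))
```

Running the block prints True for the uninitialized gateway with garbage signatures and False once the operator set and total weight are populated; the invariant list is the check worth wiring into an upgrade script so the transaction reverts rather than shipping a zeroed storage slot.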

OKLink Tips

In August, phishing scams caused huge losses. OKLink reminds everyone never to reveal your private key or mnemonic phrase to anyone, and to think twice before connecting your wallet. Before granting an authorization, use the OKLink token authorization management tool to identify and revoke risky approvals, so that contract risks stay under control and multiple layers of protection remain in place.