Nibiru is about to launch its mainnet. What are its features and security development practice?
Nibiru Chain launched its airdrop incentives at the end of January 2024. After a month of airdrop activities, its community grew more than threefold and its Twitter following exceeded 500,000. As a new chain with over $20 million in financing, Nibiru Chain focuses on solving the security and speed problems of DeFi applications.

Nibiru Chain plans to launch its mainnet this week. As a fast-growing Layer 1, what are the technical features and competitive advantages of Nibiru Chain? What security issues need attention when developing projects on Nibiru Chain? Here is Beosin's analysis.

Nibiru Chain Analysis

Nibiru Chain mainly focuses on DeFi and trading. It has the following four components:

1. Nibi-Perps
On-chain perpetual contract trading allows users to trade with up to 10x leverage on crypto assets such as BTC, ETH and ATOM. $NIBI stakers will have Nibi-Perps governance rights and trading fee discounts.

2. Nibi-Swap
Nibiru's automated market maker protocol plans to support two types of LP pools: stablecoin pools and constant product pools.

3. $NUSD
$NUSD is a fully collateralized stablecoin of the Nibiru ecosystem. Nibiru plans to first let users mint $NUSD with $USDC and $NIBI. The ratio between the two is determined by the Collateral Ratio (CR). If CR = 80%, minting 100 $NUSD requires 80 $USDC plus $NIBI worth 20 $NUSD.

In the future, Nibiru Chain will support more types of collateral. Currently, $NUSD is more like the $FRAX of the Cosmos ecosystem.

4. Nibi-Oracles
Nibi-Oracles is the native oracle solution. It allows validators to actively participate in oracle consensus voting, brings off-chain data on-chain with high fidelity, and provides low-latency feeds from external APIs and smart contracts.
In 2024, Nibiru Chain will focus on the growth of its ecosystem. Its main development goals include integrating with major DeFi projects on multiple chains, listing on first-tier centralized exchanges, completing parallel optimistic execution, and achieving comprehensive EVM compatibility.

Secure Development Practices

If you develop an application on Nibiru Chain, the following security guidelines can help improve the contract security of your project:

Contract development security

1. Be prepared for attacks
As with Solidity contracts, developers need to consider how they will respond to attacks and fix vulnerabilities. They should therefore consider building upgradeable smart contracts and developing risk response plans.

2. Pay attention to address normalization
Any valid Cosmos SDK address has two valid representations: all lowercase and all uppercase. For example, cosmos1uzwqa88hcqe5gs7u7lgjxekz7xc6sm0f7xwp6a and COSMOS1UZWQA88HCQE5GS7U7LGJXEKZ7XC6SM0F7XWP6A are the same address, and the same holds on Nibiru. When handling addresses in contracts, this property must be taken into account.
In the code shown above, dest is not normalized, and since addresses are commonly written in lowercase, anyone can bypass BLACKLIST by supplying the uppercase form of a listed address.

3. Pay attention to arithmetic and overflow
In CosmWasm contracts, developers need to watch for integer overflow and division by zero. It is recommended to use CosmWasm's Uint256 and Uint512 types and the full_mul() function.

4. Access control issues
Access control is one of the main issues in program security. Countless security incidents have been caused by access control flaws, and CosmWasm contracts are no exception. The following is a typical case:
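As an added illustration of points 2 and 4 (this is not the post's own snippet and not code from any Nibiru project), here is a CosmWasm-style contract sketch in Rust: a transfer guarded by a blacklist, and an update_config handler shown both without a caller check and with one. The Addr and MessageInfo types, the bech32 helper and every address below are constructed stand-ins so the file runs without the cosmwasm_std crate; in a real contract, deps.api.addr_validate performs the normalization and also verifies the checksum, which this helper does not.

```rust
// Added example (not code from the Beosin post or from any Nibiru project).
// A CosmWasm-style contract sketch: a blacklist-guarded transfer and an
// owner-only update_config. Addr, MessageInfo and the bech32 helper are stand-ins
// so this runs without cosmwasm_std; real contracts use deps.api.addr_validate.

const BECH32_CHARSET: &str = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";

#[derive(Debug, PartialEq)]
pub enum ContractError { Unauthorized, Blacklisted, MixedCaseAddress, MalformedAddress }

/// Canonical (lowercase) form of a bech32 address. Bech32 permits an address
/// to be written all-lowercase or all-uppercase, so both spellings name the
/// same account; mixed case is invalid and is rejected.
pub fn canonicalize(addr: &str) -> Result<String, ContractError> {
    let has_lower = addr.chars().any(|c| c.is_ascii_lowercase());
    let has_upper = addr.chars().any(|c| c.is_ascii_uppercase());
    if has_lower && has_upper {
        return Err(ContractError::MixedCaseAddress);
    }
    let lower = addr.to_ascii_lowercase();
    // Separator is the last '1'; hrp must be non-empty; data part >= 6-char checksum.
    let sep = lower.rfind('1').ok_or(ContractError::MalformedAddress)?;
    if lower.len() > 90 || sep == 0 || lower.len() - sep - 1 < 6 {
        return Err(ContractError::MalformedAddress);
    }
    let hrp_ok = lower[..sep].chars().all(|c| c.is_ascii() && (33..=126).contains(&(c as u8)));
    let data_ok = lower[sep + 1..].chars().all(|c| BECH32_CHARSET.contains(c));
    if !hrp_ok || !data_ok {
        return Err(ContractError::MalformedAddress);
    }
    Ok(lower)
}

/// Stand-in for cosmwasm_std::Addr (a validated, canonical address).
#[derive(Clone, Debug, PartialEq)]
pub struct Addr(pub String);

/// Stand-in for cosmwasm_std::MessageInfo: the caller as the chain reports it.
pub struct MessageInfo { pub sender: Addr }

pub enum ExecuteMsg {
    Transfer { dest: String, amount: u128 },
    UpdateConfig { treasury: String },
}

pub struct State {
    pub owner: Addr,
    pub treasury: Addr,
    /// Blacklist entries are stored canonicalized so lookups ignore spelling.
    pub blacklist: Vec<String>,
    /// Record of accepted transfers (stands in for emitted bank messages).
    pub transfers: Vec<(String, u128)>,
}

impl State {
    pub fn new(owner: &str, treasury: &str, blacklist: &[&str]) -> Result<Self, ContractError> {
        let blacklist = blacklist.iter().map(|a| canonicalize(a)).collect::<Result<Vec<_>, _>>()?;
        Ok(State {
            owner: Addr(canonicalize(owner)?),
            treasury: Addr(canonicalize(treasury)?),
            blacklist,
            transfers: Vec::new(),
        })
    }

    /// Vulnerable update_config (the pattern described in point 4): no caller
    /// check, so anyone can point the treasury at themselves and take the rewards.
    pub fn update_config_unchecked(&mut self, _info: &MessageInfo, treasury: String) {
        self.treasury = Addr(treasury);
    }

    /// Hardened dispatcher: every user-supplied address is canonicalized before
    /// use (point 2), and privileged messages verify the sender against the
    /// stored owner (point 4).
    pub fn execute(&mut self, info: &MessageInfo, msg: ExecuteMsg) -> Result<(), ContractError> {
        match msg {
            ExecuteMsg::Transfer { dest, amount } => {
                let dest = canonicalize(&dest)?;
                if self.blacklist.contains(&dest) {
                    return Err(ContractError::Blacklisted);
                }
                self.transfers.push((dest, amount));
                Ok(())
            }
            ExecuteMsg::UpdateConfig { treasury } => {
                if info.sender != self.owner {
                    return Err(ContractError::Unauthorized);
                }
                self.treasury = Addr(canonicalize(&treasury)?);
                Ok(())
            }
        }
    }
}
```

A raw string lookup such as blacklist.contains(&dest) is the vulnerable form the post describes; the dispatcher above canonicalizes dest first, so the uppercase spelling of a listed address is rejected.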
Due to the lack of checks and restrictions on the caller's address, the above code allows anyone to call update_config(), set their own address as the treasury address, and receive all rewards generated by the contract.

5. Beware of infinite loops
CosmWasm contracts may get stuck in an infinite loop by calling themselves back from the ACK handler. Developers who pass packets between two CosmWasm contracts should be aware that this can cause an infinite loop and consume a large amount of gas.

Project security practices

1. Smart contract audit
A smart contract audit systematically tests and reviews the smart contract code to discover potential security issues, eliminate security risks, and ensure that the code has no business logic vulnerabilities and behaves as expected. Regular security audits of the project's smart contracts are crucial.

2. Use a multi-signature wallet
Project teams should consider using multi-signature wallets to manage the project treasury and smart contracts. Multi-signature accounts should be held by multiple entities to avoid access control risks and insider misconduct. Nibiru Chain has adopted the Nomos multi-signature solution, and projects can consider using Nomos for asset management.

Summary

As a new Layer 1, Nibiru Chain provides an innovative platform for DeFi, games, RWA and other fields. It aims to solve the accessibility, security and performance issues of Web3 applications and to provide developers and ordinary users with comprehensive, high-quality services.

Beosin has established a strategic partnership with Nibiru Chain, aiming to significantly improve the security of the Web3 ecosystem and to conduct cutting-edge joint research toward a more secure and innovative blockchain ecosystem.
Beosin will provide professional smart contract auditing and risk monitoring services for projects built on Nibiru Chain. Through Beosin's security solutions, projects can identify and fix potential vulnerabilities and security risks to ensure the stability and security of their smart contracts and systems. This not only protects users' assets but also gives users a more reliable experience, further promoting the safe development of the Nibiru Chain ecosystem.
1. Support for EIP-2612
ERC404 v2 supports EIP-2612, allowing gas-less approvals through signed messages (permits). The DOMAIN_SEPARATOR is calculated in the constructor and is recomputed if the chain ID changes, which improves the contract's compatibility across chains.

```solidity
constructor(string memory name_, string memory symbol_, uint8 decimals_) {
    name = name_;
    symbol = symbol_;

    if (decimals_ < 18) {
        revert DecimalsTooLow();
    }

    decimals = decimals_;
    units = 10 ** decimals;

    // EIP-2612 initialization
    INITIAL_CHAIN_ID = block.chainid;
    INITIAL_DOMAIN_SEPARATOR = _computeDomainSeparator();
}
```

2. Safe Transfer Checking
The safeTransferFrom function follows the onERC721Received() convention of the ERC721 standard: when the recipient is a contract, it checks that the recipient can handle ERC721 tokens.

```solidity
function safeTransferFrom(
    address from_,
    address to_,
    uint256 id_,
    bytes memory data_
) public virtual {
    // reject ids outside the minted range
    if (id_ > minted || id_ == 0) {
        revert InvalidId();
    }

    transferFrom(from_, to_, id_);

    // a contract recipient must acknowledge the ERC721 transfer
    if (
        to_.code.length != 0 &&
        ERC721Receiver(to_).onERC721Received(msg.sender, from_, id_, data_) !=
        ERC721Receiver.onERC721Received.selector
    ) {
        revert UnsafeRecipient();
    }
}
```
Key Highlights of GameFi in 2024: Analyzing the Current State and Security Challenges
After the GameFi craze of 2021, represented by Axie Infinity, and the subsequent bursting of the bubble, GameFi started to recover in the second half of 2023. The popularity of the AAA blockchain game Bigtime drew significant attention to the GameFi market. On January 9, 2024, Xai, a game-specific Layer 3 on Arbitrum, officially launched. On January 12, the gaming platform SkyArk Chronicles completed a $15 million funding round led by Binance Labs. The combination of new public chains and games became a focal point in the market, and many users have high expectations for GameFi's future performance.

Beosin has audited GameFi projects including Ronin Network, SpaceRunners, WastedLands and Good Games Guild, and has found security issues that GameFi teams often overlook. In this article the Beosin team analyzes the current state of the GameFi track, noteworthy projects, and the security challenges it faces.

Overall Analysis of GameFi

In 2021, GameFi-related projects raised over $1.5 billion, and the total valuation of GameFi development companies approached the billions of dollars, excluding the market value of GameFi tokens. According to Blockchaingamer's statistics, approximately 31% of GameFi projects stopped development or became inactive after the Web3 market's winter.
Thanks to the market's recovery and the popularity of new GameFi projects, overall GameFi activity has increased significantly. Top Ethereum blockchain games such as Gala, Stepn, Axie and Sandbox saw record transaction volumes at the end of 2023.
In October 2023, primary market funding in the GameFi track exceeded $100 million, with many GameFi projects raising millions of dollars for game development, testing, and promotion. In 2024, as numerous games enter public testing and official launch, the market's attention to GameFi is expected to increase.

Key Projects in the GameFi Track

(Note: The following content does not constitute investment advice.)

Gaming Application Platforms

1. Ronin Network
Ronin is an EVM blockchain designed specifically for gaming, launched by Sky Mavis, the development team behind the once-popular blockchain game Axie Infinity. After the security incident of 2022, Ronin Network abandoned its original Proof of Authority (PoA) consensus; on April 12, 2023, Sky Mavis upgraded the consensus mechanism to DPoS, reducing centralization risk. Beosin conducted a comprehensive audit of Ronin Network's mainnet, smart contracts and other components, identifying security risks that were then addressed with effective measures.

After the consensus upgrade, Ronin Network became more decentralized: the number of validator nodes increased from 9 to 22, with a total of 27 candidate validators. Governance validators are determined by Sky Mavis, Yield Guild Games, NonFungible.com, Nansen, Google, DappRadar DAO, and Animoca Brands, with the remaining 15 validator slots allocated to the community. Currently, Ronin Network's total TVL is approximately $150 million, and its ecosystem projects are developing rapidly. In 2023, Ronin collaborated with game studios such as Directive Games, Tribes, Bali Games, and Bowled.io, launching multiple games on the Ronin Network.
2. Immutable X
Immutable X is a zk-Rollup Layer 2 focused on NFTs and GameFi, providing fast transaction confirmation, zero gas fees, and high scalability. Immutable X uses StarkEx technology to build a Validium, a zk-Rollup variant similar to Plasma in which data is stored off-chain to reduce on-chain computation and increase TPS. Immutable X's ecosystem includes games such as Gods Unchained, Guild of Guardians, and Illuvium; Guild of Guardians and Illuvium have issued game tokens.
3. Xai
Xai is a Layer 3 built on Arbitrum Nitro, focused on incubating GameFi projects and on user experience. Xai features backend wallet integration, offering gameplay with zero transaction fees and a distinctive game economy design. Xai has partnered with the game team Ex Populus to develop Final Form and LAMOverse on the Xai chain. Xai has issued the XAI token, which serves as the gas token and node reward on the Xai chain; more use cases will be revealed as games go live on the network. Xai is listed on EagleEye, allowing users to monitor relevant on-chain activity.
4. Oasys
Oasys is an Ethereum sidechain designed for gaming, using a PoS mechanism across a Layer 1 and multiple Layer 2s. The Layer 1 runs tokens, NFTs, cross-chain bridges and Rollup contracts, while games run on dedicated gas-free Layer 2s. Oasys Layer 2 adopts Optimistic Rollup but removes the 7-day challenge period to improve the user experience. Oasys currently has 6 Layer 2s with 36 games running on them, allowing players to participate and earn the native OAS token.
5. Gala
In November 2023, Gala Games announced a strategic partnership with DWF Labs to promote the widespread adoption of GalaChain. Gala Games has launched multiple games and expanded into music and film. Gala Games optimized its token model in January 2023, allocating Gala tokens spent on the platform to nodes to increase node earnings. Users can monitor Gala token on-chain activity through EagleEye.
6. Myria
Myria is an Ethereum Layer 2 developed for GameFi. Like Immutable X, Myria works with StarkWare, using StarkWare's STARK prover and zk-Rollup technology, with transactions ultimately confirmed on Ethereum. The MYRIA token lacks sufficient on-chain liquidity and is primarily traded on centralized exchanges such as OKX and Bitget.
Myria has released several free games, such as Metarush, Metakart, Block Royale, Starstrike Legends, and Mooville Farm, aiming to build a gaming platform similar to Gala Games.

Fully Onchain Games

Fully onchain games are games in which all game logic and state are executed and stored on the blockchain. In the past, due to the performance bottlenecks of blockchain networks and the lack of infrastructure, most GameFi games only put game assets on-chain. In 2023, however, fully onchain games made significant progress and attracted developers. The reasons include:

- Attention and support from investment institutions such as a16z and Jump Crypto, which promoted fully onchain games as a sub-track.
- Growing adoption of account abstraction (AA) wallets, which allow users to sign a transaction after completing a round or multiple steps, improving the experience of playing fully onchain games.
- Game engines that lower the barrier for developers; Starknet's Dojo engine and the MUD engine integrated with the OP Stack are currently popular.

In 2023, fully onchain games became a focal point of the GameFi track. Many have entered the testnet phase and have a certain level of playability. Some of the notable fully onchain games currently on the market:

1. Realms World
Realms World is the game ecosystem of the Loot NFT project, featuring games such as Loot Survivor and Realms: Eternum, both built on Starknet's Dojo. Loot Survivor is a survival adventure game with a Play2Die mechanism: players fight or flee monsters, upgrade character attributes, collect equipment, and compete for higher rankings. Realms: Eternum is an MMO strategy game in which players build and develop their kingdoms while defending against attacks from other players. Each kingdom in Eternum is an NFT that can be traded on the marketplace.
2. Sky Strife
Sky Strife is a fully onchain game built on the MUD engine, featuring fast-paced real-time strategy (RTS) battles, and developed by the Lattice team, the creators of MUD. Its gameplay resembles other RTS games: four players start in their own main bases on the map and aim to capture resources to produce soldiers, defend their bases and attack other players' bases, balancing resources between production, map control, defense and attack. Sky Strife is currently in the testnet phase; its token, ORB, has not yet been issued. The development team plans to iterate Sky Strife into a self-governing world with its own resources, logic and freely constructible economy, so that the community can develop new onchain games, rules and modules within it.

3. Cellula
Cellula is a fully onchain artificial life simulation. Players create artificial "life" by combining and assembling the smallest units of life, cells, and can observe these "life" forms grow, reproduce and evolve in a virtual space. Cellula uses Ethereum block height as "time," so each "life" evolves as the Ethereum chain grows.

Web2.5 Games

In addition to fully onchain games, most other GameFi projects can be classified as Web2.5 games, where game assets are on-chain and most game logic runs on centralized servers. From 2023 to 2024, many such games started open beta or officially launched, including the multiplayer online role-playing game Bigtime, the first-person shooters Matr1x FIRE and SHRAPNEL, and the strategy game GasHero. These games have learned from the failures of blockchain games in 2021, focusing on Play & Earn and improving the play side through graphics, gameplay and user experience.
The tokenomic design has also been optimized to attract users with free or low entry thresholds.

GameFi Security Challenges

GameFi not only provides token incentives to players but also gives them ownership of in-game assets, producing game projects with the characteristics of crypto economies and decentralization. However, GameFi faces many security vulnerabilities and hacker attacks, which seriously threaten user assets and hold back the healthy development of the whole ecosystem. Beosin pays close attention to the security of the GameFi ecosystem: after the launch of popular chain games such as Fren Pet and xPet, Beosin analyzed the security of their tokens and game contracts to identify potential vulnerabilities and attacks. So what are the common security issues in GameFi, and how can GameFi security be improved? Beosin has outlined the following risks and recommendations.

Onchain Security Challenges

Token Contract Vulnerabilities
GameFi projects typically use one or more tokens as in-game currency for purchasing items and rewarding players. Token contracts manage minting, trading and burning, so a vulnerability in a token contract can be catastrophic for the whole game's economic system. Token contracts often carry centralization risk, where the owner or administrator has excessive permissions: they can modify transaction fees, prevent users from buying or selling, add addresses to a blacklist, mint without limit, or even reset the token balance of any address. Users can check the risk of a token contract address through the EagleEye platform, which detects and alerts users to token contract risks and helps them avoid losses.

Business Contract Vulnerabilities
GameFi business contracts implement the main gameplay and reward distribution.
Most developers make their business contracts upgradeable. For the security of upgradeable contracts, Beosin recommends:

(1) Initialize contracts and dependencies: developers may forget to initialize contracts and their dependencies at deployment, leading to severe vulnerabilities.
(2) Watch for storage conflicts: changing the storage layout during an upgrade can cause conflicts between versions of the contract, leading to data corruption and financial losses.
(3) Control upgrade permissions: upgrade rights must be restricted so that attackers cannot take control of upgrades; hackers may gain upgrade control through private key theft or governance attacks.

NFT Vulnerabilities
NFTs are the main game assets held by players, and their quantity and rarity underpin the value of in-game assets. Improper implementation, however, can introduce security risks.

Randomness is a critical consideration. GameFi projects often run activities such as blind boxes and random rewards for in-game tasks, and when minting NFTs for these events they may use block timestamps as the source of randomness for assigning rarity. Block timestamps can be predicted or controlled, which makes the game unfair. Beosin recommends using Chainlink VRF (Verifiable Random Function) to reduce this risk.

Projects also need to store the metadata, images and IPFS hashes of their NFTs securely to prevent rarity data from leaking early; otherwise an attacker can locate the metadata of the relevant NFTs and single out the rarest ones during minting.

When players trade NFTs, projects need to be aware of the difference between ERC-1155 and ERC-721 tokens. ERC-1155 improves on ERC-721 by supporting both fungible tokens and NFTs in a single contract.
ERC-721 tokens require one transfer per token, while ERC-1155 tokens can be transferred in batches, and projects need to distinguish the two when implementing transfers. TreasureDAO on Arbitrum was previously attacked because of this issue.

Cross-Chain Bridge Vulnerabilities
Multi-chain GameFi projects and GameFi application chains use cross-chain bridges to map in-game assets across blockchain networks. Bridges are crucial for liquidity and for attracting users to the game or ecosystem, but GameFi bridges carry two main risks. First, contract vulnerabilities can leave the in-game assets mapped across networks inconsistent; an attacker who exploits such a flaw can inflate in-game assets on one network for profit. Second, the bridge's validator nodes are themselves a risk: Ronin Network previously lost $620 million because of a leaked validator private key. Beosin recommends that GameFi application chains increase the number of validator nodes for their bridges, store private keys securely, and prevent malicious control of validator nodes from leading to losses.

Offchain Security Challenges

Apart from fully onchain games, the backend logic and interfaces of most GameFi projects still rely on centralized offchain servers. These servers hold crucial information, including part of the game logic, game data, and player account information, and they are exposed to attack.

Tampering with NFT Data
As emphasized above, NFT metadata is crucial, yet many GameFi projects store it on centralized servers rather than on decentralized infrastructure such as Arweave. This raises the risk that attackers or insiders tamper with the metadata, infringing on players' ownership of and interest in their in-game assets.
Phishing Attacks
Attackers can obtain sensitive information from project teams through phishing, such as the wallet private keys that manage the game treasury or GitHub account credentials, and then escalate through supply chain attacks or further phishing, causing larger losses.

Conclusion

After three years of exploration, GameFi has seen the emergence of more dedicated gaming blockchains and higher-quality games. Fully onchain games represent a more Web3-native narrative, but they are still at a very early stage, and the whole track needs time to iterate. Developers building in the GameFi track need to avoid the security risks described above in order to build more reliable GameFi projects.

Contact
If you need any blockchain security services, welcome to contact us.
Cryptocurrency Soars 800%, Created by a Top Hacker: What is Celestia (TIA)?
As the fervor around Bitcoin ETFs subsides, investors are seeking the next hot project. Prior to the market turbulence caused by the Bitcoin halving event, many cryptocurrency enthusiasts had their eyes on Celestia. Recently, Celestia's token TIA has performed remarkably, reaching new highs and capturing widespread attention from investors and the cryptocurrency community. Mustafa Al-Bassam, the co-founder of Celestia, was once a formidable top-tier hacker.

This upward trend has made Celestia a hot topic in the community. However, the project's popularity is also fueled by the controversial background of its founder. CEO Mustafa Al-Bassam was once a core member of the hacker group LulzSec, operating under the alias "tFlow." During that time, LulzSec conducted high-profile cyber attacks on significant targets such as the Central Intelligence Agency and Sony. Despite his early involvement in hacking, Al-Bassam later pursued a degree in computer science at university, marking the beginning of his transformation. Today he is dedicated to building Celestia, a novel modular blockchain system. His technical expertise and passion for blockchain have positioned Celestia as a noteworthy project. While Al-Bassam has openly acknowledged his hacking past, some remain skeptical, fearing that his background might negatively impact the development and security of Celestia. Others appreciate his technical talent and understanding of blockchain, believing that his experience brings valuable insight and innovative thinking to the project.

Key Features of the Modular Layer 1 Blockchain Celestia

Celestia is a modular Layer 1 blockchain that focuses on ordering transactions and verifying the availability of published data.
The core concept of Celestia is a modular blockchain architecture that frees developers from the limitations of a monolithic design and lets them build flexibly according to their needs. Celestia's modularity consists of the Execution Layer, the Settlement Layer, and the Consensus & Data Availability Layer:

1. Execution Layer
Composed of Rollups responsible for executing transactions. Celestia uses Rollups to provide diverse options for the Execution Layer. In addition to supporting Optimistic Rollups and zkRollups, Rollup solutions built around Celestia such as Dymension, Eclipse, and Fuel make it possible to connect with projects in the Cosmos and Solana ecosystems.

2. Settlement Layer
Notably, Celestia collaborates with Evmos to develop the Cevmos settlement layer, which is based on Evmos and builds a recursive EVM Rollup. Each Rollup built on Cevmos has a bidirectional bridge to Cevmos, allowing existing Rollup contracts and applications from Ethereum to be redeployed with little migration effort.

3. Consensus & Data Availability Layer
Responsible for data availability and consensus. All data is transmitted to the Data Availability Layer, where nodes store it in the same format in which they receive it from the Settlement Layer. The system incentivizes nodes to store data with $TIA, and nodes use Reed-Solomon encoding and Namespaced Merkle Tree data structures to ensure data availability.

Promising Projects on Celestia

1. Manta Network
A modular blockchain focused on building ZK applications, providing a scalable, low-gas environment for ZK dApps. Manta Network is the first Ethereum L2 to adopt Celestia's modular data availability solution, significantly reducing user transaction costs and developer barriers.

2. Dymension
A modular blockchain network built with the Cosmos SDK and Celestia, ensuring the security and interoperability of RollApps. Dymension's modular design includes Execution, Settlement, Consensus, and Data layers, giving developers flexibility. Celestia serves as the data availability provider for Dymension.

3. Ancient8 Chain
An Optimistic Rollup gaming chain on Ethereum that uses Celestia's data availability solution for high scalability, low transaction costs, and fast confirmation. Ancient8 evolved from a gaming guild into a gaming-focused Layer 2, attracting more gaming applications and users to the OP Chain ecosystem.

4. AltLayer
Supports existing Rollup stacks such as OP Stack, Arbitrum Orbit, ZK Stack, and Polygon CDK, defaulting to EVM and WASM. As a modular scaling solution, AltLayer lets developers quickly launch scalable blockchain networks with three-step transaction processing.

In Conclusion

Built with the Cosmos SDK, Celestia is a powerful and flexible blockchain application platform. Beosin, a leading global blockchain security team, focuses on providing comprehensive security audits for EVM and Cosmos ecosystem applications, contributing to the overall security of the blockchain ecosystem. Celestia, as an emerging cryptocurrency project, attracts attention both for its intriguing architecture and for its controversial leader. Investors will continue to monitor Celestia's development closely, anticipating its potential to stand out in a competitive market and bring returns. Beosin is currently able to provide comprehensive security services for the Celestia ecosystem, establishing best security practices for Celestia ecosystem applications and strengthening project security.

Contact
If you need any blockchain security services, welcome to contact us.
Surging Sui Gains Momentum, Ready to Ignite the First Spark in the Move Ecosystem in 2024?
In 2024, the surging momentum of Sui has ignited the first spark in the Move ecosystem. A nearly 70% surge in the past week has brought attention back to this shining star of the Move ecosystem. According to DefiLlama data, Sui's Total Value Locked (TVL) has reached $327 million, up 6.76% in the last 24 hours and a remarkable 73.19% over the past 7 days. The top three protocols by on-chain TVL are Cetus ($62.44 million), NAVI Protocol ($61.42 million), and Scallop Lend ($54.96 million).
As a key player in the Move ecosystem, Sui is committed to promoting the security, interoperability, and sustainable development of digital assets. The Beosin research team once again explores the opportunities for Sui in 2024 from a security perspective.

Is the Strong Momentum of Sui a Solana Killer or an ETH Killer?

Sui, created by Mysten Labs, is a high-performance blockchain that lets developers build low-latency, high-throughput applications. Mysten Labs, founded by Evan Cheng, former head of Facebook's Novi project, raised $36 million in December 2021 and reached a valuation of over $2 billion with a $300 million funding round in September 2022.

Sui's distinctive feature is its object-centric data model. Each object stores a globally unique ID, owner metadata, a version number (incremented each time the object is used), and Binary Canonical Serialization data, as shown in the diagram below:
Because of the object-based data model, Sui can group transactions according to the interdependence of the objects they touch, which allows multiple transactions to be processed in parallel on different nodes. Sui divides objects into owned objects and shared objects. For transactions that touch only owned objects (e.g., tokens and NFTs), Sui uses the Byzantine Consistent Broadcast (BCB) algorithm to confirm transactions: validators vote on whether to accept the transaction, the transaction initiator tallies the votes, and validators then verify the tally to decide whether to commit. The advantage of this algorithm is that tallying runs on the client side, reducing communication between validator nodes and confirming transactions quickly. For transactions involving shared objects, used by applications such as DeFi, NFT marketplaces and games that require frequent user interaction, Sui uses the Narwhal and Bullshark protocols for ordering and verification. Narwhal serves as Sui's transaction mempool, checking pending transactions and building a directed acyclic graph (DAG) over them; Bullshark reaches consensus on a specific traversal of that DAG, thereby fixing the order of the transactions.
Based on this design, Sui has achieved a maximum tested throughput of 297,000 transactions per second (TPS), with transaction confirmation taking approximately 480 milliseconds, demonstrating excellent performance.

Advantages of Sui Compared to Solana and Ethereum

1. Safer Underlying Design
Sui supports Move smart contracts, which undergo bytecode verification before execution. Move has a built-in bytecode verifier that checks resource, type, and memory safety, helping prevent common errors and malicious code before a contract runs.

2. Native Resource Safety
Sui's object-centric data model lets developers set permissions and program resources using the abilities copy, drop, store, and key. In contrast, Solana lacks native resource safety, so each contract has to implement it on its own.

3. Greater Emphasis on User Security
Sui provides transaction pre-execution services, allowing wallet providers to show users the execution result and the permissions involved before they sign. This helps users clearly understand the consequences of a transaction when interacting with dApps, significantly reducing fraud risk.

What Opportunities are there for the Top Three Projects on Sui to Participate?

1. Cetus
Cetus aims to develop a flexible and powerful primary liquidity network that facilitates asset trading on Aptos and Sui. The protocol focuses on incentivized liquidity and a range of interoperable modules to provide the best trading experience and efficiency for DeFi users. Some liquidity pools in Cetus receive official liquidity incentives from Sui, offering CETUS rewards alongside SUI token rewards.
2. NAVI Protocol NAVI Protocol offers lending services for mainstream tokens, stablecoins, and CETUS tokens. Innovative features like automatic leverage vaults and isolation mode enable users to leverage their assets with minimal risk for new trading opportunities. NAVI supports digital assets at different risk levels, and its advanced security features ensure fund protection and mitigate systemic risks. NAVI has collaborated with OKX DeFi to launch an additional yield service, offering users up to 35% APY for USDC deposits, with a total pool of 50,000 USDC and 100,000 CETUS.
3. Scallop Lend Scallop Lend is the largest lending protocol in the Sui ecosystem and the first DeFi protocol officially funded by the Sui Foundation. Similar to NAVI Protocol, Scallop Lend provides lending services for eight tokens and offers an SDK for professional traders. Scallop Lend completed its airdrop snapshot on January 1, 2024, initiating the first phase of the airdrop.
Users who missed the first phase of the airdrop can continue using Scallop Lend's lending services to receive rewards in the second phase.

Beosin Launches Security Audit Services for Move Smart Contracts

Beosin's collaboration with Sui began last year, and the Beosin security team has discovered vulnerabilities in multiple public chains. One particularly interesting vulnerability, discovered in Sui's p2p protocol, caused a denial of service: nodes crashed because their memory was exhausted. This denial-of-service vulnerability, an instance of the old "memory bomb" technique, is described in Beosin's write-up of a severe-level vulnerability in the Move VM.

Potential Vulnerabilities in Move Contracts

Supply chain security awareness: developers using Aptos, Sui, or other Move-based frameworks should maintain security awareness around the dependencies they pull in, to keep their supply chain secure.

Function permission issues: carefully delineate who may call which functions, especially critical functions related to governance, since improper authorization directly affects fund security.

Logic issues in design and implementation: pay attention to business-logic errors both in the design and in the code. For example, Beosin researched the Move version of flash loans, detailed in Web3 Technical Research | Differences between Solidity Flash Loan Implementation and Move and Rust Flash Loan Implementation.

Module upgrades: Move projects should be cautious when upgrading modules. The code owner cannot be changed after initial deployment, so the deployer's address permanently holds upgrade permission, and that key must be protected accordingly.

Move Contract Audit Service and Audit Items

Beosin's security team launched a security audit service for Move smart contracts at the end of 2022, aiming to proactively identify security risks in projects and help project teams address them, protecting both users and project assets.
The main security audit items include:
- Overflow vulnerabilities
- Replay attacks
- Insecure random number generation
- Transaction order dependencies
- Denial-of-service vulnerabilities
- Access control issues
- Improper permissions
- Business design flaws
- Business implementation issues
- Manipulable token prices
- Arbitrage attacks
- Gas optimization
- Security of third-party modules
- Capability security
- Resource security
- Upgrade security
- Centralization risks

For detailed information on Beosin's Move smart contract security audit service, refer to "Beosin | Official Launch of Security Audit Service for Move Smart Contracts, Examining Move Language from a Security Perspective (Part 1)". In addition, Beosin introduced the Move Lint static analysis tool in 2023, which helps developers automatically discover potential security vulnerabilities in contracts, pinpoint their origin, and improve overall contract security. For more details, refer to "Beosin launched the Move Lint static detection tool to improve the security of Sui smart contract development through best practices".

Will Sui Achieve Faster Growth in 2024?

The Move smart contract language is designed to be secure and reliable, aiming to avoid the vulnerabilities and security risks present in traditional smart contract languages such as Solidity. This design choice makes Sui's contracts more trustworthy, giving users better assurance. Sui is gearing up for growth in 2024, with ecosystem development as one of its strategies. With a Total Value Locked (TVL) of $327 million, Sui demonstrates user trust and engagement, indicating rapid ecosystem growth and a continuous increase in users. Sui also ranks among the top three non-EVM chains by on-chain TVL, with protocols such as Cetus, NAVI Protocol, and Scallop Lend collectively propelling the development of the Move ecosystem. Let's look forward to Sui's development in 2024.
Contact If you need any blockchain security services, welcome to contact us: Official Website Beosin EagleEye Twitter Telegram Linkedin
Socket Protocol Falls Victim to Hacker's Call Injection Attack, Resulting in Approximately $3.3 Mill
On January 17, 2024, according to monitoring data from Beosinâs EagleEye security risk platform, Socket Protocol suffered a call injection attack, leading to a significant theft of funds from authorized users. Currently, the attacker has converted the stolen funds to ETH and stored them in the attackerâs address. After the attack, Socketâs official confirmation acknowledged the security breach and promptly suspended the affected contracts.
Simultaneously, MetaMask posted on the X platform, stating that MetaMask Bridge users are not affected by the Socket vulnerability. MetaMask emphasized their unique architecture in designing cross-chain bridge contracts to mitigate such attacks.
Vulnerability Analysis

The primary cause of this incident is an unsafe external call in the performAction function of the Socket route contract. Although the fromToken and toToken parameters are not checked explicitly, the function's logic effectively restricts the token to WETH and excludes other ERC20 addresses, so those parameters could not be forged.
However, the critical flaw is that the amount parameter is not constrained. If the caller passes an amount of 0, the function's check always passes without WETH's deposit or withdraw ever being called, and the caller-supplied swapExtraData is still forwarded in the external call. That call is what the attacker abused to inject arbitrary calldata.

Attack Process

With the vulnerability understood, this is how the attacker carried out the attack:

1. Creation of a malicious contract: the attacker first deployed a contract from which the attack was launched.

2. Queries and allowance checks: the attacker queried the WETH balances of a number of addresses and, for each, the allowance that address had granted to the Socket: Gateway contract. The attacker then called the Socket: Gateway contract.

3. performAction call carrying a transferFrom selector: in the call to performAction, the attacker set swapExtraData to 0x23b872dd…, the function selector of transferFrom, so the forwarded call invoked the token's transferFrom directly, spending the allowances users had granted to the gateway.

4. WETH transfer: by repeating this, the attacker transferred WETH from many users to their own address.

5. Approved USDT drained the same way: the attacker used the same method to transfer USDT that users had approved to the contract.

6. Other tokens: the attack extended to other tokens such as WBTC, DAI, and MATIC.
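The following Solidity is an added example, not Socket's source code: a simplified, hypothetical reconstruction of the pattern described above (the zero-amount bypass and the forwarded swapExtraData) next to a hardened route that rejects zero amounts and accepts no caller-supplied calldata. The contract names, the IWETH interface and the route logic are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: simplified, hypothetical reconstruction of the pattern in the
// write-up. Not Socket's code; names and logic are assumptions.

interface IWETH {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function deposit() external payable;
    function withdraw(uint256 amount) external;
}

/// Vulnerable pattern: amount == 0 skips the token pull, and caller-supplied
/// calldata (swapExtraData) is forwarded to the token contract itself.
contract VulnerableSwapRoute {
    IWETH public immutable weth;

    constructor(IWETH _weth) { weth = _weth; }

    function performAction(
        address fromToken,
        address toToken,
        uint256 amount,
        address receiver,
        bytes calldata swapExtraData
    ) external payable returns (uint256 received) {
        require(fromToken == address(weth) || toToken == address(weth), "WETH only");
        if (amount > 0 && fromToken == address(weth)) {
            // Tokens are pulled only when there is something to pull.
            require(weth.transferFrom(msg.sender, address(this), amount), "pull failed");
        }
        uint256 before = weth.balanceOf(address(this));

        // BUG: nothing ties swapExtraData to `amount`. With amount == 0 this is an
        // arbitrary call made by this contract, which holds users' WETH allowances.
        (bool ok, ) = fromToken.call(swapExtraData);
        require(ok, "call failed");

        // 0 - 0 == 0, so the "did we receive anything" check is satisfied trivially.
        received = weth.balanceOf(address(this)) - before;
        if (received > 0) require(weth.transfer(receiver, received), "send failed");
    }

    /// What an attacker passes as swapExtraData: the transferFrom selector
    /// (0x23b872dd, as in the write-up) targeting a victim who approved this route.
    function attackerPayload(address victim, address attacker, uint256 n)
        external pure returns (bytes memory)
    {
        return abi.encodeWithSelector(IWETH.transferFrom.selector, victim, attacker, n);
    }
}

/// Hardened pattern: the route only ever wraps or unwraps exactly `amount`,
/// rejects zero amounts, and takes no caller-supplied calldata at all.
contract HardenedWrapRoute {
    IWETH public immutable weth;

    constructor(IWETH _weth) { weth = _weth; }

    // Needed to receive ETH back from weth.withdraw().
    receive() external payable {}

    function performAction(
        address fromToken,
        address toToken,
        uint256 amount,
        address receiver
    ) external payable returns (uint256) {
        require(amount > 0, "zero amount");
        require(receiver != address(0), "bad receiver");

        if (fromToken == address(weth) && toToken == address(0)) {
            // Unwrap: pull exactly `amount` from the caller, then pay out ETH.
            require(msg.value == 0, "unexpected ETH");
            require(weth.transferFrom(msg.sender, address(this), amount), "pull failed");
            weth.withdraw(amount);
            (bool ok, ) = receiver.call{value: amount}("");
            require(ok, "eth send failed");
        } else if (fromToken == address(0) && toToken == address(weth)) {
            // Wrap: msg.value must equal `amount`; no other token path exists.
            require(msg.value == amount, "msg.value != amount");
            weth.deposit{value: amount}();
            require(weth.transfer(receiver, amount), "send failed");
        } else {
            revert("unsupported pair");
        }
        return amount;
    }
}
```

The point of the hardened version is not the zero-amount check alone: a contract that holds user allowances must never execute calldata chosen by the caller against the token it is approved on, because any such call runs with the contract's own allowances. Fixed selectors, a bound amount, and a balance-delta check that is required to be non-zero close all three gaps at once.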
As of the time of writing, approximately $3.3 million has been stolen, with some funds exchanged for ETH and stored in the hackerâs address. Beosin Trace continues to monitor the stolen funds.
Socket, in an update on the X platform, states that operations have been restored, affected contracts have been suspended, and the situation is under full control. Interoperability with Bungee bridging and most partner front-end bridging has been reinstated. A detailed analysis of the event and subsequent steps will be announced soon. Socket issues a reminder: âBe cautious of fake Socket accounts attempting phishing in your replies. Please carefully verify the account before taking any action.â
This incident serves as a reminder to prioritize security. As we enter 2024, numerous security events have already occurred. Beosin, a globally leading blockchain security company, offers a comprehensive range of blockchain security products and services covering code security audits before project launch, real-time security risk monitoring, alerts and prevention, cryptocurrency asset recovery, security compliance KYT/AML, and more. We are committed to the secure development of the Web3 ecosystem. If needed, feel free to contact us.
High-performance Layer1 and Parallel EVM: Analysis of Sei Network and Its Ecosystem
Sei Network, which launched its mainnet in August 2023, began to take off after several months of silence. Currently, Sei liquid staking exceeds $3.5 million and network TVL exceeds $11 million. Previously, Sei, together with Beosin and Alibaba Cloud, successfully held the hackathon Code Sei: Powering New Gaming and DeFi Exchanges. Beosin also completed the audit of Kryptonite, Sei's liquid staking project, to strengthen the security of the Sei ecosystem. In 2024, Sei is about to launch a very important upgrade, Sei V2, which will improve parallel processing performance and bring the EVM to Sei. In this article, Beosin analyzes the technical features, code implementation, and ecosystem of Sei Network to help you understand the potential opportunities of Sei and its ecosystem.

Sei Features

As a Layer 1 built for order-book trading, Sei provides a built-in central limit order book (CLOB) module. Developers can use Sei's built-in order module to quickly launch and customize order-book trading dApps for spot, derivatives, options, and so on. At the same time, Sei's parallel design provides a fast, high-throughput network for its ecosystem.

How does Sei improve transaction processing speed?

1. Support for Compressed Blocks
In most blockchain networks, validators propose blocks and then send the hashes and the blocks to other validators, which introduces a certain waiting time. As shown below:
Sei allows its validators to send blocks containing only transaction hashes to its network. After other validators receive a block containing only the transaction hash, they will first construct the block based on the records in their local memory pool. If the corresponding transaction information does not exist in the memory pool, the validators will wait for subsequent blocks containing detailed transaction contents to arrive for validation. 2. Parallel Processing of Transactions For blockchain networks that execute transactions sequentially, when a block is proposed, validators need to wait for a certain length of time without actually processing the block. As shown on the left:
Sei validators process blocks in parallel during the pre-vote and pre-commit phases. Parallel processing reduces latency and increases throughput. The code implementation of Sei's parallel processing is shown in the figure below. In the ProcessTxs function, Sei processes the transactions in one of two ways: in parallel or sequentially. Transactions that are related (determined by checking whether the key-value pairs they read and write overlap) are processed sequentially; unrelated transactions are processed in parallel.
During parallel transaction processing, Sei uses Go's goroutines to execute multiple transactions concurrently. The current design cannot process very many transactions in parallel: if thousands of transactions were processed in parallel by Sei's nodes at the same time, consistency problems would be likely. This is why Sei V2 needs to upgrade its parallel processing.
Parallel EVM

What is Parallel EVM?

The EVM is the virtual machine in which Ethereum executes smart contract transactions. EVM transactions within a block are executed sequentially. Sequential execution keeps state transitions deterministic and avoids the complexity and conflicts of parallel execution, but it also limits the performance of the network. Hence the concept of parallel EVM, a design that allows different EVM transactions to execute simultaneously, greatly improving EVM processing speed and network throughput. The current approach is for new high-performance blockchains that already support parallel transactions, such as Solana, Aptos, and Sei, to become EVM compatible. Among these, Sei's parallel EVM attracts the most market attention.
Sei V2 Upgrade

Sei will implement parallel EVM in V2, due in 2024, supporting execution of and interaction between CosmWasm smart contracts and EVM smart contracts. The key points of the Sei V2 upgrade:

1. Optimistic parallelization: transactions are processed concurrently, significantly improving throughput and efficiency. If a state conflict is detected, the conflicting transactions are re-executed sequentially to preserve data integrity.
2. EVM compatibility: developers can deploy existing EVM smart contracts on Sei without changing any code, simplifying the transition to Sei V2 and improving interoperability.
3. Geth compatibility: Sei nodes will integrate Geth to handle EVM smart contract transactions and apply updates through a dedicated interface Sei created for the EVM.
4. SeiDB: an improved storage layer using more efficient data structures and databases to raise IO performance, make synchronization of new nodes easier and improve scalability.
5. Enhanced performance: 390 millisecond block time and finality, throughput of 28,300 batch transactions per second, and lower transaction costs.

The Sei V2 upgrade integrates the advantages of Ethereum and aims to provide a highly optimized execution layer that is fully compatible with the existing EVM ecosystem, attracting more users and developers to Sei.

Sei Contract Security Advice

Developers building applications in the Sei ecosystem write their smart contracts in CosmWasm. Beosin recommends the following security practices to improve the contract security of their projects:

1. Be prepared for an attack. Developers need to plan for how they will respond to an attack and fix vulnerabilities. Build upgradable smart contracts and prepare an incident response plan.
2. Be careful with deserialized Addr values. CosmWasm's Addr type is not validated when it is deserialized from a message, so an Addr field can carry a string that is not a valid address. Accept addresses as String in message types and validate them with the API (addr_validate) after deserialization, converting to Addr only then.
3. Watch for overflow. In a CosmWasm contract, developers need to guard against integer overflow and division by zero. Use CosmWasm's wide Uint256 and Uint512 types, and full_mul(), which multiplies into the next-wider type and therefore cannot overflow.
4. Watch for infinite loops. A CosmWasm contract can loop endlessly if its ACK handler calls back into itself. Developers passing packets between two CosmWasm contracts should be aware that this can create an infinite loop and consume a large amount of gas.

Sei Ecosystem

1. Wallet
Currently, the wallets built specifically for the Sei network are Compass Wallet and Fin Wallet. Fourteen wallets are compatible with Sei, including OKX Wallet and the Cosmos-ecosystem wallets Keplr and Leap Wallet.
Safety advice:
(1) Avoid wallets that have not been audited or have not been in operation for long.
(2) The most important protection for wallet assets is keeping mnemonic phrases and private keys safe.
(3) When interacting with Sei projects, signing is the risk that needs the most attention. Check that the transaction details are correct before signing. For example, an attacker can trick a user into signing a cosmos.bank.v1beta1.MsgSend that transfers tokens to the attacker's address.

2. Kryptonite
Kryptonite is the largest liquid staking protocol in the Sei ecosystem. Users stake SEI on its platform to receive stSei and earn an annualized return of 5.54%. Users can also stake Seilor/Sei LP tokens and stSei/SEIYAN LP tokens to earn rewards in the related tokens. Beosin previously completed a contract audit of Kryptonite to improve the security of its staking business. Kryptonite plans to launch the kUSD stablecoin, mintable by staking SEI, BTC, ETH and other assets, which will bring more liquidity to the Sei ecosystem.

3. Yaka Finance
Yaka Finance is building a multi-functional DEX offering trading, liquidity mining, a Launchpad and other DeFi services, with the goal of becoming the liquidity hub of the Sei ecosystem.
Previously, Yaka Finance won the first place in the DeFi track in the Code Sei: Powering New Gaming and Defi Exchanges hackathon organized by Sei, Beosin and Alibaba Cloud. Yaka Finance is currently in the test network stage and has launched an airdrop incentive program, attracting more than 15,000 users to participate in its testing.
4. Pallet Exchange
Pallet Exchange is the NFT marketplace of the Sei ecosystem, with daily trading volume reaching 1.23 million SEI (approximately $1 million). Pallet Exchange charges a 2% fee on NFT trades to fund the platform's operation.
Currently, the NFT collections attracting the most attention in the Sei ecosystem include WeBump, The Colony, Seiyans, Seinsei, and others. Because the Sei ecosystem is still at an early stage, users need to pay attention to the liquidity risk of these NFTs.

Conclusion

As a high-performance Layer 1 focused on trading, Sei optimizes both block production and block processing. The Sei ecosystem is currently growing rapidly. As the parallel EVM narrative continues, the Sei V2 upgrade will address Sei's current bottleneck, attracting more market attention and more developers to the Sei ecosystem. Beosin, a leading Web3 security company, and Sei have launched further ecosystem cooperation to support smart contract security audits in the Sei ecosystem. Beosin has already completed the contract audit of Kryptonite, the largest liquid staking platform on Sei, and will provide security services to more Sei ecosystem projects to help the ecosystem develop safely.
Beosin has successfully completed the rigorous SOC 2 attestation and secured the SOC 2 audit report.
This attestation is the result of our continuous investment in data security and information management.
Going forward, Beosin remains dedicated to providing excellent security solutions and high-quality customer service, empowering customers worldwide to achieve greater success in blockchain security.
How Radiant Capital Was Exploited by Hackers for a $4.5 Million Heist!
On January 3, 2024, according to Beosin EagleEye, the Radiant Capital project was hit by a flash loan attack. In three transactions, the attacker stole over 1,900 ETH, worth more than $4.5 million. The stolen funds currently sit in the attacker's address. The Beosin security team analyzed the incident promptly.

Vulnerability Analysis

The root cause lies in how Radiant Capital calculates token quantities, which involves scaling to a higher precision and rounding. The attacker gained control over the scaling factor and, combined with the rounding, widened the profit margin of the attack.
In the code, the rayDiv function takes two uint256 values, a and b, and computes (a * RAY + b/2) / b, where RAY is the precision scaling constant 10^27 (1e27). This equals a * RAY / b + 0.5 truncated to an integer, i.e. round-half-up. The error depends on the size of b relative to a * RAY: if b is much smaller than a * RAY, the relative error is negligible; if b is of a similar magnitude, the error can be large. For example, with a * RAY = 10000 and b = 3, the result is 3333, about 1/10000 below the true value 3333.33. With a * RAY = 10000 and b = 3000, the result is 3, 1/10 below the true value 3.33. In this incident, the attacker pushed b (the liquidityIndex) to the same magnitude as a * RAY, so the quotient was roughly 3/2.0001 = 1.4999, which rounds to 1, 1/3 below the true value.

Attack Process

1. The attacker borrowed 3 million USDC through an AAVE flash loan as start-up capital for the attack.

2. 2 million USDC was deposited into the Radiant contract, and the attacker received 2 million rUSDCn as the deposit receipt.

3. The attacker took a flash loan of 2 million USDC through the Radiant contract. In the callback, the 2 million USDC was repaid and, at the same time, the USDC deposited in step 2 was withdrawn. The flash-loan function calls transferFrom to move the attacker's USDC into the contract and charges a 9/10000 fee, which is added to the pool as liquidity.

4. By repeating step 3, the attacker inflated the liquidityIndex to 271800000000999999999999998631966035920 (about 2.718e38; a freshly initialized index equals RAY = 1e27).

5. The attacker then created a new contract and funded it with 543,600 USDC. Scaled by RAY, this amount (543,600 * 1e6 * 1e27 = 5.436e38) is exactly twice the liquidityIndex from step 4, which is what gives the attacker control over the rounding.

6. The attacker deposited all 543,600 USDC into the Radiant contract and received the corresponding amount of rUSDCn.

7. The attacker withdrew 407,700 USDC. 407,700 USDC worth of rUSDCn should have been burned, but the burn goes through the scaling-and-rounding calculation described above: 407700000000000000000000000000000000000 / 271800000000999999999999998631966035920 = 1.49999999..., which rayDiv rounds to 1, a result 1/3 smaller than the true value. As shown below, instead of burning 407,700 USDC worth of rUSDCn, only 271,800 was burned, while the attacker received 407,700 USDC.

8. Exploiting step 7 repeatedly, the attacker cycled deposits and withdrawals, each time withdrawing 1/3 more than was burned, until all of the pool's USDC had been drained.
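The following Solidity is an added example, not Radiant's or Aave's source: it reimplements the rayDiv/rayMul arithmetic exactly as the write-up describes it, evaluates it with the liquidityIndex and the 407,700 USDC withdrawal quoted above, and shows a round-up variant for the burn path. The library and contract names are assumptions; the two large constants are the values from the write-up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Radiant's or Aave's code: the round-half-up arithmetic
// described in the write-up, and a round-up variant for amounts that are burned.
library WadRayMath {
    uint256 internal constant RAY = 1e27;
    uint256 internal constant HALF_RAY = RAY / 2;

    /// (a * RAY + b/2) / b: round-half-up, the path the attacker exploited.
    function rayDiv(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b != 0, "div by zero");
        return (a * RAY + b / 2) / b;
    }

    /// (a * b + RAY/2) / RAY: converts scaled units back to underlying.
    function rayMul(uint256 a, uint256 b) internal pure returns (uint256) {
        return (a * b + HALF_RAY) / RAY;
    }

    /// ceil(a * RAY / b): rounds against the user, so a burn never undercounts.
    function rayDivUp(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b != 0, "div by zero");
        return (a * RAY + b - 1) / b;
    }
}

contract RoundingDemo {
    // Values quoted in the write-up: the inflated liquidityIndex after step 4,
    // and the 407,700 USDC (6 decimals) withdrawal of step 7.
    uint256 public constant INDEX = 271800000000999999999999998631966035920;
    uint256 public constant WITHDRAW = 407_700 * 1e6;

    /// Scaled units burned by the round-half-up path, and their underlying value.
    /// (407.7e36 + INDEX/2) / INDEX = 1.9999... truncated to 1 scaled unit,
    /// which rayMul values at 271_800_000_000 = 271,800 USDC.
    function vulnerableBurn() external pure returns (uint256 scaled, uint256 underlying) {
        scaled = WadRayMath.rayDiv(WITHDRAW, INDEX);
        underlying = WadRayMath.rayMul(scaled, INDEX);
    }

    /// The same withdrawal with the burn rounded up: 2 scaled units, valued at
    /// 543_600_000_002, so the contract can never release more than it burns.
    function hardenedBurn() external pure returns (uint256 scaled, uint256 underlying) {
        scaled = WadRayMath.rayDivUp(WITHDRAW, INDEX);
        underlying = WadRayMath.rayMul(scaled, INDEX);
    }
}
```

Rounding the burn up is the directional fix (the protocol rounds in its own favour on burns and against itself on mints), but with the index this far from RAY a single scaled unit is worth 271,800 USDC, so rounding alone leaves users overpaying by large amounts. The complementary defence is to stop the index from being inflated in the first place: the loop in steps 3 and 4 only works because fees accrue to a pool whose scaled supply has been emptied, so a pool should refuse to accrue fees into (or allow full withdrawal from) a position that would leave zero or dust scaled supply.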
Funds Tracking

As of the time of writing, the stolen 1,902 ETH remains in the attacker's address and has not moved. Beosin Trace will continue monitoring the funds.
As 2024 begins, we have already witnessed two high-value thefts. (Review of yesterday's security incident: What happened in the first case of the year, the $80 million theft from Orbit Chain?) This series of events is a reminder that in the Web3 ecosystem, security precautions remain crucial.
The Orbit Chain Incident: Unraveling the Story Behind the $80 Million Heist, the First Case of 2024
On January 1, 2024, according to monitoring data from Beosin EagleEye, the Orbit Chain project suffered an attack resulting in a loss of at least $80 million. Beosin Trace analysis shows that the attacker's address (0x27e2cc59a64d705a6c3d3d306186c2a55dcd5710) carried out a small-scale attack a day earlier and used the stolen ETH to fund transaction fees for the other five addresses involved in the attack. Orbit Chain is a cross-chain bridge platform that lets users use crypto assets from different blockchains on a single chain. The project has temporarily suspended the cross-chain bridge contract and is in communication with the attacker. Beosin's security team analyzed the incident immediately.

Event Analysis

The core of this incident is that the attacker directly called the withdraw function of the Orbit Chain: Bridge contract to transfer assets out. Looking at the withdraw function's code, it relies on signature verification to establish that a withdrawal is legitimate. In blockchain transactions, signature verification is a common security mechanism used to confirm that the initiator holds the required permission and control. In the withdraw function, it is meant to ensure that only authorized signers can release assets.
Upon entering the signature verification function (_validate), it can be observed that the function returns the number of owner signatures, crucial information for verifying the legitimacy and security of the transaction. By returning the number of owner signatures, the compliance and authenticity of the transaction can be verified to some extent. Depending on the specific implementation, the number of owner signatures may be compared to a pre-set threshold to determine whether the conditions for executing the transaction are met.
The subsequent step involves checking whether this quantity is greater than or equal to the required value. If the conditions are met, the withdrawal is executed. According to on-chain data, there are a total of 10 addresses managing this contract. The required value is 7, indicating that 70% of administrator signatures are required to execute the withdrawal transaction.
In summary, the cause of the incident appears to be a compromise of the server holding the administrators' private keys.

Attack Process

According to on-chain data, the attacker began probing the Orbit Chain project on December 30, 2023, 03:39:35 PM UTC. The amount of ETH stolen at that stage was relatively small, and that ETH was sent to several other attacker addresses to pay their transaction fees.
Several other hacker addresses subsequently attacked Orbit Chainâs DAI, WBTC, ETH, USDC, and USDT on December 31, 2023, 9:00 PM +UTC.
Funds Tracking As of the time of writing, the stolen funds were transferred to the five addresses mentioned earlier after the formal initiation of the attack. In five separate transactions, each sent to a new wallet, Orbit Bridge sent $50 million in stablecoins (30 million Tether, 10 million DAI, and 10 million USDC), 231 wBTC (approximately $10 million), and 9,500 ETH (approximately $21.5 million).
This cross-chain bridge incident is a reminder that security must be the top consideration in designing and operating blockchain systems. First, code security: contract code is a core component of a blockchain system, so best practices and security standards should be followed when writing and reviewing it, to avoid common vulnerabilities and attack vectors. Second, authentication and key management: ensuring that only authorized users or contracts can perform critical operations is essential to preventing unauthorized access and asset loss. Robust identity verification, multi-signature schemes whose signing keys are kept on separate, hardened systems, and strict permission management can effectively restrict access so that only authorized entities can perform sensitive operations.
Blockchain Security Recap of December: $24.94M Lost in Attacks
According to data from Beosin EagleEye, a blockchain security auditing company, the total amount of losses from various security incidents in December 2023 significantly decreased compared to November. In December, there were more than 21 typical security incidents, resulting in a total loss of approximately $24.94 million, a decrease of about 93% from November. Among them, attack incidents accounted for about $12.45 million, phishing scams about $9.6 million, and Rug Pull incidents about $2.89 million. There were no large-scale hacking events with losses exceeding $10 million this month. Two significant security incidents occurred: a security vulnerability in the Web3 development platform Thirdweb affecting multiple smart contracts, and a supply chain attack on the Ledger Connect Kit, a commonly used code library for Web3 projects. Fortunately, the losses from these two incidents did not exceed one million dollars each. Additionally, phishing scams continued to occur this month, with several cases of individual addresses being stolen for amounts exceeding one million dollars, emphasizing the need for increased vigilance among users. Hacker Attacks ă12ăNotable Security Incidents On December 5th, a security vulnerability was identified in the Web3 development platform Thirdweb, affecting multiple smart contracts. 
At least three projects were attacked due to the vulnerability, resulting in a loss of approximately $210,000.On December 6th, the DeFi protocol BEARNDAO was attacked, with the attacker profiting over $700,000.On December 10th, the DeFi protocol Venus Protocol was attacked due to an oracle issue, resulting in a loss of approximately $200,000.On December 12th, the abandoned DEX market maker contract management authority on OKX was stolen, resulting in a loss of approximately $2.7 million.On December 14th, the commonly used code library Ledger Connect Kit for Web3 projects suffered a supply chain attack, with the attacker profiting approximately $600,000.On December 17th, NFT Trader was attacked due to a reentrancy vulnerability, resulting in a loss of approximately $3 million. The stolen assets were returned by the attacker, who kept 10% as a bounty.On December 17th, the NFT trading market Flooring Protocol was attacked by hackers, resulting in a loss of approximately $1.6 million.On December 22nd, the DeFi protocol Transit Finance was attacked by hackers, resulting in a loss of approximately $110,000.On December 23rd, the DEX project Paraluni was subjected to a price manipulation attack, resulting in a loss of approximately $330,000.The perpetual trading protocol Levana Protocol on the Osmosis blockchain was attacked between December 13th and 26th, resulting in a loss exceeding $1.1 million.On December 26th, the Telcoin wallet was attacked, resulting in a loss of approximately $1.2 million.On December 30th, Channels Finance on the BSC was attacked by hackers, resulting in a loss exceeding $320,000. 
Phishing Scam / Rug Pull: 4 Notable Security Incidents

On December 5th, a rug pull occurred with the CKD token on the BNB Chain, with the deployer profiting approximately $540,000.
On December 26th, MegabotETH experienced a rug pull, with the deployer making approximately $740,000 in profit.
On December 26th, two victims lost assets totaling over $1.5 million to a phishing scam.
On December 29th, an address starting with 0xea696 lost $4.4 million worth of LINK tokens to a phishing scam.

Cryptocurrency Crimes / Regulatory Cases: 5 Notable Security Incidents

On December 5th, the Henan Prosecutor's Office revealed a large-scale virtual currency pyramid scheme case, involving an amount exceeding 120 million Chinese Yuan.
On December 6th, the co-founder of the crypto exchange Bitzlato admitted to a money laundering offense totaling $700 million.
On December 10th, the Hong Kong police cracked down on a criminal gang that had laundered 30 million Hong Kong dollars through virtual currencies.
On December 13th, the U.S. Department of Justice charged two individuals with operating a $25 million cryptocurrency Ponzi scheme.
On December 15th, the U.S. Department of Justice disclosed charges against four individuals for cryptocurrency fraud and money laundering, with losses exceeding $80 million.

Conclusion

Overall, in December 2023, the total losses from various blockchain security incidents significantly decreased compared to November. In comparison to November, this month saw new types of attacked projects, including development tools, code libraries and NFTs, indicating that hackers are expanding their target range. The entire Web3 ecosystem should enhance security awareness to actively counter this trend. This month, 50% of the attack incidents still originated from contract vulnerability exploitation, such as reentrancy vulnerabilities.
It is advisable for project teams to seek professional security audits before launching to mitigate such risks.

Contact: If you need any blockchain security services, you are welcome to contact us via the Beosin official website, Beosin EagleEye, Twitter, Telegram or LinkedIn.
Beosin has just dropped the much-anticipated "2023 Global Web3 Security Statistics Report"! Dive into key insights and gain a unique perspective on the latest happenings in the Web3 security landscape.

In a nutshell:
1. Web3 witnessed total losses of $2.02 billion in 2023.
2. 68% of attacks targeted DeFi projects, resulting in $408 million in losses.
3. Attack types diversified, incorporating Web2 tactics.
4. Increased blockchain diversity driven by CEX incidents; top 5 chains affected: Ethereum, Mixin, HECO, BNB Chain, and TRON.
5. 51.8% of stolen funds ($723 million) remained in hacker addresses, with intricate cross-chain transfers used for money laundering.
6. 267 Web3 rug pulls in 2023, with losses of $388 million, showing an 8.7% decrease from 2022.

Explore more data in the detailed article here: 2023 Global Web3 Security Statistics & AML Analysis
2023 Global Web3 Security Statistics & AML Analysis
1. Beosin: 2023 Web3 Security Overview
According to statistics from Beosin EagleEye, the total losses from hacks, phishing scams, and rug pulls in Web3 reached $2.02 billion in 2023. Among them, 191 major attacks resulted in a total loss of approximately $1.397 billion; 267 rug pulls with total losses of around $388 million; and total losses from phishing scams of approximately $238 million.
In 2023, hacks, phishing scams and rug pulls all saw significant declines compared to 2022, with total losses down 53.9%. Hacks saw the biggest drop, from $3.6 billion in 2022 to $1.397 billion in 2023, a decrease of about 61.2%. Phishing losses were down 33.2% from 2022, and rug pull losses were down 8.8% from 2022.
There were 4 attacks with losses over $100 million in 2023, and 17 attacks with losses between $10 million and $100 million. The top 10 attacks accounted for total losses of about $1 billion, representing 71.5% of total losses for the year. Compared to 2022, attacked project types were more diverse in 2023, including DeFi, CEXs, DEXs, public blockchains, cross-chain bridges, wallets, payment platforms, casinos, crypto brokers, infrastructure, password managers, developer tools, MEV bots, TG bots and more. DeFi saw the most attacks and the highest losses, with 130 DeFi attacks causing total losses of about $408 million.

Attacks occurred across more public blockchain types. Ethereum remained the chain with the highest losses: 71 attacks on Ethereum caused $766 million in losses, accounting for 54.9% of total losses for the year.

By attack type, 30 private key compromise incidents caused about $627 million in losses, representing 44.9% of total losses, making it the most damaging attack type. Contract vulnerability exploitation was the most frequent attack type: of the 191 attacks, 99 involved contract vulnerabilities, accounting for 51.8%.

About $295 million of stolen funds were recovered during the year, representing 21.1% of losses, a significant increase from 2022. About $330 million in stolen funds were sent to mixers, representing 23.6% of total stolen funds.

In contrast to the significant declines in on-chain hacks, phishing and rug pulls, 2023 saw a huge increase in offline crypto crime figures. Global crypto crime losses reached $65.68 billion in 2023, up about 377% from $13.76 billion in 2022. The top three crime types by losses were illegal gambling, money laundering and scams.
2. 2023 Web3 Top 10 Attacks

In 2023 there were 4 attacks with over $100 million in losses: Mixin Network ($200 million), Euler Finance ($197 million), Poloniex ($126 million) and HTX & Heco Bridge ($110 million). The top 10 attacks accounted for total losses of about $1 billion, 71.5% of yearly losses.

No.1 Mixin Network
Losses: $200 million
Attack type: Cloud service provider database compromise
On September 23rd, Mixin Network's cloud provider was hacked, resulting in partial mainnet asset losses of around $200 million. Mixin's founder later explained that the stolen assets were mainly BTC, with minimal losses of BOX and XIN tokens. Further details were withheld.

No.2 Euler Finance
Losses: $197 million
Attack type: Contract vulnerability (business logic flaw)
On March 13th the Euler Finance DeFi lending protocol was hacked for around $197 million. The root cause was a failure to properly check users' actual token balances and ledger health after donations. All stolen funds have since been returned by the attacker.

No.3 Poloniex
Losses: $126 million
Attack type: Private key compromise / APT attack
On November 10th, addresses related to Justin Sun's Poloniex exchange started transferring out large amounts of assets, indicating a hack. Sun and Poloniex soon confirmed the breach on social media. Beosin tracked stolen assets totaling around $126 million.

No.4 HTX & Heco Bridge
Losses: $110 million
Attack type: Private key compromise
On November 22nd, Justin Sun's HTX exchange and Heco Bridge were hacked for $110 million in total, with $86.6 million lost from Heco Bridge and $23.4 million from HTX.

No.5 Curve / Vyper
Losses: $73 million
Attack type: Contract vulnerability (reentrancy)
On July 31st Vyper announced a reentrancy bug in versions 0.2.15, 0.2.16 and 0.3.0. Combined with the callback a contract receives during an ETH transfer, this enabled reentrancy attacks on the linked ETH/stablecoin pools.
Curve later tweeted that multiple pools built with the flawed Vyper 0.2.15 were exploited because the reentrancy lock did not hold. Losses totaled around $73 million.

No.6 CoinEx
Losses: $70 million
Attack type: Private key compromise / APT attack
On September 12th the exchange CoinEx stated that its risk control systems had detected suspicious large withdrawals from the temporary hot wallets storing the platform's transaction assets. A special team was formed; the losses involved assets such as ETH, TRON and Polygon tokens, totaling around $70 million.

No.7 Atomic Wallet
Losses: $67 million
Attack type: Private key compromise / APT attack
Beosin's EagleEye platform detected that Atomic Wallet was hacked in early June. Based on reported on-chain victim data, Beosin estimates losses of at least $67 million.

No.8 Alphapo
Losses: $60 million
Attack type: Private key compromise / APT attack
On July 23rd the hot wallet of the payments provider Alphapo was hacked for $60 million. The North Korean hacker group Lazarus was behind the breach.

No.9 KyberSwap
Losses: $54.7 million
Attack type: Contract vulnerability (business logic flaw)
On November 22nd, the DEX KyberSwap suffered a $54.7 million exploit. Kyber said it was one of the most complex attacks in DeFi, requiring precise on-chain execution by the hacker.

No.10 Stake.com
Losses: $41.3 million
Attack type: Private key compromise / APT attack
On September 4th the crypto casino site Stake.com was hacked. Stake.com stated that unauthorized transactions had occurred from its ETH and BSC hot wallets. The breach was attributed to the North Korean APT group Lazarus.

3. Loss by Project Type

Compared to 2022, attacked project types were more diverse in 2023, and losses were spread across project types rather than concentrated on a few. In addition to common targets such as DeFi, CEXs, DEXs, public blockchains, cross-chain bridges and wallets, attacks in 2023 also hit payment platforms, casinos, crypto brokers, infrastructure, password managers, developer tools, MEV bots, TG bots and more.
Of the 191 attacks in 2023, 130 targeted DeFi projects (about 68%), the most of any type. DeFi attacks resulted in about $408 million in losses, 29.2% of total losses, also the most of any type. CEXs (centralized exchanges) ranked 2nd in losses, with 9 attacks causing $275 million in losses. There were also 16 attacks on DEXs (decentralized exchanges), resulting in $85.68 million in losses. Overall, exchange security was the most significant issue after DeFi security in 2023.
Public blockchains ranked 3rd in losses at about $208 million, mainly due to the $200 million Mixin Network hack. In 2023 cross-chain bridge losses ranked 4th, accounting for about 7% of total losses. In 2022, 12 cross-chain bridge attacks caused $1.89 billion in losses, 52.5% of that year's total, so bridge attacks declined significantly in 2023. Crypto payment platforms ranked 5th, with 2 incidents (Alphapo and CoinsPaid) totaling $97.3 million in losses. Both attacks were attributed to the North Korean APT group Lazarus.

4. Loss by Chain

Compared to 2022, the affected blockchains were also more diverse, because several CEX private key compromise incidents caused losses across multiple chains. The top 5 by losses were Ethereum, Mixin, HECO, BNB Chain and TRON. The top 5 by number of attack incidents were BNB Chain, Ethereum, Arbitrum, Polygon, and a tie between Optimism and Avalanche for 5th.
As in 2022, Ethereum saw the most losses: 71 Ethereum attacks caused $766 million in losses, 54.9% of the yearly total. Mixin Network ranked 2nd with a single $200 million incident. HECO chain ranked 3rd with about $92.6 million in losses.
BNB Chain saw the most attacks at 76, about 39.8% of the total. BNB Chain losses totaled about $70.81 million, with 88% of its attacks under $1 million.

5. Attack Type Analysis

Compared to 2022, attack types diversified in 2023, incorporating more Web2 tactics such as database compromise, supply chain attacks, third-party service provider attacks, man-in-the-middle attacks, DNS attacks and front-end attacks.
In 2023, 30 private key compromise incidents caused $627 million in losses, 44.9% of the total, making it the most damaging attack type. Major private key compromise incidents included: Poloniex ($126 million), HTX & Heco Bridge ($110 million), CoinEx ($70 million), Atomic Wallet ($67 million) and Alphapo ($60 million). Most were linked to North Korean APT group Lazarus.
Contract vulnerability exploitation was the most frequent attack type: 99 of 191 attacks (51.8%). Total losses from contract vulnerabilities ranked 2nd at $430 million. By subtype, business logic vulnerabilities were the most frequent and the most damaging: about 72.7% of contract vulnerability losses ($313 million) stemmed from business logic flaws. Reentrancy ranked 2nd with $93.47 million in losses across 13 incidents.
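The reentrancy pattern behind the Curve/Vyper entry in the top 10 (a payout whose callback re-enters the contract before its own ledger is updated) and behind the 13 reentrancy incidents counted here, shown as an added example. This is not code from Beosin or from any project in the report; it models EVM call semantics in plain Python. A vault whose withdraw pays out before it records the withdrawal sits beside the two standard fixes, checks-effects-interactions ordering and a contract-wide reentrancy lock, and an attacker contract whose receive hook calls straight back in. The class names, the deposit amounts and the simplification that a caught revert rolls nothing back are assumptions of the model, not facts about any of the incidents.

```python
"""Reentrancy against a vault that pays out before updating its ledger.

Added illustration, not code from Beosin or from any project named in the
report. Models EVM call semantics in plain Python: paying a contract address
invokes that contract's receive hook, which can call back into the vault
while the vault's own bookkeeping is still unfinished. Assumption: a revert
raised inside the callback is caught by the attacker (as a low-level call
returning false would be) and does not roll back earlier state changes.
"""


class Reverted(Exception):
    """Stands in for an EVM revert."""


class VulnerableVault:
    """Interaction (payout) before effect (ledger update): re-enterable."""

    def __init__(self):
        self.balances = {}   # depositor -> credited deposit
        self.funds = 0       # ETH actually held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            raise Reverted("nothing to withdraw")
        self._pay(who, amount)        # external call: a contract can re-enter here
        self.balances[who] = 0        # the effect lands only after the callback

    def _pay(self, who, amount):
        if amount > self.funds:
            raise Reverted("insufficient contract balance")
        self.funds -= amount
        receive = getattr(who, "receive", None)
        if receive is not None:       # contract recipients get a callback
            receive(self, amount)


class CEIVault(VulnerableVault):
    """Checks-effects-interactions: zero the ledger entry before paying."""

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            raise Reverted("nothing to withdraw")
        self.balances[who] = 0
        self._pay(who, amount)


class GuardedVault(VulnerableVault):
    """Same bad ordering, but one contract-wide lock around withdraw."""

    def __init__(self):
        super().__init__()
        self.locked = False

    def withdraw(self, who):
        if self.locked:
            raise Reverted("reentrant call")
        self.locked = True
        try:
            super().withdraw(who)
        finally:
            self.locked = False


class Attacker:
    """Contract whose receive hook re-enters withdraw until something reverts."""

    def __init__(self):
        self.stolen = 0

    def receive(self, vault, amount):
        self.stolen += amount
        try:
            vault.withdraw(self)      # ledger still shows our full deposit
        except Reverted:
            pass                      # guard, zeroed ledger or empty vault stopped us


def run_exploit(vault_cls, victim_deposit=9, attacker_deposit=1):
    """Return (amount the attacker ends up with, ETH left in the vault)."""
    vault = vault_cls()
    attacker = Attacker()
    vault.deposit("victim", victim_deposit)   # constructed sample balances
    vault.deposit(attacker, attacker_deposit)
    vault.withdraw(attacker)
    return attacker.stolen, vault.funds


if __name__ == "__main__":
    for cls in (VulnerableVault, CEIVault, GuardedVault):
        stolen, left = run_exploit(cls)
        print(f"{cls.__name__:16s} attacker holds {stolen}, vault keeps {left}")
```

On a 1-unit deposit the vulnerable vault hands the attacker all 10 units it holds, while both fixed variants pay out exactly 1. The lock variant only helps if every state-changing entry point shares the same lock; a lock that fails to hold across a re-entrant call is the class of failure the Curve/Vyper entry describes as a reentrancy lock malfunction, which is why the ordering fix should be applied even where a guard exists.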
6. Stolen Fund Flow Analysis

Of 2023's total stolen funds, about $723 million remained in hacker addresses (including funds bridged to other chains), 51.8% of the total. Compared to last year, hackers favored more complex money laundering via cross-chain transfers and distribution across multiple addresses. More addresses and more intricate laundering paths make investigations harder for projects and regulators.
About $295 million in stolen funds were recovered, 21.1% of losses, a major improvement from just 8% recovered in 2022. Most recovery occurred via on-chain negotiation. About $330 million in stolen funds were sent to mixers (about $71.16 million to Tornado Cash, $259 million to other mixers), accounting for 23.6% of total losses, a significant reduction from 38.7% in 2022. Since Tornado Cash was sanctioned by US OFAC in August 2022, flows to it dropped substantially, with increases to other mixers such as Sinbad and FixedFloat instead. In November 2023 Sinbad was sanctioned by OFAC as "a major money laundering tool for the North Korean Lazarus group." Additionally, some stolen funds ($12.79 million) were sent to exchanges, while a small portion ($10.9 million) was frozen.

7. Audit Analysis

Of the 191 attacks, 79 targeted unaudited projects while 101 had been audited. The audited share was slightly higher than last year (roughly equal audited/unaudited in 2022).
47 of the 79 unaudited projects (59.5%) were exploited via contract vulnerabilities, showing that unaudited projects tend to carry more latent risk. In comparison, 51 of the 101 audited projects (50.5%) suffered contract exploits, which indicates that audits improve security to some degree. However, the lack of standards in the Web3 market leads to inconsistent audit quality, with results falling short of expectations. To effectively safeguard assets, projects are advised to engage professional security firms for auditing before launch. As a leading global blockchain security firm devoted to ecosystem security, Beosin has audited over 3,000 smart contracts and public chains, including PancakeSwap, Ronin Network, OKCSwap and more. As a reputable blockchain security provider, Beosin delivers excellent audit services.

8. Rug Pull Analysis

In 2023, Beosin's EagleEye platform monitored 267 Web3 rug pulls totaling about $388 million in losses, an 8.7% decline from 2022.
By amount, 233 of 267 rug pulls (87%) involved less than $1 million, roughly even with 2022. There were 4 rug pulls above $10 million: Multichain ($210 million), Fintoch ($31.6 million), BALD ($23 million) and PEPE ($15.5 million). 92.3% of rug pulls occurred on BNB Chain (159) and Ethereum (81). Smaller quantities occurred on other chains like Arbitrum, BASE, Sui and zkSync.
9. 2023 Global Crypto Crime Data

Global 2023 crypto crime losses reached a staggering $65.68 billion, up about 377% from $13.76 billion in 2022. While on-chain hacks declined sharply, crime in other crypto areas surged dramatically. Topping the list was illegal gambling at $54.9 billion. Other leading categories were money laundering ($4 billion), scams ($2.05 billion), pyramid schemes ($1.43 billion) and hacks ($1.39 billion).
With improving global regulation and law enforcement crackdowns, 2023 saw police around the world take down multiple billion-dollar crypto crime cases. Some major examples:

No.1 In July 2023, Hubei police in China busted the nation's largest ever cryptocurrency case, with transactions reaching 400 billion RMB ($54.9 billion). The online gambling operation involved over 50,000 people. Servers were overseas and key perpetrators such as Qiu have been prosecuted.
No.2 In August 2023, Singapore authorities uncovered the state's largest money laundering case at 2.8 billion SGD, mainly involving cryptocurrency.
No.3 In March 2023, Jiangsu police in China prosecuted Ubank's $1.4 billion cryptocurrency pyramid scheme.
No.4 In December 2023, the co-founder of the cryptocurrency exchange Bitzlato pleaded guilty to $700 million money laundering charges, per New York prosecutors.
No.5 In July 2023, Brazilian federal police dismantled two drug cartels that had laundered over $417 million through crypto.
No.6 In February 2023, US prosecutors indicted Forsage's founders for a $340 million DeFi Ponzi fraud.
No.7 In November 2023, Himachal Pradesh police in India arrested 18 people in connection with a $300 million cryptocurrency fraud.
No.8 In August 2023, Israeli police charged businessman Moshe Hogeg and partners with a $290 million cryptocurrency investment scam.
No.9 In June 2023, Thai police uncovered a potential $2.88 billion crypto fraud scheme.
No.10 In October 2023, Hong Kong SAR police had cumulatively arrested 66 people in connection with the $205 million JPEX crypto exchange scam.

2023 saw an explosion in crypto crime cases globally. The prevalence of fraud and pyramid schemes also greatly increased average users' risk of losses, so improved regulation is imperative. While global regulators made considerable efforts this year, there is still a long way to go toward a mature, safe and developing ecosystem.

10. 2023 Web3 Security Summary

In 2023, on-chain hacks, phishing and rug pulls declined notably from 2022.
Hacking losses dropped 61.2%, with the top attack type shifting from contract exploits in 2022 to private key compromise in 2023. Key reasons include:
1. After last year's rampant hacking activity, the Web3 ecosystem emphasized security in 2023 across projects and security firms. Efforts can be seen in areas such as real-time monitoring, auditing and learning from past hacking events. Exploiting contracts became harder than before.
2. Strengthening global regulation and improving anti-money laundering technology. In 2023, 21.1% of stolen funds were recovered, far higher than the 8% of 2022. As mixers such as Tornado Cash and Sinbad were sanctioned by the US, money laundering grew more complex for hackers. We are also seeing news of hackers being arrested by local police, all of which acts as a deterrent.
3. The impact of the crypto bear market. Lower expected profits from Web3 reduced the incentive to hack.

Hackers expanded beyond DeFi, cross-chain bridges and exchanges to target payment platforms, casinos, crypto brokers, infrastructure, password managers, developer tools, MEV bots, TG bots and more. In contrast to plummeting on-chain hacks, less visible offline crypto crimes such as gambling, money laundering and fraud spiked heavily, helped by the anonymity cryptocurrencies provide. However, attributing surging virtual currency crime solely to anonymity and oversight gaps is one-sided. The root cause is rising global crime itself, with cryptocurrencies offering hidden, hard-to-trace channels. In 2023, slowing global economic growth and political instability allowed crime levels to soar. With similar economic expectations for 2024, global crime will likely remain high, posing severe challenges for authorities and regulators.
Beosin is currently conducting a comprehensive audit for Aeroscraper, a groundbreaking project in the DeFi realm!

Aeroscraper introduces a user-centric decentralized lending-borrowing protocol, transforming DeFi with its innovative interest-free approach and over-collateralized stablecoin & DeFi loans.

Our team is diligently examining the code, ensuring the security and reliability of Aeroscraper's protocol. Stay tuned for updates on this game-changing project!