Nibiru Chain launched its airdrop incentives at the end of January 2024. After a month of airdrop activities, its community grew more than three times and the number of Twitter followers exceeded 500,000. As a new chain with over $20 million in financing, Nibiru Chain focuses on solving the security and speed of DeFi applications.
 
Nibiru Chain plans to launch its mainnet this week. As a fast-growing Layer 1, what are the technical features and competitive advantages of Nibiru Chain? What safety issues need to be paid attention to in the development of projects on Nibiru Chain? Here is Beosin's analysis on it.
 
Nibiru Chain Analysis
Nibiru Chain mainly focuses on DeFi and trading. It has the following four components:
 
1. Nibi-Perps
On-chain perpetual contract trading allows users to trade with up to 10 times leverage on crypto assets such as BTC, ETH and ATOM. $NIBI stakers will have Nibi-Perps governance rights and trading fee discounts.
 
2. Nibi-Swap
Nibiru's automated market maker protocol plans to support two types of LP pools: stablecoin pools and constant product model pools.
 
3. $NUSD
$NUSD is a fully collateralized stablecoin of the Nibiru ecosystem. Nibiru plans to first support users to use $USDC and $NIBI to mint $NUSD. The specific ratio between the two is determined by Collateral Ratio. If CR= 80%, which means to mint 100 $NUSD, users need to provide 80 $USDC and NIBI equivalent to 20 $NUSD.
 
In the future, Nibiru Chain will support more types of collateral. Currently, $NUSD is more like $FRAX of the Cosmos ecosystem.
 
4.  Nibi-Oracles
Nibi-Oracles is its native oracle solution that allows validators to actively participate in oracle consensus voting, integrate off-chain data into the blockchain with high fidelity, and provide low-latency feeds from external APIs and smart contracts.
 
In 2024, Nibiru Chain will focus on the growth of its ecosystem and its main developments include integrating with major DeFi projects on multiple chains, listing on first-tier centralized exchanges, completing parallel optimistic execution, and achieving comprehensive EVM compatibility.
 
Secure Development Practices
If you develop an application on Nibiru Chain, the following security guidelines can help improve the contract security of your project:
 
Contract development security
1. Be prepared for attacks
Similar to developing Solidity contracts, developers need to consider how to face attacks and fix vulnerabilities. Therefore, developers need consider to build upgradable smart contracts and develop risk response plans.
 
2. Pay attention to the standardization of address verification
There are two valid representations of any valid Cosmos SDK address: all lowercase and all uppercase, such as: cosmos1uzwqa88hcqe5gs7u7lgjxekz7xc6sm0f7xwp6a vs.
COSMOS1UZWQA88HCQE5GS7U7LGJXEKZ7XC6SM0F7XWP6A are the same address, and Nibiru is the same. When dealing with addresses in contracts, we need to consider this characteristic of addresses.
 

As shown in the above code, since dest is not standardized and the addresses commonly used are lowercase addresses, anyone can bypass BLACKLIST by providing uppercase addresses.
 
3. Pay attention to operations and overflow
In the CosmWasm contract, developers need to pay attention to the risk of integer overflow or division by zero. It is recommended that developers use CosmWasm's Uint256 and Uint512 types and use the mathematical function full_mul().
 
4. Access control issues
Access control is one of the main issues in program security . There are countless security incidents caused by access control issues, which also need to be paid attention to in the Cosmwasm contract. The following is a typical case:
 

Due to the lack of checks and restrictions on the caller's address, the above code allows anyone to call update_config(), set their own address as the treasury address, and receive all rewards generated by the contract.
 
5. Beware of infinite loops
CosmWasm contracts may get stuck in an infinite loop by calling itself back in the ACK handler. If developers transfer data packets between two CosmWasm contracts, they should be aware that this may cause an infinite loop and consume a lot of gas fees.
 
Project safety practices
1. Smart contract audit
Smart contract audit is to systematically test and review the smart contract code to discover potential security issues, eliminate security risks, and ensure that the code has no business logic vulnerabilities and conforms to the expected running process and results. Regular security audits of the project's smart contracts are crucial.
 
2. Use a multi-signature wallet
Project parties need to consider using multi-signature wallets to manage project treasury and smart contracts. Multi-signature accounts need to be held by multiple entities to avoid potential access control risks and internal evil. At present, Nibiru Chain has adopted Nomos multi-signature solution, and projects can consider using Nomos for asset management.
 
Summary
As a new Layer 1, Nibiru Chain provides an innovative platform for DeFi, games, RWA and other fields. It aims to solve the accessibility, security and performance issues of Web3 applications and provide developers and ordinary users with comprehensive and excellent services.
 
Currently, Beosin has established a strategic partnership with Nibiru Chain , aiming to significantly improve the security of the Web3 ecosystem and conduct cutting-edge joint research to create a more secure and innovative blockchain ecological environment.
 

Beosin will provide professional services in smart contract auditing and risk monitoring for projects built on Niburu Chain. Through Beosin's security solution, projects can identify and repair potential vulnerabilities and security risks to ensure the stability and security of its smart contracts and systems. This not only protects users' assets, but also provides users with a more reliable experience, further promoting the safe development of the Nibiru Chain ecosystem.

According to Beosin KYT AML analysis platform platform, in February 2024, the number of various security incidents and the amount involved increased significantly compared with January. In this month, more than 19 typical security incidents occurred in February 2024 and the total losses caused by hacker attacks, phishing scams and Rug Pull reached $422 million, an increase of approximately 102% from January. Attack incidents were approximately $347 million, an increase of approximately 110%. Phishing fraud incidents were approximately $16.08 million, a decrease of approximately 52%. Rug Pull incidents were approximately $59.38 million, an increase of approximately 440%.

The biggest security incident in this month was the attack on PlayDapp, a gaming platform, which caused a loss of 290 million dollars. Other incidents with losses of more than 10 million dollars include FixedFloat, a centralized exchange, with a loss of $26.1 million and a personal address of Axie Infinity co-founder Jihoz.ron with a loss of approximately $10 million due to his compromised private keys. In addition, Bitforex, a Hong Kong exchange, is suspected of having a Rug Pull , with an abnormal outflow of $56.5 million from its hot wallet. At the same time, there are new updates on regulatory compliance policies. Let’s take a look.

Hacker Attacks
『9』Typical Security Incidents
No.1 On February 9 and February 12, PlayDapp, a gaming platform, suffered two compromised private keys. The attackers minted a total of 1.79 billion PLA tokens, worth approximately $290 million.
No.2 On February 14, Miner, an ERC-X project, was attacked due to a contract vulnerability, resulting in a loss of approximately $460,000.
No.3 On February 14, the hot wallet of Duelbits, a crypto gambling platform, was attacked, resulting in a loss of approximately $4.6 million.
No.4 On February 17, FixedFloat was attacked, losing $26.1 million worth of Bitcoin and Ethereum.
No.5 On February 22, Blueberry Protocol, a DeFi lending protocol, was attacked due to a contract vulnerability, resulting in a loss of approximately $1.35 million, of which $1.08 million has been returned by the white hat hacker who frontran the attack transaction.
No.6 On February 23, Jihoz.ron, co-founder of Axie Infinity, stated that two of his addresses were attacked due to the compromised private keys, resulting in losses of $10 million.
No.7 On February 27, $5.6 million was stolen from Serenity Shield, a blockchain data storage protocol.
No.8 On February 28, Seneca, a DeFi protocol, was attacked due to an arbitrary call vulnerability, causing losses of $6.5 million.
No.9 On February 29, Shido, a Layer1 blockchain, was suspected of being attacked. The contract was transferred to the new owner and upgraded immediately. The attacker then withdrew a large amount of SHIDO tokens and sold them, making a profit of approximately $2.3 million.

Rug Pull/Crypto Scam
『7』Typical Security Incidents
No.1 On February 4, a fraudulent address 0xe726 made a profit of $1.14 million from multiple victim addresses through phishing attacks.
No.2 On February 15, an address 0x8366 suffered a phishing attack, resulting in a loss of approximately $5.17 million.
No.3 On February 18, an address 0x03E4 suffered a phishing attack, resulting in a loss of approximately $860,000.
No.4 On February 23, an abnormal outflow of $56.5 million occurred from the Bitforex hot wallet. The CEO of the exchange resigned a month ago. At present, the official has stopped processing withdrawals and closed the official website. The X account has also stopped updating.
No.5 On February 25, a rug pull occurred in RiskOnBlast, a project on Blast, resulting in a loss of approximately $1.3 million.
No.6 On February 27, a rug pull occurred on the TRUMP token on BNB Chain and the deployer made a profit of approximately $600,000.
No.7 On February 28, an address 0x6558 suffered a phishing attack, resulting in a loss of approximately $1.54 million.

Crypto Crime
『3』Typical Security Incidents
No.1 On February 6, South Korean authorities arrested three executives of income platform Haru Invest for allegedly stealing 1.1 trillion won ($828 million) worth of cryptocurrency from approximately 16,000 customers.
No.2 On February 7, South Korea sentenced the CEO of cryptocurrency exchange Bitsonic to seven years in prison for stealing customer deposits worth 10 billion won ($7.5 million).
No.3 On February 20, the British National Crime Agency (NCA) announced that it had dismantled LockBit, the world’s largest cybercriminal organization. LockBit ransomware attacks have caused billions of pounds in losses over four years. The group generally only accepts cryptocurrency as ransom payment.

Regulatory Compliance Policy
『1』Typical Security Incidents
No.1 On February 5, the official website of the Hong Kong Securities and Futures Commission disclosed that if a virtual asset service platform operating in Hong Kong does not submit a license application to the Securities and Futures Commission on or before February 29, 2024, it must close its operations in Hong Kong on or before May 31, 2024. Investors using these unlicensed virtual asset service platforms should be careful.
No.2 On February 5, according to Bitcoin.com reports , the Spanish Ministry of Finance is seeking to control and supervise cryptocurrency assets owned by taxpayers. The agency proposed reforming current tax laws to allow state tax regulator Agencia Tributaria to seize cryptocurrencies when paying taxpayer debts. The proposal was presented to the European Union (EU) in 2021 and will be implemented soon, with local sources explaining that the government is moving quickly to create the conditions needed for the reforms to be implemented.
No.3  On February 20, the Hong Kong Monetary Authority issued a circular on the sale and distribution of tokenized products, setting out the expected regulatory standards that the HKMA will comply with when authorized institutions sell and distribute tokenized products to customers. The HKMA believes that it is time to provide guidance on activities related to tokenized products and provide the banking industry with clear regulatory requirements to support the industry in continuing to innovate and realize the benefits that tokenization can bring, while safeguarding the safety of consumers/investors.
No.4  On February 25, according to Bitcoinist reports, the U.S. Securities and Exchange Commission (SEC) has solicited public opinions on the possibility of introducing Bitcoin spot ETF options trading. The development prompted a strong reaction from financial markets, with experts predicting regulatory approval could come as early as March. 

Overall, the amount of losses caused by various blockchain security incidents continued to increase significantly in February 2024. In this month's attacks, private key leaks accounted for approximately 90% of the total attack losses ($312 million). It is recommended that projects take comprehensive private key management measures, strengthen employee security awareness training, and use third-party password management tools with caution. There have been many phishing incidents this month causing over $1 million. Users are advised to continue to increase their security awareness, not to click on links from unknown sources, and to carefully check the signature content.

As one of the first blockchain security companies in the world to engage in formal verification, Beosin focuses on the "security + compliance" full ecological business. It has established branches in more than 10 countries and regions around the world, and its business covers code security audits before projects go online. , "one-stop" blockchain compliance products + security services such as security risk monitoring and blocking during project operation, stolen recovery, virtual asset anti-money laundering (AML), and compliance assessments that meet local regulatory requirements.

Recently, Blast has become a hot topic in the crypto market. With the end of its Big Bang Competition, its TVL has exceeded $2 billion.

Blast announced that it will launch its mainnet on February 29. The anticipation of its airdrop has successfully attracted many users. However, with the development of its ecosystem, various projects emerge one after another, which also leads to the frequent occurrence of various security risks. Beosin will explain to you the security risks and potential opportunities behind Blast.

What is Blast?

Blast is a Layer2 launched by Pacman, Blur founder, on November 21, 2023 and quickly gained widespread attention in the crypto community. Within 48 hours of Blast launch, the TVL reached $570 million and attracted over 50,000 users.

Blast received $20 million in financing from major backers such as Paradigm and Standard Crypto last year, followed by another $5 million investment from Japanese cryptocurrency investment company CGV in November last year.

According to DeBank data on February 25, the total value of assets currently held by the Blast contract exceeds 2 billion dollars, of which 1.8 billion dollars worth of ETH are deposited in the Lido protocol, and more than 160 million dollars of DAI are deposited in the MakerDAO protocol.

Why is Blast so popular?

Blast is unique in that it provides native yields on ETH and stablecoins. When users transfer ETH to other Layer2, these Layer2 will only lock ETH tokens into their smart contracts and map the corresponding Layer2 ETH to users while Blast will deposit users' ETH into Lido to earn interest and introduce a new interest-bearing stablecoin called USDB (the stablecoin will be used to purchase U.S. Treasury bonds through MakerDAO) to the Blast network.

In addition, Blast is a Layer2 launched by the Blur team. Blur has previously airdropped more than 200 million dollars to their users. It already has a broad community base. In addition, Blast currently conducts airdrop incentives to attract users to participate in Blast staking.

Blast security risks

Blast has been met with criticism and skepticism since its launch. On November 23, 2023, Jarrod Watts, a developer relations engineer at Polygon Labs, tweeted that Blast’s centralization may pose serious security risks to users. He also questioned Blast’s classification as a layer2 network because Blast does not meet the L2 standard and lacks functions such as transactions, bridging, rollup, or sending transaction data to Ethereum.

How safe is Blast? What are the security risks of Blast? This time we scanned the Blast Deposit contract through the Beosin VaaS tool and combined the analysis of Beosin security experts to interpret the Blast Deposit contract code.

The Blast Deposit contract is an upgradeable contract. Its proxy contract address is 0x5F6AE08B8AeB7078cf2F96AFb089D7c9f51DA47d. Its implementation contract address is 0x0bD88b59D580549285f0A207Db5F06bf24a8e561. The main risk points are as follows:

1. Centralization risk

The most important enableTransition() of the Blast Deposit contract can only be called by the admin address of the contract. In addition, this function takes the mainnetBridge contract address as a parameter and the mainnetBridge contract can access all staked ETH and DAI.

In addition, the Blast Deposit contract can be upgraded at any time through the upgradeTo(). This is mainly used to fix contract vulnerabilities, but there is also the possibility of doing evil. At present, Polygon zkEVM has done a relatively complete job in upgrading the contract. Modifying the contract in non-emergency situations generally requires a 10-day delay and contract modifications need to be decided by the 13-member Council.

2. Multiple signature disputes

Looking at the Blast Deposit contract, we can see that the contract is controlled by a Gnosis Safe 3/5 multi-signature wallet 0x67CA7Ca75b69711cfd48B44eC3F64E469BaF608C. 

These 5 signature addresses are:
0x49d495DE356259458120bfd7bCB463CFb6D6c6BA
0xb7c719eB2649c1F03bFab68b0AAa35AD538a7cC8
0x1f97306039530ADB4173C3786e86fab5e6b90F41
0x6a356C0EAA560f00127Adf5108FfAf503b9f1e11
0x46e31F27Df5047D7Fad9b1E8DFFec635cF6efAcF

These addresses are all new addresses created 3 months ago, and their identities are unknown. Since the entire contract is actually a custody contract protected by a multi-signature wallet, Blast has been questioned by many users and developers.

Blast acknowledged this set of security risks, saying that while immutable smart contracts are considered secure, they may hide undetected vulnerabilities. Upgradeable smart contracts also bring their own risks, such as contract upgrades and easily exploitable time locks. In order to mitigate these risks, Blast will use a variety of hardware wallets for management to avoid centralization risks.

However, Blast has not yet announced whether wallet management can avoid centralization and phishing attacks, and whether there is a complete management process. In the two previous security incidents of Ronin Bridge and Multichain, although the project parties used multi-signature wallets or MPC wallets, the centralization of private key management resulted in user asset losses.

On February 19, the Blast team made an update to the Deposit contract. This update mainly adds the predeploys contract and introduces the IERC20Permit interface to prepare for the mainnet launch.

Blast ecosystem risk

On February 25, the Beosin KYT anti-money laundering analysis platform detected that Risk (@riskonblast), a GambleFi project on Blast, was suspected of having a RugRull, with the loss amounting to approximately 500 ETH. At present, its official X account does not exist.

Investors like MoonCat2878 also shared their personal losses. MoonCat2878 recounted how they initially viewed RiskOnBlast as a promising investment opportunity after seeing reputable projects and partners from within the Blast ecosystem. However, the subsequent public sale turned into an uncapped financing round, which aroused their doubts about Risk as a GameFi project. 

Beosin Trace monitoring shows that currently most of the stolen funds from the Blast ecological game Risk project have been transferred to different exchanges, and a small part of the stolen funds have cross-chained to Arbitrum and Cosmos. 

Beosin has launched audit service for the Blast ecosystem
On February 24, Blast officials also announced the list of projects selected for the Big Bang event. This list contains more than 100 projects, including lending, games, and infrastructure projects. 

At present, Beosin has launched an audit plan specifically for the Blast ecosystem. Through formal verification and security expert audits, it assists project parties in repairing security risks in the project and ensures the asset security of users and projects. The main security audit items include:

•Overflow vulnerability
•Reentrancy attack
•Random number problem
•Denial of service
•Access control
•Improper permissions
•Variable override
•Business design
•Business realization
•Arbitrage attack
•Function Call
•Gas optimization
•Upgrade security
•Centralization risk
•Security of third-party modules

Through Beosin's audit solution, projects on Blast can identify and repair potential vulnerabilities and security risks to ensure the stability and security of its smart contracts and systems. This not only protects users' assets, but also provides users with a more reliable experience, further promoting the safe development of the Blast ecosystem. Welcome the projects on Blast to come for consultation.

At the beginning of the new year, Beosin is moving forward. After obtaining SOC 2 certification, Beosin obtained ISO 27001, an important international high-standard information security certification. ISO 27001 is a high-standard information security certification unanimously recognized by international security experts. A rigorous information security management system is an important basis for various institutions and enterprises to choose blockchain security service providers. At the same time, for financial institutions and compliance exchanges, SOC 2 and ISO 27001 are two of their market access passes. This also proves that Beosin has the ability to provide first-class security compliance and trustworthy blockchain services for the Web3 ecosystem.

ISO 27001 certification is an information security management system (ISMS) certification issued by the International Organization for Standardization (ISO). It is currently an internationally rigorous, authoritative, and widely accepted and applied system certification standard in the field of information security. It is mainly used for the establishment, implementation and continuous improvement of enterprise information security management systems, which can effectively protect the confidentiality, integrity and availability of company information assets.

It is worth mentioning that Prescient Security, the audit company for Beosin, is a PCAOB-registered firm in the U.S.. Prescient Security demonstrates its high emphasis on data and information security and provides Customers are provided with a reliable guarantee. These certifications and qualifications further strengthen Beosin's professional reputation and credibility in the field of compliance, making Beosin a trusted partner in the crypto space.

Beosin KYT and Beosin Trace's ISO 27001 certification reports cover multiple key areas, further demonstrating the company's excellence in information security and commitment to customer data protection. Through ISO 27001 certification, Beosin successfully meets the international standardization organization's strict requirements for information security management. This certification proves that Beosin's information security management system has been established, implemented, operated and continuously improved, and has been verified by an independent audit agency. This certification not only proves Beosin's professionalism in information security, but also enhances its credibility and competitiveness in the field of blockchain security.

As an innovator in the field of blockchain security, Beosin has always been committed to providing the highest level of security compliance products and services to protect customers' data and assets. Beosin KYT virtual asset anti-money laundering compliance and analysis platform relies on billions of address labels and black address libraries for blockchain big data analysis technology and advanced AI technology. By analyzing massive on-chain transaction information, risky transactions can be identified, and risk assessment can be conducted using the massive entity address database of Beosin and machine learning analysis technology in the system. The platform has provided services to multiple clients around the world, helping them comply with anti-money laundering regulatory requirements. At the same time, Beosin Trace virtual asset tracking system independently developed by the Beosin team combined big data, AI and other technologies, relying on in-depth analysis by security technology experts, has successfully recovered stolen funds that entered coin mixers many times.

Beosin’s product leader said: "Obtaining ISO 27001 certification is an important milestone achieved by the company in the field of information security, and we are very proud of it. Obtaining ISO 27001 certification is just the beginning of our pursuit of excellence. We will continue to work hard to improve our technology, capabilities, and service levels. We will continue to pay attention to the latest security threats and technology trends and innovate to ensure that customers always receive the highest level of security protection."

Beosin's ISO 27001 certification will further strengthen its position in the blockchain security field and provide customers, partners and regulators with clear evidence that the company has appropriate security measures in place to protect information assets, which also lays a solid foundation for Beosin's future development, allowing it to continue to lead the innovation and development of the blockchain security industry.

On February 2, Pandora, a project focusing on NFT fragmentation, was launched. Its core feature is ERC404, a token standard that combines ERC20 and ERC721 and has the characteristics of native liquidity and NFT fragmentation. As a newly launched protocol, ERC404 has triggered extensive community discussions. The daily trading volume of its first project, Pandora, has also exceeded $50 million. More projects based on ERC404 or similar token standards are ready to be launched.

Since ERC404 was directly open sourced to the community for experiments without the discussion and review of an Ethereum Improvement Proposal (EIP) and an Ethereum Request for Comments (ERC), the protocol itself has many areas that need improvement. The Beosin security team will conduct a detailed analysis of the design mechanism and contract code of ERC404 to help crypto users understand ERC404.

What is ERC404?
ERC404 is a new experimental protocol that "fuses" two token standards, ERC20 and ERC721. To put it simply, ERC404 allows NFTs to be split and traded like ERC20 tokens. ERC404 tokens are both ERC20 tokens and NFTs, that is, one ERC404 token can be regarded as one ERC20 token or one NFT.

When a user purchases an ERC404 token, the user's wallet will automatically receive a Replicant NFT. When the user sells the token, the corresponding NFT will be automatically destroyed.

Take Pandora, the first project of ERC404, as an example. The ERC404 token of this project is PANDORA, and its corresponding Replicant NFT is Pandora Replicants. The total supply of PANDORA tokens is 10,000, so the corresponding total supply of Pandora NFTs is also 10,000.

When a user purchases PANDORA tokens on Uniswap, holding 1 PANDORA token is equivalent to holding 1 Pandora NFT at the same time. You can then choose to sell PANDORA tokens or go to NFT trading markets such as OpenSea to sell Pandora NFT. It is also possible for users to purchase Pandora NFTs first and then choose to sell PANDORA tokens on DEX.

Since ERC404 involves two characteristics of ERC20 tokens and NFTs, the following are the design features of ERC404, which are also things that users need to pay attention to:

1. 
If ERC404 tokens are traded as ERC20 tokens, decimals will be involved and considered. ERC404 stipulates that the number of tokens is rounded down to the corresponding NFT number. For example, if a user holds 2.9 PANDORA tokens, he/she only holds 2 Pandora NFT from an NFT perspective.

2. 
In ERC404 v1, if ERC404 tokens are traded as ERC20 tokens, the corresponding NFT will be destroyed and a new NFT will be generated during trading. In this way, each time a new NFT is generated, its ID number will be added from the highest ID number of the original NFT. ERC404 v2 changes this burning mechanism, which will be explained later. Since Pandora NFT is set to have a rarity, users will trade Pandora tokens to increase the rarity of Pandora NFT for arbitrage, and replace the original NFT with a rarer Pandora NFT.

3. 
In the case of ERC404 v1, if a user holds 2.9 PANDORA tokens and sells 1 PANDORA token, the token has no rarity, but the corresponding NFT has different rarity. When selling 1 token, the last Pandora NFT received by the user will be destroyed first so users need to pay attention to the rarity of the NFT corresponding to the PANDORA token. It is recommended that one address only stores one PANDORA token, corresponding to one Pandora NFT, or users can directly trade their Pandora NFTs.

ERC404 code analysis
ERC404 v1 was released on Github by Acme, a former software engineer at Coinbase, and has many spaces for improvement. With the help of the community, the ERC404 team is currently building and improving ERC404 and launched ERC404 v2 on February 15. ERC404 v2 greatly reduces the gas consumption and optimizes the mechanism for buying and selling ERC404 tokens. Its latest code repository is https://github.com/Pandora-Labs-Org/erc404.

This time we will use the Beosin VaaS tool to scan the ERC404 v2 smart contract, analyze the ERC404 v2 codes, and provide security suggestions for ERC404 projects with Beosin security experts:

The contracts of ERC404 v2 mainly include ERC404.sol, ERC721Receiver.sol and DoubleEndedQueue.sol. DoubleEndedQueue is a new data structure introduced by the ERC404 team to change the logic of trading token and burning NFT.

ERC404 v2, similar to v1, is a hybrid implementation of ERC721 and ERC20, allowing ERC721 tokens to be represented as ERC20 tokens. Among them, each ERC721 token corresponds to a fixed number of ERC20 tokens (determined by the units parameter). When transferring ERC721 tokens, the corresponding ERC20 tokens are transferred in units.

Compared to v1, ERC404 v2 has the following improvements:

1. 
Support EIP-2612
ERC404 v2 has supported EIP-2612, allowing gas-less transactions through signed messages (permissions). "DOMAIN_SEPARATOR" is calculated in the constructor and can be recomputed if the chain ID changes, which improves the compatibility of its contract.
constructor(string memory name_, string memory symbol_, uint8 decimals_) {    name = name_;    symbol = symbol_;if (decimals_ < 18) {      revert DecimalsTooLow();}    decimals = decimals_;    units = 10 ** decimals;// EIP-2612 initialization    INITIAL_CHAIN_ID = block.chainid;    INITIAL_DOMAIN_SEPARATOR = _computeDomainSeparator();}

2. 
Safe Transfer Checking
The safeTransferFrom function in its contract follows onERC721Received() in the ERC721 standard and will check the recipient to ensure that the recipient can handle ERC721 tokens (for example, the recipient is a contract).
function safeTransferFrom(    address from_,    address to_,    uint256 id_,    bytes memory data_) public virtual {if (id_ > minted || id == 0) {      revert InvalidId();}transferFrom(from_, to_, id_);if (      to_.code.length != 0 &&ERC721Receiver(to_).onERC721Received(msg.sender, from_, id_, data_) !=      ERC721Receiver.onERC721Received.selector) {      revert UnsafeRecipient();}}

3. Improved Minting and Burning Logic
Different from v1, when trading ERC404 v2 tokens, the corresponding NFT will not be destroyed. Instead, all NFT IDs are stored in a double-ended queue for reuse. In this way, the NFT corresponding to ERC404 is the same as the typical ERC721 token. Same as coins. This approach not only reduces gas consumption, but also simplifies the transfer logic of ERC404.

The improvements of ERC404 v2 make ERC404 more scalable and sustainable, but there are still some security risks worthy of attention:

1. 
Whitelist Function
ERC404 allows certain whitelist addresses to transfer ERC721 tokens internally, which can be used to optimize the gas usage of specific contracts or addresses. However, this may also bring about centralization issues or the potential for abuse.
abstract contract ERC404 is IERC404 {.......mapping(address => bool) public erc721TransferExempt;......// Handles ERC-721 exemptions.function _transferERC20WithERC721(//save gas by internally trading}}

2. 
Transfer Function Problem
The transferFrom function handles ERC20 and ERC721 transfers, and distinguishes the logic of the two token standards based on the valueOrId_ parameter. Developers or users may make errors when calling this function, because this function has a presumption that if the value of the transfer is greater than the value of the minting count, the transfer is about a transfer of ERC20 tokens.
function transferFrom(    address from_,    address to_,    uint256 valueOrId_) public virtual returns (bool) {......if (valueOrId_ <= _minted) {// Intention is to transfer as ERC-721 token (id).      uint256 id = valueOrId_;......}

3. 
Gas optimization
Although ERC404 v2 has significantly reduced the gas fee required for user interaction compared to v1, there is still a lot of space for improvement. For example, the ERC404 v2 contract uses a custom error revert NotFound() instead of the require statement with an error message, which increases its gas consumption.

4. 
Lack of emergency pause function
As a newly born protocol, ERC404 may have potential contract vulnerabilities that cannot be ignored. Therefore, when the team develops the contract, an emergency pause function should be considered to set up in the contract and a risk response plan should be formulated to quickly respond and fix vulnerabilities when risks arise.

Previously, Beosin mentioned the above security suggestions to the project team when completing the audit of Avatar, an innovative project based on ERC404, which helped the Avatar team improve the security of its smart contracts and ensure the safe operation of the Avatar project. This audit includes formal verification and manual audit by security experts to ensure that the code has no logical vulnerabilities:

Overall, ERC404 attempts to solve the problems of NFT indivisibility and insufficient liquidity from a new perspective. Compared with the previous NFT fragmentation projects, it starts from native token standards, which is simpler and more effective to implement and provides new methods for trading NFT. However, ERC404 is a relatively complex contract among token contracts. Developers need to pay attention to the characteristics of ERC20 and ERC721 and the risks that may be introduced by adding new functions. Security teams need to carefully examine the interaction between ERC20 and ERC721 functions during audits, as well as the impact of various gas optimization and centralization risks in the ERC404 contracts.

Beosin is a leading global blockchain security company. It has offices in Singapore, Korea, Japan, and other 10+ countries. With the mission of "Securing Blockchain Ecosystem", Beosin provides "All in one" blockchain security solution covering Smart Contract Audit, Risk Monitoring & Alert, KYT/AML, and Crypto Tracing. Beosin has already audited more than 3000 smart contracts and ERC404 projects are welcome to ask for our consultation and audits.

On February 1st, Binance Web3 Wallet officially launched its inscription market, supporting various inscription protocols such as BRC20 and Ethscription. A few days ago, OKX also announced its support for inscription protocols such as ARC20, Runes, Doginals, etc., which triggered the entire market's attention to inscriptions. During the wave of inscription, various security issues arise frequently due to the complexity and novelty of inscription protocols. This not only threatens users’ asset security, but also has a negative impact on the healthy development of the entire Inscription ecosystem.

In response to this, Beosin security team will analyze the mainstream inscription protocols to help users understand the purpose and implementation of the inscription protocols and how to protect inscription assets.

Introduction to inscriptions
The inscription on the blockchain is to record some specific and meaningful information on the blockchain through certain characteristics of the blockchain. Once this information is recorded on the blockchain, it will be permanently stored on the blockchain and difficult to tamper with. The information recorded to the blockchain can be of many types, such as simple text information, complex codes, images, etc. can be written to the blockchain . In this way, we can use a set of standards to implement the functions of digital assets.
Current status of inscriptions
From the initial emergence of Bitcoin Inscriptions such as BRC-20, to the current Inscription ecology, there are endless new Inscription protocols and new projects emerging almost every day. The development of Inscription can be said to be advancing by leaps and bounds. Various common public chains have also joined the inscription ecosystem, such as the Ethscription protocol on the ETH public chain, the ARC-20 protocol on the BTC public chain, BSC-20 and other protocols on the BSC public chain, and the PRC- on the Polygon public chain. 20 etc agreement …. These protocols are all generated for the purpose of publishing inscriptions on their public chains. In the following content, we will introduce the implementation methods and use cases of various protocols.

Detailed explanation of inscription
Let’s introduce the protocols that currently attract a lot of attention in the market, and compare the commonalities and differences between the inscription protocols of various public chains.

1. BRC-20
To explain BRC-20 clearly, we must first introduce UTXO and Ordinals.

BTC uses the UTXO model, and transactions are transferred in UTXO units. UTXO is the abbreviation of Unspent Transaction Output, which means unspent transaction output. The UTXO model is different from the account model of public chains such as Ethereum in that it records transaction events but not the final status. To calculate how many Bitcoins a user has, you need to sum up all the UTXOs of his address, and the result is the number of coins held by the user.

Ordinals is a systematic protocol for numbering Satoshis (sats), the smallest unit of Bitcoin. It can assign a unique number to each Satoshi in each UTXO (including several Satoshis). Ordinals also supports the function of writing text, pictures, audio, video, etc. to satoshis, making each satoshi unique, similar to the familiar Ethereum non-fungible token NFT, which we call Bitcoin NFT. 

The founder of BRC20 came up with another concept based on the Ordinals protocol. Since the Ordinals protocol can create Bitcoin NFTs by giving each Satoshi different "attributes", it can also create Bitcoin FTs by giving a unified "format" and "attributes", that is, homogeneous tokens.

BRC20 writes unified JSON format text data into Satoshi through the Ordinals protocol. This text data is the accounting book of BRC-20 tokens. Based on this text data, token holdings and transfers can be parsed, which mainly includes the following contents:
{
“p”:”brc-20”,
“op”:”deploy”,
“tick”:”ordi”,
“max”:”21000000”,
“lim”:”1000”
}

{
“p”:”brc-20”,
“op”:”mint”,
“tick”:”ordi”,
“amt”:”1000”
}

{
“p”:”brc-20”,
“op”:”transfer”,
“tick”:”ordi”,
“amt”:”1000”,
}
The above are the three standards of BRC20. Among them, the op field represents the operation that needs to be performed, including deploy (deployment), mint (minting) and transfer (transfer). The tick represents the name of the token that needs to be performed. max represents the total amount of tokens issued, lim represents the maximum number of coins minted per token, amt represents the number of tokens that need to be operated. In the transfer standard, there are also fields such as "to", but this is not necessary. Transfer is done by The inscription is sent to the target address to implement the balance change.

2. ARC-20
ARC-20 is still the inscription protocol on the Bitcoin public chain. Like the BRC-20 protocol, it is implemented by writing standard data in UTXO, but the difference is that the ARC-20 protocol does not need to specify ARC-20 in the data. Instead, the number of ARC-20 tokens is represented by sats (satoshi, the smallest unit of Bitcoin) in the UTXO. The rule is 1 sat=1 ARC-20 token.

The ARC20 protocol, like the BRC20 protocol, is also divided into three steps: deployment, minting, and transfer. In the deployment phase, the standard token name, total amount of tokens, casting restrictions, and block information need to be filled in the UTXO. , image information, etc.; in the minting stage, the user needs to fill in the name of the token into the UTXO, and the number of sats of the UTXO is the minting amount of the ARC20 token , and is not filled in the UTXO together with the token name; when the user mints ARC20 tokens can be sent to other addresses. When sending tokens, users do not need to fill in any data in the UTXO, but directly transfer the UTXO holding the token to other addresses.

When querying ARC20 tokens, only one index is needed. The offline index server can read the token registration information and minting and transfer transactions. There is no need for the server to calculate the fund transfer relationship and query the ARC20 tokens owned by the address. The quantity can be obtained by directly reading the sats quantity of the UTXO holding the token.

After understanding BRC20 and ARC20, you should know why some people mistakenly transfer inscribed assets to other addresses or "burn" them.

Since BTC inscription protocols such as BRC20 and ARC20 are based on UTXO transactions, inscription transactions are actually appended to BTC transactions, and users may perform ordinary BTC transfer operations without fully understanding the inscription. Its current UTXO is merged and split with other UTXOs and then sent to unintended addresses, causing the inscribed assets to be mistransferred or "burned", causing irreversible losses.

3. Ethscription
Ethscription is a protocol for creating and sharing data on Ethereum. Some inscriptions use this protocol to replace smart contracts to implement token issuance. Using inscriptions can reduce user costs to extremely low levels.

When Ethereum sends a transaction, it provides a calldata data block. Generally, this data block will be left blank for ordinary ETH transfers. If a smart contract is called, the data block will be designated as the signature of the calling function and each parameter data. The Ethscription protocol uses the calldata data block to add some standard data to give relevant meaning when sending ordinary ETH transfers.

How does Ethscription specify these standard data?

First, if you want to create an Ethscription whose content is image data, you need to convert the image (image size is limited to 96KB) into a URI of Base64-encoded data in the format (data:image/png;base64,...); next Convert the URI to a hexadecimal string; send an ordinary transfer transaction to the target address through Ethereum, and fill in the above hexadecimal string into calldata, as shown below:

In this way, the 0xf1bf address owns the Ethscription, and any Ethscription created later with the same calldata will be considered invalid.

If you want to transfer the Ethscription, you need the Ethscription owner to send an ordinary transfer to the receiving address, and fill in the transaction hash that created the Ethscription in the calldata, then the receiving address will own the Ethscription, as shown below:

4. Inscription of EVM Blockchain
For EVM blockchains such as BSC Chain, Ethereum, and polygon, there is a common method of burning inscriptions, which is to use the calldata data block to store fixed format data . Different from the above-mentioned saving of image data, this method is to write a standard format into the calldata. text data.

When inscriptions are burned on the BSC Chain, the inscription format is similar to the BRC20 inscription format. For example, the inscription format is: data:,{"p":"_","op":"_","tick":"_"," amt":"_"}, then the p field represents the protocol name, such as bsc-20, bnbs-20, ltc-20, bep-20, drc-20, nrc-20, src-20, etc.; The op field represents the operation, usually "mint"; the tick field represents the token name; the amt field represents the number of tokens.

Taking the bnbs token as an example, we can see that as long as an ordinary transfer is sent to the target address, fill in data:,{"p":"bsc-20","op":"mint" in the calldata ,"tick":"bnbs","amt":"1000"} then completes the bnbs token minting operation, as shown below. At this time, the 0x22ef address has 1,000 bnbs tokens.

Next, you need to transfer the token. As above, you need to send an ordinary transfer to the receiving address, and fill in the transaction hash that created the bnbs token into the calldata. Then the receiving address will own the bnbs token, as shown below:

It is basically the same on Ethereum, Polygon and other chains, but it should be noted that the content of the above BSC Chain is not the only situation where inscriptions are created on the evm chain. There may be differences in the text data fields filled in between different evm chains or different protocols. There may also be differences in how tokens are transferred. But for this type of method, they are all implemented using the calldata attribute in the EVM chain, so they appear to be similar.
Summary
In this article we discuss the implementation principles of inscriptions on multiple chains. In summary, the inscriptions introduced are all processes that utilize some public chain system features to save offline information in the blockchain in accordance with prescribed standards, and then identify and display it through offline servers. None of the inscriptions introduced use smart contracts. Users can reduce a large amount of additional transaction costs when participating. However, users need to fully understand the implementation of the inscription protocol to avoid mistaken transfers or accidental burning of inscriptions, resulting in asset losses.
Contact
If you need any blockchain security services, welcome to contact us:
Official Website Beosin EagleEye Twitter Telegram Linkedin

It’s time for our monthly security report! According to Beosin KYT platform, in January 2024, the number of various security incidents and the amount involved increased significantly compared with February. In this month, more than 28 typical security incidents occurred and the total loss of various security incidents was about $209 million, which is up about 97% compared with last month. The loss of attacks was about $165 million and the loss of phishing was $33.31 million. $11 million were lost because of rug pulls.  

Note: The attack of $81.5 million Orbit Bridge cross-chain bridge is counted as a loss in December 2023. The attack amount of December 2023 is corrected to $93.95 million. Total loss due to hacking, phishing scams and Rug pulls is corrected to $106 million.

Attacks with a loss of more than $10 million this month include the theft of $112 million from the personal account of Chris Larsen, Ripple co-founder, the attack of $11.58 million on SOMESING, a South Korean Web3 social music project. In addition, phishing fraud incidents increased significantly. Users need to take more precautions as there were a number of personal addresses with losses of more than $1 million due to phishing in January.

Hacker Attacks
『13』Typical Security Incidents
No.1 On January 2, Radiant Capital, a lending protocol on Arbitrum, was attacked due to a contract vulnerability, resulting in a loss of approximately $4.5 million.
No.2 On January 4, Gamma Strategies built on Arbitrum was attacked due to a contract vulnerability, resulting in a total loss of $6.18 million.
No.3 On January 6, CoinsPaid was hacked, resulting in a loss of approximately $7.5 million.
No.4 On January 6, Narwhal was suspected of being attacked due to the theft of the signer's private key, resulting in a loss of approximately $1.5 million.
No.5 On January 16, Socket was attacked due to a contract vulnerability, resulting in a loss of approximately $3.3 million. Approximately $2.3 million has been recovered.
No.6 On January 22, the GAMEE game project on Polygon was attacked. The attacker accessed the project's GitLab through a vulnerability and obtained the old repository containing the private key. The project lost 200 million GMEE tokens (approximately $7 million).
No.7 On January 22, Concentric.fi suffered a social engineering attack, resulting in a loss of approximately US$1.7 million.
No.8 On January 25, Nebula Revelation on Optimism was attacked by a re-entrancy vulnerability, resulting in a loss of approximately $180,000.
No.9 On January 27, SOMESING, a South Korea’s Web3 social music project, was attacked and lost 730 million its native tokens SSX worth $11.58 million.
No.10 On January 28, Goledo Finance on Conflux was attacked by a flash loan, resulting in a loss of approximately $1.7 million.
No.11 On January 29, Barley Finance on Ethereum was attacked by a reentrancy vulnerability, resulting in a loss of approximately $130,000.
No.12 On January 30, the MIM_Spell project on Ethereum was attacked due to a contract vulnerability, causing losses of $6.5 million.
No.13 On January 30, Chris Larsen, Ripple co-founder, claimed that 213 million XRP, equivalent to approximately $112 million, was stolen from his personal account.

Phishing Scam/Rug Pull
『11』Typical Security Incidents
No.1 On January 1, approximately $1.3 million was stolen from a certain 0x3605 address for signing a malicious ERC20 Permit.
No.2 On January 2, approximately $2.47 million was stolen from a certain 0xd9b7 address for signing a malicious 'increaseAllowance' transaction.
No.3 On January 3, a certain 0x01be address suffered an address poisoning attack, resulting in a loss of approximately $4.4 million.
No.4 On January 7, MangoFarm had a rug pull on Solana, and the deployer made a profit of approximately $2 million.
No.5 On January 7, XKING had a a rug pull on Arbitrum, and the deployer made a profit of approximately $1.24 million.
No.6 On January 9, the SEC’s official twitter account was hacked and published a fake news about the approval of BTC ETF. 
No.7 On January 15, Hector Network project on Fantom had a rug pull, and the deployer made a profit of approximately $2.7 million.
No.8 On January 21, a certain address 0x1749 suffered a phishing scam, resulting in a loss of $4.7 million.
No.9 On January 24, a certain 0xf8EB address lost approximately $1.3 million in assets due to a phishing attack.
No.10 On January 25, a certain 0x0c00 address suffered a phishing scam, resulting in a loss of approximately $2.66 million.
No.11 On January 27, a certain 0xc9f3 address suffered a phishing scam, resulting in a loss of approximately $2.34 million.

Crypto Crime
『4』Typical Security Incidents
No.1 On January 19, U.S. federal prosecutors filed an indictment against a German businessman, accusing him of defrauding investors of more than $150 million through a cryptocurrency fraud scheme.
No.2 According to news on January 26, an Indian national pleaded guilty in the U.S. District Court to darknet drug trafficking charges and had $150 million in cryptocurrency confiscated.
No.3 On January 29, the U.S. Securities and Exchange Commission (SEC) filed a lawsuit against HyperFund, a crypto Ponzi scheme involving $1.7 billion.
No.4 According to news on January 30, German police seized 50,000 Bitcoins worth nearly US$2.2 billion during an operation to combat online piracy.

In view of the current new situation in the field of blockchain security, Beosin concludes:

Generally, in January 2024, the number of various security incidents and the amount involved increased significantly compared with last month. The total loss of various security incidents was about $209 million, which is up about 93% compared with last month.

The number of rug pulls and the amount of loss have increased significantly compared with last month. Users are advised to be more careful and conduct a detailed background investigation of projects. Phishing attacks are still the main reason for security incidents this month. Users are advised to check carefully before signing or authorizing and verify the entire address of the receiver before transferring money. 60% of the attacks this month were due to the exploitation of smart contract vulnerabilities. It is recommended that the project teams must seek a professional security company for audit before launching their projects. Users should also carefully check the audit report before interacting with a project to avoid potential loss.

Beosin is a leading global blockchain security company co-founded by several professors from world-renowned universities and there are 40+ PhDs in the team. It has offices in Singapore, Korea, Japan, and other 10+ countries. With the mission of "Securing Blockchain Ecosystem", Beosin provides "All-in-one" blockchain security solution covering Smart Contract Audit, Risk Monitoring & Alert, KYT/AML, and Crypto Tracing. Beosin has already audited more than 3000 smart contracts and protected more than $500 billion funds of our clients. You are welcome to contact us by visiting the links below.

After experiencing the GameFi gaming craze in 2021, represented by Axie Infinity, and the subsequent burst of the bubble, GameFi started to recover in the second half of 2023. The popularity of 3A blockchain game Bigtime drew significant attention to the GameFi market. On January 9, 2024, Arbitrum Layer3 Xai game-specific chain was officially launched. On January 12, the gaming platform SkyArk Chronicles completed a $15 million funding round led by Binance Labs. The combination of new public chains and games became a focal point in the market, with many users having high expectations for the future performance of GameFi.
Beosin has audited GameFi projects, including Ronin Network, SpaceRunners, WastedLands, Good Games Guild, and discovered security issues often overlooked by GameFi project teams. The current development status of the GameFi track, noteworthy projects, and the security challenges it faces will be analyzed by the Beosin team.
Overall Analysis of GameFi
In 2021, GameFi-related projects raised over $1.5 billion, with the total valuation of GameFi project development companies reaching nearly billions of dollars, excluding the market value of GameFi tokens. According to Blockchaingamer’s statistics, approximately 31% of GameFi projects have stopped development or are in an inactive state after the Web3 market’s winter.

Thanks to the market’s recovery and the popularity brought by new GameFi projects, the overall activity of GameFi has significantly increased. Top Ethereum blockchain games like Gala, Stepn, Axie, Sandbox, etc., saw record transaction volumes at the end of 2023.

In October 2023, the primary market funding in the GameFi track exceeded $100 million, with many GameFi projects raising millions of dollars for game development, testing, and promotion. In 2024, as numerous games enter public testing and official launch, the market’s attention to GameFi is expected to increase.
Key Projects in the GameFi Track
(Note: The following content does not constitute investment advice.)
Gaming Application Platforms
1. Ronin Network
Ronin is an EVM blockchain specifically designed for gaming, launched by Sky Mavis, the development team behind the once-popular blockchain game Axie Infinity. After experiencing security incidents in 2022, Ronin Network abandoned the original Proof of Authority (PoA) consensus. In 2023, Sky Mavis decided to upgrade the consensus mechanism to DPOS on April 12, reducing centralization risks. Beosin conducted a comprehensive audit of Ronin Network’s mainnet, smart contracts, etc., revealing security risks that were addressed with effective measures.
After the consensus upgrade, Ronin Network became more decentralized, with the number of validator nodes increasing from 9 to 22, and a total of 27 candidate validators. Governance validators are determined by Sky Mavis, Yield Guild Games, NonFungible.com, Nansen, Google, DappRadar DAO, and Animoca Brands, with the remaining 15 validator slots allocated to the community.
Currently, Ronin Network’s total TVL is approximately $150 million, and its ecosystem projects are rapidly developing. In 2023, Ronin collaborated with game studios such as Directive Games, Tribes, Bali Games, and Bowled.io, launching multiple games on the Ronin Network.

2. Immutable X
Immutable X is a zk-Rollup Layer2 focused on NFTs and GameFi, providing fast transaction confirmation, zero gas fees, and high scalability. Immutable X uses StarkEx technology to build Validium, a zk-Rollup solution similar to Plasma, where data is stored off-chain to reduce on-chain computation and increase TPS.
Immutalbe X’s ecosystem includes games like Gods Unchained, Guild of Guardians, and Illuvium, with Guild of Guardians and Illuvium issuing game tokens.

3. Xai
Xai is a Layer3 built on Arbitrum Nitro, focusing on incubating GameFi projects and user experience. Xai features backend wallet integration, providing a game experience with zero transaction fees and a unique game economic design. Xai has partnered with the game team Ex Populus to develop Final Form and LAMOverse on the Xai chain.
Xai has issued the XAI token, serving as the gas token and node rewards for the Xai chain. More use cases will be revealed when games go live on the network. Xai is listed on EagleEye, allowing users to monitor relevant on-chain activities.

4. Oasys
Oasys is an Ethereum sidechain designed for gaming, using PoS mechanism with Layer1 and Layer2. Layer1 is used for running tokens, NFTs, cross-chain bridges, and Rollup contracts, while games run on a proprietary, gas-free Layer2. Oasys Layer2 adopts Optimistic Rollup but removes the 7-day challenge period to improve user experience. Oasys currently has 6 Layer2s with 36 games running on them, allowing players to participate and earn OAS native tokens.

5. Gala
In November 2023, Gala Games announced a strategic partnership with DWF Labs to promote the widespread adoption of Galachain. Gala Games has launched multiple games and expanded its business into music and movies. Gala Games optimized its token model in January 2023, allocating Gala tokens spent on the platform to nodes to increase node earnings. Users can monitor Gala token on-chain activities through EagleEye.

6. Myria
Myria is an Ethereum Layer2 developed for GameFi. Similar to Immutable X, Myria collaborates with StarkWare, using StarkWare’s STARK prover and zk-Rollup technology, with transactions ultimately confirmed by the Ethereum network. The MYRIA token lacks sufficient on-chain liquidity, primarily traded on centralized exchanges like OKX and Bitget.

Myria has released several free games, such as Metarush, Metakart, Block Royale, Starstrike Legends, and Mooville Farm, aiming to build a gaming platform similar to Gala Games.
Fully Onchain Games
Fully Onchain Games refer to games where all game logic and states are executed and stored on the blockchain network. In the past, due to the performance bottlenecks of blockchain networks and the lack of infrastructure, most GameFi games only put game assets on the chain. However, in 2023, there was significant progress in fully onchain games, attracting developers to participate in their development. The reasons for this progress include:
Attention and support from investment institutions such as a16z and Jump Crypto, promoting the development of fully onchain games as a sub-track.Gradual popularity of AA wallets, allowing users to sign transactions after completing a round/multiple steps, improving the user experience in participating in fully onchain games.Development of game engines reducing the barrier for developers. Currently, Starknet’s Dojo game engine and the MUD game engine with OP Stack integration are popular among developers.
In 2023, fully onchain games became a focal point in the GameFi track. Many of these games have entered the testnet phase and have a certain level of playability. Here are some of the currently notable fully onchain games in the market:
1. Realms World
Realms World is the game ecosystem of the Loot NFT project, featuring games like Loot Survivor and Realms: Eternum. These games are based on Starknet’s Dojo. Loot Survivor is a survival adventure game with a unique Play2Die mechanism, requiring players to fight/run from monsters, upgrade character attributes, collect equipment, and compete for higher rankings.
Realms: Eternum is an MMO strategy game where players build and develop their kingdoms while defending against attacks from other players. Each kingdom in Eternum is an NFT, and players can trade them on the marketplace.

2. Sky Strife
Sky Strife is a fully onchain game built on the MUD game engine. It features fast-paced real-time strategy (RTS) battles and is developed by the Lattice team, the creators of the MUD engine. Sky Strife’s gameplay is similar to other real-time strategy games, with four players starting in their respective main bases on the map. Players aim to capture more resources to produce soldiers, defend their bases, and attack other players’ bases. Players need to allocate resources between producing soldiers, controlling map resources, defending bases, and attacking other players’ bases to formulate a suitable strategy.
Sky Strife is currently in the testnet phase, and its token is ORB, which has not been issued yet. The development team plans to iterate Sky Strife to transform it into a self-governing world with resources, logic, and a freely constructible economy, allowing the community to develop new onchain games, game rules, and game modules in the Sky Strife world.
3. Cellula
Cellula is a fully onchain artificial life simulation game. In Cellula, players create artificial “life” by combining and assembling the smallest units of life — cells. Players can observe the growth, reproduction, and evolution of these “life” forms in a virtual space. Cellula uses Ethereum block height as “time,” and each “life” evolves with the growth of the Ethereum network.
Web2.5 Games
In addition to fully onchain games, most other GameFi projects can be classified as Web2.5 games, where game assets are on the chain, and most game logic is processed by centralized servers. From 2023 to 2024, many such games have started open beta testing or officially launched, including multiplayer online role-playing game Bigtime, first-person shooter games Matr1x FIRE and SHRAPNEL, and strategy game GasHero.
These games have learned from the failures of blockchain games in 2021, focusing on Play & Earn, optimizing the play aspect from game graphics, gameplay, and user experience. The tokenomic design has also been optimized to attract users with free or low thresholds.
GameFi Security Challenges
GameFi not only provides token incentives to players but also gives players ownership of in-game assets, creating game projects with characteristics of encrypted economies and decentralization. However, the development of GameFi faces many security vulnerabilities and hacker attacks, posing serious threats to user asset security and negatively impacting the healthy development of the entire GameFi ecosystem.
Beosin is highly concerned about the security of the GameFi ecosystem. After the launch of popular chain games like Fren Pet and xPet, Beosin conducted security analyses of their tokens and game contracts to avoid potential vulnerabilities and attacks. So, what are the common security issues in GameFi, and how can the security of GameFi be improved? In response, Beosin has outlined the following security risks and recommendations.
Onchain Security Challenges
Token Contract Vulnerabilities
GameFi projects typically use one or more tokens as in-game currencies for purchasing items and rewarding players. Token contracts manage token minting, trading, and burning. Vulnerabilities in token contracts can have catastrophic effects on the entire game’s economic system.
Token contracts often have centralization risks, where the owner/administrator of the token contract has excessive permissions. The contract owner/administrator can modify token transaction fees, prevent users from buying or selling, add address blacklists, perform unlimited minting, or even reset the token balances of any address.
Users can check the risks of token contract addresses through the EagleEye platform. EagleEye detects and alerts users to token contract risks, helping them avoid potential losses.
Business Contract Vulnerabilities
GameFi business contracts are responsible for implementing the main gameplay and reward distribution. Most developers make their business contracts upgradeable. For the security of upgradeable contracts, Beosin recommends:
(1) Initialize contracts and dependencies: Developers may forget to initialize contracts and dependencies during deployment, leading to severe vulnerabilities.
(2) Be aware of storage conflicts: Modifying storage during contract upgrades may result in storage conflicts between different versions of the contract, causing data errors and financial losses.
(3) Pay attention to permission control: Developers need to restrict upgrade permissions for contracts to prevent attackers from gaining control of contract upgrades. Hackers may gain upgrade control through private key theft or governance attacks.
NFT Vulnerabilities
NFTs serve as the main player-held game assets in GameFi projects, and their quantity and rarity ensure the value of in-game assets. However, improper implementation of NFTs can introduce security risks.
Implementing randomness is a critical consideration for projects. GameFi projects often introduce activities such as blind boxes and random rewards in-game tasks. In the process of minting NFTs in such events, projects might use block timestamps as the source of information for generating NFTs of different rarities. However, block timestamps can be predicted or controlled, leading to unfair game competition. Beosin recommends projects to use Chainlink VRF (Verifiable Random Function) to reduce such risks.
In addition, projects need to securely store metadata, images, and IPFS hash values of their NFTs to prevent early leakage of NFT rarity data. Otherwise, hackers can locate metadata of relevant NFTs, lock the rarest NFTs during the minting process.
When players trade NFTs, projects need to be aware of the difference between ERC-1155 and ERC-721 tokens. ERC-1155 is an improvement over ERC-721, supporting the creation of both fungible tokens and NFTs in a single contract. ERC-721 tokens require multiple transfers, while ERC-1155 tokens can be transferred in batches. Projects need to differentiate when implementing related token transfers. Previously, the TreasureDAO on the Arbitrum chain was attacked due to this issue.
Cross-Chain Bridge Vulnerabilities
Multi-chain GameFi projects and GameFi application chains use cross-chain bridges to map in-game assets across different blockchain networks. Cross-chain bridges are crucial for improving the liquidity and attracting users to the game/ecosystem. However, GameFi cross-chain bridges have two main risks:
Firstly, due to contract vulnerabilities, in-game assets mapped between different networks may be inconsistent. Hackers might exploit contract vulnerabilities to inflate in-game assets on one network for profit.
Secondly, there is a risk of cross-chain bridge validator nodes. The Ronin Network previously suffered a loss of $620 million due to a node’s private key leak. Beosin recommends GameFi application chains to increase the number of validator nodes for their cross-chain bridges, securely store private keys, and avoid malicious control of validator nodes leading to losses.
Offchain Security Challenges
Apart from fully onchain games, the backend logic and interfaces of most GameFi projects still rely on offchain centralized servers. These servers store crucial information, including some game logic, game data, and player account information. These servers are susceptible to malicious attacks.
Tampering with NFT Data
As emphasized earlier, NFT metadata is crucial. However, many GameFi projects store their NFT metadata on centralized servers rather than decentralized infrastructure like Arweave. This increases the risk of attackers or internal project members tampering with metadata, infringing on player ownership and interests in their in-game assets.
Phishing Attacks
Attackers can obtain sensitive information from project teams through phishing attacks, such as wallet private keys managing the game treasury and GitHub accounts. Hackers can then expand the attack scale through supply chain attacks or phishing attacks, causing more significant losses.
Conclusion
After three years of exploration, GameFi has seen the emergence of more proprietary gaming blockchains and higher-quality gaming projects. Fully onchain games represent a more Web3-native narrative, but they are still in the very early stages, and the entire track requires time for iteration. When participating in the construction of the GameFi track, developers need to pay attention to avoiding the security risks mentioned above to build more reliable GameFi projects.
Contact
If you need any blockchain security services, welcome to contact us:
Official Website Beosin EagleEye Twitter Telegram Linkedin

As the fervor around Bitcoin ETFs subsides, investors are seeking the next hot project. Prior to the market turbulence caused by the Bitcoin halving event, many cryptocurrency enthusiasts had their eyes on Celestia.
Recently, Celestia’s token TIA has demonstrated remarkable performance, reaching new highs and capturing widespread attention from investors and the cryptocurrency community.
Mustafa Al-Bassam, the co-founder of Celestia, was once a formidable top-tier hacker.
This upward trend has made Celestia a hot topic in the community. However, the project’s popularity in the cryptocurrency ecosystem is also fueled by the controversial background of its founder. CEO Mustafa Al-Bassam was once a core member of the hacker group LulzSec, operating under the hacker alias “tFlow.” During that time, LulzSec conducted high-profile cyber attacks on significant targets such as the Central Intelligence Agency and Sony.
Despite his early involvement in hacking activities, Al-Bassam later pursued a degree in computer science at university, marking the beginning of his transformation. Today, he is dedicated to building Celestia, a novel modular blockchain system. His technical expertise and passion for blockchain have positioned Celestia as a noteworthy project.
While Al-Bassam has openly acknowledged his hacking past, some remain skeptical, fearing that his background might negatively impact the development and security of Celestia. However, others appreciate his technical talent and understanding of blockchain, believing that his experiences bring valuable insights and innovative thinking to the project.
Key Features of Modular Layer1 Blockchain Celestia
Celestia is a modular Layer1 blockchain that focuses on sorting transactions and verifying the availability of published data. The core concept of Celestia is to achieve a modular blockchain architecture, allowing developers to break free from the limitations of a single architecture during the blockchain development process, enabling flexible development based on their needs.
The modularity of Celestia consists of the Execution Layer, Settlement Layer, and Consensus & Data Availability Layer:
1. Execution Layer
Composed of Rollups responsible for executing transactions. Celestia utilizes Rollups to provide diverse options for the Execution Layer. In addition to supporting Optimistic Rollup and zkRollup, Rollup solutions like dYmension, Eclipse, and Fuel, built around Celestia, make it possible to connect the public chain with Cosmos and Solana ecosystem projects.
2. Settlement Layer
Notably, Celestia collaborates with Evmos to develop the Cevmos settlement layer. It will be based on Evmos and construct EVM’s recursive Rollup. Each Rollup built on Cevmos will have a bidirectional bridge with Cevmos, allowing the redeployment of existing Rollup contracts and applications from Ethereum, reducing the effort required for application migration.
3. Consensus & Data Availability Layer
Responsible for data availability and consensus mechanisms. All types of data are transmitted to the Data Availability Layer, where nodes store data in the same format they receive from the Settlement Layer. The system incentivizes nodes to store data using $TIA , and nodes use Reed-Solomon encoding and specialized Namespaced Merkle Trees data structures to ensure data availability.
Promising Projects on Celestia
1. Manta Network
A modular blockchain focused on building ZK applications, providing a scalable and low gas fee environment for ZK Dapps.
Manta Network is the first Ethereum L2 adopting Celestia’s modular data availability solution, significantly reducing user transaction costs and developer barriers.
2. Dymension
A modular blockchain network developed using Cosmos SDK and Celestia solution, ensuring the security and interoperability of RollApps.
Dymension’s modular design includes Execution, Settlement, Consensus, and Data layers, providing flexibility for developers. Celestia serves as the data availability provider for Dymension.
3. Ancient8 Chain
An Ethereum Optimistic rollups gaming chain utilizing Celestia’s data availability solution for high scalability, low transaction costs, and fast transaction confirmation.
Ancient8 evolved from a gaming guild to a Layer2 focused on gaming, attracting more gaming applications and users to the OP Chain ecosystem.
4. AltLayer
Supports existing Rollup solutions like OP Stack, Arbitrum Orbit, ZKStack, and Polygon CDK, defaulting to EVM and WASM.
As a modular extension solution, AltLayer enables developers to quickly launch scalable blockchain networks with three-step transaction processing.
In Conclusion
Built using Cosmos SDK, Celestia stands as a powerful and flexible blockchain application platform. Beosin, a leading global blockchain security team, focuses on providing comprehensive security audits for EVM and Cosmos ecosystem applications, contributing to the overall security of the blockchain ecosystem.
Regardless, Celestia, as an emerging cryptocurrency project, attracts attention due to its intriguing architecture and its controversial leader. Investors will continue to closely monitor Celestia’s development, anticipating its potential to stand out in the competitive cryptocurrency market and bring returns to investors. Beosin is currently capable of providing comprehensive security services for the Celestia ecosystem, establishing best security practices for Celestia ecosystem applications, and enhancing project security measures.
Contact
If you need any blockchain security services, welcome to contact us:
Official Website Beosin EagleEye Twitter Telegram Linkedin

In 2024, the surging momentum of Sui has ignited the first spark in the Move ecosystem.
Firstly, a nearly 70% surge in the past week has brought attention back to this shining star in the Move ecosystem. According to DefiLlama data, Sui’s Total Value Locked (TVL) has reached $327 million, with a 6.76% increase in the last 24 hours and a remarkable 73.19% surge in the past 7 days. The current top three protocols by on-chain TVL are Cetus ($62.44 million), NAVI Protocol ($61.42 million), and Scallop Lend ($54.96 million).

As a key player in the Move ecosystem, Sui is committed to promoting the security, interoperability, and sustainable development of digital assets. The Beosin research team will once again explore the opportunities for Sui in 2024 from a security perspective.
Is the Strong Momentum of Sui a Solana Killer or ETH Killer?
Sui, created by Mysten Labs, is a high-performance blockchain that enables developers to build low-latency, high-throughput applications on Sui. Mysten Labs, founded by Evan Cheng, former head of Facebook’s Novi project, raised $36 million in December 2021 and secured a valuation of over $2 billion with a $300 million funding round in September 2022.
Sui’s distinctive feature is its object-centric data model. Each object stores a global, unique ID, metadata of the owner, a version number (increments with each object call), and Binary Canonical Serialization data, as shown in the diagram below:

Due to the object-based data model, Sui can group transactions based on the interdependence of objects in different transactions. This allows for parallel processing of multiple transactions on different nodes.
Sui categorizes objects into owned objects and shared objects.
For transactions containing only owned objects (e.g., tokens and NFTs), Sui uses the Byzantine Consistent Broadcast (BCB) consensus algorithm to confirm transactions. The BCB consensus algorithm involves validators voting on whether to package transactions, with the transaction initiator then tallying the votes. Validators subsequently verify the tally to decide whether to package the transactions. This algorithm’s advantage lies in the tally process being executed on the client side, reducing communication time between validator nodes and quickly confirming transactions.
For transactions involving shared objects, used in applications like DeFi, NFT trading markets, and games that require frequent user interactions, Sui utilizes the Narwhal and Bullshark protocols for sorting and verification. Narwhal serves as Sui’s transaction memory pool, responsible for checking pending transactions and generating a directed acyclic graph path traversal for these transactions. Bullshark reaches consensus on a specific directed acyclic graph traversal, thereby confirming the specific order of these transactions.

Based on this design, Sui has achieved a maximum tested Transactions Per Second (TPS) of 297,000, with transaction confirmation taking approximately 480 milliseconds, demonstrating excellent performance.
Advantages of Sui Compared to Solana and Ethereum
1. Safer Underlying Design
Sui supports Move smart contracts, which undergo byte verification before execution. Move language features a built-in bytecode verifier to check resource, type, and memory safety, helping prevent common errors and malicious code attacks before contract execution.
2. Native Resource Safety
Sui’s object-centric data model allows developers to set permissions and program resources using keywords like copy, drop, store, and key. In contrast, Solana lacks native resource safety, requiring individual contracts to implement resource safety.
3. Greater Emphasis on User Security
Sui provides transaction pre-execution services, allowing wallet service providers to inform users of contract execution results and permissions before transaction signing. This helps users clearly understand the potential consequences of transactions when interacting with dApps, significantly reducing fraud risks.
What Opportunities are there for the Top Three Projects on Sui to Participate?
Cetus
Cetus aims to develop a flexible and powerful primary liquidity network, facilitating asset trading for Aptos and Sui. The protocol focuses on liquidity with incentives and a range of interoperable operational modules to provide the best trading experience and efficiency for consumers in the DeFi ecosystem. Some liquidity pools in Cetus receive official liquidity incentives from Sui, offering CETUS rewards alongside SUI token rewards.

2. NAVI Protocol
NAVI Protocol offers lending services for mainstream tokens, stablecoins, and CETUS tokens. Innovative features like automatic leverage vaults and isolation mode enable users to leverage their assets with minimal risk for new trading opportunities. NAVI supports digital assets at different risk levels, and its advanced security features ensure fund protection and mitigate systemic risks. NAVI has collaborated with OKX DeFi to launch an additional yield service, offering users up to 35% APY for USDC deposits, with a total pool of 50,000 USDC and 100,000 CETUS.

3. Scallop Lend
Scallop Lend is the largest lending protocol in the Sui ecosystem and the first DeFi protocol officially funded by the Sui Foundation. Similar to NAVI Protocol, Scallop Lend provides lending services for eight tokens and offers an SDK for professional traders. Scallop Lend completed its airdrop snapshot on January 1, 2024, initiating the first phase of the airdrop.

Users who missed the first phase of the airdrop can continue using Scallop Lend’s lending services to receive rewards in the second phase of the airdrop.
Beosin Launches Security Audit Services for Move Smart Contracts
Beosin’s collaboration with Sui began last year, and the Beosin security team discovered vulnerabilities in multiple public chains. One particularly interesting vulnerability, discovered in Sui’s p2p protocol, causing denial-of-service issues leading to node crashes due to memory exhaustion. This denial-of-service vulnerability, caused by an ancient attack method known as a “memory bomb,” is detailed in Beosin’s discovery of a severe-level vulnerability in Move VM.
Potential Vulnerabilities in Move Contracts
Supply Chain Security Awareness: Developers using Aptos, Sui, or other frameworks based on Move should maintain a certain level of security awareness to ensure supply chain security.Function Permission Issues: Careful delineation of permissions for function calls is crucial, especially for critical functions related to governance, as improper authorization can impact fund security.Logic Issues in Design and Implementation: Attention should be paid to logical issues in business logic during design and code implementation. For example, Beosin conducted research on Move’s version of flash loans, as detailed in Web3 Technical Research | Differences between Solidity Flash Loan Implementation and Move and Rust Flash Loan Implementation.Module Upgrades: Move projects should be cautious when upgrading modules, as the code owner remains unchangeable after initial deployment, and the deployer’s address permanently holds upgrade permissions.
Move Contract Audit Service and Audit Items
Beosin’s security team launched a security audit service for Move smart contracts at the end of 2022, aiming to proactively identify and assist project teams in addressing security risks within their projects, ensuring the safety of both users and project assets. The main security audit items include:
Overflow vulnerabilitiesReplay attacksInsecure random number generationTransaction order dependenciesDenial-of-service vulnerabilitiesAccess control issuesImproper permissionsBusiness design flawsBusiness implementation issuesManipulable token pricesArbitrage attacksGas optimizationSecurity of third-party modulesCapability securityResource securityUpgrade securityCentralization risks
For detailed information on Beosin’s Move smart contract security audit service, you can refer to “Beosin | Official Launch of Security Audit Service for Move Smart Contracts, Examining Move Language from a Security Perspective (Part 1)”.
In addition, Beosin introduced the Move Lint static analysis tool in 2023, aiding developers in automating the discovery of potential security vulnerabilities within contracts, pinpointing the origin of vulnerabilities, and enhancing the overall security of contracts. For more details, you can refer to “Beosin launched the Move Lint static detection tool to improve the security of Sui smart contract development through best practices”.
Will Sui Achieve Faster Growth in 2024?
The Move smart contract language is designed to be secure and reliable, aiming to avoid vulnerabilities and security risks present in traditional smart contract languages like Solidity. This design choice makes Sui’s contracts more trustworthy and secure, providing users with better assurance.
Sui is gearing up for growth in 2024, emphasizing ecosystem development as one of its strategies. With a Total Value Locked (TVL) of $327 million, Sui demonstrates user trust and engagement, indicating rapid growth in its ecosystem and a continuous increase in users. Additionally, Sui ranks among the top three in on-chain TVL for non-EVM chains, alongside protocols like Cetus, NAVI Protocol, and Scallop Lend, collectively propelling the development of the Move ecosystem.
Let’s eagerly anticipate Sui’s development in 2024.
Contact
If you need any blockchain security services, welcome to contact us:
Official Website Beosin EagleEye Twitter Telegram Linkedin

On January 17, 2024, according to monitoring data from Beosin’s EagleEye security risk platform, Socket Protocol suffered a call injection attack, leading to a significant theft of funds from authorized users. Currently, the attacker has converted the stolen funds to ETH and stored them in the attacker’s address.
After the attack, Socket’s official confirmation acknowledged the security breach and promptly suspended the affected contracts.

Simultaneously, MetaMask posted on the X platform, stating that MetaMask Bridge users are not affected by the Socket vulnerability. MetaMask emphasized their unique architecture in designing cross-chain bridge contracts to mitigate such attacks.

Vulnerability Analysis
The primary cause of this incident is an insecure call invocation in the performAction function of the Socket contract. Despite the absence of checks on fromToken and toToken parameters, the function effectively restricts token addresses to WETH, excluding other ERC20 addresses, preventing the forgery of these parameters indirectly.

However, a critical flaw in the function lies in the lack of restrictions on the amount parameter. If the caller provides an amount of 0, the function’s check condition will always pass without the need to call WETH’s deposit and withdraw functions. This allows injecting abnormal data through the call, leading to the exploitation of the vulnerability.
Attack Process
Understanding the vulnerability, let’s explore how the attacker executed the attack:
Creation of Malicious Contract:
The attacker initially created a malicious contract to initiate the attack.2. Queries and Authorization Checks:Subsequently, the attacker conducted multiple queries on WETH balances from different addresses.Additionally, the attacker checked the authorized quantity for the Socket: Gateway contract associated with each address.Following this, the attacker called the Socket: Gateway contract.3. PerformAction Function Call with transferfrom Signature:In the call to the performAction function, the attacker specified the swapExtraData parameter as 0x23b872dd…This data corresponds to the function signature of transferfrom, indicating a direct invocation of the token’s transferfrom function.

4. PerformAction Function Call with transferfrom Signature:
In the call to the performAction function, the attacker specified the swapExtraData parameter as 0x23b872dd…This data corresponds to the function signature of transferfrom, indicating a direct invocation of the token’s transferfrom function.

5. WETH Transfer by the Attacker:
Through numerous operations, the attacker transferred WETH from countless users to their own address.

6. Transfer of Authorized USDT in a Similar Manner:
The attacker employed a similar method to transfer USDT authorized to the contract to their own address.

7. Involvement of Other Tokens:
The attack extended to include other tokens such as WBTC, DAI, and MATIC.

As of the time of writing, approximately $3.3 million has been stolen, with some funds exchanged for ETH and stored in the hacker’s address. Beosin Trace continues to monitor the stolen funds.

Socket, in an update on the X platform, states that operations have been restored, affected contracts have been suspended, and the situation is under full control. Interoperability with Bungee bridging and most partner front-end bridging has been reinstated. A detailed analysis of the event and subsequent steps will be announced soon.
Socket issues a reminder: “Be cautious of fake Socket accounts attempting phishing in your replies. Please carefully verify the account before taking any action.”

This incident serves as a reminder to prioritize security. As we enter 2024, numerous security events have already occurred. Beosin, a globally leading blockchain security company, offers a comprehensive range of blockchain security products and services covering code security audits before project launch, real-time security risk monitoring, alerts and prevention, cryptocurrency asset recovery, security compliance KYT/AML, and more. We are committed to the secure development of the Web3 ecosystem. If needed, feel free to contact us.
Contact
If you need any blockchain security services, welcome to contact us:
Official Website Beosin EagleEye Twitter Telegram Linkedin

Sei Network, which launched its mainnet in August 2023, began to explode after several months of silence. Currently, Sei liquidity staking has exceeded $3.5 million and network TVL has exceeded $11 million.
Previously, Sei, together with Beosin and Alibaba Cloud, successfully held the hackathon, Code Sei: Powering New Gaming and DeFi Exchanges. Beosin also completed the audit of Kryptonite, Sei’s liquidity staking project, to enhance the security of Sei ecosystem.
In 2024, Sei is about to launch a very important upgrade, Sei V2, which will improve the performance of parallel processing and introduce EVM into Sei. In this article, Beosin will analyze the technical features, the code implementation, and ecosystem of Sei Network to help you understand the potential opportunities of Sei and its ecosystem.
Sei Features
As a Layer 1 that supports order book and focused trading, Sei provides a built-in central limit order book (CLOB) module. Developers can use Sei’s built-in order module to quickly launch and customize order book trading Dapps for spot, derivatives, options, etc. At the same time, Sei’s parallel design provides a fast, high-throughput network for its ecosystem.
How does Sei improve the processing speed of transactions?
1. Support Compressed Blocks
In most blockchain networks, validators propose blocks and then send hashes and blocks to other validators, which creates a certain waiting time. As shown below:

Sei allows its validators to send blocks containing only transaction hashes to its network. After other validators receive a block containing only the transaction hash, they will first construct the block based on the records in their local memory pool. If the corresponding transaction information does not exist in the memory pool, the validators will wait for subsequent blocks containing detailed transaction contents to arrive for validation.
2. Parallel Processing of Transactions
For blockchain networks that execute transactions sequentially, when a block is proposed, validators need to wait for a certain length of time without actually processing the block. As shown on the left:

Sei Network processes blocks in the pre-voting and pre-commit phases in parallel through validators. Parallel processing reduces latency and increases throughput.
The code implementation of Sei parallel processing is shown in the figure below. In the ProcessTxs function, Sei will process the transactions. There are two types of processing: parallel processing and sequential processing. For multiple related transactions (by judging whether the key-value pairs storing transaction information overlap), Sei will process related transactions sequentially; for non-related transactions, it will process them in parallel.

During parallel transaction processing, we see that Sei uses Golang’s goroutine to process multiple transactions in parallel. The current design cannot process too many transactions in parallel. For example, if thousands of transactions are processed in parallel by Sei’s nodes at the same time, there is a high probability that consistency problems will occur. Therefore, Sei V2 needs to upgrade in parallel processing.

Parallel EVM
What is Parallel EVM?
EVM is the virtual machine for Ethereum to process transactions related to smart contracts. To ensure network security, EVM transactions must be executed sequentially. The design of sequential execution avoids the complexity and conflicts of parallel execution, but also limits the performance of the associated blockchain network.
As a result, the concept of parallel EVM was proposed.
The design of parallel EVM will allow different transactions in EVM to be conducted simultaneously, greatly improving EVM processing speed and network throughput. The current solution is to use high-performance (itself supports parallel transactions) new blockchains such as Solana, Aptos, and Seito be compatible with EVM. Among them, Sei’s parallel EVM attracts the most market attention.

Sei V2 Upgrade
Sei will implement parallel EVM in the V2 to be launched in 2024, supporting the execution and interaction of Cosmwasm smart contracts and EVM smart contracts. The following are the key points of the Sei V2 upgrade:
1. Optimistic parallelization: allows concurrent transaction processing, significantly improving throughput and efficiency. If a state conflict occurs, transactions are reprocessed sequentially to maintain data integrity.
2. EVM compatible: enables developers to deploy existing EVM smart contracts on Sei without changing any code, simplifying the transition to Sei v2 and improving interoperability.
3.Geth compatibility: Sei nodes will integrate Geth to handle transactions for EVM smart contracts in the future network and make any updates through the special interface created by Sei for EVM.
4.SeiDB: Sei will improve its storage layer, using more efficient data structures and databases to enhance IO performance, facilitate easier synchronization of new nodes and improve scalability.
5.Enhanced performance: Fast transaction processing with 390 milliseconds block time and finality, and high throughput of 28,300 batch transactions per second, with lower transaction costs.
The upgrade of Sei v2 will integrate the advantages of Ethereum and looks forward to providing a super-optimized execution layer that is fully compatible with the existing EVM ecosystem to attract more users and developers into the Sei ecosystem.
Sei Contract Security Advice
If developers plan to build Sei ecological applications, they will use CosmWasm to build smart contracts. Beosin recommends that developers follow the following security practices to improve the contract security of their projects:
1. Be prepared for an attack. Developers need to consider how to face attacks and fix vulnerabilities. Therefore, developers need to build upgradable smart contracts and develop risk response plans.
2. Pay attention to the deserialization addr type. CosmWasm’s addr type is not validated after deserialization, indicating that the addr type has unexpected deserialization properties. Therefore, it is recommended to specify the type and verify it after deserializing addr.
3. Pay attention to overflow. In the CosmWasm contract, developers need to pay attention to the risk of integer overflow or division by zero. It is recommended that developers use CosmWasm’s Uint256 and Uint512 types and use the math function full_mul() that does not overflow.
4. Pay attention to infinite loops. The CosmWasm contract may get stuck in an infinite loop by calling itself back in the ACK handler. If developers transfer data packets between two CosmWasm contracts, they should be aware that this may lead to an infinite loop and consume a large amount of gas fees.
Sei Ecosystem
1. Wallet
Currently, the wallets that specifically support the Sei network include Compass Wallet and Fin Wallet. There are 14 wallets compatible with the Sei network, such as OKX Wallet and the wallets Keplr and Leap Wallet that originally supported the Cosmos ecosystem.

Safety Advice:
(1) It is recommended that users avoid using wallet projects that have not been audited and have not been running for a long time.
(2) To protect the assets of the wallet, the most important thing is to keep the mnemonic phrases and private keys safely.
(3) When interacting with Sei projects, signature is one of the security risks that require the most attention. Users need to check whether the transaction information is correct before signing the transaction. For example, a hacker can trick users into using cosmos.bank.v1beta1.MsgSend to transfer tokens to the hacker’s address.
2. Kryptonite
Kryptonite is the largest liquidity staking protocol in the Sei ecosystem. Users can stake Sei tokens on its platform to obtain stSei and earn an annualized return of 5.54%. Currently, users can also stake Seilor/Sei’s LP tokens and stSei/SEIYAN’s LP tokens to obtain rewards from related tokens. Beosin has previously completed a contract audit of Kryptonite to improve the security of its staking business.
In the future, Kryptonite will launch the kUSD stablecoin, and users can mint it by staking Sei, BTC, ETH and other assets, which will provide more liquidity for the Sei ecosystem.
3. Yaka Finance
Yaka Finance is committed to building a multi-functional DEX and providing users with a variety of DeFi services such as trading, liquidity mining, and Launchpad. Its goal is to become the liquidity hub of the Sei ecosystem.

Previously, Yaka Finance won the first place in the DeFi track in the Code Sei: Powering New Gaming and Defi Exchanges hackathon organized by Sei, Beosin and Alibaba Cloud.
Yaka Finance is currently in the test network stage and has launched an airdrop incentive program, attracting more than 15,000 users to participate in its testing.

4. Pallet Exchange
Pallet Exchange is the NFT trading platform of the Sei ecosystem, with a current daily trading volume of up to 1.23 million Sei (approximately $1 million). Pallet Exchange will charge a 2% fee for NFT tradings on its platform to maintain the operation of the platform.

Currently, the NFT series that have attracted much attention in the Sei Ecosystem include WeBump, The Colony, Seiyans, Seinsei, etc. Because the Sei ecosystem is in the early stages of development, users need to pay attention to the liquidity risks of related NFTs.
Conclusion
As a high-performance Layer 1 focused on transactions, Sei optimizes the generation and processing of blocks. At present, Sei ecosystem is growing rapidly. As the parallel EVM narrative continues, the upgrade of Sei V2 will solve the current bottleneck of Sei, attracting more attention from the market and more developers entering the Sei ecosystem.
As a leading Web3 security company, Sei and Beosin have launched further ecological cooperation to support smart contract security audits of Sei ecosystem. At present, Beosin has completed the contract audit of Kryptonite, the largest liquidity staking platform in the Sei ecosystem. In the future, Beosin will provide security services for more Sei ecosystem projects to help the safe development of the Sei ecosystem.
Contact
If you need any blockchain security services, welcome to contact us:
Official Website Beosin EagleEye Twitter Telegram Linkedin

On January 3, 2024, according to Beosin EagleEye, the Radiant Capital project fell victim to a flash loan attack by an attacker. Through three transactions, the attacker stole over 1900 ETH, valued at over $4.5 million. The stolen funds are currently held in the attacker’s address, and Beosin security team promptly analyzed the incident.
Vulnerability Analysis
The root cause of this incident lies in the Radiant Capital project’s calculation of token quantity, which involves precision expansion and rounding. The attacker exploited the ability to control precision and, combined with rounding, expanded profit margins for the attack.

In the observed code, the rayDiv function takes two uint256 data, a and b. The entire process can be simplified as (a RAY + b/2) / b, where RAY is precision expansion data, equal to 10²⁷. This results in a RAY / b + 0.5, achieving rounding functionality. The main source of error in this calculation comes from b. If b is significantly smaller than a, the error becomes negligible. However, if b is of a similar magnitude to a, the error may be substantial.
For example, if a RAY = 10000 and b = 3, the calculated result is 3333, which is 1/10000 less than the actual value. If a RAY = 10000 and b = 3000, the calculated result is 3, which is 1/10 less than the actual value.
In this incident, the attacker manipulated the value of b to have a similar magnitude to a, causing the calculation to be equivalent to 3/2.0001 = 1. The calculated value is 1/3 less than the actual value.
Attack Process
The attacker initially borrowed 3 million USDC through an AAVE flash loan as the startup capital for the attack.

2. 2 million USDC was pledged to the Radiant contract, and the attacker obtained 2 million rUSDCn token certificates.

3. The attacker used a flash loan through the Radiant contract to borrow 2 million USDC. In the callback function, 2 million USDC was repaid, simultaneously extracting the pledged USDC from the second step. The flash loan function called the transferfrom function, transferring the attacker’s USDC into the contract, with a 9/10000 fee collected as liquidity for the pool.

4. By repeating step 3, the attacker controlled the liquidityIndex to a large extent, reaching liquidityIndex=271800000000999999999999998631966035920.

5. Subsequently, the attacker created a new contract and deposited 543,600 USDC into it. This amount corresponds to twice the liquidityIndex value from step 4, facilitating rounding control.

6. The attacker pledged all 543,600 USDC into the Radiant contract, obtaining an equivalent amount of rUSDCn.

7. The attacker withdrew 407,700 USDC. Although 407,700 rUSDCn should have been burned, as mentioned above, the burn function involved precision expansion and rounding calculations. 407700000000000000000000000000000000000/271800000000999999999999998631966035920 = 1.49999999, but rounding results in 1, causing the result to be 1/3 smaller than the actual value. As shown below, instead of burning 407,700, only 271,800 was burned, allowing the attacker to withdraw 407,700 USDC.

8. Exploiting the vulnerability from step 7, the attacker repeated the pledging and withdrawal operations, consistently withdrawing 1/3 more than the pledged amount, ultimately exchanging all USDC from the pool.

Funds Tracking
As of the time of writing, the stolen 1902 ETH remains in the hacker’s address without movement. Beosin Trace will continue monitoring the funds.

As 2024 begins, we have witnessed two high-value theft cases. (Review of yesterday’s security incident: What happened in the first case of the year, the $80 million theft of Orbit Chain?) This series of events serves as a reminder that in the Web3 ecosystem, security precautions remain crucial!
Contact
If you need any blockchain security services, welcome to contact us:
Official Website Beosin EagleEye Twitter Telegram Linkedin

On January 1, 2024, according to monitoring data from Beosin EagleEye, the Orbit Chain project suffered an attack resulting in a loss of at least $80 million. Beosin Trace analysis reveals that the hacker’s address (0x27e2cc59a64d705a6c3d3d306186c2a55dcd5710) initiated a small-scale attack a day prior, using the stolen ETH as the transaction fee source for the remaining five addresses involved in the attack.
Orbit Chain is a cross-chain bridge platform, allowing users to use various encrypted assets from different blockchains on a single chain. The project has temporarily suspended the cross-chain bridge contract and is in communication with the hacker. Beosin’s security team conducted an immediate analysis of this security incident.
Event Analysis
The main aspect of this incident involved the attacker directly calling the withdraw function of the Orbit Chain: Bridge contract to transfer assets.
Further analysis of the withdraw function’s code reveals that the function uses a signature verification method to ensure the security and legitimacy of the loan.
In blockchain transactions, signature verification is a common security mechanism used to confirm whether the initiator of a transaction has sufficient permissions and control. In the withdraw function, the signature verification method ensures that only authorized users or contracts can successfully call the function and transfer assets.

Upon entering the signature verification function (_validate), it can be observed that the function returns the number of owner signatures, crucial information for verifying the legitimacy and security of the transaction.
By returning the number of owner signatures, the compliance and authenticity of the transaction can be verified to some extent. Depending on the specific implementation, the number of owner signatures may be compared to a pre-set threshold to determine whether the conditions for executing the transaction are met.

The subsequent step involves checking whether this quantity is greater than or equal to the required value. If the conditions are met, the withdrawal is executed.
According to on-chain data, there are a total of 10 addresses managing this contract. The required value is 7, indicating that 70% of administrator signatures are required to execute the withdrawal transaction.

In summary, the cause of the incident appears to be a compromise of the server holding the administrator’s private keys.
Attack Process
According to on-chain data, the hacker initiated attacks on the Orbit Chain project progressively starting from December 30, 2023, 03:39:35 PM +UTC. The amount of ETH stolen by the hacker was relatively small, and the stolen ETH was sent to several other hacker addresses as transaction fees.

Several other hacker addresses subsequently attacked Orbit Chain’s DAI, WBTC, ETH, USDC, and USDT on December 31, 2023, 9:00 PM +UTC.

Funds Tracking
As of the time of writing, the stolen funds were transferred to the five addresses mentioned earlier after the formal initiation of the attack. In five separate transactions, each sent to a new wallet, Orbit Bridge sent $50 million in stablecoins (30 million Tether, 10 million DAI, and 10 million USDC), 231 wBTC (approximately $10 million), and 9,500 ETH (approximately $21.5 million).

This cross-chain bridge security incident serves as a security reminder, emphasizing that security should always be a top consideration in designing and implementing blockchain systems.
Firstly, attention should be given to code security. Contract code is a core component of blockchain systems, and therefore, best practices and security standards should be followed when writing and reviewing contract code to avoid common security vulnerabilities and attack vectors.
Secondly, authentication and identity verification are crucial. In blockchain systems, ensuring that only authorized users or contracts can perform key operations is critical to preventing unauthorized access and asset loss. Adopting robust identity verification mechanisms, multi-signatures, and permission management measures can effectively restrict access and ensure that only authorized entities can perform sensitive operations.
Contact
If you need any blockchain security services, welcome to contact us:
Official Website Beosin EagleEye Twitter Telegram Linkedin

According to data from Beosin EagleEye, a blockchain security auditing company, the total amount of losses from various security incidents in December 2023 significantly decreased compared to November. In December, there were more than 21 typical security incidents, resulting in a total loss of approximately $24.94 million, a decrease of about 93% from November. Among them, attack incidents accounted for about $12.45 million, phishing scams about $9.6 million, and Rug Pull incidents about $2.89 million.
There were no large-scale hacking events with losses exceeding $10 million this month. Two significant security incidents occurred: a security vulnerability in the Web3 development platform Thirdweb affecting multiple smart contracts, and a supply chain attack on the Ledger Connect Kit, a commonly used code library for Web3 projects. Fortunately, the losses from these two incidents did not exceed one million dollars each. Additionally, phishing scams continued to occur this month, with several cases of individual addresses being stolen for amounts exceeding one million dollars, emphasizing the need for increased vigilance among users.
Hacker Attacks
『12』Notable Security Incidents
On December 5th, a security vulnerability was identified in the Web3 development platform Thirdweb, affecting multiple smart contracts. At least three projects were attacked due to the vulnerability, resulting in a loss of approximately $210,000.On December 6th, the DeFi protocol BEARNDAO was attacked, with the attacker profiting over $700,000.On December 10th, the DeFi protocol Venus Protocol was attacked due to an oracle issue, resulting in a loss of approximately $200,000.On December 12th, the abandoned DEX market maker contract management authority on OKX was stolen, resulting in a loss of approximately $2.7 million.On December 14th, the commonly used code library Ledger Connect Kit for Web3 projects suffered a supply chain attack, with the attacker profiting approximately $600,000.On December 17th, NFT Trader was attacked due to a reentrancy vulnerability, resulting in a loss of approximately $3 million. The stolen assets were returned by the attacker, who kept 10% as a bounty.On December 17th, the NFT trading market Flooring Protocol was attacked by hackers, resulting in a loss of approximately $1.6 million.On December 22nd, the DeFi protocol Transit Finance was attacked by hackers, resulting in a loss of approximately $110,000.On December 23rd, the DEX project Paraluni was subjected to a price manipulation attack, resulting in a loss of approximately $330,000.The perpetual trading protocol Levana Protocol on the Osmosis blockchain was attacked between December 13th and 26th, resulting in a loss exceeding $1.1 million.On December 26th, the Telcoin wallet was attacked, resulting in a loss of approximately $1.2 million.On December 30th, Channels Finance on the BSC was attacked by hackers, resulting in a loss exceeding $320,000.
Phishing Scam / Rug Pull
『4』Notable Security Incidents
On December 5th, a rug pull occurred with the CKD token on the BNB Chain, resulting in the deployer profiting approximately $540,000.On December 26th, MegabotETH experienced a rug pull, with the deployer making approximately $740,000 in profit.On December 26th, two victims lost assets totaling over $1.5 million due to a phishing scam.On December 29th, an address starting with 0xea696 suffered a loss of $4.4 million worth of LINK tokens due to a phishing scam.
Cryptocurrency Crimes / Regulatory Cases
『5』Notable Security Incidents
On December 5th, the Henan Prosecutor’s Office revealed a large-scale virtual currency pyramid scheme case, involving an amount exceeding 120 million Chinese Yuan.On December 6th, Bitzlato, a crypto exchange co-founder, admitted to a money laundering offense totaling 700 million USD.On December 10th, the Hong Kong police cracked down on a criminal gang involved in laundering 30 million Hong Kong dollars through virtual currencies.On December 13th, the U.S. Department of Justice charged two individuals with operating a 25 million USD cryptocurrency Ponzi scheme.On December 15th, the U.S. Department of Justice disclosed charges against four individuals for cryptocurrency fraud and money laundering, resulting in losses exceeding 80 million USD.
Conclusion
Overall, in December 2023, the total losses from various blockchain security incidents significantly decreased compared to November. In comparison to November, this month saw new types of attacked projects, including development tools, code libraries, NFTs, indicating that hackers are expanding their target range. The entire Web3 ecosystem should enhance security awareness to actively counter this trend.
This month, 50% of the attack incidents still originated from contract vulnerabilities exploitation, such as reentrancy vulnerabilities. It is advisable for project teams to seek professional security audits before launching to mitigate such risks.
Contact
If you need any blockchain security services, welcome to contact us:
Official Website Beosin EagleEye Twitter Telegram Linkedin

1. Beosin: 2023 Web3 Security Overview

According to statistics from Beosin EagleEye, the total losses from hacks, phishing scams, and rug pulls in Web3 reached $2.02 billion in 2023. Among them, 191 major attacks resulted in a total loss of approximately $1.397 billion; 267 rug pulls with total losses of around $388 million; and total losses from phishing scams of approximately $238 million.

In 2023, hacks, phishing scams and rug pulls all saw significant declines compared to 2022, with total losses down 53.9%. Hacks saw the biggest drop, from $3.6 billion in 2022 to $1.397 billion in 2023, a decrease of about 61.2%. Phishing losses were down 33.2% from 2022, and rug pull losses were down 8.8% from 2022.

There were 4 attacks with losses over $100 million in 2023, and 17 attacks with losses between $10–100 million. The top 10 attacks accounted for total losses of about $1 billion, representing 71.5% of total losses for the year.
Compared to 2022, attacked project types were more diverse in 2023, including DeFi, CEX, DEX, public blockchains, cross-chain bridges, wallets, payment platforms, casino, crypto brokers, infrastructure, password managers, developer tools, MEV bots, TG bots and more. DeFi saw the most attacks and highest losses, with 130 DeFi attacks causing total losses of about $408 million.
Attacks occurred across more public blockchain types. Ethereum remained the chain with the highest losses — 71 attacks on Ethereum caused $766 million in losses, accounting for 54.9% of total losses for the year.
By attack types, 30 private key compromise incidents caused about $627 million in losses, representing 44.9% of total losses, making it the most damaging attack type. Contract vulnerability exploitation was the most frequent attack type — of the 191 attacks, 99 involved contract vulnerabilities, accounting for 51.8%.
About $295 million of stolen funds were recovered during the year, representing 21.1% of losses, a significant increase from 2022. About $330 million in stolen funds were sent to mixers, representing 23.6% of total stolen funds.
In contrast to the significant declines in on-chain hacks, phishing and rug pulls, 2023 saw a huge increase in offline crypto crime figures. Global crypto crime losses reached $65.68 billion in 2023, up about 377% from $13.76 billion in 2022. The top three crime types by losses were illegal gambling, money laundering and scam.

2. 2023 Web3 Top 10 Attacks
In 2023 there were 4 attacks with over $100 million in losses: Mixin Network ($200 million), Euler Finance ($197 million), Poloniex ($126 million) and HTX & Heco Bridge ($110 million). The top 10 attacks accounted for total losses of about $1 billion, 71.5% of yearly losses.
No.1 Mixin Network
Losses: $200 million
Attack type: Cloud service provider database compromise
On September 23rd, Mixin Network’s cloud provider was hacked, resulting in partial mainnet asset losses of around $200 million. Mixin’s founder later explained the stolen assets were mainly BTC, with minimal losses of BOX and XIN tokens. Details were withheld.
No.2 Euler Finance
Losses: $197 million
Attack type: Contract vulnerability — business logic flaw
On March 13th the Euler Finance DeFi lending protocol was hacked for around $197 million. The root cause was a failure to properly check users’ actual token balances and ledger health after donations. All stolen funds have been fully returned by the attacker.
No.3 Poloniex
Losses: $126 million
Attack type: Private key compromise / APT attack
On November 10th, addresses related to Justin Sun’s Poloniex exchange started transferring out large assets, indicating a hack. Sun and Poloniex soon confirmed the breach on social media. Beosin security tracked stolen assets totaling around $126 million.
No.4 HTX & Heco Bridge
Losses: $110 million
Attack type: Private key compromise
On November 22nd, Justin Sun’s HTX exchange and Heco Bridge were hacked for $110 million total, with $86.6 million lost from Heco Bridge and $23.4 million from HTX.
No.5 Curve/ Vyper
Losses: $73 million
Attack type: Contract vulnerability — reentrancy
On July 31st Vyper announced a reentrancy bug in versions 0.2.15, 0.2.16 and 0.3.0. Combined with callback possibilities during ETH transfers, this enabled reentrancy attacks on linked ETH/stablecoin pools. Curve later tweeted multiple pools using flawed Vyper 0.2.15 were exploited due to reentrancy lock malfunction. Losses totaled around $73 million.
No.6 CoinEx
Losses: $70 million
Attack type: Private key compromise / APT attack
On September 12th exchange CoinEx stated risk control systems detected suspicious large withdrawals from temporary hot wallets storing platform’s transaction assets. A special team was formed and losses involved assets like ETH, TRON and Polygon tokens, totaling around $70 million.
No.7 Atomic Wallet
Losses: $67 million
Attack type: Private key compromise / APT attack
Beosin’s EagleEye platform detected Atomic Wallet was hacked in early June. Based on reported on-chain victim data, Beosin estimates losses of at least $67 million.
No.8 Alphapo
Losses: $60 million
Attack type: Private key compromise / APT attack
On July 23rd payments provider Alphapo’s hot wallet was hacked for $60 million. North Korean hacker group Lazarus was behind the breach.
No.9 KyberSwap
Losses: $54.7 million
Attack type: Contract vulnerability — business logic flaw
On November 22nd, DEX KyberSwap suffered a $54.7 million exploit. Kyber said it was one of DeFi’s most complex attacks, requiring precise on-chain execution for the hacker.
No.10 Stake.com
Losses: $41.3 million
Attack type: Private key compromise / APT attack
On September 4th crypto casino site Stake.com was hacked. Stake.com stated unauthorized transactions occurred from its ETH and BSC hot wallets. The breach was attributed to North Korean APT group Lazarus.
3. Loss by Project Type
Compared to 2022, attacked project types were more diverse in 2023, and losses were more distributed across project types rather than concentrated on a few. In addition to common targets like DeFi, CEX, DEX, public blockchains, cross-chain bridges and wallets, attacks also occurred against payment platforms, casino, crypto brokers, infrastructure, password managers, developer tools, MEV bots, TG bots and more in 2023.

Of the 191 attacks in 2023, 130 targeted DeFi projects (about 68%), the most among all types. DeFi attacks resulted in about $408 million in losses, 29.2% of total losses, also the most of any type.
CEXs (centralized exchanges) ranked 2nd in losses, with 9 attacks causing $275 million in losses. There were also 16 attacks on DEXs (decentralized exchanges), resulting in $85.68 million in losses. Overall, exchange security was a major issue behind DeFi security in 2023.

Public blockchains ranked 3rd in losses at about $208 million, mainly due to the $200 million Mixin Network hack.
In 2023 cross-chain bridge losses ranked 4th, accounting for about 7% of total losses. In 2022, 12 cross-chain bridge attacks caused $1.89 billion in losses, 52.5% of the year’s total. Bridge attacks significantly declined in 2023.
Crypto payment platforms ranked 5th, with 2 incidents (Alphapo and CoinsPaid) totaling $97.3 million in losses. The hackers behind both attacks pointed to North Korean APT group Lazarus.
4. Loss by Chain
Compared to 2022, blockchain types were also more diverse due to several CEX private key compromise incidents that caused losses across multiple chains. The top 5 by losses were Ethereum, Mixin, HECO, BNB Chain and TRON. The top 5 by attack incidents were BNB Chain, Ethereum, Arbitrum, Polygon, and a tie between Optimism and Avalanche for 5th.

As in 2022, Ethereum saw the most losses — 71 Ethereum attacks caused $766 million in losses, 54.9% of the yearly total.
Mixin Network ranked 2nd with a single $200 million incident. HECO chain ranked 3rd with about $92.6 million in losses.

BNB Chain saw the most attacks at 76, about 39.8% of the total. BNB Chain losses totaled about $70.81 million, with 88% of attacks under $1 million.
5. Attack Type Analysis
Compared to 2022, attack types diversified in 2023, incorporating more Web2 tactics like: database compromise, supply chain attacks, third party service provider attacks, man-in-the-middle attacks, DNS attacks, and front end attacks.

In 2023, 30 private key compromise incidents caused $627 million in losses, 44.9% of the total, making it the most damaging attack type. Major private key compromise incidents included: Poloniex ($126 million), HTX & Heco Bridge ($110 million), CoinEx ($70 million), Atomic Wallet ($67 million) and Alphapo ($60 million). Most were linked to North Korean APT group Lazarus.

Contract vulnerability exploitation was the most frequent attack type — 99 of 191 attacks (51.8%). Total losses from contract vulnerabilities ranked 2nd at $430 million.
By subtype of contract vulnerabilities, business logic vulnerabilities were the most frequent and damaging — about 72.7% of contract vulnerability losses ($313 million) stemmed from business logic flaws. Reentrancy ranked 2nd with $93.47 million in losses across 13 incidents.

6. Stolen Fund Flow Analysis
Of 2023’s total stolen funds, about $723 million remained in hacker addresses (including funds bridged to other chains), 51.8% of the total. Compared to last year, hackers favored more complex money laundering via cross-chain transfers and distribution across multiple addresses. More addresses and intricate laundering paths make investigations harder for projects and regulators.

About $295 million in stolen funds were recovered, 21.1% of losses, a major improvement from just 8% recovered in 2022. Most recovery occurred via on-chain negotiation.
About $330 million in stolen funds were sent to mixers (about $71.16 million to Tornado Cash, $259 million to other mixers), accounting for 23.6% of total losses, a significant reduction from 38.7% in 2022. Since Tornado Cash was sanctioned by US OFAC in August 2022, flows to it dropped substantially, with increases to other mixers like Sinbad and FixedFloat instead. In November 2023 Sinbad was sanctioned by OFAC as “a major money laundering tool for North Korean Lazarus group.“
Additionally, some stolen funds ($12.79 million) were sent to exchanges, while a small portion ($10.9 million) was frozen.
7. Audit Analysis
Of the 191 attacks, 79 targeted unaudited projects while 101 had been audited. The audited project ratio was slightly higher than last year (roughly equal audited/unaudited in 2022).

47 of the 79 unaudited projects (59.5%) were exploited for contract vulnerabilities. This shows unaudited projects tend to have more latent risks. In comparison, 51 of 101 audited projects (50.5%) had contract exploits. This demonstrates audits improve security to some degree.
However, the lack of standards in the Web3 market leads to inconsistent audit quality, with results falling short of expectations. To effectively safeguard assets, projects are advised to seek professional security firms for auditing before launch.
As a leading global blockchain security firm devoted to ecological security, Beosin has audited over 3,000 smart contracts and public chains, including PancakeSwap, Ronin Network, OKCSwap and more. As a reputable blockchain security provider, Beosin delivers excellent audit services.
8. Rug Pull Analysis
In 2023, Beosin’s EagleEye platform monitored 267 Web3 rug pulls totaling about $388 million in losses, an 8.7% decline from 2022.

By amount, 233 of 267 rug pulls (87%) involved less than $1 million, roughly even with 2022. There were 4 rug pulls above $10 million: Multichain ($210 million), Fintoch ($31.6 million), BALD ($23 million) and PEPE ($15.5 million).
92.3% of rug pulls occurred on BNB Chain (159) and Ethereum (81). Smaller quantities occurred on other chains like Arbitrum, BASE, Sui and zkSync.

9. 2023 Global Crypto Crime Data
Global 2023 crypto crime losses reached a staggering $65.68 billion, up about 377% from $13.76 billion in 2022. While on-chain hacks declined sharply, crime in other crypto areas surged dramatically. Topping the list was illegal gambling at $549 billion. Other leading categories were money laundering ($4 billion), scam ($2.05 billion), pyramid schemes ($1.43 billion) and hacks ($1.39 billion).

With improving global regulation and law enforcement crackdowns, 2023 saw police globally take down multiple billion-dollar crypto crime cases. Some major examples:
No.1 In July 2023, Hubei police in China busted the nation’s largest ever cryptocurrency case with transactions reaching 400 billion RMB ($54.9 billion). The online gambling operation involved over 50,000 people. Servers were overseas and key perpetrators like Qiu have been prosecuted.
No.2 In August 2023, Singapore authorities uncovered the state’s largest money laundering case at 2.8 billion SGD, mainly involving cryptocurrency.
No.3 In March 2023, Jiangsu police in China prosecuted Ubank’s $1.4 billion cryptocurrency pyramid scheme.
No.4 In December 2023, cryptocurrency exchange Bitzlato’s co-founder pleaded guilty to $700 million money laundering charges per New York prosecutors.
No.5 In July 2023, Brazilian federal police dismantled two drug cartels moving over $417 million in crypto money laundering.
No.6 In February 2023, US prosecutors indicted Forsage’s founders for a $340 million DeFi Ponzi fraud.
No.7 In November 2023, Himachal Pradesh police in India arrested 18 people regarding a $300 million cryptocurrency fraud.
No.8 In August 2023, Israeli police charged businessman Moshe Hogeg and partners with a $290 million cryptocurrency investment scam.
No.9 In June 2023, Thai police uncovered a potential $2.88 billion crypto fraud scheme.
No.10 In October 2023, Hong Kong SAR police cumulatively arrested 66 people regarding the $205 million JPEX crypto exchange scam.
2023 saw an explosion in crypto crime cases globally. The prevalence of fraud and pyramid schemes also greatly increased average users’ risks of losses. Thus improved regulation is imperative. While global regulators made considerable efforts this year, there is still a long way to go toward a mature, safe and developing ecosystem.
10. 2023 Web3 Security Summary
In 2023, on-chain hacks, phishing and rug pulls declined notably from 2022. Hacking losses dropped 61.3%, with top attack types shifting from contract exploits in 2022 to private key compromise in 2023. Key reasons include:
1. After last year’s rampant hacking activities, the Web3 ecosystem emphasized security in 2023 across projects and security firms. Efforts are seen in areas like real-time monitoring, auditing and learning from past hacking events. Exploiting contracts became more difficult than before.
2. Strengthening global regulation and improving anti-money laundering technologies. In 2023, 21.1% of stolen funds were recovered, far higher than 8% in 2022. As mixers like Tornado Cash and Sinbad were sanctioned by the US, money laundering grew more complex for hackers. We’re also seeing news of hackers being arrested by local police, all of which acts as a deterrent to hackers.
3. The crypto bear market’s impact. Lower expected profits from Web3 reduced hacking incentives. Hackers expanded beyond DeFi, cross-chain bridges and exchanges to target payment platforms, casino, crypto brokers, infrastructure, password managers, developer tools, MEV bots, TG bots and more.
In contrast to plummeting on-chain hacks, less visible offline crypto crimes like gambling, money laundering and fraud spiked heavily due to the anonymity cryptos provide. However, solely attributing surging virtual currency crimes to anonymity and oversight issues is one-sided. The root cause is increasing global crime itself, with cryptocurrencies offering hidden, hard-to-trace channels. In 2023, slowing global economy growth and political instability enabled crime levels to soar. With similar 2024 economic expectations, global crime will likely remain high, posing severe challenges for authorities and regulators.
Contact
If you need any blockchain security services, welcome to contact us:
Official Website Beosin EagleEye Twitter Telegram Linkedin