Disclaimer
The information provided through the BNB Chain community does not constitute advice or recommendation for investment or trading. Projects are listed in no particular order below. BNB Chain does not take responsibility for any of your investment decisions. Please seek professional advice before taking financial risks.
Contract names are there for reference only, there may be legitimate contracts which share the same name, always double check The contract addresses which are the unique identifier of any smart contract.
Overview
In September, a number of projects suffered attacks due to the leakage of their hot wallet private keys, leading to substantial financial losses for both the projects and their users. In this article, we will analyze these types of attack incidents using several examples and finally provide some practical suggestions from a security perspective to help project teams avoid such breaches in the future.
Stake's Unanticipated $41 Million Withdrawals
stake.com, a crypto gambling protocol, offers a variety of casino games such as dice, blackjack, Lingo, and more. Additionally, they provide sports betting options for basketball, tennis, volleyball, and others. On September 4th, Stake.com encountered an abnormal outflow of funds, totaling approximately $41 million.
The attack transpired across multiple chains, incurring losses of around $15.7 million on ETH, $7.8 million on Polygon, and $17.8 million on BSC. This brought the cumulative losses to over $41 million.
One of the fraudulent transactions can be traced back to: transaction.
From the transaction details, it's evident that the funds were transferred directly from Stake.com's hot wallet: transaction to the attacker's address. Subsequently, the funds were dispersed among numerous accounts.
Stake confirmed this security breach via social media, stating, "Three hours ago, unauthorized transactions were initiated from Stake's ETH/BSC hot wallets." As a result of this security incident, Stake's operations were temporarily put on hold.
The CoinEx Fund's 6.2 Million Dollar Loss
Stake.com isn't the only entity that has fallen prey to a breach of hot wallet private keys. On September 12, 2023, CoinEx detected irregular withdrawals from several of its hot wallet addresses, which were utilized to store user assets. The unauthorized transactions affected 19 chains, including $ETH, $TRON, and $MATIC, bringing the total loss to an estimated $55 million.
One particular unauthorized transaction can be seen here: transaction. One can observe that the assets were directly transferred from CoinEX's hot wallet, transaction, to the hacker's address. This indicates that the culprits may have managed to seize control of CoinEX's hot wallet's private key.
Following the hacking event, CoinEx temporarily suspended crypto deposits/withdrawals, relocated assets to more secure addresses, overhauled and redeployed the wallet system, and engaged in efforts with other exchanges to freeze the attacker's assets.
Unauthorized Transactions Drain Over $2.7M from Remitano Exchange A mere week after CoinEx fell victim to a cyber intrusion, another exchange, Remitano, succumbed to unauthorized transactions that led to over $2.7 million being pilfered from its wallet across various chains, including #Ethereum and #TRON.
To illustrate the scenario, consider one of the unauthorized transactions on the ETH chain: transaction.
We can observe that approximately 1.3M USDT was directly shifted from Remitano's hot wallet wallet to the assailant's address wallet. Consequently, the perceived Remitano hack also appears to be a consequence of their hot wallet's private key leakage. This presumably allowed the hacker to gain direct control over the hot wallet and transfer all assets.
Gratefully, Tether responded promptly and froze two addresses allegedly utilized by the assailant on both the #Ethereum and #TRON chains, potentially preserving 2.7M $USDT.
Security Recommendations from HashDit
Since last September, numerous instances of hot wallet private key leaks have rattled various projects. Though Stake and CoinEx have stated that the affected funds comprise only a minor share of total assets, and users' funds are safeguarded, Twitter responses reveal growing public suspicion of insider activities at these projects, dramatically undermining user trust. These incidents underscore the significance of proactive risk management concerning project wallets and funds. HashDit, consistently carrying out related security tasks, offers the following recommendations based on our experience in averting hacking incidents:
- Adopt Comprehensive Address Planning and Isolation Design: For high balance addresses, refrain from frequent participation in DeFi contract operations. Replenish hot wallet balances regularly in batches to minimize balance fluctuations and risk exposure.
- Enforce Distributed Access Rights: Avoid allotting comprehensive access rights to the hot wallet to a single entity. Utilize a multisig wallet or MPC solution to necessitate multiple approvals for transactions, bolstering security measures.
- Monitor Key Management: Treat the access key to hot wallets as a critical asset and protect it with a suite of physical and digital measures. Avoid storing key duplicates on vulnerable networks, like emails or cloud storage.
- Initiate Regular Security Audits: Conduct periodic security audits on hot wallets to identify prospective threats or vulnerabilities. Regularly reinforce and upgrade security measures, including ensuring the appropriateness of hot wallet approvals.
- Institute Transfer Limits: Establish a cap for single or daily transactions to mitigate potential losses.
- Implement Ongoing Education and Training: Provide continuous security education for team members engaged in asset management, arming them with the ability to recognize and counteract potential threats.
- Craft Backup and Recovery Plans: Devise a robust plan to ensure swift recovery during unanticipated incidents.
- Maintain Secure Operations: Avoid transacting over unencrypted networks and processing in vulnerable settings, like public WiFi environments.
- Activate Two-Step Verification: Implement two-step verification for all accounts and services associated with the hot wallet.
- Leverage Audit Logs: Preserve and periodically review all hot wallet operation logs to detect and trace any suspicious activities. These are broad suggestions for hot wallet management, yet specific strategies may need tailoring based on individual projects. Don't hesitate to reach out to HashDit for any security consultation. Our mission is to secure your WEB3 journey.
Related Reading
https://hashdit.github.io/hashdit/blog/smart-wallet-migration-guide
About HashDit?
HashDit is building a safe blockchain ecosystem on BNB Chain by providing threat intelligence, code auditing and instant analysis for smart contracts. In the vast and ever-evolving world of Defi investing, HashDit stands as a beacon of trust and knowledge for everyday investors. HashDit is a member of AvengerDAO, which is a community-driven initiative created to protect users and projects on BNB Chain from malicious actors and activity.