
· 23 min read
Sebastian Lim

Overview

This report focuses on security events that happened on BSC in 2022, analyzing the type of projects targeted and sharing the common attack techniques used in 2022, with respect to the financial loss of the incidents.

This report also examines the trends on BSC from 2020 to 2022 to help give readers a better understanding of how the space has grown. Lastly, this report shares some of the products we at Hashdit have developed, and the risks that can be covered by the capabilities Hashdit has built or is building.

TL;DR

Security incidents on BSC have risen since 2020. In 2022 alone, nearly $1.05 billion on BSC were lost to malicious actors, where 80% was due to hacks.

In total, there were 282 security incidents, an average of roughly 23 incidents per month. Of these, 62% were scams / rugpulls.

Disclaimer

The financial data provided here is based on our own monitoring system and on the USD value of the cryptocurrency involved at the time of each incident. Because cryptocurrency prices fluctuate, the total loss may differ from what current token valuations would give.

BSC Growth

This year has been a year of building and growth on BSC. Despite the general cryptocurrency bear market and black swan events like Luna and FTX, BSC has continued to reach new milestones and surpass expectations.

Here is a list of some of BSC’s achievements in 2022: [Refer to the blog released by BNBChain for more information]

Figure 1: Number of BNB Smart Chain unique addresses over the year 2022

  • Peak TVL - USD 16.25b on Jan 3. TVL trend as per screenshot. Source: Defillama

Figure 2: Total Value Locked in the BNB Smart chain ecosystem over the year 2022

  • Transactions

    • Peak Txs: 9.78 million txs on 13th May
    • Avg Daily txs since 01 Jan: 4.34 million txs
    • More than 3.7 billion txs on BSC
  • Active Wallet Addresses (DAU)

    • Peak Daily Active Wallets (DAU): 2.16 million DAU on 12th Oct
    • Avg Daily AUs since 01 Jan: 968k DAU (compared to 740k DAU in 2021)
      • Stabilization of daily active users, which may suggest a foundational user base of an average of ~1 million per day
    • Currently ranked no. 1 compared to other chains in terms of DAU
  • Number of Decentralized Applications (DApps)

    • ~1200 active on BSC

BSC Year-over-Year (YoY)

The on-chain metrics signal the growing adoption of the BNB Smart Chain as the preferred chain for investors to use and for developers to build on. However, owing to BSC’s decentralized nature and its fast growth to more than 1200 DApps, more bad actors have been attracted to the space as well. As a result, security incidents have generally been on a rising trend.

This section aims to describe the security incidents YoY from 2020 to 2022.

General

According to our statistics, there were 282 security incidents on BSC in 2022, a 228% YoY increase from 2021. In 2021, there were 86 security incidents, a 760% increase from 2020.

Figure 3: Number of incidents on the BNB Smart Chain over the last 3 years

Financial losses have also increased from 2020 to 2022, with damages totalling $1.81 billion over the past 3 years, as seen from the chart below. The YoY increase from 2020 to 2021 is 61,221%, while the YoY increase from 2021 to 2022 is 37%, a large decline in YoY percentage.

Figure 4: Total amount of stolen funds in dollars on the BNB Smart Chain over the last 3 years

By analyzing the ratio of the total amount of stolen funds to the total number of incidents, we observed that the average loss per incident has decreased.

Indeed, in 2021 the average loss per incident was $8.9m. In 2022 this value dropped to just $3.7m, even though several large incidents accounted for almost half of the stolen funds. This shows that the number of security exploits with high financial impact is decreasing. One explanation is that projects holding significant funds are better secured and more battle-tested, so malicious actors appear to be focusing their efforts on projects with more modest funds, resulting in lower-value exploits.

The pie chart below gives a clearer picture of the financial losses over the years: 2022 accounts for 57.84% of the total financial loss across the three years, 2021 for 42.10% and 2020 for a mere 0.07%.

Figure 5: Financial losses in % over the last 3 years

Type of attack vectors

According to our statistics, this is the breakdown of the general attack vectors from 2020 - 2022.

Figure 6: Number of incidents per attack vector over the last 3 years

It can be seen that crypto scams (in green) are a growing concern on BSC, with 167 in 2022, a 328% increase YoY. There were also 2 improper management incidents in 2022, a category never recorded previously. This suggests that some project teams are not following best practices for securing user funds. When managing critical components such as the private keys of team wallets, it is important to use a secure key management system.

Do stay tuned to our blogs if you are interested in best practice guides for securing your Web3 project.

Type of projects

This chart represents the type of projects that were exploited since 2020.

Figure 7: Security Incidents per type of project over the last 3 years

It is clear that DeFi projects are still the main targets for crypto hackers, with 208 incidents in 2022, a 147% increase from 2021.

Besides DeFi projects, Bridge and GameFi projects were the only other project types that encountered security incidents in 2021. In total, 9 Bridge and 19 GameFi projects were exploited, an 800% and an 1800% increase respectively from 2021.

With the expansion of the BSC ecosystem, other categories of projects came into the limelight such as ExerciseFi and SocialFi, which did not exist back in 2021. Some of these projects were victims of hacks as well.

2022 in focus

General

In total, nearly $1.05 billion was lost to security incidents on BSC. As the monthly chart below shows, the months with the highest losses were October, January and then June.

Figure 8: Amount of stolen funds in dollars per month in 2022

In those months, the main contributing incidents were (1) the BSC Token Hub exploit, (2) the Qubit exploit and (3) the EvoDefi bridge mismanagement incident.

Interestingly, when these 3 outlier incidents are removed from the chart, the total financial loss drops to just $346.9m, a 67% decrease, leaving roughly one-third of the 2022 total. The average loss per incident also falls to $1.2m, from the $3.7m figure shared earlier in the report.

Figure 9: Amount of stolen funds in dollars excluding the 3 largest incidents

This chart correlates closely with the monthly number of security incidents in 2022.

Figure 10: Number of different projects impacted by exploits

For example, the highest number of security incidents took place in October, which is in line with that month having the highest amount of loss.

However, months with a higher number of security incidents can also have low losses. For example, even though August had 29 security incidents, above the monthly average of 23, the financial loss for that month was only $8m, the 2nd lowest of the year. This data reinforces the observation that we are seeing more incidents with lower financial impact.

Type of attack vectors

Out of the 282 security incidents, crypto scams are the most common on the BNB Chain, as shown below: 62.06% of security incidents are crypto scams, followed by hacks at 37.23% and improper management, such as mismanagement of private keys, at 0.71%.

Figure 11: Proportion of different types of exploits

However, it is interesting to note that even though the number of scams is nearly double that of hacks, the financial impact of scams is less significant than that of hacks. The total financial loss to scams ($190m) is less than half of the loss to hacks ($803m), as shown in Figure 12 below.

Figure 12: Financial impact measured in dollars comparing different types of incidents

For a finer-grained analysis, the chart below breaks down the 2022 financial loss by specific attack vector.

Figure 13: Proportion of the funds lost comparing the different types of vulnerabilities

32.93% is attributed to the BSC Token Hub exploit, which involved a low-level vulnerability, specifically an IAVL tree related proof verification bug. The 2nd largest contributor was business logic vulnerabilities within smart contracts deployed on BSC, accounting for 29.45%.

It is notable that “low-level” scams like rugpulls and Ponzi schemes, even though they are the most common, do not take up much of the proportion, as seen in the pie chart.

Type of projects

When comparing project type against financial loss, unsurprisingly, 60.38% of the financial loss is attributed to Bridge projects. This is because cross-chain bridges generally lock large amounts of crypto assets on one chain to mint collateralized assets on the destination chain. Hackers took notice of this and targeted vulnerabilities within these cross-chain bridge smart contracts.

The 2nd most targeted project type was DeFi at 37.06%, followed by GameFi and Metaverse projects at 1.22% and 1.08% respectively.

Figure 14: Proportion of funds lost comparing the type of project

Top 10 incidents in 2022

The following were the top 10 security incidents in terms of financial loss in 2022.

Figure 15: Top exploits measured in dollars in 2022 on the BNB Smart Chain

BSC Token Hub exploit - $572 Million Loss

On 6th October 2022, BSC Token Hub, a bridge between the BNB Beacon Chain and the BNB Smart Chain, was exploited, resulting in the unauthorized transfer of 2M BNB.

Root cause analysis confirmed a flaw in the implementation of the verification algorithm developed by Cosmos, which BSC had incorporated into its contract’s proof verification process. Essentially, the proof verification bug allowed the attacker to forge arbitrary messages that would be accepted without being properly verified. Fortunately, the attacker only forged two messages, so the damage could have been far worse.

QubitFinance - $80 Million Loss

On 27th Jan 2022, the Qubit protocol was exploited, resulting in a loss of almost $80M. Qubit Bridge is essentially a platform that lets users collateralize their ETH on the Ethereum chain without moving assets to BSC. The incident was caused by a flawed minting function for qXETH on BSC; the minted tokens were then used to borrow assets via Qubit lending.

The root cause was that a legacy function (deposit) remained in the Qbridge Handler contract after it was replaced by a newer function (depositETH).

The legacy function did not check the amount of tokens (in this case WETH) that were supposed to be transferred in. As a result, the attacker was able to pass in the 0x0 address to fake a deposit event.

EvoDefi - $50 Million Loss

The team behind EVODeFi, a cross-chain platform offering a set of crypto products on BNB Smart Chain (BSC) and Polygon, invested users’ funds in Terra’s Anchor Protocol in order to fund their cross-platform bridge and to sustain a high APR on ValleySwap, the team’s second project. In a further effort to boost the APR on ValleySwap, the team minted unbacked USDT on Oasis Emerald, the network ValleySwap was based on, leaving the funds there unbacked.

However, with the collapse of Terra’s ecosystem, EVODeFi lost its investment in Anchor Protocol, its unbacked USDT became worthless, and it had no liquidity to continue operations.

Thus, EVODeFi was forced to close its bridge, trapping millions of dollars’ worth of users’ funds on Oasis, with no way to move funds out of the Oasis Network without losing a majority of their value.

StableFund - $23 Million Loss

StableFund was identified as a Ponzi scheme. The project team took a risk-free 3% handling fee, while participants were promised 1.5% rewards every day and the option to withdraw their principal after 4 weeks.

In reality, the project had no profit-making method that could sustain a 1.5% daily yield. The rewards of earlier entrants had to be paid from the principal of later entrants, the standard Ponzi feature.

The project started on 2022-06-27; more than 13k addresses have participated, and more than $23 million has been invested into the pools so far.

Elephant Money - $22 Million Loss

On 13th April 2022, Elephant Money was exploited, resulting in the loss of 27,416.46 BNB. The attacker first used WBNB to buy a large amount of ELEPHANT, and then used BUSD to mint the TRUNK stablecoin. During the minting process, the Elephant contract converts BUSD to WBNB and then to ELEPHANT, which drives up the ELEPHANT price.

The root cause was that the vulnerable contract relied on the instantaneous price of the ELEPHANT-WBNB liquidity pool. Since the value of ELEPHANT was artificially inflated, the attacker could mint more TRUNK stablecoin, which he could then redeem for WBNB and BUSD.
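The spot-price weakness described above, modelled as an added example (this is not Elephant Money's code): a constant-product pool, a mint that values collateral at the instantaneous pool price, and a hardened mint that values it at a time-weighted average price (TWAP) and refuses when spot deviates from it. The pool sizes, fee and trade size are constructed assumptions.

```python
from dataclasses import dataclass

FEE_BPS = 25  # assumed 0.25% swap fee, in basis points


@dataclass
class Pool:
    """Constant-product (x*y=k) pool of TOKEN and WBNB with a price accumulator."""
    reserve_token: float
    reserve_wbnb: float
    price_cumulative: float = 0.0  # sum over time of spot_price * seconds in force
    last_ts: int = 0

    def spot_price(self) -> float:
        """WBNB per TOKEN read straight from the reserves; movable within one tx."""
        return self.reserve_wbnb / self.reserve_token

    def advance(self, now: int) -> None:
        """Accrue the accumulator for the period the current price was in force."""
        self.price_cumulative += self.spot_price() * (now - self.last_ts)
        self.last_ts = now

    def swap_wbnb_for_token(self, wbnb_in: float) -> float:
        """Buy TOKEN with WBNB; returns the TOKEN received after the fee."""
        wbnb_after_fee = wbnb_in * (10_000 - FEE_BPS) / 10_000
        token_out = self.reserve_token * wbnb_after_fee / (self.reserve_wbnb + wbnb_after_fee)
        self.reserve_wbnb += wbnb_in
        self.reserve_token -= token_out
        return token_out


def twap(pool: Pool, snap_cum: float, snap_ts: int) -> float:
    """Time-weighted average price since a snapshot; call pool.advance(now) first."""
    return (pool.price_cumulative - snap_cum) / (pool.last_ts - snap_ts)


def mint_stable_spot(pool: Pool, collateral_token: float) -> float:
    """Vulnerable pattern: stablecoin issued = collateral valued at the spot price."""
    return collateral_token * pool.spot_price()


def mint_stable_twap(pool: Pool, collateral_token: float, snap_cum: float,
                     snap_ts: int, now: int, max_dev: float = 0.05) -> float:
    """Hardened pattern: value collateral at the TWAP and revert if spot strays from it."""
    pool.advance(now)
    avg = twap(pool, snap_cum, snap_ts)
    if abs(pool.spot_price() - avg) / avg > max_dev:
        raise ValueError("spot price deviates from TWAP; possible manipulation")
    return collateral_token * avg


def run_attack(use_twap: bool) -> tuple:
    """Buy TOKEN to pump the pool, then mint stablecoin against the bought TOKEN in the
    same block. Returns (wbnb_spent, stablecoin_minted); the stablecoin is assumed to be
    redeemable 1:1 for WBNB, so minted > spent means the attacker profits. The pool
    sizes and trade size are constructed for illustration."""
    pool = Pool(reserve_token=1e9, reserve_wbnb=1e4)  # fair price: 1e-5 WBNB per TOKEN
    pool.advance(3600)                                 # one quiet hour at the fair price
    snap_cum, snap_ts = 0.0, 0                         # accumulator snapshot taken at t=0
    spent = 3000.0
    tokens = pool.swap_wbnb_for_token(spent)           # spot price jumps by roughly 69%
    if not use_twap:
        return spent, mint_stable_spot(pool, tokens)
    try:
        return spent, mint_stable_twap(pool, tokens, snap_cum, snap_ts, now=3600)
    except ValueError:
        return spent, 0.0                               # mint refused in the attack block


if __name__ == "__main__":
    for mode in (False, True):
        spent, minted = run_attack(mode)
        print(f"twap={mode}: spent {spent:.1f} WBNB, minted {minted:.1f} stablecoin")
```

With the spot-price mint the attacker receives roughly 3890 stablecoin for 3000 WBNB spent; with the TWAP mint the same transaction is rejected, and an honest mint against the unmanipulated pool still values the collateral at the fair price.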

Transit Finance - $21 Million Loss

On 1st October 2022, Transit Finance / Swap (a cross-chain protocol) was exploited for more than $21m. Essentially, this attack targeted users directly via a vulnerability in the use of the transferFrom() function: any tokens approved for trading on Transit Swap could be transferred directly from users’ wallets to the exploiter’s address.

Thankfully, more than $18.9m was returned to Transit Finance on both chains (ETH and BNB).

The root cause was a lack of validation of input parameters. The hacker passed the permissions management contract as a parameter to the vulnerable contract and called the claimTokens function, which performed a transferFrom from users who had granted unlimited approval to this contract.
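Because the Transit Swap attack drained wallets that still held unlimited approvals, and since the investor tips at the end of this report recommend revoking approvals after use, here is an added example (not Transit Finance's or HashDit's code) that decodes raw ERC-20 Approval logs, flags unlimited allowances granted to a watched spender, and builds the approve(spender, 0) calldata that revokes them. The addresses, token and log entries are constructed for illustration.

```python
# keccak256("Approval(address,address,uint256)"), topic[0] of every ERC-20 Approval log
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# keccak256("Transfer(address,address,uint256)"), used here only as a non-Approval sample
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = 2**256 - 1


def topic_to_address(topic: str) -> str:
    """Indexed address parameters are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()


def address_to_topic(addr: str) -> str:
    """Inverse of topic_to_address, used to build the constructed sample logs."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def decode_approval(log: dict):
    """Return {token, owner, spender, value} for an Approval log, or None otherwise."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return {
        "token": log["address"].lower(),
        "owner": topic_to_address(topics[1]),
        "spender": topic_to_address(topics[2]),
        "value": int(log["data"], 16),
    }


def find_risky_approvals(logs, watched_spenders, threshold: int = UINT256_MAX):
    """Approvals to a watched spender with allowance >= threshold (default: unlimited)."""
    watched = {s.lower() for s in watched_spenders}
    findings = []
    for log in logs:
        ev = decode_approval(log)
        if ev and ev["spender"] in watched and ev["value"] >= threshold:
            findings.append(ev)
    return findings


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): 4-byte selector + 32-byte address + 32-byte zero."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


# Constructed sample data in the shape returned by eth_getLogs (hypothetical addresses).
ROUTER = "0x" + "ab" * 20   # the spender contract under investigation
TOKEN = "0x" + "11" * 20
ALICE = "0x" + "a1" * 20
BOB = "0x" + "b0" * 20
SAMPLE_LOGS = [
    # Alice granted an unlimited allowance (value = 2**256 - 1)
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, address_to_topic(ALICE), address_to_topic(ROUTER)],
     "data": "0x" + "f" * 64},
    # Bob granted a bounded allowance of 1000 tokens (18 decimals)
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, address_to_topic(BOB), address_to_topic(ROUTER)],
     "data": "0x" + hex(10**21)[2:].rjust(64, "0")},
    # a Transfer log, which the decoder must ignore
    {"address": TOKEN, "topics": [TRANSFER_TOPIC, address_to_topic(ALICE), address_to_topic(BOB)],
     "data": "0x" + hex(5 * 10**18)[2:].rjust(64, "0")},
]


def scan_sample():
    """Unlimited approvals to ROUTER found in the constructed logs."""
    return find_risky_approvals(SAMPLE_LOGS, [ROUTER])


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['owner']} granted unlimited {f['token']} allowance to {f['spender']}")
        print(f"  revoke with approve(spender, 0) calldata: {revoke_calldata(f['spender'])}")
```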

ANKR / Helio - $20 Million Loss

On 2nd December 2022, the Ankr protocol was exploited for around $5m, but surprisingly one of their products, Helio, was impacted as well for more than $15m, bringing the total damage to more than $20m. Essentially, the root cause was that the private key of the Ankr deployer was compromised; according to the team, it was an insider attack that stole the private key. The exploiter then introduced a backdoor function and minted a large amount of unbacked aBNBc tokens to drain the liquidity pool of BNB.

Helio was impacted because aBNBc was one of the accepted forms of collateral on its platform. Since the value of aBNBc had plummeted, many users seized the opportunity to purchase it below market value. At the same time, Helio used a Chainlink feed reflecting the actual value of BNB at that point in time. As a result, these users had a higher collateral value than expected, could borrow large amounts of $HAY (the platform’s stablecoin) and did not pay back the debt.

Racoon Network and Freedom Protocol - $20 Million Loss

On 20th July 2022, Racoon Network and Freedom Protocol performed a rugpull. More than 20 million USDT was transferred to the same EOA address, suggesting that the two projects belong to the same party. 10% of the funds were transferred from Raccoon Network, while 90% were transferred from Freedom Protocol.

For Raccoon Network, the loophole was in the unverified token contract, Raccoon Network Token (RAC). Every time a user transfers RAC, a 6% tax is charged and the tax fees are sent to an EOA, from which the malicious project party could cash out to USDT at any time.

For Freedom Protocol, the project party collected USDT by selling their NFTs at a price of 100 USDT each. Afterwards, they did not continue development and the funds have since been transferred out through CEXs.

$FLARE - $17 Million Loss

On 14th November 2022, the $FLARE token conducted an exit scam of ~$17m. Essentially, the root cause was that the (unverified) victim contract allowed the attacker to use a fake token as input to call getUserInfo() and thereby set values in the "balance" related data structure.

The project has a rewards contract which rewards users who have invested USDT, paying them in USDT. Internally, a “balance” related data structure calls the investing contract’s getUserInfo() to keep track of how many tokens have been invested.

However, the lack of input validation allowed the exploiter to pass the address of his fake token, which implemented the required getUserInfo() method, and fake his invested amount.

DEGO Finance / Cocos - $15 Million Loss

On 9th February 2022, DEGO Finance / Cocos were hacked for $15m. The hacker compromised multiple private keys of the team and, as a result, removed liquidity from the projects and stole all funds from their hot wallets. The funds have already been bridged to the ETH chain and deposited into Tornado Cash.

Conclusion

BSC continues to be a strong competitor, outperforming Ethereum in terms of daily active users and transactions. However, it is undeniable that 2022 was a tough year for both investors and developers due to the bear market and hack incidents, which eroded trust within the cryptocurrency community. Below are some final tips for investors and developers:

For investors:

  • Understand what you're signing, don't blindly sign random signatures/transactions (never sign signatures outside of official websites)
  • Always double check that you are on the official website of the DApp
  • Be extra wary of new/trending projects or projects that guarantee High APYs / use MEV bots, and always verify the project team’s authenticity
  • Use multiple wallets for different activities (hot wallet for frequent transactions; cold wallet to store high value funds)
  • Ensure you are interacting with an open-source contract and revoke approval once interaction is done
  • Check the security and risk scores of the contracts you interact with (e.g. when using Trust Wallet). If High Risk is flagged, we strongly advise staying away

Feel free to reach out to our team if you have any doubts about a certain project / contract address / transaction / risk score!

For developers:

  • Verify & open-source all relevant contracts on-chain (to ensure transparency and trust within the space)
  • Ensure the project is audited by at least 2 well-known security companies and fix all issues where applicable (including auditing newly added code)
  • Incorporate / Implement a bug-bounty program to upkeep the security posture of the project and encourage the community to ensure the code remains secure
  • Ensure security is at the core of the business: run sufficient testing / stress-testing / simulations such as (1) adverse token price fluctuations, (2) edge cases
  • Prevent centralization risks by using multi-signature wallets and not a single EOA wallet to run operations
  • Minimize contract upgradeability and only apply to contracts when necessary
  • Ensure funds are stored securely (key management, fund distribution)
  • Implement safeguards in the event of a hack (formulate an Incident Response plan, introduce time lock / pausing within the smart contract)
  • Constantly monitor system parameters, e.g. the exchange rate of a token

Hashdit

HashDit’s core mission is to provide the essential threat intelligence for everyday crypto investors to make informed decisions. Our methodology includes a variety of automated and manual techniques to evaluate a DApp project.

Thanks to our ever hardworking team, Hashdit has launched several products in 2022.

Products at Hashdit currently:

  • Risk assessment: All-in-one collection of security rating framework, auto-scan tools, and corresponding APIs, which are able to deliver accurate detection for potential rugpull/exploit risks based on a smart contract address. This is integrated with platforms like Trust Wallet and PancakeSwap, to leverage their reach and protect more users.

    It is able to detect many other risks besides the usual SWC bugs, such as Tornado Cash interaction, risky functions in ERC20 or ERC721 token contracts (such as Migrate() or Blacklist()), and honeypots. This helps users gain a better understanding of whether the smart contract could be a scam.

  • Audit service: Comprehensive code audits following extensive and detailed best practices for smart contracts and discovering code loopholes / security vulnerabilities before they are deployed on-chain, guaranteeing users’ safety on BSC.

  • Monitoring: Detecting sensitive events / transactions that happen on-chain to quickly respond and minimize any additional financial losses. At the same time, Hashdit warns users early by sharing any information we find on our Twitter.

  • Blog: Our goal is to share our security knowledge for builders, investors and users in the Web3 community. With all the players in the industry equipped with the security knowledge needed and adopting a security-first mindset, only then will the Web3 ecosystem be a safer place for everyone.

In addition, Hashdit is a major contributor to AvengerDAO, a community-run security initiative to ensure user safety on BSC. Working together with other security companies in the industry, we aim to reduce security incidents on BSC, especially those involving Bridge projects and scams. We are excited to present even better products in the future and to improve BSC’s overall security.

To a better year ahead! Happy new year to all!

Glossary

General Incident classification

The type of incidents can be generally broken down into 3 types:

  • Hacks

    • Hacking, in general, is the practice of intentionally exploiting weaknesses in an organization's computer systems. In the context of blockchain, it means exploiting vulnerabilities in the fundamental components of DApps and in the blockchain infrastructure. A non-exhaustive list of such components: blockchain bridges, oracles, crypto wallets, frontend/backend applications and smart contracts deployed on-chain. Examples of such weaknesses include business logic issues and lack of validation.
    • At times, it involves compromising the private keys of project teams through traditional attack vectors.
  • Scams

    • Scams are Web3 projects that do not intend to deliver the promised features. They usually entice users to invest in or participate in the project with the sole intent of keeping the invested money and leaving the users hanging.

    • Scams can be executed by dumping tokens or stealing all the invested funds, through means like sketchy emails and websites or fake social media accounts. In the context of blockchain, scams can involve luring users into a “get-rich-quick scheme” such as a Ponzi scheme, or tricking users into signing unintended transactions that result in stolen funds.

    • Do refer to our blog article for more details on the top 6 crypto scams in 2022.

  • Improper Management

    • Improper Management is a situation where the project party mismanages components associated with user funds. Examples include application misconfigurations that could expose critical information about users or project funds, or the project party minting uncollateralized funds to perform high-risk trading, at the expense of users’ funds.

Project type classification

  • Bridge

    • A blockchain bridge is a tool that lets you port assets from one blockchain to another, solving one of the main pain points within blockchains – a lack of interoperability. Since blockchain assets are often not compatible with one another, bridges create synthetic derivatives that represent an asset from another blockchain.
  • DeFi (Decentralized Finance)

    • Decentralized finance (DeFi) is a new financial framework consisting of decentralized blockchain protocols and underlying smart contract technology. DeFi, as it is most commonly known, makes it possible for users to access different types of financial products and services without the need for a centralized authority.
  • GameFi (Play-to-Earn)

    • 'GameFi' refers to the financialisation of video gaming. It is characterized by its 'play-to-earn' (P2E) business model, and mainly refers to blockchain games that offer tokenized incentives to players while enabling frameworks for player-as-owner rather than the standard player-as-consumer.
  • Learn-to-Earn

    • 'Learn-to-Earn’ refers to the financialisation of quizzing. It is characterized by the business model, which offers tokenized incentives to players who participate in the project and answer quizzes.
  • Metaverse

    • Crypto metaverses are immersive virtual worlds with immense social and financial potential. Their use of blockchain infrastructure enables them to tap into the wider crypto economy, making virtual items exchangeable for real economic value beyond the confines of the metaverse.
  • SocialFi

    • SocialFi is the fusion of social media and Web3. It refers to social media on a blockchain with a layer of finance in it. The concept brings together the principles of decentralized finance (DeFi) and social media to create, manage, and own content generated by the users on the platforms.
  • ExerciseFi

    • ExerciseFi, or Move-to-Earn, rewards users for movement, as the name implies, whether walking, running or dancing to a rhythm.
  • Oracle

    • Oracles are complex computerized systems that connect data from the outside world (off-chain) with the blockchain world (on-chain). Most blockchains have native cryptocurrencies that are used to transfer value, enable the operations of the protocol, or facilitate governance.
  • Wallet

    • A Cryptocurrency Wallet is an application that functions as a wallet for your cryptocurrencies. It is called a wallet because it is used similarly to a wallet you put cash and cards in. Instead of holding these physical items, it stores the private keys you use to sign your cryptocurrency transactions and provides the interface that lets you access and manage your cryptocurrencies.
  • DAO

    • A decentralized autonomous organization (DAO) is an emerging form of legal structure that has no central governing body and whose members share a common goal to act in the best interest of the entity.

· 5 min read

Over the past years, Android has strengthened its leadership among mobile operating systems, with an average market share of approximately 70.96%. Much of this success is no mere temporary surge: it stems from a developer-friendly application development process. Google offers a plethora of platforms that support the design, development, testing and sharing of applications. Consequently, the number of applications in the Google Play Store reached 2.6 million in 2022.

From a security standpoint, however, the remarkable growth of Android means that a large number of innocent mobile users may become potential victims of cyber attacks. One prevalent type of attack is called repackaging. Repackaging refers to the practice of customizing an existing mobile app and redistributing it in the wild. Specifically, attackers download a popular app from an app market, reverse-engineer it, inject malicious code, and redistribute the modified app. Because it is difficult for regular users to notice the difference between the repackaged app and the original, victims may suffer financial loss, especially when security-critical private and business apps they use, such as crypto exchange apps, are repackaged.

Repackaged Android Apps

Some may be astounded that Android apps are prone to repackaging. We can say that Android is negligent toward such an attack, and this is intrinsically related to the structure of its app distribution process. An app only requires "ANY" valid signature to be installed successfully; the platform does not verify the actual identity of the signer. The app developer (including a bad actor!) does not need a legitimate public key certificate issued by a trusted authority, which means an actor can modify an existing app, inject harmful code, and re-sign it with a self-generated private key.

What can happen once you have installed a repackaged app on your mobile device? Based on our experience:

  • Pilfering cryptocurrencies
  • Stealing your credentials (Account Information, Passport Copy for KYC, ...)
  • Leaking your secret phrases
  • Or... almost everything you can imagine is possible!

2 helpful guidelines for checking an app

Whether you are downloading an app as a customer or as a developer NOT via an official app store such as Google Play, there are some essential guidelines and tips you need to consider to keep your device safe. Let's check them out!

Protip 1. Validate the download address.

When reading a blog post, you may find that it hosts a third-party download. Clicking the button may lead to problems, so you must validate the address beforehand. In the case of Binance, the address should be https://download.binance.com/pack/BNApp.apk, as shown in the picture below.

But remember, scammers are becoming more innovative, and they can disguise the URL to make it look safe. Malicious URLs come in many forms, for example https://download.b1nance.com/ or https://download.blnance.co/. Even if the post shows no apparent problem, please proceed cautiously!

Protip 2. Check the digital signature.

With a tool called apksigner, you can check the app's authenticity. The apksigner tool, available in revision 24.0.3 and higher of the Android SDK Build Tools, lets you sign APKs and confirm that an APK's signature will be verified successfully on all versions of the Android platform supported by that APK. Compare the original and repackaged versions and you may immediately see the difference.

The syntax for confirming the successful verification of an APK's signature on supported platforms is as follows:

apksigner verify [options] app-name.apk

The apksigner verify command has the following options.

--print-certs

Show information about the APK's signing certificates.

--min-sdk-version <integer>

The lowest Android framework API level that apksigner uses to confirm that the APK's signature will be verified. Higher values allow the tool to use more robust security parameters when signing the app but limit the APK's availability to devices running more recent versions of Android. By default, apksigner uses the value of the minSdkVersion attribute from the app's manifest file.

--max-sdk-version <integer>

The highest Android framework API level that apksigner uses to confirm that the APK's signature will be verified. By default, the tool uses the highest possible API level.

-v, --verbose

Use the verbose output mode.

-Werr

Treat warnings as errors.
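A valid signature alone only proves the APK was signed by someone, so the check that catches a repackaged app is comparing the signer's certificate digest with the one you expect. The following is an added example (not from the post): it runs `apksigner verify --print-certs`, parses the SHA-256 certificate digest lines apksigner prints, and compares them with a pinned value. EXPECTED_SHA256 and the two sample outputs are constructed placeholders, not Binance's real fingerprint.

```python
import re
import subprocess

# Placeholder: replace with the SHA-256 digest of the official signing certificate,
# obtained from a known-good copy of the app. This is NOT a real fingerprint.
EXPECTED_SHA256 = "11" * 32

# Matches the digest line apksigner prints for each signer, e.g.
# "Signer #1 certificate SHA-256 digest: <64 hex chars>"
DIGEST_RE = re.compile(r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})$",
                       re.MULTILINE)


def parse_sha256_digests(output: str) -> dict:
    """Map signer number -> lowercase SHA-256 digest from --print-certs output."""
    return {int(num): digest.lower() for num, digest in DIGEST_RE.findall(output)}


def judge(digests: dict, expected: str = EXPECTED_SHA256) -> tuple:
    """Return (ok, reason): ok only if every signer matches the pinned digest."""
    if not digests:
        return False, "no signer certificate found in apksigner output"
    bad = {n: d for n, d in digests.items() if d != expected.lower()}
    if bad:
        detail = ", ".join(f"#{n} {d}" for n, d in bad.items())
        return False, "signer certificate mismatch: " + detail
    return True, "all signers match the pinned certificate"


def check_apk(apk_path: str, expected: str = EXPECTED_SHA256) -> tuple:
    """Run apksigner (must be on PATH) and pin the result. Returns (ok, reason)."""
    proc = subprocess.run(["apksigner", "verify", "--print-certs", apk_path],
                          capture_output=True, text=True)
    if proc.returncode != 0:  # apksigner exits non-zero when the APK DOES NOT VERIFY
        return False, "signature does not verify: " + (proc.stderr or proc.stdout).strip()
    return judge(parse_sha256_digests(proc.stdout), expected)


# Constructed sample outputs in apksigner's --print-certs format (no real publisher).
OFFICIAL_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Publisher, O=Example Ltd, C=US\n"
    f"Signer #1 certificate SHA-256 digest: {'11' * 32}\n"
    f"Signer #1 certificate SHA-1 digest: {'11' * 20}\n"
    f"Signer #1 certificate MD5 digest: {'11' * 16}\n"
)
# A repackaged build re-signed with a self-generated key: same DN can be copied,
# but the certificate digest cannot.
REPACKAGED_OUTPUT = OFFICIAL_OUTPUT.replace("11" * 32, "22" * 32)


if __name__ == "__main__":
    import sys
    ok, reason = check_apk(sys.argv[1]) if len(sys.argv) > 1 else judge(parse_sha256_digests(REPACKAGED_OUTPUT))
    print(("OK: " if ok else "REJECT: ") + reason)
```

Run it as `python check_apk.py app.apk` against a downloaded file; without an argument it evaluates the constructed repackaged sample and rejects it.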

Conclusion

You should only trust apps obtained from official app stores. If you have ever downloaded the Binance app from a third-party market or already have such a copy installed, you are probably at risk and immediate action is required: change your password, factory-reset your device, freshly install the app from our official host, and contact us for assistance.

Other apps can also be a potential backdoor. Once you use a repackaged app, the bad actor can harm you in countless unimaginable ways. Telegram is a good example: Hashdit once stumbled across an unofficial Telegram app that replaced crypto wallet addresses with the bad actors' addresses on the fly.

· 13 min read
Sebastian Lim

Back in 2021, crypto scams were a growing attack vector tricking victims into investing in the crypto space. According to CNBC, more than $1 billion were lost to crypto scams in 2021, where the most common types include fake investments and romance scams.

Since then, 2022 has shown that scammers are getting more and more creative.

As a leader in securing the BNB Chain ecosystem, it is our duty to keep users in the BNB Chain ecosystem safe by making sure they are always one step ahead of these scammers. Here are the most popular scams this year:

1: Phishing

Phishing is already a popular technique among scammers in Web 2, because a scammer can simply create a malicious website and then mass-send the link to victims. Here, we will focus mostly on the ways scammers try to steal your private keys.

In Web3, scammers usually send their phishing links through the mediums where the Web3 community gathers, such as Discord, Twitter, Telegram, and even on-chain.

IMG-2

Phishing websites usually look like the real website but use a different URL. They may advertise a new giveaway or an NFT pre-mint event, basically any situation that makes the user feel excited (FOMO, Fear Of Missing Out) and not think straight. The scammer takes advantage of the user's emotional state.

They may blatantly ask the user to provide a seed phrase or private key: for example, contacting users on social media, posing as wallet software support, or jumping into direct messages impersonating exchange support to ask for the private key directly.

Another approach is for scammers to develop Chrome extensions that look similar to legitimate ones like MetaMask. By impersonating the real application, they lead users to let their guard down and enter their private key to use the "new" application.

One interesting tactic we noticed is that scammers will also try to trick users into thinking there is a new bug or vulnerability in an existing application and that a software upgrade is available. We detected a scammer trying to convince users that the current MetaMask version had a bug and that they should upgrade to the new version. The scammer claimed in the message that the new upgrade was not released yet, so the upgrade had to be done manually this time, and then gave a set of instructions designed to trick the user into providing their MetaMask password, which exposes their private key to the scammer.

In this scenario, users should always wait for the official announcement from MetaMask and upgrade MetaMask from official sources.

To upgrade an extension, just head to chrome://extensions/

Click on the update button

IMG-3

This will update all your extensions accordingly.

A friendly reminder:

Normal application upgrades WILL NOT require a user to provide sensitive information such as login credentials.

2: Ice-Phishing

This is a tactic where the user is tricked into signing a transaction that gives the attacker control over the user's tokens without the private key ever leaking. It is an extension of the phishing technique.

For some background, when a user is using a DeFi application (e.g. PancakeSwap) and interacting with the main token standards (ERC-20, ERC-721, and ERC-1155), an approval request is shown in their MetaMask window. This asks the user to delegate authority over those tokens to a third party that will act on the user's behalf. Afterwards, the user can perform other operations, such as a swap.

Attackers direct users to the phishing website and induce them to sign transactions they did not request. For example, the spender being approved might not even be a contract, but the attacker's own address. Once the approval transaction is confirmed, the attacker has the authority to transfer funds out of the victim's wallet.

Usually, the scam website has logic that scans the victim's wallet for valuable assets, such as an expensive BAYC NFT or tokens like WBTC or WETH. Often, the website will keep popping up the MetaMask window to prompt the user to sign another transaction even after they have already signed once.

Another way to avoid becoming a victim of Ice-Phishing is to stay away from signing eth_sign requests. They usually look something like this:

IMG-4

The method eth_sign is an open-ended signing method that allows signing an arbitrary hash, which means it can be used to sign unclear transactions, or any other data, making it a dangerous phishing risk.

An arbitrary hash means that the usual suspects, the approve and "approve for all" methods, are not the only possibilities: the scammer can make you sign a native token transfer or any contract call, gaining almost full control of your account without ever holding your private key!

Although MetaMask will display a risk warning when signing eth_sign requests, when combined with other phishing techniques, it can still be possible for users with no security experience to fall for these traps.
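The checks a wallet-side guard would apply to the requests described in this section, as an added example that is not code from the original post or from MetaMask: it decodes ERC-20 approve / ERC-721 setApprovalForAll calldata by hand, flags a spender with no contract code (the attacker's own address), an unlimited allowance, and any eth_sign request. The has_code lookup and all addresses are assumed placeholders; in practice the lookup would be an eth_getCode call.

```python
"""Pre-signing checks for the approval requests described above (Ice-Phishing).
Added example, not code from the original post or from MetaMask: it decodes ERC-20
approve / ERC-721 setApprovalForAll calldata by hand and takes a caller-supplied
has_code(address) lookup (assumed; in practice eth_getCode)."""
from typing import Callable, List, Optional, Tuple

APPROVE = "095ea7b3"               # keccak256("approve(address,uint256)")[:4]
SET_APPROVAL_FOR_ALL = "a22cb465"  # keccak256("setApprovalForAll(address,bool)")[:4]
UINT256_MAX = 2**256 - 1


def decode_approval(calldata_hex: str) -> Optional[Tuple[str, str, int]]:
    """Return (method, spender, amount_or_flag), or None if this is not an approval call."""
    data = calldata_hex.lower().removeprefix("0x")
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL) or len(args) < 128:
        return None
    spender = "0x" + args[24:64]  # an address is right-aligned in its 32-byte ABI word
    value = int(args[64:128], 16)
    return ("approve" if selector == APPROVE else "setApprovalForAll", spender, value)


def assess_request(method: str, calldata_hex: str, has_code: Callable[[str], bool]) -> List[str]:
    """Risk findings for one wallet request; an empty list means nothing obviously wrong."""
    if method == "eth_sign":
        return ["eth_sign: blind signature over an arbitrary hash, refuse"]
    decoded = decode_approval(calldata_hex)
    if decoded is None:
        return []
    name, spender, value = decoded
    findings = []
    if not has_code(spender):  # the "contract" being approved is just a plain wallet
        findings.append(f"{name}: spender {spender} has no code, it is an externally owned account")
    if name == "approve" and value == UINT256_MAX:
        findings.append("approve: unlimited allowance requested")
    if name == "setApprovalForAll" and value == 1:
        findings.append("setApprovalForAll: operator gains control of the whole collection")
    return findings


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount) so the demo can build realistic calldata."""
    return "0x" + APPROVE + spender.removeprefix("0x").rjust(64, "0") + format(amount, "064x")


# Constructed placeholder addresses: a DEX router that has code, and an attacker's plain wallet.
ROUTER = "0x" + "11" * 20
ATTACKER_EOA = "0x" + "22" * 20


def has_code_demo(addr: str) -> bool:
    return addr.lower() == ROUTER
```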

3: Event Spoofing & NFT Sleep Minting

Event Spoofing

Event spoofing is a tactic where scammers transfer random BEP20 tokens to users and prompt them to interact with the tokens. The catch is that even though the scammer is the one transferring the tokens, a blockchain explorer like BscScan will show the source of funds as a separate wallet, such as the Binance Hot Wallet. Users are then enticed to interact with these new "free" tokens, which can lead them to phishing websites via a link placed in the token name or in the code itself. This is an extension of the phishing technique.

This method takes advantage of how blockchain explorers show events.

For example, this screenshot from BscScan shows CHI being sent from Null Address to the address 0x7aa3

IMG-5

From the code perspective, this means that at the line emit Transfer(...):

  • msg.sender -> Null address (_from)
  • _to -> 0x7aa3
  • _value -> 294

IMG-6

However, blockchain explorers blindly use the parameters of the emitted events. If the _from address is changed to another address, e.g. 0xhashdit, then BscScan will display the CHI as being sent from 0xhashdit to the receiving address. Note: this is not exactly a bug in blockchain explorers, but a consequence of the flexibility to set event parameters freely, since BscScan cannot know for sure whether the parameters are accurate. Scammers can use this to their advantage to spoof the source of funds.

Look at our Twitter post for such an example!

NFT Sleep Minting

Building on plain BEP20 event spoofing, scammers can be creative with how they execute their scam. NFT Sleep Minting is when a scammer mints an NFT directly to a famous creator’s wallet. However, the NFT code has a backdoor method where the scammer can reclaim the NFT back. This creates the appearance that (1) the famous creator authentically minted an NFT to themselves; and then (2) sent that NFT to a scammer. Based on the “on-chain” provenance, the scammer can claim they own an NFT minted by a famous creator and sell it for a higher value, faking the value in the process.

The deception of Sleep Minting comes from the fact that you can emit any piece of data in an event log. One would expect that if a user sends a transaction to transfer an NFT, their address should appear in the event log as the "from" field. However, that is not the case when a scammer reclaims a sleep-minted NFT from a famous creator: the scammer can artificially place the famous creator's address in the Transfer event's "from" field, completing the illusion.

For example, we can take a look at Beeple's account and observe several NFTs minted to him, but not actually minted by him.
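Both the BEP20 event spoofing above and NFT sleep minting rely on the same gap: an explorer repeats the Transfer event's parameters without checking them against token state. The following is an added example, not code from the original post: a toy ledger stands in for a token contract, and a checker confirms that the address named as "from" really lost the tokens (for an NFT, the balanceOf delta of 1). All addresses are constructed placeholders.

```python
"""Cross-check a Transfer event against the real balance change it claims to describe,
the gap that BEP20 event spoofing and NFT sleep minting both exploit. Added example,
not the post's code: a toy ledger stands in for a token contract, addresses are placeholders."""
from dataclasses import dataclass, field

NULL = "0x" + "00" * 20
CREATOR = "0x" + "c1" * 20  # placeholder for a famous creator's wallet
SCAMMER = "0x" + "5c" * 20  # placeholder for the scammer's wallet
VICTIM = "0x" + "1d" * 20   # placeholder for an airdrop recipient


@dataclass
class Transfer:
    src: str
    dst: str
    value: int


@dataclass
class ToyToken:
    """balances is the contract's real state; events is whatever the code chose to emit."""
    balances: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def honest_transfer(self, sender: str, to: str, value: int) -> None:
        assert self.balances.get(sender, 0) >= value, "insufficient balance"
        self.balances[sender] -= value
        self.balances[to] = self.balances.get(to, 0) + value
        self.events.append(Transfer(sender, to, value))

    def spoofed_mint(self, to: str, value: int, claimed_src: str) -> None:
        """Mint to `to` but log an arbitrary source; the explorer repeats the log verbatim."""
        self.balances[to] = self.balances.get(to, 0) + value
        self.events.append(Transfer(claimed_src, to, value))


def explorer_view(ev: Transfer) -> str:
    """What a BscScan-style explorer displays: the event parameters, unverified."""
    return f"{ev.value} from {ev.src} to {ev.dst}"


def event_backed_by_state(before: dict, after: dict, ev: Transfer) -> bool:
    """True only if `src` really lost `value` and `dst` really gained it; a mint from the
    null address only needs the gain. For an NFT, `value` is the balanceOf delta of 1."""
    gained = after.get(ev.dst, 0) - before.get(ev.dst, 0)
    if ev.src == NULL:
        return gained == ev.value
    lost = before.get(ev.src, 0) - after.get(ev.src, 0)
    return lost == ev.value and gained == ev.value
```

Running the checker over a block's Transfer logs with pre- and post-state balances is enough to flag a "from CREATOR" event whose creator balance never moved.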

4: Ponzi Scams

In these scams, there is usually no real strategy to earn rewards or make profits. Essentially, the whole scheme uses the money of new investors to pay the old investors. Once there is no more new money coming in to support the scheme, the whole system will fail.

There are several telltale signs in a Crypto Ponzi Scam:

First, the project side collects tax fees and these fees keep users longer in the ecosystem.

Since every deposit or compounding action incurs some sort of fee, the user has to compound for a longer period of time in order to break even. These fees are also used to pay the dividends of the users who want to claim.

Second, there is no way to withdraw the user's initial invested funds.

Once a user deposits their initial tokens, there is no way for them to withdraw their initial invested funds. The only way for the user to get any funds back is to claim dividends.

Third, there is a referral system.

The project encourages participants to actively promote and refer others through referrer benefits. The upline receives additional rewards whenever a downline performs certain actions. Also, in order to start participating in the protocol, a user has to have an upline address. This creates a system where each address is linked to another, similar to a pyramid scheme. There are increased bonuses for having more than 5 downline addresses too.

A common pattern is a steep rise in funds locked in the contract at the start, usually driven by initial hype from the team's marketing or by funds pumped in by the team themselves to generate activity. Once the contract's balance reaches an inflection point, no new funds are coming in. The scheme then slowly falls apart, and the newer investors panic to withdraw as many dividends as possible.

IMG-7

At the end of the day, the project party which solely earns the tax fees will be the biggest beneficiary for such Ponzi scam projects.

5: CHI Gas token farming

CHI Gastoken is an initiative by the 1inch project: a BEP20 token meant to be used on the 1inch exchange to pay transaction costs. Chi is pegged to the network's gas price: when the gas price is low, the Chi price is low too, and vice versa.

How scammers make use of this is very interesting. First, they airdrop a bunch of random BEP20 tokens. When the user approves PancakeSwap to sell these tokens, the approve() method of these tokens is hard-coded to consume a large share (e.g. above 90%) of the user's gas limit minting Chi Gastoken, which can later be used to subsidize gas fees; the minted Chi Gastoken is the scammers' profit.

It is recommended to pay attention to the gas consumed by the approval transaction before calling the approve() function on airdropped tokens.

In general, don't touch random tokens airdropped to you.

Look at our Twitter post for such an example!

6: MEV Scams / Scam Events

Crypto Jargon

Scammers make use of crypto jargon like "MEV (Maximal Extractable Value)", "arbitrage trading bot", "sniper bot", or "front-run bot", promising passive income of a few thousand dollars a day to entice users to participate. These are usually promoted on platforms like Twitter, TikTok, and blockchain explorers.

Usually, scammers attach a video link to the post, bringing victims to video hosting platforms like YouTube and Vimeo.

Example:

IMG-8

Essentially, the scam video guides the user to deploy the scammer's malicious code using the Remix IDE; the malicious code is usually provided via a pastebin URL in the video description.

IMG-9

With the code now deployed on-chain, the user is instructed to prepare some native funds to perform the "front run or arbitrage". The scam video prompts the user to prepare more native funds, claiming that a larger amount will make the "front run or arbitrage" more profitable. Once the user sends the funds into the contract and "starts the front run", instead of earning the promised profits, the funds are transferred directly to the scammer.

Another relatively new approach is for scammers to provide a link to a CEX (Centralized Exchange) trading bot, such as in the screenshot here.

IMG-10

Users are prompted to download a malicious file and follow the instructions. Usually, users who want to trade on Binance Exchange automatically already have an API key. This scam video tricks users into using the scammer's trading bot and asks them to give up their API key and its password. Once the user does so, the scammer receives the user's credentials and can trade with the user's funds.

Crypto Event

In such cases, scammers also use social media to spread fake information about a giveaway supposedly run by notable players in the space, such as crypto exchanges or projects.

IMG-11

Users are prompted to open this link and instructed to "verify" their address first. To do so, they have to send some BTC or BNB to the specified address, and in return they will supposedly get back 10x the amount. At the same time, the scam website shows a transaction history of giveaway records to trick users into thinking the giveaway is real and working. In reality, once the crypto is sent, the funds are lost to the scammer and no rewards are ever received.

Oftentimes, scammers use old videos or even resort to deepfaking a popular figure to trick users into thinking that the person is endorsing and promoting a new giveaway. In reality, nothing could be further from the truth.

A common similarity among these cases is fake engagement in the video's comment section, designed to psychologically trick users into thinking that the trading bot really works.

IMG-12

Also, if this is in the description, RUN. It is a HUGE red flag.

IMG-13

Conclusion

Scams will continue to grow in a decentralized environment such as crypto so it is critical for us to each be responsible for our own security. To beef up the security and safety of users in the BNB Chain, Hashdit has been partnering with ecosystem players such as PancakeSwap and AvengerDAO to detect scams as soon as possible. Moving forward, we will strive to build a safe ecosystem for both protocol users and smart contract developers on the BNB Chain.

If you found this article useful, please share it around on Twitter and tag us! If there are any scams you would like us to cover as well, please drop us a message!

Remember the golden rule: If it is too good to be true, it probably is. Till then, stay safe!