
18 posts tagged with "2023"


· 4 min read
Sebastian Lim

Disclaimer

The information provided through the BNB Chain community does not constitute advice or recommendation for investment or trading. Projects are listed in no particular order below. BNB Chain does not take responsibility for any of your investment decisions. Please seek professional advice before taking financial risks.

Contract names are there for reference only; there may be legitimate contracts which share the same name. Always double-check the contract address, which is the unique identifier of any smart contract.

Overview

PancakeSwap is the most popular decentralized exchange native to BNB Chain. You can swap tokens, invest in yield farms and liquidity pools, and buy and sell collectibles. It is part of the ever-growing world of decentralized finance protocols.

PancakeSwap is the flagship DeFi platform within the BNB Smart Chain (BSC) ecosystem; however, risks exist in every DEX and blockchain ecosystem. HashDit checks projects every week to identify potential threats within the PancakeSwap landscape so that your trading experience is protected. Consider HashDit a guide that helps you navigate DeFi by highlighting potential hazards and keeping your journey secure. Remember, vigilance and a proactive approach are vital for a safe and successful DeFi experience.

High Risk TVL protocol on PCS

This week there were 30 newly identified risky addresses. Trending newly identified risky addresses:

| Address | Contract Name | Weekly Active Transactions |
| --- | --- | --- |
| 0x1bec5734b1e4559979158052dfa5c6f0156282f2 | Portaldot (POT) | 546 |
| 0x4fc75a68c38a700aac53a34784d6d9917932ea0e | VCH | 66 |
| 0x9d173e6c594f479b4d47001f8e6a95a7adda42bc | CryptoZoon | 41 |
| 0x902d9367a4de541926e1ed55287fac8eed959d6d | ASB | 35 |
| 0xa77346760341460b42c230ca6d21d4c8e743fa9c | MicroPets | 33 |
| 0xadcfc6bf853a0a8ad7f9ff4244140d10cf01363c | TrustPad | 25 |
| 0x767b04d1f1dde2a056cec1ab3bd51d1c286366db | AAToken | 20 |
| 0x00000065cbadead116136940b302f938284f2bdc | Poop | 10 |
| 0xea51801b8f5b88543ddad3d1727400c15b209d8f | INUKO | 10 |
| 0x2fb6212111dad926902febcfd8daa3eb44f1ca56 | YATANCAKE | 10 |

Key themes on high risks:

  1. Nearly half of the newly identified risky addresses (46%) came from threat intelligence. These addresses are either confirmed rugpulls (the project has already pulled its liquidity) or scam tokens with a high risk of rugging.

  2. Red Alarm projects (36%) are manually identified by our security team as potential scams. They are identified at the project level, for example projects that use fake social-media marketing or launch scam meme projects. They are labeled under the DApps section of this page.

  3. Another theme for these contracts is that they are unverified: the source code is unavailable, which presents a risk because scammers might hide malicious code in their contracts. This portion represents 6% of the newly identified risky addresses.

Refer to this link for the full list.

Tip: Filter by Top_TVL_Risky_Pool / Trending_Risky_Pool / Trending_Risky_Tokens to retrieve the risky addresses from different sources.

Integrations with PancakeSwap

HashDit has partnered with PancakeSwap to integrate DappBay's Red Alarm. The risk score reflects how risky the token being interacted with is, helping users make better-informed decisions.

Example: Fake Circle Token - 0x84ef2e2e977062da3cfc12c038fa3ce2d42d01b1 IMG-1

The RedAlarm keyword will link to the risk scanner as seen in the image below. IMG-2

Please note that the risk level shown on PancakeSwap and in the Risk Scanner might differ, because HashDit uses a more conservative strategy for PancakeSwap than for the DappBay risk scanner.

IMG-3

Stay Safe!

HashDit advises you to act with caution in general, but asks that you take particular care when dealing with the projects we highlight as risky in our weekly update. Continue enjoying the BNB Chain ecosystem and, most importantly, stay SAFU!

About HashDit?

HashDit is building a safe blockchain ecosystem on BNB Chain by providing threat intelligence, code auditing and instant analysis for smart contracts. In the vast and ever-evolving world of DeFi investing, HashDit stands as a source of trust and knowledge for everyday investors. HashDit is a member of AvengerDAO, a community-driven initiative created to protect users and projects on BNB Chain from malicious actors and activity.

· 9 min read
Sebastian Lim

TL;DR

This incident report aggregates all the incidents that have happened on Layer 2. For context, the Layer 2 chains considered in this report are those built on top of the Ethereum Layer 1 blockchain:

  • Optimism
  • Arbitrum
  • Avalanche (technically an independent L1 with its own consensus rather than an Ethereum rollup; it is nonetheless included in this dataset)
  • BASE

In total there were 57 cases: 52 incidents in 2023 and 5 incidents in 2022.

The yearly breakdown shows a combined loss across 2022 and 2023 of $149,278,400, of which 13.07% was incurred in 2022 and 86.93% in 2023.

IMG-1

Type of projects

When comparing the types of project with the observed financial loss, 99.8% of the loss was attributed to DeFi projects. The second largest share was a GameFi project at 0.18% (TalesofElleria, a signature compromise), followed by MEV at 0.01% (an unknown MEV contract with a lack-of-validation bug).

IMG-2

With such a large proportion of the loss associated with DeFi projects, this reflects that DeFi protocols remain the most prominent type of project, and the largest target, on L2 chains.

Chain comparison

According to our data, 38.82% of the financial loss (~$57.95m) was on Arbitrum. BASE, despite being a new chain, accounted for 22.84% (~$34m). This is followed by Optimism and lastly Avalanche.

IMG-3

On Optimism, there were 7 hacks and 1 scam case. On Arbitrum, there were 23 hacks (including a white hat) and 9 scam cases. On Avalanche, there were 9 hacks (including a white hat) and 2 scam cases. On BASE, there were 2 hacks and 4 scam cases.

Attack Type analysis

The next chart shows the attack type breakdown for all security incidents on L2 chains: 58.53% of the loss was due to hacks and 40.31% to scams, while 1.17% was rescued by a white hat.

IMG-4

The next chart shows the specific attack vector analysis.

IMG-5

As seen in the chart above, the highest financial loss was attributed to rugpulls at $56.75m; $28.6m was due to MPC compromise (the Multichain incident) and $9m to internal accounting errors.

Breaking down the top 3 attack vectors further: rugpulls, 13 cases (most notably $BALD); MPC compromise, 3 cases (the single Multichain incident counted across 3 chains); internal accounting, 2 cases (mostly the Platypus case).

Top 10 incidents on L2 thus far

The following were the top 10 security incidents on L2; 3 of them were scams and the other 7 were exploits.

IMG-6

BALD - $25.6 Million Scam

On 1-Aug-2023, BALD, a meme token on BASE, was reported to have rug pulled $25.6 million USD from investors. Method: the token's liquidity on BASE was held by an EOA, so that account could remove the liquidity at any time. Although the Base network was at that point intended for developer testing, some people traded on the network before its official launch (https://decrypt.co/150647/bald-coin-based-ethereum-base-layer-2-coinbase). Since removing the liquidity, the deployer has continued to add and remove small chunks of liquidity, probably still trying to attract traffic: https://basescan.org/token/0x4200000000000000000000000000000000000006?a=0xfcd3842f85ed87ba2889b4d35893403796e67ff1

Multichain - $28.6 Million Exploit

On 10-July-2023, the bridge project Multichain had its MPC account compromised by an unknown entity. The MPC account had authority over users' bridged funds, and the attacker transferred all of them to their own wallet on 3 chains: Arbitrum, Optimism and Avalanche. Since the MPC account appears as a normal EOA on-chain, it is unclear how the MPC key material was compromised on the backend.

Defrost - $12 Million Scam

The Defrost project was rugged for a total of $12 million USD on 23-Dec-2022. The incident happened on Avalanche. Method: the privileged owner was an EOA which could change the address of the oracle in a market contract. The owner maliciously changed it to one returning fake prices, in order to liquidate users and seize their funds. At the time it looked like an obvious rugpull. However, 4 days later the project team claimed they had been hacked and stated that the exploiter had returned 100% of the funds (https://medium.com/@Defrost_Finance/hacked-funds-returned-to-defrost-71b9d2d1b458). In this case, it appears that they were caught and so returned the funds.

Platypus - $8.75 Million Exploit

On 17-Feb-2023, Platypus, a lending/borrowing project, was exploited, resulting in users losing more than $8.75 million USD. The incident happened on Avalanche. Root cause: the project overlooked the EmergencyWithdraw() method and forgot to include a check for borrowed funds (https://twitter.com/danielvf/status/1626340324103663617?s=61&t=gr5sMl7K7qjCB7l3zmh53w). Method: the attacker deposited funds, borrowed against them, and then exited the position with EmergencyWithdraw(), which returned the collateral while leaving the borrowed funds in the attacker's hands.
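To make that root cause concrete, here is an added toy model in Python. It is constructed for this write-up and is not Platypus's code: the pool, the 80% loan-to-value ratio and the amounts are assumptions. The only difference between the vulnerable and hardened variants is whether the emergency exit looks at outstanding debt.

```python
"""Toy lending pool with an emergency-withdraw path that ignores debt.
Added illustration, not Platypus's contract; all names and numbers assumed."""

LTV_BPS = 8_000   # 80% loan-to-value, assumed for the example


class Undercollateralised(Exception):
    pass


class LendingPool:
    def __init__(self, emergency_checks_debt):
        self.emergency_checks_debt = emergency_checks_debt
        self.collateral = {}
        self.debt = {}
        self.liquidity = 1_000_000   # borrowable funds supplied by other users

    def _limit(self, who, collateral=None):
        c = self.collateral.get(who, 0) if collateral is None else collateral
        return c * LTV_BPS // 10_000

    def deposit(self, who, amount):
        self.collateral[who] = self.collateral.get(who, 0) + amount

    def borrow(self, who, amount):
        if self.debt.get(who, 0) + amount > self._limit(who):
            raise Undercollateralised("borrow exceeds collateral limit")
        if amount > self.liquidity:
            raise ValueError("insufficient liquidity")
        self.debt[who] = self.debt.get(who, 0) + amount
        self.liquidity -= amount

    def withdraw(self, who, amount):
        remaining = self.collateral.get(who, 0) - amount
        if remaining < 0:
            raise ValueError("insufficient collateral")
        # Normal exit: the position must stay solvent after the withdrawal.
        if self.debt.get(who, 0) > self._limit(who, remaining):
            raise Undercollateralised("withdraw would leave debt unbacked")
        self.collateral[who] = remaining
        return amount

    def emergency_withdraw(self, who):
        # Vulnerable variant: hands back the whole position, never looks at debt.
        # Hardened variant: refuses while any debt is outstanding.
        if self.emergency_checks_debt and self.debt.get(who, 0) > 0:
            raise Undercollateralised("repay debt before emergency withdraw")
        return self.collateral.pop(who, 0)


def run_attack(emergency_checks_debt):
    """Deposit, borrow the maximum, then try both exits. Returns what came back
    and how much of the loan is left with no collateral behind it."""
    pool = LendingPool(emergency_checks_debt)
    pool.deposit("attacker", 100_000)
    pool.borrow("attacker", 80_000)          # max loan against the deposit
    try:
        pool.withdraw("attacker", 100_000)   # refused: debt is outstanding
    except Undercollateralised:
        pass
    try:
        returned = pool.emergency_withdraw("attacker")
    except Undercollateralised:
        returned = 0
    unbacked = max(0, pool.debt["attacker"] - pool._limit("attacker"))
    return {"collateral_returned": returned, "unbacked_debt": unbacked}


if __name__ == "__main__":
    print("vulnerable:", run_attack(False))
    print("hardened:  ", run_attack(True))
```

The hardened branch simply refuses the emergency exit while debt is outstanding; applying the same solvency rule as withdraw() would also work. Either way, every exit path, not only the ordinary one, has to enforce the invariant that debt never exceeds what the remaining collateral supports.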

Jimbos - $7.5 Million Exploit

On 28-May-2023, Jimbos Protocol on Arbitrum was exploited, resulting in ~$7.5m of losses. Root cause: the protocol did not properly manage price changes during operations that shift liquidity. This allowed the protocol's own liquidity to be pushed into a distorted price range, which let the attacker profit via a reverse swap. Method: 1) the attacker flash-loaned 10,000 WETH; 2) swapped it for $JIMBO, inflating the price; 3) called the shift() method in JimboController, which moved the protocol's reserves against the manipulated price and imbalanced the pool; 4) swapped the acquired JIMBO tokens back into ETH at a profit.

Exactly - $7.32 Million Exploit

Exactly Protocol, a lending/borrowing platform, was hacked on Optimism for $7.32m. Root cause: lack of validation, which allowed the attacker to steal users' collateral assets.

IMG-7

The attacker was able to bypass the permit check in the leverage function of the DebtManager contract by passing a fake market address directly; the address was never validated against the set of legitimate markets.

The untrusted external call to that fake market address let the attacker re-enter the crossDeleverage function of the DebtManager contract and steal the collateral belonging to _msgSender.

IMG-8 IMG-9

Secondly, the Permit calldata p could be externally controlled too, which let the attacker set _msgSender to the victim's address (a user's EOA).

Hundred Finance - $7 Million Exploit

Hundred Finance, a lending/borrowing platform, was hacked on Optimism for $7m. The hack was due to a known bug in the Compound V2 code.

Root cause: the exchange rate can be manipulated because of a rounding issue in redeemFresh in the CToken pool contract. The attacker chooses the input quantity precisely on every call to redeemUnderlying, so that the number of cTokens to burn computes to 1.99999999999... but is rounded down to 1 by default; the attacker thereby withdraws almost the full value of 2 cTokens while burning only 1.

Lodestar Finance - $6.9 Million Exploit

Lodestar Finance, a lending/borrowing project, was hacked on Arbitrum for $6.9m. This attack vector is one variation of the donation-bug vulnerability.

The attacker first manipulated the exchange rate of the plvGLP contract to 1.83 GLP per plvGLP, "an exploit that by itself would be unprofitable", said the company.

Then, the attacker supplied plvGLP collateral to Lodestar and borrowed all available liquidity, cashing out part of the funds "until the collateralization ratio mechanism prevented a full liquidation of the plvGLP."

Following the hack, "several plvGLP holders also took advantage of the opportunity and also cashed out at 1.83 glp per plvGLP." The hacker was able to burn a little over 3 million in GLP, making profit on the "stolen funds on Lodestar - minus the GLP they burned.", noted the DeFi platform.
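The Hundred Finance rounding issue above and the donation-style rate manipulation that the Lodestar write-up calls a variation of it (there the inflated rate sat in the plvGLP collateral token rather than in the lending market itself) share one mechanism, so one added toy model in Python covers both. It is constructed for this report and is not Hundred's, Lodestar's or Compound's code: the market has no borrows or reserves (so rate = cash / totalSupply, as Compound V2 computes it before those terms), the 90% collateral factor and the 500 WBTC donation are chosen for the example, and the borrowed value is tracked in underlying units.

```python
"""Toy Compound-V2-style cToken market showing the redeemUnderlying rounding
issue after a donation inflates the exchange rate.  Added illustration, not
any project's code; the hardened variant rounds the cTokens to burn UP."""

EXP = 10**18            # Compound-style 1e18 fixed point
INITIAL_RATE = EXP      # first mint: one cToken per wei of underlying (assumed)
COLLATERAL_FACTOR = 9   # 90% collateral factor, expressed as 9/10
WBTC = 10**8            # underlying with 8 decimals


class LiquidityError(Exception):
    pass


class CTokenMarket:
    def __init__(self, round_up):
        self.round_up = round_up   # hardened variant: ceil instead of floor
        self.cash = 0
        self.total_supply = 0
        self.balances = {}
        self.debt = {}             # borrowed value per account, underlying units

    def exchange_rate(self):
        # No borrows or reserves in the model, so rate = cash / totalSupply.
        if self.total_supply == 0:
            return INITIAL_RATE
        return self.cash * EXP // self.total_supply

    def borrow_limit(self, tokens, rate):
        return (tokens * rate // EXP) * COLLATERAL_FACTOR // 10

    def mint(self, who, amount):
        tokens = amount * EXP // self.exchange_rate()   # floor favours the pool
        self.cash += amount
        self.total_supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def donate(self, amount):
        # A plain ERC-20 transfer into the cToken: raises cash, mints nothing.
        self.cash += amount

    def borrow(self, who, amount):
        limit = self.borrow_limit(self.balances.get(who, 0), self.exchange_rate())
        if self.debt.get(who, 0) + amount > limit:
            raise LiquidityError("insufficient collateral")
        self.debt[who] = self.debt.get(who, 0) + amount

    def redeem_underlying(self, who, amount):
        rate = self.exchange_rate()
        if self.round_up:
            tokens = -(-amount * EXP // rate)     # ceil division
        else:
            tokens = amount * EXP // rate         # Compound V2: floor
        bal = self.balances.get(who, 0)
        if tokens > bal or amount > self.cash:
            raise LiquidityError("insufficient balance or cash")
        # Hypothetical liquidity check: collateral left, priced at the current rate.
        if self.debt.get(who, 0) > self.borrow_limit(bal - tokens, rate):
            raise LiquidityError("redeem would leave the account undercollateralised")
        self.balances[who] = bal - tokens
        self.total_supply -= tokens
        self.cash -= amount
        return tokens


def run_attack(round_up):
    m = CTokenMarket(round_up)
    m.mint("attacker", 2)          # 2 wei of WBTC -> 2 cTokens; totalSupply is now 2
    m.donate(500 * WBTC)           # flash-loaned WBTC: one cToken is now worth ~250 WBTC
    rate = m.exchange_rate()
    m.borrow("attacker", m.borrow_limit(1, rate))   # as much as ONE cToken can back
    amount = m.cash - 1            # ask for everything but 1 wei: 1.99999... cTokens
    try:
        burned = m.redeem_underlying("attacker", amount)
    except LiquidityError:
        return {"burned": 0, "recovered": 0, "unbacked_debt": 0}
    backing = m.balances["attacker"] * m.exchange_rate() // EXP
    return {"burned": burned, "recovered": amount,
            "unbacked_debt": m.debt["attacker"] - backing}


if __name__ == "__main__":
    print("floor (Compound V2):", run_attack(False))
    print("ceil  (hardened):   ", run_attack(True))
```

With floor rounding the attacker burns 1 of 2 cTokens, gets the whole donation back to repay the flash loan, and walks away with a loan backed by 1 wei of collateral; with ceil rounding the same call would burn both cTokens, the hypothetical liquidity check fails and the redeem reverts. Rounding in the protocol's favour closes this path, and forks commonly also seed each market with a non-redeemable initial deposit so totalSupply can never be tiny enough for a donation to swing the rate this far.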

Magnate Finance - $6.4 Million Scam

Magnate Finance, a scam project on the BASE blockchain, rug pulled for $6.4m. Moments before the rug, its deployer address was found to be directly linked to the Solfire $4.8M exit scam.

The project team manipulated the price oracle value so that they could drain all the locked funds in the market contract.

Deus DAO (DEI) - $5 Million Exploit

On 6-May-2023, the DeusDAO (DEI) project was hacked on Arbitrum for slightly more than $5 million USD due to a faulty contract upgrade. The upgrade introduced a public burn vulnerability, which allowed attackers to steal funds from other wallets holding DEI tokens.

The issue was in the burnFrom method, which swapped the two parameters, msg.sender and the account being burned from, when looking up the allowance. The attacker first approved DEI tokens to a whale account holding a large amount of DEI, then invoked the faulty burnFrom on that account with 0 tokens. Because of the swap, this granted the whale's tokens as an allowance to the caller instead, who then simply called transferFrom and drained the whale's balance.
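To show why that swap is fatal, here is an added toy ERC-20 in Python. It is written for this report and is not DEI's or OpenZeppelin's code; following the description above, it assumes the buggy lookup read allowance[msg.sender][account] while the write-back and the burn still targeted account, which is exactly what turns burnFrom(whale, 0) into a free approval.

```python
"""Toy ERC-20 reproducing a burnFrom whose allowance lookup has its owner and
spender reversed.  Added illustration, not DEI's code; allowance[owner][spender]
follows the ERC-20 convention."""

MAX_UINT = 2**256 - 1


class Token:
    def __init__(self, swapped_lookup):
        self.swapped_lookup = swapped_lookup
        self.balance = {}
        self.allowance = {}   # allowance[owner][spender]

    def mint(self, who, amount):
        self.balance[who] = self.balance.get(who, 0) + amount

    def _allowance(self, owner, spender):
        return self.allowance.get(owner, {}).get(spender, 0)

    def _approve(self, owner, spender, amount):
        self.allowance.setdefault(owner, {})[spender] = amount

    def approve(self, sender, spender, amount):
        self._approve(sender, spender, amount)

    def transfer_from(self, sender, owner, to, amount):
        current = self._allowance(owner, sender)
        if current < amount:
            raise PermissionError("insufficient allowance")
        if self.balance.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self._approve(owner, sender, current - amount)
        self.balance[owner] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount

    def burn_from(self, sender, account, amount):
        # Correct: spend allowance[account][sender] (what `account` granted to us).
        # Buggy upgrade: READ allowance[sender][account] but still WRITE
        # allowance[account][sender], so the caller's own approval to `account`
        # is copied back as `account`'s approval to the caller.
        if self.swapped_lookup:
            current = self._allowance(sender, account)
        else:
            current = self._allowance(account, sender)
        if current < amount:
            raise PermissionError("burn amount exceeds allowance")
        self._approve(account, sender, current - amount)
        bal = self.balance.get(account, 0)
        if bal < amount:
            raise ValueError("burn amount exceeds balance")
        self.balance[account] = bal - amount


def run_attack(swapped_lookup):
    """Replay the three-step sequence; returns the attacker's final balance."""
    t = Token(swapped_lookup)
    t.mint("whale", 5_000_000)
    t.approve("attacker", "whale", MAX_UINT)   # 1) attacker approves the WHALE
    try:
        t.burn_from("attacker", "whale", 0)    # 2) burnFrom(whale, 0)
        t.transfer_from("attacker", "whale", "attacker", 5_000_000)   # 3) drain
    except PermissionError:
        pass
    return t.balance.get("attacker", 0)


if __name__ == "__main__":
    print("swapped lookup:", run_attack(True))
    print("correct lookup:", run_attack(False))
```

The two variants differ in one line, and a happy-path test (owner approves spender, spender burns a positive amount) passes on both. A review test that would have caught it: have a third party approve the target, call burnFrom(target, 0) from that third party, and assert that allowance(target, third party) is still zero.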

Conclusion:

L2 blockchains offer several advantages over L1 chains, such as increased scalability, lower fees and faster transaction times. However, the issues that plague L1 chains persist on L2 chains as well.

Therefore, we advise the opBNB community to pay more attention to the segments below.

  1. Developers' concerns
  2. Users' concerns

Developers should

  1. Pay special attention to over-centralization. Privileged roles should be transferred to a multisig or timelock.
  2. Pay attention to oracle / price manipulation attacks. Ensure the oracle is a trusted source, and use a backup oracle to check for discrepancies so that prices cannot deviate too much.
  3. For lending/borrowing projects, pay close attention to exchange rates to ensure the rate cannot be manipulated by forced donations that break the protocol's invariants.
  4. Ensure all state-changing functions validate every parameter, so that unexpected inputs are never processed unchecked.
  5. Ensure all token standards are followed.
  6. Ensure contract upgrades are reviewed by a trusted auditor before deployment.
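One way to implement the backup-oracle check in point 2, as an added example in Python rather than code from any project in this report: a feed is modelled as a callable returning (price, updated_at), and the 2% deviation bound and one-hour staleness bound are assumptions chosen for the example. The staleness check is an extra guard a practitioner would normally add alongside the deviation check.

```python
"""Price read that only trusts the primary oracle when an independent backup
feed agrees.  Added illustration; feed interface and thresholds are assumed."""


class PriceRejected(Exception):
    pass


def checked_price(primary, backup, now, max_deviation_bps=200, max_age=3600):
    """Return the primary price only if the backup feed corroborates it."""
    readings = {"primary": primary(), "backup": backup()}
    for label, (price, updated_at) in readings.items():
        if price <= 0:
            raise PriceRejected(f"{label} feed returned a non-positive price")
        if now - updated_at > max_age:
            raise PriceRejected(f"{label} feed is stale")
    p, b = readings["primary"][0], readings["backup"][0]
    # Deviation relative to the lower price, in basis points, integer maths only.
    deviation_bps = abs(p - b) * 10_000 // min(p, b)
    if deviation_bps > max_deviation_bps:
        raise PriceRejected(f"feeds disagree by {deviation_bps} bps")
    return p


def evaluate(primary, backup, now):
    """Convenience wrapper: ('ok', price) or ('rejected', reason)."""
    try:
        return "ok", checked_price(primary, backup, now)
    except PriceRejected as exc:
        return "rejected", str(exc)


# Constructed feeds: 8-decimal prices, timestamps in seconds.
NOW = 1_700_000_000


def healthy_primary():
    return 30_000 * 10**8, NOW - 60


def healthy_backup():
    return 30_060 * 10**8, NOW - 90        # 0.2% away from primary


def swapped_primary():
    return 300 * 10**8, NOW - 10           # owner-swapped feed reporting 100x too low


def stale_backup():
    return 30_060 * 10**8, NOW - 7_200     # two hours old


if __name__ == "__main__":
    print(evaluate(healthy_primary, healthy_backup, NOW))
    print(evaluate(swapped_primary, healthy_backup, NOW))
    print(evaluate(healthy_primary, stale_backup, NOW))
```

Failing closed when the two feeds disagree means that a single owner-controlled oracle swap of the kind seen in the Defrost and Magnate cases above stops the market instead of triggering liquidations; the backup must be operated independently of whoever can change the primary, otherwise the check adds nothing.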

Users should

  1. Invest in trustworthy tokens rather than over-centralized or hyped meme coins, as such projects are high risk and are often scams.
  2. Prefer projects that have partnered with third-party security companies.

For further inquiries or clarifications, do drop us an email at support@hashdit.io! Stay safe!

· 4 min read
Sebastian Lim


High Risk TVL protocol on PCS

This week there were 41 newly identified risky addresses. Trending newly identified risky addresses:

| Address | Contract Name | Weekly Active Transactions |
| --- | --- | --- |
| 0xb1a1d06d42a43a8fcfdc7fdcd744f7ef03e8ad1a | HongKongDAO (HKD) | 375 |
| 0xac68931b666e086e9de380cfdb0fb5704a35dc2d | BNB Tiger INU https://bnbtiger.top/ | 317 |
| 0x8624b3a4f29620390d06286df207f6791c243389 | GDPToken | 297 |
| 0xd9628be9ef42b75ca171128e8ce32eceecd858fd | ZGC (ZGC) | 289 |
| 0x6f9f7632cc42397a1e062db5346f2a9f9bc73e92 | BTR | 178 |
| 0x0a4e1bdfa75292a98c15870aef24bd94bffe0bd4 | FOTAToken | 117 |
| 0x57ca2436f9f54f4909a521e24768e21e322cae88 | JUPITER | 115 |
| 0x56b331c7e3d68306f26e07492125f0faa9d95343 | Alcazar: LEO Token | 78 |
| 0x000000000482aa9817645c3d56aa2230f6573532 | GPTChat (GPTC) - Fake_Phishing685 | 76 |
| 0x014a087b646bd90e7dcead3993f49eb1f4b5f30a | GulfCoin | 41 |

Key themes on high risks:

  1. Just over half of the newly identified risky addresses (56%) came from threat intelligence. These addresses are either confirmed rugpulls (the project has already pulled its liquidity) or scam tokens with a high risk of rugging.

  2. Red Alarm projects (29%) are manually identified by our security team as potential scams. They are identified at the project level, for example projects that use fake social-media marketing or launch scam meme projects. They are labeled under the DApps section of this page.

  3. Another theme for these contracts is that they have a privileged role, e.g. the owner is an EOA. This introduces centralization risk: the owner can mint or toggle honeypot mode at will, so there is rugpull risk. This portion represents 5% of the newly identified risky addresses.

Refer to this link for the full list.

Tip: Filter by Top_TVL_Risky_Pool / Trending_Risky_Pool / Trending_Risky_Tokens to retrieve the risky addresses from different sources.


· 4 min read
Sebastian Lim


High Risk TVL protocol on PCS

This week there were 55 newly identified risky addresses. Trending newly identified risky addresses:

| Address | Contract Name | Weekly Active Transactions |
| --- | --- | --- |
| 0xdd63525fab69a97224962a076a642bfcf0714f2e | DMD (DMD) | 2688 |
| 0x9a2478c4036548864d96a97fbf93f6a3341fedac | ZILLION AAKAR XO (ZAX) | 1399 |
| 0x78997aa5d48efe1c96415e0d941ba687cdc1c358 | MC | 1313 |
| 0x8d445b83bc7835d2a35a6ec681a10e2006928f73 | BRIToken | 1145 |
| 0x0566b9a8ffb8908682796751eed00722da967be0 | FGDTOKEN (FGD) | 682 |
| 0x14beb72194866e1b4d6ffad3cd5b488f76168b61 | BITCOINBattle | 378 |
| 0xa4a66d8a705260c8cb1ebb59224e018015294f48 | Ted (TED) | 327 |
| 0xb12e8eb6b1f24e14381514d2f3b75e7c61487016 | GSD (GSD) | 124 |
| 0x066cda0cca84e9c6ed0a4ecb92aa036a9582544b | SonicInu | 121 |
| 0xcc780503e290274cfa8da085528067e259df58f0 | GLC | 121 |

Key themes on high risks:

  1. Just over half of the newly identified risky addresses (56%) came from threat intelligence. These addresses are either confirmed rugpulls (the project has already pulled its liquidity) or scam tokens with a high risk of rugging.

  2. Red Alarm projects (25%) are manually identified by our security team as potential scams. They are identified at the project level, for example projects that use fake social-media marketing or launch scam meme projects. They are labeled under the DApps section of this page.

  3. Another theme for these contracts is that they have a privileged role, e.g. the owner is an EOA. This introduces centralization risk: the owner can mint or toggle honeypot mode at will, so there is rugpull risk. This portion represents 7% of the newly identified risky addresses.

Refer to this link for the full list.

Tip: Filter by Top_TVL_Risky_Pool / Trending_Risky_Pool / Trending_Risky_Tokens to retrieve the risky addresses from different sources.


· 3 min read
Sebastian Lim

Introduction

According to HashDit, losses on BNB Smart Chain (BSC) in August 2023 decreased greatly compared to July.

In August there were 27 security incidents, with a total loss of approximately $4.5 million, a decrease of about 60% compared to July.

In general, the data trended downwards from July to August, which is a good sign.

The total amount involved in hack incidents dropped to $507k from $4.7 million, a decrease of about 89% compared to July. The total amount involved in scam incidents dropped to $4 million from $6.8 million, a decrease of about 40%.

The number of hacks decreased to 4 from 19, a 78% decrease from July. The only metric that trended upwards was the number of scams, which increased from 13 to 23, a 76% increase.

IMG-1

Figure 1: Comparisons between July (Blue) and August (Red) in terms of Amount Loss ($$) and Number of Incidents

The largest security incident this month involved a fake LayerZero token, resulting in a loss of approximately $1 million. Exit scams increased this month, with notable cases including a $680k rugpull by the NFT_SalesRoom (ASN) team. There was also a rise in fake tokens that rug pulled, such as 2 fake $CIRCLE tokens, 1 fake $Zksync token and 1 fake $X token.

Security Control Improvements in the BSC Ecosystem

  1. HashDit has integrated its security API with prominent brands on BSC such as PancakeSwap, TrustWallet and BscScan to improve security controls across the ecosystem.
  • @PancakeSwap: Auto-scans tokens & displays risk scores

IMG-2

  • @TrustWallet: Notifies users of high risks before transactions

IMG-3

  • @bscscan: Displays risk warnings in the explorer

IMG-4

  2. New risks flagged in RedAlarm

A total of 319 dApps and 64 addresses were added to HashDit's RedAlarm in August alone, bringing the total to 1679 smart contracts currently on RedAlarm.

Word of Advice

Given the current trends in the BSC security landscape, HashDit advises the community to:

  1. Do Your Own Research (DYOR) before participating in any trending project to mitigate the risk of financial loss, especially when the token name and symbol impersonate a real token.
  2. Place greater emphasis on security, adopt a zero-trust mentality and be careful of phishing scams.

Meanwhile, HashDit promises to continue to keep the BSC community and its users safe!

· 4 min read
Sebastian Lim


High Risk TVL protocol on PCS

This week there were 252 newly identified risky addresses. Trending newly identified risky addresses:

| Address | Contract Name | Weekly Active Transactions |
| --- | --- | --- |
| 0xa68c9c2c39176b3ee9f6359b68e853893c6ddc5a | PIG | 94788 |
| 0x150cbd6e82d63db545ff8904de365b9154b0b386 | DGTT | 2370 |
| 0x2266362f414bf2476c5465dc2ea953fe2a99ae1c | Fake ZRO | 2296 |
| 0xb1d4e33dd4aa6204bc8aae340b67455a662f038a | LNL | 2262 |
| 0x3e573bf50b7625d9976fd65a8c0cdfbbc7b63a10 | Multi-Cultural Connect (MCC) | 2227 |
| 0x77087ab5df23cfb52449a188e80e9096201c2097 | hi Dollar (HI) | 1764 |
| 0x4908b8977f91e2257e5260551e7dc2950b1b3877 | MARS (MARS) | 1203 |
| 0xff71e87a2e7b818eee86f3f1c2e94a06cac85866 | Cat | 1085 |
| 0x9fbd6973f7e6e49eac8ff2eb857fdeed41d2e482 | QUANTIC PROTOCOL (QUANTIC) | 1055 |
| 0x7645444525bb2bd69ad23db57d3fc7b4fe3cda31 | Bitcoin Dao (BTCD) | 1028 |

Key themes on high risks:

  1. Exactly half of the newly identified risky addresses (50%) came from threat intelligence. These addresses are either confirmed rugpulls (the project has already pulled its liquidity) or scam tokens with a high risk of rugging.

  2. Red Alarm projects (17%) are manually identified by our security team as potential scams. They are identified at the project level, for example projects that use fake social-media marketing or launch scam meme projects. They are labeled under the DApps section of this page.

  3. Another theme for these contracts is that they have a privileged role, e.g. the owner is an EOA. This introduces centralization risk: the owner can mint or toggle honeypot mode at will, so there is rugpull risk. This portion represents 15% of the newly identified risky addresses.

Refer to this link for the full list.

Tip: Filter by Top_TVL_Risky_Pool / Trending_Risky_Pool / Trending_Risky_Tokens to retrieve the risky addresses from different sources.


· 23 min read
Sebastian Lim

Disclaimer

The information provided through the BNB Chain community does not constitute advice or recommendation for investment or trading. Projects are listed in no particular order below. BNB Chain does not take responsibility for any of your investment decisions. Please seek professional advice before taking financial risks.

Contract names are there for reference only, there may be legitimate contracts which share the same name, always double check The contract addresses which are the unique identifier of any smart contract.

Overview

PancakeSwap is the most popular decentralized exchange native to BNB Chain. You can swap tokens, invest in yield farms and liquidity pools, and buy and sell collectibles. It is part of the ever-growing world of decentralized finance protocols.

PancakeSwap stands tall as the flagship DeFi platform within the BNB Smart Chain (BSC) ecosystem, however, risks exist in every DEX and blockchain ecosystem. HashDit diligently checks projects every week to identify potential threats within the PancakeSwap landscape, ensuring your trading experience is protected. Consider HashDit as a trusted guide that helps you navigate in DeFi by highlighting potential hazards and keeping your journey secure. Remember, vigilance and a proactive approach are vital for a safe and successful DeFi experience.

Stay Safe!

HashDit advises you to act with caution in general, but ask that you take particular care when dealing with the projects we highlight as risky on our weekly update. Continue enjoying the BNBChain ecosystem and most importantly, stay SAFU!

High Risk Subjects this week

WAT stands for Weekly Active Transactions

Top TVL Pools

| Address | Contract Name | WAT | Risk Level | Risk Description |
|---|---|---|---|---|
| 0xba509bdb71a29301860800e13867b59b461747af | MonSpaC (MSPC) | 63588 | 5 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some backdoor function which always means the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0xabe776435f7459e2f5ba773bfb753ed19a053dd0 | token | 6669 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x066aee69d93dee28b32a57febd1878a2d94f6b0c | GGoose NFT: gold8 Token Ponzi | 5089 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x83d3c2d1a55687498df6800c5f173ec6a7556089 | BEATS | 2371 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x4c3145cb6285eb269c37685e05ff8c6684a70ec7 | FTC (FTC) | 412 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x9e9bef94795bfe87a11a0369b4e0c3b60a6fcf2b | MBankToken | 372 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x6e9f02f933575cc5f7938fc55ed304f3435d3508 | MONO | 306 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x378b7a04c7cc71556319cd031cd56b1f986e2024 |  | 154 | 5 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0xb12e8eb6b1f24e14381514d2f3b75e7c61487016 | GSD (GSD) | c | 5 | The contract contains some backdoor function which always means the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0x29c55f1b02a95f0b30e61976835a3eee2359ad92 | EShareV2 | 76 | 5 | The address is related to a coin mixer platform such as Tornado.Cash, which could mean some potential risks, please be careful of scam risk.; The contract contains some backdoor function which always means the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0x0f9adaaccd7caecc5019194e15ad19624fed95fa | ThankYou | 68 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x000000000482aa9817645c3d56aa2230f6573532 | GPTChat (GPTC) - Fake_Phishing | 68555 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xa03110800894b3ccf8723d991d80875561f96777 | BIT GAME VERSE TOKEN | 44 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xb1a1d06d42a43a8fcfdc7fdcd744f7ef03e8ad1a | HongKongDAO (HKD) | 42 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x8f2775e4be08055c7dd4ebf654628b183106a8e1 | Token | 30 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x502435713854f5e92d048d27de95c9ce16dc380d | (null) | 27 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xd024ac1195762f6f13f8cfdf3cdd2c97b33b248b | CoinToken | 26 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x8d7674523d2ccd1d631aa1f456b319ff849dc16c | Token | 22 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x90a1e4bbade88366dc44436535f1571d95e666c7 | TransparentUpgradeableProxy | 14 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x4d50e3f89bbc63d199e1bbbd04cd15bf2382592b | RabbitKing | 12 | 5 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0xd60f15dffd3296871fcdf9e3a074e225648ae242 | Token | 9 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xae493c72224c77d85032b534a44a117cbca8df06 | Token | 8 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xf38d89f9ace1934d155c7a5b2c41a729b7702a09 | Token | 7 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x95173a846cf2134ce5d1dc86bdfb46aa8e41f697 | BITCOIN | 6 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xb695806cc5a3cd8623b92bbd221e3bec6e8e3bed | Neutrinos ($NEUTR) | 5 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x33714356e2a3e216d055440eb24d0e23458b1b85 | SafeZone | 3 | 5 | The address is related to a coin mixer platform such as Tornado.Cash, which could mean some potential risks, please be careful of scam risk.; The contract contains some backdoor function which always means the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0x0b1ff525e092a98210ed150f8b08313f646847d6 | BabyMUSK | 3 | 5 | The address is related to a coin mixer platform such as Tornado.Cash, which could mean some potential risks, please be careful of scam risk.; The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0xc45b64cd6643a18f62a5420ddc85bff128625176 | Arkham (ARKM) | 2 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xf17f7827403c166fda782ceb17b29900d1a2ad15 | Elron | 2 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x231b69254d48de6e96c395100b3d9bce8d658e49 | PATEX | 1 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x0c7fc02c7417bcf147a70fac98f0390f82c0ca2b | Token | 1 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xa1cda647f6d07d94ea0be2c83b9f312b977ecbc4 | SafeBeesQueen | 1 | 5 | The address is blacklisted based on threat intelligence or manual analysis.; The address is related to a coin mixer platform such as Tornado.Cash, which could mean some potential risks, please be careful of scam risk.; The contract contains some backdoor function which always means the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0x10f292a6e694c38c5d570127da445143a2d882f3 | Cocktail | 1 | 5 | The address is related to a coin mixer platform such as Tornado.Cash, which could mean some potential risks, please be careful of scam risk.; The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0xced59c3249f20ca36fba764bfdd9d94f471b3154 | WettokMarket | 1 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xbdbd5a8179c9ba78327a50a8c0454c6f93bc4ce2 | APPLE | 1 | 5 | The contract contains some backdoor function which always means the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0xf8d90d089e5a422183d3a368251b2f88e634bd92 | Token | 0 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x425e2ef5e72a85a676ccb022ef96979d64bb5be2 | Token | 0 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x1d48fcc64a8005bd83d41af50284029cd2331a14 | Token | 0 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x7918f0ba2d3ff06dec4b8fa7079df01c8a0d68f8 | Token | 0 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xe0796f447d28d99ec893721e32f84ad1bf9f60da | (empty string) | 0 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x65a7ab3332e110128283bec3c926e940a9e2a860 | Token | 0 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xeb6b00f8c7e1da78fb919c810c30dde95475bdde | MINERS | 0 | 5 | The address is related to a coin mixer platform such as Tornado.Cash, which could mean some potential risks, please be careful of scam risk.; The contract contains some backdoor function which always means the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0x079c84ce97c72c79e7402d4383c6b2d25e51a426 | BEP20XAI | 0 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x6df52fc4c234600d2d1f064c33be762146964bb1 | SATORI | 0 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xbdfed84a3c0735a01abc74aad54e66cd50a60b74 | Token | 0 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x64b5d3f6fd5fbc4f2832c8c42315d5fdd6bc8bd2 | Token | 0 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x2ffc49e7331ceb6a6831336cca3a85899fb68d40 | Token | 0 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x23d7127a3f674c7bdeaa4afa3662769b13540d2f | Token | 0 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xc24796458fbea043780eea59ebba4ad40e87c29b | Salary | 0 | 5 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some backdoor function which always means the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0xac7ae2eca9aa162590f884efd36f29056953b49f | MD | 0 | 5 | The contract contains some backdoor function which always means the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0xdf7ff95aa3d855a6fb21399432166a92fdcf1b1a | BEP20USEA | 0 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| Address | Contract Name | WAT | Risk Level | Risk Description |
|---|---|---|---|---|
| 0x04f46cdfe8dd348e41902eef1aff19ace1661f4c | FTC (FTC) | 33728 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x4d1e90ab966ae26c778b2f9f365aa40abb13f53c | STA | 15574 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xba509bdb71a29301860800e13867b59b461747af | MonSpaC (MSPC) | 12306 | 5 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some backdoor function which always means the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0xc9882def23bc42d53895b8361d0b1edc7570bc6a | FistStandard | 10792 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x1f1c90aeb2fd13ea972f0a71e35c0753848e3db0 | TransparentUpgradeableProxy | 4038 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xabe776435f7459e2f5ba773bfb753ed19a053dd0 | token | 3911 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x4d7fa587ec8e50bd0e9cd837cb4da796f47218a1 | SAFE(AnWang) (SAFE) | 2002 | 4 | The contract contains some backdoor function which always means the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x83d3c2d1a55687498df6800c5f173ec6a7556089 | BEATS | 1873 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x78997aa5d48efe1c96415e0d941ba687cdc1c358 | MC | 1517 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x1a97b0cf1efb5228027dd782ed5d82c901694042 | CCToken | 896 | 4 | The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0x1e83d06e17cae34415bea30116ac755456131020 | Token | 702 | 4 | The contract contains some backdoor function which always means the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0xd983ab71a284d6371908420d8ac6407ca943f810 | Ultron Foundation: ULX Token | 629 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xff71e87a2e7b818eee86f3f1c2e94a06cac85866 | Cat | 585 | 4 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0x051e0ac843bae1c83f2d3d44237c8eec33560b55 | NULL | 581 | 4 | The contract is unverified which always indicates some potential risks, please be careful of scam or hack risk. |
| 0x73fbd93bfda83b111ddc092aa3a4ca77fd30d380 | SophiaVerseToken | 503 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xc017d283bde7c6ec521dace9ddea1ebf90ed6f78 | MRKCoin | 482 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x9767c8e438aa18f550208e6d1fdf5f43541cc2c8 | MangoMan Intelligent | 441 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x11ac6af070fe1991a457c56fb85c577efe57f0e4 | DragonKing (DragonKing) | 440 | 4 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x5b6bf0c7f989de824677cfbd507d9635965e9cd3 | Gamium: GMM Token | 432 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x43f5b64b3d1a9275b460480430a027424aa17f8c | Token | 386 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0xc632f90affec7121120275610bf17df9963f181c | DEBT | 374 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xd7791c6860a315c2ad9fcb13149f408f58f529fe | CCToken | 360 | 4 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0xa4838122c683f732289805fc3c207febd55babdd | Trias: TRIAS Token | 332 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x43b44d4b278c43c4d3251374337e1c6aa10fa76f | XCATTOKEN | 307 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x4b383b52882a779817e1312894bf3f1466c660e9 | XProBotTOKEN | 307 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x5b415df00a5276a6baf8434d1432058a62759ef1 | ONPAYTOKEN | 291 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x668a81d1ee8e9db76e14237366362d3c4878883a | WWDTOKEN | 286 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x7c0e5ad65c6083f53efa1d4d0844efca34f19e2a | ERCXTOKEN | 283 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x77087ab5df23cfb52449a188e80e9096201c2097 | hiDollar | 275 | 4 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0xc89c57e38dcaba62501d53e5ea490945d1d8f346 | SeiCloudTOKEN | 268 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x571e522dc7c5a75ee5f432ff9abaceb2d88d0abc | DJOTOKEN | 267 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x6d6ba21e4c4b29ca7bfa1c344ba1e35b8dae7205 | KatanaInu: KATA Token | 260 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xc7cba05f673cfab408a9fb0ef5fcc3c25a4abeba | TradeXAI | 252 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x16760310e7b83d6aac3d82ad56da3ca42fda13d8 | TOKEN | 250 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x6428177a36be2202f7cee6757498959ab9818efb | TRUMPXTOKEN | 246 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x05f6499cc6a62b6e2c88ad3db7376fde040c0f2d | LEGOTOKEN | 246 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0xb2393c1afc7a3cea1f69be5e516b9697fa5fbbba | MOTNTOKEN | 237 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0xa203711c7ead07a33a7a6e2f4abb6fff47229458 | POOTOKEN | 235 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x4607618b57f0edc42c42810e3c245b49ad7338a7 | ShikokuTOKEN | 218 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x53cf15f77f2b11ef655dccbce6699c3086eae064 | ETHEREUMTOKEN | 187 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0xbb38109575a98c8697cbc10f8836d8a9af7c9244 | APEBOTTOKEN | 174 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0xc001bbe2b87079294c63ece98bdd0a88d761434e | EverGrow: EGC Token | 159 | 4 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0xdb9e84cf5affca6676a5705b667e887ccdf64e8f | KBLETOKEN | 148 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x641d187b77f5c64b5b663bf32157661218c49740 | NULL | 102 | 4 | The contract is unverified which always indicates some potential risks, please be careful of scam or hack risk. |
| 0x18a03d80a74c669834227433703dc25ccadbcb37 | BABYTOKEN | 101 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0xe758b7856756fa0e5d21be5412dfff8c317cc678 | BLOCX | 55 | 4 | The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0x31342a89fb2d7856aaa32247f6b4e28b871d8e1a | UST | 36 | 4 | The address is related to a coin mixer platform such as Tornado.Cash, which could mean some potential risks, please be careful of scam risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0x808f1350dff684c099f4837a01d863fc61a86bc6 | MFI_ERC20 | 22 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0xe30400ad998f611168087c74b8969b5eda92830c | PANDA | 19 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x8d2a0757e4b39b9440c21984fb9ae54cdb6ecd75 | CCA | 4 | 4 | The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| Address | Contract Name | WAT | Risk Level | Risk Description |
|---|---|---|---|---|
| 0xba509bdb71a29301860800e13867b59b461747af | MonSpaC (MSPC) | 63588 | 5 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0x4238e5ccc619dcc8c00ade4cfc5d3d9020b24898 | AIT | 37062 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x4d1e90ab966ae26c778b2f9f365aa40abb13f53c | STA | 50602 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x75ca521892de7f2ecfb070cab545c250d0ceb7e3 | PVCMETA | 17619 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xba509bdb71a29301860800e13867b59b461747af | MonSpaC (MSPC) | 63588 | 5 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0xc9882def23bc42d53895b8361d0b1edc7570bc6a | FistStandard | 19186 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x20f663cea80face82acdfa3aae6862d246ce0333 | Drip Network | 8565 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x1f1c90aeb2fd13ea972f0a71e35c0753848e3db0 | TransparentUpgradeableProxy | 7669 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xabe776435f7459e2f5ba773bfb753ed19a053dd0 | token | 6669 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x11a1764c877837921eca6f3f58cdbe9bcd4e9e5e | BTCASH (METABT) | 4260 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x4908b8977f91e2257e5260551e7dc2950b1b3877 | Mars | 3175 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0x93023f1d3525e273f291b6f76d2f5027a39bf302 | AMGToken | 2481 | 4 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0x4d7fa587ec8e50bd0e9cd837cb4da796f47218a1 | SAFE(AnWang) (SAFE) | 8430 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x83d3c2d1a55687498df6800c5f173ec6a7556089 | BEATS | 2371 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x78997aa5d48efe1c96415e0d941ba687cdc1c358 | MC | 2622 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x1a97b0cf1efb5228027dd782ed5d82c901694042 | CCToken | 1053 | 4 | The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0x198271b868dae875bfea6e6e4045cdda5d6b9829 | DogsTokenV2 | 1226 | 4 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0x1e83d06e17cae34415bea30116ac755456131020 | Token | 813 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0xd983ab71a284d6371908420d8ac6407ca943f810 | Ultron Foundation: ULX Token | 1819 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xff71e87a2e7b818eee86f3f1c2e94a06cac85866 | Cat | 733 | 4 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0x051e0ac843bae1c83f2d3d44237c8eec33560b55 | NULL | 748 | 4 | The contract is unverified which always indicates some potential risks, please be careful of scam or hack risk. |
| 0x73fbd93bfda83b111ddc092aa3a4ca77fd30d380 | SophiaVerseToken | 746 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xc017d283bde7c6ec521dace9ddea1ebf90ed6f78 | MRKCoin | 575 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x9767c8e438aa18f550208e6d1fdf5f43541cc2c8 | MangoMan Intelligent | 585 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x11ac6af070fe1991a457c56fb85c577efe57f0e4 | DragonKing (DragonKing) | 559 | 4 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0xc632f90affec7121120275610bf17df9963f181c | DEBT | 485 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x83f41c98d028842ccc8060b4ec7738df3eb9a2e6 | BWJ | 482 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x6d6ba21e4c4b29ca7bfa1c344ba1e35b8dae7205 | KatanaInu: KATA Token | 407 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x9e9bef94795bfe87a11a0369b4e0c3b60a6fcf2b | MBankToken | 372 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x4b383b52882a779817e1312894bf3f1466c660e9 | XProBotTOKEN | 335 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x808f1350dff684c099f4837a01d863fc61a86bc6 | MFI_ERC20 | 334 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0xc7cba05f673cfab408a9fb0ef5fcc3c25a4abeba | TradeXAI | 326 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x43b44d4b278c43c4d3251374337e1c6aa10fa76f | XCATTOKEN | 325 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x16760310e7b83d6aac3d82ad56da3ca42fda13d8 | TOKEN | 310 | 5 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0x5b415df00a5276a6baf8434d1432058a62759ef1 | ONPAYTOKEN | 307 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x7c0e5ad65c6083f53efa1d4d0844efca34f19e2a | ERCXTOKEN | 306 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x668a81d1ee8e9db76e14237366362d3c4878883a | WWDTOKEN | 305 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x9a3321e1acd3b9f6debee5e042dd2411a1742002 | PIGS Token (AFP) | 293 | 4 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0x571e522dc7c5a75ee5f432ff9abaceb2d88d0abc | DJOTOKEN | 284 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0xc89c57e38dcaba62501d53e5ea490945d1d8f346 | SeiCloudTOKEN | 279 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x05f6499cc6a62b6e2c88ad3db7376fde040c0f2d | LEGOTOKEN | 267 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0x6428177a36be2202f7cee6757498959ab9818efb | TRUMPXTOKEN | 264 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0xb2393c1afc7a3cea1f69be5e516b9697fa5fbbba | MOTNTOKEN | 256 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0xa203711c7ead07a33a7a6e2f4abb6fff47229458 | POOTOKEN | 243 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x641d187b77f5c64b5b663bf32157661218c49740 | NULL | 238 | 4 | The contract is unverified which always indicates some potential risks, please be careful of scam or hack risk. |
| 0x4607618b57f0edc42c42810e3c245b49ad7338a7 | ShikokuTOKEN | 231 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0x9fb9a33956351cf4fa040f65a13b835a3c8764e3 | AnyswapV5ERC20 | 229 | 4 | The address is blacklisted based on threat intelligence or manual analysis. |
| 0xc001bbe2b87079294c63ece98bdd0a88d761434e | EverGrow: EGC Token | 202 | 4 | The address is blacklisted based on threat intelligence or manual analysis.; The contract contains some privileged role function which always means some centralization risk, please be careful of rugpull risk. |
| 0x53cf15f77f2b11ef655dccbce6699c3086eae064 | ETHEREUMTOKEN | 202 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0xbb38109575a98c8697cbc10f8836d8a9af7c9244 | APEBOTTOKEN | 184 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0xdb9e84cf5affca6676a5705b667e887ccdf64e8f | KBLETOKEN | 164 | 4 | The contract contains some backdoor function which could mean the owner has some potentially malicious intent, please be careful of rugpull risk. |
| 0xe758b7856756fa0e5d21be5412dfff8c317cc678 | BLOCX | 151 | 4 | The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0x31342a89fb2d7856aaa32247f6b4e28b871d8e1a | UST | 49 | 4 | The address is related to a coin mixer platform such as Tornado.Cash, which could mean some potential risks, please be careful of scam risk.; The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |
| 0x8d2a0757e4b39b9440c21984fb9ae54cdb6ecd75 | CCA | 4 | 4 | The contract has some scam features such as Ponzi, Honeypot or fake token, please be careful of scam risk. |

· 17 min read
Sebastian Lim

Overview

This report delves into the security events occurring on BNB Smart Chain (BSC) during 2023 H1. It analyzes the types of projects that were targeted and whether they shared common attack techniques. Additionally, the report examines the financial implications of these occurrences.

Disclaimer

The financial data presented in this report has undergone thorough verification through our internal monitoring system, ensuring its accuracy. The data is derived from the $USD valuation of the cryptocurrency at the time of the incident. It's important to note that due to the inherent volatility of cryptocurrency prices, there may be variations in the total amount lost based on current token valuations.

Furthermore, the financial data might not fully reflect the true “exploited amount” of the incident. This is especially true for scams where the total scammed amount is usually mixed with an initial base amount injected by the scam project party.

BSC Innovations

The first half of 2023 has been an exciting journey for BNB Smart Chain (BSC), marked by continuous innovation and the tireless efforts of the BNB Chain team in crafting and advancing cutting-edge technologies.

Just to name a few in H1:

  • The Greenfield Testnet went live: the Greenfield testnet is an open-source project aimed at providing a scalable and efficient data availability layer for decentralized applications (dApps).

IMG-1

  • Reduced Transaction Costs: Following extensive discussions, BSC validators have lowered transaction costs from 5 Gwei to 3 Gwei. This reduction in fees will help drive network adoption, making BNB Chain an even more attractive platform for developers and users.

  • BSC Validators Self-Stake Update: Thanks to an on-chain governance proposal, validators significantly reduced the cost of becoming a BNB Smart Chain validator, fostering a more diverse and robust ecosystem. This change greatly benefits the community by lowering the entry cost for a BSC validator: the required self-stake moved from 10,000 BNB to 2,000 BNB.

  • BNB Chain exhibited a significant rise in market share, demonstrating steady growth in the percentage of verified smart contracts. Its market share increased from 38% at the beginning of Q2 to 45% by the end of H1. This performance underscores BNB Chain's dominance and the high level of trust placed in its infrastructure by developers and users.

IMG-2

Figure 1: Number of contracts verified weekly across chains (Refer to the Red box for 2023 H1 data)

  • opBNB and zkBNB: These dynamic layer 2 solutions are poised to revolutionize the BNB Chain ecosystem by further enhancing the capabilities of BNB Chain’s ecosystem; offering developers a boundless horizon to pioneer groundbreaking advancements.

IMG-3 IMG-4

[Refer to the blogs 1, 2 released by BNBChain for more information]

2023 H1 in focus

General

A comprehensive overview reveals that security incidents on BSC resulted in an aggregate loss of nearly $101.84 million. An examination of the monthly breakdown highlights notable patterns. Specifically, the months of May, March, and June emerged as pivotal periods, witnessing the highest recorded losses.

IMG-5

Figure 2: Amount of stolen funds in dollars per month in 2023 H1

This chart shows the number of projects impacted by exploits in 2023 H1.

IMG-6

Figure 3: Number of different projects impacted by exploits

In total, there were 199 incidents on BSC.

As seen in Figure 3, the highest number of security incidents took place in June.

Comparison with H1 previous years

When we compare the data with H1 of previous years, there is a decreasing trend, which can signify that the security posture of BNB Chain has improved over the years.

IMG-7

Figure 4: Financial Loss across the previous H1 of 2020 - 2023

Type of attack vectors

Out of the 199 security incidents, hacks accounted for 66.3% and scams for 33.2%; one incident (0.5%) was a white-hat hack. That white-hat hack involved Hashflow, where an old contract had an Open Approval: any user who still had an active token approval to the affected contract could have their existing funds pulled through it.

IMG-8

Figure 5: Proportion of different types of exploits

However, it is interesting to note that even though the number of hacks was nearly double that of scams, the financial impact of hacks was less significant. The total loss from hacks ($35m) was roughly half the loss from scams ($66m), as shown in Figure 6.

IMG-9

Figure 6: Financial impact measured in dollars comparing different types of incidents

Looking at the comparison with 2022 H1, we observed that this trend was actually reversed! In 2022, the number of scam incidents was double that of hack cases, while the financial loss from hacks was double that from scams. You can refer to our previous [report](https://hashdit.github.io/hashdit/blog/bsc-2022-end-of-year-report/) for more information.

The observed trend potentially signifies an escalating presence of scammers within the crypto space. Their tactics continuously evolve, challenging users' vigilance. Furthermore, smaller, lesser-known projects may exhibit comparatively lower emphasis on security measures. This underscores the pressing need for heightened awareness and diligence across the ecosystem to safeguard against emerging threats.

Specific attack vectors

Figure 7 displays the specific attack vectors against its financial loss in 2023 H1.

IMG-10

Figure 7: Proportion of the funds lost comparing the different types of vulnerabilities

Looking at the breakdown, the most common cause of lost funds was Rugpulls (25%), while the second most common attack vector was the Reflection Vulnerability. Several token smart contracts deployed on BSC use a reflection mechanism to pay dividends to token holders; however, the reflection implementation may be flawed, allowing malicious actors to drain the token's liquidity pool. The third most common attack vector was Price Manipulation at 8.2%. This is common because poorly designed smart contracts rely on the instantaneous price of liquidity pools, which can easily be moved by a large swap or a flash loan.

Type of projects

When comparing the types of project with the observed financial loss, a whopping 98.8% of the financial loss was attributed to DeFi projects. The second most common type of targeted project was Bridge projects at 0.6%, followed by GameFi and Metaverse projects at 0.3% and 0.2% respectively.

IMG-11

Figure 8: Proportion of funds lost comparing the type of project

With such a large proportion of fiat loss associated with DeFi projects, this shows that DeFi projects are still the most common type of crypto project in the space. At the same time, it shows how important it is for users to invest only in reputable and well-audited projects, and to steer clear of potential rugpulls and vulnerabilities.

Top 10 incidents in 2023 H1

The following were the top 10 security incidents in terms of financial loss in 2023 H1.

IMG-12

Figure 9: Top exploits measured in dollars in 2023 H1 on the BNB Smart Chain

Fintoch - $31.6 Million Loss

On 25-May-2023, Fintoch, a Ponzi platform was reported to have rugpulled $31.6 million USD. The funds were since bridged to multiple addresses on Tron and Ethereum. Its users reported that they could not withdraw their funds.

Fintoch advertised itself as a blockchain financial platform built by Morgan Stanley, promising users a 1% return on investment every day. The team page on the Fintoch website referred to "Bobby Lambert" as their CEO, when in fact he did not exist and was a paid actor. Earlier, the Singaporean government and Morgan Stanley had both issued warnings about this "investment plan".

ippswap - $14.5 Million Loss

On 26-May-2023, a scam project, ippswap, was found to have rugpulled $14.5 million USD. The ippswap project party exploited a privileged backdoor method, takeToken(), in the staking contract. This allowed the project party to transfer the IPPSwap LP tokens that users had staked directly to their own account. Liquidity was then removed using those LP tokens, yielding $14,535,741.86 USDT.

Some of the USDT funds flowed onto Binance exchange where the funds have been frozen by the Binance team.

Safemoon - $8.9 Million Loss

The Safemoon project was exploited for $8.9 million USD on 29-Mar-2023. The Safemoon liquidity pool was compromised after a code upgrade introduced a bug: a public burn() function. The hacker was able to burn the SFM tokens held in the liquidity pool, artificially inflating the price of SFM, and then sold enough tokens to wipe out all the WBNB in the pool.
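Two of the pool-price failure modes on this page share one root cause: a contract that trusts the instantaneous reserves of a liquidity pool. The following Python model of a constant-product (x * y = k) pool is an added illustration, not code from Safemoon, PancakeSwap or HashDit. It shows the spot-price manipulation named in the attack-vector breakdown (one large buy moves the spot price several-fold while a time-weighted average barely moves) and the Safemoon pattern (a burn() that can be applied to the pair's own balance inflates the price without any WBNB entering, so a small holding then drains the WBNB side). The reserves, fee, trade sizes and the `burn_from_pool` method are all constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ConstantProductPool:
    """x * y = k pool in the style of PancakeSwap v2 (Python model, constructed for illustration)."""
    token: float                 # reserve of the project token (the SFM side in the Safemoon case)
    wbnb: float                  # reserve of WBNB
    fee: float = 0.0025          # 0.25% swap fee
    price_history: list = field(default_factory=list)

    def spot_price(self) -> float:
        """Instantaneous WBNB-per-token price: what a contract reading reserves directly sees."""
        return self.wbnb / self.token

    def _amount_out(self, amount_in, reserve_in, reserve_out):
        amount_in_after_fee = amount_in * (1 - self.fee)
        return reserve_out * amount_in_after_fee / (reserve_in + amount_in_after_fee)

    def swap_wbnb_for_token(self, wbnb_in):
        out = self._amount_out(wbnb_in, self.wbnb, self.token)
        self.wbnb += wbnb_in
        self.token -= out
        return out

    def swap_token_for_wbnb(self, token_in):
        out = self._amount_out(token_in, self.token, self.wbnb)
        self.token += token_in
        self.wbnb -= out
        return out

    def burn_from_pool(self, amount):
        """Models a burn() that anyone can point at the pair's balance: the token reserve shrinks
        while the WBNB reserve stays, so the spot price jumps without any WBNB entering."""
        if amount >= self.token:
            raise ValueError("cannot burn the whole reserve")
        self.token -= amount

    def record_block(self):
        """One oracle observation per block, the input to a time-weighted average price."""
        self.price_history.append(self.spot_price())

    def twap(self, window):
        recent = self.price_history[-window:]
        return sum(recent) / len(recent)


def spot_price_manipulation():
    """A single large buy moves the spot price several-fold; a TWAP over ten blocks barely moves."""
    pool = ConstantProductPool(token=1_000_000, wbnb=1_000)
    for _ in range(9):
        pool.record_block()                  # nine quiet blocks at 0.001 WBNB per token
    before = pool.spot_price()
    pool.swap_wbnb_for_token(500)            # one large buy, e.g. flash-loan funded, in one block
    pool.record_block()
    return before, pool.spot_price(), pool.twap(10)


def public_burn_drain(burn_enabled):
    """WBNB obtained by selling 20,000 tokens, with and without first burning 99% of the pool's tokens."""
    pool = ConstantProductPool(token=1_000_000, wbnb=1_000)
    if burn_enabled:
        pool.burn_from_pool(990_000)
    return pool.swap_token_for_wbnb(20_000)


if __name__ == "__main__":
    print("spot price before, after one large buy, and 10-block TWAP:", spot_price_manipulation())
    print("WBNB out from selling 20,000 tokens, no burn:", public_burn_drain(False))
    print("WBNB out from selling 20,000 tokens after a pool burn:", public_burn_drain(True))
```

The defensive reading of the two numbers: a contract that prices collateral or rewards from `spot_price()` can be moved more than 2x within a single block, whereas a multi-block TWAP (or an external oracle) moves by a few percent; and a burn function must only ever reduce `msg.sender`'s own balance, never a balance the caller names, so that the pair's reserves can never be burned by a third party.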

On April 20, the SafeMoon attacker returned 80% of the stolen funds, transferring 21,804 BNB (approximately $7.2 million) to the SafeMoon vault wallet and keeping the remaining 20% as a bounty.

SwapX - $7.3 Million Loss

SwapX, a DeFi project, faced an Open Approval issue starting from 27-Feb-2023, resulting in users losing more than $7.3 million USD. Users of BSCex / SwapX, a DEX on BNB Chain, had funds stolen directly from their wallets. Vulnerabilities were found in four old contracts (deployed in Jan 2021, May 2021, July 2021 and Oct 2021) belonging to the DEX. Many users still had active approvals to these contracts, even though they had not used them for a long time. Affected users remain at risk as long as they have not revoked their approvals.

Atlantis Loans - $3.5 Million Loss

On 12-June-2023, Atlantis Loans suffered a malicious governance proposal takeover, coupled with the abandonment of the project by the core team, which resulted in a loss of ~$3.5 million USD. On April 12, its official Telegram (TG) channel was deleted and a backup channel was created instead, with multiple community members claiming that the project had been abandoned and that they were trying to build it up again. A malicious proposal was then submitted to take over the core contracts of Atlantis Loans, and it was successfully shut down by the new project party.

However, a similar proposal was submitted on June 12 and was not blocked this time, which allowed the hacker to steal funds from users who had approved the Atlantis Loans core contracts.

$FUT - $2.7 Million Loss

Early this year, on 4-Jan-2023, the $FUT project team conducted a rugpull for $2.7 million USD. The project party was able to invoke the privileged function withdrawSushiReward() of the Masterchef contract to transfer all the FCS to another wallet under their control. They then swapped all the FCS for $FUT before exiting into USDT. Once again, this shows the risk of over-centralization: a project party with too many privileges can easily backdoor users' funds.
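The ippswap takeToken() and $FUT withdrawSushiReward() incidents above are the same pattern: a single owner key and a function that can move every user's funds in one call. As an added example (not code from either project, and written in Python rather than Solidity), the model below contrasts that owner-only sweep with the same operation placed behind a k-of-n multisig and a public timelock delay. The vault, signer names, the two-day delay and the placeholder addresses are all constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class StakingVault:
    """Staking contract model whose owner can sweep every stake in one call (Python, constructed)."""
    owner: str
    stakes: dict = field(default_factory=dict)

    def deposit(self, user, amount):
        self.stakes[user] = self.stakes.get(user, 0) + amount

    def withdraw(self, user):
        return self.stakes.pop(user, 0)

    def total_staked(self):
        return sum(self.stakes.values())

    def sweep(self, caller, to):
        """The privileged backdoor: moves all user stakes to `to`. Returns the amount moved."""
        if caller != self.owner:
            raise PermissionError("not owner")
        amount = self.total_staked()
        self.stakes.clear()
        return amount


class TimelockMultisig:
    """Replaces a single-key owner: k-of-n signers must confirm, then a public delay must pass."""

    def __init__(self, signers, threshold, delay):
        self.signers, self.threshold, self.delay = set(signers), threshold, delay
        self.queue = {}                      # op_id -> {"eta": timestamp, "confirmations": set}

    def propose(self, signer, op_id, now):
        self._require_signer(signer)
        self.queue[op_id] = {"eta": now + self.delay, "confirmations": {signer}}

    def confirm(self, signer, op_id):
        self._require_signer(signer)
        self.queue[op_id]["confirmations"].add(signer)

    def execute(self, op_id, now, action):
        op = self.queue[op_id]
        if len(op["confirmations"]) < self.threshold:
            raise PermissionError("not enough confirmations")
        if now < op["eta"]:
            raise PermissionError("timelock has not expired")
        del self.queue[op_id]
        return action()

    def _require_signer(self, signer):
        if signer not in self.signers:
            raise PermissionError("not a signer")


def direct_owner_sweep():
    """Single EOA owner: the sweep succeeds immediately and users get no warning."""
    vault = StakingVault(owner="0xPROJECT_EOA")           # placeholder owner key
    vault.deposit("alice", 300)
    vault.deposit("bob", 700)
    return vault.sweep("0xPROJECT_EOA", "0xPROJECT_EOA")


def timelocked_sweep(user_exits_during_delay):
    """Returns (early execution blocked?, amount finally swept) for the timelocked variant."""
    DAY = 24 * 3600
    lock = TimelockMultisig(signers={"s1", "s2", "s3"}, threshold=2, delay=2 * DAY)
    vault = StakingVault(owner="TIMELOCK")                # only the timelock may call sweep()
    vault.deposit("alice", 300)
    vault.deposit("bob", 700)
    lock.propose("s1", "sweep", now=0)
    lock.confirm("s2", "sweep")
    early_blocked = False
    try:
        lock.execute("sweep", now=3600, action=lambda: vault.sweep("TIMELOCK", "0xTREASURY"))
    except PermissionError:
        early_blocked = True                               # the queued op is public for two days
    if user_exits_during_delay:
        vault.withdraw("alice")                            # alice saw the queued sweep and left
    swept = lock.execute("sweep", now=2 * DAY, action=lambda: vault.sweep("TIMELOCK", "0xTREASURY"))
    return early_blocked, swept
```

The timelock does not make the sweep impossible; it makes it visible and slow, which is what a monitoring service or a user with an open position needs. Removing the sweep function altogether is better still, and is what an audit of the privileged surface should push for.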

Circulate - $2.3 Million Loss

On 12-Jan-2023, the Circulate Ponzi managed to scam around $2.3 million USD from users. The CirculateBUSD and CirculateWBNB contracts promised users a high APR for depositing funds with them. When users deposit funds, they invoke the startTrading() method of the contract, which in turn calls an unverified third-party dependency, the SwapHelper contract. Upon decompiling the code, we noticed a hardcoded condition: once the contract reached $2m of staked funds, the funds would be transferred immediately to a designated project-team address.

Although it is currently unknown how the scammer in this incident was able to get large investment into their recently created contracts (~2 days), it is highly likely that the contracts were scams from the beginning due to design bugs in the SwapHelper contract. On the whole, third party dependencies in smart contracts present a security risk. Whilst reliance on third parties such as the use of oracles is sometimes unavoidable, developers should avoid these dependencies as much as possible.

YieldRobot - $2.1 Million Loss

On 17-Jan-2023, YieldRobot scammed users out of around $2.1 million USD. For context, YieldRobot is a DeFi protocol that promises yield to users who deposit BUSD. Two days prior to the incident, the YieldRobot contract deployer wallet set the signer to a new EOA (0x3f531). The signer address is needed to approve the redemption of coupons.

In order to redeem a coupon it must pass a check to verify it has the correct signer. Once approved, the coupon is added to the user’s reward balance. In this incident, 0x8f2DB called setCoupon() which credited them 2.1m BUSD.

The new signer approved the malicious coupon redemption, which allowed the attacker to call claimRewards() against the contract's BUSD balance and drain all of its BUSD.
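The YieldRobot timeline has a detectable shape: a privileged-role change (the signer swap) two days before a claim that empties the contract. As an added example of the kind of monitoring rule that would have flagged it, here is a small Python detector run over constructed, already-decoded event records. It is not HashDit's monitoring code and not real YieldRobot logs; the event names (`SignerChanged`, `CouponSet`, `RewardsClaimed`), the placeholder addresses, the 25% claim threshold and the 60,000-block window (about two days at an assumed 3 s block time) are all assumptions.

```python
from dataclasses import dataclass

# Constructed, already-decoded event records in the shape an indexer might emit.
# They are not real YieldRobot logs; addresses are placeholders.
SAMPLE_EVENTS = [
    {"block": 100, "contract": "0xVAULT", "event": "Deposit",        "args": {"user": "0xU1", "amount": 50_000}},
    {"block": 101, "contract": "0xVAULT", "event": "Deposit",        "args": {"user": "0xU2", "amount": 1_950_000}},
    {"block": 150, "contract": "0xVAULT", "event": "SignerChanged",  "args": {"old": "0xSIGNER_OLD", "new": "0xSIGNER_NEW"}},
    {"block": 151, "contract": "0xVAULT", "event": "CouponSet",      "args": {"user": "0xCLAIMER", "amount": 2_000_000}},
    {"block": 152, "contract": "0xVAULT", "event": "RewardsClaimed", "args": {"user": "0xCLAIMER", "amount": 2_000_000}},
]

# Events that change who holds a privileged role; each one deserves an alert on its own.
PRIVILEGED_EVENTS = {"SignerChanged", "OwnershipTransferred", "RoleGranted", "Upgraded"}


@dataclass
class Alert:
    block: int
    severity: str
    rule: str
    detail: str


def detect(events, big_claim_ratio=0.25, window_blocks=60_000):
    """Replay events in block order, tracking the vault balance and the last privileged change.

    A claim of at least `big_claim_ratio` of the balance is "high"; if it lands within
    `window_blocks` of a privileged-role change it is escalated to "critical".
    """
    alerts, balance, last_priv_block = [], 0, None
    for ev in sorted(events, key=lambda e: e["block"]):
        name, args, blk = ev["event"], ev["args"], ev["block"]
        if name in PRIVILEGED_EVENTS:
            last_priv_block = blk
            alerts.append(Alert(blk, "medium", "privileged-role-change", f"{name}: {args}"))
        elif name == "Deposit":
            balance += args["amount"]
        elif name == "RewardsClaimed":
            amount = args["amount"]
            if balance and amount / balance >= big_claim_ratio:
                recent = last_priv_block is not None and blk - last_priv_block <= window_blocks
                detail = f"{args['user']} claimed {amount} of {balance}"
                if recent:
                    detail += f" within {window_blocks} blocks of a privileged-role change"
                alerts.append(Alert(blk, "critical" if recent else "high", "large-claim", detail))
            balance -= amount
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first alert (the signer change) fires two days before any funds move, which is the window in which a monitoring service can warn users and a project with a pause function can act; the second alert is only an escalation of what the first already signalled.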

LianGo Protocol - $1.6 Million Loss

On 7-Feb-2023, the LianGo protocol was exploited for $1.6 million USD; roughly 6,148,859 LGT reward tokens were stolen. For context, LianGo is a decentralized payment and consumption protocol, and LGT is its main token.

The theft was possible because the owner/administrator of LGTPool created a fake LP token pledge pool (pool 3); the thief then pledged a large amount of fake LP tokens into that pool and obtained 6.14 million LGT reward tokens.

Based on on-chain data, the thief had been preparing for a long time: 58 days before the incident, the thief's address obtained its gas fees from Tornado Cash, and the fake LP contract was deployed 32 days before the incident.

On the same day, the LianGoPay project deployed the trading pair contract for LGT and WBNB on PancakeSwap. This contract address is very similar to the address of the fake LP contract deployed earlier: the first four and last four characters are identical, which makes the two easy to confuse. Given this, the incident most likely involved a private key compromise of the project's back-end system.

The administrator of the LGTPool contract sent three consecutive transactions to create pledge pools: the first two created fake LP token pledge pools (pools 3 and 4), and the third created the real LP token pool for WBNB and LGT. Because the first four and last four characters of the real and fake LP token contract addresses are the same, it is difficult for users to notice that the first two pools created are fake.

The attacker then launched the attack by first deploying an attack contract. When the contract was initialized, a huge amount of fake LP tokens was pledged into the fake No. 3 LP pledge pool, up to 614885935211982505426257800000000.

The attacker then initiated a redemption transaction and received the LGT rewards. Because of the huge pledged principal, 6.14 million LGT in rewards were generated. These reward tokens were exchanged for 1.62 million BSC-USD and transferred to an address starting with 0xCb65 (the address that had received gas fees from Tornado Cash 58 days before the incident).
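The LianGo case turned on two addresses that share their first and last four hex characters, which is exactly the abbreviated form most wallets and explorers display. The following Python helpers are an added example (not LianGo's or HashDit's code) of the check a front end or a monitoring job can run: detect candidate addresses that collide in truncated form with a trusted one, and insist on a full 40-character comparison before treating any address as the real LP token. The three addresses are constructed placeholders, not the real LianGo contracts.

```python
def normalize(addr: str) -> str:
    """Lower-case hex without the 0x prefix, so case differences cannot mask a mismatch."""
    addr = addr.lower()
    return addr[2:] if addr.startswith("0x") else addr


def truncate(addr: str, prefix: int = 4, suffix: int = 4) -> str:
    """The abbreviated form most wallets and explorers show, e.g. 0x9a3f...7c1e."""
    hex_part = normalize(addr)
    return f"0x{hex_part[:prefix]}...{hex_part[-suffix:]}"


def looks_alike(a: str, b: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when two different addresses collide in their truncated display form."""
    a, b = normalize(a), normalize(b)
    return a != b and a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]


def find_lookalikes(trusted: str, candidates) -> list:
    """Addresses in `candidates` that a user could mistake for `trusted` on a truncated display."""
    return [c for c in candidates if looks_alike(trusted, c)]


def verify_exact(trusted: str, candidate: str) -> bool:
    """The only safe check: compare all 40 hex characters, never the truncated form."""
    return normalize(trusted) == normalize(candidate)


# Constructed 20-byte addresses (not the real LianGo contracts) sharing first/last four hex chars.
REAL_PAIR = "0x9a3f" + "1" * 32 + "7c1e"
FAKE_LP = "0x9A3F" + "e" * 32 + "7C1E"        # mixed case, as an explorer might render it
UNRELATED = "0x1234" + "0" * 32 + "abcd"


if __name__ == "__main__":
    print(truncate(REAL_PAIR), truncate(FAKE_LP))          # identical on screen
    print(find_lookalikes(REAL_PAIR, [FAKE_LP, UNRELATED]))
    print(verify_exact(REAL_PAIR, FAKE_LP))                 # False
```

A staking front end that only ever shows `truncate()` output gives users no way to spot the fake pool; listing `find_lookalikes()` hits against the known pair address, or simply refusing any LP token whose full address fails `verify_exact()`, removes the confusion the attacker relied on.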

DeusDAO (DEI) - $1.3 Million Loss

On 6-May-2023, the DeusDAO (DEI) project was hacked for slightly more than $1.3 million USD due to a wrong contract upgrade. The project was hacked on 3 different chains: Ethereum, Arbitrum and on the BNB Chain. The upgrade bug introduced a public burn vulnerability, which allowed attackers to steal funds from other wallets that have DEI tokens.

The issue was specifically in the burnFrom method, which wrongly swapped its two parties, msg.sender and the account whose allowance is consumed, when reading and updating the allowance. The hacker first approved DEI tokens to a whale account holding a large DEI balance, then invoked the flawed burnFrom method against that account with an amount of 0. Because of the swap, this granted the caller an allowance over all of the whale's DEI tokens, after which a plain transferFrom call was enough to take them.
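Two incidents on this page come down to the ERC-20 allowance bookkeeping: the Open Approval cases (Hashflow, SwapX), where a stale approval to an old contract is enough for funds to be pulled, and the DEI burnFrom bug, where a swapped parameter turns an attacker's own approval into an approval from the victim. The Python ledger below is an added example, not code from DEI, SwapX or HashDit, and not Solidity; it models both behaviours side by side so the failure and the fix can be checked. The participants (`USER`, `WHALE`, `ATTACKER`, `OLD_DEX`), balances and the `burn_from_buggy` method are constructed assumptions.

```python
MAX_UINT = 2**256 - 1

# Constructed participants; placeholders, not real addresses from any incident.
USER, WHALE, ATTACKER = "0xUSER", "0xWHALE", "0xATTACKER"
OLD_DEX = "0xOLD_DEX_CONTRACT"   # a long-unused contract that still holds users' approvals


class Token:
    """Minimal ERC-20 style ledger: balances plus (owner, spender) allowances (Python model)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        """`caller` moves `amount` of `owner`'s tokens to `to`, limited by allowance[owner][caller]."""
        allowed = self.allowance.get((owner, caller), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != MAX_UINT:                      # unlimited approvals are never decremented
            self.allowance[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def _burn(self, account, amount):
        if self.balances.get(account, 0) < amount:
            raise ValueError("burn exceeds balance")
        self.balances[account] -= amount

    def burn_from_fixed(self, caller, account, amount):
        """Correct burnFrom: spend the allowance that `account` granted to the caller."""
        allowed = self.allowance.get((account, caller), 0)
        if allowed < amount:
            raise PermissionError("burn amount exceeds allowance")
        self.approve(account, caller, allowed - amount)
        self._burn(account, amount)

    def burn_from_buggy(self, caller, account, amount):
        """burnFrom with the two parties swapped, as described for the DEI upgrade: it reads the
        allowance the CALLER granted to `account` ..."""
        allowed = self.allowance.get((caller, account), 0)
        if allowed < amount:
            raise PermissionError("burn amount exceeds allowance")
        # ... and writes the remainder back as an approval FROM `account` TO the caller.
        self.approve(account, caller, allowed - amount)
        self._burn(account, amount)


def open_approval_demo(revoke_first):
    """Tokens pulled from USER through a stale unlimited approval to OLD_DEX (0 once revoked)."""
    token = Token({USER: 5_000})
    token.approve(USER, OLD_DEX, MAX_UINT)           # granted long ago for a single swap
    if revoke_first:
        token.approve(USER, OLD_DEX, 0)              # the user-side fix: allowance back to zero
    try:
        # The contract itself is the spender, so any code path in the old contract that ends
        # in transferFrom(USER, ...) drains USER without any further action by USER.
        token.transfer_from(OLD_DEX, USER, ATTACKER, 5_000)
    except PermissionError:
        return 0
    return token.balances[ATTACKER]


def dei_burn_from_demo(buggy):
    """Returns (allowance WHALE ends up granting ATTACKER, ATTACKER's final balance)."""
    token = Token({WHALE: 1_000_000, ATTACKER: 0})
    token.approve(ATTACKER, WHALE, MAX_UINT)         # step 1: approve the whale (looks harmless)
    burn = token.burn_from_buggy if buggy else token.burn_from_fixed
    burn(ATTACKER, WHALE, 0)                         # step 2: burnFrom(whale, 0)
    granted = token.allowance.get((WHALE, ATTACKER), 0)
    if granted:
        token.transfer_from(ATTACKER, WHALE, ATTACKER, 1_000_000)
    return granted, token.balances[ATTACKER]
```

The two demos make the page's advice concrete: for users, an approval outlives the interaction it was granted for, so revoking it (setting the allowance to zero) is the only thing that closes the Open Approval path; for developers, a one-line parameter swap in an upgrade is invisible to a reader who trusts the function name, which is why upgraded code needs the same audit and test coverage as the original, with a regression test exactly like `dei_burn_from_demo(False)` that asserts no allowance is ever created for the caller.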

Conclusion

BSC continues to be a strong competitor, outperforming Ethereum in terms of daily active users and verified contracts. However, it is undeniable that 2023 H1 has proven to be a challenging year for both investors and developers due to the continued bear market trend and exploit incidents. Below we have some final advice for investors and developers:

For investors:

  • Understand what you're signing, do not blindly sign random signatures/transactions (never sign signatures outside of official websites)
  • Always double check that you are on the official website of the dApp
  • Be wary of new/trending projects or projects that guarantee High APYs / use MEV bots, and always verify the project team’s authenticity
  • Use multiple wallets for different activities (hot wallet for frequent transactions; cold wallet to store high value funds)
  • Ensure you are interacting with an open-source contract and revoke approval once interaction is done
  • Check the security and risk scores of the contracts you interact with (e.g. when using Trust Wallet). If High Risk is flagged, we strongly advise staying away

Feel free to reach out to our team if you have any doubts about a certain project / contract address / transaction / risk score!

For developers:

  • Verify & open-source all relevant contracts on-chain (to ensure transparency and trust within the space)
  • Ensure the project is audited by at least 2 well-known security companies and fix all issues where applicable (Including auditing newly added code)
  • Incorporate / Implement a bug-bounty program to upkeep the security posture of the project and encourage the community to ensure the code remains secure
  • Ensure security is at the core of the business: run sufficient testing / stress-testing / simulations such as (1) adverse token price fluctuations, (2) edge cases
  • Prevent centralization risks by using multi signature wallets and not a single EOA wallet to run operations
  • Minimize contract upgradeability and apply it only to contracts where it is necessary
  • Ensure funds are stored securely (key management, fund distribution)
  • Implement safeguards in the event of a hack (formulate an Incident Response plan, introduce time lock / pausing within the smart contract)
  • Constantly monitor system parameters, e.g. the exchange rate of a token

Hashdit

HashDit’s core mission is to provide essential threat intelligence for everyday crypto investors, helping them make informed decisions. Our methodology combines a variety of automated and manual techniques to evaluate a dApp project. The team has optimized its product offerings and improved its accuracy in 2023 H1.

Products at Hashdit currently:

  • Risk assessment: All-in-one collection of security rating framework, auto-scan tools, and corresponding APIs, which are able to deliver accurate detection for potential rugpull/exploit risks based on a smart contract address. This is integrated with platforms like Trust Wallet and PancakeSwap, to leverage their reach and protect more users.

    Besides the usual SWC bugs, it is able to detect multiple other risks, such as Tornado Cash interaction, risky functions in ERC20 or ERC721 token contracts (such as Migrate() or Blacklist()), and HoneyPot behaviour. This helps users gain a better understanding of a smart contract and whether it could be a scam.

  • Audit service: Comprehensive code audits following extensive and detailed best practices for smart contracts and discovering code loopholes / security vulnerabilities before they are deployed on-chain, guaranteeing users’ safety on BSC.

  • Monitoring: Detecting sensitive events / transactions that happen on-chain in order to respond quickly and minimize any additional financial losses. At the same time, HashDit warns users early by sharing any information we find on our Twitter.

  • Blog: Our goal is to share our security knowledge for builders, investors and users in the Web3 community. With all the players in the industry equipped with the security knowledge needed and adopting a security-first mindset, only then will the Web3 ecosystem be a safer place for everyone.