2024 End of Year BSC Security Report

Table of contents​

• Overview
• Disclaimer
• Executive Summary
• Notable developments
  • Developments in the Wallet Drainer Scams
  • Continued rise of DPRK Scams
  • Continued rise of Spoofing Scams
• Year-over-Year (YoY)
  • General
  • Type of attack vectors
  • Type of projects
  • Chain comparison
• 2024 in focus
  • General
  • Wallet Drainer Analysis
  • Spoofing Analysis
  • Quarter-over-Quarter (QoQ)
  • Month-over-Month (MoM)
  • Type of attack vectors
  • Type of projects
• Conclusion
• Appendix
  • HashDit
  • Top 10 Incidents
  • 2024 highlights

Overview​

This report focuses on security events that happened on BSC in 2024, analyzing the type of projects targeted and sharing the common attack techniques used in 2024, with respect to the financial loss of the incidents.

Disclaimer​

The financial data provided here is accurate based on our own monitoring system and based on the $USD amount of the cryptocurrency involved at the time of the incident. Due to the fluctuating price nature of cryptocurrencies, the total amount loss might differ with the current token valuations.

Furthermore, the financial data might not fully reflect the true “exploited amount” of the incident. This is especially true for scams where the total scammed amount is usually mixed with an initial base amount injected by the scam project party.

Executive Summary​

1. A total of $62,895,059 was lost across 149 security incidents in 2024
2. This represents a decline of 61% from 2023 total of $162,214,631
3. May saw the most loss, with $20,624,200 across 9 incidents
4. Q4 was the most costly quarter, at $31,399,100 from 88 incidents
5. The most financially damaging attack vector belongs to Hot Wallet Compromise, with $27,040,000 in 6 incidents.
6. BSC ranks 6th in total losses across chains, representing 3% of total loss in Web3. This gave an average loss of $422,114 per incident. The 1st place went to Ethereum, representing 53% of total loss, with $1,075,000,000 in losses in 326 incidents. This resulted in an average loss of $3,297,546 per incident.

Notable developments​

Developments in the Wallet Drainer Scams​

Wallet Drainers are a sophisticated form of fraud that preys on users with low security awareness. These scams often operate under a "Scam-as-a-Service" model, allowing individuals to purchase malicious scripts to conduct their own scam campaigns. The primary method involves tricking users into visiting phishing websites and signing scam transactions with their crypto wallets, leading to the theft of their funds. This technique is not limited to a single blockchain but follows the flow of money across various chains. In 2024, Wallet Drainers continue to run wild, spreading havoc across ordinary users who are not careful in the space. Some of the notable instances include:

• Wallet Drainers have extended their reach beyond EVM chains to include networks like TON and Cardano.
• Scammers continue to focus on high-profile events, such as the Pudgy’s PENGU airdrop, to maximize their impact.
• Compromised data from breaches like MailerLite and LastPass have been used to spread phishing scams.
• Drainers have created fake channels and social media accounts on platforms like Telegram and Discord to mislead users.
• Scammers have developed fake meeting software and used social engineering to trick users into downloading malware.
• Targeting commonly used npm packages in crypto projects, such as Solana/Web3.js and LottieFiles, to compromise multiple projects' front ends.
• DNS hijacking incidents, including the major compromise of Squarespace, resulted in significant impacts on many hosted sites, such as Compound and Celer.

Continued rise of DPRK Scams​

DPRK-affiliated personnel continue to target trending protocols and high-net-worth individuals in the Web3 space. Their tactics include impersonating legitimate employees to compromise projects, exfiltrate sensitive data, and steal funds over time. Notable incidents include the compromises of DMM Bitcoin and WazirX exchanges. Additionally, they exploit non-technical vulnerabilities to compromise large Total Value Locked (TVL) Web3 methods.

Continued rise of Spoofing Scams​

Scammers have adopted a new tactic of sending small amounts of real money to unsuspecting victims. This involves creating addresses with similar endings to those that users normally interact with and sending a few pennies. They monitor the mempool and quickly generate these addresses to follow up on original transactions. This spoofing technique has been observed on multiple non-EVM chains, including Solana (with over $3 million in losses) and Tron. The largest recorded damage was $68 million on Ethereum in May.

Year-over-Year (YoY)​

General​

In 2024, HashDit monitored $62,895,059 funds loss on BSC. The amounts lost to exploits have continued to drop significantly since 2022, continuing the downward trend of 2023, with a YoY 61% decrease in damages, as seen from the figure below.

Figure 1: Total amount stolen funds (in dollars) on BSC over the last 5 years

In total, there were 149 security incidents on BSC, representing a 64% year-over-year decrease from 2023, dropping even lower than the 2022 incident count of 286. The average number of incidents per month decreased from 34 to 12. Figure 2 shows that the increasing trend of security incidents has finally been broken in 2024 on BSC, which could signify a positive sign and turnaround in the space.

Figure 2: Number of incidents on BSC over the last 5 years

Type of attack vectors​

Analyzing the attack vectors trends based on Financial losses, both Hacks and Scams have dropped significantly from 2023, with Hacks accounting for $50.6m (31% decrease) and Scams accounting for $12.1m (86% decrease) in 2024.

Figure 3: Financial losses per attack vector over the last 5 years

In terms of incident count, both Hacks and Scams have also shown a positive reversal trend from 2023, with 123 Hacks (41% decrease) and 25 Scams (87% decrease) in 2024.

Figure 4: Number of incidents per attack vector over the last 5 years

A comparative analysis of the decrease in percentages reveals a significant reduction in both hacks and scams. This positive trend can be attributed to several key factors. Enhanced security measures on the BSC have played a crucial role in mitigating these threats. The implementation of advanced security protocols and continuous monitoring has made it more difficult for malicious actors to exploit vulnerabilities.

Additionally, users are becoming more vigilant and knowledgeable about potential scams. There is a growing awareness among the community about the importance of conducting thorough due diligence (DD) before investing in new projects. This proactive approach by users, combined with the robust security efforts on BSC, has contributed to a safer and more secure environment in the crypto space.

Type of projects​

This chart represents the type of projects that were exploited since 2020.

Figure 5: Security Incidents per type of project over the last 5 years

It is clear that DeFi projects are still the main targets for crypto hackers, with 104 in 2024, still a noticeable drop from 70% decrease from 2023. Many of these projects are relatively obscure and are generally categorized under decentralized finance (DeFi). They typically involve staking or rewards mechanics, which attract users looking for high returns on their investments. Despite their potential for profitability, the lack of visibility and recognition makes these projects more susceptible to risks and scams. As a result, it is crucial for investors to exercise caution and conduct thorough research before engaging with such DeFi projects.

Chain comparison​

The figure below shows the comparison between the chains with the top funds losses to exploits over the last 4 years.

BSC (in green) has shown positive steps, figures dropping significantly since 2021.

On the other hand, Ethereum (in blue) has continued to be the largest hitting chain since 2021, maintaining its lead at the forefront. At the same time, other chains like BTC (in yellow), Blast (in dark blue) and XRP (in light purple) have shown large increases from 2023.

Figure 6: Biggest financial losses across chains over the last 5 years

2024 in focus​

General​

In total, roughly $62.8 million were lost to 149 security incidents on BSC.

Interestingly, when removing the top 3 largest incidents, the total financial loss drops down to just above $30m, a large 52% drop from the total amount loss of 2024. This signifies that most of the damage is still attributed to 1 or 2 large hitting cases.

Figure 7: Amount of stolen funds in dollars excluding the 3 largest incidents

By observing the quarterly and monthly trends below, there are some interesting observations to be made.

Wallet Drainer Analysis​

In 2024, we closely monitored Drainer operations, observing over 500,000 drainer transactions on BNB Chain, resulting in a total loss exceeding $20 million USD.

The most significant incident occurred on December 11, 2024, when a user lost $8.3 million worth of SolvBTC.BBN and SolvBTC tokens to an Angel Drainer address on BNB Chain. Other incidents did not surpass the $1 million mark, with the second-largest being an $833,000 loss in January and another $830,000 loss in July.

For comparison, on Ethereum, the total drainer amount is much more staggering, exceeding $500 million USD combined. The highest single incident involved $55 million worth of DAI tokens stolen in August 2024, with these funds still residing in the scammer's wallets to date.

This highlights the growing need to educate users on security awareness when signing transactions and to adopt more security tools to aid in understanding what they are signing.

Spoofing Analysis​

In 2024, spoofing and address poisoning scams continued to proliferate. We monitored over 30 groups conducting these scams on Ethereum and BNB Chain, resulting in more than $80 million in losses across all chains. Our analysis revealed that most of these groups have a lifespan of less than one month, with the largest groups (those with the most scam funds invested) operating for more than half a year.

These groups employed various tactics, including:

• Using fake tokens that mimic actual funds transferred.
• Sending 0 amounts of the actual funds transferred.
• Sending small amounts of the actual funds being transferred.

These measures were used to deceive victims and execute scams effectively.

Some of the scam profits were exited through non-KYC platforms like Exch and FixedFloat, or they were bridged to other less traceable chains such as Litecoin or Tron.

Quarter-over-Quarter (QoQ)​

1. On BNB Chain, Q4 sees significant increase in fiat losses compared to the rest of the quarters

Fiat losses surged by 121%, rising from $14.2 million in Q3 to $31.4 million in Q4. In fact, it represented nearly half of the total incident losses in 2024. This significant increase was primarily driven by two major incidents in Q4 2024. The first was the Radiant case, which resulted in losses amounting to $17.8 million. The second involved an individual who fell victim to a Drainer incident, suffering losses of $7.8 million. These two events were among the most damaging losses of the year, contributing substantially to the overall increase in fiat losses.

Figure 8: Financial losses across chains over the last 4 quarters in 2024

2. Across all chains in Web3, the overall losses dropped in Q4 as compared to other quarters. This is likely due to increased security education and awareness among users, even though threat actors continue to proliferate in the Web3 space. Enhanced knowledge and vigilance have empowered users to better protect their assets and avoid scams, contributing to the reduction in overall losses.

Figure 9: Chain comparison fund losses in Q4

Month-over-Month (MoM)​

The average monthly loss is calculated to be ~$5.2m, with 9 out of the 12 months being below this average reference line.

Figure 10: Amount of stolen funds in dollars per month in 2024

In those months above the reference line, the significant increase in fiat loss was due to one or two singular, abnormally large security events. For example, in September, there were two major incidents: the BingXOfficial hot wallet compromise for approximately $6.8 million and the CUT2024CUT price manipulation vulnerability for around $1.45 million. This indicates that, on average, losses per incident are relatively small.

Analyzing the trend in the number of security incidents, the chart shows that the number of cases largely peaked in April, September, and November, with the average being around 12 incidents per month.

Figure 11: Number of projects impacted by security exploits

Interestingly, even though April has the one of the highest number of security incidents at 17, the financial loss only stands at $2.7m which is more than half of September’s data. With a nearly similar count at 18, September’s financial loss is more than double, at $9.4m.

Type of attack vectors​

Out of the 149 security incidents, the majority were attributed to hacks, accounting for 82.55%. Scams made up 16.78%, and improper management (operational issues caused by the team's mismanagement) accounted for 0.67%.

Figure 12: Proportion of different type of exploits

This is synchronous with the financial loss of these security incidents. As shown in Figure 12, hacks resulted in a financial loss of $50.6 million, which is significantly more than the $12.1 million loss from scams.

Figure 13: Financial impact measured in dollars comparing different types of incidents

For further analysis of the specific attack vectors, this figure below displays this against the financial loss in 2024.

Figure 14: Proportion of the funds lost comparing the different type of vulnerabilities

A worrying 49.01% of incidents were attributed to Hot Wallet Compromise, where CEXs or protocols were careless with managing security around their privileged accounts or lacked security awareness. This led to threat actors breaching their infrastructure and obtaining keys to drain funds.

The second largest contributor was Phishing among regular users, who might store substantial amounts of funds in hot wallets without being aware of the threats. Clicking on fake sites can lead to fake signatures being generated, resulting in stolen funds.

The third largest contributor was Private Key Compromise within other entities, highlighting the importance of securing keys properly and following proper security guidelines in both Web2 and Web3 environments.

Type of projects​

When focusing on the project type versus financial loss, 48.64% of financial losses are attributed to DeFi projects. The trend of DeFi continues to lead across all major chains, including BSC. However, some developers might not be well-versed in security when writing their smart contracts, leading to investors bearing the brunt of the compromises.

The second most targeted type were individuals at 14.66%, followed by CEX platforms at 13.51%. Individuals continue to be a main target for scammers, especially with the rise in the crypto market bringing in a new wave of investors whose security awareness may not be strong. Wallets and security extensions play a vital role in protecting these users.

CEX platforms also continue to be targets since they hold large amounts of funds. If the keys are not managed and stored safely, they become easy targets for hackers.

Figure 15: Proportion of funds lost comparing the type of project

Conclusion​

In 2024, we observed a notable shift in the landscape of security incidents. While the number and amount of hacks have dropped, scams are on the rise, highlighting the need for users to be more security aware. Phishing remains a persistent threat, and it is crucial for users to stay vigilant against such tactics.

Our HashDit user products, such as the Chrome extension and Snaps, could have potentially prevented over $25 million in losses. We highly recommend these free products to enhance user security. Additionally, our B2B products, including monitoring, auditing, and prevention tools, will continue to serve the top protocols on BNB Chain, protecting them from threat actors.

Malicious actors will continue to lurk in the background, and we are committed to staying ahead of them for the sake of the Web3 community. BSC remains a strong competitor, outperforming Ethereum in terms of daily active users and transactions. Although 2023 showed better performance in terms of total funds lost to exploits, it is undeniable that scammers and hackers will continue to evolve their methods until stricter measures are in place to hold them accountable.

Within HashDit, we will keep improving by:

• Implementing a comprehensive set of stringent audit guidelines that all top TVL projects must meet before deploying significant features on-chain.
• Collaborating promptly with key stakeholders to conduct in-depth root cause analyses on all major incidents, ensuring similar issues are not present in the top TVL projects.
• Working closely and sharing intel within members to identify potentially fraudulent projects at an early stage, particularly those amassing substantial liquidity.
• Monitoring any malicious activities related to hacks and scams vigilantly and transmitting alerts via numerous channels such as Twitter and Telegram to rapidly inform the community.
• Continually extending HashDit’s influence to the community by regularly publishing articles and reports related to hack and scam techniques, strengthening users' knowledge regarding security awareness in the crypto space.

We remain dedicated to protecting the Web3 community and ensuring a safer environment for all users and protocols.

Appendix​

HashDit​

User-Facing Products​

1. HashDit Chrome Extension: The HashDit Chrome Extension provides an extra layer of protection when interacting with websites involving digital assets. It operates between websites and extension-based wallets like TrustWallet and MetaMask, analyzing transactions, identifying risk factors, and alerting users to potential threats.

2. HashDit MetaMask Snaps: The HashDit MetaMask Snaps offers similar protective features as the Chrome Extension, focusing on showing risks when users are on phishing sites or signing risky transactions. While it has fewer functions compared to the Chrome Extension, it still provides essential security alerts to help users avoid scams.

Business-Facing Products

1. Novel Prevention Product: Our novel prevention product can stop hacks in real-time once any previously set invariants are broken. This proactive approach ensures that any deviations from expected behavior are immediately addressed, preventing potential exploits and safeguarding assets.

2. Monitoring: Our monitoring service detects risky events both on-chain and off-chain. On-chain monitoring includes tracking sensitive events such as ownership changes or malicious upgrades, while off-chain monitoring covers social media compromises and DNS hijacks. This comprehensive monitoring allows for quick responses to minimize financial losses, with alerts shared via multiple channels like Twitter and Telegram.

3. Threat Intelligence Product API: The Threat Intelligence Product API provides a wholesale, all-in-one solution that flags risks associated with addresses or URLs in real-time. By gathering and detecting various types of information, this API offers accurate and timely detection of scam/exploit risks, helping businesses stay ahead of potential threats.

Commitment to Security​

HashDit remains dedicated to improving security for both users and businesses in the Web3 community. By implementing stringent audit guidelines, collaborating with key stakeholders, and sharing intelligence, we aim to create a safer environment for all. Our educational efforts continue to equip builders, investors, and users with the knowledge needed to adopt a security-first mindset, ensuring the Web3 ecosystem becomes a safer place for everyone.

Top 10 Incidents​

1. Radiant

   • Attack Vector: Hot Wallet Compromise
   • Damage: $17,800,000
   • Description: Hacker gained signatures of three owners of an 11-threshold multisig. The attacker deployed a malicious contract (0xf0fc) to drain Radiant's lending pool. Devices were compromised with malware, affecting at least three contributors. The malicious implementation continues to drain funds from users who have approved it.

2. User

   • Attack Vector: Phishing
   • Damage: $8,300,000
   • Description: A user (@0xYuanbo) lost ~$8.3m worth of SolvBTC.BBN & SolvBTC tokens to an Angel Drainer address on BSC due to two transfer transactions signed to scam Create2 addresses. Most funds sent to the Drainer Customer were burned by the Solv Protocol.

3. BingXOfficial

   • Attack Vector: Hot Wallet Compromise
   • Damage: $6,840,000
   • Description: On September 20, BingX's technical team detected abnormal network access, suspecting a hacker attack on their hot wallet. Emergency measures were taken, including asset transfer and withdrawal suspension.

4. ALEXLabBTC

   • Attack Vector: Private Key Compromise
   • Damage: $4,300,000
   • Description: Hacker compromised a key and made a malicious proxy upgrade. The Alex deployer account performed five identical upgrades to the “Bridge Endpoint” contract on BNB Smart Chain, resulting in the removal of approximately $4.3 million.

5. BullcoinBSC

   • Attack Vector: Hot Wallet Compromise
   • Damage: $2,400,000
   • Description: Multisig transferred ownership to a compromised address, which later upgraded the contract with a backdoor. At least three of the project's multisig signer addresses were compromised, likely due to centralization of the keys.

6. MEV bot

   • Attack Vector: Lack of Validation
   • Damage: $2,200,000
   • Description: Hacker invoked the fallback function logic with a specific function selector. Funds were bridged to ETH within nine hours of deployment. Executors included the hacker.

7. NFPrompt

   • Attack Vector: Private Key Compromise
   • Damage: $1,500,000
   • Description: Hackers compromised wallets, including those of NFP’s contract administrators, gaining control of victims' funds, including a portion of NFP treasury and ecosystem fund.

8. CUT2024CUT

   • Attack Vector: Price Manipulation
   • Damage: $1,450,000
   • Description: The $CUT token's price protection mechanism was vulnerable to price manipulation. The exploiter gained extra $CUT tokens and sold them, profiting ~$1.4m from the BUSD-CUT pancake pair.

9. Duelbits

   • Attack Vector: Hot Wallet Compromise
   • Damage: $1,100,000
   • Description: The Duelbits crypto casino and sports betting website was drained. The thief accessed a Duelbits wallet, likely through a private key compromise.

10. CoinsPaid

    • Attack Vector: Hot Wallet Compromise
    • Damage: $1,000,000
    • Description: On July 22, CoinsPaid experienced a hacker attack, likely by the Lazarus group from DPRK.

2024 highlights​

• Our Chrome Extension user base grew exponentially, reaching almost 1,000 users, which is a growth of more than 300% from the start of the year.

• We joined partnerships with critical infrastructure platforms in the space, such as 48Club and Token Pocket, to reduce scams and frauds on BNB Chain.

• Released countless tweets to raise user security awareness, covering topics such as spotting fake Pig Butchering sites, identifying phishing scams like Drainers and Spoofers, and numerous other scam warnings. These tweets amassed over 788,000 views and attracted more than 2,400 new followers to our HashDit X account.

Overview​

This report focuses on security events that occurred on BNB Smart Chain (BSC) in Q3 of 2024. It analyzes the types of projects targeted, the common attack techniques used and the financial losses that resulted from the incidents.

Disclaimer​

The financial data provided here is accurate based on our own monitoring system and based on the $USD amount of the cryptocurrency involved at the time of the incident. Due to the fluctuating price nature of cryptocurrencies, the total amount loss might differ with the current token valuations.

Furthermore, the financial data might not fully reflect the true “exploited amount” of the incident. This is especially true for scams where the total scammed amount is usually mixed with an initial base amount injected by the scam project party.

TL;DR​

1. Q3 sees increase in fiat losses compared to Q2

Fiat losses increased by approximately 50%, rising from $9.1 million in Q2 to $14.2 million in Q3. Interestingly, this increase in losses was observed despite a decrease in the number of hacks, with Q3 experiencing 34 hacks compared to 46 in Q2.

2. BSC ranks second in Q3 fiat losses when compared to other chains

In Q3, BSC (Binance Smart Chain) accounted for 2.8% of the total fiat losses across all chains, ranking second. Ethereum took first place, representing 88% of the total fiat losses. In terms of incident count, BSC also ranked second with 27%, trailing behind Ethereum.

3. Price Manipulation and Lack of Validation bugs were the two most substantial types of exploit, with DeFi type of projects being the most targeted

32% of total fund losses were due to price manipulation attacks, often caused by poorly designed smart contracts relying on liquidity pool prices. The second leading attack vector was lack of validation, accounting for 23.53%, due to developers not checking input validation in smart contracts, leading to compromised contracts. Other issues included reentrancy, spoofing, and rug pulls.

Q3 Comparisons​

BSC Comparisons​

YoY Comparison​

When we compare the data with Q3 of previous years, there is a decreasing trend. Q3 financial losses dropped by a large 68% between 2023 and 2024.

This suggests that the security of the BNB Chain has improved significantly over the years.

Figure 1: Q3 financial losses from 2021 - 2024

2024 Q3 vs 2024 other quarters​

Fiat Losses​

Figure 2: Financial losses across the first 3 quarters in 2024

• Q3 have the highest financial losses in a quarter in 2024

• ~50% increase in amount lost to exploits from Q2 to Q3

Number of Incidents​

Figure 3: Number of incidents across the 3 quarters in 2024

In terms of incident count, that number dropped by 26% from Q2 to Q3 to 34 incidents this quarter.

Notable Trends

Q3 accounted for 45.10% of amount losses in 2024 so far

Figure 4: Amount lost to exploits across the previous quarters in 2024

Chain Comparisons​

Q3 Comparison to Other Blockchains​

Figure 5: Proportion of funds loss across all chains in Q3

As seen in Figure 5, BSC accounts for 2.8% of total funds loss and 27% of total incident count. The top chain affected is Ethereum with 88% of the total losses in Q3 of 2024 and 55% of total incident count

QoQ Analysis​

Fiat Losses

Figure 6: Proportion of incidents across all chains from Q1-Q3 in 2024

Noticeably, Ethereum still had the highest number of financial losses in each quarter of 2024 thus far. Generally, Q2 has the lowest amount of losses in 2024 across all chains, although it had security incidents across all chains in that quarter.

Deep Dive on 2024 Q3 Incidents on BSC​

In total, roughly $14.2 million was lost as a result of security incidents on BSC in Q3. As demonstrated by Figure 7, the month with the greatest losses was October which stands at $9.4 million.

Figure 7: Amount of stolen funds in dollars per month in Q3 of 2024

Figure 8 shows the number of projects impacted by exploits in Q3 .

Figure 8: Number of project impacted by exploits

The highest number of security incidents took place in October. In total, there were 34 incidents on BSC in Q3 2024. Similarly in September, there was the highest number of security incidents at 18.

Attack vectors analysis​

Out of the total 34 security incidents, hacks made up 79.41%. The remaining percentage were a result of scams.

Figure 9: Proportion of types of exploits

Proportional to the attack vector count, the financial impact of hacks was greater as well. The total financial loss of hacks was $12.7m and the total financial loss from hacks was $1.4m, as shown in Figure 10.

Figure 10: Financial impact measured in dollars comparing different types of incidents

This might suggest that there is a good emphasis on scam security for general BSC users.

Specific attack vectors analysis​

Figure 11 shows the specific attack vectors and their corresponding financial losses in Q3 of 2024.

Figure 11: Proportion of funds lost across different types of exploits

In Q3, 32% of the total funds loss were attributed to Price Manipulation attacks. This could be due to poorly designed smart contracts relying on the instantaneous price of liquidity pools, making them easier to manipulate with a large swap trade or flash loans by hackers.

The second leading attack vector was Lack of Validation, which accounted for 23.53%. This is still a main cause of concern as we noticed developers not checking for input validation within poor designed smart contracts. This can result in untrusted calls that result in contracts being compromised.

Loss by Project Type​

When comparing the project type against financial loss, 61.76% of financial losses were attributed to DeFi projects.

The second most targeted type was Unknown contracts at 11.76% which are obscure and unknowing contracts, where their project name could not be identified. This is followed by Individuals at 11.76% which are likely a result of general users being scammed.

Figure 12: Proportion of funds lost against the type of project

The large proportion of fiat losses associated with DeFi projects suggests that DeFi remains the most common type of crypto project on BSC. It also shows how important it is for users to only invest in reputable and well audited projects, and for developers to take precautions for Price Manipulation and Lack of Validation issues.

At the same time, the constant trend of Individuals getting scammed should serve as a critical reminder for users to only sign transactions that they understand and use security plug-ins where suitable.

Top 10 Incidents in Q3 of 2024​

The following were the top 10 security incidents in terms of financial losses in Q3 of 2024.

Figure 13: Top exploits measured in dollars in 2024 Q3 on BNB Smart Chain

BingXOfficial - $6.8 Million Loss​

Attack type: Hot Wallet Compromise

On September 20, 2024, BingXOfficial, a centralized exchange (CEX), experienced a security breach in its hot wallet across multiple chains. On the Binance Smart Chain (BSC), the impact was approximately $6.8 million.

The root cause of the security breach at BingX was likely related to unauthorized access to the exchange's hot wallet. Since hot wallets are connected to the internet, they are inherently more vulnerable to cyberattacks.

MEV Bot - $2.2 Million Loss​

Attack type: Internal Breach

On August 22, 2024, an unknown MEV bot was compromised, resulting in a loss of approximately $2.2 million.

Typically, this MEV bot contract is designed to exploit price differences in liquidity pools. However, the vulnerability in this case was due to a lack of validation of the pool contract supplied within the victim contract. This allowed the attacker to use a fake pool contract to perform a "swap," tricking the contract into transferring funds to the attacker's contract.

Interestingly, only Executors can call the vulnerable function, and the hacker was one of the validated addresses added during the setup. This suggests that an internal breach could be a likely scenario in this case.

CUT2024CUT - $1.4 Million Loss​

Attack type: Price Manipulation

On September 10, 2024, CUT2024CUT, a token DeFi project, was exploited due to a price manipulation attack, resulting in losses exceeding $1.4 million USD on the Binance Smart Chain (BSC).

The CUT project had implemented a vulnerable reward calculation system that depended on the pool reserves. This vulnerability allowed attackers to deplete the liquidity pool (LP) reserves.

User - $1.07 Million Loss​

Attack type: Phishing

Throughout this quarter, we detected multiple instances of users falling victim to phishing attacks, resulting in total losses exceeding $1.07 million.

Two primary types of phishing transactions were observed:

1. Wallet Drainers: Scammers trick users into visiting phishing websites, where they are then deceived into signing transactions that transfer funds directly to the attackers.
2. Spoofing Cases: Users are deceived into transferring funds to a recipient that appears to be legitimate but is actually a copycat.

UPS - $0.52 Million Loss​

Attack type: Price Manipulation

On July 21, 2024, the UPS project was compromised, resulting in a loss of approximately $0.52 million worth of funds.

The root cause of the hack was a vulnerability in the UPS token's transfer mechanism. When transferring tokens to a PancakeSwap pair, the UPS token burns tokens at the pair and calls the "sync" function. The hacker exploited this mechanism to reduce the UPS reserves in the PancakeSwap pair, causing a reserves imbalance. As a result, the UPS reserve became very small, allowing the hacker to drain BUSD from the pair using only a few UPS tokens.

Unknown Token Stake - $0.35 Million Loss​

Attack type: Price Manipulation

On August 6, 2024, an unknown Token Stake contract was exploited due to a price manipulation attack, resulting in a loss of $0.35 million.

The root cause of the exploit was the Token Stake contract's reliance on an instantaneous price oracle. This made it susceptible to price oracle manipulation, allowing the attacker to profit from the Token Stake contract.

XMM - $0.29 Million Loss​

Attack type: Price Manipulation

On September 14, 2024, the XMM project was hacked, resulting in a loss of approximately $0.29 million.

The hacker exploited a flaw in the transfer function that allowed the recipient to mint tokens. This vulnerability enabled the hacker to mint a large amount of XMM tokens at the start of the attack, allowing them to profit by dumping the tokens into the liquidity pool.

Bankroll - $0.23 Million Loss​

Attack type: Business Logic Vulnerability

On September 23, 2024, the Bankroll DeFi project was attacked due to a business logic vulnerability, resulting in a loss of approximately $0.23 million.

The root cause of the attack was a flaw in the BuyFor function, which allowed the invoked contract to be used as the customerAddress. This vulnerability enabled the attacker to transfer WBNB back into the victim contract, inflating the profitPerShare_ value significantly in the distribute routine.

Truflation - $0.23 Million Loss​

Attack type: Malware Scam

On September 25, 2024, the Truflation project, a decentralized infrastructure project, was exploited for approximately $0.23 million due to a malware scam.

The project's multisig wallet had a 1 out of 1 threshold, making it highly vulnerable. The holder of the private key was easily compromised through malware as a result of social engineering. This allowed the malicious actor to scam the team into transferring funds to their account.

Unknown project - $0.2 Million Loss​

Attack type: Reentrancy

On September 25, 2024, an unknown project was exploited for approximately $0.2 million. The root cause was identified as a reentrancy vulnerability.

Interestingly, after the initial attack transaction, the deployer invoked the victim contract's emergencyWithdrawUSDT function multiple times, each for a small amount rather than withdrawing all the funds at once. This allowed the attacker to make small, repeated profits.

Conclusion​

Below we have some final tips for investors and developers:

For investors:​

1. Understand What You're Signing: Never blindly sign random signatures or transactions. Always ensure signatures are from official websites.
2. Verify Official Websites: Double-check that you are on the official website of the DApp.
3. Exercise Caution with New/Trending Projects: Be wary of projects that guarantee high APYs or use MEV bots. Always verify the project team’s authenticity.
4. Use Multiple Wallets: Utilize different wallets for various activities—hot wallets for frequent transactions and cold wallets for storing high-value funds.
5. Interact with Open-Source Contracts: Ensure you are interacting with open-source contracts and revoke approval once the interaction is complete.
6. Check Risk Warnings: Use tools like Metamask Snaps and HashDit Extension to check risk warnings of transactions.
7. Heed Warnings on Trust Wallet and PancakeSwap: Pay attention to warnings about phishing sites, malicious contracts, and dangerous tokens. If flagged as high risk, it is strongly advised to stay away.

For BNB Chain Developers:​

1. Verify & Open-Source Contracts: Ensure all relevant contracts are verified and open-sourced on-chain to maintain transparency and trust.
2. Conduct Audits: Have the project audited by at least two well-known security companies and address all identified issues, including newly added code.
3. Implement a Bug-Bounty Program: Encourage the community to help maintain the security of the code by offering rewards for identifying vulnerabilities.
4. Prioritize Security: Run sufficient testing, stress-testing, and simulations for scenarios such as adverse token price fluctuations and edge cases.
5. Prevent Centralization Risks: Use multi-signature wallets instead of a single EOA wallet for operations.
6. Minimize Contract Upgradeability: Limit contract upgradeability and apply changes only when necessary.
7. Secure Fund Storage: Ensure funds are stored securely through proper key management and fund distribution.
8. Implement Safeguards: Formulate an incident response plan and introduce time locks or pausing mechanisms within smart contracts to mitigate the impact of hacks.
9. Monitor System Parameters: Continuously monitor system parameters, such as the exchange rate of tokens.

About Hashdit​

HashDit’s core mission is to provide the essential threat intelligence for the everyday crypto investors to make informed decisions. Our methodology includes a variety of automated and manual techniques to evaluate a DApp project.

Hashdit Products:

• HashDit extension: A chrome web extension which utilizes the HashDit API to warn users for potential risky urls and risky addresses. HashDit’s pop-up warning window is displayed on the frontend to immediately alert users to take extra caution.
• Risk assessment: All-in-one collection of security rating framework, auto-scan tools, and corresponding APIs, which are able to deliver accurate detection for potential risks based on an address / dApp / transaction / signature. This is integrated with core platforms like Trust Wallet and PancakeSwap, to leverage their reach and protect more users.
• Audit service: Comprehensive code audits following extensive and detailed best practices for smart contracts and discovering code loopholes/security vulnerabilities before they are deployed on-chain, guaranteeing users’ safety on BSC.
• Monitoring: The combination of real-time on-chain monitoring, off-chain social media monitoring, and public alerts via Twitter makes this service a valuable tool for enhancing security and awareness in the blockchain space. By detecting sensitive events and compromised social media accounts early, we can quickly respond to minimize financial losses and provide immediate guidance for account recovery. This comprehensive approach ensures that both financial transactions and communication channels are protected, helping to build transparency and trust within the community.
• Prevention: Transaction Prevention Solution, a proactive defense strategy for threat detection and handling. This solution enables project teams to promptly address attacks, control fund disposal, secure user assets, and establish a robust multi-layer protection system. It currently includes four strategies that can be used in combination, aiming to provide a comprehensive risk recognition and risk disposal transaction prevention system
• Education: The goal is to share security knowledge for builders, investors and users in the Web3 community. With all the players in the industry equipped with the security knowledge needed and adopting a security-first mindset, only then will the Web3 ecosystem be a safer place for everyone.

If you have any doubts or concerns about a specific project, contract address, transaction, or risk score, please do not hesitate to reach out to our team for assistance.

Hashdit 2024 BNB Smart Chain (BSC) H1 Security Report

Overview​

This report focuses on security events that happened on BSC in 2024 H1, analyzing the type of projects targeted and sharing the common attack techniques used in 2024 H1, with respect to the financial loss of the incidents.

Disclaimer​

The financial data provided here is accurate based on our own monitoring system and based on the $USD amount of the cryptocurrency involved at the time of the incident. Due to the fluctuating price nature of cryptocurrencies, the total amount loss might differ with the current token valuations.

Furthermore, the financial data might not fully reflect the true “exploited amount” of the incident. This is especially true for scams where the total scammed amount is usually mixed with an initial base amount injected by the scam project party.

2024 H1 in focus​

General​

In 2024 H1, approximately $17.29 million were lost to 73 security incidents on BSC. By observing the monthly chart below, the months with the top amount loss were May, March followed by January. The highest number of security incidents took place in April at 17.

Figure 1: Amount of stolen funds in dollars and number of incidents per month in 2024 H1

Against other chains​

Figure 2: Financial Loss and number of exploits across chains for 2024 H1 (Smaller chain incidents are grouped under “Others”)

In the first half of 2024, BSC recorded $17.29 million in losses across 73 incidents, accounting for 1.4% of the total losses. Among all blockchains, BSC ranked 8th in terms of financial losses and 2nd in the number of exploits.

In contrast, Ethereum experienced the highest losses and the greatest number of attacks. Continuing the trend from 2023, Ethereum remained the blockchain with the largest loss amount in the first half of 2024. There were 208 exploits on Ethereum, resulting in $535 million in losses, which represented 43% of the total losses.

With H1 previous years​

When we compare the data with H1 of previous years, there is a decreasing trend of financial losses (excluding 2020), which can signify that the security posture of BNB Chain has improved over the years.

Figure 3: Financial Loss across the previous H1 of 2020 - 2024

In 2021, the decentralized finance (DeFi) market experienced unprecedented growth, with numerous protocols launching without adequate security measures. This lack of security awareness allowed malicious actors to exploit vulnerabilities.

Since then, there has been a stronger emphasis on security for DeFi protocols, leading to a significant reduction in impactful exploits. As a result, financial losses in the first half of 2024 dropped by 83% compared to the same period in 2023 ($101 million), marking a substantial improvement. Attack vectors analysis

Out of the 73 security incidents, hacks take up 80.82%, while 19.18% are scams.

Figure 4: Proportion of different type of exploits

This correlates to the financial loss of hacks and scams in the first half of 2024. The total financial loss of hacks ($14.9m) is nearly 7x that of notable scams ($2.3m), as shown below in Figure 5 below.

Figure 5: Financial impact measured in dollars comparing different types of incidents

Specific attack vectors analysis​

Figure 6 displays the specific attack vectors against its number of exploits in 2024 H1.

Figure 6: Proportion of the funds lost comparing the different type of vulnerabilities

Looking at the breakdown of attack vectors, 35% of the attacks were attributed to price manipulation vulnerabilities. The second most common attack vector was due to a lack of validation, while the third most common attack vector was private key compromise, accounting for 8.15% of the attacks.

Loss by Project Type​

When focusing on the project type vs financial loss, 32.87% of financial loss are attributed to DeFi projects.

The 2nd most project type targeted was Bridge projects at 29.61%, followed by CEX or Centralized Exchanges at 9.57%.

Figure 7: Proportion of funds lost comparing the type of project

Top 10 incidents in 2024 H1​

The following were the top 10 security incidents in terms of financial loss in 2024 H1.

Figure 8: Top exploits measured in dollars in 2024 H1 on the BNB Smart Chain

The top 10 exploits resulted in a total loss of $12.98 million. Notably, 7 out of these 10 incidents were due to private key compromises, which collectively accounted for $9.91 million, representing a significant 76% of the total losses. This highlights a concerning trend in the nature of exploits, emphasizing the critical need for enhanced security measures to protect private keys.

AlexLabBTC - $4.3 Million Loss​

Attack type: Private key compromise

On May 15, the AlexLabBTC bridge on Binance Smart Chain (BSC) was compromised. The attacker gained control of the bridge upgrader role's key and executed a malicious proxy upgrade. This upgrade introduced a harmful withdrawal method, which allowed the hacker to drain the bridge's funds.

User - $1.54 Million Loss​

Attack type: Social Engineering and Phishing

In the first half of the year, users on Binance Smart Chain (BSC) have incurred losses amounting to at least $1.54 million in cryptocurrency. These losses are predominantly attributed to social engineering and phishing attacks, which have been disseminated through fake social media accounts, fraudulent websites, and phishing emails. A significant contributor to these attacks is Inferno Drainer, a malicious wallet drainer that specifically targets and steals funds from ordinary users.

NFPrompt - $1.5 Million Loss​

Attack type: Private key compromise

On March 14, NFPrompt, a DeFi protocol, experienced a security breach. The attack targeted one of its Swap contracts containing USDT and NFP. The hacker compromised the owner's private key, enabling them to invoke an owner-privileged withdrawal function. This allowed the attacker to retrieve all the funds held in the contract.

Duelbits - $1.1 Million Loss​

Attack type: Hot wallet compromise

On February 14, the gambling platform Duelbits was attacked, resulting in the theft of approximately $1.1 million worth of cryptocurrency. The stolen funds were subsequently bridged to Ethereum and deposited into Tornado Cash. The primary cause of the breach was the compromise of a Duelbits hot wallet.

CoinsPaid - $1.0 Million Loss​

Attack type: Hot wallet compromise

On January 6, the cryptocurrency exchange CoinsPaid was attacked, resulting in the theft of approximately $1 million worth of BNB funds.

XBridge - $0.82 Million Loss​

Attack type: Wrong Proxy Upgrade

On April 24, XBridge, a product of SaitaChainCoin, was attacked, resulting in a total loss of approximately $0.82 million. The breach occurred due to the project team introducing an incorrect mapping, which allowed anyone to assume a privileged role and withdraw tokens from the bridge contract.

PolyhedraZK - $0.76 Million Loss​

Attack type: Private key compromise

On March 13, PolyhedraZK, an infrastructure project, was compromised, resulting in a loss of approximately $0.76 million. The hacker gained control of the key for the bridge upgrader role and executed a malicious proxy upgrade. This upgrade introduced a malicious withdrawal method, allowing the attacker to drain the bridge funds.

FinanceChainge - $0.71 Million Loss​

Attack type: Lack of validation

On April 15, FinanceChainge was attacked, resulting in a loss of $0.71 million. The breach was primarily due to a validation bug in a contract, which allowed the hacker to steal approved funds.

BitForex - $0.66 Million Loss​

Attack type: Hot wallet compromise

On February 26, the cryptocurrency exchange BitForex was compromised, resulting in the theft of approximately $0.66 million worth of funds.

SerenityShield - $0.59 Million Loss​

Attack type: Private key compromise

On February 27, the infrastructure project SerenityShield had one of its hot wallets compromised, which resulted in approximately $0.59 million worth of funds stolen.

Conclusion​

In the first half of 2024, total losses caused by hacks, phishing scams, and rug pulls dropped to $17.2 million, compared to $101 million in the same period in 2023. This significant reduction indicates an overall improvement in the security situation on Binance Smart Chain (BSC).

In 2023, the most damaging attack vector was rug pulls. However, in 2024, the most damaging attacks have shifted to price manipulation. This change underscores the critical need for web3 projects to avoid reliance on the instantaneous price of liquidity pools and not depend solely on the balance of tokens in a contract. It is essential to consider the risks associated with flash loans and direct transfers that can impact token prices. To enhance security, projects should consider using entity oracles like Chainlink for a secure price feed.

Below we have some final tips for investors and developers:

For investors:

1. Understand What You're Signing: Never blindly sign random signatures or transactions. Always ensure signatures are from official websites.
2. Verify Official Websites: Double-check that you are on the official website of the DApp.
3. Exercise Caution with New/Trending Projects: Be wary of projects that guarantee high APYs or use MEV bots. Always verify the project team’s authenticity.
4. Use Multiple Wallets: Utilize different wallets for various activities—hot wallets for frequent transactions and cold wallets for storing high-value funds.
5. Interact with Open-Source Contracts: Ensure you are interacting with open-source contracts and revoke approval once the interaction is complete.
6. Check Risk Warnings: Use tools like Metamask Snaps and HashDit Extension to check risk warnings of transactions.
7. Heed Warnings on Trust Wallet and PancakeSwap: Pay attention to warnings about phishing sites, malicious contracts, and dangerous tokens. If flagged as high risk, it is strongly advised to stay away.

For developers:

1. Verify & Open-Source Contracts: Ensure all relevant contracts are verified and open-sourced on-chain to maintain transparency and trust.
2. Conduct Audits: Have the project audited by at least two well-known security companies and address all identified issues, including newly added code.
3. Implement a Bug-Bounty Program: Encourage the community to help maintain the security of the code by offering rewards for identifying vulnerabilities.
4. Prioritize Security: Run sufficient testing, stress-testing, and simulations for scenarios such as adverse token price fluctuations and edge cases.
5. Prevent Centralization Risks: Use multi-signature wallets instead of a single EOA wallet for operations.
6. Minimize Contract Upgradeability: Limit contract upgradeability and apply changes only when necessary.
7. Secure Fund Storage: Ensure funds are stored securely through proper key management and fund distribution.
8. Implement Safeguards: Formulate an incident response plan and introduce time locks or pausing mechanisms within smart contracts to mitigate the impact of hacks.
9. Monitor System Parameters: Continuously monitor system parameters, such as the exchange rate of tokens.

Hashdit is a leading Web3 security firm dedicated to monitoring and protecting against hacks and scams. Our mission is to deliver top-tier products that safeguard users and assist developers within the Web3 space.

If you have any doubts or concerns about a specific project, contract address, transaction, or risk score, please do not hesitate to reach out to our team for assistance.

Introduction​

Gas Mint Scams are not new on BSC. They have been documented relatively well on Web3 newsletters and by security companies in the space. However, we noticed that scammers are recently changing some of their techniques, hence we decided to write this blog to offer more understanding of this scam.

Recap​

This is how the scam typically work:

1. A user notices an unknown airdropped token in his wallet, usually it mimics a valuable or well known token like USDT. In other cases, it might be the latest trends like Friend.Tech.
2. He then proceeds to “approve” it to a DEX router such as PancakeSwap, in hopes of selling it for a profit. Subsequently, he tries to swap it on the DEX but to no avail as the transaction reverts. But didn’t he already grant approval for the DEX?
3. At the same time, he notices that the token is still in his wallet and he lost some BNB as well. He was scammed!

What actually happens is that when the user interacts with the unknown token at step 2, the token inadvertently took his gas provided in the transaction to create gas tokens. Furthermore, the gas requested in the transaction will be at unusually high costs.

1 popular instance of gas tokens on BSC is the CHI Gas token, you can refer to this link here for more information. Essentially, they are tokens that utilize the “gas refund” feature of the EVM that allows refunds when clearing storage. This allows users to mint gas tokens when fees are low, and burn them when fees are high, effectively "locking in" the lower fee.

In other words, the victim is minting CHI Gas tokens for the scammer so they can reduce their gas costs in future transactions.

New variations of the scam:

1. Other common ERC20 methods invoke the same scam. For e.g, trying to move the token using the “transfer” method will lead to users invoking the minting too.
2. Recently, we noticed that scammers now prefer to mint XEN tokens with the victim’s gas during the transaction.

For context, XEN is a social mining project based on a Proof of Participation mechanism. XEN tokens are minted using gas as well, and the tokens can only be claimed after a waiting period. XEN tokens do have value in the secondary market. Therefore, scammers can profit by gaining these XEN tokens from you and dumping them later.

3. Creating fake approvals. This is not exactly new but we would like to elaborate more on how it works.

Revoke product platforms like Bscscan or Debank naively log all approval events related to your wallet. Then, they are displayed nicely in a dashboard for you to see. However, the issue is that approval events can actually be faked by the scammers.

Let’s look at this example: BscScan approver check:

On first glance, it looks like this user has multiple unlimited allowance for their tokens. However these are all not real (the token and the approval). This is my 1 instance of a Fake approval transaction https://bscscan.com/tx/0x3c3f16b418e6dcc39f03628f288d9aaba1a3cbb2e1843d92d651b61625329a95#eventlog

There are 1000 falsified approvals in just 1 transaction!

Looking into each of them, we can see that the token address is fake!

The fake token here mimics the INJ token and might appear to be be verified contract. However, it is actually a proxy contract, which points to an unverified logic contract here: 0x54d1527668bd83f719b5414141a912cbbda55382 (This is where the scam logic is) The real INJ token address is 0xa2b726b1145a4773f68593cf171187d8ebe4d495. *Notice that the token address prefix and suffix are scarily similar to trick victims.

Current landscape of scammers’ methodologies​

Understanding when and how scammers create these scam opportunities will help us be more familiar and to better avoid them.

1. Cast a wide-net

   • By airdropping fake notable tokens like USDT or USDC to victims’ wallets

   • Then by creating fake approval transactions for fake notable tokens like USDT or USDC, which are displayed on revoke pages like Bscscan.

2. Wait for specific events

   • A hack event happened, airdrop / create fake approval transactions for the related hack project token / spender, so that users will ‘revoke’ them. For example, a particular project named "A" has been hacked, the scammers will mint and create a fake approval with a fake token "A" to the real "A" holders. As users are taught to revoke access for their "A" tokens, they see that there is an approval for the fake token "A" as well, promptly getting scammed of their gas.

For all cases, scammers ensure that the gas provided is enough to mint the scammers’ desired amount of CHI gas tokens or XEN tokens. I.e if the gas is too low, the scam transaction will likely revert.

Security Recommendations from HashDit​

1. Do not touch any new unknown tokens. These tokens might appear to have value based on a liquidity pool the scammer created. Do not fall for it!
2. Always check the token address for legitimacy. You can cross reference this with platforms like CoinMarketCap.
3. The underlying scam technique requires an unusual high gas cost, hence this is a major red flag if seen on the transaction page.
4. Use revoke.cash. The platform uses heuristics to filter out fake approvals. Keep in mind this is not 100% so you should still pay attention.

HashDit is actively tracing and blacklisting these scam addresses on our HashDit API. Do download the HashDit chrome extension to safeguard yourself in the future!

We hope that this blog helps educate you on this Gas Mint scam so that you can stay safe in this space. Final security takeaway: do not sign any transactions if you do not know what it does.

Feel free to consult us at our email support@hashdit.io if you have any other queries.

Introduction​

According to Hashdit, the amount of losses on BNB Smart Chain (BSC) in August 2023 have greatly decreased compared to July.

In August, there were over 27 typical security incidents, with a total loss of approximately $4.5 million, a decrease of about 60% compared to July.

In general, the data has trended downwards from July to August, which is a good sign.

The total amount involved in Hack incidents dropped to $507k from $4.7 million, a decrease of about 89% compared to July. The total amount involved in Scam incidents dropped to $4 million from $6.8 million, a decrease of about 40% compared to July.

The number of Hacks decreased to 4 from 19, a 78% decrease from July. The only data that trended upwards was the number of Scams increased from 13 to 23, a 76% increase from July.

Figure 1: Comparisons between July (Blue) and August (Red) in terms of Amount Loss ($$) and Number of Incidents

The largest security incident this month occurred with a fake LayerZero token, resulting in a loss of approximately $1 million. There has been an increase in exit scam incidents this month, with notable cases including a $680k rugpull by the NFT_SalesRoom (ASN) team. Additionally, there has been an increase in fake tokens that conducted a rugpull such as 2 Fake $CIRCLE tokens, 1 Fake $Zksync token and 1 Fake $X token.

Security Control Improvements in the BSC Ecosystem​

1. HashDit has integrated its security API with Prominent and Leading brands on BSC such as PancakeSwap, TrustWallet, BscScan to improve the security control across the ecosystem.

• @PancakeSwap: Auto-scans tokens & displays risk scores

• @TrustWallet: Notifies users of high risks before transactions

• @bscscan: Displays risk warnings in the explorer

2. New risks flagged in RedAlarm

A total of 319 dApps and 64 addresses were added to Hashdit's RedAlarm in August alone. This amounts to a total of 1679 smart contracts on RedAlarm currently.

Word of Advice​

With the current trends in the BSC security landscape, Hashdit advices the community to:

1. Do Your Own Research (DYOR) before participating in any trending projects to mitigate the risk of financial losses, especially when the token name and symbol is an impersonation of the real token.
2. Place greater emphasis on security, adopt a Zero-Trust security mentality and be careful of phishing scams

Meanwhile, HashDit promises to continue to keep the BSC community and its users safe!

This report delves into the security events occurring on BNB Smart Chain (BSC) during 2023 H1. It analyzes the types of projects that were targeted and whether they shared common attack techniques. Additionally, the report examines the financial implications of these occurrences.

Disclaimer​

The financial data presented in this report has undergone thorough verification through our internal monitoring system, ensuring its accuracy. The data is derived from the $USD valuation of the cryptocurrency at the time of the incident. It's important to note that due to the inherent volatility of cryptocurrency prices, there may be variations in the total amount lost based on current token valuations.

Furthermore, the financial data might not fully reflect the true “exploited amount” of the incident. This is especially true for scams where the total scammed amount is usually mixed with an initial base amount injected by the scam project party.

BSC Innovations​

The first half of 2023 has been an exciting journey for BNB Smart Chain (BSC), marked by continuous innovation and the tireless efforts of the BNB Chain team in crafting and advancing cutting-edge technologies.

Just to name a few in H1:

• The Greenfield Testnet went Live: The Greenfield testnet, is an open-source project aimed at providing a scalable and efficient data availability layer for decentralized applications (dApps).

• Reduced Transaction Costs: Following extensive discussions, BSC validators have lowered transaction costs from 5 Gwei to 3 Gwei. This reduction in fees will help drive network adoption, making BNB Chain an even more attractive platform for developers and users.

• BSC Validators Self-Stake Update: Thanks to an on-chain governance proposal, validators significantly reduced the cost to become a BNB Smart Chain validator, fostering a more diverse and robust ecosystem. This change greatly benefits the community by improving entry cost to be a BSC validator. Self-Staked moved from 10,000 BNB to 2,000 BNB.

• BNB Chain exhibited a significant rise in market share, demonstrating steady growth in the percentage of verified smart contracts. Its market share increased from 38% at the beginning of Q2 to 45% by the end of H1. This performance underscores BNB Chain's dominance and the high level of trust placed in its infrastructure by developers and users.

Figure 1: Number of contracts verified weekly across chains (Refer to the Red box for 2023 H1 data)

• opBNB and zkBNB: These dynamic layer 2 solutions are poised to revolutionize the BNB Chain ecosystem by further enhancing the capabilities of BNB Chain’s ecosystem; offering developers a boundless horizon to pioneer groundbreaking advancements.

[Refer to the blogs 1, 2 released by BNBChain for more information]

2023 H1 in focus​

General​

A comprehensive overview reveals that security incidents on BSC resulted in an aggregate loss of nearly $101.84 million. An examination of the monthly breakdown highlights notable patterns. Specifically, the months of May, March, and June emerged as pivotal periods, witnessing the highest recorded losses.

Figure 2: Amount of stolen funds in dollars per month in 2023 H1

This chart shows the number of projects impacted by exploits in 2023 H1.

Figure 3: Number of different project impacted by exploits

In total, there were 199 incidents on BSC.

As seen in Figure 3, the highest number of security incidents took place in June.

Comparison with H1 previous years​

When we compare the data with H1 of previous years, there is a decreasing trend, which can signify that the security posture of BNB Chain has improved over the years.

Figure 4: Financial Loss across the previous H1 of 2020 - 2023

Type of attack vectors​

Out of the 199 security incidents, hacks took up 66.3%, 33.2% were scams. However, 1 particular incident (0.5%) was a white-hat hack. The white-hat hack is related to a Hashflow project, where an old contract had an Open Approval, this means that any users that have approved funds to the victim contract can have his existing funds stolen.

Figure 5: Proportion of different type of exploits

However, it is interesting to note that even when the number of hacks are nearly doubled to that of scams, the financial impact of hacks were less significant than the ones related to the scams. The total financial loss of hacks ($35m) was nearly half of the loss to scams ($66m), as shown below in Figure 6 below.

Figure 6: Financial impact measured in dollars comparing different types of incidents

The observed trend potentially signifies an escalating presence of scammers within the crypto space. Their tactics continuously evolve, challenging users' vigilance. Furthermore, smaller, lesser-known projects may exhibit comparatively lower emphasis on security measures. This underscores the pressing need for heightened awareness and diligence across the ecosystem to safeguard against emerging threats.

Specific attack vectors​

Figure 7 displays the specific attack vectors against its financial loss in 2023 H1.

Figure 7: Proportion of the funds lost comparing the different type of vulnerabilities

Looking at the breakdown, the most common loss of funds was attributed to Rugpulls (25%), while the second most common attack vector was due to Reflection Vulnerability. Several token smart contracts deployed on BSC utilize the Reflection mechanism for token holders to gain dividends, however the reflection implementation might be flawed, leading to its liquidity pool being drained by malicious actors. The third most common attack vector was Price Manipulation at 8.2%. This is common as well since poorly designed smart contracts rely on the instantaneous price of liquidity pools, and hence can be easily manipulated by a large Swap trade or Flash Loan by hackers.

Type of projects​

When comparing the types of project with the observed financial loss, a whopping 98.8% of financial loss were attributed to DeFi projects. The second most common type of projects that were targeted wasBridge projects at 0.6%, followed by GameFi and Metaverse projects at 0.3% and 0.2% respectively.

Figure 8: Proportion of funds lost comparing the type of project

With a large proportion of fiat loss associated with DeFi projects, this that DeFi projects are still the most common type of crypto project in the space. At the same time, it shows how important it is for users to only invest in reputable and well audited projects, and to stay clear of potential rugpulls and vulnerabilities.

Top 10 incidents in 2023 H1​

The following were the top 10 security incidents in terms of financial loss in 2023 H1.

Figure 9: Top exploits measured in dollars in 2023 H1 on the BNB Smart Chain

Fintoch - $31.6 Million Loss​

On 25-May-2023, Fintoch, a Ponzi platform was reported to have rugpulled $31.6 million USD. The funds were since bridged to multiple addresses on Tron and Ethereum. Its users reported that they could not withdraw their funds.

Fintoch advertises themselves as a blockchain financial platform built by Morgan Stanley, and users can get 1% return on investment every day. The team’s page on the Fintoch website refers "Bobby Lambert'' as their CEO, when in fact he did not exist and was, in fact, a paid actor. Earlier, the Singaporean government and Morgan Stanley both issued warnings about this “investment plan”.

ippswap - $14.5 Million Loss​

On 26-May-2023, a scam project, ippswap was found to have rugpulled $14.5 million USD. The ippswap project executed a concerning action by exploiting a privileged backdoor method, takeToken(), within the staking contract. This unauthorized maneuver allowed the project party to transfer IPPSwap LP Tokens, which had been staked by users, directly to their own account. Liquidity was then subsequently removed using the above LP tokens to gain $14,535,741.86 USDT.

Some of the USDT funds flowed onto Binance exchange where the funds have been frozen by the Binance team.

Safemoon - $8.9 Million Loss​

The Safemoon project was exploited for $8.9 million USD on 29-Mar-2023. The Safemoon liquidity pool was compromised after a code upgrade introduced a bug, a public burn() function. The hacker was able to burn the SFM tokens in the liquidity pool, artificially inflating the price of the SFM tokens, and then sold sufficient tokens to wipe out all the WBNB in the pool.

On April 20, the SafeMoon attacker returned 80% of the stolen funds, and transferred 21,804 BNB (approximately $7.2 million) to the SafeMoon vault wallet, taxing the remaining 20% as a bounty.

SwapX - $7.3 Million Loss​

SwapX, a DeFi project, faced an Open Approval issue starting from 27-Feb-2023, resulting in users losing more than $7.3 million USD. Users of BSCex / SwapX, a DEX on BNB Chain, had their funds stolen from their wallets. Vulnerabilities were found in four old contracts (deployed on Jan. 2021, May. 2021, July 2021, and Oct. 2021) belonging to the DEX. Many users still have active approvals to these contracts, even though they have not used it for a long time. Affected users remain at risk as long as they have not revoked their approvals.

Atlantis Loans - $3.5 Million Loss​

On 12-June-2023, Atlantis Loans faced a malicious Governance proposal takeover, coupled with the abandonment by the core team whichresulted in ~$3.5 million USD loss. On April 12, its official TG channel was deleted and a backup channel was created instead, with multiple users of the community claiming that the project had been abandoned and that they are trying to build it up again. A malicious proposal was then submitted to take over the core contracts of Atlantis Loans which was successfully shut down by the new project party.

However, a similar proposal was submitted on June 12, and was not blocked this time, which resulted in the hacker stealing funds from users that have approved the Atlantis Loans core contracts.

$FUT - $2.7 Million Loss​

Early this year on 4-Jan-2023, the $FUT project team conducted a rugpull for $2.7 million USD. The project party was able to invoke the privileged function withdrawSushiReward() of the Masterchef contract to transfer all the FCS to another controlled wallet. He then subsequently swapped all his FCS for $FUT before exiting for USDT. Once again, this shows the risk of over-centralization by the project party, as they have too many privileges and can easily backdoor funds from users.

Circulate - $2.3 Million Loss​

On 12-Jan-2023, the Circulate Ponzi managed to scam around $2.3 million USD from users. The CirculateBUSD and CirculateWBNB contracts promised users high APR by depositing funds with them. When users deposit funds, they invoke the startTrading() method of the contract, this in turn calls a third party dependency: SwapHelper contract which is unverified. However, upon decompiling the code, we noticed that there was a hardcoded condition that when the contract reached $2m of staked funds, the funds will be immediately transferred to a designated project team’s address.

Although it is currently unknown how the scammer in this incident was able to get large investment into their recently created contracts (~2 days), it is highly likely that the contracts were scams from the beginning due to design bugs in the SwapHelper contract. On the whole, third party dependencies in smart contracts present a security risk. Whilst reliance on third parties such as the use of oracles is sometimes unavoidable, developers should avoid these dependencies as much as possible.

YieldRobot - $2.1 Million Loss​

On 17-Jan-2023, YieldRobot scammed users of around $2.1 million USD. For context, YieldRobot is a De-Fi protocol which promises to give yield for users that deposit BUSD. Two days prior to the incident, the YieldRobot contract deployer wallet set the signer to a new EOA (0x3f531). The signer address is needed to approve the redemption of coupons.

In order to redeem a coupon it must pass a check to verify it has the correct signer. Once approved, the coupon is added to the user’s reward balance. In this incident, 0x8f2DB called setCoupon() which credited them 2.1m BUSD.

The new signer approved the malicious coupon redemption, as such he was able to claimRewards of the contract’s BUSD balance and drain all the BUSD funds.

LianGo Protocol - $1.6 Million Loss​

On 7-Feb-2023, the LianGo protocol was exploited for $1.6 million USD, roughly 6,148,859 LGT reward coins were stolen. For context, LianGo is a decentralized payment consumption and LGT is their main token.

The reason for the theft was that the owner administrator of LGTPool created a fake LP token pledge pool (pool 3), and then the thief put a large amount of LP tokens into the pool, pledged and obtained 6.14 million LGT reward tokens.

Based on on-chain data, the thief has been preparing for the theft for a long time. 58 days before the incident, the stealer’s address obtained the gas fee from Tornado Cash, and deployed the fake LP contract 32 days before the incident.

Then on the same day the LianGoPay project deployed the trading pair contracts of LGT tokens and WBNB on Pancake. This contract address is very similar to the address of the fake LP contract that was deployed earlier -- the 4 letters before and after are the same, which can be easily confused. As such, it is likely a private key compromise to the project’s back end system.

The administrator of the LGTPool contract initiated three consecutive transactions to create pledge pools, the first two of which also created a real one when creating two fake LP token pledge pools (pools 3 and 4). LP token pool for WBNB and LGT. Because the front and rear four digits of the real and fake LP token contract addresses are the same, it is difficult for users to detect that the first two created LP pools are fake LP pools.

Then the attacker launched an attack, first deploying an attack contract. When the contract was initialized, a huge amount of fake LP tokens was pledged for the fake No. 3 LP pledge pool - up to 614885935211982505426257800000000.

Then the attacker initiated a redemption transaction and received the rewarded LGT tokens. Because of the huge amount of pledged principal, 6.14 million LGT rewards were generated. These reward tokens were exchanged for 1.62 million BSC-USD tokens and transferred to an address starting with 0xCb65 (this address used to receive gas fees from Tornado Cash 58 days before the incident).

DeusDAO (DEI) - $1.3 Million Loss​

On 6-May-2023, the DeusDAO (DEI) project was hacked for slightly more than $1.3 million USD due to a wrong contract upgrade. The project was hacked on 3 different chains: Ethereum, Arbitrum and on the BNB Chain. The upgrade bug introduced a public burn vulnerability, which allowed attackers to steal funds from other wallets that have DEI tokens.

The issue was specifically in the burnFrom method, which wrongly swapped the 2 parameters of msg.sender and the account to be granted approval. The hacker essentially approved DEI tokens to a whale account with a large amount of DEI tokens, and then invoked the wrongly implemented burnFrom method with 0 tokens. This approves all the DEI tokens to the caller instead, where he can just simply call transferFrom and steal all his tokens.

Conclusion​

BSC continues to be a strong competitor, outperforming Ethereum in terms of daily active users and verified contracts. However, it is undeniable that 2023 H1 has proven to be a challenging year for both investors and developers due to the continued bear market trend and exploit incidents. Below we have some final advice for investors and developers:

For investors:

• Understand what you're signing, do not blindly sign random signatures/transactions (never sign signatures outside of official websites)
• Always double check that you are on the official website of the dApp
• Be wary of new/trending projects or projects that guarantee High APYs / use MEV bots, and always verify the project team’s authenticity
• Use multiple wallets for different activities (hot wallet for frequent transactions; cold wallet to store high value funds)
• Ensure you are interacting with an open-source contract and revoke approval once interaction is done
• Check the security and risk scores of interacted contracts (e.g when using Trust wallet) If High Risk is flagged, we strongly advise to stay away

Feel free to reach out to our team if you have any doubts about a certain project / contract address / transaction / risk score!

For developers:

• Verify & open-source all relevant contracts on-chain (to ensure transparency and trust within the space)
• Ensure the project is audited by at least 2 well-known security companies and fix all issues where applicable (Including auditing newly added code)
• Incorporate / Implement a bug-bounty program to upkeep the security posture of the project and encourage the community to ensure the code remains secure
• Ensure security is at the core of the business: run sufficient testing / stress-testing / simulations such as (1) adverse token price fluctuations, (2) edge cases
• Prevent centralization risks by using multi signature wallets and not a single EOA wallet to run operations
• Minimize contract upgradeability and only apply to contracts when necessary
• Ensure funds are stored securely (key management, fund distribution)
• Implement safeguards in the event of a hack (formulate an Incident Response plan, introduce time lock / pausing within the smart contract)
• Constant monitoring of system parameters e.g Exchange Rate of a token

Hashdit​

HashDit’s core mission is to provide the essential threat intelligence for the everyday crypto investors, helping them to make informed decisions. Our methodology includes a variety of automated and manual techniques to evaluate a dApp project. The team has optimized its product offerings and improved its accuracy in 2023 H1.

Products at Hashdit currently:

• Risk assessment: All-in-one collection of security rating framework, auto-scan tools, and corresponding APIs, which are able to deliver accurate detection for potential rugpull/exploit risks based on a smart contract address. This is integrated with platforms like Trust Wallet and PancakeSwap, to leverage their reach and protect more users.

  It is able to detect multiple other risks, besides the usual SWC bugs, such as Tornado Cash interaction, risky functions encompassing ERC20 or ERC721 token standards (such as Migrate() or Blacklist() ), HoneyPot detection, etc. This can help users gain a better understanding of the smart contract, if it could be a scam.

• Audit service: Comprehensive code audits following extensive and detailed best practices for smart contracts and discovering code loopholes / security vulnerabilities before they are deployed on-chain, guaranteeing users’ safety on BSC.

• Monitoring: Detecting sensitive events / transactions that happen on-chain to quickly respond and minimize any additional financial losses. At the same time, Hashdit warns users early by sharing any information we found on our Twitter

• Blog: Our goal is to share our security knowledge for builders, investors and users in the Web3 community. With all the players in the industry equipped with the security knowledge needed and adopting a security-first mindset, only then will the Web3 ecosystem be a safer place for everyone.

This report focuses on security events that happened on BSC in 2022, analyzing the type of projects targeted and sharing the common attack techniques used in 2022, with respect to the financial loss of the incidents.

This report also examines the trends on BSC from 2020 to 2022 to help give readers a better understanding of how the space has grown. Lastly, this report shares some of the products we at Hashdit have developed, and what risks can be covered by the capabilities that Hashdit have/are building.

Tl;DR​

Security incidents on BSC have risen since 2020. In 2022 alone, nearly $1.05 billion on BSC were lost to malicious actors, where 80% was due to hacks.

In total, there were 282 security incidents, an average of roughly 23 incidents per month. Out of which, 62% were scams / rugpulls.

Disclaimer​

The financial data provided here is accurate based on our own monitoring system and based on the $USD amount of the cryptocurrency involved at the time of the incident. Due to the fluctuating price nature of cryptocurrencies, the total amount loss might differ with the current token valuations.

BSC Growth​

This year has been a year of building and growth on BSC. Despite the general cryptocurrency bear market and black swan events like Luna and FTX, BSC has continued to reach new milestones and surpass expectations.

Here is a list of some of BSC’s achievements in 2022: [Refer to the blog released by BNBChain for more information]

• $1 billion growth fund
• AvengerDAO Launch
• Implement Liquidity Staking on BSC and Binance Account-Based (BAB) tokens
• OpenSea incorporates BSC
• zkBNB launched on Testnet
• Unique addresses crossed 234 million. Source: BscScan

Figure 1: Number of BNB Smart Chain unique addresses over the year 2022

• Peak TVL - USD 16.25b on Jan 3. TVL trend as per screenshot. Source: Defillama

Figure 2: Total Value Locked in the BNB Smart chain ecosystem over the year 2022

• Transactions

  • Peak Txs: 9.78 million txs on 13th May
  • Avg Daily txs since 01 Jan: 4.34 million txs
  • More than 3.7 billion txs on BSC

• Active Wallet Addresses (DAU)

  • Peak Daily Active Wallets (DAU): 2.16 million DAU on 12th Oct
  • Avg Daily AUs since 01 Jan: 968k DAU ( compared to 740k DAU in 2021)
    • Stabilization of daily active users, which may suggest a foundational user base of an average of ~1 million per day
  • Currently ranked no. 1 compared to other chains in terms of DAU

• Number of Decentralized Applications (DApps)

  • ~1200 active on BSC

BSC Year-over-Year (YoY)​

The on-chain metrics can signal the growing adoption of the BNB Smart Chain as the preferred chain to use and build by investors and developers respectively. However, due to BSC’s decentralization nature and its fast growth to more than 1200 DApps, more bad actors have been attracted to the space as well. As such, security incidents have generally been on a rising trend.

This section aims to describe the security incidents YoY from 2020 to 2022.

General​

According to our statistics, in 2022, there were 282 security incidents on BSC which have increased by 228% YoY from 2021. In 2021, there were 86 security incidents, a 760% increase from 2020.

Figure 3: Number of incidents on the BNB Smart Chain over the last 3 years

Financial losses have also increased from 2020 to 2022, with damages totalling $1.81 billion over the past 3 years, as seen from the chart below. The YoY increase from 2020 to 2021 is 61,221%, while the YoY increase from 2021 to 2022 is 37%, a large decline in YoY percentage.

Figure 4: Total amount stolen funds in dollars in the BNB Smart Chain over the last 3 years

By analyzing the ratio of the total amount of stolen funds to the total number of incidents, we observed that the average of stolen funds per incident has decreased.

Indeed, in 2021, the average of stolen funds per incident was calculated to be $8.9m. In contrast, in 2022, this value dropped to just $3.7m - even when there were several considerable events that represent almost half of the stolen funds. This shows that the number of security exploits with high financial impact is decreasing. Such decrease could be explained by the fact that projects with important funds are better secured and are more battle-tested. As such, malicious actors seem to be focusing their efforts on projects with more modest funds, concluding in lesser value exploits.

This pie chart shows a better understanding of the financial losses over the year with 2022 accounting for 57.84% of the total financial loss across, 2021 being 42.10% and 2020 with a mere 0.07%.

Figure 5: Financial losses in % over the last 3 years

Type of attack vectors​

According to our statistics, this is the breakdown of the general attack vectors from 2020 - 2022.

Figure 6: Number of incidents per attack vector over the last 3 years

It can be seen that crypto scams (in green) are a growing concern on the BSC, with 167 in 2022, a 328% increase YoY. Also, there were 2 counts of improper management incidents in 2022, which were never accounted for previously. This seems to suggest that project parties might not be following the best practices in securing user funds. When managing critical components such as team wallets’ private keys, it is important to use a secure management system.

Do stay tuned to our blogs if you are interested in best practice guides for securing your Web3 project.

Type of projects​

This chart represents the type of projects that were exploited since 2020.

Figure 7: Security Incidents per type of project over the last 3 years

It is clear that DeFi projects are still the main targets for crypto hackers, with 208 in 2022, a 147% increase from 2021.

Bridge and GameFi projects were the only other projects which encountered security incidents in 2021, besides DeFi projects. In total, 9 Bridge and 19 GameFi projects were exploited, a 800% and 1800% increase respectively from 2021.

With the expansion of the BSC ecosystem, other categories of projects came into the limelight such as ExerciseFi and SocialFi, which did not exist back in 2021. Some of these projects were victims of hacks as well.

2022 in focus​

General​

In total, nearly $1.05 billion were lost to security incidents on BSC. By observing the monthly chart below, the months with the top amount loss were October, January followed by June.

Figure 8: Amount of stolen funds in dollars per month in 2022

In those months, the main contributing incidents were (1) BSC token hub exploit, (2) Qubit exploit, and lastly the (3) EvoDefi bridge mismanagement incident.

Interestingly, when removing these 3 outlier incidents from the chart, the total financial loss drops down to just $346.9m, a staggering 67% drop or one-third of total amount loss of 2022. Also, the average of stolen funds per incident falls to $1.2m, from the $3.7m value shared earlier in the report.

Figure 9: Amount of stolen funds in dollars excluding the 3 largest incidents

This chart is closely correlated to the number of security incidents monthly in 2022.

Figure 10: Number of different project impacted by exploits

For example, the highest number of security incidents took place in October which is in line with the highest amount of loss.

However, months that have a higher number of security incidents might have a low amount of loss too. For example, even though August has 29 security incidents which is above the monthly average (23), the financial loss for that month is only $8m which is the 2nd lowest throughout the year. Such data reinforces the fact that we are seeing more incidents with lesser financial impact.

Type of attack vectors​

Out of the 282 security incidents, crypto scams are the most common on the BNB Chain as shown below, 62.06% of security incidents are crypto scams, followed by 37.23% being hacks and 0.71% being improper management such as mismanagement of private keys.

Figure 11: Proportion of different type of exploits

However, it is interesting to note that even when the number of scams are nearly double of hacks, the financial impact of scams are less significant than the ones related to the hacks. The total financial loss of scams ($190m) is less than half of the loss to hacks ($803m), as shown below in Figure 12.

Figure 12: Financial impact measured in dollars comparing different types of incidents

For further analysis of the specific attack vectors, this chart displays this against the financial loss in 2022.

Figure 13: Proportion of the funds lost comparing the different type of vulnerabilities

32.93% attributes to the BSC token hub exploit incident where there was a low level vulnerability, specifically an IAVL tree related verification bug. The 2nd largest contributor was Business Logic Vulnerabilities within smart contracts deployed on BSC, accounting for 29.45%.

It is notable here that “low-level” scams like Rugpull and Ponzi, even though they are the most common, do not take up much of the proportion as seen in the pie chart.

Type of projects​

When focusing on the project type vs financial loss, without surprise, 60.38% of financial loss are attributed to Bridge projects. This is because cross-chain bridges generally lock large amounts of crypto assets on one chain to mint collateralized assets on the destination chain. Hackers took notice of this trend and targeted vulnerabilities within these cross-chain bridge smart contracts.

The 2nd most project type targeted was DeFi projects at 37.06%, followed by GameFi and Metaverse projects at 1.22% and 1.08% respectively.

Figure 14: Proportion of funds lost comparing the type of project

Top 10 incidents in 2022​

The following were the top 10 security incidents in terms of financial loss in 2022.

Figure 15: Top exploits measured in dollars in 2022 on the BNB Smart Chain

Top 10 incidents in 2022​

BSC Token Hub exploit - $572 Million Loss​

On 6th October 2022, BSC Token hub, a bridge between the BNB Beacon Chain and the BNB Smart Chain, was exploited by an attacker resulting in the unauthorized transfer of 2M BNB.

Root cause analysis confirmed a flaw in the verification algorithm implementation developed by Cosmos, and incorporated by BSC into their contract’s proof verification process. Essentially, there was a bug in the proof verification which allowed the attacker to forge arbitrary messages and include them in a block that wouldn’t be verified. Fortunately, the attacker here only forged two messages, so the damage could have been far worse.

QubitFinance - $80 Million Loss​

On 27th Jan 2022, the Qubit protocol was exploited, resulting in almost $80M loss. Qubit Bridge is essentially a platform for users to collateralize their ETH on the Ethereum chain without moving assets to BSC. The incident was due to a flawed minting functionality of qXETH on BSC where the tokens were later used for borrowing assets via Qubit lending.

Root cause analysis was that a legacy function (deposit) remained in the Qbridge Handler contract after it was replaced by a newer function (depositETH).

The legacy function did not check the amount of tokens, in this case WETH, supposed to be transferred in. As a result, the attacker was able to pass in the 0x0 address to fake a deposit event.

EvoDefi - $50 Million Loss​

The team behind EVODeFi, a cross-chain platform offering a set of crypto products on BNB Smart Chain (BSC) & Polygon, invested users’ funds on Terra’s Anchor Protocol in order to fund their cross-platform bridge as well as sustain high APR on ValleySwap, the second project owned by the team. In a further effort to boost APR on ValleySwap, the team minted unbacked USDT, causing funds on Oasis Emerald to be unbacked, the network ValleySwap was based on.

However, due to the collapse of Terra’s ecosystem, EVODeFi lost their investment in Anchor Protocol, their unbacked USDT became worthless, and they had no liquidity to continue operations.

Thus, EVODeFi was forced to close their bridge, trapping millions of dollars worth of users’ funds on Oasis, with no way to move funds out of Oasis Network without losing a majority of their fund’s value.

StableFund - $23 Million Loss​

StableFund was identified to be a Ponzi scheme. The project team can get a risk-free 3% handling fee, while it was marketed that the participants can get 1.5% rewards every day, and they can choose to get their principal back after 4 weeks.

In reality, the project does not have any profit-making method, to sustain the high 1.5% daily yield. The rewards of the first entrants need to be paid by the principal of the latter entrants, this is the standard Ponzi feature.

The project started from 2022-06-27, where >13k addresses have participated, and more than $23 million have been invested into the pools so far.

Elephant Money - $22 Million Loss​

On 13th April 2022, Elephant Money was exploited, resulting in the loss of 27,416.46 BNB. The attacker first used WBNB to buy a large amount of ELEPHANT, and then used BUSD to mint the TRUNK stablecoin. During the minting process, the Elephant contract will convert BUSD to WBNB and then back to ELEPHANT to drive up the ELEPHANT price.

The root cause was that the vulnerable contract relied on the instantaneous price of ELEPHANT-WBNB liquidity pool. Since, the value of ELEPHANT was artificially inflated, the attacker could mint more TRUNK stablecoin, which he can redeem back for WBNB and BUSD.

Transit Finance - $21 Million Loss​

On 1st October 2022, Transit Finance / Swap (a cross-chain protocol) was exploited for > $21m. Essentially, this attack targeted the users directly via a vulnerability in the use of the transferFrom() function. Any tokens approved for trading on Transit Swap could be transferred directly from users’ wallets to the unknown exploiter’s address.

Thankfully, > $18.9m was returned back to Transit Finance on both chains (ETH and BNB).

The root cause was that there was a lack of validation for input parameters. The hacker parsed in the Permissions management contract to the vulnerable contract and called the claimTokens function to do a transferFrom from users that have unlimited approval to this contract.

ANKR / Helio - $20 Million Loss​

On 2nd December 2022, Ankr protocol was exploited for around $5m, but what was surprising was 1 of their products, Helio, was impacted as well for > $15m, bringing the total damage to > $20m. Essentially, the root cause was that the private key of the Ankr deployer was compromised. According to the team, it was an insider attack that stole the private key. As such, the exploiter introduced a backdoor function and minted a large amount of unbacked aBNBc tokens to drain the liquidity pool for BNB.

Helio was impacted because one of the ways to provide collateral on their platform was aBNBc. Since the value of aBNBc has plummeted, many users seized the opportunity to purchase it at a valuation below market value. At the same time, Helio uses Chainlink to reflect the actual value of BNB at that point of time. As such, these users had a higher collateral value than expected where they could borrow large amounts of $HAY (platform’s stablecoin) and not pay back the debt.

Racoon Network and Freedom Protocol - $20 Million Loss​

On 20th July 2022, Racoon Network and Freedom Protocol performed a rugpull. More than 20 million USDT were transferred to the same EOA address, suggesting that they belong to the same party. 10% of the funds were transferred from Raccoon Network, while 90% of the funds were transferred from Freedom Protocol.

For Raccoon Network, the loophole is in the unverified token contract, Raccoon Network Token (RAC). In this token, every time a user transfers a RAC token, there is a 6% tax and the tax fees are transferred to an EOA, where the malicious project party could cash out to USDT anytime.

For the Freedom Protocol, the project party collected USDT by selling their NFTs at a price of 100 USDT. Afterwards, they did not continue their development and the funds have since been transferred out through CEXs.

$FLARE - $17 Million Loss​

On 14th November 2022, $FLARE token conducted an exit scam of ~$17m. Essentially, the root cause was the victim contract (unverified) allowed the attacker to use a faketoken as input to call getUserInfo() and then set some value to the "balance" related data structure.

The project has a rewards contract which rewards users who have invested USDT, in exchange they get USDT. Internally, there is this “balance” related data structure which calls the investing contract and getUserInfo() to keep track of how much tokens have been invested.

However, the lack of input validation allowed the exploiter to parse the address input of his faketoken, with the necessary getUserInfo() method and fake his amount invested.

DEGO Finance / Cocos - $15 Million Loss​

On 9th February 2022, DEGO Finance / Cocos were hacked for $15m. The hacker compromised multiple private keys of the team. As a result, the hacker removed liquidity from the projects and stole all funds from their hot wallets. The funds have already been bridged to ETH chain and deposited into Tornado Cash.

Conclusion​

BSC continues to be a strong competitor, outperforming Ethereum in terms of daily active users and transactions. However, it is undeniable that 2022 has proven to be a tough year for both investors and developers due to the bear market and hack incidents, which impeded trust within the cryptocurrency community. Below we have some final tips for investors and developers:

For investors:

• Understand what you're signing, don't blindly sign random signatures/transactions (never sign signatures outside of official websites)
• Always double check that you are on the official website of the DApp
• Be extra wary of new/trending projects or projects that guarantee High APYs / use MEV bots, and always verify the project team’s authenticity
• Use multiple wallets for different activities (hot wallet for frequent transactions; cold wallet to store high value funds)
• Ensure you are interacting with an open-source contract and revoke approval once interaction is done
• Check the security and risk scores of interacted contracts (e.g when using Trust wallet) If High Risk is flagged, we strongly advise to stay away

Feel free to reach out to our team if you have any doubts about a certain project / contract address / transaction / risk score!

For developers:

• Verify & open-source all relevant contracts on-chain (to ensure transparency and trust within the space)
• Ensure the project is audited by at least 2 well-known security companies and fix all issues where applicable (Including auditing newly added code)
• Incorporate / Implement a bug-bounty program to upkeep the security posture of the project and encourage the community to ensure the code remains secure
• Ensure security is at the core of the business: run sufficient testing / stress-testing / simulations such as (1) adverse token price fluctuations, (2) edge cases
• Prevent centralization risks by using multi signature wallets and not a single EOA wallet to run operations
• Minimize contract upgradeability and only apply to contracts when necessary
• Ensure funds are stored securely (key management, fund distribution)
• Implement safeguards in the event of a hack (formulate an Incident Response plan, introduce time lock / pausing within the smart contract)
• Constant monitoring of system parameters e.g Exchange Rate of a token

Hashdit​

HashDit’s core mission is to provide the essential threat intelligence for the everyday crypto investors to make informed decisions. Our methodology includes a variety of automated and manual techniques to evaluate a DApp project.

Thanks to our ever hardworking team, Hashdit has launched several products in 2022.

Products at Hashdit currently:

• Risk assessment: All-in-one collection of security rating framework, auto-scan tools, and corresponding APIs, which are able to deliver accurate detection for potential rugpull/exploit risks based on a smart contract address. This is integrated with platforms like Trust Wallet and PancakeSwap, to leverage their reach and protect more users.

  It is able to detect multiple other risks, besides the usual SWC bugs, such as Tornado Cash interaction, risky functions encompassing ERC20 or ERC721 token standards (such as Migrate() or Blacklist() ), HoneyPot detection, etc. This can help users gain a better understanding of the smart contract, if it could be a scam.

• Audit service: Comprehensive code audits following extensive and detailed best practices for smart contracts and discovering code loopholes / security vulnerabilities before they are deployed on-chain, guaranteeing users’ safety on BSC.

• Monitoring: Detecting sensitive events / transactions that happen on-chain to quickly respond and minimize any additional financial losses. At the same time, Hashdit warns users early by sharing any information we found on our Twitter

• Blog: Our goal is to share our security knowledge for builders, investors and users in the Web3 community. With all the players in the industry equipped with the security knowledge needed and adopting a security-first mindset, only then will the Web3 ecosystem be a safer place for everyone.

In addition, Hashdit is a major contributor to AvengerDAO, a community-run security initiative to ensure user safety on BSC. Working together with other security companies in the industry, we will aim to reduce the security incidents on BSC, and especially towards Bridge projects and Scams. We are excited to present even better products in the future and improve BSC overall security.

To a better year ahead! Happy new year to all!

Glossary​

General Incident classification​

The type of incidents can be generally broken down into 3 types:

• Hacks

  • Hacks in general, is the practice of intentionally exploiting weaknesses in an organization's computer systems. In the context of blockchain, it is exploiting vulnerabilities in fundamental components of DApps and in the blockchain infrastructure. The non-exhaustive list of components can be: blockchain bridges, oracles, crypto wallets, Frontend/backend application and smart contracts which are deployed on-chain. Examples include business logic issues and lack of validation.
  • At times, it could be compromising the private keys of project teams through traditional attack vectors.

• Scams

  • Scams are Web3 projects that do not intend to deliver promised features. Indeed, they usually entice users to invest or participate in the project with the only intent of keeping their invested money and leaving the users hanging.

  • Scams could be executed by dumping tokens, stealing all the invested funds, through means like sending sketchy emails and websites, or creating fake accounts on social media. In the context of blockchain, scams can involve investing in a “Get-rich-quick scheme” such as a Ponzi scheme or tricking users into signing unintended transactions that will result in stolen funds.

  • Do refer to our blog article for more details on the top 6 crypto scams in 2022.

• Improper Management

  • Improper Management is a unique situation where the project party mismanages components that associate with user funds. Some examples include application misconfiguration issues that could expose critical information about users / project funds, or when the project party mints uncollateralized funds to perform high risk trading. This will be at the expense of users’ funds being lost.

Project type classification​

• Bridge

  • A blockchain bridge is a tool that lets you port assets from one blockchain to another, solving one of the main pain points within blockchains – a lack of interoperability. Since blockchain assets are often not compatible with one another, bridges create synthetic derivatives that represent an asset from another blockchain.

• DeFi (Decentralized Finance)

  • Decentralized finance (DeFi) is a new financial framework consisting of decentralized blockchain protocols and underlying smart contract technology. DeFi, as it is most commonly known, makes it possible for users to access different types of financial products and services without the need for a centralized authority.

• GameFi (Play-to-Earn)

  • 'GameFi' refers to the financialisation of video gaming. It is characterized by its 'play-to-earn' (P2E) business model, and mainly refers to blockchain games that offer tokenized incentives to players while enabling frameworks for player-as-owner rather than the standard player-as-consumer.

• Learn-to-Earn

  • 'Learn-to-Earn’ refers to the financialisation of quizzing. It is characterized by the business model, which offers tokenized incentives to players who participate in the project and answer quizzes.

• Metaverse

  • Crypto metaverses are immersive virtual worlds with immense social and financial potential. Their use of blockchain infrastructure enables them to tap into the wider crypto economy, making virtual items exchangeable for real economic value beyond the confines of the metaverse.

• SocialFi

  • SocialFi is the fusion of social media and Web3. It refers to social media on a blockchain with a layer of finance in it. The concept brings together the principles of decentralized finance (DeFi) and social media to create, manage, and own content generated by the users on the platforms.

• ExerciseFi

  • ExerciseFi or Move-to-Earn as its name implies, users are rewarded for movement, whether walking, running or dancing to a rhythm.

• Oracle

  • Oracles are complex computerized systems that connect data from the outside world (off-chain) with the blockchain world (on-chain). Most blockchains have native cryptocurrencies that are used to transfer value, enable the operations of the protocol, or facilitate governance.

• Wallet

  • A Cryptocurrency Wallet is an application that functions as a wallet for your cryptocurrencies. It is called a wallet because it is used similarly to a wallet you put cash and cards in. Instead of holding these physical items, it stores the rivate keys you use to sign for your cryptocurrency transactions and provides the interface that lets you access and manage your cryptocurrencies.

• DAO

  • A decentralized autonomous organization (DAO) is an emerging form of legal structure that has no central governing body and whose members share a common goal to act in the best interest of the entity.