Hackers eye blockchain as losses exceed $20 billion in 10 years

Technology does not understand right and wrong, good and evil, and blockchain hacking incidents have never ceased.

In the blockchain world in 2021, the bright side is thriving, and the dark side is also developing steadily.

According to incomplete statistics from SlowMist Hacked, security incidents frequently occurred in the blockchain world in 2021, far exceeding previous years in terms of quantity, danger, amount involved, and scale of impact. Among them, rare "white hat hacker" incidents also occurred, sounding a security alarm for people.

The so-called "white hat hackers" specifically refer to a group of people who use the usual methods of sabotage and attack to maintain network security, as opposed to "black hat hackers". However, the most famous "white hat hacker" in 2021 did not obtain permission before carrying out the attack, and the amount involved was as high as 600 million US dollars. In the end, the hacker returned the stolen assets in full, and Poly Network also gave up pursuing its legal responsibility.

Technology does not know right from wrong, good from evil, and blockchain hacking incidents have never ceased. Exchanges, wallets, public chains, various ecological DApps, DeFi projects... Which one is the focus of hackers?

The hacker who stole $600 million in assets returned it and said he just wanted to give a warning

In August 2021, an anonymous hacker attacked Poly Network (heterogeneous cross-chain protocol) and quietly transferred US$250 million, US$270 million, and US$85 million in crypto assets on Ethereum, BSC (Binance Smart Chain), and Polygon (Ethereum side chain), with a total amount of up to US$610 million. The entire process took 34 minutes.

However, as all parties began to block the hacker, the hacker returned most of the stolen assets within the next 12 days, claiming that he was not interested in money. The label of "white hat hacker" was born.

At $610 million, this is not only the largest hacking incident in the history of DeFi, but also the largest in the history of cryptocurrency as a whole, exceeding the famous Mt. Gox incident (744,408 BTC, about $400 million at the time) and the Coincheck case (523 million XEM, about $534 million at the time).

Faced with such a large-scale security incident, the "party involved" did not dare to slack off. Poly Network published a statement at 8:38 pm that day, announcing the attack it had suffered to the outside world, posting the hacker's specific addresses on different chains, and calling on miners and exchanges to lend a helping hand and block transactions initiated by the hacker's address.

(Picture from Poly Network Twitter screenshot)

Binance CEO Zhao Changpeng, OKEx CEO Jay and others expressed their support, and Paolo Ardoino, chief technology officer of Tether, the issuer of the stablecoin USDT, also stated that Tether had frozen 33 million USDT in the hacker's address.

Despite the pursuit and blockade, the hacker still used various means to quickly mix coins (that is, a transaction includes a large number of inputs and outputs, and the connection between the inputs and outputs is actually severed, making it difficult to track). On the same day, 97.06 million US dollars of USDC were exchanged for DAI through Curve, and nearly 120 million US dollars were mixed on BSC using the Curve fork project Ellipsis Finance.

According to Situation News, on the day of the incident, the Poly operating team worked through the night. In addition to the pressure of the huge amount of stolen assets, the endless speculation in the crypto community also weighed heavily on them. Security researcher Mudit Gupta, Primitive Ventures founding partner Dovey Wan and others successively published articles hinting at the possibility of an "internal attack". Some even speculated that Poly had staged the incident itself.

The massive siege operation aroused the onlookers’ curiosity. On the day of the incident, a “busybody” sent a transaction to the hacker’s address, leaving a message to remind him that his USDT had been blacklisted. The hacker responded with 13.5 ETH (about 42,495.84 USD).

The "road to wealth" has thus begun, and a large number of "spectators" have flocked to the site. Some talked about projects and wanted investments, some talked about dreams and asked for tuition fees, some asked hackers to "pull up" the coins they hold, and some even went so far as to directly become apprentices and recognize each other as big brothers.

But just as the onlookers were watching the excitement, events took a turn.

The day after the incident, the hacker who attacked Poly Network took the initiative to show up on Etherscan and expressed his willingness to return the stolen assets through on-chain transaction notes, and asked the Poly project to provide him with a multi-signature wallet.

“Why do you want a refund?”

"I'm not very interested in money," the hacker replied. "Getting so much wealth is already a legend, and saving the world is an eternal legend."

On August 11, 2021, the hacker returned $4.7 million worth of assets, including $1 million in USDC, $1.1 million in BTCB, and $2.6 million in other assets. Later on the same day, the hacker again returned nearly 120 million BUSD, 26,600 ETH, and 1,000 BTCB to the payment address left by the Poly Network team on Binance Smart Chain, with a total value of approximately $250 million.

Over the next 12 days, the hacker gradually returned all the stolen crypto assets on BSC, Polygon, and Ethereum. Public opinion on the matter also shifted from the initial shock and criticism of the theft to a focus on the security of blockchain networks.

On August 13, 2021, F2Pool co-founder, Cobo co-founder and CEO Shenyu published a blog post, calling the Poly Network attackers "white hat hackers," the defenders of network security, and stated that a monument to commemorate the Poly Network incident would be built in Cryptovoxels to thank all participants. Later, Poly Network also announced a mainnet upgrade and invited the previous attacker to be the chief security consultant of Poly Network.

Where there is money, there are hackers

Looking back, the "white hat hacker" incident began with the breach of a cross-chain protocol. Subsequent vulnerabilities also involved the Ethereum public chain, the Polygon ecosystem, the stablecoin USDT, etc. This allowed the hacker to quickly mix coins and transfer stolen assets despite being blocked and besieged by leading companies such as Binance, OKEx, and Tether. The security risks revealed here are worthy of vigilance in the crypto world.

According to incomplete statistics from SlowMist Hacked, there were 236 public blockchain security incidents in the blockchain ecosystem in 2021, with losses exceeding US$9.886 billion. Among them, there were 127 security incidents involving DApps, DeFi, etc. in various ecosystems, accounting for the vast majority. In addition, there were 14 exchange security incidents, 8 public chain security incidents, 3 wallet security incidents, and 84 other types of security incidents (project parties running away, etc.).

It can be seen from the above data that DApps, DeFi projects, and exchanges in various ecosystems are the hardest hit areas for hacker security incidents in the blockchain world in 2021.

A senior security expert in the industry told Chain News that cryptocurrency exchanges concentrate a large amount of funds, have complex personnel, weak defenses, and users lack sufficient security awareness, which makes security vulnerabilities prone to occur. Whether from the perspective of weakness or profit, they are "sweet spots" that hackers cannot ignore. Stealing coins by attacking the exchange's cold/hot wallets is a prominent feature of 2021.

In February 2021, a cold wallet controlled by Grant Thornton, the liquidator of the New Zealand exchange Cryptopia, which had been dormant since January 2019, was stolen, and hackers stole about $1.96 million in Xtake by accessing the wallet. On August 19 of the same year, the hot wallet of the Japanese crypto trading platform Liquid was also stolen, with a total loss of about $91.35 million.

In addition to exchanges, wallets that pool funds are also attractive to hackers, which has led to an endless stream of wallet leakage security incidents in 2021. According to AML's November report, fake wallet apps have caused tens of thousands of thefts, with losses of up to $1.3 billion.

In addition to exchanges, public chain attacks are also worth mentioning. Starting in August 2021, BSV first suffered a 51% attack in which nearly 100 blocks were reorganized; then the ETC mainnet forked due to a vulnerability in the Ethereum client Geth; and then the Solana mainnet beta suffered a denial-of-service attack that took the network offline for 17 hours.

But whether it is a public chain, wallet, or exchange, they cannot compare with DeFi, DApp, NFT and cross-chain parts in terms of the amount involved, number of attacks, and scope of impact. This part is also the area where hacker attacks occurred most frequently last year.

Since the birth of DeFi, it has been accompanied by countless risks. In recent years, the value of many DeFi projects has been exploding, and hacking incidents have intensified. Flash loan attacks, contract loopholes, compatibility or architecture issues, private key leaks or front-end attacks, internal crimes... There are endless tricks in DeFi, which are jaw-dropping.

In 2021, SushiSwap in the ETH ecosystem was attacked twice, and a high-risk vulnerability appeared in the SIL.Finance contract. In the BSC ecosystem, Cream Finance suffered three flash loan attacks, with cumulative losses exceeding $187 million. In the EOS ecosystem, the flash loan smart contract flash.sx was hit by a reentrancy attack. In the Polygon ecosystem, the contract of the yield farming protocol PolyYeld Finance was exploited. In addition, the DDEX code backdoor incident occurred in the HECO ecosystem.

Security incidents occur frequently in the "DeFi, DApp, NFT and cross-chain" categories, and this is not unique to 2021. According to Chain News, the pattern has been present since the number of security incidents soared in 2018, and it has continued into 2022.

Ten-year loss of $23.9 billion

From 2008 to 2022, hacking incidents have been growing like maggots attached to bones along with the development of blockchain.

According to SlowMist Hacked data, there have been 610 public blockchain security incidents in the global blockchain ecosystem since 2012, with a total loss of approximately US$23.878 billion. In terms of years, there has been a clear phased change since 2018, with both the number and the amount involved doubling compared to before.

According to survey data from blockchain security companies PeckShield and BCSEC, the number of blockchain security incidents in 2018 reached 138, causing economic losses of US$2.238 billion. Among them, the Ethereum public chain and EOS public chain were the hardest hit, followed by exchanges and wallets.

Among them, there were more than 54 incidents on the Ethereum public chain, such as "BEC chain was attacked by hackers, and $900 million evaporated in one day"; there were more than 49 security incidents on the EOS public chain, most of which were caused by random numbers, false notifications, transaction rollbacks and other attacks during the DApp ecosystem outbreak (August-November), with direct economic losses reaching 747,000 EOS.

In contrast, although there were more than ten attacks on exchanges, only two cases had a significant impact, namely the “Japanese Coincheck Exchange Hack” on January 26, 2018 and the “Binance Exchange Phishing by Hackers” on March 7 of the same year. There were only three BTC incidents, similar to the “BTC Over-issuance Vulnerability” in September, which were also fixed before causing any harm.

On this basis, "Chain News" found that among the nine major categories of security incidents (public chains, exchanges, wallets, and the ETH, BSC, TRON, EOS, Polygon, and HECO ecosystems), the EOS and ETH ecosystems draw particular attention from hackers, and the number of attacks on exchanges is also relatively large. There were more than 356 security incidents in these three major areas, involving a total amount of more than US$12.5 billion, accounting for more than 52.35% of the total.

The same pattern is also reflected in the "Blockchain Hacking in 2020" series of reports released by the Atlas VPN team, which pointed out that there were 47 successful attacks on ETH DApps in 2020, as well as 28 breaches of cryptocurrency exchanges.

The phenomenon of hacker attacks focusing on DeFi, DApp ecosystems, and exchanges remains the same as always, and is still happening in 2022.

As of January 18, 2022, according to SlowMist Hacked statistics, there were a total of 16 blockchain security incidents in 2022 that were disclosed in the global blockchain ecosystem. Except for 6 runaway incidents, all of them were security incidents in the DeFi and DApp ecosystems and security incidents in exchanges.

Under such circumstances, many authoritative organizations have issued reports to remind the crypto world to guard against hacker attacks and strengthen blockchain security. McAfee previously issued a "Blockchain Threat Report" stating that "blockchain is the revolutionary foundation for decentralized online transactions, but it has security risks." In March 2021, the China Academy of Information and Communications Technology also released the "Blockchain Security Capability Assessment and Analysis Report", pointing out the "Ten Major Security Risks" in blockchain, repeatedly reminding the outside world to establish a sense of prevention.
