Preface
In the rapidly evolving realm of Web3 blockchain technology, security and regulation have consistently remained focal points of concern. Against this background, a comprehensive understanding of the Web3 security landscape and of the regulatory frameworks governing the cryptocurrency industry has become essential for keeping blockchain applications secure and stable. This research report is a collaborative effort of the Blockchain Security Alliance, jointly initiated by Beosin and SUSS NiFT. Its aim is to provide a thorough exploration of the global blockchain security landscape, prominent Web3 events, and critical regulatory policies in the cryptocurrency industry during Q3 2023.
Within this report, we will delve deep into an extensive analysis of the global blockchain security landscape, encompassing security vulnerabilities, attack incidents, and noteworthy Web3 events from Q3 2023. Simultaneously, we will meticulously review and summarize crucial regulatory policies in the cryptocurrency industry. This endeavor is designed to facilitate readers' comprehension of legislative and regulatory dynamics, both at the governmental and regulatory body levels, across the global blockchain arena, as well as to elucidate their impacts on industry advancement.
Through the dissemination of this report, our aspiration is to provide readers with valuable references and insights, empowering them to gain a better understanding of the dynamic evolution of the Web3 blockchain security landscape and the salient aspects of regulatory policies within the cryptocurrency industry.
I. Q3 2023 Global Web3 Security Statistics & AML Analysis
Authors: Beosin research team - Mario & Donny
Data Source (As of Sept 25): Footprint Analytics: Crypto Analysis Dashboards
1 Q3 2023 Web3 Security Overview
According to statistics from Beosin EagleEye, the total losses from hacks, phishing scams, and rug pulls in Web3 reached $889.26 million in Q3 2023. Among them, 43 major attacks resulted in a total loss of approximately $540.16 million. Phishing scams accounted for a total loss of approximately $66.15 million, and there were 81 rug pulls with a total loss of approximately $282.96 million.
The losses in Q3 2023 exceeded the total for the first half of 2023. The losses were about $330 million in Q1 2023 and $333 million in Q2 2023, while reaching $889.26 million in Q3.
In terms of project types, DeFi remains the most frequently attacked type. There were 29 attacks in the DeFi field, accounting for 67.4% of the total number of incidents. Public chains suffered the highest amount of losses among project types.
In terms of blockchain types, Ethereum accounted for the most losses overall, totaling $227 million, and also saw the highest number of attacks, with 16 incidents.
In terms of attack types, there were 9 private key compromise incidents this quarter, resulting in losses reaching $223 million, the most among attack types.
In terms of stolen fund flows, $360 million (67%) still remained in hacker addresses. Only 10% of stolen funds were recovered this quarter.
In terms of audit status, the proportion of audited and non-audited projects was roughly equal, at 48.8% and 46.5% respectively.
2 Overview of Hacks
$540.16 million Lost in 43 Major Attacks
In Q3 2023, Beosin EagleEye monitored a total of 43 major attacks in Web3, with total losses reaching $540.16 million. Among them, there was 1 security incident with losses exceeding $100 million, 7 incidents with losses between $10 million to $100 million, and 9 incidents with losses between $1 million to $10 million.
Attacks with losses over $10 million (in order of amount):
● Mixin Network - $200 million
On September 25, Mixin announced on Twitter that the database of Mixin Network's cloud service provider had been attacked, leading to the loss of part of the mainnet assets, about $200 million.
● Curve/ Vyper - $73 million
On July 30, due to a reentrancy vulnerability in an old version of the Vyper compiler, multiple Curve pools were attacked with losses reaching $73 million, of which around $52.3 million was returned by the hacker afterwards.
● CoinEx - $70 million
On September 12, a private key compromise allowed attackers to drain the hot wallets of the crypto exchange CoinEx across multiple chains, with total losses reaching $70 million. The attack has been attributed to North Korea's Lazarus Group.
● Alphapo - $60 million
On July 23, the hot wallet of the crypto payment service provider Alphapo was drained, with total losses of $60 million. The attack has been attributed to North Korea's Lazarus Group.
● Stake - $41.3 million
On September 4, the hot wallets of the crypto casino platform Stake were drained, with losses of $41.3 million. The attack has been attributed to North Korea's Lazarus Group.
● CoinsPaid - $37.3 million
On July 22, the crypto payment platform CoinsPaid was hacked and $37.3 million in assets stolen. According to CoinsPaid, the attackers spent six months studying its systems and trying various approaches, including social engineering, DDoS, brute force and phishing. The attack has been attributed to North Korea's Lazarus Group.
● Fortress IO - $15 million
On August 29, the blockchain infrastructure provider Fortress IO lost $15 million after a third-party cloud vendor it relied on was compromised.
● Poly Network - $10.1 million
On July 2, the cross-chain bridge Poly Network was attacked as a result of a private key compromise, with the attacker profiting $10.1 million.
3 Attacked Project Types
Public blockchain suffered the highest losses among project types
This quarter, public blockchains accounted for the highest losses among project types, driven by the $200 million Mixin Network hack. That single incident made up 37% of the quarter's total losses.
Out of the 43 attacks, 29 occurred in the DeFi field, accounting for about 67.4%. These 29 DeFi attacks led to total losses of $98.23 million, ranking second among all project types.
The third highest losses came from payment platforms. Two security incidents at payment platforms caused combined losses of $97.3 million (Alphapo $60 million, CoinsPaid $37.3 million).
Other attacked project types included exchanges, casinos, infrastructure providers, cross-chain bridges and unverified contracts. The pattern shows hackers targeting platforms that hold large amounts of funds, such as public chains, payment platforms and casinos.
4 Loss By Chain
The highest losses and the most incidents are both from Ethereum
This quarter, Ethereum accounted for total losses of $227 million, ranking first among all chains. Ethereum also saw the highest number of security incidents, with 16.
Mixin Network ranked second in losses, its single incident accounting for $200 million.
Ethereum and Mixin combined accounted for 79% of total losses.
Ranked by number of attacks, the five chains with the most security incidents were Ethereum (16), BNB Chain (10), Arbitrum (3), Bitcoin (2) and Base (2).
5 Loss by Attack Type
9 private key compromise incidents caused $223 million in losses
This quarter saw 9 private key compromise incidents, resulting in losses of $223 million, the most of any attack type. Of the 8 security incidents causing over $10 million in losses this quarter, 5 stemmed from private key compromise: CoinEx ($70 million), Alphapo ($60 million), Stake.com ($41.3 million), CoinsPaid ($37.3 million) and Poly Network ($10.1 million).
Ranking second in losses were cloud database attacks, with $200 million lost in the Mixin Network incident.
Ranking third in losses were smart contract vulnerability exploits: 22 contract vulnerabilities led to total losses of about $93.27 million.
In terms of vulnerability types, reentrancy vulnerabilities accounted for most of the losses in smart contract incidents, about 82.8% of the loss amount. Business logic vulnerabilities occurred the most frequently, appearing 13 times out of the 22 contract vulnerabilities.
6 Analysis of Typical Attacks
6.1 Exactly Protocol
On August 18, 2023, Exactly Protocol, a DeFi lending protocol on Optimism, suffered an attack with a loss of $7 million.
Vulnerability Analysis
Multiple Market contract address parameters of the vulnerable contract were accepted without validation. By passing the address of a malicious Market contract, the attacker bypassed the permit check, had the contract execute a malicious deposit, drained users' USDC collateral and liquidated their positions, ultimately taking the profit.
Recommendations
It is recommended to whitelist the contract addresses that may be passed in as Market or LP token contracts, so that a caller cannot substitute a malicious contract.
6.2 Vyper/Curve
On July 31, the Vyper team announced on Twitter that the reentrancy locks in Vyper versions 0.2.15, 0.2.16 and 0.3.0 were defective (Vyper is a Pythonic smart contract language for the EVM). Curve stated that multiple pools compiled with Vyper 0.2.15 (the CRV, alETH, msETH and pETH pools) had been attacked, with total losses reaching $73 million, of which about $52.3 million was later returned by the hackers.
Vulnerability Analysis
The root cause was the failure of the reentrancy lock in Vyper 0.2.15: in the affected compiler versions, functions decorated with the same @nonreentrant key did not actually share one lock, so the lock taken by remove_liquidity did not block a call into add_liquidity. When the attacker called remove_liquidity on an affected pool, the pool reduced its recorded balances and then transferred ETH to the caller; the attacker's fallback re-entered add_liquidity at that point, before the LP token supply had been reduced. Because add_liquidity priced the deposit against the already-reduced balances and the not-yet-reduced supply, the pool's price calculation was wrong and it minted far more LP tokens than the deposit was worth.
Recommendations
The reentrancy locks in Vyper versions 0.2.15, 0.2.16 and 0.3.0 are all ineffective, and projects compiled with these versions should check their exposure. After launch, project teams are strongly advised to keep following vulnerability disclosures for third-party components and dependencies and to mitigate risks promptly.
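A self-check of the kind recommended above, added here as an example (it is not code from the report, from Curve or from the Vyper project): it scans Vyper sources for the version pragma and reports whether the constraint admits one of the three affected compiler releases. It assumes sources carry the `# @version <constraint>` pragma of 0.2.x/0.3.x code (or the later `#pragma version` form) with semver-style operators; the file paths on the command line are the caller's own.

```python
"""Flag Vyper sources whose version pragma admits a compiler release with the
defective reentrancy lock (0.2.15, 0.2.16, 0.3.0).

Added example, not part of the report or of the Vyper project. Parses the
`# @version <constraint>` pragma of 0.2.x/0.3.x sources and the newer
`#pragma version <constraint>` form; a missing pragma is reported because the
compiler version is then unpinned.
"""
import re
import sys

VULNERABLE = {(0, 2, 15), (0, 2, 16), (0, 3, 0)}
PRAGMA_RE = re.compile(r"^#\s*(?:@version|pragma\s+version)\s+(.+?)\s*$", re.M)
TERM_RE = re.compile(r"(\^|~|>=|<=|>|<|=)?\s*(\d+)\.(\d+)\.(\d+)")


def parse_constraint(text):
    """'^0.2.15' -> [('^', (0, 2, 15))]; '>=0.2.12 <0.3.1' -> two terms."""
    terms = [(op or "=", (int(a), int(b), int(c)))
             for op, a, b, c in TERM_RE.findall(text)]
    if not terms:
        raise ValueError(f"unparseable version constraint: {text!r}")
    return terms


def satisfies(version, terms):
    """semver-style matching: ^ pins the leftmost non-zero component, ~ pins
    major.minor, comparison operators are literal, a bare version is exact."""
    for op, low in terms:
        major, minor, patch = low
        if op == "^":
            if major:
                high = (major + 1, 0, 0)
            elif minor:
                high = (0, minor + 1, 0)
            else:
                high = (0, 0, patch + 1)
            ok = low <= version < high
        elif op == "~":
            ok = low <= version < (major, minor + 1, 0)
        else:
            ok = {"=": version == low, ">=": version >= low, ">": version > low,
                  "<=": version <= low, "<": version < low}[op]
        if not ok:
            return False
    return True


def check_source(src):
    """Findings for one Vyper source text (an empty list means no concern)."""
    m = PRAGMA_RE.search(src)
    if not m:
        return ["no version pragma: compiler version unpinned, verify the build"]
    terms = parse_constraint(m.group(1))
    return [f"pragma '{m.group(1)}' admits vulnerable Vyper {a}.{b}.{c}"
            for a, b, c in sorted(v for v in VULNERABLE if satisfies(v, terms))]


if __name__ == "__main__":
    # Usage: python vyper_lock_check.py contracts/*.vy   (paths are the caller's)
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for finding in check_source(fh.read()) or ["ok"]:
                print(f"{path}: {finding}")
```

A pragma only says which compilers the source accepts, not which one produced the deployed bytecode. For a live contract, confirm the compiler version recorded with the verified source on the block explorer, and treat a loose constraint such as `^0.2.0` as a finding even when the local toolchain happens to be newer.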
6.3 Eralend
On July 25, 2023, Eralend, a lending protocol on zkSync, suffered an attack with losses of about $3.4 million.
Vulnerability Analysis
The main vulnerability was a read-only reentrancy in the price oracle: Eralend priced collateral from SyncSwap pool reserves, and reading those reserves while a SyncSwap pool was mid-transaction gave Eralend's cToken contracts inconsistent loan and liquidation values. The borrowed amount exceeded what had to be repaid, so the attacker profited by borrowing and then liquidating, and repeated this against multiple contracts to obtain a large amount of USDC.
Recommendations
When deriving prices from SyncSwap's real-time reserves, read-only reentrancy must be taken into account, so that a price read mid-transaction cannot differ from the price after the transaction settles.
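To make the two mechanisms of sections 6.2 and 6.3 concrete, the following toy pool, added here as an example and not code from Curve, Vyper or Eralend, reproduces both in Python. It models a single-asset pool with integer arithmetic: `shared_lock=False` imitates the affected Vyper versions (each guarded function has its own lock), `shared_lock=True` the intended shared lock; `Attacker.receive` plays the role of the fallback invoked by the ETH transfer; and `virtual_price` is the unguarded view a lender might read, which shows the read-only reentrancy of section 6.3 surviving even the lock fix. All names and amounts are constructed.

```python
"""Toy liquidity pool used to show two reentrancy failure modes.

Added example; a constructed model, not Curve's, Vyper's or Eralend's code.
The pool holds one asset (so "price" is simply assets per LP token) and uses
truncating integer arithmetic in units of 1e-6 ETH, like the EVM.
"""


class ReentrancyError(Exception):
    pass


class Pool:
    SCALE = 1_000_000  # fixed-point scale for virtual_price()

    def __init__(self, balance, total_supply, shared_lock):
        self.balance = balance            # asset held by the pool
        self.total_supply = total_supply  # LP tokens outstanding
        self.lp = {}                      # LP balance per holder name
        # shared_lock=False models the Vyper 0.2.15-0.3.0 defect: each guarded
        # function gets its own lock, so remove_liquidity's lock does not stop a
        # re-entrant add_liquidity. shared_lock=True is the intended behaviour.
        self.shared_lock = shared_lock
        self.held = set()

    def _acquire(self, fn):
        key = "lock" if self.shared_lock else fn
        if key in self.held:
            raise ReentrancyError(f"{fn}: lock already held")
        self.held.add(key)
        return key

    def is_locked(self):
        return bool(self.held)

    def virtual_price(self):
        # A view has nothing to lock, so it can be read mid-transaction and then
        # reports transient state: this is the read-only reentrancy surface.
        return self.balance * self.SCALE // self.total_supply

    def add_liquidity(self, who, amount):
        key = self._acquire("add_liquidity")
        try:
            minted = amount * self.total_supply // self.balance
            who.eth -= amount
            self.balance += amount
            self.total_supply += minted
            self.lp[who.name] = self.lp.get(who.name, 0) + minted
            return minted
        finally:
            self.held.discard(key)

    def remove_liquidity(self, who, lp_amount):
        key = self._acquire("remove_liquidity")
        try:
            assert self.lp.get(who.name, 0) >= lp_amount
            value = self.balance * lp_amount // self.total_supply
            self.balance -= value           # balance reduced before the external call
            who.receive(self, value)        # control passes to the caller here
            self.total_supply -= lp_amount  # LP supply burned only afterwards
            self.lp[who.name] -= lp_amount
            return value
        finally:
            self.held.discard(key)


class Attacker:
    name = "attacker"

    def __init__(self, eth):
        self.eth = eth
        self.armed = True
        self.price_in_callback = None
        self.locked_in_callback = None

    def receive(self, pool, value):
        self.eth += value
        if not self.armed:
            return
        self.armed = False
        # A lender pricing LP tokens off this view right now sees a price built
        # from the reduced balance and the not-yet-burned supply.
        self.price_in_callback = pool.virtual_price()
        self.locked_in_callback = pool.is_locked()  # the signal a careful consumer checks
        try:
            pool.add_liquidity(self, value)  # cross-function reentry with the withdrawn funds
        except ReentrancyError:
            pass  # with a working shared lock the inner call reverts; the outer continues


def run_attack(shared_lock):
    pool = Pool(balance=90_000_000, total_supply=90_000_000, shared_lock=shared_lock)
    pool.lp["honest_lp"] = 90_000_000
    att = Attacker(eth=10_000_000)
    pool.add_liquidity(att, 10_000_000)     # attacker now owns 10% of the pool
    pool.remove_liquidity(att, 10_000_000)  # withdrawal triggers the callback
    if pool.lp.get(att.name, 0):
        pool.remove_liquidity(att, pool.lp[att.name])  # cash out the inflated LP position
    return {
        "attacker_eth": att.eth,
        "honest_lp_value": pool.balance * pool.lp["honest_lp"] // pool.total_supply,
        "price_in_callback": att.price_in_callback,
        "locked_in_callback": att.locked_in_callback,
        "price_after": pool.virtual_price(),
    }


if __name__ == "__main__":
    for mode, shared in (("per-function lock (vulnerable)", False), ("shared lock (fixed)", True)):
        print(mode, run_attack(shared))
```

With per-function locks the attacker ends with 10,989,010 units against the 10,000,000 deposited, and the honest LP's stake is worth correspondingly less; with the shared lock the inner add_liquidity is rejected and balances are untouched. In both runs virtual_price read inside the callback is 900,000 (scaled by 1e6) instead of 1,000,000 while is_locked is True: a consumer that refuses to price LP tokens while the pool reports a held lock is the mitigation for the read-only case, which no fix of the lock itself provides.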
7 Typical AML Security Incident
7.1 Beosin KYT Analysis of the Stake.com Attack
On September 4, the Beosin EagleEye platform detected that the crypto casino Stake.com had suffered an attack.
After the incident, Stake.com stated that unauthorized transactions had occurred on its ETH and BSC hot wallets and that deposits and withdrawals would resume once the wallets were fully re-secured.
Beosin's security team determined that the incident was mainly due to a private key compromise, with asset losses of at least $40 million. We analyzed the event using Beosin KYT, the crypto asset AML compliance and analytics platform.
Fund flows on ETH
First step: Right after the attack, the hacker sent 6,000 ETH, 3,900,000 USDC and 9,000,000 DAI to address 0x3130662aece32F05753D00A7B95C0444150BCd3C.
Second step: The hacker swapped the DAI, USDC and other tokens into ETH and deposited it into the following 4 addresses, in preparation for dispersing and obfuscating the funds:
0xba36735021a9ccd7582ebc7f70164794154ff30e
0x94f1b9b64e2932f6a2db338f616844400cd58e8a
0x7d84d78bb9b6044a45fa08b7fe109f2c8648ab4e
0xbda83686c90314cfbaaeb18db46723d83fdf0c83
Third step: The hacker dispersed the funds in each of the above four addresses to over 20 addresses, and also transferred funds between addresses at the same level to increase tracking difficulty.
Fourth step: The hacker moved most of the assets, in hundreds of transactions, into the cross-chain DEX Thorchain, and swapped the remaining assets into USDT via 1inch and SSwap.
Notably, the hacker also sent a small portion of funds into Binance wallets.
Fund flows on Polygon
The hacker's fund transfer methods on Polygon were identical to those on ETH.
First step: On Polygon, the hacker sent 3,250,000 MATIC, 4,220,000 USDT, 1,780,000 USDC and 70,000 DAI to address 0xfe3f568d58919b14aff72bd3f14e6f55bec6c4e0.
Second step: The hacker swapped the assets into MATIC and deposited them into the following 4 addresses:
0x32860a05c8c5d0580de0d7eab0d4b6456c397ce2
0xa2e898180d0bc3713025d8590615a832397a8032
0xa26213638f79f2ed98d474cbcb87551da909685e
0xf835cc6c36e2ae500b33193a3fabaa2ba8a2d3dc
Third step: The hacker dispersed the funds in each of the above four addresses to over 20 addresses, and also transferred funds between addresses at the same level.
Fourth step: The hacker sent the dispersed assets, in hundreds of transactions, into SquidRouter for cross-chain transfers.
Fund flows on BNB Chain
First step: As on ETH and Polygon, the hacker sent 7,350,000 BSC-USD, 1,800,000 USDC, 1,300,000 BUSD, 300,000 MATIC, 12,000 BNB, 2,300 ETH and 40,000 LINK from the Stake wallet to address 0x4464e91002c63a623a8a218bd5dd1f041b61ec04 on BNB Chain.
Second step: The hacker swapped the assets into BNB and deposited them into the following 4 addresses:
0xff29a52a538f1591235656f71135c24019bf82e5
0x95b6656838a1d852dd1313c659581f36b2afb237
0xe03a1ae400fa54283d5a1c4f8b89d3ca74afbd62
0xbcedc4f3855148df3ea5423ce758bda9f51630aa
Third step: The hacker dispersed the funds in each of the above four addresses to over 20 addresses, and also transferred funds between addresses at the same level.
Fourth step: The hacker sent the dispersed assets, in hundreds of transactions, to OKX DEX and the BNB Chain TokenHub for cross-chain transfers, or swapped them into BUSD for further obfuscation.
Notably, the hacker also sent a small portion of funds into OKX wallets.
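The four-step pattern above (consolidation, a handful of distributor addresses, fan-out to dozens of leaves with same-level shuffling, then cash-out through DEXs, bridges and exchange deposits) is what a tracing tool has to recover from raw transfers. The following is an added example, not Beosin KYT code: it builds a constructed transfer graph in that shape (placeholder addresses and amounts, not the real Stake.com data), walks it from the victim address, picks out the dispersal addresses, and buckets where the funds ended up by assumed service labels.

```python
"""Trace the layering pattern of a hot-wallet theft over a transfer graph.

Added example, not Beosin KYT or any other product's code. The transfers are a
constructed sample (no real addresses or amounts) shaped like the Stake.com
flows: one consolidation address, four distributors, fan-out to many leaves, a
peer transfer between leaves, and a few leaves cashing out through labelled
services. The address labels are assumed.
"""
from collections import defaultdict, deque

LABELS = {"thorchain_router": "dex", "binance_deposit": "cex"}  # assumed labels


def build_sample_transfers():
    """Constructed (from, to, amount) edges; amounts in ETH."""
    tx = [("victim_hotwallet", "consolidation", 6000)]
    for i in range(4):
        dist = f"distributor_{i}"
        tx.append(("consolidation", dist, 1500))
        for j in range(5):
            tx.append((dist, f"leaf_{i}_{j}", 300))
    tx.append(("leaf_0_0", "leaf_1_0", 100))          # same-level shuffle
    tx.append(("leaf_0_1", "thorchain_router", 300))  # bridge/DEX cash-out
    tx.append(("leaf_1_1", "thorchain_router", 300))
    tx.append(("leaf_2_1", "binance_deposit", 50))    # small CEX deposit
    return tx


def outgoing(transfers):
    out = defaultdict(list)
    for src, dst, amt in transfers:
        out[src].append((dst, amt))
    return out


def trace_taint(transfers, source):
    """BFS from the victim: {address: hop count} for every address funds reach."""
    out = outgoing(transfers)
    hops, queue = {source: 0}, deque([source])
    while queue:
        addr = queue.popleft()
        for dst, _ in out[addr]:
            if dst not in hops:
                hops[dst] = hops[addr] + 1
                queue.append(dst)
    return hops


def fan_out_addresses(transfers, min_targets=4):
    """Addresses paying out to at least min_targets distinct addresses: the
    dispersal stage that tracing tools highlight."""
    out = outgoing(transfers)
    return sorted(a for a, edges in out.items()
                  if len({d for d, _ in edges}) >= min_targets)


def where_funds_sit(transfers, source, labels):
    """Net positive balances of tainted addresses, bucketed by label. Unlabelled
    positive balances are what a report counts as 'still in hacker addresses'."""
    tainted = trace_taint(transfers, source)
    net = defaultdict(int)
    for src, dst, amt in transfers:
        if src in tainted:
            net[src] -= amt
        if dst in tainted:
            net[dst] += amt
    buckets = defaultdict(int)
    for addr, value in net.items():
        if addr != source and value > 0:
            buckets[labels.get(addr, "unlabelled")] += value
    return dict(buckets)


if __name__ == "__main__":
    tx = build_sample_transfers()
    hops = trace_taint(tx, "victim_hotwallet")
    print("addresses reached:", len(hops), "max hops:", max(hops.values()))
    print("dispersal addresses:", fan_out_addresses(tx))
    print("funds by destination:", where_funds_sit(tx, "victim_hotwallet", LABELS))
```

Two caveats a practitioner applies to this kind of output. The heuristic that unlabelled positive balances reached from the victim are "still in hacker addresses" is how a figure like the one in section 8 is produced, and it overcounts whenever a leaf is really an unlabelled service deposit. The trace also stops at the first cross-chain hop: Thorchain, SquidRouter and the BNB Chain TokenHub appear as terminal counterparties here, and following the funds further means matching those deposits against outbound transfers on the destination chain.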
On September 5, Stake.com announced that all platform services had resumed, with instant processing of deposits and withdrawals for all currencies. In total, $15.7 million was stolen from Stake.com on Ethereum and $25.6 million across BNB Chain and Polygon. In response, Stake.com said it had strengthened its security measures, including enhanced private key management and additional safeguards for user assets.
At the same time, Beosin will continue to be committed to providing cutting-edge security auditing and risk monitoring solutions to provide reliable protection for crypto asset holders and trading platforms. This incident sounds an alarm for the entire crypto industry, underscoring the importance of security and further driving the development of security technologies and compliance measures to safeguard users' digital assets from potential threats.
7.2 Unraveling the Money Trail Behind the JPEX Controversy
On September 13, 2023, the Hong Kong Securities and Futures Commission (SFC) issued a statement titled "Regarding Unregulated Virtual Asset Trading Platforms," stating that the virtual asset trading platform JPEX did not hold a license from the commission and had not applied for one. The following day, the JPEX community found that the platform's withdrawal limit had been set to only 1,000 USDT with a withdrawal fee of 999 USDT, effectively preventing users from withdrawing their funds. On September 19, 2023, the SFC held a press conference at which it said that JPEX had ceased its trading operations.
The investigation into the incident is still ongoing. We used Beosin KYT to identify addresses associated with JPEX, and the Beosin research team then analyzed the flow of funds through them. Our latest findings follow.
JPEX's fund flows on Ethereum
JPEX's deposit wallet on Ethereum is 0x50c85e5587d5611cf5cdfba23640bc18b3571665, where assets deposited by users of the JPEX platform are automatically collected. Ethereum-based USDT is then transferred to the withdrawal wallet 0x9528043B8Fc2a68380F1583C389a94dcd50d085e.
The deposit wallet 0x50c8 showed no transfers or other activity after a transaction completed at 01:37 AM on September 19, 2023, and had remained dormant for over 24 hours at the time of analysis.
The USDT withdrawal wallet 0x9528 transferred 100,000 USDT to three deposit addresses of the FixedFloat exchange (which does not require KYC) at around 5 PM on September 18, 2023, and has shown no further transfer activity since. Beosin KYT results:
In addition to USDT, ETH is distributed across various addresses linked to JPEX as follows:
0x50c85e5587d5611cf5cdfba23640bc18b3571665:641 ETH
0x31030a8C7E3c8fD0ba107e012d06f905CD080eD9:320 ETH
0x87E1E7D3ee90715BCE8eA12Ef810363D73dc79FB:400 ETH
0xcd19540f8d14bEbBb9885f841CA10F7bF5A71cAC:350 ETH
0x22E70793915625909E28162C8a04ffe074A5Fc98:400 ETH
0xd3528B66C3e3E6CF9C288ECC860C800D4CB12468:200 ETH
The detailed charts of ETH as well as USDT fund flows:
JPEX's fund flows on Bitcoin
BTC is dispersed across the following JPEX-associated addresses:
3LJVASCfNRm9DEmHYaRbWhiKVSg14JqarS:28 BTC
32JWJvigxttRmfYYcXEsCFScibnVU3bD92:20 BTC
381agNrmetRakEsfz9oD1XGvwgR9Q6y6fa:30 BTC
3LhYzsTZadkXaf6qsYQoP65ynGiiDv5XGU:20 BTC
3KBnBZTNGkbqEaQV6jb6oGxoiMHwmVLoGM:25 BTC
3A6G8gkxY9zgkRCHorSLvcj49J6Cp5TVBx:33 BTC
The detailed charts of BTC fund flows:
As of now, JPEX has not officially responded to these allegations on public social platforms such as Twitter. The entire crypto community has condemned JPEX's actions, with many investors commenting on previous tweets, demanding reduced fees and the restoration of withdrawal limits. JPEX's actions could potentially subject them to a more rigorous investigation by the Securities and Futures Commission.
During the JPEX incident we used Beosin KYT to analyze and interpret on-chain data, revealing the fund flows of the JPEX platform and showing how users can analyze on-chain data themselves to protect their assets. The incident has raised widespread concern and serves as a reminder to users to safeguard their digital assets.
8 Stolen Fund Flow
Around $360 million of stolen funds remain in hacker addresses
Of the stolen funds this quarter, $360 million (67%) still remain in hacker addresses. $99.27 million (18.4%) were sent to mixers: $9.17 million to Tornado Cash; $90.1 million to other mixers like FixedFloat, Sinbad etc.
Only $54.4 million in assets were recovered this quarter, merely 10% of the amount stolen. The recovery rate dropped significantly compared with the first half of the year. The main reason was the frequent activity of North Korea's Lazarus Group, which stole a total of $208 million this quarter; the group is adept at complex money laundering techniques and almost never returns funds.
9 Audit Status Analysis
The proportion of audited and non-audited projects is roughly equal
Among the 43 attacked projects, the proportion of audited and non-audited projects was roughly equal, at 48.8% and 46.5% respectively.
Of the 22 projects attacked due to contract vulnerabilities, 14 (63.6%) had not been audited.
10 Rug Pulls
$282 million Lost in 81 Rug Pulls
In Q3 2023, a total of 81 project rug pull incidents were monitored, involving $282 million.
Rug pulls over $10 million included: Multichain ($210 million), Bald ($23 million), and Pepe ($15.5 million).
Rug pulls occurred mainly on Ethereum (42 incidents) and BNB Chain (33 incidents); the Base chain also saw 4 rug pull incidents.
11 Summary
Compared with the first two quarters of 2023, total losses from hacks, phishing scams and rug pulls increased significantly in Q3, reaching $889.26 million, more than the first two quarters combined. The Web3 security situation remains concerning.
This quarter, the North Korean APT group Lazarus was very active, stealing over $208 million across four incidents and posing the biggest threat to Web3 security this quarter. According to an investigation by CoinsPaid, one of the attacked projects, Lazarus spent half a year attempting to infiltrate CoinsPaid's systems and find vulnerabilities, trying social engineering, DDoS, brute force attacks, phishing and other methods. It finally tricked an employee into downloading malware through a fake job offer and stole private keys. Lazarus is adept at exploiting the weakest link, people, to mount complex attacks on platforms holding large funds. Major crypto service providers should be vigilant against such attacks, conduct regular security training for employees, enforce security practices for high-privilege staff, and establish monitoring and alerting for suspicious activity across infrastructure and applications.
Among the 43 attack incidents, 22 still stemmed from smart contract exploits. Project teams are advised to engage a professional security auditing firm before launch.
Rug pull losses rose significantly this quarter. In projects' announcements, terms such as "internal disputes" and "force majeure" appear frequently, and even projects with large funding and user bases carry rug pull risk. Users are advised to manage their risk and keep a close eye on projects' latest activity; project security information and news can be queried on Beosin's EagleEye platform before investing in new projects.