AvengerDAO Q3 Security Report

Overview

This report focuses on security events that occurred on BNB Smart Chain (BSC) in Q3 of 2023. It analyzes the types of projects targeted, the common attack techniques used and the financial losses that resulted from the incidents.

TL;DR

1. Q3 sees significant reduction in fiat losses compared to Q2

Fiat losses dropped by 37% from $69m in Q2 to $43.5m in Q3. This was largely due to the lesser number of hacks seen, with Q3 demonstrating 45 compared to 79 in Q2.

2. BSC ranks fourth in Q3 fiat losses when compared to other chainsBSC saw 4% of the total fiat losses across all chains in Q3. It ranks fourth as compared to other chains. Third place goes to Fantom, representing 15%. Second place goes to Tron, representing 32%. First place goes to Ethereum, representing 36% for the total fiat loss across all chains.

3. Rugpulls, reserves manipulation and price manipulation were the three most commons types of exploit

Rugpulls remain the most common exploit vector, representing 67% of fiat losses on BSC. In second and third place, reserve manipulation and price manipulation combine to constitute roughly 12% of exploits. 

Other common attack types include lack of validation (3.36%), access control issue (2.52%) and private keys being compromised (1.68%).

Disclaimer

The financial data provided here is accurate based on our own monitoring system and based on the $USD amount of the cryptocurrency involved at the time of the incident. Due to the fluctuating price of cryptocurrencies, the total amount lost may vary based on changes in token valuations.

Furthermore, the financial data included here may not fully reflect the true “amount exploited” during the incident. This is especially true for scams where the total loss is mixed with an initial base amount injected by the project.

Q3 comparisons

BSC Comparisons 

YoY Comparison

When we compare the data with Q3 of previous years, there is a decreasing trend. Q3 financial losses dropped by 27% between 2022 and 2023.This suggests that the security of BNB Chain has improved over the years.

Figure 1: Q3 financial losses in 2021, 2022 and 2023

2023 Q3 vs 2023 Q2 

Fiat Losses

Figure 2: Financial losses from previous quarters in 2023

A handful of projects were responsible for inflated losses in Q2 and Q3.

• Q2: 45% of losses were due to the Fintoch exploit
• Q3: 55% of losses were due to the CoinEx and Stake exploits 

Number of Incidents

Figure 3: Number of incidents across previous quarters in 2023

Interestingly, the number of incidents remained relatively consistent from Q2 to Q3.

Notable Trends

1. 75% drop in amount lost to exploits between Q2 and Q3

Figure 4: Amount lost to exploits across the previous quarters in 2023

As seen in Figure 4, the amount lost due to exploits dropped significantly between Q2 and Q3 of 2023. This can be attributed to several factors.

• Overall improvement in security awareness in the crypto space. Users have greater awareness of security issues thanks to countless education tweets and blogs about how to recognize a scam.
• Uptrend in Web3 security products geared towards reducing scams which can flag a malicious website, project or address early, safeguarding users.
• Early detection and warning. Scam projects are being identified quickly, before the amount invested grows too large, therefore the overall loss for each scam is progressively smaller. This is especially true for ponzi schemes.

2. 43% drop in number of hacks from Q2 to Q3 of 2023

Figure 5: Number of incidents due to hacks across the previous quarters of 2023

This can be attributed to the fact that Web3 security companies and on-chain sleuths are monitoring transactions very closely. Hence, hackers are deterred from blackhat activities for fear that they might be traced back to their real identity. 

Chain Comparisons

Q3 Comparison to Other Blockchains

Fiat Losses

Figure 6: Proportion of funds loss across all chains in Q3

As seen in Figure 6, 70% of the total losses in Q3 of 2023 occurred on Ethereum and Tron.

QoQ Analysis

Fiat Losses

Figure 7: Proportion of incidents across all chains from Q1-Q3

Ethereum still had the highest number of financial losses in each quarter of 2023 thus far. Losses on Ethereum constituted 85% and 36% of total losses in Q1 and Q3 respectively.

Deep Dive on 2023 Q3 Incidents on BSC

In total, nearly $43.58 million was lost as a result of security incidents on BSC in Q3. As demonstrated by Figure 8, the month with the greatest losses was September. 

Figure 8: Amount of stolen funds in dollars per month in Q3 of 2023

Figure 9 shows the number of projects impacted by exploits in Q3 .

Figure 9: Number of project impacted by exploits

The highest number of security incidents took place in September. In total, there were 126 incidents on BSC between July and September.

Types of Attack Vectors

Out of the total 126 security incidents, hacks made up 35.71%. The remaining 64.29% were scams. 

Figure 10: Proportion of types of exploits

Even though there were more scams than hacks, the financial impact of scams was less significant. The total financial loss of scams was $13.6m and the total financial loss from hacks was $29.8m, as shown in Figure 11.

Figure 11: Financial impact measured in dollars comparing different types of incidents

This suggests that the number of scammers in the crypto space are growing, with strategies evolving to trick users. 

Specific Attack Vectors 

Figure 12 shows the specific attack vectors and their corresponding financial losses in Q3 of 2023. 

Figure 12: Proportion of funds lost across different types of exploits

In Q3, 67.23% of losses were attributed to rugpulls. Even with multiple reports highlighting rugpulls and strategies on how to look out for them, rugpulls remain prevalent in Web3. 

The second most common attack vector was reserves manipulation, which accounted for 8.40%. This occurs when some lesser-known tokens change the transfer function to burn tokens from the Liquidity Pool upon certain conditions, which can result in an exploit. 

The third most common attack vector was price manipulation, at 4.20%. This could be due to poorly designed smart contracts relying on the instantaneous price of liquidity pools, making them easier to manipulate with a large swap trade or flash loans by hackers.

Types of Projects

When comparing the project type against financial loss, 94.96% of financial losses were attributed to DeFi projects. 

The second most targeted project type was MEV related projects at 1.66%, followed by GameFi and gambling projects at 0.84% each.

Figure 13: Proportion of funds lost against the type of project 

The large proportion of fiat losses associated with DeFi projects suggests that DeFi remains the most common type of crypto project in the Web3 space. It also shows how important it is for users to only invest in reputable and well audited projects, and to stay clear of potential rugpulls and vulnerabilities.

Top 10 Incidents in Q3 of 2023 

The following were the top 10 security incidents in terms of financial losses in Q3 of 2023. 

Figure 14: Top exploits measured in dollars in 2023 Q3 on BNB Smart Chain

Stake - $17.8 Million Loss

Stake.com, is a crypto gambling protocol, which offers a variety of casino games such as dice, blackjack, Lingo, and more. Additionally, they provide sports betting options for basketball, tennis, volleyball, and others. On 4 September, 2023, Stake.com encountered an abnormal outflow of funds, totaling approximately $41 million.

The attack transpired across multiple chains, incurring losses of around $15.7 million on Ethereum, $7.8 million on Polygon, and $17.8 million on BSC. This brought the cumulative losses to over $41 million.

One of the fraudulent transactions can be traced back to: transaction.

From the transaction details, it's evident that the funds were transferred directly from Stake.com's hot wallet: transaction to the attacker's address. Subsequently, the funds were dispersed among numerous accounts.

Stake confirmed this security breach via social media, stating, "Three hours ago, unauthorized transactions were initiated from Stake's ETH/BSC hot wallets." As a result of this security incident, Stake's operations were temporarily put on hold.

CoinExCom - $6.2 Million Loss

On 12 September 2023, CoinEx detected irregular withdrawals from several of its hot wallet addresses, which were utilized to store user assets. The unauthorized transactions affected 19 chains, including $ETH, $TRON, and $MATIC, bringing the total loss to an estimated $55 million.

One particular unauthorized transaction can be seen here: transaction. The assets were directly transferred from CoinEX's hot wallet to the hacker's address. This indicates that the culprits may have managed to seize control of CoinEX's hot wallet's private key.

Following the hacking event, CoinEx temporarily suspended crypto deposits/withdrawals, relocated assets to more secure addresses, overhauled and redeployed the wallet system, and engaged in efforts with other exchanges to freeze the attacker's assets.

GMETA - $2.3 Million Loss

On 18 July 2023, $GMETA, on the BSC rug pulled with ~$2.36M. The price dropped -96%.

The contract creator  0x9f02c29ad35fd20a51cd48250512a7b7feeb8ed1 transferred 1M $GMETA to the address 0xd33D347d8f54EC3229A771F2092A6c6b6750D695, and then used 120K $GMETAs to swap out 2,367,507 USDTs from the pair, which led to the price slippage. 

The contract creator previously minted the 1B $GMETA tokens during the deployment transaction.

Multichain - $1.7 Million Loss

Multichain, a Bridge project, was exploited due to a Private Key Compromise on 10 July 2023, resulting in users losing more than $1.7 million USD on BSC. The team made a tweet regarding the incident stating that:“The lockup assets on the Multichain MPC address have been moved to an unknown address abnormally. 

The team is not sure what happened and is currently investigating. 

It is recommended that all users suspend the use of Multichain services and revoke all contract approvals related to Multichain.”Subsequently, the Multichain team announced that their CEO was arrested and they were unable to continue business without him and hence declared that they were winding down services.

While the exact attack vector is unclear, the behavior of transactions suggest that the attacker could control the chain addresses directly.

Defi Labs - $1.4 Million LossOn 28 July 2023, DefiLabs on BNB Chain rugged for ~$1.4M.

The staking contract is: 0xdedbd1804569f369e33e453ee311f0f97dcd0bde

The privileged address 0xee08d6c3a983eb22d7137022f0e9f5e7d4cf0be2 directly withdraws 1,427,200 BSC-USD staked in the vPoolv6 contract via the backdoor function withdrawFunds().

IEGT - $1.1 Million Loss

On 27 July 2023, the IEGT token rug pulled for $1.14 million. The IEGT token was created back on BSC on July 13. However, its creators secretly minted a large amount of tokens, displaying signs of a rug. Although the project reportedly had only 5 million tokens in supply, this allowed the team to sell 1 billion tokens, cashing out approximately $1.14 million in the USDT stablecoin.

The team tried to cash out the funds through Binance, specifically with this address. However, due to the fast action by the Binance team, the funds were eventually frozen.

Fake LayerZero - $1.0 Million Loss

On 20 August 2023, A fake LayerZero token removed liquidity, resulting in a removal of 4,827.99 WBNB (~$1M).

The scammer removed all of the liquidity in 1 transaction. 

Funds have then been swapped to BUSD and transferred to this wallet https://bscscan.com/address/0xa792a4ad2f1f120a63821b6ff20fac154ead4d84.

PalmSwap - $0.9 Million Loss

On 25 July 2023, PalmSwap, a DeFi platform was exploited for ~$900k on BSC. 

Palmswap v2 provides a highly liquid, powerful and user-friendly decentralized leveraged trading platform. Among them, PLP is the liquidity provider token of Palmswap trading platform, which is composed of USDT asset index for leveraged trading. 

PLP can be minted with USDT and then burned back with USDT. The minted and reburned prices are calculated by dividing the total value of assets in the index (including profit and loss on open positions) by the PLP supply. 

The “White-Hat” has returned 80% of funds.

CRN - $0.85 Million Loss

On 19 July 2023, there was an Access Control hack related to CRN-DEX

The hack transaction is as follows:

https://bscscan.com/tx/0xd8d4d19995bebc0e5cf3e18c432bfb7bc04d85b6a16bea2937683bc5045ba05dThe hacker was able to invoke a privileged function 0x80cad990 of the victim contract 0xb454bf72b2398dae86234b9e023bc1ac8d3f14af to steal ~$850k worth of funds.

NFT_SalesRoom (SASN) - $0.68 Million Loss

On 3 August 2023, NFT_SalesRoom ($ASN) on BSC experienced a substantial loss, with ~670k worth of tokens rugged. The ASN contract dropped ~98% in value afterwards.

A significant transfer of tokens was transferred to the rugpull address from the deployer.

Once received, this address went on to sell 1M $ASN for ~$670k BSC-USD.

The USDT funds were then washed and transferred to different CEXs.

AvengerDAO Achievements

1. A 30% increase in the number of users from Q2 (700k daily) to Q3 (~1m daily). 

2. HashDit API Integration with large players in the ecosystem like PancakeSwap, BSC Scan and TrustWallet. 
3. Revamp of DappBay Red Alarm:
   1. High Risk dApps and Smart Contract updated on a weekly basis 
   2. Introduced Risk Scanner
   3. During 01 July - 30 Sep, Dappbay listed 1.909 Red dApps and 2.1919 Red contracts
4. Introduced Web3 Security Framework, as best practice and advice to all the Web3 projects. 

Conclusion

BNB Smart Chain continues to be a strong competitor, outperforming Ethereum in terms of daily active users and transactions. However, 2023 Q3 has been a tough year for both investors and developers due to the bear market and hack incidents which impeded trust within the cryptocurrency community. Below we have some final tips for investors and developers:

For BNB Chain Users:

• Understand what you're signing, don't blindly sign random signatures/transactions (never sign signatures outside of official websites)
• Always double check that you are on the official website of the DApp
• Be extra wary of new and trending projects or projects that guarantee high APYs and use MEV bots, and always verify the project team’s authenticity
• Use multiple wallets for different activities (hot wallet for frequent transactions; cold wallet to store high value funds)
• Ensure you are interacting with an open-source contract and revoke approval once interaction is done
• Check the security and risk scores of interacted contracts for example, on Trust wallet. If high risk is flagged, we strongly advise to stay away

For BNB Chain Developers:

• Verify & open-source all relevant contracts on-chain to ensure transparency and trust
• Ensure the project is audited by at least 2 well-known security companies and fix all issues where applicable (including auditing newly added code)
• Incorporate a bug-bounty program to maintain the security posture of the project and encourage the community to ensure the code remains secure
• Ensure security is at the core of the business: run sufficient testing, stress-testing, and simulations such as adverse token price fluctuations and edge cases
• Prevent centralization risks by using multi signature wallets and not a single EOA wallet to run operations
• Minimize contract upgradeability and only apply to contracts when necessary
• Ensure funds are stored securely (key management, fund distribution)
• Implement safeguards in the event of a hack (formulate an incident response plan, introduce time lock/pausing within the smart contract)
• Constant monitoring of system parameters e.g exchange rate of a token

Hashdit

HashDit’s core mission is to provide the essential threat intelligence for the everyday crypto investors to make informed decisions. Our methodology includes a variety of automated and manual techniques to evaluate a DApp project. 

Hashdit has launched several products in 2023 Q3 including: 

• HashDit extension: A chrome web extension which utilizes the HashDit API to warn users for potential risky urls and risky addresses. HashDit’s pop-up warning window is displayed on the frontend to immediately alert users to take extra caution.
• Risk assessment: All-in-one collection of security rating framework, auto-scan tools, and corresponding APIs, which are able to deliver accurate detection for potential rugpull/exploit risks based on a smart contract address. This is integrated with platforms like Trust Wallet and PancakeSwap, to leverage their reach and protect more users. It is able to detect multiple other risks, besides the usual SWC bugs, such as Tornado Cash interaction, risky functions encompassing ERC20 or ERC721 token standards (such as Migrate or Blacklist), and HoneyPot detection, etc. This can help users gain a better understanding of the smart contract, if it could be a scam.
• Audit service: Comprehensive code audits following extensive and detailed best practices for smart contracts and discovering code loopholes/security vulnerabilities before they are deployed on-chain, guaranteeing users’ safety on BSC. 
• Monitoring: Detecting sensitive events/transactions that happen on-chain to quickly respond and minimize any additional financial losses. At the same time, Hashdit warns users early by sharing any information found on its Twitter.

Blog: The goal is to share security knowledge for builders, investors and users in the Web3 community. With all the players in the industry equipped with the security knowledge needed and adopting a security-first mindset, only then will the Web3 ecosystem be a safer place for everyone. Read Hashdit's Github blog here!

Follow us to stay updated on everything BNB Chain

Website | Twitter | Telegram | Facebook | dApp Store | YouTube | Discord | LinkedIn | Build N' Build Forum