Analysis by the blockchain security company SlowMist Technology team found that according to data provided by the Solana foundation, nearly 60% of stolen users used the Phantom wallet, and about 30% of the addresses used the Slope wallet, and the iOS and Android versions of the a

2024/12/10 22:42:34 technology 1747

2022 will be the year with the heaviest losses since the rise of Web3.

Web3 has been in turmoil this month.

In early August, the star public chain Solana suffered a hacker and currency theft incident. More than 9,000 wallet addresses were attacked, resulting in a loss of more than 4 million US dollars. This triggered a wave of panic among users and plunged Solana into a credit crisis.

A few days later, the cryptocurrency mixer Tornado Cash was placed on a sanctions list by the Office of Foreign Assets Control (OFAC), an agency of the U.S. Department of the Treasury. The listing covered more than 40 Ethereum addresses related to the Tornado Cash protocol and froze more than $400 million in assets.

Tornado Cash is a currency mixer positioned as a privacy service. Its reputation in the crypto community has always been controversial; as the leading mixer, Tornado Cash is even known as a "fencing den for dirty coins."

Tornado Cash saw its token price drop significantly after it was sanctioned by the U.S. Treasury Department. |Source: business2community.com

This sanction means that community users in the United States, whether individuals or entities, are no longer allowed to conduct economic transactions with the Tornado Cash platform and the wallet address bound to it. According to past cases, violations could result in fines of more than $300,000 and imprisonment of up to 30 years.

Immediately afterwards, foreign media revealed that the 29-year-old Tornado Cash developer was arrested in Amsterdam, the Netherlands. Local law enforcement authorities said that Tornado Cash was suspected of concealing illegal financial flows and assisting money laundering, and had been investigating it since June this year.

The sanctioning of Tornado Cash split the crypto industry into camps. Some people publicly expressed dissatisfaction, believing that the U.S. Treasury Department's supervision had overstepped its bounds and violated the privacy rights and freedoms of American citizens; others took the lead in responding to the regulators. Circle, the issuer of the stablecoin USDC, quickly froze the assets in wallet addresses related to Tornado Cash.

Web3 is facing the most severe security test and review pressure since its rise. Asset losses in the Web3 space were approximately $2 billion in the first half of 2022, exceeding the total losses from hackers in all of last year. The ensuing chain reaction is that the hands of regulatory enforcement are getting longer and longer.

In people's common understanding, Web3, which emphasizes decentralized logic, should have stronger security and privacy, but now it is targeted by both hackers and regulators. The crypto world is going through a moment of turmoil that has profound implications for its future destiny.

Hackers robbed Solana: an unresolved "public case"

More than half a month has passed since Solana was hacked and funds were stolen, and officials still have not released the final investigation results.

An analysis by the blockchain security company SlowMist Technology found that, according to data provided by the Solana Foundation, nearly 60% of affected users used the Phantom wallet and about 30% of the addresses used the Slope wallet, with victims on both the iOS and Android versions of each app.

Three days after the incident, Slope posted an official wallet address on Twitter and publicly stated that it had been cooperating with law enforcement and intelligence companies to track the stolen assets, and that if the hackers were willing to return them, a 10% bounty would be paid. "After recovering these funds, we will no longer pursue it and will not take any legal action."

The Slope team gave the hacker 48 hours to return the assets, but the bounty offer received no response.

Slope Wallet officially issued a bounty offer to the hacker. |Source: twitter

Liu Lixin, founder of the hardware wallet Keystone, still remembers that on the day of the incident he was pulled into a "war room" with more than 100 white hat hackers and security experts, who discussed the possible course of the incident.

"The initial guess was that a certain NFT project was collectively attacked," Liu Lixin recalled. Judging from the number of hacked wallet addresses, eight or nine thousand is a common mint size for an NFT project, so the first suspicion was that an NFT project team had acted maliciously, for example by obtaining malicious token authorizations.

But this guess was quickly ruled out. Security technicians discovered that several of the theft transactions were signed with the users' own private keys, rather than being asset transfers enabled by an incorrect authorization. Subsequent theories about the cause included a supply chain attack, hackers stealing random numbers, and inappropriate signature methods, and each was overturned in turn.

On the afternoon of that day, an overseas researcher discovered that the Slope wallet on the Solana chain had deployed a self-hosted instance of the third-party application monitoring service Sentry, which would collect the user's private key, mnemonic phrase and other information and upload it to a centralized server.

Sentry is an application monitoring platform that can monitor exceptions or error log information in real-time when an application is running. If Sentry discovers a system bug, it will notify the application's technical personnel via email.

In the crypto world, Sentry is widely used, and the Slope wallet is one of its users. However, there is an issue to be aware of: if Sentry is misconfigured, it may capture additional data from the application, such as private keys, mnemonic phrases and other private information, and ship it along with the error reports.

Security experts speculate that in the Solana theft incident, Slope mistakenly sent sensitive data such as mnemonics and private keys to Sentry when users created their wallets. This gave hackers an opportunity to steal the private keys stored on Sentry's centralized servers.
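The failure mode described above is that an error-monitoring SDK ships whatever the application attaches to an event, including wallet secrets. The usual mitigation on the application side is a scrubbing hook that runs before any event leaves the process. The following is an added example, not Slope's or Sentry's own code: it implements a `beforeSend`-style scrubber over a hand-built event object whose shape (`message`, `extra`, `breadcrumbs`) mirrors the Sentry JavaScript SDK's event object, so it runs without the SDK. The detection heuristics (key names, 64-hex-digit keys, base58 keypairs, 12- or 24-word phrases) and the sample event are constructed for illustration.

```javascript
// Added example (not Slope's or Sentry's code): redact wallet secrets from an
// error-monitoring event before it is sent. The event shape is assumed to be
// the Sentry JS SDK's (message/extra/breadcrumbs); the SDK itself is not used.

// Key names that should never carry a value to a monitoring backend.
const SENSITIVE_KEY = /(mnemonic|seed|private|secret|passphrase)/i;
// A 32-byte private key rendered as hex (with or without 0x prefix).
const HEX_KEY = /^(0x)?[0-9a-fA-F]{64}$/;
// A 64-byte keypair in base58 is about 87-88 characters; 32-byte public
// addresses (32-44 characters) are deliberately NOT matched.
const BASE58_KEYPAIR = /^[1-9A-HJ-NP-Za-km-z]{86,90}$/;
// A 12- or 24-word lowercase phrase (BIP39 words are 3-8 letters).
// Heuristic: may produce false positives on ordinary 12-word sentences.
const WORD_PHRASE = /^(?:[a-z]{3,8} ){11}[a-z]{3,8}$|^(?:[a-z]{3,8} ){23}[a-z]{3,8}$/;

function looksLikeSecret(value) {
  const v = value.trim();
  return HEX_KEY.test(v) || BASE58_KEYPAIR.test(v) || WORD_PHRASE.test(v);
}

// Recursively copy the event, replacing any string that sits under a
// sensitive key or that looks like key material by value.
function scrub(node, parentKey = '') {
  if (typeof node === 'string') {
    return SENSITIVE_KEY.test(parentKey) || looksLikeSecret(node)
      ? '[REDACTED]'
      : node;
  }
  if (Array.isArray(node)) {
    return node.map((item) => scrub(item, parentKey));
  }
  if (node && typeof node === 'object') {
    const out = {};
    for (const [key, value] of Object.entries(node)) {
      out[key] = scrub(value, key);
    }
    return out;
  }
  return node;
}

// Hook with the same contract as Sentry's beforeSend: return the event to
// send (here, the scrubbed copy) or null to drop it entirely.
function beforeSend(event) {
  return scrub(event);
}

// Constructed sample event: the kind of payload a wallet might attach while
// debugging wallet creation. The mnemonic is the well-known first twelve
// words of the BIP39 English list, used here only as a sample.
const SAMPLE_EVENT = {
  message: 'Wallet created',
  extra: {
    mnemonic: 'abandon ability able about above absent absorb abstract absurd abuse access accident',
    note: 'abandon ability able about above absent absorb abstract absurd abuse access accident',
    publicKey: '1'.repeat(44),          // address-sized base58: kept
    debug: '0x' + 'ab'.repeat(32),      // hex private key under a harmless name: redacted
  },
  breadcrumbs: [
    { message: 'wallet create ok', data: { secretKey: '2'.repeat(88) } },
  ],
};

function scrubbedSample() {
  return beforeSend(SAMPLE_EVENT);
}

console.log(JSON.stringify(scrubbedSample(), null, 2));
```

The scrubber is deliberately two-layered: the key-name check catches fields the developer labelled as secret, and the value heuristics catch secrets that end up under innocent names such as `debug` or inside a breadcrumb. Neither layer is a substitute for not attaching wallet material to telemetry in the first place; the hook is a backstop, and self-hosting the monitoring server (as Slope did) does not remove the need for it.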

After investigation, Slope issued a statement acknowledging that the security hole described above does exist, but noting that the attacked Slope addresses were only a small part of the total number of stolen wallet addresses in this incident. There is currently no evidence that Sentry itself was compromised, because the Sentry service used by the Slope wallet is deployed on a private server.

In addition, of the addresses derived from the private keys and mnemonic phrases found on the server, only 5 Ethereum addresses and 1,388 Solana addresses intersect with the victims' addresses. In other words, only about half of the more than 2,700 Slope wallets hacked this time were exposed to the Sentry vulnerability, which cannot explain how the remaining user wallets were compromised.

According to the investigation results obtained so far, there are 4 known attacker addresses. The stolen assets have not been further transferred on the Solana chain, but on the Ethereum chain some funds have been transferred to suspected OTC personal wallet addresses. The remainder was converted into ETH and then transferred to Tornado Cash.

Web3 "Dangerous"

At the same time as Solana was attacked, the cross-chain bridge Nomad Bridge was also attacked. It is worth noting that there were hundreds of hackers involved in attacking Nomad Bridge, including “white hats”, and the loss was nearly US$200 million.

Zhang Lianfeng, Chief Information Security Officer (CISO) of SlowMist Technology, told Geek Park that there are currently two main types of attacks on Web3:

  • One is on-chain attacks, such as fake deposits, reentrancy attacks, replay attacks and transaction reordering attacks. This type of attack is often more covert and needs to be identified through professional code security audits, complete on-chain analysis, monitoring and early warning.
  • The second is off-chain attacks, such as advanced persistent threats (APT), phishing and supply chain attacks. These security issues are common in traditional Web2, but they currently have a great impact on Web3 ecosystem security.

In April this year, Jay Chou lost Bored Ape NFT No. 3738, worth over 3 million yuan, because he accidentally clicked on a phishing link.

Jay Chou's stolen Bored Ape NFT. |Source: Internet

Web3 has its own financial attributes. Under the temptation of money, it is easier to be targeted by hackers. As the number of Web3 players continues to expand, cryptocurrency crimes are also on the rise.

According to statistics from the SlowMist Hacked incident archive, asset losses in the Web3 field in the first half of 2022 were close to US$2 billion, already exceeding the total losses caused by hacker attacks in the whole of 2021.

2022 is therefore called "the most disastrous year since the rise of Web3." Among the targets, cross-chain bridges, with their low degree of decentralization and large amounts of liquidity, were the most severely hit.

As of June 30, a total of 7 cross-chain bridge security incidents have occurred this year, resulting in losses of more than 1 billion US dollars, accounting for more than half of the total asset losses in the first half of the year. In the first half of the year, among the four incidents with losses reaching hundreds of millions of dollars, three of them affected the cross-chain bridge.

More representative examples include the attack on the Ronin Network, the side chain of the blockchain game Axie Infinity, resulting in a loss of US$624 million, and the attack on Wormhole, the cross-chain bridge project of Solana, resulting in a loss of US$326 million.

In addition to cross-chain bridges, blockchain wallets are also a "hardest hit area" for security incidents.

The wallet is the tool users use to manage crypto assets. It is also the account entrance through which users enter various Web3 applications; interaction and transactions in the crypto world are conducted through the wallet.

The wallet holds addresses generated from public and private keys, which appear as strings of letters and numbers. The private key can be understood as the password of a Web2 payment tool: whoever holds this "password" is the real owner of the crypto assets.

Therefore, the private key is generally the key information stolen by hackers. Generally speaking, most wallets are connected to the Internet, and the risk of private key leakage is high.

After cryptocurrency is stolen by hackers, the funds mainly flow into money laundering, with coin mixers as the representative "accomplices".

A currency mixer is built on privacy protection; the original idea was to erase the traces of users' on-chain transactions, but hackers have used it as a money laundering tool after transferring stolen assets. Tornado Cash, which was recently sanctioned, has "cleaned" more than $7 billion worth of virtual currency since its creation in 2019.

In May this year, the United States sanctioned the centralized currency mixing platform Blender on the grounds that Blender was suspected of helping the well-known North Korean hacker organization Lazarus Group launder some of the assets stolen from Axie Infinity.


Lazarus Group is a cyber hacker group from North Korea that stole more than $400 million worth of cryptocurrency in 2021.

Regulatory forces represented by the US government are targeting currency mixers, and hackers' wishful thinking may not work out so well in the future. Punishing crime is important, but another key issue is that the crypto world urgently needs better security solutions that balance the protection of property and privacy against the supervision of crime.

Whether it is an individual player who is trying out Web3 or an All-in builder, before leading to a beautiful new world, they must first walk through a dark forest full of security traps.
