Why are thefts concentrated among DeFi projects on Binance Smart Chain?
This article is from Hive Finance News, original title: "Hackers Exploit Same-Origin Vulnerabilities to 'Annihilate' Fork Protocols," author: Kyle.
In May 2021, the cryptocurrency market was quite turbulent, with BTC dropping from over $50,000 to a low of $29,000, nearly halving in value, and most cryptocurrencies experiencing declines of over 50%.
Amidst the massive fluctuations in the secondary market, the on-chain ecosystem was also unsettled. In May, the DeFi market experienced at least 13 hacking incidents, primarily concentrated on the Binance Smart Chain (BSC), resulting in a loss of $270 million, surpassing the total asset losses from all DeFi security incidents in 2020. BSC officials believe that an organized hacking team has targeted BSC.
Why are thefts concentrated among projects on the BSC chain? How do hackers find project vulnerabilities so quickly? Blockchain security company PeckShield found that many of the attacked projects shared same-origin vulnerabilities.
For example, after the BSC yield aggregator PancakeBunny was attacked, forks of PancakeBunny, AutoShark and Merlin Labs, were successively compromised within the following week; while the attacked BurgerSwap and JulSwap had code that was forked from Uniswap, but they seemed to have introduced vulnerabilities during modifications.
A relevant security officer from PeckShield told Hive Finance that these forked protocols were attacked mainly because they made minor innovations without fully understanding the logic behind the original protocol, leading to a small update or combination that could create vulnerabilities.
The repeated security incidents have once again reminded protocol developers that when innovating DeFi models, they should not overlook the security of the underlying code.
12 Projects Attacked, Losses of $270 Million
When it rains, it pours. As the cryptocurrency market continues to decline, security incidents involving on-chain protocols are frequent.
On May 30, the stablecoin exchange protocol Belt Finance on BSC suffered a flash loan attack, resulting in a loss of $6.2 million. According to blockchain security company PeckShield's tracking, the attacker first took out 8 flash loans on PancakeSwap, then manipulated the price of beltBUSD for profit by repeatedly buying and selling BUSD, exploiting a vulnerability in the bEllipsisBUSD strategy's balance calculation.
After the attack, Belt Finance apologized via Twitter and published a report, stating that it would conduct further audits and release a user compensation plan within 48 hours.
As a result, the governance token BELT of Belt Finance plummeted, dropping from a high of $58 on the 28th to $27, with a short-term decline of 53.44%.
This marks the 12th BSC project attacked in May. According to Hive Finance's statistics, since May 2, projects such as Spartan Protocol, Value DeFi, BearnFi, Venus, and PancakeBunny have been continuously compromised, with total losses amounting to $270 million, and Value DeFi has been attacked twice.
Overview of Attacked Projects on BSC
The $270 million in asset losses has already exceeded the losses from all DeFi security incidents in 2020. According to previous data released by PeckShield, there were 60 DeFi security incidents in 2020, resulting in losses of over $250 million.
In just one month, BSC has been continuously targeted by hackers, which seems quite strange. Under pressure, BSC officials recently stated on social media that there have been over 8 flash loan attacks targeting BSC projects recently, "We believe that an organized hacking team is now focused on BSC."
BSC officials urged all DApps to guard against risks, recommending that on-chain projects collaborate with auditing firms for health checks, and if they are forked projects, they should repeatedly check the changes made compared to the original version; take necessary risk control measures, actively monitor for anomalies in real-time, and promptly suspend protocols in case of abnormalities; develop emergency plans to prepare for the worst-case scenario; and if conditions permit, establish a bug bounty program.
Indeed, reviewing the 12 security incidents, flash loan attacks are the most commonly used method by hackers. Projects like Spartan Protocol, PancakeBunny, Bogged Finance, BurgerSwap, and JulSwap have all fallen victim to flash loan attacks.
It is important to clarify that flash loans themselves are not an attack method; they are simply an efficient lending model that can amplify anyone's capital. As Chainlink CMO Adelyn Zhou stated, "Flash loans do not create vulnerabilities within DeFi—they merely reveal existing vulnerabilities."
After rapid development in DeFi, the fact that so many projects on BSC have exposed vulnerabilities in a short time has left on-chain users feeling alarmed. One cannot help but ask, why are these security incidents concentrated on the BSC chain? And how are hackers able to quickly find vulnerabilities in so many projects and carry out attacks?
Forking Risks Emerge, Many Affected Projects Suffer Same-Origin Attacks
Since the beginning of this year, BSC has emerged as a strong contender. As a sidechain to Ethereum, it has attracted a large number of projects and on-chain players due to its more efficient transaction processing and low fees. At its peak, its total locked value exceeded $34.4 billion, making it the second-largest DeFi hub after Ethereum.
The rapid rise of the BSC ecosystem has seized the early mover advantage on-chain, leading to a clustering of projects. Previously, many projects on Ethereum had already been open-sourced, and many developers adopted the open-source code of mature projects like Uniswap and Curve, quickly launching them on BSC after simple modifications. This hurried forking has become a hidden risk for projects on the BSC chain, making them susceptible to mass hacking.
According to PeckShield, recently attacked BurgerSwap and JulSwap both had code that was forked from Uniswap. PeckShield pointed out, "But they seem to have not fully understood the logic behind Uniswap."
According to BurgerSwap's report after the incident, the attacker created "fake tokens," which then formed trading pairs with the protocol's native token BURGER, altering the latter's price. Clearly, BurgerSwap, forked from Uniswap, was not mature enough in certain aspects, allowing hackers to exploit vulnerabilities.
The source of forked protocols is not limited to Ethereum; some early protocol applications on the BSC chain have also been forked by later projects. The aggregator protocols AutoShark and Merlin Labs were both hacked after forking PancakeBunny. Looking at the timeline, on May 20, PancakeBunny was attacked via a flash loan, where the attacker manipulated the prices of LP Tokens BNB-BUNNY and BNB-BUSDT using the protocol.
After seeing PancakeBunny being attacked, AutoShark emphasized its security in a post, stating that it had conducted 4 code audits, with 2 ongoing. However, just 4 days later, AutoShark fell victim to a flash loan attack, with its token SHARK plummeting by 99%. According to PeckShield's analysis, the attack method was similar to that used against PancakeBunny.
Merlin Labs also faced a similar fate; before being attacked, it had stated that it had repeatedly executed code reviews and taken additional precautions for potential risks. However, on May 26, hackers "followed up" and looted Merlin Labs.
PeckShield believes this was a copycat case following the attack on PancakeBunny: the attackers needed neither high technical skill nor much capital; they could simply experiment patiently with the same-origin vulnerabilities in the forked protocols to reap considerable rewards. "Forked DeFi protocols may not yet be challengers to Bunny, but due to same-origin vulnerabilities they have suffered heavy losses and are mocked as 'stubborn leek fields'" (leeks being Chinese crypto slang for retail investors who get harvested again and again).
Additionally, in the case of Belt Finance being attacked, hackers exploited a vulnerability in the bEllipsisBUSD strategy balance calculation to manipulate the price of beltBUSD, while Ellipsis was forked from the well-known Ethereum protocol Curve.
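The common thread in the PancakeBunny, AutoShark, Merlin Labs and Belt cases above is a valuation that trusts a pool's spot reserves within a single transaction; the flash loan only supplies the capital to skew them, which is what the Chainlink quote earlier means by "reveal existing vulnerabilities". The following Python simulation is an added example written for this article, not code from any of the protocols named here and not a reconstruction of those exploits. It uses a constructed constant-product pool (an assumed 0.30% fee, 1000/1000 starting reserves, a made-up sequence of small trades, and an assumed 10% deviation tolerance) to contrast a naive LP valuation read from spot reserves with the fair-value formula 2*sqrt(k*p) driven by a time-weighted average price, and shows the kind of on-chain deviation check a vault could use as the "risk control mechanism" PeckShield recommends.

```python
"""Spot price vs. TWAP in a constant-product AMM: why one large swap inside a single
transaction skews reserve-based valuations, and two defensive alternatives.
Added illustration; pool sizes, fee, trades and tolerance are constructed assumptions."""
from dataclasses import dataclass, field
from math import sqrt

FEE_BPS = 30          # assumed 0.30% swap fee (Uniswap v2 style); real forks vary
MAX_DEVIATION = 0.10  # assumed tolerance between spot and TWAP before a vault refuses to act


@dataclass
class Pool:
    """Minimal x * y = k pool with a Uniswap-v2-style cumulative price accumulator."""
    reserve_a: float
    reserve_b: float
    price_cumulative: float = 0.0
    last_block: int = 0
    observations: list = field(default_factory=list)  # (block, cumulative price) pairs

    def spot_price(self) -> float:
        """Price of one A in B read straight from reserves: cheap, but movable within one tx."""
        return self.reserve_b / self.reserve_a

    def swap(self, amount_in: float, a_in: bool) -> float:
        """Swap amount_in of A (a_in=True) or B (a_in=False); returns amount out after the fee."""
        r_in, r_out = (self.reserve_a, self.reserve_b) if a_in else (self.reserve_b, self.reserve_a)
        effective_in = amount_in * (10_000 - FEE_BPS) / 10_000
        amount_out = r_out * effective_in / (r_in + effective_in)
        if a_in:
            self.reserve_a, self.reserve_b = self.reserve_a + amount_in, self.reserve_b - amount_out
        else:
            self.reserve_b, self.reserve_a = self.reserve_b + amount_in, self.reserve_a - amount_out
        return amount_out

    def end_block(self, block: int) -> None:
        """Commit the block-end spot price to the accumulator (Uniswap v2 does this per second)."""
        self.price_cumulative += self.spot_price() * (block - self.last_block)
        self.last_block = block
        self.observations.append((block, self.price_cumulative))

    def twap(self, window_blocks: int) -> float:
        """Time-weighted average price over the last window_blocks committed blocks."""
        end_block, end_cum = self.observations[-1]
        for block, cum in reversed(self.observations):
            if block <= end_block - window_blocks:
                return (end_cum - cum) / (end_block - block)
        raise ValueError("not enough price history for the requested window")


def naive_lp_value(pool: Pool) -> float:
    """Whole-pool value in B from spot reserves: the manipulable pattern."""
    return pool.reserve_a * pool.spot_price() + pool.reserve_b


def fair_lp_value(pool: Pool, reference_price: float) -> float:
    """Whole-pool value in B as 2*sqrt(k*p) with an external/TWAP reference price p.
    A swap only changes k by the fee it pays, so a skewed reserve ratio barely moves this."""
    k = pool.reserve_a * pool.reserve_b
    return 2 * sqrt(k * reference_price)


def price_is_sane(spot: float, reference: float, max_deviation: float = MAX_DEVIATION) -> bool:
    """Risk-control check: refuse to act when spot and the reference price disagree too much."""
    return abs(spot - reference) / reference <= max_deviation


def run_scenario() -> dict:
    """Constructed scenario: ten blocks of small organic trades, then one transaction in block 11
    that dumps a flash-loan-sized amount of B into the pool before any block-end price is committed."""
    pool = Pool(reserve_a=1_000.0, reserve_b=1_000.0)
    pool.end_block(0)
    for block in range(1, 11):
        pool.swap(5.0, a_in=(block % 2 == 1))  # alternate 5 A in / 5 B in
        pool.end_block(block)
    twap = pool.twap(10)  # only committed block-end prices feed the TWAP
    before = dict(spot=pool.spot_price(), naive=naive_lp_value(pool),
                  fair=fair_lp_value(pool, twap), sane=price_is_sane(pool.spot_price(), twap))
    pool.swap(5_000.0, a_in=False)  # same tx: borrowed B skews reserves, then the vault is queried
    after = dict(spot=pool.spot_price(), naive=naive_lp_value(pool),
                 fair=fair_lp_value(pool, twap), sane=price_is_sane(pool.spot_price(), twap))
    return {"twap": twap, "before": before, "after": after}


if __name__ == "__main__":
    result = run_scenario()
    print(f"TWAP over 10 blocks: {result['twap']:.4f}")
    for label in ("before", "after"):
        s = result[label]
        print(f"{label}: spot={s['spot']:.3f} naive_value={s['naive']:.1f} "
              f"fair_value={s['fair']:.1f} sane={s['sane']}")
```

Running it shows the spot price jumping from about 1.0 to roughly 36 after the single swap, the naive reserve-based valuation inflating about sixfold, the 2*sqrt(k*p) valuation moving by a fraction of a percent, and the deviation check flipping from true to false. The fair-value formula still needs a trustworthy reference price (a TWAP over enough blocks or an external oracle), and the deviation check is a circuit breaker rather than a fix: it is the "monitor for anomalies and suspend" step from the BSC recommendations expressed in contract logic.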
A relevant security officer from PeckShield told Hive Finance that these forked protocols were attacked mainly because they made minor innovations without fully understanding the logic behind the original protocol, leading to a small update or combination that could create vulnerabilities.
The officer stated that starting from known vulnerabilities is a common "foraging" method used by attackers in the still-developing DeFi field. For project teams, the emphasis on the security of DeFi protocols is not just lip service; it should be about "self-reflecting on the code three times a day": Has static auditing been done before the protocol goes live? After other protocols have been attacked, has there been a self-check of the code to see if similar vulnerabilities exist? Are there security risks in the interacting protocols?
From the above cases, it can be seen that a batch of projects on the BSC chain suffered concentrated thefts mainly because hackers found multiple same-origin vulnerabilities in various protocols, allowing them to "learn from one to attack many" and complete the plundering of multiple projects in a short time.
The repeated security incidents have also served as a reminder to protocol developers that when innovating DeFi models, they should not overlook the security of the underlying code.
In response, PeckShield recommends that new contracts undergo audits before going live, and also pay attention to checking for business logic vulnerabilities when combining with other DeFi products. Additionally, a certain risk control mechanism should be designed, incorporating threat perception intelligence and data situational awareness services from third-party security companies to improve the defense system. "All DeFi protocols have variables; even if a protocol has undergone multiple audits, a small update can render the audit useless, so even a small update must be re-audited."