Slow Fog: The 2021 blockchain security incidents resulted in losses exceeding 9.8 billion USD

Original Title: "Slow Mist: 2021 Blockchain Security Ecosystem Review, Global Loss Exceeds $9.8 Billion"

In 2021, it was a tumultuous year for the blockchain industry. Nevertheless, thanks to its decentralized, open, and transparent characteristics, blockchain achieved good results with efforts from both within and outside the industry. At the same time, following the DeFi boom, the global frenzy for NFTs and the metaverse brought blockchain to unprecedented heights. What exactly happened this year? This article will delve into the development of the blockchain market and typical security incidents to explore the details.

Blockchain Ecosystem Security Situation

1 Policy, Compliance, Regulation

From a domestic perspective, on one hand, the government has increased its emphasis on the research and application of blockchain technology, with the Ministry of Industry and Information Technology stating that by 2025, the service capabilities of blockchain and other facilities will be significantly enhanced; on the other hand, the government continues to tighten regulations on cryptocurrencies. In September, multiple departments issued the "Notice on Further Preventing and Handling Risks of Virtual Currency Trading Speculation," and the National Development and Reform Commission and other departments jointly released the "Notice on Rectifying Virtual Currency 'Mining' Activities." Relevant materials indicate that in 2021, the national level introduced policy documents related to blockchain covering areas such as university research, talent cultivation, technical application standards, intellectual property, digital agriculture, shipping and transportation, epidemic prevention and control, cybersecurity, social assistance, and the digital cultural industry.

From an international perspective, governments around the world continue to pay attention to cryptocurrencies, with regulations gradually improving and policies becoming more relaxed. The global anti-money laundering organization, the Financial Action Task Force, released the latest regulatory guidelines for cryptocurrencies; Seoul, South Korea, plans to create a public service "metaverse platform"; Texas, USA, has officially enacted a cryptocurrency bill; Bitcoin has officially become legal tender in El Salvador; and the Ukrainian parliament passed a virtual assets bill, among other developments.

It is evident that the global emphasis on blockchain by various governments has further increased, with blockchain being embraced by more and more mainstream institutions as an important component of "new infrastructure."

2 Technology, Application, Economy

China's "Blockchain + Industry" is also steadily developing, with various landing application projects continuously emerging. The country's first blockchain intellectual property protection workstation was established; Guangdong Province issued the first public data asset certificate in the country. Major companies have also joined the race: Huawei publicly disclosed patents for "security chips and processing methods," Tencent Cloud Blockchain launched three products, and Baidu added patents for "blockchain system upgrade methods, devices, equipment, and storage media"; the China Mobile Communications Association's Metaverse Industry Committee was officially established; China ranks first globally in blockchain patent applications, accounting for about 63%; and the Ministry of Commerce stated it would promote the standardized application of new technologies such as blockchain.

In 2021, significant breakthroughs were also achieved in underlying blockchain technology. Ethereum is expected to merge in Q2 2022, with Vitalik Buterin and others proposing EIP-4488 aimed at reducing gas fees for Ethereum Layer 2 scaling solutions; the Ethereum Layer 2 scaling solution Arbitrum will launch a new version based on WASM; and on August 5, Ethereum completed the London upgrade.

3 Security Incidents

Blockchain technology is a double-edged sword. While its decentralization, anonymity, and immutability promote industrial progress, the security issues associated with blockchain have also significantly increased, with various cryptocurrency crimes such as money laundering, fraud, theft, drug trafficking, and mining crimes occurring frequently.

According to incomplete statistics from Slow Mist Technology's blockchain hacking archives, as of the publication date, there were a total of 231 publicly reported blockchain security incidents in the blockchain ecosystem in 2021, with losses exceeding $9.8 billion.

(Source: hacked.slowmist.io)

Among these, there were 170 security incidents involving various ecosystem DApps and DeFi, 15 incidents involving exchanges, 8 incidents involving public chains, 3 incidents involving wallets, and 35 incidents of other types.

Since 2018, the overall trend of losses has been on the rise.

Now, let's review typical incidents, along with Slow Mist's perspectives on each type of incident. Although the incidents listed in this article are just the tip of the iceberg, they are highly representative.

Security Incidents and Perspectives

1 Public Chains

BSV Suffers 51% Attack

On August 4, BSV reportedly suffered a 51% attack, resulting in nearly 100 blocks being reorganized.

ETC Mainnet Experiences Fork

On September 4, Ethereum Classic (ETC) tweeted that due to a vulnerability in the Ethereum client Geth, the ETC mainnet experienced a fork.

Solana's Mainnet Beta Version Faces DDoS Attack

On September 14, the public chain Solana's mainnet Beta version began experiencing instability at 19:52 Beijing time. On September 21, Solana officials released a preliminary overview of the network interruption: the Solana network was offline for 17 hours, with no loss of funds, and the network fully restored within 24 hours. The reason for the network stagnation was a DDoS attack. At 12:00 UTC, Grape Protocol launched an IDO on Raydium, and transactions generated by bots caused network congestion. These transactions led to memory overflow, causing many validator nodes to crash, forcing the network to slow down and eventually stop.

Slow Mist's Perspective

Although public chain security vulnerabilities result in relatively small losses, their impact on the entire chain ecosystem is significant. Therefore, public chains must undergo professional security audits before going live. It is recommended that public chain teams collaborate closely with trusted and professional security teams to deploy tailored security recommendations, minimizing the likelihood of security issues and ensuring the overall security of the public chain.

2 Exchanges

Cryptopia Hacked Again

On February 20, New Zealand exchange Cryptopia was hacked again. Investigations revealed that hackers accessed a wallet that had been dormant since a hack in January 2019. This wallet belonged to Stakenet and was controlled by Cryptopia's liquidator Grant Thornton. According to the investigation, the dormant wallet held approximately $1.96 million worth of Xtake, Stakenet's native token.

Liquid Hot Wallet Attacked

On August 19, Japanese cryptocurrency exchange Liquid reported that its hot wallet had been attacked. Slow Mist's AML team utilized its MistTrack anti-money laundering tracking system for analysis, revealing that Liquid suffered a total loss of approximately $91.35 million (based on the price on the day of the incident), with stolen assets involving over 70 types of cryptocurrencies, including BTC, ETH, ERC20 tokens, TRX, TRC20 tokens, XRP, and more.

Slow Mist's Perspective

Security issues at exchanges have become the primary concern for both exchanges and users, even becoming a key factor in determining the survival of exchanges. Especially in the fourth quarter of this year, various exchanges have been attacked in succession, resulting in significant losses.

The frequent attacks on exchanges can be attributed to the following reasons: (1) Exchanges accumulate large amounts of funds, making them prime targets for hackers; (2) Exchanges often have weak defenses, making them susceptible to security vulnerabilities that hackers can exploit; (3) Users lack sufficient security awareness; (4) Internal collusion.

For exchanges, it is recommended to improve internal management and technical mechanisms, with internal security personnel promptly addressing security-related issues. The most important and effective method is to conduct comprehensive and in-depth security audits before launching the project, minimizing the likelihood of security issues.

3 Wallets

Ledger Wallet Experiences Multiple Data Breaches

On June 18, Bitcoin hardware wallet provider Ledger warned users that a series of new scams had emerged, utilizing counterfeit Ledger hardware wallets to defraud users of their assets. Some users whose information had been leaked a year prior received packages requesting them to replace their hardware wallets, which included a forged official letter and a tampered Ledger hardware wallet.

Ledger stated that the claim in the letter about "needing to replace the existing hardware wallet to protect your funds" was a scam, and the included Ledger Nano was also fake. If users followed the instructions in the letter and entered their seed words, their crypto assets would be stolen.

Multiple Chivo Wallets Stolen

The Chivo wallet is a national digital wallet released by the Salvadoran government to promote the Bitcoin law on September 7. To incentivize users, El Salvador promised that those who downloaded and verified the Chivo wallet would receive a $30 Bitcoin reward. This initiative led to over 2 million users within a month. However, from October 9 to October 14, the Salvadoran human rights organization Cristosal received 755 reports from Salvadorans claiming their Chivo wallet identities had been stolen.

Slow Mist's Perspective

Although the number of incidents related to wallets has decreased this year, the number of thefts due to downloading fake wallet apps remains substantial. According to Slow Mist's November report, fake wallet apps have led to thousands of thefts, with losses reaching up to $1.3 billion. Establishing security awareness and mastering the correct methods are essential to truly protect your assets. First, ensure you use official websites and avoid clicking links other than those from official sources; second, back up your wallet and securely store your private key mnemonic; finally, always maintain a skeptical mindset—there's no such thing as a free lunch.

4 DApp, DeFi, NFT, Cross-chain

(1) ETH Ecosystem

SushiSwap Attacked Again

On January 27, SushiSwap was attacked again, resulting in a loss of 81 ETH. This attack was similar to the first attack on SushiSwap, profiting by manipulating the exchange rates of trading pairs. This time, the attack exploited the fact that DIGG did not have a trading pair with WETH, and the attacker created this trading pair and manipulated the initial trading price, leading to significant slippage during the fee exchange process, allowing the attacker to obtain substantial profits with a small amount of DIGG and WETH.

SIL Recovered $12.15 Million After Theft

On March 19, the DeFi aggregation financial service SIL.Finance's contract experienced a critical vulnerability. SIL.Finance later stated that this incident was caused by a smart contract permission vulnerability, which triggered a generic front-running bot to submit a series of transactions for profit. After discovering that the smart contract could not withdraw due to the critical vulnerability, Slow Mist and other parties successfully recovered $12.15 million after 36 hours of effort.

(2) BSC Ecosystem

Compound Vulnerability and Proposal

On September 30, the decentralized lending protocol Compound confirmed via Twitter that after executing Proposal 62, there was an abnormal distribution of COMP tokens in the protocol's liquidity mining. Compound Labs and community members are investigating. Compound stated that no risks were found in deposit and loan funds. Compound founder Robert Leshner indicated that the issue appeared to be due to an initial setting error in the distribution rate of COMP tokens based on Proposal 62, leading to an excessive distribution of COMP tokens. On October 4, while Compound was attempting to patch the vulnerability, an additional $68.8 million worth of COMP tokens (a total of 202,472 COMP) was injected into the already vulnerable liquidity mining token distribution contract due to the call of the drip() function.

Cream Finance Attacked Three Times

On October 27, the DeFi lending protocol Cream Finance was attacked, resulting in a loss of approximately $130 million. The stolen funds primarily consisted of Cream LP tokens and other ERC-20 tokens. This incident is noted as the third-largest DeFi hack in history. Additionally, Cream Finance had previously suffered multiple flash loan attacks, losing $37.5 million in February and another $19 million in August.

(3) EOS Ecosystem

flash.sx Smart Contract Re-Entry Attack

Starting from May 14 at 11:28 UTC, the flash.sx flash loan smart contract suffered from a "re-entry" attack vulnerability, resulting in approximately 1.2 million EOS and 462,000 USDT being stolen. According to official news, after the flash loan from EOS Nation was hacked, the project team proposed to directly change the hacker's EOS account permissions to return the assets.

PIZZA Hacked

On December 8 at 8 PM, a hacker account named itsspiderman exploited an overflow vulnerability in eCurve to create tripool market-making certificates out of thin air, borrowing and staking most of the tokens in the PIZZA protocol. Afterward, the hacker created over 1.3 million accounts and dispersed the stolen assets. The loss for the PIZZA protocol in this attack was approximately $5 million.

(4) Polygon Ecosystem

Algorithmic Stablecoin Project SafeDollar Attacked

On June 28, the algorithmic stablecoin project SafeDollar on Polygon reportedly suffered a hack, with an unverified contract seemingly draining $250,000 worth of USDC and USDT.

PolyYeld Finance Contract Exploited

The yield farming protocol PolyYeld Finance was attacked, with the project contract exploited to mint 49 trillion YELD tokens and dump them on the secondary market.

(5) HECO Ecosystem

HSO Runs Away with 30,000 HT

On March 10, the oracle project HSO on the Huobi Eco Chain (HECO) ran away with 30,000 HT after conducting an IDO, with the website and Telegram being inaccessible. Subsequently, with the full support of the HECO core code contribution team, Star Lab, HECO technical community, and HECO white hat security alliance, 24,823 HT were recovered.

XDX Swap Attacked

On July 2, the cross-chain decentralized exchange DDEX on the Heco chain was attacked, with the attacker profiting 85.17 ETH (approximately $176,000) and transferring it all to Ethereum. The DDEX code was suspected to have a backdoor. With the support and cooperation of DDEX, Star Lab, and the HECO white hat security alliance, most of the funds involved in this attack, totaling over $5 million, were gradually recovered.

(6) Other Ecosystems

NEAR Ecosystem Ref.Finance Exploited Due to Contract Error

On August 15, the NEAR ecosystem Ref.Finance team tweeted that around 2 PM UTC on August 14, they noticed abnormal behavior in the REF-NEAR trading pair and discovered an error in the patch of a recently deployed contract, which had been exploited by multiple users, affecting approximately 1 million REF and 580,000 NEAR.

Solana Ecosystem Solend Hacked

On August 19, the Solana ecosystem lending protocol Solend tweeted that the protocol was hacked at 8:40 PM Beijing time, with the attacker bypassing the unsafe identity check in the UpdateReserveConfig function, allowing them to liquidate all accounts. Additionally, the hacker set the APY for borrowed funds to 250%. During this period, five users' funds were mistakenly liquidated. Solend stated that this attack did not result in stolen funds, and they would increase the bounty for vulnerabilities and establish better monitoring and alert systems.

Polkadot Ecosystem IDO Platform Polkatrain Exploited

On April 5, the Polkadot ecosystem IDO platform Polkatrain experienced an incident. According to Slow Mist's analysis, the problematic contract was the POLT_LBP contract of the Polkatrain project, which had a swap function and a rebate mechanism. When users purchased PLOT tokens through the swap function, they received a certain amount of rebate, which would be transferred to users via the contract's _update function. Due to the lack of a maximum rebate amount set in the _update function and the absence of checks on whether the total rebate had been exhausted, malicious arbitrageurs could exploit the contract's rebate rewards by repeatedly calling the swap function for token exchanges.

Avalanche Chain Lending Protocol Vee.Finance Hacked

On September 20, the Vee.Finance team on the Avalanche chain noticed multiple abnormal transfers. After further monitoring, a total of 8,804.7 ETH and 213.93 BTC were stolen (total value exceeding $35 million). The stablecoin portion was not affected by this attack.

Fantom Chain GrimFinance Faces Flash Loan Attack

On December 19, the yield farming platform GrimFinance on the Fantom chain suffered a flash loan attack, with losses exceeding $30 million. The attacker exploited a function named "beforeDeposit()" in GrimFinance's vault strategy, inputting a malicious Token contract.

(7) Cross-chain Systems

Cross-chain Trading Protocol THORChain Attacked Three Times

On June 29, THORChain suffered a "fake recharge" attack, resulting in a loss of nearly $350,000; on July 16, THORChain was attacked again with a "fake recharge," losing nearly $8 million; on July 23, THORChain was attacked once more, with losses nearing $8 million.

Cross-chain Bridge Chainswap Hacked, Affecting Multiple Platforms

On July 11, the cross-chain bridge project Chainswap was hacked again, with over 20 project tokens deployed on the bridge's smart contract being stolen, resulting in an estimated total loss of $4 million, making it one of the most significant security incidents in DeFi history. According to Chainswap's investigation, due to an error in the token cross-chain quota code, the on-chain exchange bridge quota was automatically increased by signing nodes, aiming for greater decentralization without manual control. However, due to a logical flaw in the code, this led to a vulnerability that allowed the automatic increase of amounts from unlisted invalid addresses. Previously, on July 2, Chainswap had also suffered a hack, with some user tokens being actively withdrawn from wallets interacting with ChainSwap, resulting in an estimated total loss of $800,000.

Poly Network $610 Million Stolen and Returned

The Poly Network attack incident on August 10 may be the largest network security incident in history, with over $610 million in crypto assets stolen and returned within 15 days. The entire blockchain industry and all relevant parties experienced this rollercoaster process alongside Poly Network. Currently, all involved assets have been returned to users, and the system's functionality has been largely restored to pre-incident levels.

(8) NFT

NFT Fraud Spreads

On August 2, a scammer named "cryptopunksbot" posted on the CryptoPunk Discord server, offering NFT investors a chance to win 10 NFT avatars. The NFT project founder Stazie lost 16 CryptoPunks worth at least $1 million after accepting a fake offer. Subsequently, the fraudster sold 5 CryptoPunks for 149 ETH ($385,000).

Slow Mist's Perspective

Since the birth of DeFi, it has been accompanied by countless risks. Although many DeFi projects have seen explosive growth in value, hacking incidents have also intensified. According to Slow Mist's statistics, DeFi typically faces the following types of attacks: (1) flash loan attacks; (2) contract vulnerabilities; (3) compatibility or architectural issues; (4) private key leaks or front-end attacks; (5) internal collusion and exit scams.

For project teams, to eliminate vulnerabilities and reduce security risks as much as possible, effective efforts must be made—conducting comprehensive and in-depth security audits before launching the project. Additionally, it is recommended that DeFi project teams enhance asset protection by introducing multi-signature mechanisms. On the other hand, when conducting inter-protocol interactions, DeFi projects need to ensure compatibility between protocols. Developers must fully understand the architecture of the protocol being ported and their own project's architecture to prevent financial losses. For users, as the blockchain field becomes increasingly diverse, it is essential to thoroughly understand the project's background before investing, check whether the project is open-source and has undergone audits, and remain vigilant about project risks.

5 Other Types

Ransomware

On May 7, Colonial Pipeline, the largest oil and gas pipeline operator in the U.S., was targeted by a ransomware attack and was forced to suspend operations, later paying 75 bitcoins, over $4 million in ransom, to restore normal operations. This ransomware attack drew global attention due to its impact on national critical infrastructure. In response to this incident, U.S. Department of Justice officials stated that they had successfully recovered over $2 million of the ransom. However, U.S. government officials did not provide specific details on "how the private key was obtained and the ransom was recovered," only stating that this action demonstrated the U.S. government's commitment to combating ransomware attacks.

Fraud

On August 20, the founder of one of Russia's largest cryptocurrency scams was sentenced to prison for allegedly defrauding investors of over $1.5 billion. Finiko was established in 2019 in Kazan and posed as a legitimate BTC investment company. In December 2020, Finiko launched its native cryptocurrency FNK. According to local reports, the founder took BTC from investors and rewarded them with FNK tokens.

Phishing

On October 15, a report released by Sophos stated that the crypto fraud application CryptoRom stole $1.4 million by exploiting the "super signature service" and Apple's developer enterprise program. To date, Bitcoin addresses associated with this scam have sent over $1.39 million, and there may be more addresses linked to this scam. The report indicated that most victims were iPhone users. It also stated that CryptoRom bypassed all security checks of the App Store and remained active daily. The report further noted that Apple "should warn users about installing applications through temporary distribution or enterprise configuration systems, as these applications have not been reviewed by Apple."

Slow Mist's Perspective

As blockchain develops vigorously, various new investment scams under the guise of blockchain have emerged like mushrooms after rain. For example, the U.S. Treasury Department's Financial Crimes Enforcement Network released a report indicating that transactions related to ransomware in the first half of 2021 reached $590 million. Slow Mist reminds users not to open attachments from unknown emails, carefully identify phishing websites, and maintain a skeptical and cautious attitude while effectively utilizing antivirus software.

Conclusion

Although the market value of many cryptocurrencies represented by BTC continues to reach new highs, the overall development trend of the blockchain industry is improving. However, cryptocurrency crimes have also become more rampant. From statistical data, the months with the most frequent security incidents and significant monetary losses were primarily April, June, and August; in terms of ecosystems, Ethereum suffered the most losses, exceeding $1.3 billion, followed by the BSC ecosystem; in terms of attack areas, exchanges and DeFi were the most frequently attacked.

For project teams, it is recommended to improve internal management and technical mechanisms, with internal security personnel promptly addressing security-related issues. The most important and effective method is to conduct comprehensive and in-depth security audits before launching the project, minimizing the likelihood of security issues.

For users, it is crucial to view blockchain correctly and rationally, establish proper monetary concepts and investment philosophies, and effectively enhance risk prevention awareness. For instance, before investing, pay attention to whether the smart contract is open-source, whether the platform itself has undergone security audits, and most importantly, safeguard your private key mnemonic and never disclose it to anyone.

Finally, we look forward to the blockchain in the new year bursting with greater energy, producing more practical applications, and creating greater value.