Chengdu Chain Security Report: In Q1 2022, global blockchain attack-related security incidents caused losses of up to $1.2 billion
1. Overview of the Blockchain Security Ecosystem in Q1 2022: Losses from Security Incidents Reached Approximately $1.2 Billion
In the first quarter of 2022, according to data monitored by Chengdu Chain Security's 【Chain Biying - Blockchain Security Situation Awareness Platform】, losses from attack-related security incidents reached approximately $1.2 billion, an increase of about 9 times compared to $130 million in the same period last year (Q1 2021). This amount is also higher than any quarter in 2021.
In March 2022, the Ronin attack resulted in $625 million being stolen, surpassing the $610 million lost in the Poly Network attack in August 2021, making it the largest loss in DeFi hacking incidents. Of course, not every project can recover funds like Poly Network did. As of the writing of this report (April), the Ronin hackers are still laundering the stolen funds in batches.
Further Reading:
Over $600 Million Stolen! Analysis of the Ronin Cross-Chain Bridge Attack
Chengdu Chain Security's Comprehensive Analysis of the Poly Network Attack
From the Perspective of Blockchain Platforms
Ethereum and BNB remain the two chains with the highest frequency of attacks, but a high frequency of attacks does not necessarily mean high loss amounts. In the first quarter of 2022, we monitored two typical attack incidents on the Solana chain, with losses amounting to $37.4 million, far exceeding the losses on the BNB Chain.
From the Perspective of Fund Flow
In 80% of cases, hackers ultimately transfer the stolen funds to Tornado.Cash for mixing. In 10% of cases, hackers temporarily leave the funds in their own addresses, sometimes waiting months or even years before transferring the stolen money. A small number of hackers actively return the stolen funds.
From the Perspective of Attack Methods
Exploiting contract vulnerabilities and flash loan attacks are the most commonly used methods by hackers. 50% of attack methods involve exploiting contract vulnerabilities.
From the Perspective of Audit Status
Among the attacked projects, 70% had undergone audits by third-party security companies. However, the remaining 30%, which were unaudited, accounted for over 60% of the total loss amount.
From the Perspective of Project Types
DeFi projects remain a hot area for hacker attacks, accounting for 60% of the total number of attacked projects. Although cross-chain bridge projects are attacked less frequently, the amounts involved are substantial.
2. Over 30 Typical Attack Incidents Occurred in Q1, Cross-Chain Bridge Projects Suffered Heavily
In the first quarter of 2022, there were approximately 30 typical security incidents in the blockchain field. The total loss amount was approximately $1.2 billion, an 823% increase compared to the same period last year.
Among the top 20 ranked incidents, the highest loss was from Ronin, amounting to $625 million, which is 558 times the lowest amount lost by Build Finance ($1.12 million).
From the statistical chart, it can be seen that the losses from the Ronin and Wormhole projects reached $950 million, accounting for 80% of the total loss amount in Q1 2022. It is worth noting that both are cross-chain bridge projects.
3. In Terms of Attacked Project Types, DeFi Remains the Focus of Hacker Attacks
In the first quarter of 2022, DeFi projects continued to be the focus of hacker attacks in the blockchain field, with a total of 19 security incidents; approximately 60% of all attacks occurred in the DeFi sector.
Attacks targeting NFTs also increased in the first quarter of 2022. Cross-chain bridge projects were attacked four times, with losses of $950 million, accounting for 80% of the total loss amount in Q1 2022: cross-chain bridge security incidents are frequent and involve substantial amounts.
4. In Terms of Loss Amounts by Chain Platform: Ethereum Had the Highest Loss Proportion
In the first quarter of 2022, Ethereum and Solana ranked first and second in attack loss amounts, at $654.48 million and $37.4 million, respectively.
Ethereum also had the highest frequency of attacks, accounting for 45% of the total frequency; the second was BNB Chain, accounting for 19%.
The two attack incidents on the Solana chain resulted in significant losses: Wormhole lost $326 million, and Cashio lost $48 million. Both attacks exploited contract vulnerabilities.
Additionally, no major security incidents were detected in the first quarter of 2022 on some public chains that rank high by TVL, such as Terra, Avalanche, and Tron.
5. Analysis of Attack Methods: Contract Vulnerabilities and Flash Loans Are the Most Common
In the first quarter of 2022, in the blockchain security ecosystem, approximately 50% of attack methods were contract vulnerabilities, and 24% were flash loans.
12% of attacks were due to private key leaks, phishing attacks, and social engineering attacks. These attacks stem from the project parties not properly safeguarding private keys or lacking vigilance.
Among the contract vulnerabilities exploited by hackers, the most common vulnerability was reentrancy (30%), followed by improper business logic (24%), call injection attacks (18%), and improper or insufficient validation (18%); most of these vulnerabilities can be detected and fixed early through security audits.
6. Analysis of Typical Security Incidents
Case 1: TreasureDAO Attack Incident
Background:
On March 3, the TreasureDAO NFT marketplace was reported to have a vulnerability, resulting in over 100 NFTs being stolen. However, just a few hours after the incident, the attacker began returning the stolen NFTs.
Details:
The transaction initiator passed a _quantity parameter with a value of 0 to the contract's buyItem function, allowing them to purchase the ERC-721 token with TokenID 5490 without any fees.
From the code perspective, the contract's buyItem function did not check the token type before using the _quantity parameter: it directly multiplied _quantity by _pricePerItem to calculate totalPrice, so the ERC-20 payment transferred via safeTransferFrom could be 0 and the purchase still went through.
When the token was then delivered, buyItem only checked the type of the token being purchased and never required a non-zero quantity, so an ERC-721 token was transferred regardless of the _quantity value, which made the attack possible.
Suggestions:
The main reason for this security incident was the logical confusion caused by handling ERC-1155 and ERC-721 tokens with the same code path. ERC-721 tokens have no concept of quantity, yet the contract used quantity to calculate the purchase price, and the transfer logic did not distinguish between the two token types.
It is recommended that developers design different business logic based on the characteristics of different tokens when developing sales contracts for multiple types of tokens.
Further Reading: Strange? Stolen and Returned? Analysis of the TreasureDAO Security Incident
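To make the Case 1 logic concrete, the following is an added Python model of the buyItem flow described above; it is not TreasureDAO's contract code. It models the vulnerable form (totalPrice = _quantity * _pricePerItem with no quantity check, and an ERC-721 transfer that ignores _quantity) beside a hardened form that applies a per-standard quantity rule. Token standards, balances, the listing structure and all names are assumptions made for the example.

```python
ERC721 = "ERC721"
ERC1155 = "ERC1155"


class Marketplace:
    """Model of a marketplace selling ERC-721 and ERC-1155 tokens for one ERC-20 payment token."""

    def __init__(self):
        self.listings = {}      # token_id -> listing dict
        self.nft_owner = {}     # ERC-721 token_id -> owner
        self.nft_balance = {}   # (ERC-1155 token_id, holder) -> balance
        self.erc20 = {}         # holder -> payment-token balance

    def list_item(self, seller, token_id, token_type, price_per_item, quantity=1):
        self.listings[token_id] = dict(seller=seller, token_type=token_type,
                                       price_per_item=price_per_item, quantity=quantity)

    def _pay(self, buyer, seller, total_price):
        # Models paymentToken.safeTransferFrom(buyer, seller, totalPrice).
        # A zero-value ERC-20 transfer succeeds, so this step alone never stops a free purchase.
        if self.erc20.get(buyer, 0) < total_price:
            raise ValueError("insufficient payment token")
        self.erc20[buyer] = self.erc20.get(buyer, 0) - total_price
        self.erc20[seller] = self.erc20.get(seller, 0) + total_price

    def _deliver(self, listing, token_id, buyer, quantity):
        seller = listing["seller"]
        if listing["token_type"] == ERC721:
            # Models IERC721.safeTransferFrom(seller, buyer, tokenId): the whole token moves,
            # whatever value _quantity held.
            if self.nft_owner.get(token_id) != seller:
                raise ValueError("seller does not own token")
            self.nft_owner[token_id] = buyer
        else:
            # Models IERC1155.safeTransferFrom(seller, buyer, tokenId, quantity, "").
            if self.nft_balance.get((token_id, seller), 0) < quantity:
                raise ValueError("seller lacks ERC-1155 balance")
            self.nft_balance[(token_id, seller)] -= quantity
            self.nft_balance[(token_id, buyer)] = self.nft_balance.get((token_id, buyer), 0) + quantity

    def buy_item_vulnerable(self, buyer, token_id, quantity, price_per_item):
        """As described in the report: totalPrice = _quantity * _pricePerItem with no check
        that _quantity is non-zero, so quantity 0 yields a free ERC-721 transfer."""
        listing = self.listings[token_id]
        if price_per_item != listing["price_per_item"]:
            raise ValueError("price mismatch")
        total_price = price_per_item * quantity
        self._pay(buyer, listing["seller"], total_price)
        self._deliver(listing, token_id, buyer, quantity)
        return total_price

    def buy_item_fixed(self, buyer, token_id, quantity, price_per_item):
        """Hardened form: the quantity rule depends on the token standard and a zero total is rejected."""
        listing = self.listings[token_id]
        if price_per_item != listing["price_per_item"]:
            raise ValueError("price mismatch")
        if listing["token_type"] == ERC721:
            if quantity != 1:
                raise ValueError("ERC-721 purchases must have quantity 1")
        elif quantity == 0 or quantity > listing["quantity"]:
            raise ValueError("invalid ERC-1155 quantity")
        total_price = price_per_item * quantity
        if total_price == 0:
            raise ValueError("zero-price purchase rejected")
        self._pay(buyer, listing["seller"], total_price)
        self._deliver(listing, token_id, buyer, quantity)
        return total_price


def zero_quantity_purchase(fixed):
    """A buyer holding no payment token asks for ERC-721 token 5490 with _quantity = 0."""
    m = Marketplace()
    m.nft_owner[5490] = "seller"
    m.list_item("seller", 5490, ERC721, price_per_item=100)
    buy = m.buy_item_fixed if fixed else m.buy_item_vulnerable
    try:
        paid = buy("buyer", 5490, quantity=0, price_per_item=100)
    except ValueError as exc:
        return ("rejected", str(exc), m.nft_owner[5490])
    return ("bought", paid, m.nft_owner[5490])


if __name__ == "__main__":
    print(zero_quantity_purchase(fixed=False))
    print(zero_quantity_purchase(fixed=True))
```

The fixed variant encodes the report's recommendation directly: the purchase path branches on the token standard before the price is computed, and a totalPrice of zero is never accepted, so neither an ERC-721 nor an ERC-1155 listing can be taken for free.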
Case 2: Build Finance Project Faces Governance Attack
Background:
On February 15, the DAO organization Build Finance reported that it had suffered a malicious governance attack, with the attacker successfully controlling its Token contract by obtaining enough votes.
Details:
In a transaction on September 4, 2020, the creator of the Build Finance contract transferred governance rights through the setGovernance function. By examining the internal storage, it was found that the rights were transferred to the address 0x38bce4b. Further investigation revealed that 0x38bce4b was a Timelock contract, and only the executeTransaction function within the contract could call the setGovernance function.
Continuing the investigation, it was found that on January 25, 2021, the address 0x38bce4b called the executeTransaction function to transfer rights to the address 0x5a6ebe. On February 11, 2022, due to a low voting threshold, the proposal passed, and the governance rights of address 0x5a6ebe were changed to address 0xdcc8A38A. After obtaining governance rights, the attacker maliciously minted tokens and drained the liquidity of the trading pool.
Suggestions:
DAO contracts should set appropriate voting thresholds to achieve true decentralized governance, preventing proposals from passing and being executed with a minimal number of votes. It is recommended to refer to the governance contract implementations provided by OpenZeppelin.
Further Reading: Build Finance Suffers Malicious Governance Takeover, Drained Completely!
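The suggestion for Case 2 is a voting threshold tied to token supply plus a delay before execution. As an added illustration, not Build Finance's contracts and not OpenZeppelin's Governor, the Python model below gates a proposal on a quorum expressed as a fraction of total supply and on a timelock, so that a single small holder cannot pass and execute a proposal on their own. Supply, quorum values, the delay and all names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proposal:
    proposal_id: int
    for_votes: int = 0
    against_votes: int = 0
    voters: set = field(default_factory=set)
    eta: Optional[int] = None   # earliest execution time once queued
    executed: bool = False


class Governor:
    """Model of a governance contract: quorum as basis points of supply, plus a timelock."""

    def __init__(self, total_supply, quorum_bps, timelock_delay):
        self.total_supply = total_supply
        self.quorum_bps = quorum_bps          # e.g. 400 = 4% of supply must vote in favour
        self.timelock_delay = timelock_delay  # seconds between queue and execute
        self.proposals = {}

    def quorum(self):
        return self.total_supply * self.quorum_bps // 10_000

    def propose(self, proposal_id):
        self.proposals[proposal_id] = Proposal(proposal_id)
        return self.proposals[proposal_id]

    def cast_vote(self, proposal_id, voter, weight, support):
        p = self.proposals[proposal_id]
        if voter in p.voters:
            raise ValueError("already voted")
        p.voters.add(voter)
        if support:
            p.for_votes += weight
        else:
            p.against_votes += weight

    def succeeded(self, proposal_id):
        # A proposal passes only if the quorum is reached AND it has a majority.
        p = self.proposals[proposal_id]
        return p.for_votes >= self.quorum() and p.for_votes > p.against_votes

    def queue(self, proposal_id, now):
        if not self.succeeded(proposal_id):
            raise ValueError("proposal did not reach quorum")
        self.proposals[proposal_id].eta = now + self.timelock_delay
        return self.proposals[proposal_id].eta

    def execute(self, proposal_id, now):
        # The delay gives token holders and monitoring time to react before anything changes.
        p = self.proposals[proposal_id]
        if p.eta is None or now < p.eta:
            raise ValueError("timelock not elapsed")
        p.executed = True
        return True


def single_voter_outcome(quorum_bps):
    """One voter holding 0.5% of supply votes alone for a proposal; does it pass?"""
    gov = Governor(total_supply=1_000_000, quorum_bps=quorum_bps, timelock_delay=2 * 24 * 3600)
    gov.propose(1)
    gov.cast_vote(1, "single_voter", weight=5_000, support=True)
    return gov.succeeded(1)


def timelock_check():
    """Returns (executed_before_eta, executed_at_eta) for a proposal that did reach quorum."""
    gov = Governor(total_supply=1_000_000, quorum_bps=400, timelock_delay=2 * 24 * 3600)
    gov.propose(7)
    gov.cast_vote(7, "large_holder", weight=50_000, support=True)
    eta = gov.queue(7, now=0)
    try:
        gov.execute(7, now=eta - 1)
        early = True
    except ValueError:
        early = False
    return early, gov.execute(7, now=eta)


if __name__ == "__main__":
    print("quorum 0.1%:", single_voter_outcome(10))   # passes with a single small voter
    print("quorum 4%:", single_voter_outcome(400))    # does not pass
    print("timelock:", timelock_check())
```

With a quorum of 0.1% of supply the lone voter's proposal succeeds, which is the pattern the report describes; at 4% it does not. The timelock is the second safeguard: even a proposal that legitimately passes cannot take effect before the delay has elapsed.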
Case 3: Ronin $625 Million Theft Incident
Background:
On March 23, the Ronin validator nodes of Sky Mavis and Axie DAO were compromised, with the attacker using the hacked private keys to forge fake withdrawals, profiting approximately $625 million. The Ronin Network did not realize it had been attacked until March 29.
Details:
Sky Mavis's Ronin chain currently consists of 9 validator nodes. To identify deposit or withdrawal events, five out of the nine validators need to sign. The attacker managed to control four Ronin validators operated by Sky Mavis and a third-party validator run by Axie DAO. Subsequently, Ronin officials stated that all evidence indicated that this attack was likely related to social engineering.
Suggestions:
- Pay attention to the security of signature servers;
- When the signature service is offline, promptly update policies, shut down the corresponding service modules, and consider deprecating the corresponding signature account addresses;
- During multi-signature verification, multi-signature services should be logically isolated and independently verify the signature content, preventing situations where some validators can directly request other validators for signatures without verification;
- Project parties should monitor abnormal fund situations in real-time.
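The third suggestion above (each multi-signature service verifies the withdrawal content on its own rather than signing on another validator's request) is the one that limits the blast radius of leaked keys. The Python model below is an added example, not Ronin or Sky Mavis code: nine validators, a 5-of-9 threshold, and a Validator that signs a withdrawal only if its own ledger view contains a matching event. HMAC-SHA256 stands in for the validators' ECDSA signatures, and the keys, ledger contents, withdrawal records and names are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

THRESHOLD = 5
VALIDATOR_COUNT = 9


@dataclass(frozen=True)
class Withdrawal:
    withdrawal_id: int
    recipient: str
    amount: int

    def digest(self):
        payload = json.dumps([self.withdrawal_id, self.recipient, self.amount]).encode()
        return hashlib.sha256(payload).digest()


def raw_sign(key, withdrawal):
    """Signature produced directly with a validator key (HMAC as a stand-in for ECDSA)."""
    return hmac.new(key, withdrawal.digest(), hashlib.sha256).hexdigest()


class Validator:
    def __init__(self, name, key, ledger, verify_before_signing=True):
        self.name = name
        self._key = key
        self.ledger = ledger   # withdrawal_id -> (recipient, amount) this node itself observed
        self.verify_before_signing = verify_before_signing

    def sign(self, withdrawal):
        # Independent verification: no matching event in this node's own view, no signature.
        expected = (withdrawal.recipient, withdrawal.amount)
        if self.verify_before_signing and self.ledger.get(withdrawal.withdrawal_id) != expected:
            return None
        return raw_sign(self._key, withdrawal)


class Bridge:
    def __init__(self, validator_keys):
        self.validator_keys = validator_keys   # name -> key (public-key stand-in)

    def count_valid(self, withdrawal, signatures):
        valid = 0
        for name, sig in signatures.items():
            key = self.validator_keys.get(name)
            if key is not None and sig is not None and hmac.compare_digest(sig, raw_sign(key, withdrawal)):
                valid += 1
        return valid

    def release(self, withdrawal, signatures):
        return self.count_valid(withdrawal, signatures) >= THRESHOLD


def build_network(verify_before_signing=True):
    keys = {f"validator-{i}": hashlib.sha256(f"constructed-key-{i}".encode()).digest()
            for i in range(VALIDATOR_COUNT)}
    observed = {1: ("0xalice", 10)}   # the only withdrawal every node has actually seen
    validators = [Validator(n, k, dict(observed), verify_before_signing) for n, k in keys.items()]
    return keys, validators, Bridge(keys)


def scenario(verify_before_signing=True):
    """Returns (legit_released, valid_sigs_on_unbacked_withdrawal, unbacked_released)."""
    keys, validators, bridge = build_network(verify_before_signing)
    legit = Withdrawal(1, "0xalice", 10)
    unbacked = Withdrawal(99, "0xunknown", 1_000_000)   # no deposit event behind it
    legit_sigs = {v.name: v.sign(legit) for v in validators}
    # Report's scenario: four validator keys are compromised and used directly,
    # and a fifth validator merely receives a signing request.
    compromised = [f"validator-{i}" for i in range(4)]
    unbacked_sigs = {n: raw_sign(keys[n], unbacked) for n in compromised}
    fifth = validators[4]
    unbacked_sigs[fifth.name] = fifth.sign(unbacked)
    return (bridge.release(legit, legit_sigs),
            bridge.count_valid(unbacked, unbacked_sigs),
            bridge.release(unbacked, unbacked_sigs))


if __name__ == "__main__":
    print("independent verification:", scenario(True))
    print("sign on request:", scenario(False))
```

With independent verification the unbacked withdrawal collects only the four signatures made directly with leaked keys and stays below the 5-of-9 threshold; if the fifth validator signs whatever it is asked to, the threshold is met. The threshold itself is unchanged in both runs, which is the point of the suggestion: the count only means something if every signer checks the content.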
7. Analysis of the Flow of Stolen Funds: Tornado.Cash May Be the Hackers' Preferred Money Laundering Method
In 80% of cases, hackers will immediately or within a few days transfer the stolen funds to Tornado.Cash for mixing.
In 10% of cases, hackers temporarily leave the stolen funds in their own addresses, waiting months to years before transferring the money out. For example, the hacker of the exchange AscendEX, which was hacked last December, only began laundering the funds in batches in February and March of this year. Currently, the Ronin attackers are still frequently laundering the stolen funds.
A small number of hackers return the stolen funds. The attacker of Cashio, after stealing $48 million, publicly stated that they would return funds to accounts worth less than $100,000, claiming, "My goal is just to take money from those who don't need it, not from those who do."
Currently, Tornado.Cash remains a commonly used money laundering route for hackers.
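The fund-flow observations in this section, together with the earlier recommendation that project parties monitor abnormal fund movements in real time, translate into a few simple detection rules. The Python monitor below is an added example and not the Chain Biying platform's logic: run over a constructed list of transfers, it flags a single transfer that moves a large share of a watched contract's balance, an outflow to a labelled mixer address, and a burst of withdrawals from one watched contract in a short window. The addresses, the mixer label, the thresholds and the sample transfers are all constructed for the example.

```python
from collections import defaultdict, deque

MIXER_LABELS = {"0xMIXER_PLACEHOLDER"}  # placeholder for a labelled mixer contract, not a real address
DRAIN_SHARE = 0.20      # one transfer moving more than 20% of a watched contract's tracked balance
BURST_COUNT = 4         # this many outgoing transfers ...
BURST_WINDOW = 300      # ... within 300 seconds from one watched contract

# Constructed sample: (timestamp, from, to, amount). Not real chain data.
SAMPLE_TRANSFERS = [
    (1_000, "0xbridge", "0xuser1", 50),
    (1_100, "0xbridge", "0xuser2", 80),
    (1_150, "0xbridge", "0xsuspect", 60_000),
    (1_200, "0xsuspect", "0xMIXER_PLACEHOLDER", 30_000),
    (1_250, "0xbridge", "0xsuspect", 20_000),
    (1_300, "0xbridge", "0xsuspect", 20_000),
]


def monitor(transfers, initial_balances, watched):
    """Replays transfers in order and returns (rule, timestamp, source, amount) alerts."""
    balances = dict(initial_balances)
    recent = defaultdict(deque)   # watched source -> timestamps of its recent outflows
    alerts = []
    for ts, src, dst, amount in transfers:
        before = balances.get(src, 0)
        if src in watched:
            # Rule 1: a single outflow that takes a large share of the tracked balance.
            if before > 0 and amount / before > DRAIN_SHARE:
                alerts.append(("drain", ts, src, amount))
            # Rule 3: many outflows from the same contract inside a sliding window;
            # fires once, when the window first fills.
            window = recent[src]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) == BURST_COUNT:
                alerts.append(("burst", ts, src, amount))
        # Rule 2: funds heading to a labelled mixer, from any address.
        if dst in MIXER_LABELS:
            alerts.append(("mixer_outflow", ts, src, amount))
        balances[src] = before - amount
        balances[dst] = balances.get(dst, 0) + amount
    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_TRANSFERS, {"0xbridge": 200_000}, {"0xbridge"}):
        print(alert)
```

On the sample data the 60,000 transfer fires the drain rule, the transfer to the mixer label fires the mixer rule, and the fourth outflow within 300 seconds fires the burst rule. In practice the thresholds would be tuned per contract, and a drain alert on a bridge or treasury contract is the one that should trigger the suspension of services the report recommends.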
8. Analysis of Project Audit Status: 30% of Unaudited Projects Account for 60% of Total Losses
Project audit status:
- 70% of the attacked projects had undergone audits by third-party security companies;
- 30% of the attacked projects were unaudited, and their losses of $720 million accounted for 60% of the total loss amount in the first quarter.
Auditing before project launch remains important. Among the unaudited projects, 50% of attack methods were contract vulnerabilities. Therefore, early audits and timely fixes of code vulnerabilities can prevent severe losses from attacks after the project goes live.
9. Conclusion of Q1 2022: Frequent Security Incidents with Significantly Increased Amounts Involved
In the first quarter of 2022, losses from attack-related security incidents in the blockchain field reached approximately $1.2 billion, higher than any quarter in 2021. Cross-chain bridge projects suffered massive thefts, and DeFi projects experienced the highest frequency of attacks; these two areas may continue to be key targets for hackers in the future.
Project parties should pay close attention to abnormal fund situations. Chengdu Chain Security's 【Chain Biying - Blockchain Security Situation Awareness Platform】 can help project parties and users identify risky transactions in a timely manner, allowing for quick measures to be taken, such as immediately suspending relevant services or notifying users to revoke authorizations, thus avoiding further losses.
Project security audits remain crucial, as approximately 50% of attack methods involve contract vulnerabilities, most of which can be detected and fixed early through security audits.