Slow Mist: 2022 Blockchain Security Review

Slowmist
2022-12-29 15:17:30
According to statistics, there were a total of 295 security incidents in 2022, with losses reaching 3.728 billion dollars. This is a decrease of about 62% compared to 9.795 billion dollars in 2021, but this does not include assets lost due to market turmoil.

Reflecting on the past year, we have seen many new scenarios, applications, and changes in the cryptocurrency space. The number of players is gradually increasing, but security issues have always plagued the industry's development. Therefore, SlowMist has compiled significant security events that occurred in the industry in 2022 and provided corresponding analysis and interpretation.

According to the SlowMist blockchain hacking incident archive (SlowMist Hacked), there were a total of 295 security incidents in 2022, with losses reaching as high as $3.728 billion. This is a decrease of about 62% compared to the $9.795 billion in 2021, but it does not include assets lost due to market turmoil.

(Figure: statistics of security incidents in 2022)

Among these, there were 245 security incidents in various ecosystems such as DeFi, cross-chain bridges, and NFTs, 10 incidents in exchanges, 11 incidents in public chains, 5 incidents in wallets, and 24 incidents of other types.

In terms of timing, the highest number of attacks occurred in May and October, reaching 38 incidents. March saw the highest amount of losses, totaling approximately $700 million.

1. Overview of Blockchain Ecosystem Security

Public Chains

Public chains are the most important infrastructure in the Web3 space and one of the most competitive tracks in the industry. The most surprising event of 2022 was undoubtedly the Terra incident. On May 8, the cryptocurrency market experienced the most destructive crash in its history. Terra's algorithmic stablecoin UST faced a massive sell-off of $285 million, triggering a chain reaction. The price of Terra's native token LUNA plummeted without warning, and in a single day LUNA's market cap lost nearly $40 billion, with the TVL of the entire ecosystem falling to almost zero. This incident may well have been the trigger for the crypto winter of 2022.

DeFi / Cross-Chain Bridges

According to data from DeFi Llama, as of the end of December, the total locked value (TVL) in DeFi was approximately $39.8 billion, a significant drop of 75% year-on-year. Ethereum dominated with a 58.5% share of the total DeFi TVL ($23.3 billion), followed by TRON with a TVL of $4.3 billion and BNB Chain (BNB) with $4.2 billion. Interestingly, in May 2022, Ethereum's share of TVL in DeFi decreased by 35%, while TRON's share increased by 47%.

According to statistics from SlowMist Hacked, there were approximately 90 security incidents on BNB Chain in 2022, with total losses amounting to about $785 million, ranking first among all chains in terms of loss amount. Ethereum had about 50 security incidents with total losses of approximately $528 million, followed by Solana with about 11 incidents and losses of approximately $196 million.

According to data from Dune Analytics, the total value locked (TVL) in Ethereum cross-chain bridges was approximately $8.39 billion, a decrease of about 31% compared to the first half of the year. The highest TVL currently belongs to the Polygon bridges ($3 billion), followed by the Arbitrum bridges ($1.28 billion) and the Optimism bridges ($850 million). Cross-chain bridges let users move crypto assets from one chain to another, primarily addressing multi-chain scalability. However, the large amount of funds held in bridge smart contracts, combined with a lack of security audits, has made them a prime target for attackers.

According to statistics from SlowMist Hacked, there were a total of 15 security incidents involving cross-chain bridges in 2022, with losses reaching $1.21 billion, accounting for 32.45% of the total losses in 2022.

In summary, project teams that want to eliminate vulnerabilities and reduce security risk as far as possible must do the work: conduct a comprehensive, in-depth security audit before the project goes live. Project teams are also advised to strengthen asset protection by introducing multi-signature mechanisms. When a project integrates with other protocols or ports code from them, the team needs to fully understand both the architecture of the ported protocol and their own project's design, and verify that the two are compatible, to prevent asset loss. For users, as scam methods in the blockchain space become increasingly varied, it is essential to research a project's background before investing, check whether the project is open-source and has been audited, and stay alert to project risk while participating.

NFT

NFTs performed exceptionally well in 2022. According to data from NFTScan, the total number of NFT transactions on Ethereum reached 198 million throughout the year, significantly higher than in 2020 and 2021. On BNB Chain, the total number of NFT transactions reached 345 million, while on Polygon, it reached 793 million.

On the other hand, according to incomplete statistics from SlowMist Hacked, there were approximately 56 security incidents in the NFT sector in 2022, with losses exceeding $65.43 million, most of which were due to phishing attacks, accounting for about 40% (22 incidents), followed by Rug Pulls, accounting for about 21% (12 incidents).

Wallets / Trading Platforms

On February 8, the U.S. Department of Justice (DOJ) announced that it had seized $3.6 billion worth of Bitcoin related to the 2016 hacking incident of the cryptocurrency exchange Bitfinex. 34-year-old Ilya Lichtenstein and his 31-year-old wife Heather Morgan were arrested in New York and charged with conspiracy to commit money laundering and fraud. This is also the largest financial seizure in the history of the U.S. Department of Justice.

On November 6, Binance founder CZ tweeted that he decided to liquidate all remaining FTT on the books, which triggered a standoff between the two exchanges. Despite Alameda CEO and FTX CEO SBF trying to stabilize user confidence and refute previously exposed news through tweets, FTX quickly went bankrupt after liquidity dried up. Ultimately, FTX collapsed, and SBF was arrested. The lack of transparency in centralized exchanges once again triggered a crisis of trust, highlighting the issues of inadequate regulatory oversight. Whether it is stricter consumer protection or clearer rules for institutions, the footsteps of regulation will become increasingly clear.

After the FTX collapse, sales of hardware wallets surged, with the most popular wallet, MetaMask, reaching 30 million monthly active users. According to data from Finbold, based on the top 21 cryptocurrency storage app rankings, the download volume of crypto wallets on Android and iOS devices reached approximately 102.06 million from January 2022 to October 2022. Although this number is lower than the 177.85 million downloads during the bull market in 2021, it is higher than any other year except for 2021. Monthly breakdown data shows that the download volume of crypto wallets initially showed a downward trend, but there was a significant increase after the Terra/Luna crash and the FTX collapse.

Others

The irreversible and anonymous characteristics of blockchain technology effectively protect privacy while also providing a "shelter" for cybercrime. With concepts like the metaverse and NFTs gaining popularity, incidents of cryptocurrency theft and fraud occur frequently, with many criminals issuing so-called virtual assets under the banner of blockchain to commit fraud. The sophistication and professionalism of the black and gray industries have far exceeded expectations.

According to data from the Payment and Settlement Department of the People's Bank of China, in 2021 cryptocurrency ranked second after bank transfers as a payment method for fraudulent funds, reaching as high as $750 million; in 2020 and 2019 the figures were only $130 million and $30 million, showing a significant year-on-year upward trend. Notably, cryptocurrency transfers have rapidly increased in "pig-butchering" scams. In 2021, $139 million of funds from "pig-butchering" scams were paid in cryptocurrency, five times the 2020 figure and 25 times that of 2019.

According to a report released by the Federal Trade Commission (FTC), over 46,000 people reported falling victim to cryptocurrency scams, with total losses exceeding $1 billion since the beginning of 2021. According to the report, the most common type of cryptocurrency scam is investment-related fraud, which accounts for $575 million of the total $1 billion, with the cryptocurrencies most commonly paid to scammers being BTC (70%), USDT (10%), and ETH (9%).

2. Attack Methods

Among the 295 security incidents, the attack methods can be mainly divided into three categories: attacks caused by design flaws and various contract vulnerabilities of the projects themselves; methods including Rug Pulls, phishing, and scams; and asset losses caused by private key leaks.

The most common attack method in 2022 was the exploitation of design flaws and contract vulnerabilities in the projects themselves, with about 92 incidents causing losses of $1.06 billion, accounting for 40.5% of the total. Among these, the main attacks were those utilizing flash loans, with about 19 incidents causing losses of $6.133 million; others included reentrancy issues, price manipulation, verification issues, and so on.

The incidence of asset losses due to stolen private keys was about 6%, but the loss amount reached $746 million, second only to contract vulnerability exploitation. The largest loss from incidents involving stolen private keys came from the Ronin incident, followed by Harmony, both of which were from cross-chain bridges.

In the Web3 world, users' security awareness varies widely, which gives rise to frequent and varied phishing attacks targeting users. For example, attackers take over projects' official media channels (such as Discord or Twitter) by malicious means, or forge official accounts, and then publish phishing Mint and AirDrop links, occasionally retweeting content from the genuine official accounts to confuse users. They may also buy search-engine advertisements to promote fake websites whose domains and content closely resemble the official ones; send fake emails and enticing giveaway offers to lure users in; or offer fake app download links to new users who do not yet know where the genuine ones are. Whatever the method, raising security awareness is the most necessary step. Once users realize they have been scammed, they should immediately move their remaining assets to minimize losses, preserve evidence, and seek help from industry security firms if necessary.

Secondly, the most detestable method is the Rug Pull. Rug Pull typically refers to project developers abandoning the project and running away with the funds, often involving active wrongdoing by the project team. It can occur in various ways: for example, when developers initiate initial liquidity, inflate prices, and then withdraw liquidity. The project team first creates a crypto project, attracts crypto users to invest through various marketing means, and at the right moment, without warning, absconds with the invested funds, selling off crypto assets and ultimately disappearing, leaving users who invested in the project with significant losses. Another example is launching a website but closing it after attracting hundreds of thousands in deposits. In 2022, there were 50 Rug Pull incidents, resulting in losses of approximately $188 million, commonly occurring in the BSC ecosystem and NFT sector.

Other newer attack methods in 2022 included front-end malicious attacks, DNS attacks, and BGP hijacking; the most bizarre were asset losses caused by human configuration errors.

3. Phishing / Scam Methods

This section only selects some phishing/scam methods previously disclosed by SlowMist.

Browser Malicious Bookmark Theft of Discord Token

Modern browsers come with built-in bookmark managers which, while convenient, can also be exploited by attackers. With a carefully constructed phishing page, an attacker can get a piece of JavaScript code saved into your bookmarks. With that, they can do almost anything, including pulling information out of Discord's webpackChunkdiscord_app front-end bundle. When a logged-in Discord user clicks the bookmark, the malicious JavaScript executes within the user's Discord domain and steals the Discord Token. Once attackers obtain a project's Discord Token, they can directly automate the takeover of the project's Discord account permissions. Below is a demonstration of a victim clicking the phishing bookmark:

(Screenshot: a victim clicking the phishing bookmark)

The following shows the JavaScript code written by the attacker to obtain the Token and other personal information, which are then delivered to the attacker through a Discord server webhook.

(Screenshot: the attacker's token-stealing JavaScript)

As can be seen, assuming the victim added the malicious bookmark under the guidance of the phishing page while logged into Discord Web, clicking that bookmark would trigger the malicious code, and the victim's Token and personal information would be sent to the attacker's channel via the Discord webhook.
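The bookmark attack above is detectable on the defender's side, because a bookmark that carries code always has a `javascript:` URL. The following script, an added example that is not SlowMist's code, walks a Chrome-style Bookmarks JSON export and flags bookmarklets that reference the Discord front-end bundle, a Discord webhook URL, a token or browser-storage read, or a network call. The roots/folders/children layout is assumed to follow Chrome's on-disk Bookmarks file; the bookmark entries in the sample are constructed, and the "malicious" one is an inert placeholder whose body is only a comment.

```javascript
// Added example (not SlowMist's code): scan a Chrome-style Bookmarks JSON export
// for "javascript:" bookmarklets with the traits of the Discord token-stealing
// bookmark described in the article. The roots/children layout follows Chrome's
// Bookmarks file as assumed here; the bookmark entries in SAMPLE are constructed.

const SUSPICIOUS_PATTERNS = [
  { name: 'discord-bundle-access', re: /webpackChunkdiscord_app/i },
  { name: 'discord-webhook',       re: /discord(?:app)?\.com\/api\/webhooks\//i },
  { name: 'token-reference',       re: /\btoken\b/i },
  { name: 'storage-read',          re: /localStorage|sessionStorage|document\.cookie/i },
  { name: 'network-call',          re: /\bfetch\s*\(|XMLHttpRequest|navigator\.sendBeacon|new\s+Image\s*\(/i },
];
const HIGH = new Set(['discord-bundle-access', 'discord-webhook']);

// Depth-first walk over a bookmark tree, yielding every url-type entry with its folder path.
function* walkBookmarks(node, path = []) {
  if (!node) return;
  if (node.type === 'url') {
    yield { name: node.name, url: node.url, path: path.join('/') };
    return;
  }
  for (const child of node.children || []) {
    yield* walkBookmarks(child, node.name ? [...path, node.name] : path);
  }
}

// Bookmarklets are often stored URL-encoded; decode before matching.
function decodeBookmarkUrl(url) {
  try { return decodeURIComponent(url); } catch (e) { return url; }
}

// Returns null for ordinary bookmarks and a finding for every javascript: bookmark,
// so that even a bookmarklet with no suspicious trait still gets reviewed.
function analyzeBookmark(bm) {
  const url = decodeBookmarkUrl(String(bm.url || '')).trim();
  if (!/^javascript:/i.test(url)) return null;
  const hits = SUSPICIOUS_PATTERNS.filter(p => p.re.test(url)).map(p => p.name);
  const severity = hits.some(h => HIGH.has(h)) ? 'high' : hits.length ? 'medium' : 'low';
  return { name: bm.name, path: bm.path, severity, hits };
}

function scanBookmarks(bookmarksJson) {
  const findings = [];
  for (const root of Object.values(bookmarksJson.roots || {})) {
    for (const bm of walkBookmarks(root)) {
      const finding = analyzeBookmark(bm);
      if (finding) findings.push(finding);
    }
  }
  return findings;
}

// Constructed sample in Chrome's Bookmarks layout. The "Verify wallet" entry is an
// inert stand-in for the phishing bookmark: its body is only a comment naming the traits.
const SAMPLE = {
  roots: {
    bookmark_bar: {
      type: 'folder', name: 'Bookmarks bar',
      children: [
        { type: 'url', name: 'Docs', url: 'https://docs.example.com/' },
        { type: 'url', name: 'Verify wallet',
          url: 'javascript:(()=>{/* redacted: reads webpackChunkdiscord_app, posts the token to https://discord.com/api/webhooks/<id>/<secret> via fetch() */})()' },
        { type: 'folder', name: 'Tools', children: [
          { type: 'url', name: 'Scroll top', url: 'javascript:void(window.scrollTo(0,0))' },
        ] },
      ],
    },
    other: { type: 'folder', name: 'Other bookmarks', children: [] },
  },
};

console.log(JSON.stringify(scanBookmarks(SAMPLE), null, 2));
```

Run it against a real export by replacing `SAMPLE` with the parsed contents of the browser's Bookmarks file; every `javascript:` entry is reported, with the Discord bundle and webhook traits escalated to high severity because a legitimate bookmarklet has no reason to touch either.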

"Zero-Cost Purchase" NFT Phishing

For example, on the phishing website shown below, the signature content is:

  • Maker: the user's address

  • Taker: 0xde6135b63decc47d5a5d47834a7dd241fe61945a

  • Exchange: 0x7f268357A8c2552623316e2562D90e642bB538E5 (OpenSea V2 contract address)

(Screenshot: the phishing site's signature request)

This is a common NFT phishing method in which the scammer can purchase every NFT you have authorized for 0 ETH (or 0 of any token). In other words, the user is tricked into signing an NFT sale order. The NFTs remain in the user's wallet, but once the user signs this order, the scammer can purchase them directly through OpenSea at a price of the scammer's choosing, meaning the scammer can "buy" the user's NFTs without spending any funds.

Additionally, the signature itself is held by the attacker and cannot be invalidated by revoking token approvals through sites like Revoke.Cash or Etherscan; what you can do is cancel your earlier listing (the order you authorized), which invalidates the signed order and removes this phishing risk at its root.

Redline Stealer Trojan Theft

This attack primarily involves inviting users to participate in new game project beta tests via Discord, under the guise of offering "discounts," or sending a program for you to download through private messages in the group, usually sending a compressed package that unzips to an exe file of about 800 MB. Once you run it on your computer, it will scan your files and upload those containing keywords like Wallet to the attacker's server, achieving the goal of stealing cryptocurrency.

RedLine Stealer is a type of malicious trojan software discovered in March 2020, sold separately on underground forums. This malware collects saved credentials, autocomplete data, and credit card information from browsers. When running on the target machine, it gathers detailed information such as usernames, location data, hardware configuration, and installed security software. The new version of RedLine has added the ability to steal cryptocurrencies, automatically scanning local computers for installed digital wallet information and uploading it to a remote control machine. This malware can upload and download files, execute commands, and periodically send back information about the infected computer. It often targets cryptocurrency wallet directories and wallet files:

(Screenshot: wallet directories and wallet files targeted by RedLine)

Blank Check eth_sign Phishing

After connecting the wallet and clicking Claim, a signature request pops up, and MetaMask displays a red warning. It is impossible to tell from this pop-up alone what content you are being asked to sign. In fact, this is a very dangerous type of signature, essentially a "blank check" for Ethereum: through this phishing method, scammers can have your private key sign any transaction.

The eth_sign method signs an arbitrary hash, so it can naturally sign any bytes32 data the attacker prepares. Therefore, once we connect to the DApp, the attacker only needs our address to analyze and query our account, and can then construct arbitrary data (for example native token transfers or contract calls) for us to sign via eth_sign.


Additionally, there is another phishing method: after you reject the sign request above, another signature box automatically appears in your MetaMask, tricking you into signing while you are not paying attention. Looking at the signature content, it calls the setApprovalForAll method, and the Approved asset field shows "All of your NFTs", meaning that once you sign, the scammer can freely steal all of your NFTs.


This phishing method can be very confusing for users. In the past, we encountered authorization-related phishing that would visually display the data the attacker wanted us to sign in MetaMask. However, when attackers use the eth_sign method to get users to sign, MetaMask only displays a string of bytes32 hashes.
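The zero-price order, the eth_sign blank check and the setApprovalForAll request described in the last two sections share one defense: inspect what the wallet is being asked to sign before approving. The inspector below is an added example (not SlowMist's code and not any wallet's built-in logic) that classifies wallet JSON-RPC requests for these three patterns. The order fields it checks (maker, taker, exchange, basePrice) are a simplified Wyvern-style layout assumed for illustration, not OpenSea's exact typed-data schema; the OpenSea V2 address and the taker address come from the article, and every request in the sample is constructed.

```javascript
// Added example (not SlowMist's or any wallet's code): inspect wallet JSON-RPC
// signing requests for the three phishing patterns described in the article.
// The order layout (maker/taker/exchange/basePrice) is a simplified Wyvern-style
// order assumed for illustration; all sample requests below are constructed.

const OPENSEA_V2_EXCHANGE = '0x7f268357a8c2552623316e2562d90e642bb538e5'; // address quoted in the article
const SET_APPROVAL_FOR_ALL = '0xa22cb465'; // first 4 bytes of keccak256("setApprovalForAll(address,bool)")
const ZERO_ADDRESS = '0x' + '0'.repeat(40);

const norm = a => String(a || '').toLowerCase();
const isHash32 = s => /^0x[0-9a-f]{64}$/i.test(String(s || ''));

// EIP-712 sale order: flag a free sale, a pre-assigned taker and a known exchange.
function inspectTypedOrder(typedData, signer) {
  const msg = typedData.message || {};
  const findings = [];
  if (!('basePrice' in msg)) return findings; // not an order shape we understand
  if (BigInt(msg.basePrice) === 0n) {
    findings.push({ severity: 'high', reason: 'sale order priced at 0: the taker receives the asset for free' });
  }
  const taker = norm(msg.taker);
  if (taker && taker !== ZERO_ADDRESS && taker !== norm(signer)) {
    findings.push({ severity: 'medium', reason: `order is reserved for taker ${taker}` });
  }
  if (norm(msg.exchange) === OPENSEA_V2_EXCHANGE) {
    findings.push({ severity: 'info', reason: 'order targets the OpenSea V2 exchange contract and can be filled there once signed' });
  }
  return findings;
}

// setApprovalForAll(address operator, bool approved): 4-byte selector + two 32-byte words.
function decodeSetApprovalForAll(data) {
  const d = norm(data);
  if (!d.startsWith(SET_APPROVAL_FOR_ALL) || d.length < 138) return null;
  return { operator: '0x' + d.slice(34, 74), approved: d.slice(74, 138).endsWith('1') };
}

function inspectRequest(req) {
  const params = req.params || [];
  switch (req.method) {
    case 'eth_sign':
      return [{ severity: 'high', reason: 'eth_sign signs an arbitrary 32-byte hash: a blank check that may be a transaction or an order' }];
    case 'personal_sign':
      return isHash32(params[0])
        ? [{ severity: 'medium', reason: 'personal_sign over a bare 32-byte hash: the content cannot be reviewed' }]
        : [];
    case 'eth_signTypedData_v4': {
      const [signer, payload] = params;
      const typed = typeof payload === 'string' ? JSON.parse(payload) : payload;
      return inspectTypedOrder(typed, signer);
    }
    case 'eth_sendTransaction': {
      const call = decodeSetApprovalForAll((params[0] || {}).data);
      return call && call.approved
        ? [{ severity: 'high', reason: `setApprovalForAll grants operator ${call.operator} control of every NFT in ${params[0].to}` }]
        : [];
    }
    default:
      return [];
  }
}

const RANK = { info: 1, medium: 2, high: 3 };
function highestSeverity(findings) {
  return findings.reduce((best, f) => (RANK[f.severity] > (RANK[best] || 0) ? f.severity : best), 'none');
}

// Constructed sample requests
const USER = '0x' + 'a'.repeat(40);
const ZERO_PRICE_ORDER = {
  method: 'eth_signTypedData_v4',
  params: [USER, JSON.stringify({
    primaryType: 'Order',
    message: { maker: USER, taker: '0xde6135b63decc47d5a5d47834a7dd241fe61945a', exchange: OPENSEA_V2_EXCHANGE, basePrice: '0' },
  })],
};
const APPROVE_ALL_TX = {
  method: 'eth_sendTransaction',
  params: [{ from: USER, to: '0x' + 'c'.repeat(40),
             data: SET_APPROVAL_FOR_ALL + '0'.repeat(24) + '1'.repeat(40) + '0'.repeat(63) + '1' }],
};
const BLANK_CHECK = { method: 'eth_sign', params: [USER, '0x' + 'ab'.repeat(32)] };

for (const req of [ZERO_PRICE_ORDER, APPROVE_ALL_TX, BLANK_CHECK]) {
  const findings = inspectRequest(req);
  console.log(req.method, highestSeverity(findings), findings.map(f => f.reason));
}
```

The three sample requests each come back as high severity, which is the point: a plain `eth_sign`, a typed order whose `basePrice` is zero, and a transaction whose calldata begins with the `setApprovalForAll` selector and ends with `true` are all worth refusing unless you initiated them yourself.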

Same Ending + TransferFrom Zero Transfer Scam

Users' address transfer records continuously show unfamiliar addresses transferring 0 USDT, and these transactions are all completed by calling the transferFrom function. The main reason is that the token contract's transferFrom function does not require the transfer amount to be greater than 0, so a caller with no allowance can transfer 0 from any user's account without the call failing. Malicious attackers exploit this to continuously call transferFrom against active on-chain users in order to generate transfer events.


In addition to the 0 USDT transfer harassment, attackers continuously airdrop small amounts of tokens (e.g., 0.01 USDT or 0.001 USDT) to users who frequently make large transactions. The attacker's address is usually made to end with the same few characters as the user's address. When users copy an address from their transfer history, they may pick the wrong one, leading to asset loss.

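To make the two patterns in this section concrete, here is an added example (not SlowMist's code) that classifies a user's transfer history for zero-value transferFrom calls, dust airdrops and look-alike counterparties, and that resolves a recipient only by exact match against an address book rather than by the last few characters. The record format, addresses and amounts are constructed; USDT amounts are in 6-decimal base units.

```javascript
// Added example (not SlowMist's code): classify token transfer records for the
// zero-value transferFrom and look-alike address patterns described in the article,
// and resolve a recipient only by exact match against an address book.
// Record format, addresses and amounts are constructed; USDT is in 6-decimal base units.

const ONE_USDT = 1_000_000n;   // 1 USDT in base units
const DUST_LIMIT = ONE_USDT;   // anything below this is treated as a dust airdrop

const norm = a => String(a || '').toLowerCase();

// "Look-alike": same first 4 and last 4 hex characters as a trusted address, but not that address.
function findLookalike(addr, addressBook) {
  const a = norm(addr);
  for (const entry of addressBook) {
    const t = norm(entry.address);
    if (t !== a && t.slice(2, 6) === a.slice(2, 6) && t.slice(-4) === a.slice(-4)) return entry;
  }
  return null;
}

// Tags a single transfer record seen from the user's (`me`) point of view.
function classifyTransfer(rec, me, addressBook) {
  const self = norm(me);
  const counterparty = norm(rec.from) === self ? rec.to : rec.from;
  const known = addressBook.some(e => norm(e.address) === norm(counterparty));
  const value = BigInt(rec.value);
  const tags = [];
  // An outgoing 0-value transferFrom that we never initiated: the harassment pattern.
  if (!known && rec.method === 'transferFrom' && value === 0n) tags.push('zero-value-transferFrom');
  // A tiny incoming amount from a stranger: the dust pattern.
  if (!known && norm(rec.to) === self && value > 0n && value < DUST_LIMIT) tags.push('dust-airdrop');
  // Either pattern is dangerous mainly when the stranger's address mimics a trusted one.
  const twin = findLookalike(counterparty, addressBook);
  if (!known && twin) tags.push(`lookalike-of:${twin.label}`);
  return tags;
}

// Only ever send to an address that matches the address book exactly; never trust a suffix.
function pickRecipient(input, addressBook) {
  const hit = addressBook.find(e => norm(e.address) === norm(input));
  if (hit) return { ok: true, address: hit.address, label: hit.label };
  const twin = findLookalike(input, addressBook);
  return { ok: false, address: null, resembles: twin ? twin.label : null };
}

// Constructed sample data
const ME = '0x' + 'a'.repeat(40);
const ADDRESS_BOOK = [
  { label: 'exchange-deposit', address: '0x1234567890abcdef1234567890abcdef12345678' },
];
const POISON = '0x1234' + '0'.repeat(32) + '5678'; // same head and tail as the book entry
const RECORDS = [
  { hash: 'tx1', from: ME, to: ADDRESS_BOOK[0].address, method: 'transfer', value: '1000000000000' }, // 1,000,000 USDT out
  { hash: 'tx2', from: ME, to: POISON, method: 'transferFrom', value: '0' },                         // 0 USDT "sent" by attacker
  { hash: 'tx3', from: POISON, to: ME, method: 'transfer', value: '10000' },                         // 0.01 USDT dust in
  { hash: 'tx4', from: '0x' + 'b'.repeat(40), to: ME, method: 'transfer', value: '500000000' },      // 500 USDT from a stranger
];

function report() {
  return RECORDS.map(r => ({ hash: r.hash, tags: classifyTransfer(r, ME, ADDRESS_BOOK) }));
}

console.log(report());
console.log(pickRecipient(POISON, ADDRESS_BOOK));
```

In the sample, `tx2` and `tx3` are both tagged as look-alikes of the exchange deposit address, and `pickRecipient(POISON, ...)` refuses the poisoned address while naming the entry it imitates; the practical rule is to paste recipients from an address book or a verified source, never from the transaction list.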

The above examples illustrate some common attack methods and scenarios. In reality, hackers' attack methods are constantly evolving. What we can do is continuously enhance our knowledge.

For individual users, adhering to the following security rules and principles can help avoid most risks:

Two Major Security Rules:

  • Zero Trust. Simply put, be skeptical, and stay skeptical.

  • Continuous Verification. If you believe something, you must have the ability to verify your points of suspicion and make this ability a habit.

Security Principles:

  • For knowledge on the internet, always reference information from at least two sources to corroborate each other, maintaining skepticism.

  • Practice isolation, meaning do not put all your eggs in one basket.

  • For wallets holding important assets, do not upgrade casually; if what you have is sufficient, keep using it.

  • What you see is what you sign. The content you see should be what you expect to sign, and once you sign and send it, the result should be what you expected, not something you regret later.

  • Pay attention to system security updates and act immediately when there are security updates.

  • Do not download programs recklessly.
