GoPlus 2022 Annual Review: Five Major Security Risks Impacting the Cryptocurrency Industry
Author: GoPlus Community
As 2022 comes to a close, we have witnessed the global macro political and economic landscape fall into a trough, and the cryptocurrency industry continues to experience a bear market due to the collapse of the bubble. Additionally, security risks related to scams, phishing, and hacking incidents have been rampant, exacerbating an already bleak market situation.
As 2022 draws to a close, GoPlus has reviewed the main risk areas in Tokens, NFTs, and other blockchain sectors. By summarizing the lessons learned, we hope to give everyone fair warning and help them better withstand risk in 2023.
1. Token Risks
1. Major Risks
According to the latest data from GoPlus Token detection, more than 1 million of the over 2 million Tokens that GoPlus has examined carry risks. The main, very serious risks include the following:
2. Pixiu Tokens
(1) Significant Increase in the Total Number of Pixiu Tokens
The latest data from GoPlus Token detection shows that the total number of Pixiu tokens in the crypto market has risen significantly to 101,267. Of these, 64,661 were added in 2022, an increase of 83.39% compared to the same period in 2021.
(2) Popular Public Chains are the Main Sources of Pixiu Tokens
Among all Pixiu tokens, 92.8% come from the BNB Chain and 6.6% come from Ethereum; these two public chains are among the most active and have the highest number of tokens. Below is the distribution of Pixiu tokens across major public chains:
(3) Numerous New Development Trends for Pixiu Tokens
Influenced by the FTX incident at the end of the year, a large number of users transferred digital assets from centralized exchanges to decentralized wallets, leading to a surge in on-chain active users and increased activity from attackers. GoPlus data shows that within just one week of the FTX incident, over 120 new Pixiu attack methods emerged, with attack frequency increasing sixfold.
GoPlus Security's analysis of the new attack methods used by Pixiu (honeypot) tokens indicates that, as the contest between attack and defense around asset issuance contracts intensifies, attack methods are becoming increasingly complex and dynamic. Below we outline several common attack methods:
1. Obfuscating Code
Attackers reduce code readability, add invalid logic or confusing call relationships, and implement complex logic, all of which make analysis by security engines more difficult.
2. Faking Well-Known Contracts
These attack contracts impersonate the contracts of well-known projects, for example by copying their contract names and implementation flows, which misleads detection engines and increases the probability that risk detection returns a wrong result.
3. Using More Concealed Trigger Methods
These attack contracts bury their trigger conditions deeply, for example by hiding them within user transaction behaviors and processing those behaviors in a more complex manner (such as interrupting transactions, issuing tokens, or making transfers only after multiple nested conditional checks). This allows the contract state to be modified in real time and user assets to be stolen.
4. Faking Transaction Data
To make transactions appear more legitimate, attackers may randomly trigger behaviors like airdrops or wash trading, which can both entice more users and make transaction behaviors seem more natural.
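Method 3 above is why a single buy-then-sell simulation can miss a Pixiu token. The following is an added example, not GoPlus's detection code: it repeats the round trip on fresh copies of a token after different amounts of simulated third-party trading and compares the outcomes. ToyToken, its arm_after trigger, and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ToyToken:
    """Constructed in-memory stand-in for a token contract (not real code)."""
    owner: str = "0xowner"
    pair: str = "0xpool"                      # liquidity pool address
    balances: dict = field(default_factory=lambda: {"0xpool": 10**6})
    trades_seen: int = 0                      # state changed by ordinary trades
    arm_after: Optional[int] = None           # buried trigger; None = benign

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise RuntimeError("insufficient balance")
        armed = self.arm_after is not None and self.trades_seen >= self.arm_after
        if recipient == self.pair and sender != self.owner and armed:
            raise RuntimeError("transfer reverted")   # sell path interrupted
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        self.trades_seen += 1

def round_trip(token, probe="0xprobe", amount=100):
    """Buy from the pool, then try to sell back. True if the sell succeeds."""
    token.transfer(token.pair, probe, amount)
    try:
        token.transfer(probe, token.pair, amount)
        return True
    except RuntimeError:
        return False

def probe_token(make_token, warmups=(0, 1, 5, 20)):
    """Run the round trip on fresh copies after N simulated third-party buys."""
    results = {}
    for n in warmups:
        token = make_token()
        for i in range(n):
            token.transfer(token.pair, f"0xuser{i}", 1)
        results[n] = round_trip(token)
    return results

def verdict(results):
    if all(results.values()):
        return "sellable in every probed state"
    return "state-dependent sell block" if any(results.values()) else "never sellable"

if __name__ == "__main__":
    for name, arm in (("benign", None), ("concealed", 3)):
        print(name, verdict(probe_token(lambda: ToyToken(arm_after=arm))))
```

A probe that only checks the freshly deployed state (warmup 0) reports the concealed token as sellable; the disagreement between warmups is the signal.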
2. NFT Risks
NFT Contracts Become New Risk Concentration Areas
In addition to Tokens, NFTs also face various security risks. According to GoPlus NFT detection data, many NFTs have security vulnerabilities at the contract level. As of December 30, the main types of NFT contract vulnerabilities are as follows:
3. Malicious Address Risks
In 2022, various phishing and scam incidents have emerged, and the number of related malicious addresses has significantly increased.
According to GoPlus statistics on malicious addresses in EVM public chains, addresses tied to dark web transactions, phishing scams, mixing services, and Pixiu tokens account for the main malicious behaviors.
4. Authorization Contract Risks
Authorization contract scams are currently rampant: many fraudulent project parties use authorization contracts to obtain control over user assets and then defraud users of those assets.
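A wallet-side check for the authorization risk described above, as an added example that is not GoPlus code. It assumes the authorizations in question are the standard EVM approval calls (approve, setApprovalForAll, and the OpenZeppelin increaseAllowance extension), which the page does not name; the sample calldata and the trusted-spender list are constructed.

```python
MAX_UINT256 = 2**256 - 1
# 4-byte selectors of common approval functions.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",            # ERC-20 (ERC-721: tokenId)
    "39509351": "increaseAllowance(address,uint256)",  # OpenZeppelin extension
    "a22cb465": "setApprovalForAll(address,bool)",     # ERC-721 / ERC-1155
}

def decode_approval(calldata_hex):
    """Return function, spender and value if the calldata is an approval call."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    name = SELECTORS.get(data[:4].hex())
    if name is None or len(data) < 4 + 64:
        return None                       # not an approval, or truncated arguments
    return {
        "function": name,
        "spender": "0x" + data[16:36].hex(),          # low 20 bytes of argument 1
        "value": int.from_bytes(data[36:68], "big"),  # amount, or bool flag
    }

def review(calldata_hex, trusted_spenders=()):
    """List the reasons to pause before signing this call (empty list = none)."""
    call = decode_approval(calldata_hex)
    if call is None:
        return []
    trusted = {s.lower() for s in trusted_spenders}
    findings = []
    if call["function"].startswith("setApprovalForAll"):
        if call["value"]:
            findings.append("grants operator rights over the whole collection")
    elif call["value"] == MAX_UINT256:
        findings.append("unlimited allowance")
    if call["value"] and call["spender"] not in trusted:
        findings.append("spender not on the trusted list: " + call["spender"])
    return findings

# Constructed sample: approve(0x1111...1111, 2**256 - 1)
SAMPLE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32

if __name__ == "__main__":
    print(review(SAMPLE))
```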
Common Risks of Authorization Contracts
5. dApp Risks
dApp risks are a vast and very complex topic involving many types of risk. Here we focus on whether the main contracts of dApps exhibit malicious behavior and on the current audit status of dApps.
According to GoPlus dApp security information, GoPlus currently covers over 6,000 major dApps in the market. Of these 6,000+ dApps, only 925 (about 15.3%) have publicly available audit reports, 949 (about 15.7%) have main contracts that are not open-sourced, and 67 (about 1.1%) have main contracts or contract creators that exhibit malicious behavior.
From the above, we can see that the proportion of dApps that have undergone actual audits is quite low, and security in the dApp field remains a significant challenge.
Conclusion
As 2022 comes to an end, we look forward to a brighter 2023. However, the security risks in the blockchain world will not automatically disappear with the passage of time; instead, they will continue to emerge in increasingly difficult-to-detect and more covert forms.
In the face of these ever-evolving security risks, we believe that crypto security is a topic that requires ongoing attention. Continuity means that security protection is not a one-time effort but requires continuous maintenance and upgrading of response plans. For GoPlus, this means enhancing the sensitivity of our API security detection, expanding the coverage of detection and the attack surface it addresses, and continuously iterating detection methods and defense strategies in response to changes in hacker attack methods.
In 2023, users, institutions, and security service providers in the blockchain world should work together to strive for a secure future for Web3.
We hope that in the new year, everyone can explore the blockchain world with greater safety and peace of mind.