OKLink 2023 Annual Security Incident Review

Author: OKLink

I. Overview

The blockchain ecosystem has experienced over 52 publicly disclosed security incidents, resulting in losses exceeding $1.7 billion. This marks a decrease of approximately 54% compared to the $3.728 billion lost in 2022, thanks to the gradual improvement of the global regulatory framework and continuous breakthroughs in on-chain security technologies represented by OKLink Onchain AML.

II. Ecosystem

Among these, there were 485 security incidents involving various ecosystem DApps, DeFi, NFTs, 8 incidents related to exchanges, 10 incidents concerning public chains, 9 incidents involving wallets, and 14 incidents of other types.

III. Key Security Incident Review

(1) Public Chains

On March 9, 2023, attackers targeted the smart contract service code of the Hedera mainnet, stealing assets worth at least $570,000. All Hedera DApps using Hedera Token Service (HTS), such as LP tokens or wrapped tokens, were affected.

On May 16, 2023, Zellic disclosed how it discovered and fixed a critical security vulnerability affecting all Move L1 chains, including Aptos, Sui, Starcoin, and 0L. This vulnerability violated the core security properties of Move and could put billions of dollars at risk.

(2) Exchanges

On November 10, 2023, the cryptocurrency exchange Poloniex was hacked, resulting in the theft of approximately $125 million in assets, including $56 million in Ethereum, $48 million in TRX tokens, and $18 million in Bitcoin. The attack was suspected to be due to a private key leak.

(3) Wallets

On June 3, 2023, the non-custodial decentralized cryptocurrency wallet Atomic, which has over 5 million users, suffered a hack, resulting in losses exceeding $100 million.

(4) Other Key Events

On September 6, 2023, a whale user fell victim to a phishing attack, losing cryptocurrency worth $24.24 million, including approximately 4,851 rETH and 9,579.2 rETH.

On September 23, 2023, the decentralized cross-chain transfer protocol Mixin Network was hacked. The attackers exploited a vulnerability in Mixin Network's cloud service provider, stealing $200 million worth of cryptocurrency.

IV. Security Incident Review by Ecosystem

(1) ETH Ecosystem

On March 14, 2023, the non-custodial permissionless lending protocol Euler Finance on Ethereum was hacked, with attackers profiting approximately $197 million.

(2) BSC Ecosystem

On March 28, 2023, the DeFi protocol SafeMoon in the BNB Chain ecosystem was hacked, resulting in a loss of approximately $8.9 million from its liquidity pool.

(3) NFTs

On December 16, 2023, NFT Trader suffered a series of attacks, with stolen NFTs including 37 BAYC and 13 MAYC, resulting in user asset losses of approximately $3 million.

(4) Others

On April 3, 2023, a rogue Ethereum validator stole over $25 million in cryptocurrency from multiple Ethereum MEV bots engaged in sandwich trading.

On May 21, 2023, Zhao Jun, the CEO of the cross-chain bridge protocol Multichain, was taken away by the police at his home, losing contact with his team. Starting from July 6, 2023, Multichain experienced unusually large unauthorized withdrawals, with stolen assets valued at over $230 million.

On July 30, 2023, due to serious vulnerabilities found in certain versions of Vyper, projects such as Curve and JPEG'd were successively attacked, with total losses exceeding $73 million. Hackers and white hats ultimately returned approximately $52 million in assets.

V. Official Social Media Security Incidents

A total of 519 incidents of scams and phishing were reported, concentrated on platforms such as Twitter and Discord, with 173 and 292 incidents respectively.

e.g. On September 10, 2023, the Twitter account of Ethereum founder Vitalik was hacked. The hacker, who took control of Vitalik's Twitter account, posted a malicious phishing link and stole over $691,000 in assets, 73% of which came from non-fungible tokens.

VI. OKLink Security Experts' Views

Compared to last year's significant decrease in financial losses, this can be attributed to the gradual improvement of the global regulatory framework, exemplified by Hong Kong, Singapore, and the European Union, as well as continuous breakthroughs in on-chain security technologies represented by OKLink Onchain AML.

To minimize potential risks and losses, we recommend implementing stricter and more comprehensive security measures to enhance the resilience of systems and individuals against attacks.

Project teams should strengthen security checks on their platforms, conducting comprehensive risk assessments to identify and fix potential security vulnerabilities in a timely manner to reduce the occurrence of unknown attacks.

Users and project teams must enhance the protection of private keys and passwords to avoid economic losses due to accidental leaks. Employing multi-factor authentication, hardware wallets, and other security measures can effectively improve asset security.

When purchasing cryptocurrencies, users should carefully review the security of tokens, especially for those that prevent events like Rug Pulls, and make more cautious investment decisions. Additionally, users should enhance their security awareness on social media, particularly on high-risk platforms like Discord and Twitter. Be vigilant against scams and phishing incidents, ensuring the authenticity and security of social interactions.

Contact us: info@oklink.com