April Safety Monthly Report: Total On-chain Loss Across the Network Decreased by 42.11% Compared to March
Security awareness is your strongest shield in the Web3 world and the first line of defense for protecting your digital assets.
OKLink, your first stop for security, provides more than 40 leading blockchain explorers, giving users a single entry point for on-chain queries.
At the same time, tools such as address monitoring, token authorization queries, and address health checks comprehensively assist users in navigating Web3 safely. For more details, see https://www.oklink.com/zh-hans/tools?channelId=wx0001
This month, the total losses across the network amounted to approximately $110 million, a decrease of 42.11% compared to March.
There were a total of 32 incidents of scams and phishing on official social media, accounting for 7.67% of the losses. These incidents were mainly concentrated on X, Discord, and various phishing websites.
The losses from REKT and RugPull incidents accounted for 43.90% and 44.07%, respectively, while other security incident losses accounted for 4.36%.
Case Analysis:
On April 19, Hedgey Finance suffered a major security incident on Ethereum and Arbitrum, resulting in losses of approximately $44.7 million. The attacker exploited a missing user-input validation check to obtain a token approval from the vulnerable contract and then used that approval to drain assets from it. This was the largest REKT security incident of April.
Attack Process:
Attack Transaction: https://www.oklink.com/cn/eth/tx/0xa17fdb804728f226fcd10e78eae5247abd984e0f03301312315b89cae25aa517
1) Borrowed 1.3 million USDC via a Balancer flash loan.
2) Deposited the 1.3 million USDC into the ClaimCampaigns contract via createLockedCampaign().
3) Because the input was not validated, the ClaimCampaigns contract erroneously approved 1.3 million USDC to an attacker-controlled address.
4) Withdrew the deposited 1.3 million USDC through cancelCampaign(). At this point the attacker held an approval for 1.3 million USDC from the contract, which allowed them to take 1.3 million USDC in a subsequent attack transaction.
5) Repaid the flash loan.
Second attack transaction: https://www.oklink.com/cn/eth/tx/0x2606d459a50ca4920722a111745c2eeced1d8a01ff25ee762e22d5d4b1595739
6) Used the approval obtained above to withdraw 1.3 million USDC from the ClaimCampaigns contract.
Vulnerable Code:
https://etherscan.deth.net/address/0xbc452fdc8f851d7c5b72e1fe74dfb63bb793d511
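The approval flaw described in steps 2 to 6, as an added model that is not Hedgey's code: a minimal in-memory ERC-20-style ledger and a campaign contract that pre-approves a caller-supplied address when a locked campaign is created, then refunds the deposit on cancel without revoking that approval. The hardened variant shows the two checks a reviewer would expect: the approved address must come from a trusted allowlist, and cancelling a campaign must reset the approval to zero. The names (Token, CampaignContract, ATTACKER, TRUSTED_LOCKER), the 5,000,000 USDC of other users' deposits and the address labels are constructed for this example; the real contract's logic is not reproduced here.

```python
"""Model of the dangling-approval bug class behind the ClaimCampaigns incident.

Constructed illustration: a toy token ledger plus a vulnerable and a hardened
campaign contract. Amounts are in whole USDC units for readability.
"""

# Constructed address labels, not real on-chain addresses.
ATTACKER = "0xATTACKER"
TRUSTED_LOCKER = "0xLOCKER"
OTHER_DEPOSITS = 5_000_000  # constructed: funds other users already deposited


class Token:
    """Minimal ERC-20-like ledger: balances and allowances (owner -> spender -> amount)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        self.allowances.setdefault(owner, {})[spender] = amount

    def allowance(self, owner, spender):
        return self.allowances.get(owner, {}).get(spender, 0)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def transfer_from(self, spender, src, dst, amount):
        # Spender pulls tokens from src using a previously granted allowance.
        if self.allowance(src, spender) < amount:
            raise ValueError("insufficient allowance")
        self.allowances.setdefault(src, {})[spender] = self.allowance(src, spender) - amount
        self.transfer(src, dst, amount)


class CampaignContract:
    ADDRESS = "0xCAMPAIGN"  # constructed label for the contract's own address

    def __init__(self, token, allowed_lockers=None, hardened=False):
        self.token = token
        self.hardened = hardened
        self.allowed_lockers = set(allowed_lockers or [])
        self.campaigns = {}  # campaign id -> (creator, locker, amount)

    def create_locked_campaign(self, caller, campaign_id, locker, amount):
        # Hardened check 1: only approve addresses the protocol trusts.
        if self.hardened and locker not in self.allowed_lockers:
            raise ValueError("locker address not on the trusted list")
        self.token.transfer(caller, self.ADDRESS, amount)
        # The contract pre-approves the locker so it can later pull the tokens.
        # In the vulnerable variant the locker is whatever the caller supplied.
        self.token.approve(self.ADDRESS, locker, amount)
        self.campaigns[campaign_id] = (caller, locker, amount)

    def cancel_campaign(self, caller, campaign_id):
        creator, locker, amount = self.campaigns[campaign_id]
        if caller != creator:
            raise PermissionError("only the creator may cancel")
        del self.campaigns[campaign_id]
        self.token.transfer(self.ADDRESS, creator, amount)
        if self.hardened:
            # Hardened check 2: the refund must also revoke the approval,
            # otherwise an allowance with no backing campaign is left behind.
            self.token.approve(self.ADDRESS, locker, 0)


def run_scenario(hardened, locker):
    """Replay create -> cancel -> pull and report what is left over."""
    token = Token({ATTACKER: 1_300_000, CampaignContract.ADDRESS: OTHER_DEPOSITS})
    contract = CampaignContract(token, allowed_lockers=[TRUSTED_LOCKER], hardened=hardened)
    result = {"created": False, "allowance_after_cancel": 0, "drained": 0}
    try:
        contract.create_locked_campaign(ATTACKER, "c1", locker, 1_300_000)
    except ValueError:
        return result  # hardened contract rejects the untrusted address
    result["created"] = True
    contract.cancel_campaign(ATTACKER, "c1")
    result["allowance_after_cancel"] = token.allowance(CampaignContract.ADDRESS, locker)
    if locker == ATTACKER:
        # Whoever holds a leftover allowance can pull other users' deposits.
        try:
            token.transfer_from(ATTACKER, CampaignContract.ADDRESS, ATTACKER, 1_300_000)
            result["drained"] = 1_300_000
        except ValueError:
            pass
    return result


if __name__ == "__main__":
    print("vulnerable, attacker-supplied address:", run_scenario(False, ATTACKER))
    print("vulnerable, trusted locker (allowance dangles):", run_scenario(False, TRUSTED_LOCKER))
    print("hardened, attacker-supplied address:", run_scenario(True, ATTACKER))
    print("hardened, trusted locker:", run_scenario(True, TRUSTED_LOCKER))
```

Running the four scenarios shows why both checks matter: the allowlist alone stops the attacker-supplied address, but without the revoke on cancel even a trusted locker is left holding an approval that no longer corresponds to any deposit, which is exactly the state the address-monitoring and token-authorization tools mentioned above are meant to surface.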
April RugPull Losses - Largest Security Incident
On April 21, the crypto gambling platform ZKasino experienced a Rugpull, resulting in losses of approximately $33 million.
OKLink Security Tips
The losses from security incidents this month have decreased compared to last month, but there are still many cases of asset loss due to private key leaks. Please be sure to avoid disclosing your private keys or mnemonic phrases to anyone, and do not store them as screenshots. Additionally, exercise caution when downloading software to prevent your device from being compromised by malware, which could lead to the leakage of private keys or mnemonic phrases. Maintain a skeptical attitude towards projects that claim to offer unusually high returns, and conduct thorough research on the project and team before considering any investment.