1. BSC Serial Tragedy
Since Binance Smart Chain (BSC) launched, it has absorbed a large number of users overflowing from Ethereum's slow throughput and high fees, and it has become one of the most active and popular public chains after Ethereum.
Because every transaction on BSC requires BNB for fees, demand for BNB has grown with the chain: according to CoinMarketCap, BNB's market capitalization reached $100 billion on May 10, ranking third behind only Bitcoin and Ethereum and drawing global attention.
As BSC has grown, however, it has also become a hunting ground for attackers. Recently there has been a run of incidents in which funds were stolen or drained through arbitrage-style exploits. In May alone, BSC saw 12 security incidents, with total losses exceeding $270 million.
The largest was against the flagship DeFi project Venus, long regarded as Binance's favoured child. On the evening of May 18, a whale roughly doubled the price of XVS, the token of the BSC lending platform Venus, then used XVS as collateral to borrow and withdraw hundreds of millions of dollars' worth of BTC and ETH. When the price of the XVS collateral then fell sharply, the thin liquidity of the XVS market meant the protocol could not liquidate the positions in time, leaving Venus with bad debt of more than $100 million.
Venus was the only project with a shortfall above $100 million, but losses above $10 million were common.
On May 20, PancakeBunny, a BSC-based yield aggregator, suffered a flash loan attack, losing 114,631 BNB and 697,245 BUNNY. The BUNNY was minted by the attacker and dumped on the market, crashing the price from $240 to below $2. In total the attack caused about $42 million in damage.
On May 2, Spartan Protocol's V1 pools, a BSC-based synthetic asset protocol, were attacked. Because of a flaw in how liquidity shares were calculated, the attacker drained approximately $30 million from the pools.
On May 16, bEarn Fi, a cross-chain DeFi protocol on BSC, suffered a flash loan attack on its bVaults BUSD-Alpaca strategy. Nearly 10.86 million BUSD was drained from the pool, a loss of about $10.86 million.
Some attackers go further and taunt their victims. In the DeFi100 incident, the attackers stole $32 million in on-chain assets and then posted a message on the project's official website: "We deceived you, but there is nothing you can do about it."
2. The truth behind the scenes
In fact, since DeFi took off in the second half of 2020, projects on Ethereum have suffered large-scale flash loan attacks, with attackers manipulating price oracles, exploiting reentrancy, and so on, all causing heavy financial losses.
But a month of thefts and hacks on BSC at this density and intensity is a first in the history of DeFi, and it has drawn attention accordingly.
So why is it BSC's turn now? The reasons can be roughly summarized as follows:
BSC lacks independent innovation
BSC's ecosystem has grown broad but shallow, with little culture of independent innovation. Most projects are forks that lean on Binance's backing and on BSC's role as a de facto "second layer" for Ethereum. New projects are booming and capital is pouring in, but some of them have no defences to speak of and are, in attackers' eyes, easy prey: high-value targets holding a lot of naive money.
Many projects simply fork the code of an Ethereum protocol, combine protocols arbitrarily, make minor changes to someone else's code, or have no intention of building for the long term.
As DeFi composability grows richer, combining or modifying protocols without fully understanding the logic of the originals produces mismatches between components, and those mismatches become latent vulnerabilities that give attackers an opening.
For example, after PancakeBunny was attacked, AutoShark and Merlin, which had forked its code, were hit one after another by the same class of attack.
From the attacker's point of view, the technical bar is low: reuse the same vulnerability against each fork of PancakeBunny's protocol and considerable sums can be made.
Low transaction fees on BSC mean low attack costs
Compared with Ethereum's high gas fees, an attack on BSC may cost the attacker at most a few hundred dollars.
It is also worth noting that in several recent flash loan attacks on BSC, the attackers quickly moved their proceeds to Ethereum through cross-chain bridges such as Nerve and Anyswap and then deployed them into DeFi liquidity mining. Technical innovation in DeFi has thus also produced new money-laundering routes, posing new challenges for anti-money-laundering.
Like flash loans, however, cross-chain bridges are themselves a financial innovation, not a laundering tool. They break down the barriers between crypto assets, allowing assets to move freely and public chains to interoperate, which in turn lets DeFi develop further.
Some unscrupulous project teams rob their own users
It must be admitted that in such a chaotic environment, not every project team is there to build a good project. Some have planned elaborate scams from the very beginning to lure in unsuspecting investors.
On May 24, AutoShark, a PancakeBunny clone, was drained of $700,000. A day later another clone, Merlin Lab, was attacked twice in a single day and lost $6.8 million in a repeat of AutoShark's fate. Scams like these keep attaching themselves to Binance Smart Chain to prey on users.
As for DeFi100, the project explained on Twitter that the taunt on its website homepage was also the work of the hackers, and nothing further followed. Whether this was a genuine theft or an inside job by the project team is something only they know for sure.
3. A warning bell that keeps ringing
The frequent hacks have lit a warning light for the BSC ecosystem. No one wants to park funds in a project with holes in it, and the blockchain world, too, votes with its feet.
According to data from The Block, some of the funds locked on BSC have flowed back to Ethereum because of the hacks, and total value locked has fallen to $2 billion.
Faced with this series of setbacks, it is worth reflecting on what can be done to avoid such security problems as far as possible.
Development teams need to raise their security awareness: do not just copy another protocol's code; review the logic, eliminate possible vulnerabilities, or bring in a professional audit team.
Before a new contract goes live, beyond a full professional smart contract audit for known vulnerability classes, it is necessary to check for business-logic flaws that arise when the contract is composed with other DeFi products, to avoid cross-contract and other compatibility holes.
In addition, projects should introduce risk controls and circuit-breaker mechanisms, including threat intelligence and on-chain monitoring services from third-party security firms, so that security risks are detected as early as possible and attacks can be identified and blocked in time.
When an attack does occur, all parties should coordinate to build an end-to-end asset tracing mechanism. Afterwards, the gaps must be found and filled and the defences improved.
Investors, for their part, need to learn the basics of DeFi and be able to evaluate new projects. Don't pile into a new farm without asking questions: you are after its yield, but it may be after your principal.
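To make the oracle-manipulation pattern mentioned in section 2 and the circuit-breaker idea above concrete, here is an added Python simulation; it is not code from this article or from any project the article names. It models a constant-product AMM pair, a flash-loan buy that inflates the spot price inside one transaction, a lending step that values collateral through an oracle, and two oracles: one that trusts the instantaneous reserve ratio, and one that refuses to serve a price more than 10% away from a time-weighted reference. The reserve sizes, the 0.25% swap fee, the loan size, the loan-to-value ratio and the TWAP reference are constructed assumptions, and the function names (`naive_price`, `guarded_price`, `simulate`) are mine.

```python
"""Constructed simulation: flash-loan spot-price manipulation against a naive
AMM oracle, versus an oracle with a TWAP deviation circuit breaker.
Added example; not code from any project named in the article."""
from dataclasses import dataclass


class PriceDeviation(Exception):
    """Raised by the guarded oracle when spot strays too far from the TWAP."""


@dataclass
class Pool:
    """Constant-product AMM pair (x * y = k) holding TOKEN and BUSD reserves."""
    token: float
    busd: float
    fee: float = 0.0025  # 0.25% swap fee (assumed, PancakeSwap-style figure)

    def spot_price(self) -> float:
        """BUSD per TOKEN implied by current reserves; moves within a single tx."""
        return self.busd / self.token

    def buy_token(self, busd_in: float) -> float:
        """Swap BUSD for TOKEN; returns the TOKEN amount received."""
        eff = busd_in * (1 - self.fee)
        out = self.token * eff / (self.busd + eff)
        self.busd += busd_in
        self.token -= out
        return out

    def sell_token(self, token_in: float) -> float:
        """Swap TOKEN for BUSD; returns the BUSD amount received."""
        eff = token_in * (1 - self.fee)
        out = self.busd * eff / (self.token + eff)
        self.token += token_in
        self.busd -= out
        return out


def naive_price(pool: Pool, twap: float) -> float:
    """Oracle that trusts the instantaneous reserve ratio (ignores the TWAP)."""
    return pool.spot_price()


def guarded_price(pool: Pool, twap: float, max_deviation: float = 0.10) -> float:
    """Oracle with a circuit breaker: serve the spot price only if it is within
    max_deviation of a time-weighted reference, otherwise refuse (fail closed).
    `twap` is a constructed reference here; on-chain it would come from
    cumulative price observations recorded in earlier blocks (assumption)."""
    spot = pool.spot_price()
    if abs(spot - twap) / twap > max_deviation:
        raise PriceDeviation(f"spot {spot:.2f} vs twap {twap:.2f}")
    return spot


def simulate(oracle, flash_loan_busd: float = 10_000_000.0,
             attacker_tokens: float = 100_000.0, ltv: float = 0.5) -> dict:
    """Run one flash-loan attack as a single 'transaction' and report the result.
    All figures are constructed for illustration."""
    pool = Pool(token=1_000_000.0, busd=1_000_000.0)  # honest price: 1 BUSD/TOKEN
    twap = pool.spot_price()                           # reference before the tx
    # 1. take a BUSD flash loan; 2. buy TOKEN with it, pumping the reserve ratio
    bought = pool.buy_token(flash_loan_busd)
    inflated_spot = pool.spot_price()
    # 3. post pre-held TOKEN as collateral; the lender values it via the oracle
    try:
        price_used = oracle(pool, twap)
    except PriceDeviation:
        # circuit breaker fired: on-chain the whole tx reverts, so the attacker
        # is left with nothing but the gas bill
        return {"inflated_spot": inflated_spot, "borrow_blocked": True,
                "borrowed": 0.0, "attacker_profit": 0.0}
    borrowed = attacker_tokens * price_used * ltv
    # 4. sell the bought TOKEN back; 5. repay the flash loan; abandon collateral
    recovered = pool.sell_token(bought)
    profit = borrowed + recovered - flash_loan_busd - attacker_tokens * twap
    return {"inflated_spot": inflated_spot, "borrow_blocked": False,
            "borrowed": borrowed, "attacker_profit": profit}


if __name__ == "__main__":
    for name, oracle in (("naive", naive_price), ("guarded", guarded_price)):
        r = simulate(oracle)
        print(f"{name:8s} spot={r['inflated_spot']:.2f} "
              f"blocked={r['borrow_blocked']} borrowed={r['borrowed']:.0f} "
              f"profit={r['attacker_profit']:.0f}")
```

The guarded oracle fails closed, which is what a circuit breaker should do: the borrow reverts and the attacker pays only gas. Its limit should be clear as well: a TWAP will follow a price that is pumped over several blocks, which is closer to the Venus case above, where the collateral market was too thin to liquidate. A deviation check protects against single-transaction manipulation; collateral with thin liquidity additionally needs supply caps or a collateral factor that reflects how much of it the market can actually absorb.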
4. Getting to the root of the matter
The blockchain industry is only 12 years old. Compared with mature industries it is still very early: the underlying infrastructure is immature, industry rules and standards are unclear, and the regulatory framework is vague.
So it is not only DeFi protocols that suffer frequent security incidents; as more applications go live, security problems around blockchain digital assets are on the rise, and "black swans" are plentiful.
This calls for everyone in the blockchain space to take these problems seriously. Project teams should first set the right direction, avoiding short-termism, quick money, fraud and anything else that harms the industry's development, and should build a positive image of the industry for the outside world, working to put it on a sound footing as soon as possible. Investors and users should keep learning to deepen their understanding of the industry, explore and practise actively, gain the ability to spot scams and protect their own assets, and through that learning and practice seize the new opportunities of the digital economy.
In short, however sensational the stories, the opportunities in blockchain remain, and risk and opportunity will always coexist. While some hesitate, still frightened by repeated market wipeouts and frequent DeFi security incidents, others have quietly set out along the road to a new era.