Our review of the blockchain security industry in 2021, with global losses exceeding $9.8 billion

SlowMist
Dec 30, 2021

2021 was a year of ups and downs for the blockchain industry. Blockchain technology continued to grow thanks to its decentralized, open, and transparent characteristics. The surge of users in DeFi, NFTs, and the Metaverse propelled the blockchain industry to new heights. As more projects were built on the blockchain, the number of exploits grew with them. This article walks you through the developments and exploits within the blockchain industry in 2021.

Blockchain Security Environment

Policy, compliance, Supervision

The Chinese government has increased its focus on developing and applying blockchain technology within China. It plans to significantly improve the service capabilities of blockchain technology and related facilities by 2025. On the other hand, the government tightened its grip on cryptocurrencies. In September, the NDRC and other departments published a joint statement regarding the “Notice of activities” and the “Remediation of Virtual Currency.”

Governments worldwide continue to pay close attention to cryptocurrency. Cryptocurrency regulation is gradually improving, and policies are progressively becoming more lenient. The Financial Action Task Force (FATF), an international anti-money laundering (AML) agency, released its most recent regulatory guidelines for cryptocurrencies. Seoul, South Korea, will build a “Meta Universe Platform” public service. The Texas Virtual Currency Act has officially taken effect. Bitcoin is now legal tender in El Salvador. The Ukrainian Parliament passed a bill on virtual assets, and so on.

Due to the rise in usage by institutions, governments worldwide are becoming more interested in blockchain technology as an essential part of the “new infrastructure.”

Technology, Application, Economy

The Chinese blockchain industry is expanding rapidly, with new applications being developed regularly. Guangdong Province issued the country’s first public data asset certificate, and the country’s first blockchain intellectual property protection agency was founded. Prominent corporations have also come on board, with HUAWEI patenting security chips and processing algorithms. Tencent Cloud has released three blockchain-related products. Baidu has published patents on blockchain system upgrade methods, devices, equipment, and storage. The Metaspace Industry Communications Committee was formally constituted. China presently has the most blockchain patent applications globally, accounting for around 63 percent of all applications. In addition, the Ministry of Commerce declared that it would support the use of innovative technologies such as blockchain.

Blockchain technology made significant advancements in 2021, with more updates to follow in 2022. Ethereum completed the London update on August 5th. Arbitrum, the Ethereum Layer 2 solution, will release a new Nitro version based on WASM. Vitalik and others in the Ethereum community proposed EIP-4488 to reduce Ethereum’s gas prices in Q2 of 2022.

Security incidents

Blockchain technology is a double-edged sword. While its decentralization, anonymity, and immutability help move the industry forward, they also raise security concerns. Many types of crime involve cryptocurrencies, such as money laundering and fraud. Theft, drug trafficking, and mining are also prevalent.

According to our SlowMist Hacked database, at the time of writing there had been 231 blockchain security incidents in 2021, with losses totaling more than $9.8 billion worldwide.

(hacked.slowmist.io)

There were 170 DApp and DeFi-related exploits, 15 exchange-related incidents, 8 Public-blockchain attacks, 3 wallet hacks, and 35 other types of security incidents.

Since 2018, there has been a steady rise in the number of exploits and funds lost.

Security incidents and opinions

Let’s examine some of these incidents, and we will offer our opinions. Even though this is only the tip of the iceberg, it depicts the current state of exploits in Blockchain.

Public-blockchain Attacks

BSV 51% attack
On August 4, BSV was suspected of being subjected to a 51% attack, and nearly 100 blocks were compromised.

ETC mainnet fork
On September 4, Ethereum Classic (ETC) tweeted that the ETC mainnet suffered a fork due to a vulnerability in the Ethereum client Geth.

Solana’s mainnet Beta denial of service attack
On September 14, the Solana mainnet Beta version became unstable. The network was down for 17 hours, with no permanent damage, and was fully functional within 24 hours. The cause of the network stagnation was a denial-of-service attack. At 12:00 UTC, Grape Protocol launched on Raydium, and transactions generated by bots congested the network. These transactions caused a memory overflow, crashing validator nodes and forcing the network to halt.

Our View
Although public-blockchain vulnerabilities cause relatively small direct losses, they significantly impact the entire chain built on top of them. Therefore, a public blockchain must undergo a professional security audit before going online. We recommend that public-blockchain teams cooperate with a credible and professional security team to deploy security recommendations tailored to their chain, to minimize exploits and ensure the safety of the entire network.

Exchange Attacks

Second Cryptopia Exchange Hack
On February 20, Cryptopia, a New Zealand exchange, was hacked for the second time. Investigations revealed that the hacker had accessed a wallet that had been dormant since an earlier hack in January 2019. The wallet belongs to Stakenet and is controlled by Grant Thornton, the liquidator of Cryptopia. According to the investigation, the dormant wallet holds approximately USD 1.96 million worth of Xtake, which is the native token of Stakenet.

Liquid Exchange Hot Wallet Attack
On August 19, the Japanese crypto trading platform Liquid announced that its hot wallet had been compromised. Using our MistTrack AML tracking system, we estimated that $91.35 million (based on prices on the day of the incident) was stolen. BTC, ETH, ERC20 tokens, TRX, TRC20 tokens, and XRP were among the 70 different cryptocurrencies stolen.

Our View
Vulnerabilities in exchanges have been a critical source of concern for the exchanges themselves and for their users. These weaknesses may be decisive in determining an exchange’s survival. During the fourth quarter of 2021, various exchanges were targeted by hackers, resulting in significant losses.

Exchanges are frequently attacked for the following reasons:
(1) Exchanges have large deposits and have always been the target of hackers
(2) Weak defenses are prone to security vulnerabilities
(3) Users lack security awareness
(4) Inside Jobs

We recommend that major exchanges improve their internal management and technical procedures, strengthen the security of digital assets by introducing security audit mechanisms, zero-trust mechanisms, and cold and hot asset security solutions, and, at the same time, actively embrace supervision.

Users can also increase their security awareness by learning about security features within the exchange, refraining from disclosing their private key to anyone, and looking for the official platform to avoid phishing incidents.

Wallets hacks

Ledger Wallet hack
On June 18th, crypto wallet provider Ledger informed users of a new scam involving fake Ledger wallets. Users who had purchased Ledger wallets received a package containing a compromised Ledger device and a forged letter from Ledger. The letter stated that users needed to replace their current Ledger with the new one to protect their funds. Once the user transfers their funds to the new wallet, the attacker gains access to them.

Multiple Chivo wallets were stolen
Chivo Wallet is a national digital wallet launched by El Salvador’s government on September 7 to implement the nation’s Bitcoin Act. El Salvador has given a $30 Bitcoin incentive to anybody who downloads and authenticates Chivo Wallet. This decision enabled El Salvador’s official wallet to surpass two million users in a single month. However, between October 9th and October 14th, Cristosal, a Salvadoran human rights organization, received 755 complaints from Salvadorans that their Chivo wallet account had been stolen.

Our Views
Although the number of wallet exploits has fallen this year, the losses resulting from fraudulent wallet apps have increased. According to a November SlowMist analysis, tens of thousands of fake wallet apps have been downloaded, resulting in losses of up to $1.3 billion. You can protect your assets by developing a sense of security and employing proper techniques.

1. Always go to the official website and avoid any other links.
2. Make a backup of your wallet and keep the private key in a secure location.
3. Always be wary; if it’s too good to be true, it probably is.

DApps, DeFi, NFTs, Cross-Chain protocols

1. Ethereum Network

Sushiswap attack
SushiSwap was attacked again on January 27th, losing 81 ETH. This attack is similar to SushiSwap’s initial attack in that both attacks manipulated the trading pair prices. The attacker took advantage of the fact that DIGG did not trade with WETH and created this trading pair to manipulate the initial transaction price. This resulted in massive slippage during the exchange process. The attacker only used a small amount of DIGG and WETH to provide the initial liquidity.
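The mechanism described above, a pair seeded with a tiny amount of liquidity so that any meaningful trade suffers enormous slippage, can be modelled with a constant-product pool. The following Python model is an added example written for this review; it is not SushiSwap’s code, and the reserve figures are constructed. It quantifies the slippage on a thin pool versus a deep one and shows the two guards a caller (a router, vault strategy, or trading bot) should apply before routing through a pair: a minimum acceptable output and a minimum pool depth.

```python
"""Constant-product AMM model: thin-pair price manipulation and caller-side guards.
Added example for illustration; not SushiSwap's code. All numbers are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pool:
    """x*y=k pool. reserve_in is the token being sold, reserve_out the token bought."""
    reserve_in: float
    reserve_out: float
    fee: float = 0.003  # 0.3% taken from the input, Uniswap-v2 style

    def spot_price(self) -> float:
        """Pre-trade price of one `in` token expressed in `out` tokens."""
        return self.reserve_out / self.reserve_in

    def quote(self, amount_in: float) -> float:
        """Output for a given input, holding k constant after the fee."""
        effective_in = amount_in * (1 - self.fee)
        return self.reserve_out * effective_in / (self.reserve_in + effective_in)

    def swap(self, amount_in: float) -> float:
        out = self.quote(amount_in)
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out


def slippage(pool: Pool, amount_in: float) -> float:
    """Fraction of value lost versus filling the whole trade at the spot price."""
    ideal_out = amount_in * pool.spot_price()
    return 1.0 - pool.quote(amount_in) / ideal_out


def check_swap(pool: Pool, amount_in: float, min_out: float,
               min_reserve_out: float) -> Optional[str]:
    """Return a rejection reason, or None if the trade is acceptable.

    min_out        -> slippage tolerance the caller is willing to accept
    min_reserve_out-> refuse pairs that are too shallow to price anything
    """
    if pool.reserve_out < min_reserve_out:
        return "pool too shallow"
    if pool.quote(amount_in) < min_out:
        return "output below minimum (slippage too high)"
    return None


def guarded_swap(pool: Pool, amount_in: float, min_out: float,
                 min_reserve_out: float) -> Optional[float]:
    """Execute the swap only if check_swap passes; otherwise return None."""
    if check_swap(pool, amount_in, min_out, min_reserve_out) is not None:
        return None
    return pool.swap(amount_in)


if __name__ == "__main__":
    # Constructed scenario: an attacker seeds a brand-new DIGG/WETH pair with
    # 1 DIGG and 1 WETH, while a healthy pair would hold thousands of each.
    thin = Pool(reserve_in=1.0, reserve_out=1.0)
    deep = Pool(reserve_in=10_000.0, reserve_out=10_000.0)
    trade = 100.0  # a strategy tries to sell 100 DIGG
    print(f"thin pool slippage: {slippage(thin, trade):.1%}")
    print(f"deep pool slippage: {slippage(deep, trade):.1%}")
    # With a 5% tolerance and a depth floor of 100 WETH, the thin pair is refused.
    print("thin:", check_swap(thin, trade, min_out=95.0, min_reserve_out=100.0))
    print("deep:", check_swap(deep, trade, min_out=95.0, min_reserve_out=100.0))
```

In this model the thin pair loses roughly 99% of the trade’s value to slippage while the deep pair loses about 1.3%; either guard alone is enough to refuse the thin pair. The same two checks, a minimum output and a minimum depth, are what a vault or router should enforce on-chain before trusting a freshly created pair as a price source.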

$12.5M recovered after SIL was stolen
A high-risk vulnerability in the SIL.Finance contract was discovered on March 19. According to SIL.Finance, the event was caused by a flaw in the smart contract permissions, which triggered a generic front-running trading bot to submit a series of profitable transactions. The funds in the smart contract could not be withdrawn due to the high-risk vulnerabilities, but within 36 hours $12.5M was recovered with the assistance of our SlowMist team and others.

Compound bugs and proposals
On September 30, the decentralized lending protocol Compound confirmed via Twitter that after the implementation of Proposal 62, the protocol’s liquidity mining had distributed COMP tokens abnormally. After an investigation, Compound said that deposits and borrowed funds were not at risk. Compound founder Robert Leshner noted that the problem appeared to be an error in the initial setting of the COMP distribution rate under Proposal 62, resulting in too many COMP tokens being distributed. On October 4, just as Compound was trying to fix the vulnerability, another COMP pool worth US$68.8 million (202,472 COMP in total) was drained through the drip() function of the token distribution contract.

2. BSC(Binance Smart Chain) Network

Attacks on Cream Finance
Cream Finance, a DeFi lending platform, was attacked again on October 27 and lost around $130M. The funds stolen were mostly Cream LP tokens and other ERC-20 tokens. According to reports, this is the third-largest DeFi hacker attack in history. Furthermore, Cream Finance has repeatedly been the victim of flashloan attacks, losing $37.5M in February and another $19M in August.

3. EOS Network

Flash.sx Smart Contract Reentrancy Attack
On May 14th, at 11:28 UTC, the flash.sx flashloan smart contract suffered a reentrancy attack. It is estimated that 1.2 million EOS and 462,000 USDT were stolen. According to official sources, after the attack, the project party initiated a proposal to directly change the hacker’s EOS account permissions and transfer back the assets.

PIZZA Hack
At 8 p.m. on December 8, the hacker account itsspiderman used an overflow vulnerability in eCurve to create additional tripool market-making certificates, pledging and lending the majority of the tokens in a PIZZA contract. Following that, hackers created over 1.3 million accounts and distributed the stolen assets. The loss to the PIZZA protocol in this attack is about $5 million.

4. Polygon Network

SafeDollar Attack
SafeDollar, an algorithmic stablecoin project on Polygon, was the target of a hack on June 28. An unverified contract appeared to have stolen $250,000 in USDC and USDT.

PolyYeld Finance Contract Exploit
The PolyYeld Finance farming contract was exploited to mint 4.9 trillion YELD tokens, which were then dumped on the secondary market.

5. HECO Network

HSO Scam
On March 10, the Huobi Eco-Chain (HECO) oracle project HSO carried out an IDO and ran away with 30,000 HT. Its website and Telegram could not be reached. Later, 24,823 HT were recovered with the help of the HECO core code contribution team Star Lab, the HECO technical community, and the HECO White Hat Security Alliance.

XDX Swap Exploit
XDX Swap, the cross-chain decentralized exchange (DDEX) on the Heco chain, was attacked on July 2. The attacker obtained 85.17 ETH (about $176,000) and transferred it to the Ethereum network. There appeared to be a backdoor in the DDEX code. With the help and collaboration of DDEX, Star Labs, and the HECO White Hat Security Alliance, XDX Swap recovered the majority of the funds involved in this incident, totaling more than $5M.

6. Other Networks

Near Network: Ref.Finance contract vulnerabilities
The Ref.Finance team on the Near protocol tweeted on August 15th that the team had noticed abnormal behavior in the REF-NEAR trading pair. They discovered that a patch in a recently deployed contract contained an error that was being exploited by multiple users. This error affected approximately 1 million REF and 580,000 NEAR.

Solana Network: Solend Attack
On August 19th, the lending protocol Solend on Solana announced that they had been hacked. The attacker exploited the weak identity check in the UpdateReserveConfig method to liquidate all accounts. Furthermore, the hacker increased the APY on borrowed funds to 250 percent. During this time, the funds of 5 users were inadvertently liquidated. Solend stated that no funds were stolen as a result of this incident. In the future, they plan to increase their bug bounties and implement a more robust monitoring and alert system.

Polkadot Network: Polkatrain Arbitrage Attack
On April 5, an incident occurred on the Polkatrain IDO platform. According to our analysis, the contract in question was the POLT_LBP contract. The contract has a swap function as well as a rebate mechanism: a fixed rebate is paid whenever users call the swap function to purchase PLOT tokens. The rebate is delivered to the user via the contract’s _update function, which calls transferFrom. Because the _update function neither sets a maximum rebate amount for a pool nor checks whether the total rebates have been used up, a malicious arbitrage contract can call the swap function indefinitely, exchanging tokens back and forth purely to collect rebate payouts.
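To make the rebate flaw concrete, here is a small Python model of the swap-plus-rebate logic described above. It is an added example written for this review, not Polkatrain’s contract; the function names swap and _update mirror the text, but the rebate amount, budget and the attacker loop are constructed. The unbudgeted version pays out on every call and is drained by a loop of minimal swaps; the hardened version tracks the pool’s remaining rebate budget inside _update and stops paying once it is exhausted.

```python
"""Rebate-pool model for an LBP-style swap. Added example, not Polkatrain's code.
All amounts are constructed integers in the smallest token unit."""
from typing import Optional, Tuple


class RebateSwap:
    """Swap contract that pays a fixed rebate on every purchase.

    rebate_budget=None reproduces the flaw: no cap and no used-up check.
    A numeric budget is the hardened form: _update refuses to exceed it.
    """

    def __init__(self, price: int, rebate_per_swap: int,
                 rebate_budget: Optional[int] = None) -> None:
        self.price = price                  # out-tokens per in-token (constructed)
        self.rebate_per_swap = rebate_per_swap
        self.rebate_budget = rebate_budget  # None -> unbounded (vulnerable)
        self.rebates_paid = 0               # running total handed out

    def _update(self, user: str, rebate: int) -> int:
        """Pay a rebate to `user`; returns the amount actually paid.

        Hardened behaviour: clamp to the remaining budget and record it.
        Vulnerable behaviour (budget None): always pay in full.
        """
        if self.rebate_budget is not None:
            remaining = self.rebate_budget - self.rebates_paid
            rebate = max(0, min(rebate, remaining))
        self.rebates_paid += rebate
        # A real contract would call token.transferFrom(treasury, user, rebate) here.
        return rebate

    def swap(self, user: str, amount_in: int) -> Tuple[int, int]:
        """Buy tokens; returns (tokens_out, rebate_paid)."""
        if amount_in <= 0:
            raise ValueError("amount_in must be positive")
        tokens_out = amount_in * self.price
        rebate = self._update(user, self.rebate_per_swap)
        return tokens_out, rebate


def drain_rebates(contract: RebateSwap, rounds: int, amount_in: int = 1) -> int:
    """Model of the arbitrage loop: repeatedly swap the smallest amount and
    sum the rebates collected. Stops early once the contract pays nothing."""
    collected = 0
    for _ in range(rounds):
        _, rebate = contract.swap("arb-contract", amount_in)
        if rebate == 0:
            break
        collected += rebate
    return collected


if __name__ == "__main__":
    # Constructed parameters: 10 units of rebate per swap, a treasury of 100 units.
    vulnerable = RebateSwap(price=2, rebate_per_swap=10)
    hardened = RebateSwap(price=2, rebate_per_swap=10, rebate_budget=100)
    print("vulnerable pays out:", drain_rebates(vulnerable, rounds=1_000))
    print("hardened pays out:  ", drain_rebates(hardened, rounds=1_000))
```

With the constructed numbers the vulnerable contract hands out 10,000 units over 1,000 calls, far beyond any intended treasury, while the hardened one pays exactly its 100-unit budget and then refuses further rebates. The two missing checks named in the analysis, a per-pool maximum and a used-up test, both live in _update here; a production contract would also typically bound rebates per address and per period, which this model does not attempt.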

Avalanche Network: Vee.Finance hack
On September 20, the Vee.Finance lending protocol on the Avalanche network discovered numerous suspicious transactions. After additional research, it was found that 8804.7 ETH and 213.93 BTC had been stolen (total value over 35 million U.S. dollars). Stablecoins in the protocol were not affected by this attack.

Fantom Network: GrimFinance Exploit
On December 19, GrimFinance, a DeFi protocol on the Fantom network, suffered a flashloan attack with losses exceeding $30M. The attacker used the “beforeDeposit()” hook to exploit GrimFinance’s contract from another malicious contract.

7. Cross-Chain Protocols

THORChain Attacks
THORChain, a cross-chain protocol, was the victim of multiple attacks within a month. On June 29th, THORChain was attacked by “fake deposits” and lost $350,000. It then happened again on July 16 and July 23, losing about $8M each time.

Chainswap theft affects multiple platforms
On July 11, the cross-chain bridge project Chainswap was attacked again by hackers. Tokens of more than 20 projects that had deployed smart contracts on the bridge were stolen. The total loss is about $4 million, making it one of the most widespread security incidents in DeFi history. According to the Chainswap analysis, there was an issue with how the limit on tokens traded across chains was set: the on-chain swap bridge quota went up automatically, with the goal of being more decentralized and avoiding manual control. However, because of the flaw, the quota was also automatically raised for invalid addresses that should not have been allowed. Chainswap also suffered another hack on July 2, when some user tokens were taken out of wallets that had interacted with ChainSwap. Approximately $800,000 was lost in that incident.

$610M returned after Poly Network hack
The Poly Network attack on August 10th may have been the largest hack in DeFi history. More than $610M worth of crypto assets were stolen but returned within 15 days. The entire blockchain community experienced the ups and downs together with Poly Network. At present, all involved funds have been returned to the network, and system functions have been restored to the levels before the incident.

8. NFT Scams

Our View
Since the birth of DeFi, it has been plagued by numerous exploits. Although the value of many DeFi projects has been steadily increasing, so have the attacks on them. According to our statistics, the common hacks in DeFi usually involve the following methods:

(1) Flashloan attacks
(2) Contract vulnerabilities
(3) Compatibility or architecture issues
(4) Private key leakage or front-end attacks
(5) Inside jobs

If a project wants to minimize vulnerabilities and reduce security risks, it must conduct an in-depth security audit before going live. At the same time, we advise all DeFi project participants to strengthen their asset security by adopting a multi-signature scheme. Furthermore, when a DeFi project interacts with other protocols, it is critical to ensure that the protocols are compatible. When porting code from a different protocol, developers must thoroughly understand the architecture of the protocol being ported and the architectural design of their own project.

As the blockchain industry gets more complex, users should research before investing in a project. Check to see if a project is open source and has been audited. Always be cautious when investing in projects and know the risks involved.

Other Types of Exploits

Blackmail
Colonial Pipeline, the largest oil and gas pipeline operator in the United States, was forced to halt operations on May 7 due to a targeted ransomware attack. Following that, it paid 75 bitcoins (worth more than $4M) to re-establish normal operations. The ransomware attack targeted national-level essential infrastructure, causing worldwide shock and concern. In response, US Department of Justice authorities said they had successfully retrieved more than $2M of the ransom. However, US government officials did not detail how they obtained the private key and recovered the ransom, only stating that this action demonstrates that the US will go to any length to respond to ransomware attacks.

Scams
On August 20th, the founder of one of Russia’s largest cryptocurrency scams was imprisoned for allegedly defrauding more than $1.5B from its investors. Finiko was established in Kazan in 2019 and pretended to be a legitimate BTC investment company. In December 2020, Finiko released its native cryptocurrency, FNK. According to local reports, the founders took BTC from investors and rewarded them with FNK tokens.

Phishing
On October 15th, Sophos released a report stating that the CryptoRom app stole more than $1.4M through “super signature service” and Apple’s developer enterprise plan. To date, Bitcoin addresses related to the scam have sent more than $1.39M, and there may be additional addresses related to the fraud. According to the report, most of the victims are iPhone users. The report stated that CryptoRom bypassed all security checks in the App Store and remained active every day. The report also said that Apple should warn users about installing apps through temporary distribution or the enterprise configuration system since Apple has not reviewed these apps.

Our View
Amid the blockchain’s rapid development, new blockchain-related attacks have also multiplied. Take ransomware, for example: according to a report released by the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), ransomware-related transactions totaled more than $590 million in the first half of 2021. SlowMist encourages users not to open unknown email attachments and to identify phishing websites carefully. Always maintain a suspicious and cautious attitude toward new sites and use anti-virus software.

Summary

Despite the increasing value of several cryptocurrencies such as BTC and the current development in the blockchain industry, cryptocurrency crimes have also increased. From the statistical data, most of these incidents happened in April, June, and August. The majority of the hacks were on the Ethereum network, followed by the BSC. These attacks mainly targeted DeFi protocols and centralized exchanges.

We recommend that project teams upgrade their internal management and technical systems. Internal security staff should continuously look for gaps in security-related areas. The most important step before a project goes live is a complete and thorough security audit, which reduces the chance of security problems.

Users should approach the blockchain correctly and rationally, establish sound views on currency and investment, and effectively improve their risk-prevention awareness. For instance, before investing, consider whether the smart contract is open source and whether the platform itself has undergone a security assessment. Most importantly, store your private key carefully and do not disclose it to anyone.

Lastly, we look forward to all the innovation and value creation within the blockchain industry in 2022 and the years to come.

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.