SlowMist: Data Analysis of the Ethereum Black Valentine’s Day Event & Disclosure of New Attack Methods (Released in 2018)
On March 20th of this year, we disclosed the theft incident caused by security vulnerabilities in the Ethereum ecosystem. As of now, the attacker has stolen a total of 47,865 ETH, worth over $20 million at current prices, as well as various types of tokens with a total value of over 10 billion.
Although the theft incident has been ongoing for two years, the attacker does not appear to have stopped. Since 2018 there have been several thefts of varying size and amount, the most recent occurring on July 1st.
From January 1st, 2018 until now, there have been 2241 successful theft attacks resulting in the theft of a total of 3163 ETH, and the attacker has conducted 31 withdrawal operations.
The line chart of recently stolen ETH also shows a surge in July: on July 4th there was another large ETH wallet theft.
Based on the currently detected attacker wallet addresses, we can easily see that 0x957cD4Ff9b3894FC78b5134A8DC72b032fFbC464 is still the most active attacker, with a total of 5023 attacks and a total stolen ETH amount of 44,620, accounting for 93.22% of the total stolen, and has made multiple withdrawal operations.
This automated theft attack that exploits the Ethereum RPC authentication vulnerability has caused very serious economic losses to users around the world, and recently, new hidden attack methods have emerged in this incident!
The process of the new attack method is briefly described as follows:
- Once the RPC interface of an Ethereum node is exposed and the account holds no ETH (the attacker has already located the target by scanning), the attacker immediately constructs and signs transactions (with transfer amount X and nonces N+1, N+2, …, N+N relative to the current nonce N; multiple transactions can be prepared this way).
- The node operator discovers the problem and closes the RPC port.
- Believing the account is now safe, the operator transfers ETH into it. The attacker, who has been monitoring in real time with automated programs, then broadcasts the transactions that were signed while the RPC was open.
- The attack is completed.
The new attack method is highly stealthy and poses a real threat. The SlowMist security team urges users not to import private keys into nodes. If this is unavoidable, configure the RPC to listen only on the intranet, or use iptables to block external access. Nodes that have already imported private keys should be taken out of service: transfer the assets to a safe location, invalidate the private key file, and generate a new private key on a separate, isolated machine. Going forward, transfers should be made by signing transactions with the private key offline and using the node only to broadcast the signed transactions.
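As an added example (not code from the original post or from SlowMist), the following Python audit checks a geth launch command line for the combination this post warns about: an RPC listener reachable from outside the intranet together with an account unlocked in the node. The geth flag names are real; the set of accepted intranet address prefixes is an assumption for the check.

```python
import shlex
from dataclasses import dataclass

# geth flags (old and new spellings) that expose or weaken the JSON-RPC surface.
ENABLE_FLAGS = {"--rpc", "--http", "--ws"}
LISTEN_FLAGS = {"--rpcaddr", "--http.addr", "--wsaddr", "--ws.addr"}
API_FLAGS = {"--rpcapi", "--http.api", "--wsapi", "--ws.api"}
# Assumption: only these prefixes count as intranet/loopback listeners.
PRIVATE_PREFIXES = ("127.", "10.", "192.168.", "localhost")

@dataclass
class Finding:
    severity: str
    message: str

def parse_flags(cmdline):
    """Split a geth command line into {flag: value}; bare flags map to True."""
    toks = shlex.split(cmdline)
    flags, i = {}, 1                      # skip the program name
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("--"):
            if "=" in tok:                # --http.addr=10.0.0.5
                key, val = tok.split("=", 1)
                flags[key] = val
            elif i + 1 < len(toks) and not toks[i + 1].startswith("--"):
                flags[tok] = toks[i + 1]  # --rpcaddr 0.0.0.0
                i += 1
            else:
                flags[tok] = True         # --rpc
        i += 1
    return flags

def audit_geth_cmdline(cmdline):
    """Return findings for RPC exposure and key-in-node risks."""
    flags = parse_flags(cmdline)
    rpc_on = any(f in flags for f in ENABLE_FLAGS)
    addr = next((str(flags[f]) for f in LISTEN_FLAGS if f in flags), "127.0.0.1")
    public = addr in ("0.0.0.0", "::") or not addr.startswith(PRIVATE_PREFIXES)
    apis = ",".join(str(flags[f]) for f in API_FLAGS if f in flags)
    unlocked = "--unlock" in flags
    findings = []
    if rpc_on and public:
        findings.append(Finding("HIGH", f"RPC listens on {addr}, reachable beyond the intranet"))
    if unlocked:
        findings.append(Finding("HIGH", "--unlock keeps a private key inside the node"))
    if rpc_on and public and unlocked:
        # Pre-signed transactions may already exist: closing the port is not enough.
        findings.append(Finding("CRITICAL", "unlocked account behind exposed RPC: rotate the key, do not refund it"))
    if rpc_on and public and "personal" in apis:
        findings.append(Finding("HIGH", "personal API exposed over a public RPC"))
    return findings
```

A CRITICAL finding means the key should be treated as already compromised, in line with the recommendation above to move assets and generate a new key on an isolated machine.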
As a participant in the Ethereum ecosystem, SlowMist will continue to track and analyze the event to better promote the development of ecosystem security.
Security measures and review of the “Ethereum Black Valentine” incident:
A billion-dollar token theft case caused by a flaw in the Ethereum ecosystem.
Special coverage website for “Ethereum Black Valentine” incident:
PS.
We have officially settled on the CoinHu platform, and welcome you to follow the SlowMist Zone CoinHu homepage:
https://bihu.com/people/586104
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.
Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
Github:
https://github.com/slowmist/