This article mainly explains the fourth type of fraudulent method: exploiting vulnerabilities.
Smart contract vulnerabilities
- The DAO attacks
The attackers combined two vulnerabilities. The first was that the splitDAO function could be called recursively: after the initial, legitimate call, splitDAO could be made to call itself again before it had finished, and this illegitimate re-entry could then be repeated. The recursive calls allowed the attackers' DAO assets, which should have been cleared after the first split, to be separated from The DAO's asset pool dozens of times before they were finally cleared. The second vulnerability let the attackers avoid the destruction of the separated DAO assets by The DAO asset pool. Normally, the attackers' DAO assets would be destroyed by the asset pool once they had been separated, but the attackers could prevent this by transferring the assets to their own accounts before the recursive call ended. After exploiting the first vulnerability, the attackers could move the DAO assets they had transferred out for safekeeping back to the original accounts. In this way, the attackers carried out more than 200 attacks with only two accounts and the same DAO assets.
The incident caused almost 15% of all ETH to be stolen by hackers. In order to recoup investors' losses, the Ethereum community decided to retrieve the lost ETH by carrying out a soft fork, which eventually led to the ETH fork.
- Parity Ethereum wallet contract vulnerability
The fallback function of the smart contract uses delegatecall(msg.data), which executes the function named in the call data in the wallet's own storage context while keeping msg.sender as the original caller. Hackers called initWallet by exploiting this behaviour, and you might think that Parity would have set up conditions on initWallet to block the hackers, but it turns out this was not the case. As a result, the hackers successfully changed the owner of the contract and transferred Ether to their own accounts.
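To make the delegatecall point concrete, here is an added illustration written for this article, not Parity's wallet code: a shared library contract and a thin wallet whose fallback forwards every unknown call to the library with delegatecall. Because delegatecall runs the library's code against the wallet's storage, an initializer that does not check whether an owner already exists lets any caller become the owner. The `initWallet` name comes from the article; `WalletLibrary`, `Wallet`, `initWalletSafe`, `m_owner` and `withdraw` are constructed here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the delegatecall + unguarded initializer pattern.
// Not Parity's code; contract and function names (other than initWallet) are assumptions.

// Shared logic library. delegatecall runs this code in the *wallet's* storage
// context, so m_owner below refers to the wallet's own storage slot 0.
contract WalletLibrary {
    address public m_owner;   // slot 0, must match Wallet's layout

    // VULNERABLE: anyone who reaches this function can (re)set the owner.
    function initWallet(address owner) external {
        m_owner = owner;
    }

    // HARDENED: refuse to run once an owner has been recorded.
    function initWalletSafe(address owner) external {
        require(m_owner == address(0), "already initialized");
        m_owner = owner;
    }

    // Only the recorded owner may move funds out of the wallet.
    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == m_owner, "not owner");
        to.transfer(amount);
    }
}

contract Wallet {
    address public m_owner;          // slot 0, mirrors the library's layout
    address public immutable lib;    // immutable: not in storage, layout unaffected

    constructor(address _lib) {
        lib = _lib;
    }

    receive() external payable {}

    // Every unknown selector is forwarded with the caller's calldata, exactly
    // the pattern in the text: msg.sender is preserved and storage is ours,
    // so a forwarded initWallet(attacker) rewrites this wallet's m_owner.
    fallback() external payable {
        (bool ok, ) = lib.delegatecall(msg.data);
        require(ok, "delegatecall failed");
    }
}
```

The defensive lesson is twofold: every initializer reachable through a delegatecall proxy must check that it has not already run, and the fallback should forward only the selectors the wallet actually intends to expose rather than arbitrary msg.data.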
- Analysis of smart contract vulnerabilities with the MAIAN tool
Researchers from Singapore and the United Kingdom used the MAIAN tool to analyze and scan one million sample smart contracts, and found that about 3.4% of them were vulnerable. The researchers' report pointed out that, due to imperfections in smart contract code, several vulnerabilities expose millions of US dollars worth of Ether to risk.
- User loss resulting from the ERC20 standard
This problem mainly results from the fact that a contract has no way of handling incoming ERC20 transfers made with the ERC20 transfer method. If you send 100 ETH to a contract that is not intended to work with Ether, the contract can reject the transaction without returning any error. If you send 100 ERC20 tokens to a contract that is not intended to be used with ERC20 tokens, the contract does not reject them, because it cannot recognize incoming transfers at all. As a result, the tokens are stuck in the contract's balance.
The following lists the value of ERC20 tokens lost in this way to date (as of December 27, 2017):
$1,204,273 for QTUM;
$1,015,131 for EOS;
$249,627 for GNT;
$217,477 for STORJ;
$201,232 for Tronix;
$151,826 for DGD;
$149,941 for OMG;
$102,560 for STORJ.
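The asymmetry described above comes from how the two transfer kinds are executed. An Ether transfer runs the recipient contract's code, so a contract with no receive or fallback function rejects it and the sender keeps the funds. An ERC20 transfer only updates the token contract's own ledger and never calls the recipient, so the recipient can neither refuse the tokens nor, unless it has a function for it, move them out again. The following added illustration, written for this article and not taken from any project, shows a contract where such tokens are stuck beside the same contract with an owner-only sweep. The `IERC20` subset is the standard interface; `Sink`, `SinkWithRescue`, `poke` and `rescueERC20` are constructed names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the "stuck ERC20 tokens" problem.
// Contract and function names are assumptions; IERC20 is the standard subset.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Ether sent here is rejected: there is no receive() or fallback(), so a
// mistaken ETH transfer reverts and the sender keeps the funds. Tokens are
// different: token.transfer(address(this), n) only changes the token's own
// ledger and never executes code in this contract, so nothing can stop it
// and nothing can ever move the tokens out again.
contract Sink {
    uint256 public counter;

    function poke() external {
        counter++;
    }
}

// Same contract with a rescue path. The token balance is still credited
// silently, but the owner can sweep whatever has accumulated.
contract SinkWithRescue {
    address public immutable owner;
    uint256 public counter;

    constructor() {
        owner = msg.sender;
    }

    function poke() external {
        counter++;
    }

    // Sweeps the full balance of one token to a chosen address. Owner-only,
    // so the sweep itself cannot become a way for others to drain the contract.
    function rescueERC20(IERC20 token, address to) external {
        require(msg.sender == owner, "not owner");
        uint256 amount = token.balanceOf(address(this));
        require(amount > 0, "nothing stuck");
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

A sweep function does not prevent the mistake, it only makes it recoverable; preventing it requires a token standard that calls the recipient (and lets it revert), which plain ERC20 does not do.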
Client vulnerabilities
- Ledger wallet vulnerability
The Ledger wallet generates a new address for each incoming payment. However, if the computer hosting the wallet software is infected with malware, attackers can carry out a man-in-the-middle attack: when the user generates an address to receive cryptocurrency, the malware substitutes a fraudulent address, and the funds are transferred to the attacker instead.
- JSON RPC vulnerability
Attackers can maliciously call eth_sendTransaction to steal funds by exploiting the authentication vulnerability of the Geth/Parity JSON RPC API on Ethereum nodes.
The attackers scan the whole Internet for Ethereum nodes with open ports such as 8545 (HTTP JSON RPC API) and 8546 (WebSocket JSON RPC API), send eth_getBlockByNumber, eth_accounts and eth_getBalance to enumerate the block height, wallet addresses and balances, and then call eth_sendTransaction repeatedly in an attempt to transfer the balance to their own wallet. When the node's user happens to call unlockAccount on a wallet during this period, the attackers' eth_sendTransaction is executed successfully while the account remains unlocked, with no password needed to sign the transaction, and the balance is transferred to the attackers' wallet. As of the release of this article, the attackers' address has received 4,313 transfers, that is, 4,313 personal accounts were robbed, for a total of 38,079.4 ETH, or approximately 19,686,843 US dollars.
ETH fraud data
As of the release of this article, 818 fraudulent ETH addresses have been collected, with 20,025 victims and 118,945.7 ETH defrauded, worth approximately 61,494,4926.9 US dollars. Of those addresses, 640 use phishing as the fraudulent method (78.1% of the total), 171 use fraud (20.9%), and 7 use fake ICO websites (almost 1%). Because the number of addresses that have profited from exploiting vulnerabilities is too small, their proportion has not been computed.
Stages and trends of fraudulent methods
Summarizing the fraudulent methods compiled above, their development can be divided into the following three stages:
The first stage was the period before September 2017. During this period, ICOs prevailed and an endless stream of new projects emerged. The strong profitability effect attracted many investors, and any project could quickly raise tens of millions of dollars. Under these conditions, criminals exploited the frenzy and investors' lack of discernment, forging or attacking the websites hosting ICOs to earn huge profits.
The second stage was the period from September 2017 to February 2018. After China banned ICOs on September 4th, the strong profitability effect of ICOs was gone, and projects switched to raising funds through private placement. Surrogate investment then appeared, because capital agencies held quotas that could be resold to ordinary investors. Since surrogate investments had no central management and were all initiated by individuals with morality as the only constraint, frauds involving private placement or surrogate investment also increased.
The third stage is the period after February 2018. As the currency market gradually turned bearish and private-placement tokens were issued, investors became more rational and stopped taking part in private placements or surrogate investments. The windfall conditions of the first two stages are therefore no longer available to criminals, and they have had to turn to ordinary frauds, such as posing as a celebrity and posting cashback scam messages on social platforms.
Due to the strong profitability effect of ICOs, China introduced a policy prohibiting ICOs in September 2017. Because of this, the number of ICO-related frauds will decrease, but other simple fraud methods will continue to emerge, with more varied tricks that are harder to prevent.
Theft incidents of exchanges in the last few years
February 24, 2014: the world's largest Bitcoin exchange operator, Mt.Gox, announced that 850,000 bitcoins had been stolen from its trading platform.
March 2014: the U.S. digital currency exchange Poloniex lost 12.3% of its bitcoins to theft.
August 15, 2014: the Altcoins trading platform announced that 50 million NXT had been stolen by hackers, with a market value of approximately 10 million RMB.
January 5, 2015: the bitcoin trading platform Bitstamp was hacked and $5.1 million worth of bitcoins was stolen.
February 14, 2015: hackers stole all 7,170 BTC from the cold wallet of the Bter trading platform by exploiting the interval during which Bter refilled its hot wallet from the cold wallet.
August 4, 2016: the Hong Kong bitcoin exchange Bitfinex was hacked and 119,756 BTC were stolen, with a total value of approximately $75 million.
April 22, 2017: the South Korean bitcoin exchange Yapizon lost 3,831 bitcoins worth $5.3 million.
December 2017: the South Korean bitcoin exchange Youbit was hacked and lost about 17% of its assets. It later filed for bankruptcy.
December 21, 2017: the Ukrainian bitcoin exchange Liqui lost 60,000 bitcoins, and the unit price of bitcoin plummeted by $2,000.
January 26, 2018: the Japanese trading platform Coincheck lost 3.4 billion RMB worth of NEM.
March 7, 2018: the Binance exchange was robbed, and the holdings in some accounts were sold off across the board.
The following suggestions are offered to investors to reduce the probability of being defrauded:
Improve your awareness of fraud prevention: do not transfer money to strangers or unknown addresses, and do not risk great losses for small gains.
Choose the most secure wallet to manage your digital assets.
SafeWallet is a trustworthy wallet with high security:
1) When the wallet is opened, it runs a security scan to detect viruses in time and avoid asset loss.
2) SafeWallet provides a blacklist address database and, during a funds transfer, checks whether the target address is authenticated and prompts the user.
3) The wallet provides a complete defense system against potential attacks.
About us
Telegram: https://t.me/safewalletgroup
Official Website: https://www.cmcmbc.com
Twitter: https://twitter.com/safewallethelp
Youtube: https://www.youtube.com/channel/UCGgAmQhnx6ijeqnDaPKL3Rw