In the previous article, we mainly reviewed the activity of the North Korean hacker organization Lazarus Group, major phishing groups, and some money laundering tools in 2023. This article focuses on the top ten attacks in 2023.

Top 10 Attacks

(Top 10 security attacks by loss in 2023)

Mixin

On September 23, 2023, the database of Mixin Network's cloud service provider was attacked, resulting in the loss of some mainnet assets, involving approximately US$200 million in funds. It was the most costly attack in 2023. Mixin subsequently tweeted that it had contacted Google and the SlowMist security team to assist in the investigation. Officials said they would pay up to 50% of losses, with the remainder paid in bond tokens to be bought back with profits.

(https://twitter.com/SlowMist_Team/status/1706133260869468503)

(https://twitter.com/MixinKernel/status/1706139175018529139)

Euler Finance

On March 13, 2023, the DeFi lending protocol Euler Finance was attacked, and the attacker made approximately $197 million in profit. According to the analysis of the SlowMist security team, the attacker deposited flash loan funds, took out two stacked leveraged loans, donated funds directly to the reserve address to trigger the liquidation logic, and finally used soft liquidation to arbitrage out the remaining funds. There were two main causes. First, after funds are donated to the reserve address, the protocol does not check whether the donor is in a liquidation state, so the donation can directly trigger the soft liquidation mechanism. Second, when high leverage triggers the soft liquidation logic, the yield value increases, so the liquidator only needs to transfer part of the liabilities to itself to obtain most of the liquidated party's collateral. Because the value of that collateral is greater than the value of the liabilities (only part of the liabilities is transferred under soft liquidation), the liquidator passes its own health factor check and can withdraw the funds obtained. On April 4, Euler Labs tweeted that after successful negotiations, the attacker had returned all funds stolen from the protocol on March 13.
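A simplified model of the two causes described above, as an added example that is not part of the original report and not Euler's contract code. The account model, the 20% discount cap and all balances are constructed assumptions, and the "yield value" is modelled as a liquidation discount that grows as health falls.

```python
# Constructed, simplified model for illustration; not Euler's contract code.
BPS = 10_000            # basis points; integer math avoids float rounding
MAX_DISCOUNT = 2_000    # assumed 20% cap on the soft-liquidation discount
class Revert(Exception):
    """Stands in for a reverted transaction."""

class Account:
    def __init__(self, collateral: int, debt: int):
        self.collateral, self.debt = collateral, debt  # underlying units
    def health(self) -> int:
        """Collateral / debt in basis points; BPS or more means solvent."""
        return self.collateral * BPS // self.debt if self.debt else 10**9

def donate_unchecked(acct: Account, amount: int) -> None:
    """First cause: collateral goes to reserves with no health check."""
    if amount > acct.collateral:
        raise Revert("insufficient balance")
    acct.collateral -= amount

def donate_checked(acct: Account, amount: int) -> None:
    """Hardened form: treat a donation like a withdrawal, re-check health."""
    donate_unchecked(acct, amount)
    if acct.health() < BPS:
        acct.collateral += amount  # undo the state change, as a revert would
        raise Revert("donation would make the account liquidatable")

def discount(acct: Account) -> int:
    """Second cause: the discount grows as health falls, up to the cap."""
    return min(max(BPS - acct.health(), 0), MAX_DISCOUNT)

def soft_liquidate(violator: Account, liquidator: Account, repay: int) -> int:
    """Move `repay` of debt to the liquidator; return the liquidator's net gain."""
    d = discount(violator)
    if d == 0 or repay > violator.debt:
        raise Revert("nothing to liquidate")
    seized = min(repay * BPS // (BPS - d), violator.collateral)
    violator.debt, violator.collateral = violator.debt - repay, violator.collateral - seized
    liquidator.debt, liquidator.collateral = liquidator.debt + repay, liquidator.collateral + seized
    if liquidator.health() < BPS:
        raise Revert("liquidator fails its own health check")
    return seized - repay

def demo():
    """Constructed numbers: returns (health after donation, gain, bad debt)."""
    borrower, liquidator = Account(410, 390), Account(0, 0)
    donate_unchecked(borrower, 100)
    health = borrower.health()
    gain = soft_liquidate(borrower, liquidator, 248)
    return health, gain, borrower.debt - borrower.collateral
```

With the checked donation, the same 100-unit donation reverts and the position never becomes liquidatable, so the discounted liquidation path is not reachable this way.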

On January 10, 2024, Michael Bentley, CEO of Euler Labs, published a blog post titled "War and Peace", which described the background, handling and other details of the attack. (https://medium.com/eulerfinance/war-peace-ab2670711175)

(https://twitter.com/euler_mab/status/1745079435332550836)

Poloniex

On November 10, 2023, the Poloniex exchange was hacked, causing losses of approximately $130 million. According to the analysis of the SlowMist security team, judging from the attacker’s rapid and professional approach, this is speculated to be a typical APT attack, and the attacker may be the North Korean hacker organization Lazarus Group. Justin Sun said: "The Poloniex team has successfully identified and frozen some assets related to the hacker address. Currently, the losses are within control. Poloniex's operating income can make up for these losses and the affected funds will be repaid in full."

(https://twitter.com/SlowMist_Team/status/1723006264693657708)

BonqDAO & AllianceBlock

On February 2, 2023, the non-custodial lending platform BonqDAO and the crypto infrastructure platform AllianceBlock were hacked due to a vulnerability in BonqDAO’s smart contract, resulting in a loss of approximately $120 million. In the attack, hackers removed approximately 114 million WALBT ($11 million), AllianceBlock’s wrapped native token, and 98 million BEUR tokens ($108 million) from a BonqDAO vault. According to the analysis of the SlowMist security team, the root cause of this attack is that the cost of the collateral required to submit an oracle quotation is much lower than the profit obtained by the attack, so the attacker could manipulate the market and liquidate other users by maliciously submitting wrong prices. In addition, AllianceBlock stated that the incident had nothing to do with the BonqDAO vault, no smart contracts were compromised, and both teams are working to remove liquidity to keep the hackers from converting stolen tokens into other assets. Details can be found in AllianceBlock’s statement in response to the BonqDAO hack.

(https://medium.com/allianceblock/allianceblock-issues-statement-in-response-to-bonqdao-hack-6510a61fcf5c)

HTX & Heco Bridge

On November 22, 2023, HTX (formerly Huobi) and its related Heco cross-chain bridge were hacked, with total losses of $113.3 million. Justin Sun responded to the attack on Twitter: "HTX and the Heco cross-chain bridge suffered a hacker attack. HTX will fully compensate for the loss of the HTX hot wallet. Deposits and withdrawals are suspended. The community can rest assured that all HTX funds are safe. We are investigating the specific cause of the hacker attack. Once we complete our investigation and identify the cause, we will restore service."

(https://twitter.com/justinsuntron/status/1727304656622326180)

Atomic Wallet

On June 3, 2023, several Atomic Wallet users posted on social media that their wallet assets had been stolen. Atomic says less than 1% of its monthly active users are currently affected/reported. According to the analysis of the SlowMist security team, Atomic Wallet took its Cloudflare download site and sha256sum verification site offline. It is speculated that there may be a security issue in the process of downloading historical versions. Losses are expected to be at least $100 million.

Orbit Chain

On December 31, 2023, the cross-chain bridge protocol Orbit Chain was hacked, resulting in a loss of US$81.6 million. Orbit Chain tweeted that the team had asked major global cryptocurrency trading platforms to freeze the stolen assets. On January 11, 2024, Orbit Chain posted an update on Twitter that it would offer a bounty of up to $8 million to anyone providing decisive intelligence.

(https://twitter.com/Orbit_Chain/status/1745331289098711041)

Curve Finance

On July 30, 2023, Curve Finance tweeted that many stablecoin pools (alETH/msETH/pETH) using Vyper 0.2.15 were attacked due to a reentrancy lock failure. The crvUSD contract and other pools were not affected. So far, the Curve Finance stablecoin pool hack has caused a cumulative loss of $73.5 million to Alchemix, JPEG'd, MetronomeDAO, deBridge, Ellipsis and CRV/ETH pools. On August 6, Alchemix tweeted that the Curve Finance hacker had returned all of Alchemix’s funds in the Curve pool. On August 19, MetronomeDAO stated that an MEV bot named "c0ffeebabe" had recovered most of the stolen funds and returned them to Metronome.

CoinEx

On September 12, 2023, the cryptocurrency exchange CoinEx suffered a hacker attack. The cause of the incident was initially determined to be the leakage of hot wallet private keys. The damage is estimated to have reached US$70 million, affecting multiple blockchains. CoinEx tweeted that it had identified and quarantined suspicious wallet addresses related to the hack and that deposit and withdrawal services had been suspended. On September 13, the SlowMist security team discovered during its analysis that the CoinEx hackers were related to the Stake.com hackers and the Alphapo hackers. The CoinEx hackers may be the North Korean hacker organization Lazarus Group.

(https://twitter.com/SlowMist_Team/status/1701919426009035190)

Alphapo

On July 23, 2023, the hot wallet of the cryptocurrency payment service provider Alphapo was compromised, resulting in a loss of approximately $60 million, including assets on Ethereum, TRON, and BTC. The stolen funds were first exchanged for ETH on Ethereum and then bridged to the Avalanche and BTC networks. Alphapo handles payments for many gambling services, such as HypeDrop, Bovada, and Ignition. The hack was most likely carried out by the Lazarus Group.

Summary

The top ten attacks in 2023 resulted in a total loss of approximately US$1.145 billion. Of this, all funds stolen from Euler Finance were successfully recovered, and part of the funds stolen in the Curve Finance and related incidents were recovered. The SlowMist security team recommends that project teams conduct comprehensive audits to promptly discover and repair potential security vulnerabilities; establish a sound emergency plan to respond quickly and effectively when attacked; and, after a security incident occurs, proactively disclose it, assume responsibility, and take practical remedial measures to control the scope and degree of impact.

Download the full report:

https://www.slowmist.com/report/2023-Blockchain-Security-and-AML-Annual-Report(CN).pdf