On-chain Security Discussion

According to data from SlowMist, the financial losses caused by hacking incidents in the crypto world in 2022 exceeded $3.5 billion US dollars, A total of 275 hacking incidents have occurred this year.

Due to that, MDEX will hold a special on-chian security knowledge discussion (part 1) in order to raise the awareness of crypo assets among the users.

1. What are Mnemonic Phrase / Private Key, and how to keep them safe?

According to the announcement issued by DAO Maker, at around 1:00 UTC on August 12, hackers maliciously used a wallet of DAO Maker and gained administrative access to start the testing of the vulnerability and initially successfully stealing 10,000 USDC, After that, the attacker quietly made 15 more transactions. In this way, hackers stole approximately $7 million before security teams were able to trace, contain, and stop the outflow of funds. As a result, a total of 5,251 users were affected, costing an average of $1,250 per user.

In another incident on Levyathan, the encryption index protocol on the BSC chain reports that a hacker minted 100,000,000,000,000,000,000,000 LEV tokens, causing the price of LEV to fall to zero, and lost about $1.5 million. The official attributed the cause of the accident to the leakage of the developer’s private key, and such incidents never ends.

So today, we will teach everyone how to keep mnemonic phases and private keys in a safer place. The private key is composed of 64 hexadecimal characters. The generation method of the private key is completely random. This number has exceeded the number of atoms in the universe, so it is impossible to use the “brute force cracking” method on the private keys one by one, so as long as we do not share the private key, it is basically very safe.

The mnemonic is another manifestation of the private key of the wallet account. The purpose is to simplify the complex private key and help users remember it a easier way. A wallet has only one corresponding mnemonic. The mnemonic and the private key of the wallet address are interoperable and convertible. It is just a simple form of the private key of the blockchain digital wallet. Due to its clear text nature, it is not recommended to save it electronically, but to write it down on a physical medium.

Once the mnemonic phrase and private key are lost, the assets will never be able to be retrieved, so be sure to make a good backup of the two. The safest method for mnemonic words and private keys is to save them by handwriting (offline), and it is better not to save them online.

Do not save mnemonic words or private keys in WeChat, memos, or mailboxes.

Do not save mnemonic words or private keys in computer folders, netdisks, or flash drives.

Do not take screenshots or photos to save mnemonic phrases or private keys.

Do not use email, WeChat, or QQ to send mnemonic words or private keys.

Do not share your mnemonic phrase or private key with others.

Do not use an Apple ID provided by others.

Do not import seed phrases or private keys to unknown third-party websites.

Do not copy and paste your wallet mnemonic or private key.

2. How do hackers steal funds from your wallet?

Common scams that hackers will use include the following:

Pretending to be a customer service agent to get your private key
The attackers disguise themselves as customer service agents in the community, and try to solve problems users encounter. During this process, they will ask users for their private key to steal the funds eventually.

-Scan malicious QR codes to steal

The attacker sends the user the pre-prepared malicious QR code and encourages the user to scan the QR code in order to test the transfer for a small amount. During this time, authorization is required (in fact, this is the authorization of your USDT);

-Online or Cloud account stolen

Most people save mnemonic phrases or private keys by taking screenshots, pictures, or copying and pasting it to save in the Cloud. However, transmitting or storing it through email, QQ, WeChat, netdisk, memos, etc. will give attackers a chance to steal them.

-The hot wallet server was attacked

Many blockchain applications use hot wallets to store a large number of digital assets. However, issues such as a lack of security reinforcement, a lack of security awareness, failed maintenance, and so on have resulted in the hot wallet server being hacked, resulting in the theft of digital assets, and the hot wallet server has even been used as a springboard for other wallet attacks.

-The private key was stolen by someone around you

There is an old saying: “You can’t defend a thief that is living in your house.” It means you should never share your private key/mnemonic with anyone around you.

-Phishing or clickbait

The attacker clones a well-known project that is hard to distinguish; once users enter its mnemonic phrases or private keys, the assets will get stolen.

- Malicious application

Hackers will add applications to the Google Play Store, once users download them through a phishing link, that might be the start of your information being stolen.

-Attacks through public Wi-Fi

In public areas with heavy traffic, such as train stations, airports, hotels, etc., the Wi-Fi network is unsafe. Some are even malicious, created by hackers, connecting this type of Wi-Fi might leave your information or private key/mnemonic phrase in jeopardy when transmitting with it.

3. What is “DApp over-authorization”? How to deal with the problem of DApp over-authorization?

On January 18, 2022, Multichain stated that an important vulnerability was found affecting six tokens: WETH, PERI, OMT, WBNB, MATIC, and AVAX. Although the vulnerability has been fixed, users still need to revoke the authorization as soon as possible, otherwise, the assets may still be exposed to risk. A month later, Multichain officially released an investigation report on the vulnerability. A total of 7,962 user addresses were affected, 4,861 addresses have been revoked, and the remaining 3,101 addresses have not been revoked. A total of 1889.6612 WETH and 833.4191 AVAX were stolen. The value is approximately 6.04 million US dollars, according to the price of Weth and Avax on January 18.

The reason for this incident is that Multichain had a problem checking the legitimacy of the Token passed in by the user. It failed to account for all underlving tokens have implemented the permit function, resulting in the WETH of users who had previously authorized WETH to the AnyswapV4Router contract. Transfer to an address maliciously constructed by the attacker.

When users interact with DApps that involve digital assets, they need to authorize first. To avoid repeative authorization, DApp developers typically set the tokens’ authorization in smart contracts to maximum by default. However, if the smart contract or the contract administrator fails, the user’s assets are vulnerable. Therefore, we should reserve assets in special asset accounts and trading accounts, where, asset accounts are only for token transfer and asset storage, and it is best to isolate them from dapps on the chain without interaction or transactions, and transaction accounts are generally used for interactive operations such as swaps, stakes, and signatures on the chain. For interactive actions involving signatures, you must be extra careful when interacting with any Dapps to avoid being deceived.

Suggestion 1: hange to a wallet once authorization on a DAPP is done.

Suggestion 2: Clear [DAPP Authorization] in time

4. Token can have the same name, how to avoid buying fake tokens?

Because there are no issuance thresholds for ERC20 tokens, anyone can create them by deploying smart contracts, resulting in a large number of counterfeit coins that are difficult to distinguish from the legitimate.

(1) Check the unique token contract address on the project’s official website or ask the community administrator for it.

(2) Check the project’s official social media accounts to see if tokens have been issued.

(3) Don’t be greedy. Counterfeit projects often scam users with gimmicks such as incentives, OTC transactions, low-cost exchanges, and decentralized exchange transactions;

(4) Counterfeit tokens often have the same or similar names as the legitimate project, but with a small number of token holders, a low transaction volume, and a high degree of concentration of tokens, which are very easy to identify;

5.How to recognize and avoid phishing messages and emails, as well as how to avoid fake DAPPs

It is reported that hackers have been impersonating the BTC ERA trading platform and sending phishing emails to entice users to invest. To give an example of the Bitcoin wallet Electrum, when the user has an old version that connects to the attacker’s node, that gives a chance for the attacker to send a malicious or clickbait link, and once the user downloads it, the hacker can easily get the user’s private key. So, when searching for Dapps on Google, make sure to double-check the legitimacy of the official website.

(1) Check the sender address and confirm it with the community administrator or the official website.

(2) Be extra aware of the clickbait.

6. How to prevent airdropped tokens from unknown sources?

The decentralized cross-chain transaction protocol THORChain (RUNE) stated that hackers airdropped UniH tokens with malicious contracts to at least 76,000 Ethereum addresses as bait to steal RUNE tokens from user wallets. When users sell the fake UniH tokens (or even just approve the transaction) on a DEX such as Uniswap, hackers will steal all the RUNE tokens they have in their wallets. This is because the RUNE token uses a non-standard token contract called “tx.origin.” According to Thorchain’s RUNE token contract code, “beware of phishing contracts that may steal tokens by intercepting TX currency.” It knew this type of attack could happen, and in just a few hours, the hackers had stolen $76,000 worth of tokens.

When receiving an unknown airdrop, please double-check the project’s legibility. Do not authorize access to any unknown website to avoid any possible risks.

Here are a few ways to avoid airdrop scams:

1, Do not consider the airdrops that require a donation. If the project looks promising and only requires a small amount of gas, research about it and make your decision.

2, Do not share your information on unreliable platforms.

3, A platform that requires you to import wallets needs to be extra cautious. In a decentralized world, the private key is the only owner of the wallet. If the private key is accidentally leaked, there is no way to retrieve your funds.

4.Create a special wallet for airdrops! Even if it gets stolen, you don’t feel bad.

7. How to avoid the rug pull project?

1.According to the report from SlowMist Technology, StableMagnet has perpetrated a rugpull on their users in an initial attack valued upwards of $22 million; while Africrypt scammed for $2,300,000,000. The only way to protect your fund is to stay away from the rug pull project as much as possible.

2. Do not rely on the project’s slogan to validate it.

3. For the promotional content related to the project, double check.

4. Make good use of the official website and blockchain browsers.

5. Avoid sharing your private key and allowing too many wallet authorizations.

6. Do not click on unknown links, update your APP through legit channels.

7.Be wary of self-proclaimed platform customer service or other fraudulent buy-high transaction.

Finally, I would like to thank Slowmist for providing the above content. For more details, please refer to https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md

If you master these, you can master the security of your crypto assets.