AvengerDAO July 24th Weekly Report

Disclaimer: The information provided through the BNB Chain community does not constitute advice, investment, or trading recommendations. Projects are listed in no particular order below. BNB Chain does not take responsibility for any of your investment decisions. Please seek professional advice before taking financial risks.

AvengerDAO is a community-driven initiative created to protect the users and projects on BNB Chain from malicious actors and activity. AvengerDAO publishes a list of risk projects and addresses on DappBay Red Alarm every Friday.

By actively identifying and flagging such items through DappBay’s Red Alarm, AvengerDAO helps users recognise high-risk BNB Chain dApps, together with the level of risk, a description of the risk, and other important risk details, so that Web3 users can navigate BNB Chain dApps more safely.

Security Incidents

HashDit is an industry-leading blockchain security company focused on building a safe ecosystem for protocol users and smart contract developers on BNB Chain. HashDit is a member of AvengerDAO. HashDit’s analysis shows that 3 security incidents happened in the week of July 14th, all of which were hacks.

Protocol Name | Attack Vector        | Loss
Multichain    | MPC Compromised      | $1.7 Million
WGPT          | Reserve Manipulation | $82,500
LUSD          | Reserve Manipulation | $9,500

The total loss is $1,792,000. The weekly loss trend is rather flat, hovering around $1.5m.

Lessons Learned

For reserve manipulation attacks, the root cause is a bug in the staking contract: it prices assets using the instantaneous (spot) price of a liquidity pool, which can be moved within a single transaction.
It could look something like this in the vulnerable code:

Using DappBay’s Risk Scanner https://dappbay.bnbchain.org/risk-scanner, one can check if there are such risks.
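To make the root cause concrete, the following is an added illustration written for this report and not code from HashDit, AvengerDAO, or any of the protocols named above. It assumes a UniswapV2/PancakeSwap-style pair (the getReserves and price0CumulativeLast functions exist on real V2 pairs); the contract names SpotPriceStaking and TwapStaking, the 1% reward rule, the 30-minute window, and the omission of the actual token transfer are all hypothetical simplifications. The first contract shows the vulnerable pattern (rewards valued at the pool’s spot reserve ratio), the second the same logic valued with a time-weighted average price (TWAP) built from the pair’s cumulative price counters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal subset of the UniswapV2 / PancakeSwap pair interface (real V2 functions).
interface IPair {
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
    function price0CumulativeLast() external view returns (uint256);
}

// VULNERABLE (hypothetical): the stake in token0 is valued at the pool's
// instantaneous reserve ratio. A large swap in the same transaction (for
// example funded by a flash loan) skews reserve1/reserve0 and therefore the
// reward computed here, which is exactly the reserve-manipulation root cause.
contract SpotPriceStaking {
    IPair public immutable pair;
    mapping(address => uint256) public staked;

    constructor(IPair _pair) { pair = _pair; }

    // ERC-20 transfer deliberately omitted; only the pricing logic matters here.
    function stake(uint256 amount) external { staked[msg.sender] += amount; }

    // Hypothetical reward rule: 1% of the staked value, denominated in token1.
    function pendingReward(address user) public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        uint256 spotValue = (staked[user] * r1) / r0; // spot price: manipulable
        return spotValue / 100;
    }
}

// HARDENED (hypothetical): the same reward rule valued with a TWAP. The pair's
// price0CumulativeLast grows by price * seconds, so the difference between two
// snapshots divided by elapsed time is the average price over that window.
// Holding the price skewed for the whole window costs far more than a
// single-transaction manipulation, which is the mitigation this demonstrates.
contract TwapStaking {
    IPair public immutable pair;
    uint32 public constant MIN_WINDOW = 30 minutes; // illustrative value
    mapping(address => uint256) public staked;

    uint256 private lastCumulative;
    uint32  private lastTimestamp;
    uint224 private twapPrice0; // token1 per token0, UQ112x112 fixed point

    constructor(IPair _pair) {
        pair = _pair;
        lastCumulative = _pair.price0CumulativeLast();
        (, , lastTimestamp) = _pair.getReserves();
    }

    function stake(uint256 amount) external { staked[msg.sender] += amount; }

    // Anyone may refresh the TWAP once at least MIN_WINDOW has elapsed.
    // price0CumulativeLast is the cumulative value as of the pair's
    // blockTimestampLast, so the two are read together to stay consistent.
    function updateTwap() external {
        (, , uint32 pairTs) = pair.getReserves();
        uint32 elapsed;
        unchecked { elapsed = pairTs - lastTimestamp; } // uint32 wrap is intended in V2
        require(elapsed >= MIN_WINDOW, "window too short");
        uint256 cumulative = pair.price0CumulativeLast();
        unchecked {
            // cumulative counters overflow by design; the difference is still correct
            twapPrice0 = uint224((cumulative - lastCumulative) / elapsed);
        }
        lastCumulative = cumulative;
        lastTimestamp = pairTs;
    }

    function pendingReward(address user) public view returns (uint256) {
        require(twapPrice0 != 0, "twap not initialised");
        // Fixed-point multiply; realistic stake sizes and prices fit in uint256.
        uint256 twapValue = (staked[user] * twapPrice0) >> 112;
        return twapValue / 100;
    }
}
```

The essential difference is the source of the price: SpotPriceStaking trusts whatever the reserves say at the moment of the call, while TwapStaking only accepts a price averaged over at least MIN_WINDOW. A TWAP is one of several manipulation-resistant price sources; an external oracle with its own liveness and deviation checks is another, and either is what a scanner such as DappBay’s Risk Scanner is looking for in place of a raw reserve ratio.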

Red Alarm Weekly Highlights

AvengerDAO publishes a list of risk projects and addresses on DappBay Red Alarm every Friday. Please contact here if you have questions or feedback for the risk highlights below.

Newly Detected High-Risk dApp Projects

  • Ponzi or potential Ponzi dApps
    Ponzi schemes lure investors with the false promise of extremely high returns.
    Spotted this week: AIMINER, BNBDaily, EverGreen
  • Phishing dApps
    Phishing usually forges legitimate web pages to trick you into entering your private keys or authorizing transactions you don’t understand.
    Spotted this week: BTCASH
  • Honeypot dApps
    A honeypot is a way of trapping someone’s crypto. A scammer creates a new coin and, through the code, enables only their own wallet to withdraw funds. A user only realizes that it is a honeypot when they try to withdraw their funds and cannot.
    Spotted this week: none listed
  • Backdoor methods or potential backdoors
    A backdoor in crypto is like a weak spot in a castle’s defenses. Backdoors are built purposefully into the smart contract with the intention of bypassing security.
    Spotted this week: Fintoch
  • High fees
    High token fees are fees incurred when buying, selling, staking, or withdrawing tokens from a dApp. High fees in both directions mean users bear the cost of every transaction.
    Spotted this week: none listed
  • Lack of documentation and whitepapers
    A lack of documentation and whitepapers most likely indicates a risky dApp.
    Spotted this week: none listed
  • Unverified contracts
    Unverified contracts make it difficult for users to read the source code, analyze the logic, or conduct due diligence. However, not all dApps with unverified contracts are causes for concern, as dApps can work on verifying their smart contracts.
    Spotted this week: Stargate, Landshare
  • Websites do not work or do not work properly
    If websites, dApps, or platforms do not work, or do not work as intended, then a certain level of risk is associated with using them.
    Spotted this week: none listed
  • Anonymous teams
    Anonymous teams and developers do not always mean that a dApp is risky. Satoshi Nakamoto, the creator of Bitcoin, was an anonymous developer. However, many risky dApps share the common theme of anonymous teams or people.
    Spotted this week: none listed
  • Impostor dApps
    A scammer creates a fake dApp with an identical name, logo, description, etc. However, the contracts of the fake dApp differ from the original. Unsuspecting users mistake the fake token for the original when interacting with it.
    Spotted this week: none listed

Newly Detected High-Risk Address

AvengerDAO members offer APIs to check the security of a contract before interacting with it, or to get relevant information, such as the potential risks of a specific address, in order to perform due diligence. The AvengerDAO API gives a comprehensive evaluation of each address. We advise you to check with these APIs regularly when receiving an airdrop of a certain token, or before interacting with contracts you want to invest in. https://dappbay.bnbchain.org/risk-scanner is integrated with these APIs. Please try it!

The latest high-risk addresses detected by the weekly scan:

No. | BSCScan Link
1   | https://bscscan.com/address/0x2d1cfbb3468f78f916cca25f050d44b6115392e0
2   | https://bscscan.com/address/0x11a1764c877837921eca6f3f58cdbe9bcd4e9e5e
3   | https://bscscan.com/address/0xa676fe44219b0fffa74696b3f129c547115b5e57
4   | https://bscscan.com/address/0x76f56f4b232d88d7470471a91d1c2e6ce916866e

All the addresses are listed here.

Latest Risk Remediation – Projects with TVL > $1M

AvengerDAO is actively scanning projects with TVL > $1M. This week, 9 projects were identified with potential risks, and 3 of those have been resolved. Most of the issues are due to the lack of a multi-sig wallet setup. We recommend that projects study the Web3 Risk Framework to learn more about best practices.

Stay Safe – DYOR (Do Your Own Research)

AvengerDAO advises you to act cautiously in general, and asks that you take particular care when dealing with the projects we highlight as risky in our weekly update.

AvengerDAO has updated the comprehensive Web3 Risk Frameworks, a collaborative effort to promote the adoption of best practices in Web3 security. This aims to enhance further adoption by setting an industry standard for safe practices and raising awareness of safety and security in the ecosystem. (All information is available at: Web3 Security Frameworks | Avenger DAO)

  • Business Continuity
    Critical elements and best practices for business continuity.
  • Crypto Wallet
    Comprehensive checklist of the critical elements surrounding the secure management of crypto wallets.
  • Decentralized Finance
    Checklist of the critical elements surrounding the secure development of DeFi decentralized applications.
  • Smart Contract
    Checklist of the critical elements surrounding the secure development of Solidity smart contracts.
  • Project Management
    Critical elements surrounding Web3 project management best practices.

All BNB Chain projects should self-check against the recommended best practices and checklists to avoid potential risks.

At the same time, HashDit also emphasizes the importance of “How to identify the rug-pulls?”, and asks all Web3 users to DYOR, keep BUIDLing on the BNB Chain ecosystem and, most importantly, stay SAFU!

About AvengerDAO

AvengerDAO is a community-driven initiative that protects users from possible exploits, scams, and malicious actors on BNB Chain. The founding members of AvengerDAO started this because BNB Chain is the largest public chain today, and the larger the community, the greater the responsibility.

Our goal is to protect users from financial losses and malicious contracts, to deter malicious actors, and to notify BNB Chain’s users. We aim to enhance further adoption by setting an industry standard for safe practices and raising awareness of safety and security in the ecosystem.