In the process of compiling this report, we were fortunate to receive crucial contributions from AvengerDAO key members, Hashdit, CertiK, Ancilia, and Salus Security. Their expertise, insights, and dedication have immensely enriched the content and perspective of this report.
We eagerly anticipate further collaborations in the creation of more insightful reports in the future.
Overview
This report focuses on security events that happened on BSC in 2023, analyzing the type of projects targeted and sharing the common attack techniques used in 2023, with respect to the financial loss of the incidents.
Disclaimer
The financial data provided here is accurate according to our own monitoring system and is based on the USD value of the cryptocurrency involved at the time of each incident. Because cryptocurrency prices fluctuate, the total loss amount may differ from current token valuations.
Furthermore, the financial data might not fully reflect the true “exploited amount” of the incident. This is especially true for scams where the total scammed amount is usually mixed with an initial base amount injected by the scam project party.
Executive Summary
- The total financial value lost on BNB Chain declined by a significant 85% in 2023.
- BSC fell from 1st to 4th rank in total losses across chains, representing just 8% of total losses.
- The AvengerDAO API and RedAlarm on dAppBay, PancakeSwap, and BSCScan helped remind and notify many users of risks in 2023. The Hashdit risk API was integrated by the most popular protocols, such as TrustWallet and PancakeSwap, displaying around 38 million warnings in 2023. In addition, Hashdit sent approximately 3,500 alerts via Red Alarm and about 330 alert tweets in 2023.
- May saw the most loss, with $53,300,806 across 42 incidents.
- Q2 was the most costly quarter, at $69,454,256 from 127 incidents.
- The most financially damaging attack vector belongs to Rugpulls, with $49,356,032 in 165 incidents.
New developments
Rise of Wallet Drainer Scams
Wallet Drainers are a form of fraud that specifically targets users with weak security awareness. These drainers usually operate on a “Scam-as-a-Service” model, where buyers purchase the malicious scripts to run their own scam campaigns. The underlying method is to lure the user onto a phishing website and have them sign a scam transaction with their crypto wallet, resulting in their funds being stolen. This type of scam does not target only one chain, as it follows the money; its attack scope is multichain, with Ethereum the most heavily hit chain. In 2023, AvengerDAO monitored more than a dozen Wallet Drainer groups, with new ones quickly replacing older ones.
Wallet Drainers are distributed in various forms: phishing links spread through phishing emails, advertisements purchased on platforms such as X and Google, and even compromised Discord and X accounts, usually taken over through a SIM swap attack. In terms of on-chain transactions, the phishing signature will usually require the user to approve their funds to a scam address or to transfer their funds to a scam address. Once that is executed, the funds are quickly moved on to the main operator’s wallet.
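The approval-or-transfer signature pattern described above can be caught before the user signs. The following Python check is an added example, not code from this report or from the HashDit extension; the four selectors are the standard ERC-20/ERC-721 ones, while the trusted-router and flagged-drainer addresses are constructed placeholders standing in for a wallet's allow-list and a threat-intelligence feed.

```python
"""Pre-signature check for the two drainer signature types described above.
Constructed example, not HashDit's or AvengerDAO's code: decodes the calldata of
a pending ERC-20/ERC-721 call and flags the risky approval or transfer patterns."""

# First 4 bytes of keccak256(signature) for the standard ERC-20/ERC-721 methods.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "39509351": ("increaseAllowance", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "a9059cbb": ("transfer", ("address", "uint256")),
}
MAX_UINT256 = 2**256 - 1

# Constructed placeholders: a trusted spender (e.g. a DEX router) and a known drainer.
KNOWN_ROUTER = "0x" + "11" * 20
FLAGGED_DRAINER = "0x" + "ab" * 20
KNOWN_SPENDERS = {KNOWN_ROUTER}
FLAGGED_ADDRESSES = {FLAGGED_DRAINER}


def decode(calldata: str):
    """Return (method, args) for a known selector, None for anything else."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    name_types = SELECTORS.get(data[:4].hex())
    if name_types is None:
        return None
    name, types = name_types
    args = []
    for i, typ in enumerate(types):
        word = data[4 + 32 * i: 36 + 32 * i]   # each ABI argument is one 32-byte word
        if len(word) != 32:
            raise ValueError("calldata truncated")
        if typ == "address":
            args.append("0x" + word[12:].hex())   # address is the last 20 bytes
        elif typ == "bool":
            args.append(int.from_bytes(word, "big") != 0)
        else:
            args.append(int.from_bytes(word, "big"))
    return name, tuple(args)


def assess(calldata: str):
    """Apply the drainer heuristics to one transaction; returns (level, reason)."""
    decoded = decode(calldata)
    if decoded is None:
        return "ok", "not an approval or transfer call"
    name, args = decoded
    target = args[0].lower()
    if target in FLAGGED_ADDRESSES:
        return "danger", f"{name} involves flagged address {target}"
    if name in ("approve", "increaseAllowance") and target not in KNOWN_SPENDERS:
        # Drainers ask for an unlimited allowance so one signature drains everything.
        if args[1] >= 2**255:
            return "danger", f"unlimited {name} to unknown spender {target}"
        return "warn", f"{name} of {args[1]} to unknown spender {target}"
    if name == "setApprovalForAll" and args[1] and target not in KNOWN_SPENDERS:
        return "danger", f"setApprovalForAll(true) to unknown operator {target}"
    return "ok", f"{name} to known or unflagged address {target}"


def encode_call(selector: str, *words) -> str:
    """ABI-encode simple address/uint/bool arguments to build sample calldata."""
    out = bytes.fromhex(selector)
    for w in words:
        if isinstance(w, str):                       # address: left-pad to 32 bytes
            out += bytes(12) + bytes.fromhex(w.removeprefix("0x"))
        else:                                        # uint256 or bool as integer
            out += int(w).to_bytes(32, "big")
    return "0x" + out.hex()
```

A wallet or extension would run assess() on the pending transaction's data field and surface the reason string to the user; the warn tier covers finite approvals to addresses it has no intelligence on.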
Supply chain as an attack vector for Crypto
The supply chain attack vector is an emerging threat, where attackers infiltrate a system by exploiting vulnerabilities in a component of a trusted service or piece of software.
Several cases include:
- Curve Finance’s $62M hack was due to a Vyper compiler bug (https://cointelegraph.com/news/curve-finance-pools-exploited-over-24-reentrancy-vulnerability).
- Design patterns and libraries are attack vectors: early in 2023 a vulnerability was found and exploited by hackers that allowed them to attack reflection tokens (https://twitter.com/AnciliaInc/status/1627016602507149314).
- Furthering this trend, at the end of 2023 attackers began exploiting ERC2771 (https://medium.com/@Ancilia/web3camp-3p-token-exploit-analysis-w-openzepplins-arbitrary-address-spoofing-attack-ea96a8b5b00f). When a vulnerability is present in a design pattern or library, a large number of contracts and projects can be exposed to attack at once.
Year-over-Year (YoY)
This section aims to describe the security incidents YoY from 2020 to 2023.
General
In 2023, AvengerDAO monitored $161,176,631 in funds lost on BSC. The amount lost to exploits dropped significantly from 2022 to 2023, breaking the three-year uptrend, with a YoY decrease of 85% in damages, as seen in the figure below.
Figure 1: Total amount stolen funds (in dollars) on BSC over the last 4 years
In total, there were 414 security incidents on BSC, a 44% YoY increase from 2022. Figure 2 shows an increasing trend in security incidents on BSC over the last 4 years.
Figure 2: Number of incidents on BSC over the last 4 years
Type of attack vectors
Analyzing the attack vector trends based on financial losses, both Hacks and Scams dropped significantly from 2022, with Hacks accounting for $73.2m (a 91% decrease) and Scams for $87.9m (a 54% decrease) in 2023.
Figure 3: Financial losses per attack vector over the last 4 years
In terms of incident count, both Hacks and Scams increased from 2022, with 210 Hacks (a 96% increase) and 203 Scams (a 14% increase) in 2023.
Figure 4: Number of incidents per attack vector over the last 4 years
Comparing the percentage increases, it is evident that Hacks are also growing at a concerning rate. This is likely supported by the fact that tracing a hacker’s real identity can be challenging given the elaborate use of money mixers and non-KYC exchanges.
Type of projects
The chart below shows the types of projects that were exploited since 2020.
Figure 5: Security Incidents per type of project over the last 4 years
It is clear that DeFi projects are still the main targets for crypto hackers, with 352 incidents in 2023, a 66% increase from 2022.
Chain comparison
The figure below compares the chains with the highest funds lost to exploits over the last 4 years.
Ethereum (in green) has shown an increasing trend since 2021. At the same time, other chains like Tron (in purple), Fantom (in light blue) and Arbitrum (in yellow) have shown large increases from 2022.
Figure 6: Biggest financial losses across chains over the last 4 years
2023 in focus
General
In total, roughly $161.17 million was lost to 414 security incidents on BSC.
Interestingly, when the top 3 outlier incidents are removed, the total financial loss drops to just $97m, slightly below $100m, a nearly 40% drop from the total loss for 2023.
Figure 7: Amount of stolen funds in dollars excluding the 3 largest incidents
By observing the quarterly and monthly trends below, there are some interesting observations to be made.
Quarter-over-Quarter (QoQ)
1. Q4 saw a significant reduction in fiat losses compared to Q3
Fiat losses dropped by 64%, from $43.7m in Q3 to $15.6m in Q4. This was largely due to fewer hacks, with 86 in Q4 compared to 130 in Q3.
Figure 8: Financial losses across chains over the last 4 quarters in 2023
2. BSC ranks fourth in Q4 fiat losses when compared to other chains
Figure 9: Chain comparison fund losses in Q4
BSC saw 3.7% of the total fiat losses across all chains in Q4. It ranks fifth compared to other chains. Fourth place goes to Bitcoin at 4.5%, third to Arbitrum at 5.3%, second to Tron at 13.6%, and first to Ethereum, at 65% of the total fiat loss across all chains.
Month-over-Month (MoM)
- The average monthly loss is approximately $13.4m, with 10 of the 12 months falling below this average reference line.
Figure 10: Amount of stolen funds in dollars per month in 2023
In the months above that average, the main contributing incidents were (1) the Fintoch Ponzi, (2) the ipp Rugpull, and lastly (3) the Stake platform’s hot wallet compromise.
- Analyzing the trend in the number of security incidents, the chart shows that cases largely peaked from Q2 to early Q4 of 2023, with August being the exception.
Figure 11: Number of projects impacted by security exploits
Interestingly, even though October has the highest number of security incidents at 58, its financial loss stands at only $10m, more than 50% lower than September’s.
With a nearly identical count of 57, September’s financial loss is more than double, at $27m.
Such data reinforces AvengerDAO’s observation that we are seeing more incidents, each with less financial impact.
Rescued by Entities
In the year 2023, various entities came to our aid in an extraordinary display of cooperation and coordination, aiding in the recovery and freezing of stolen funds. Among these entities, renowned organizations such as Tether and several Centralized Exchanges (CEXs) played pivotal roles.
Collectively, these entities assisted in rescuing approximately $55 million. Specific contributions came from Centralized Exchanges (CEXs) and Tether, demonstrating their commitment to safeguarding the digital assets ecosystem.
Diving deeper into the recovery statistics for 2023, our collective efforts, in conjunction with other entities, resulted in the successful recovery or freezing of funds totaling $7.3 million on the BNB Chain alone. This demonstrates the effectiveness and importance of robust and swiftly reactive security measures on the BNB Chain.
Type of attack vectors
Of the 414 security incidents, the attack vectors are split almost equally, with Hacks holding a slight edge at 50.72% and Scams at 49.03%.
Figure 12: Proportion of different type of exploits
On the flip side, the total financial loss from scams ($87m) exceeds that from hacks ($73m), as shown below in Figure 13.
Figure 13: Financial impact measured in dollars comparing different types of incidents
For further analysis of the specific attack vectors, the figure below plots them against the financial loss in 2023.
Figure 14: Proportion of the funds lost comparing the different type of vulnerabilities
35.18% was attributed to Rugpulls, where AvengerDAO observed a change in techniques: scammers are adopting more elaborate measures to obfuscate both their code and the flow of funds. The 2nd largest contributor was Ponzi schemes within smart contracts deployed on BSC, accounting for 22.53%. Ponzis are not a new form of scam; we previously released an article on them, which you can refer to here: Ponzi Schemes in Web3.
The 3rd largest contributor was hot wallet compromises at notable platforms such as CEXs and other entities. Web2 security is just as important as Web3 security, as keys are often not secured properly and do not follow proper security guidelines.
Type of projects
When focusing on project type versus financial loss, unsurprisingly, 60.38% of the financial loss is attributed to Bridge projects. This is because cross-chain bridges generally lock large amounts of crypto assets on one chain to mint collateralized assets on the destination chain. Hackers took notice of this and targeted vulnerabilities within these cross-chain bridge smart contracts.
The 2nd most targeted project type was DeFi projects at 82.06%, followed by Gambling and CEX projects at 11.04% and 3.85% respectively.
Figure 15: Proportion of funds lost comparing the type of project
Statistical Analysis: Are We Learning Our Lessons?
2023’s headline figure of an 85% decline in losses from 2022 on BNB Chain is worth investigating. Is it simply the result of declining asset valuations? To answer this question, we’ll examine the relationship between Total Value Locked (TVL) and losses to hacks, scams, and exploits in Web3.
TVL is one of the most important metrics in DeFi. It’s a measure of the value of assets deposited in decentralized financial protocols, and as such is representative of the demand for DeFi’s offerings.
While many tokens deposited in DeFi protocols are stablecoins, many are not, which means they are subject to market fluctuations. Thus, TVL is influenced by overall market conditions, as well as user demand. This makes it a useful metric for gauging the true active engagement and growth in the DeFi space, beyond just surface-level market capitalization. Unlike crypto’s total market cap, which primarily reflects the valuation of assets, TVL offers insight into how much capital is actually being utilized within the DeFi ecosystem.
In late 2023, DeFi’s TVL (across all chains) stood at about $3.1 billion, down from a peak of $21.8 billion in November 2021, approximately an 85% decline.
Figure 16: Total Value Locked on BSC according to DeFiLlama
The decline in losses to security incidents from 2022 to 2023 mirrors the decline in time-weighted average TVL in 2023 compared to 2022.
Cross-referencing the TVL values taken on the last day of each month from DeFiLlama’s dataset for 2023 against monthly losses, we found a 19% correlation in 2023.
There is a relatively low positive correlation between TVL and monthly losses, with an R² value of 0.19. This suggests that approximately 19% of the variability in monthly losses can be statistically attributed to changes in DeFi’s TVL, which itself is a proxy for both asset valuations and user demand. This correlation, while statistically significant, leaves a significant 81% of the variability unexplained by TVL alone, suggesting that other factors, such as new attack surfaces, also play important roles in driving losses within the ecosystem.
Conclusion
BSC continues to be a strong competitor, outperforming Ethereum in terms of daily active users and transactions. Even though 2023 proved to be a better year in terms of the total funds lost to exploits, it is undeniable that scammers and hackers will continue to change their methods until there are stricter measures to hold them accountable.
At AvengerDAO, we will keep improving by continuing to:
- Implement a comprehensive set of stringent audit guidelines that all Top TVL projects must meet before any significant features are deployed on-chain.
- Collaborate promptly with key AvengerDAO members to conduct in-depth root cause analyses on all major incidents, ensuring similar issues are not present in the Top TVL projects.
- Work closely and share intel within the AvengerDAO members to identify potentially fraudulent projects at an early stage, particularly those projects amassing substantial liquidity.
- Monitor any malicious activities related to hacks and scams vigilantly and transmit alerts via numerous channels such as Twitter and Telegram to rapidly inform the community.
- Continually extend AvengerDAO’s influence in the community by regularly publishing articles and reports on hack and scam techniques, to strengthen users’ security awareness in the crypto space.
Appendix
AvengerDAO
AvengerDAO is a community initiative to unite all ecosystem partners to protect our BNB chain users.
As part of our mission to secure the BNB Chain, AvengerDAO offers a range of instruments intended to assist projects and investors in adopting a holistic strategy towards security.
HashDit
- Chrome extension: The HashDit Extension is designed to serve as an extra layer of protection when interacting with websites that involve digital assets. It works by sitting in between websites and extension-based wallets like TrustWallet and MetaMask, analyzing transactions, identifying risk factors, and alerting you to potential threats. This approach employs a multi-layered defense mechanism to safeguard your online interactions.
- Risk assessment: All-in-one collection of a security rating framework, auto-scan tools, and corresponding APIs, which deliver accurate detection of potential scam/exploit risks based on a smart contract address. This is integrated with platforms like Trust Wallet and PancakeSwap to leverage their reach and protect more users. It is able to detect multiple risks, such as Tornado Cash interaction, risky functions in ERC20 or ERC721 tokens (such as Migrate() or Blacklist()), honeypots, phishing behaviors and other types of scams. This helps users better understand whether a smart contract could be a scam.
Additionally, our API covers accurate and timely detection of scam/exploit risks based on a domain URL as well. This ensures that users visiting a specific domain are warned if there are any signs of a scam.
- Monitoring: Detecting sensitive events / transactions that happen on-chain to quickly respond and minimize any additional financial losses. This information is shared on multiple channels such as Twitter or Telegram.
- Education: Our goal is to share our security knowledge for builders, investors and users in the Web3 community. With all the players in the industry equipped with the security knowledge needed and adopting a security-first mindset, only then will the Web3 ecosystem be a safer place for everyone.
- Audit service: Comprehensive code audits following extensive and detailed best practices for smart contracts and discovering code loopholes / security vulnerabilities before they are deployed on-chain, guaranteeing users’ safety on BSC.
2023 highlights:
- Integrated our Security API with Trust Wallet, protecting Trust Wallet users from risks.
- Integrated our Threat Intelligence API with PancakeSwap, protecting PancakeSwap users from risks.
- In late 2023, we launched our Chrome Extension, growing our user base quickly.
- Released multiple blogs for user education, such as Ponzi risks, hot wallet compromises, and Gas Mint Scams, amassing 147,000 views on our HashDit blog site.
- Led the effort towards tackling and eliminating on-chain scams, leading to a significant 75% scam loss reduction on BSC in Q3 2023.
Certik
As part of our mission to secure the Web3 world, CertiK provides a number of tools designed to help projects and investors take an end-to-end approach to security.
- CertiK KYC: Provides comprehensive and private identity verification for project teams. This process includes an ID authenticity inspection using AI-based detection systems, as well as liveness checks to ensure the individual is indeed real and matches the ID. CertiK will also undertake a live video call with each team member to verify their identity and other parameters as needed.
- Penetration Testing: Final component of a comprehensive approach to securing crypto applications in a runtime environment. Our penetration testing services uncover even the smallest weaknesses by leveraging proprietary tooling, powered by an experienced team of ethical hackers.
- CertiK Bug Bounty Program: crowdsources intelligence from the world’s top ethical hackers to uncover vulnerabilities before malicious actors can exploit them. CertiK’s expert security engineers screen and qualify submissions and work with clients to implement the right fixes. Our 0% fee model reduces the payout pressure for projects and allows white hat hackers to receive the full bounty.
- SkyTrace: Tracing tool to help analyze and visualize transaction data across Ethereum and BSC wallets. This tool provides actionable insights into identifying and tracing suspicious flows to and from one’s own personal wallet or a project’s team wallet.
- CertiK Security Score Leaderboard: Lists and ranks projects according to their Security Score. The Security Score is generated using a proprietary algorithm that takes into account a project’s Code Security, Fundamental Health, Operational Resilience, Community Trust, Market Stability, and Governance Strength.
- Skynet Alerts: Provides timely notifications on rugpulls and exploits in the cryptocurrency space. Skynet Alerts constantly monitors various sources of information to identify and report on potential rugpulls and exploits as they happen.
- Smart Money Wizard: Access point for the Wallet Analyzer feature, and enables users to directly search for wallet addresses, view trending wallet searches, top smart money wallets, and top liquidity pairs. The Wallet Analyzer feature provides insights on wallet addresses and makes it easy to decipher on-chain transactions between wallets by displaying key wallet characteristics, visualizing wallet relationships and token trading activity.
2023 highlights:
- Discovered and safely disclosed a bug in Wormhole’s Aptos contracts
- Were recognized in Apple’s security updates for identifying vulnerabilities in iOS and iPadOS software (twice). We have a total of eight published CVEs, with more on the way.
- Were awarded a $500K bounty by Sui for the discovery of a critical vulnerability, codenamed “HamsterWheel”, that had the potential to disrupt the entire Sui Layer one chain
- Were proud to see our co-founder, Professor Ronghui Gu, honored with the VMware Systems Research Award
- Became the first Web3 auditing firm to achieve SOC II Type I and II Compliance
- Verified The Open Network’s (TON) transaction per second record
- Released SkyInsights, a crypto compliance and risk monitoring platform
Ancilia
Ancilia is a pioneering Web3 cybersecurity company that provides automated and real-time threat detection and prevention software-as-a-service (SaaS) products through a combination of on-chain + off-chain information.
The company’s mission is to provide the most effective and easily adoptable Web3 security solutions. Ancilia has been a trusted security partner of Binance since 2022, providing Threat Monitoring and Alerting for a large number of Web3 projects deployed on BSC. It offers a Web3 threat intelligence API for Web3 businesses that protects against hacks, phishing, scams, money laundering, and other malicious and/or risky activities.
Highlights:
- Early warning for the Curve Finance exploit
- Early warning for the ParaSpace exploit
- Ancilia joined Franklin Templeton Incubator Program
- Ancilia and Uniwhale Strategic Partnership
Salus Security
Protect | Discover | Redefine.
Salus, a Binance Labs portfolio company, tackles the most complex security challenges through fundamental scientific research and pushing the boundaries of Web3 security.
Highlights:
- Smart Contract Expert Audit: Our audits, with a record of zero REKT, offer the industry’s most extensive scope, blending comprehensive mathematical and business logic analysis.
- ZK Innovation: As initiator and advocate of ZK application layer solutions on EVM, we’re at the forefront of the “DApp+ZK” era, driving innovation in Web3.
- Our team’s Zero-Knowledge research emerged as 2023’s most-viewed article on ethresear.ch, highlighting our multidisciplinary expertise.
- Found a new type of ZK vulnerability, reviewed by the PSE Security team.
- Competition: finished in the top 10 out of over 1000 teams at the 2023 Paradigm CTF and were invited as authors for the 2024 Paradigm CTF.
- Academic Recognition: Our research on deep learning and vulnerability detection was published in Scientific Reports, a prestigious scientific journal from Nature.
2023 Top 10 incidents on BSC
https://hashdit.github.io/hashdit/blog/2023-Top10-Incidents