This article focuses on the top ten attacks in 2023.
Top Ten Attacks
(2023 Top 10 security attack incidents)
Mixin
On September 23, 2023, the database of Mixin Network's cloud service provider was attacked, resulting in the loss of some mainnet assets worth approximately US$200 million. It was the most costly attack in 2023. Mixin subsequently tweeted that it had contacted Google and the SlowMist security team to assist in the investigation. Officials said they would pay up to 50% of losses, with the remainder paid in bond tokens, which would be bought back with profits.
(https://twitter.com/SlowMist_Team/status/1706133260869468503)
(https://twitter.com/MixinKernel/status/1706139175018529139)
Euler Finance
On March 13, 2023, the DeFi lending protocol Euler Finance was attacked, and the attacker made a profit of approximately US$197 million. According to the analysis of the SlowMist security team, the attacker mainly used flash-loaned funds to make a deposit, stacked two leveraged borrows, then donated funds directly to the reserve address to trigger the liquidation logic, and finally used soft liquidation to extract any remaining funds. There were two main reasons for the attack. First, after funds are donated to the reserve address, the protocol does not check whether the account is in a liquidatable state, so the soft liquidation mechanism can be triggered directly. Second, when high leverage triggers the soft liquidation logic, the yield value increases, so the liquidator only needs to transfer part of the liabilities to itself to obtain most of the liquidated party's collateral. Since the value of that collateral is greater than the value of the liabilities (only part of the liabilities is transferred because of soft liquidation), the liquidator passes its own health factor check and can withdraw the funds obtained. On April 4, Euler Labs tweeted that after successful negotiations, the attacker had returned all funds stolen from the protocol on March 13.
On January 10, 2024, Euler Labs CEO Michael Bentley published a blog post titled "War and Peace", which described the background of the attack, how it was handled and other details.
(https://medium.com/eulerfinance/war-peace-ab2670711175)
(https://twitter.com/euler_mab/status/1745079435332550836)
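The first root cause in the Euler Finance analysis above, a donation that reduces collateral without a follow-up solvency check, can be shown with a simplified model. This is an added example, not Euler's contract code or SlowMist's analysis code; the class and method names, the 0.9 collateral factor and all balances are constructed assumptions.

```python
from dataclasses import dataclass

COLLATERAL_FACTOR = 0.9  # assumed risk weight, not a real protocol parameter


class UnhealthyAccount(Exception):
    """The operation would leave the account liquidatable."""


@dataclass
class Account:
    collateral: float  # deposit-token balance (constructed units)
    debt: float        # debt-token balance

    def health(self) -> float:
        # >= 1.0 means risk-adjusted collateral still covers the debt.
        if self.debt == 0:
            return float("inf")
        return self.collateral * COLLATERAL_FACTOR / self.debt


class Market:
    def __init__(self) -> None:
        self.reserves = 0.0

    def donate_unchecked(self, acct: Account, amount: float) -> None:
        # Flawed pattern: collateral leaves, debt stays, solvency is never re-checked.
        if not 0 < amount <= acct.collateral:
            raise ValueError("invalid donation amount")
        acct.collateral -= amount
        self.reserves += amount

    def donate_checked(self, acct: Account, amount: float) -> None:
        # Hardened pattern: apply the donation, then revert it if health drops below 1.
        self.donate_unchecked(acct, amount)
        resulting = acct.health()
        if resulting < 1.0:
            acct.collateral += amount
            self.reserves -= amount
            raise UnhealthyAccount(f"donation would drop health to {resulting:.2f}")


def run(method: str) -> tuple[float, float, str]:
    """Donate 100 units from a constructed leveraged position; return (health before, after, outcome)."""
    market, acct = Market(), Account(collateral=400.0, debt=300.0)
    before = acct.health()
    try:
        getattr(market, method)(acct, 100.0)
        outcome = "accepted"
    except UnhealthyAccount:
        outcome = "reverted"
    return before, acct.health(), outcome


if __name__ == "__main__":
    for name in ("donate_unchecked", "donate_checked"):
        print(name, run(name))
```

With the unchecked path the account moves from healthy to liquidatable through its own action; the checked path rejects the same donation and leaves balances unchanged.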
Poloniex
On November 10, 2023, the Poloniex exchange was hacked, causing losses of approximately US$130 million. According to the analysis of the SlowMist security team, judging from the attacker’s rapid and professional approach, this was presumably a typical APT attack, and the attacker may be the North Korean hacker organization Lazarus Group. Justin Sun said: "The Poloniex team has successfully identified and frozen some assets related to the hacker address. Currently, the losses are within control. Poloniex's operating income can make up for these losses and the affected funds will be repaid in full."
(https://twitter.com/SlowMist_Team/status/1723006264693657708)
BonqDAO & AllianceBlock
On February 2, 2023, the non-custodial lending platform BonqDAO and the crypto infrastructure platform AllianceBlock were hacked due to a vulnerability in BonqDAO's smart contract, resulting in a loss of approximately US$120 million. Hackers removed approximately 114 million WALBT ($11 million), AllianceBlock’s wrapped native token, and 98 million BEUR tokens ($108 million) from a BonqDAO vault. According to the analysis of the SlowMist security team, the root cause of this attack is that the cost of the collateral required to submit an oracle quote was much lower than the profit obtained from the attack, so the attacker could manipulate the market and liquidate other users by maliciously submitting wrong prices. In addition, AllianceBlock stated that the incident had nothing to do with the BonqDAO vault, no smart contracts were compromised, and both teams were working to remove liquidity to limit the hackers' ability to convert stolen tokens into other assets. Details can be found in AllianceBlock’s statement in response to the BonqDAO hack.
(https://medium.com/allianceblock/allianceblock-issues-statement-in-response-to-bonqdao-hack-6510a61fcf5c)
HTX & Heco Bridge
On November 22, 2023, HTX (formerly Huobi) and its related Heco cross-chain bridge were hacked, with total losses of US$113.3 million. Justin Sun responded to the attack on Twitter: "HTX and Heco cross-chain bridge suffered a hacker attack. HTX will fully compensate for the loss of the HTX hot wallet. Deposits and withdrawals are suspended. Community, please rest assured that all HTX funds are safe. We are investigating the specific cause of the hacker attack. Once we complete the investigation and identify the cause, we will restore service."
(https://twitter.com/justinsuntron/status/1727304656622326180)
Atomic Wallet
On June 3, 2023, many Atomic Wallet users posted on social media that their wallet assets had been stolen. Atomic says less than 1% of its monthly active users are currently affected/reported. According to the analysis of the SlowMist security team, Atomic Wallet took its Cloudflare download site and sha256sum verification site offline, which suggests there may have been a security issue in the process of downloading historical versions. Losses are expected to be at least $100 million.
Orbit Chain
On December 31, 2023, the cross-chain bridge protocol Orbit Chain was hacked, resulting in a loss of US$81.6 million. Orbit Chain tweeted that the team had asked major global cryptocurrency trading platforms to freeze the stolen assets. On January 11, 2024, Orbit Chain posted an update on Twitter saying it would offer a bounty of up to $8 million to providers of decisive intelligence.
(https://twitter.com/Orbit_Chain/status/1745331289098711041)
Curve Finance and related events
On July 30, 2023, Curve Finance tweeted that due to a reentrancy lock failure, many stablecoin pools (alETH/msETH/pETH) using Vyper 0.2.15 had been attacked. The crvUSD contract and other pools were not affected. So far, the Curve Finance stablecoin pool hack has caused a cumulative loss of $73.5 million to Alchemix, JPEG'd, MetronomeDAO, deBridge, Ellipsis and CRV/ETH pools. On August 6, Alchemix tweeted that the Curve Finance hackers had returned all of Alchemix’s funds in the Curve pool. On August 19, MetronomeDAO stated that an MEV bot named "c0ffeebabe" had recovered most of the stolen funds and returned them to Metronome.
CoinEx
On September 12, 2023, the cryptocurrency exchange CoinEx suffered a hacker attack. The cause of the incident was initially determined to be the leakage of hot wallet private keys. The loss is estimated to have reached 70 million US dollars, and multiple blockchains were affected. CoinEx tweeted that it had identified and quarantined suspicious wallet addresses related to the hack and that deposit and withdrawal services had been suspended. On September 13, the SlowMist security team discovered during its analysis that the CoinEx hackers were related to the Stake.com hackers and the Alphapo hackers. The CoinEx hackers may be the North Korean hacker group Lazarus Group.
(https://twitter.com/SlowMist_Team/status/1701919426009035190)
Alphapo
On July 23, 2023, the hot wallet of cryptocurrency payment service provider Alphapo was stolen, resulting in a loss of approximately US$60 million, including Ethereum, TRON and BTC. The stolen funds were first exchanged for ETH on Ethereum and then bridged cross-chain to the Avalanche and BTC networks. Alphapo handles payments for many gambling services, such as HypeDrop, Bovada, and Ignition. The hack was most likely carried out by the Lazarus Group.
Summary
The top ten attacks in 2023 resulted in total losses of about US$1.145 billion, of which all funds stolen from Euler Finance were successfully recovered, and part of the funds stolen in the Curve Finance and related incidents were recovered. The SlowMist security team recommends that project teams conduct comprehensive audits to promptly discover and repair potential security vulnerabilities; establish a sound emergency plan to respond quickly and effectively when attacked; and, after a security incident occurs, proactively disclose it, assume responsibility, and take practical remedial measures to control the scope and degree of impact.
Full report download:
https://www.slowmist.com/report/2023-Blockchain-Security-and-AML-Annual-Report(CN).pdf