
Chengdu Lianan: Analysis of YFV extortion incident

YFV is a DeFi project based on Ethereum. Earlier today, YFV officially published a statement saying that it was being blackmailed: an attacker can exploit a vulnerability in the staking contract to arbitrarily reset the lock on YFV staked by any user.

The statement also said that this incident may be related to the recent "pool 0" incident, and that the blackmailer is most likely an "angry farmer" who did not get their funds back in the "pool 0" incident.

The contract has a stakeOnBehalf function that lets the attacker stake on behalf of any user, as shown in the following figure:

The statement lastStakeTimes[stakeFor] = block.timestamp; in this function updates lastStakeTimes[user] in the mapping for the target user's address. The function the user calls to withdraw their stake contains a check requiring that the withdrawal time be greater than lastStakeTimes[account] + 72 hours, as shown below:

UnfrozenStakeTime is shown in the figure below:

To sum up, a malicious user can stake a tiny amount of funds on behalf of a normal user, which resets that user's lock timer and thereby locks the normal user's funds.
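The pattern described above, side by side with a hardened version, as an added illustration that is not the YFV contract's code: only the names stakeOnBehalf, lastStakeTimes and the 72-hour lock come from this article; the IERC20 interface, the opt-in approvedStaker mapping and all other names are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface used below (assumed interface, not from the article).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Illustrative staking pool modelled on the pattern described in the article. Only
// stakeOnBehalf, lastStakeTimes and the 72-hour lock come from it; all else is assumed.
contract LockedStakingExample {
    uint256 public constant LOCK_PERIOD = 72 hours;
    IERC20 public immutable token;
    mapping(address => uint256) public balances;
    mapping(address => uint256) public lastStakeTimes;
    // Stakers an account has explicitly opted in to (the added mitigation).
    mapping(address => mapping(address => bool)) public approvedStaker;
    constructor(IERC20 _token) { token = _token; }

    function setStakerApproval(address staker, bool allowed) external {
        approvedStaker[msg.sender][staker] = allowed;
    }

    // VULNERABLE pattern from the article: any caller may stake any amount for any
    // account, and each such stake pushes that account's unlock time to now + 72h.
    function stakeOnBehalfVulnerable(address stakeFor, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[stakeFor] += amount;
        lastStakeTimes[stakeFor] = block.timestamp; // third party resets the victim's lock
    }

    // HARDENED: only the account itself, or a staker it has opted in to, may deposit
    // for it, so no unsolicited third party can move its lock timer.
    function stakeOnBehalf(address stakeFor, uint256 amount) external {
        require(msg.sender == stakeFor || approvedStaker[stakeFor][msg.sender], "not approved");
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[stakeFor] += amount;
        lastStakeTimes[stakeFor] = block.timestamp;
    }

    function unfrozenStakeTime(address account) public view returns (uint256) {
        return lastStakeTimes[account] + LOCK_PERIOD;
    }

    // The withdrawal check the article describes: nothing moves until the lock expires.
    function withdraw(uint256 amount) external {
        require(block.timestamp >= unfrozenStakeTime(msg.sender), "stake still locked");
        balances[msg.sender] -= amount; // reverts on underflow in 0.8
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The hardened function changes nothing about the lock itself; it only ensures that the party able to extend an account's lock is the account owner or someone the owner chose, which is the business rule the original contract failed to encode.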

According to the information on the chain, we found two suspected attacks, as follows:

0xf8e155b3cb70c91c70963daaaf5041dee40877b3ce80e0cbd3abfc267da03fc9

0x8ae5e5b4f5a026bc27685f2b8cbf94e9e2c572f4905fcff1e263df24252965db

One of them is shown in the picture below:

Both transactions come from the same address, and both transfer extremely small amounts. From this we can reasonably conclude that they were test transactions probing the lock-up problem.

The root cause of this incident is that the pre-launch code audit was not done thoroughly; the vulnerability itself is a flaw at the business-logic level.

In Chengdu Lianan's experience with code auditing, some project teams do not provide complete project-related information when commissioning an audit, so the audit cannot uncover certain business-logic vulnerabilities, which then lead to heavy losses after launch.

Chengdu Lianan Security Lab hereby reminds all project parties: security is the cornerstone of development, and a good code audit is a prerequisite for going online.
