First release | SushiSwap imitation disk YUNO and KIMCHI smart contract loopholes or potential security risks

On August 31 and September 1 (Beijing time), the CertiK security research team found that two SushiSwap imitation projects, YUNo Finance (YUNO) and KIMCHI.finance (KIMCHI), carry a vulnerability in their smart contracts. If it is exploited, the smart contract owner can issue an unlimited number of the project's tokens, inflating the supply and eventually collapsing the project.

Taking the smart contract of the Yuno project as an example, the CertiK security research team analysed the infinite-issuance vulnerability in detail. The technical details are as follows:

In line 1354 of the MasterChef.sol smart contract in the Yuno project, the dev method allows the caller who currently holds the devaddr identity to transfer that identity to another address.

Screenshot from: https://etherscan.io/address/0x450f143f1a8650fff968d890814bd5884bdc8f1d#code

In the figure below, you can see that the mint method in line 1282 of the smart contract is restricted by the onlyOwner modifier, so only the owner of the smart contract can call it.

The above three screenshots are all from: https://etherscan.io/address/0x450f143f1a8650fff968d890814bd5884bdc8f1d#code

A caller holding the devaddr identity who also happens to be the owner can issue unlimited tokens by calling the mint method in line 1282 of the MasterChef.sol smart contract. That mint method calls the mint method on line 1130, which in turn calls the _mint method on line 1044, completing the token issuance.

The unlimited-issuance loophole in the smart contract of the Kimchi project is essentially the same as the one above, so it is not repeated here.

If the owner and devaddr addresses are the same, and there is no external restriction on the smart contract owner, then the owner has the right to issue any number of tokens, which puts investors at risk. So are devaddr and owner in the two projects Yuno and Kimchi the same person? And are there other external constraints that limit the smart contract owners of these two projects?

The figure below shows the addresses with devaddr and owner identities in the MasterChef.sol smart contract of the Yuno project (as of 11:00 p.m., September 1, Beijing time).

Screenshot from: https://etherscan.io/address/0x9dd5b5c71842a4fd51533532e5470298bfa398fd#readContract

The figure below shows the addresses with devaddr and owner identities in the KimchiChef.sol smart contract of the Kimchi project (as of 11:00 p.m., September 1, Beijing time).

As the two figures above show, the devaddr and owner addresses in the Yuno project are the same, so the smart contract owner has the right to issue unlimited tokens. In the Kimchi project, devaddr and owner are different addresses, but since the devaddr identity can be transferred, a certain risk remains.

To ensure that the infinite-issuance loophole cannot be triggered, the smart contract owners of the Yuno and Kimchi projects must be restricted externally. The restriction currently in place is the same as in the SushiSwap project: every smart contract operation performed by the owner is subject to a 48-hour delay. Any operation by the owner is therefore visible to all investors, who have 48 hours to respond.

DeFi and related farming projects are extremely popular at present. Because blockchain projects are expected to publish their code, the threshold for launching a new project is extremely low, and a project that blindly copies from other projects can inherit arbitrary bugs. A strict security audit should therefore be conducted before a project goes live.

From the investors' perspective, the returns of several thousand percent advertised by current farming projects can easily prompt them to invest blindly without a sufficient understanding of the project itself. For example, SushiSwap, Yuno and Kimchi were all launched quickly without rigorous security verification. Investors dazzled by the huge returns may put precious funds into smart contracts that carry great risk.
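To make the privilege pattern described above concrete, the following is an added illustration (not code from the YUNO, KIMCHI or SushiSwap contracts): a minimal chef contract with the transferable devaddr role and an owner-only, uncapped mint, beside a minimal 48-hour timelock of the kind that, when made the owner, enforces the delay the analysis describes. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.12;

// Added illustration, not the audited projects' source. Names are hypothetical.
contract Ownable {
    address public owner;
    constructor() public { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function transferOwnership(address newOwner) external onlyOwner { owner = newOwner; }
}

contract MinimalChef is Ownable {
    address public devaddr;                       // transferable role, as in dev()
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(address _devaddr) public { devaddr = _devaddr; }

    // Whoever currently holds devaddr may hand it to any other address.
    function dev(address _devaddr) external {
        require(msg.sender == devaddr, "not devaddr");
        devaddr = _devaddr;
    }

    // Gated only by onlyOwner: no supply cap and no schedule. With an EOA as
    // owner (in YUNO's case the same address as devaddr) supply is unbounded.
    function mint(address to, uint256 amount) external onlyOwner {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

// Mitigation: transfer ownership of MinimalChef to this contract, so every
// owner call must be queued and sits visible on-chain for 48 hours first.
contract Timelock {
    uint256 public constant DELAY = 48 hours;
    address public admin;
    mapping(bytes32 => uint256) public eta;      // queued call id => earliest execution time
    constructor() public { admin = msg.sender; }

    function queue(address target, bytes calldata data) external returns (bytes32 id) {
        require(msg.sender == admin, "not admin");
        id = keccak256(abi.encode(target, data));
        eta[id] = block.timestamp + DELAY;        // investors can react before this point
    }
    function execute(address target, bytes calldata data) external {
        require(msg.sender == admin, "not admin");
        bytes32 id = keccak256(abi.encode(target, data));
        require(eta[id] != 0 && block.timestamp >= eta[id], "timelock: too early");
        delete eta[id];
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}
```

With the Timelock as owner, a queued mint(...) call is visible in eta for the full delay, which is the on-chain signal investors can monitor; without it, the onlyOwner mint executes in the same transaction it is sent.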
