QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$180 000 USD
MARCH 2019
GLOBAL
NKPAYMENTCAP
DESCRIPTION OF EVENTS
"On March 11, EOS DApp nkpaymentcap was attacked, and hackers successfully made a profit of 50,000 EOS, which is approximately more than 1 million yuan."

"According to data monitored by PeckShield's risk control platform DAppShield, EOS DApp nkpaymentcap suffered a false transfer notification attack at around 2:30 in the morning, and lost 50,000 EOS. At the current price of EOS, the loss is about US$180,000."
"Fake Receipt Attack. The key feature of this attack is that the vulnerable smart contract is misled by the fake notification to receive tokens, while the actual token transfer occurs between the two accounts belonging to the same attacker (see §3.2). For simplicity, we will use from_account and to_account to represent the two accounts in the following, where to_account will send the fake receipt to vulnerable contract, and from_account is the ultimate beneficiary. Accordingly, we will first query all the transactions of token transfer whose tokens are issued by eosio.token and token symbols are “EOS”, to get all the true EOS token transfers."
"These transactions will be regarded as the fake receipts with crafted notifications. Next, if a from_account sends a fake receipt before making profits from the vulnerable contract, we will mark the corresponding transaction as potential. After that, by eliminating the unrelated EOS spending transactions (e.g., for testing purposes initiated by the attacker), we focus mainly on those who have gained more true EOS tokens than they spent. If the input-output ratio is still high, the corresponding transactions are labeled as suspicious. Finally, we will manually check the suspicious transactions to see whether the vulnerable smart contract will resume normal execution after receiving the fake receipts. If so, we will mark such a transaction as a fake receipt attack."
"The attacker launched continuous attacks on EOS DApp nkpaymentcap and successfully profited 50,000 EOS. After analysis, it was found that the attacker used a fake transfer notification attack to obtain a large number of contract tokens, and then exchanged the tokens into real EOS for cash out through the DApp contract."
The EOS project nkpaymentcap was attacked through a fake receipt attack, in which the real token transfer took place between two accounts owned by the attacker. A number of EOS smart contracts shared the same weakness: they credited a deposit on the strength of a transfer notification without confirming that the contract itself was the recipient, so an attacker who moved funds between their own accounts could forward the notification to the contract and withdraw tokens they had never deposited. The project no longer appears to exist, so there is no sign that anything was done to assist affected users.
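The triage heuristic quoted from the paper above, written out as an added example that is not the paper's or this page's own code: it runs over constructed EOSIO action traces (the field names, account names and the 2x gain/spend threshold are assumptions) and flags accounts that had a real transfer notification forwarded to the contract and then received more real EOS from it than they spent. The paper's final manual check is not automated here.

```python
from collections import defaultdict
# Constructed EOSIO action traces (assumed field names): one entry per action
# notification delivered to `receiver`; `code` is the contract that issued it.
TRACES = [
    # attacker_a makes a small real deposit to the dapp (an ordinary spend)
    dict(seq=1, code="eosio.token", action="transfer", receiver="nkpaymentcap",
         frm="attacker_a", to="nkpaymentcap", qty=1.0, sym="EOS"),
    # real transfer attacker_a -> attacker_b; attacker_b's contract forwards the
    # notification, so the dapp is told about a transfer it never received
    dict(seq=2, code="eosio.token", action="transfer", receiver="nkpaymentcap",
         frm="attacker_a", to="attacker_b", qty=100.0, sym="EOS"),
    # the dapp later pays real EOS out to attacker_a
    dict(seq=3, code="eosio.token", action="transfer", receiver="attacker_a",
         frm="nkpaymentcap", to="attacker_a", qty=95.0, sym="EOS"),
    # an ordinary user deposits and receives a modest payout, no fake receipt
    dict(seq=4, code="eosio.token", action="transfer", receiver="nkpaymentcap",
         frm="alice", to="nkpaymentcap", qty=10.0, sym="EOS"),
    dict(seq=5, code="eosio.token", action="transfer", receiver="alice",
         frm="nkpaymentcap", to="alice", qty=2.0, sym="EOS"),
]

def true_eos_transfers(traces):
    """Keep only transfers actually issued by eosio.token with symbol EOS."""
    return [t for t in traces if t["code"] == "eosio.token"
            and t["action"] == "transfer" and t["sym"] == "EOS"]

def fake_receipts(traces, victim):
    """A true transfer whose notification reached `victim` although `victim`
    is neither sender nor recipient is a forwarded (fake) receipt."""
    return [t for t in true_eos_transfers(traces)
            if t["receiver"] == victim and victim not in (t["frm"], t["to"])]

def suspicious_accounts(traces, victim, ratio_threshold=2.0):
    """Map from_account -> gain/spend ratio for senders of a fake receipt."""
    first_fake = {}
    for t in fake_receipts(traces, victim):
        first_fake.setdefault(t["frm"], t["seq"])
    spent, gained = defaultdict(float), defaultdict(float)
    for t in true_eos_transfers(traces):
        if t["to"] == victim:
            spent[t["frm"]] += t["qty"]
        elif t["frm"] == victim and t["to"] in first_fake and t["seq"] > first_fake[t["to"]]:
            gained[t["to"]] += t["qty"]
    result = {}
    for acct in first_fake:
        ratio = gained[acct] / spent[acct] if spent[acct] else float("inf")
        if ratio >= ratio_threshold:
            result[acct] = round(ratio, 2)
    return result
```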
HOW COULD THIS HAVE BEEN PREVENTED?
There are a number of ways to prevent and mitigate this situation. It is far more secure to keep the majority of funds in a multi-signature wallet whose keys are stored offline by multiple operators; this limits the potential loss to only the funds actively needed. Audits can reduce the risk on the hot wallets further, and we advocate that at least two reviews be required before a project launches. Known platform operators would ensure a best effort is made to assist affected users, with a comprehensive industry insurance fund as a fallback in the worst case.
SlowMist Hacked - SlowMist Zone (Nov 8)
How do I notify a party - 币搜 (Dec 20)
https://www.usenix.org/system/files/sec21fall-he-ningyu.pdf (Dec 20)
Genius programmer: "The EOS code that I was lazy and didn't type in those years cost me everything, if..." - Fear Cat (Dec 20)
(PDF) Security Analysis of EOSIO Smart Contracts (Dec 20)
https://eosindex.io/eos/block-explorer/lookup/accounts/nkpaymentcap (Dec 20)
https://coinmarketcap.com/currencies/eos/historical-data/ (Dec 20)