The attack and defense behind the theft of the NFT trading platform

Thefts in the cryptosphere are nothing new, or even commonplace. Recently, there has been a lot of uproar about the theft of the OpenSea trading platform. Although the results of the self-inspection concluded that it was an external attack rather than a systemic problem of the platform, the loss of nearly 3 million US dollars of assets has become a foregone conclusion. According to DappRadar data, in the hacking incident Since then, user activity on OpenSea has dropped rapidly, with user activity on the platform dropping by at least 20%. So, behind the theft incidents, are there any preventive measures that can be taken?

Deep awareness of safety, prevention but hindsight

The hardest hit area by hackers is very directional, that is, the "popular track" filled with a large amount of asset trading volume, which has become the tacit choice of hackers. Just earlier this month, an NFT collector tweeted that all his NFT avatars were stolen, worth as much as 18 million, and hoped to seek the help of the trading platform. In response to this security incident, the OpenSea platform can only collect the owner's address and related information. NFTs are marked in red. And there are many similar theft incidents. Many users said that the hackers easily realized the transfer of assets without any security warning, and the hackers seemed to be easy to succeed.

hacker

The platform understands the importance of security by drawing on the lessons of bankruptcy incidents in the industry due to theft. But on the whole, the safety factor of the overall industry is low. Contract loopholes, transaction loopholes and other problems are not uncommon. Although the platform is equipped with as many security precautions as possible and continues to carry out routine security loophole patches, the theft seems to be impossible to prevent, and the platform and users suffer huge loss of funds and trust. It can analyze the attack technology after the cause and effect of the event is retrieved, and it is intended to improve the security line of defense of the industry by summarizing the corresponding security precautions. Unfortunately, some loopholes and mistakes are still low-level, and the hackers' attack methods have become more diverse.

What are the means of hacking?

Hacking is not only a special case of the blockchain industry, it will exist with the entire industry for a long time, and any track will be on high alert. As a participant in it, we can have a simple understanding of hacker attack methods and know ourselves and others. The following is a brief introduction to several frequently occurring types: vulnerability attacks, phishing attacks, and quantum attacks.

Vulnerability attack is a common method used by hackers, and it is also a security incident caused by the insufficient security of the system itself. Vulnerabilities can be divided into different forms. One is a logic loophole. Last year’s flash loan attack profited by exploiting the logic loophole in asset circulation, making arbitrage with empty gloves and white wolf, which made criminals tried and tested again and again. One is security vulnerabilities, that is, hackers scan security defects such as blockchain protocols, smart contract mechanisms, and node device vulnerabilities to launch attacks.

Phishing attacks are malicious attacks from external sources. This OpenSea security incident is a typical phishing attack. In layman's terms, it means that the user clicks on the information with virus or authorization outside, which exposes his own information, or fails to distinguish the authenticity of the content and is influenced by the temptation of interests, which leads to the occurrence of the accident. As OpenSea explained, this incident was when hackers took advantage of the OpenSea contract upgrade and sent a phishing email to all users' mailboxes, and many users mistakenly regarded it as an official email and authorized their wallets, which led to Wallet stolen.

Quantum attack, with the emergence of quantum computers, is a huge threat, including JPMorgan Chase and others are studying related anti-quantum attack solutions. It is worth noting that the blockchain is the most vulnerable area to quantum attacks. Hackers crack the encryption algorithm and digital signature of key components of the blockchain. It is not alarmist to say that quantum attacks pose a risk to any security involving public keys. With the development of quantum hardware, the industry should pay close attention to the development of quantum computing and cryptography, be aware of the dangers that quantum attacks may bring, and take action today.