How will BSC strive to address frequent DeFi security incidents?

Jun 9, 2021 3:06:45 PM
PANews

BSC is a public permission-less infrastructure, anyone can deploy projects on it, including bad actors and hackers. It is not unusual for DeFi projects to have bugs, and this is not unique to BSC.

Author | Peter    Editor | Tong    Producer | PANews

In the past month, the crypto market went through a difficult period. Bitcoin fell to $30,000, losing half of its peak value, and most other tokens followed. Both new and established DeFi projects slid with the market. On June 6th, DeBank reported that DeFi TVL on Ethereum stood at $86.66 billion, down 35% from its peak of $132.33 billion on May 11th. The BSC ecosystem was no exception: DeFistation data showed its TVL had dropped to $26.66 billion, down 50% from the peak of $53.6 billion on May 10th. Beyond the overall market slump, the frequent security incidents on BSC have also eroded users' confidence in the DeFi projects building on top of it.

BSC mistakenly blamed for DeFi flash loan attacks

On June 5th, the security firm PeckShield raised the alarm that BurgerSwap, the first AMM on BSC, had suffered a flash loan attack again, only one week after the previous one on May 28th. In that first attack roughly $7 million in total was drained, including 4,400 WBNB, 1.4 million USDT and 432,000 BURGER. The project issued a compensation plan that airdropped a new token, cBURGER, to qualified users. One week later the same project was hit again, by the same kind of flash loan attack.

According to public statistics compiled by PANews, BurgerSwap was not alone: Spartan Protocol, PancakeBunny, Bogged Finance, AutoShark, JulSwap and Belt Finance also suffered flash loan attacks on BSC in May, and the resulting losses accounted for 35% of all asset losses caused by security incidents on BSC.

DeFi users know that flash loans are not in themselves a tool for bad actors; they are an innovative form of lending that requires neither collateral nor a guarantor. The borrower must repay the principal and interest before the blockchain transaction completes; if it does not, the transaction is not included in the block and the lent capital is returned, as if the loan had never happened. Flash loans use the atomicity of blockchain transactions to do something traditional finance cannot.



Flash loan providers such as Uniswap and PancakeSwap simply lend the capital and receive principal plus interest back; they do not interfere with how the capital is used in between. Because the loan must be borrowed and repaid inside one transaction, the borrower has to route the capital through other smart contracts that execute the intended trades before that transaction ends.

Anyone can initiate a flash loan transaction as long as a profitable strategy exists at that moment. The initiator's costs are gas, trading fees and slippage. An attacker who has spotted a vulnerability in a project can therefore raise an enormous amount of capital for a very short time at minimal cost, and use it either to exploit the bug directly or to manipulate a price for arbitrage.
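The mechanism described above is easiest to see with numbers. The model below is an added example, not code from BurgerSwap, PancakeSwap or any other BSC project: it simulates a constant-product AMM, a hypothetical lending vault that values collateral by reading the AMM's spot price in the same transaction, and the attacker's single atomic transaction (borrow, pump, borrow against the inflated price, unwind, repay). The pool sizes, the 0.3% swap fee, the 0.09% flash loan fee, the loan-to-value ratio and the loan size are all constructed values. The same attack is then run against a vault that uses a price fixed before the transaction, which is what a TWAP or previous-block oracle provides.

```python
"""Flash-loan price-manipulation model (added illustration; all numbers are constructed)."""
from typing import Callable, Tuple


class Pool:
    """Uniswap-v2-style x*y=k pool; fee_bps is charged on the input amount."""

    def __init__(self, reserve_a: float, reserve_b: float, fee_bps: int = 30):
        self.reserve_a = reserve_a
        self.reserve_b = reserve_b
        self.fee_bps = fee_bps

    def spot_price(self) -> float:
        """Price of one A in B, as any contract reading the reserves in the same tx sees it."""
        return self.reserve_b / self.reserve_a

    def swap_b_for_a(self, amount_b: float) -> float:
        amount_in = amount_b * (10_000 - self.fee_bps) / 10_000
        out = self.reserve_a * amount_in / (self.reserve_b + amount_in)
        self.reserve_b += amount_b
        self.reserve_a -= out
        return out

    def swap_a_for_b(self, amount_a: float) -> float:
        amount_in = amount_a * (10_000 - self.fee_bps) / 10_000
        out = self.reserve_b * amount_in / (self.reserve_a + amount_in)
        self.reserve_a += amount_a
        self.reserve_b -= out
        return out


class LendingVault:
    """Hypothetical lender: borrow B against A collateral at loan-to-value `ltv`.

    `oracle` returns the A/B price used to value collateral. Passing the pool's
    live spot_price here is the bug that flash-loan manipulation exploits."""

    def __init__(self, oracle: Callable[[], float], ltv: float = 0.75):
        self.oracle = oracle
        self.ltv = ltv

    def max_borrow_b(self, collateral_a: float) -> float:
        return collateral_a * self.oracle() * self.ltv


def run_attack(pool: Pool, vault: LendingVault, loan_b: float, collateral_a: float,
               flash_fee_bps: int = 9) -> float:
    """One atomic transaction. Returns the attacker's net gain in B.

    1. flash-borrow B  2. buy A so its spot price jumps  3. post A as collateral and
    borrow the maximum B at the inflated valuation  4. sell A back  5. repay the loan.
    If repayment fails the whole tx reverts, so the attacker risks only gas. The
    collateral is abandoned, so its fair (pre-attack) value is counted as a cost."""
    fair_price = pool.spot_price()                    # price before the attack
    fee_b = loan_b * flash_fee_bps / 10_000
    bought_a = pool.swap_b_for_a(loan_b)              # pump A
    borrowed_b = vault.max_borrow_b(collateral_a)     # valued at whatever the oracle says
    held_b = borrowed_b + pool.swap_a_for_b(bought_a)  # unwind the pump
    if held_b < loan_b + fee_b:                       # repay or revert
        raise RuntimeError("flash loan not repaid: transaction reverts, state unchanged")
    return held_b - loan_b - fee_b - collateral_a * fair_price


def compare() -> Tuple[float, float]:
    """Attacker's net gain against a spot-price oracle vs a price fixed before the tx."""
    spot_pool = Pool(1_000_000, 1_000_000)
    spot_vault = LendingVault(spot_pool.spot_price)
    gain_spot = run_attack(spot_pool, spot_vault, loan_b=2_000_000, collateral_a=100_000)

    ref_pool = Pool(1_000_000, 1_000_000)
    reference = ref_pool.spot_price()                 # captured before the attacker's tx
    ref_vault = LendingVault(lambda: reference)
    gain_ref = run_attack(ref_pool, ref_vault, loan_b=2_000_000, collateral_a=100_000)
    return gain_spot, gain_ref


if __name__ == "__main__":
    spot, ref = compare()
    print(f"spot-price oracle:       attacker nets {spot:>12,.0f} B")
    print(f"pre-tx reference price:  attacker nets {ref:>12,.0f} B")
```

With these numbers the spot-price vault lets the attacker walk away with several hundred thousand B after repaying the loan and abandoning 100,000 A of collateral, while the vault using a pre-transaction reference price leaves the same transaction at a loss, so it is never sent. The attacker's only exposure in either case is gas, because a loan that cannot be repaid makes the entire transaction revert.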

Commenting on the wave of flash loan attacks, BSC stated that its projects may have become the target of an organized group of bad actors. BSC called for risk-prevention measures for on-chain DApps and advised projects to work with audit firms on health checks. Forked projects should double-check any changes they made relative to the original code, and adopt real-time monitoring so that the protocol can be paused promptly when abnormal conditions appear. Projects should also prepare emergency plans for the worst case and, where conditions allow, run bug bounty programs.

Because so many DeFi security incidents have happened on BSC, some users have doubts about BSC itself and even assume the cause lies in security bugs in the chain.

BSC Ecosystem Project Coordinator, Samy K. said, “BSC is a public permission-less infrastructure, anyone can deploy projects on it, including bad actors and hackers. It is not unusual for DeFi projects to have bugs, and this is not unique to BSC.” 

Judging from attacks on DApps generally, it is hard to conclude that this is happening only on BSC. Many public chains see attacks, and a whole chain cannot be declared unsafe just because some projects on it are exploited. Moreover, DApps are still at an early stage of development and need continuous upgrading and evolution in technology, product and security.

In fact, BSC is facing a higher frequency of attacks because its DeFi ecosystem is growing. To some extent BSC today resembles Ethereum last year. According to PeckShield's security incident statistics for 2020, there were 60 DeFi security incidents on Ethereum causing over $250 million in losses, far more than in 2019, with flash loan attacks and reentrancy attacks as the leading causes.

BSC’s growth has attracted more hackers 

BSC has become a key attack target due to the prosperity of its ecosystem.  

As early as 2019, Binance launched its first public chain, Binance Chain, which also offers high throughput. However, because it lacked virtual machine and smart contract support, Binance Chain was used mainly to run Binance DEX and a handful of other native DApps.

In 2020, Binance Chain's community launched BSC, which is EVM-compatible and supports smart contracts. Developers can migrate their Ethereum DApps to BSC with minimal configuration changes and escape Ethereum's high transaction costs.

Since the beginning of this year, BSC has grown significantly in project count, user numbers and user activity. According to bscproject data, by June 6th the BSC ecosystem spanned DeFi, NFTs, tools and infrastructure, with 637 projects and 76,468,636 on-chain addresses; daily transactions on BSC reached 4,447,832, about 392% of Ethereum's 1,134,526. According to CryptoDep data, 9 of the 10 most active DApps over the previous 30 days were deployed on BSC.

Low gas fees and fast transactions significantly improved the user experience and contributed a great deal to BSC's rapid rise. But plenty of public chains offer high performance at low cost; BSC's advantage goes beyond that.




BSC's share of total DeFi TVL once reached 26% and now stands at 18.6%. In 24-hour DEX trading volume, the BSC project PancakeSwap has surpassed the leading Ethereum DEXes, Uniswap and SushiSwap. PancakeSwap recorded $156.48 billion of trading volume in May, 49% of all DEX volume. Even outside the BSC ecosystem, PancakeSwap's lead is hard to shake.

The more the BSC ecosystem grows, the stronger the Matthew effect in on-chain asset aggregation. When hundreds of projects and millions of users flood onto one platform, it becomes a natural target for hackers and fraudsters. It is also plausible that, as happened with projects on Ethereum, BSC projects will become more robust after fixing these security bugs, and the ecosystem will grow further as a result.

Ensuring security means understanding the internal logic of the "money lego" combination

Because of the frequent flash loan incidents on BSC, the phrase "flash loan" has acquired a negative connotation in the community, and some builders may hesitate or stop building on BSC.

PeckShield recommends that new contracts be audited before launch, with particular attention to finding business-logic bugs that arise when composing with other DeFi products. Projects should also introduce circuit breaker mechanisms and subscribe to third-party threat intelligence and on-chain data-trend services to strengthen their security posture.
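The real-time monitoring and pausing that BSC asked projects to adopt, and the circuit breaker PeckShield recommends, come down to a small set of rules applied to every transaction that touches the protocol. The sketch below is an added example, not code from BSC, PeckShield or any named project. It encodes two such rules: pause if the pool price moves more than a fixed band away from the median of the last few block closes, and pause if a deposit, withdraw or borrow arrives inside a transaction that has already taken a flash loan. The event records and field names are constructed; a real deployment would feed this from an indexer or implement the same checks in the contract's guard modifier.

```python
"""Circuit-breaker sketch (added example; event records and field names are constructed)."""
import statistics
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Set, Tuple


@dataclass
class Event:
    block: int
    tx: str
    kind: str      # "swap", "flash_borrow", "flash_repay", "deposit", "withdraw", "borrow"
    price: float   # pool spot price (A in B) observed after this event
    amount: float


class CircuitBreaker:
    """Stateful guard: once tripped it stays paused until an operator resets it."""

    PROTOCOL_CALLS = {"deposit", "withdraw", "borrow"}

    def __init__(self, max_move_bps: int = 1_000, window_blocks: int = 10):
        self.max_move_bps = max_move_bps
        self.closes: Deque[float] = deque(maxlen=window_blocks)  # last price of each block
        self.paused: Optional[str] = None
        self._block: Optional[int] = None
        self._last_price: Optional[float] = None
        self._flash_txs: Set[str] = set()  # txs in the current block that took a flash loan

    def check(self, ev: Event) -> Optional[str]:
        """Return a pause reason if this event trips the breaker, else None."""
        if self.paused:
            return self.paused
        if ev.block != self._block:
            # New block: the previous block's last price becomes its close.
            if self._last_price is not None:
                self.closes.append(self._last_price)
            self._block = ev.block
            self._flash_txs = set()
        self._last_price = ev.price

        # Rule 1: protocol interaction inside a flash loan.
        if ev.kind == "flash_borrow":
            self._flash_txs.add(ev.tx)
        if ev.kind in self.PROTOCOL_CALLS and ev.tx in self._flash_txs:
            self.paused = f"{ev.tx}: protocol call inside a flash loan"
            return self.paused

        # Rule 2: single-block price move outside the allowed band.
        if self.closes:
            ref = statistics.median(self.closes)
            move_bps = abs(ev.price - ref) / ref * 10_000
            if move_bps > self.max_move_bps:
                self.paused = f"{ev.tx}: price moved {move_bps:.0f} bps from trailing median {ref:.4f}"
                return self.paused
        return None


def first_trip(events: List[Event], **kwargs) -> Optional[Tuple[int, str]]:
    """Replay events through a fresh breaker; return (index, reason) of the first trip."""
    breaker = CircuitBreaker(**kwargs)
    for i, ev in enumerate(events):
        reason = breaker.check(ev)
        if reason:
            return i, reason
    return None


# Constructed stream: five quiet blocks, then a one-transaction pump-and-borrow.
PRICE_ATTACK = [
    Event(100, "0x01", "swap", 1.000, 5_000),
    Event(101, "0x02", "swap", 1.004, 8_000),
    Event(102, "0x03", "withdraw", 1.004, 2_000),
    Event(103, "0x04", "swap", 0.998, 3_000),
    Event(104, "0x05", "swap", 1.006, 7_000),
    Event(105, "0x06", "flash_borrow", 1.006, 2_000_000),
    Event(105, "0x06", "swap", 8.980, 2_000_000),      # pump: trips rule 2
    Event(105, "0x06", "borrow", 8.980, 673_650),
    Event(105, "0x06", "swap", 1.020, 665_000),
    Event(105, "0x06", "flash_repay", 1.020, 2_001_800),
    Event(106, "0x07", "swap", 1.010, 4_000),
]

# Constructed stream: a flash loan that touches the protocol without moving our pool.
FLASH_CALL = [
    Event(200, "0x10", "swap", 1.000, 5_000),
    Event(201, "0x11", "flash_borrow", 1.000, 1_000_000),
    Event(201, "0x11", "borrow", 1.000, 500_000),      # trips rule 1
]

if __name__ == "__main__":
    print(first_trip(PRICE_ATTACK))
    print(first_trip(FLASH_CALL))
```

Rule 2 would have fired on the pump swap before the attacker's borrow in the first stream, and rule 1 catches the second stream even though the monitored pool's price never moves, which matters when the manipulated price lives in a different pool than the one the protocol reads. The band and window are tuning parameters: too tight and ordinary volatility pauses the protocol, too loose and a manipulation that stays within the band slips through, so they should be chosen from the asset's historical per-block moves.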

All DeFi protocols change over time. Even a protocol that has been audited several times can have those audits invalidated by a small update, so the whole review process should be repeated after every change, however minor.

Developers also need not worry much about the security of BSC itself. According to official information, BSC's security rests on two pillars: the security of the code, the nodes and the blockchain itself, and the security of the ecosystem.

The BSC blockchain runs on open-source code that third parties and the public can audit. Anyone with the required technical knowledge can review the code line by line and assess possible vulnerabilities and threats. The PoSA consensus algorithm, built around 21 elected validators, prevents any individual validator from gaining too much control over the network and abusing it.



The BSC ecosystem consists of many parts and participants, each with its own set of threats: the code and the consensus algorithm, the validators and their hardware, the projects building on BSC, and the individuals using it.

Many community-driven efforts are under way to improve the security of the BSC ecosystem and protect users, their funds and their data. In addition, the BSC core team has formed the CryptoSafe Alliance with leading security companies to run a series of security trainings; it is preparing a BSC CryptoSafe bounty program; it is deepening cooperation with security firms to provide more proactive penetration testing so that issues are found earlier; and it has established the BSC SAFU fund and insurance protocol to bring better infrastructure and services to the ecosystem.

As projects pay more and more attention to security, DeFi attacks on BSC are expected to decline gradually.





