The Risks are Real: Base Network Flooded with Vulnerabilities
The blockchain security space continues to innovate. In many cases, security is playing catch-up with the industry's fast development pace, compounded by relentless hackers and bad actors targeting vulnerabilities.
Webacy’s mission is to make crypto safer for everyone, and we work alongside many companies that share a similar mission. One of those companies is Trugard Labs, a cybersecurity platform protecting Web3.
Trugard recently released an impressive dataset of vulnerabilities found across ecosystems, with a shocking 34k vulnerabilities across the Base network as just one example. Trugard CTO Jeremiah O’Connor also posted about these findings, highlighting the detectors and their ability to flag malicious behavior. These signals often follow market cycles and successful marketing campaigns. Onchain Summer by Base was arguably one of the largest attention-grabbing activations in crypto this season, making it easy for bad actors to direct their attention to where the money was flowing.
The articles highlight critical findings, including digital signature issues, malicious boolean checks on token transfers, unauthorized token burns, balance updates, controlled minting attacks, hidden balance updates, minting manipulations, and more. These terms may be familiar to security experts, but we’ve decided to expand on them for developers and builders in crypto: what does each one actually mean?
The Power to Mint Tokens
Contracts with a hidden mint function, or a mint function controlled by a privileged account, can be used to create tokens with malicious intent.
Example 1:
Project: Levyathan
bsc: 0x304c62b5b030176f8d328d3a01feab632fc929ba
Description: Levyathan operates a legitimate contract. In this case, the owner was the only account with permissions to manage and mint (create) more tokens. However, a hacker obtained access to the owner account’s private key and minted millions of tokens. Later, the hacker drained all funds from the Levyathan contract.
Example 2:
Project: Flash USD (FUSD)
ftm: 0xe1c9dc364032ee7B668D636a577f42DC085F4FC2
Description: The admin enabled a special function to mint tokens to their own account. This can heavily influence the token’s mechanics and the value accessible to the admin.
Boolean Checks
Smart contracts can contain boolean flags or checks that pause or gate functionality. When these checks block token transfers, approvals, or allowances for some addresses and not others, they can be turned against the end user.
Project: MINI BASKETBALL
bsc: 0x31d9bb2d2e971f0f2832b32f942828e1f5d82bf9
Description: This project has over 3,500 active buyers and more than 14,000 transactions. Yet the contract is a scam: it disabled users’ ability to sell the token, and only certain eligible addresses could transfer or sell tokens.
Balance Updates
Some vulnerabilities enable certain contracts and functions to make unauthorized or malicious updates to token balances.
Project: Polyhedra Network (ZK)
eth: 0xF876DAE8322Bbab7B76fbE4C0BF3266279B6B3D9
Description: The admin can change any user’s balance at any time. This requires full trust of the admin account and team. It also means that all security relies on the team’s ability to secure that admin account.
Token Burning
Functions may exist that allow privileged accounts to burn tokens without the holder’s approval.
Example 1:
Project: Flash USD (FUSD)
ftm: 0xe1c9dc364032ee7B668D636a577f42DC085F4FC2
Description: The admin can burn anyone’s tokens. WTF.
Example 2:
Project: PANDONIA (PANDO)
eth: 0xA63EcA3D9Ae591e44D7053B776E67a48F17b2B36
Description: A malicious burn function hidden in this contract burns some tokens on each transfer.
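As an added example (not code from Webacy, Trugard Labs, or any project named above), the following Python triage script flags the four patterns from the mint, boolean-check, balance-update and burn sections in Solidity source using regex heuristics. The contract text is constructed, and the naming conventions it matches on (`_balances`, `_totalSupply`, `onlyOwner`-style modifiers) are assumptions.

```python
import re
# Added example (not Webacy's or Trugard's code): regex-level triage for the
# privileged token-control patterns described above; flags candidates, not an audit.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")

def functions(source):
    """Yield (name, params, modifiers, body) per function, matching braces by hand."""
    for m in FUNC_RE.finditer(source):
        depth, i = 1, m.end()
        while depth and i < len(source):
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield m.group(1), m.group(2), m.group(3), source[m.end():i - 1]

def scan_token_source(source):
    findings = []
    for name, params, mods, body in functions(source):
        lname = name.lower()
        addr_params = re.findall(r"address\s+(\w+)", params)
        privileged = re.search(r"\bonly\w*", mods) is not None
        # 1. totalSupply grows: hidden mint if the name hides it, control-mint if role-gated.
        if re.search(r"_?totalSupply\s*(\+=|=\s*_?totalSupply\s*(\+|\.add))", body):
            if "mint" not in lname:
                findings.append(("hidden_mint", name))
            elif privileged:
                findings.append(("privileged_mint", name))
        # 2. Transfer path gated by a per-address flag (whitelist, blacklist, canSell ...).
        if "transfer" in lname and re.search(
                r"require\s*\([^;]*?(white|black|allowed|enabled|sell|lock)\w*\s*\[", body, re.I):
            findings.append(("address_gated_transfer", name))
        for target in map(re.escape, addr_params):
            # 3. Plain overwrite of a caller-chosen account's balance.
            if re.search(r"_?balances\s*\[\s*%s\s*\]\s*=(?!=)\s*(?!_?balances\s*\[)" % target, body):
                findings.append(("arbitrary_balance_write", name))
            # 4. Balance decrease on a parameter account outside transfer/allowance flows.
            if "transfer" not in lname and "allowance" not in body and re.search(
                    r"_?balances\s*\[\s*%s\s*\]\s*(-=|=\s*_?balances\s*\[\s*%s\s*\]\s*(-|\.sub))"
                    % (target, target), body):
                findings.append(("burn_of_arbitrary_account", name))
    return findings
# Constructed sample exercising each pattern (not a real deployment).
SAMPLE = """contract Sample {
  mapping(address => uint256) _balances; mapping(address => bool) canSell; uint256 _totalSupply;
  function transfer(address to, uint256 amount) public returns (bool) {
    require(canSell[msg.sender], "no"); _balances[msg.sender] -= amount; _balances[to] += amount; return true; }
  function mint(address to, uint256 amount) external onlyOwner { _balances[to] += amount; _totalSupply += amount; }
  function reward(address to, uint256 amount) external onlyOwner { _balances[to] += amount; _totalSupply += amount; }
  function setBalance(address who, uint256 value) external onlyOwner { _balances[who] = value; }
  function burn(address victim, uint256 amount) external onlyOwner { _balances[victim] -= amount; _totalSupply -= amount; }
}"""
```

A plain ERC-20 transfer that only checks the sender's own balance produces no findings, so the heuristics separate routine token logic from the privileged patterns described above.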
Digital Signatures and Tampering
Developers often use common libraries such as SafeMath and Strings. Comparing a contract’s embedded copy against the standard version can reveal deviations, which is one way to test for tampering.
Project: Chips Squad ($CHIPS)
bsc: 0x9082A3502418992196eA881011afCE978DBF4441
Description: The developer of this contract modified the SafeMath sub function, hiding a backdoor for minting an infinite number of tokens.
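As an added example (not Trugard’s detector and not the Chips Squad contract), this Python check normalizes a contract’s copy of SafeMath.sub and diffs it against a reference copy, ignoring comments, whitespace and revert messages. The reference text is assumed to be the canonical library form, and the tampered copy is constructed for illustration.

```python
import difflib
import re
# Added example (not Webacy's or Trugard's code): detects drift between a contract's
# embedded SafeMath sub and a reference copy, as the Chips Squad finding describes.

def extract_function(source, name):
    """Return `function <name>(...) {...}` text, matching braces by counting."""
    m = re.search(r"function\s+%s\s*\(" % re.escape(name), source)
    if not m:
        raise ValueError("no function named %s" % name)
    start, i, depth = m.start(), source.index("{", m.end()), 0
    while True:
        depth += {"{": 1, "}": -1}.get(source[i], 0); i += 1
        if depth == 0:
            return source[start:i]

def normalize(code):
    """Comment-, whitespace- and message-insensitive statement list."""
    code = re.sub(r"//[^\n]*|/\*.*?\*/", "", code, flags=re.S)
    code = re.sub(r'"[^"]*"', '""', code)
    parts = (re.sub(r"\s+", " ", p).strip() for p in re.split(r"[;{}]", code))
    return [p for p in parts if p]

def check_library_function(contract_src, reference_src, name="sub"):
    """Compare a contract's copy of a library function with the reference text."""
    ours = normalize(extract_function(contract_src, name))
    ref = normalize(extract_function(reference_src, name))
    diff = [d for d in difflib.ndiff(ref, ours) if d[:1] in "+-"]
    guarded = any(s.startswith(("require(", "assert(")) for s in ours)
    return {"identical": ours == ref, "guarded": guarded, "diff": diff}

# Assumed canonical reference text (OpenZeppelin-style SafeMath.sub), embedded inline.
REFERENCE = """library SafeMath {
    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b <= a, "SafeMath: subtraction overflow");
        uint256 c = a - b;
        return c;
    }
}"""
# Constructed tampered copy: same shape, but the guard no longer reverts.
TAMPERED = """library SafeMath {
    // looks like the stock library at a glance
    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        if (b > a) { return 0; }   /* silently succeeds instead of reverting */
        uint256 c = a - b;
        return c;
    }
}"""

if __name__ == "__main__":
    print(check_library_function(TAMPERED, REFERENCE))
```

The `guarded` flag is a cheap secondary signal: a SafeMath sub with no require or assert has lost the property the library exists to provide, whatever else changed.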
Summary
The growing number of smart contracts must be met with the right security services to review, audit, and protect against malicious activity. Needless to say: a traditional audit is not enough. Many of these projects are considered “safe” or “trusted” by the ecosystem, yet contain severe vulnerabilities and issues that can be exploited.
TLDR: More people need to be talking about this. Builders need to be leveraging the tools and services out there to keep their projects, and ultimately their users, safe. Accountability is at an all-time low. If we hope to build any kind of long-term value in this industry, and not be labeled as just a place for gambling degens and bad actors, we need to take steps towards a safer future.
Luckily, the building blocks we need already exist.
//
About Webacy: Webacy is the safety and security layer - enabling users to assess their risk, monitor their assets, and act in case of emergency - and empowering companies to mitigate risk through robust APIs that actively monitor their contracts, vet their users, and protect their brand.
About Trugard Labs:
Trugard Labs is a leading provider of smart contract risk and intelligence data serving Web3 users and builders alike. Advocating for better awareness of smart contract risk for retail and institutional stakeholders, investors, and researchers, Trugard Labs is enabling better, faster, smarter due diligence, risk management, and brand.