This report focuses on security events that occurred on BNB Smart Chain (BSC) in Q3 of 2023. It analyzes the types of projects targeted, the common attack techniques used and the financial losses that resulted from the incidents.
1. Q3 sees significant reduction in fiat losses compared to Q2
Fiat losses dropped by 37%, from $69m in Q2 to $43.5m in Q3. This was largely due to the smaller number of hacks: 45 in Q3 compared to 79 in Q2.
2. BSC ranks fourth in Q3 fiat losses when compared to other chains
BSC saw 4% of the total fiat losses across all chains in Q3, ranking fourth among chains. Third place goes to Fantom, representing 15%. Second place goes to Tron, representing 32%. First place goes to Ethereum, representing 36% of the total fiat loss across all chains.
3. Rugpulls, reserves manipulation and price manipulation were the three most common types of exploit
Rugpulls remain the most common exploit vector, representing 67% of fiat losses on BSC. In second and third place, reserve manipulation and price manipulation combine to constitute roughly 12% of exploits.
Other common attack types include lack of validation (3.36%), access control issue (2.52%) and private keys being compromised (1.68%).
The financial data provided here is accurate based on our own monitoring system and based on the $USD amount of the cryptocurrency involved at the time of the incident. Due to the fluctuating price of cryptocurrencies, the total amount lost may vary based on changes in token valuations.
Furthermore, the financial data included here may not fully reflect the true “amount exploited” during the incident. This is especially true for scams where the total loss is mixed with an initial base amount injected by the project.
When we compare the data with Q3 of previous years, there is a decreasing trend. Q3 financial losses dropped by 27% between 2022 and 2023. This suggests that the security of BNB Chain has improved over the years.
Figure 1: Q3 financial losses in 2021, 2022 and 2023
2023 Q3 vs 2023 Q2
Figure 2: Financial losses from previous quarters in 2023
A handful of projects were responsible for inflated losses in Q2 and Q3.
Number of Incidents
Figure 3: Number of incidents across previous quarters in 2023
Interestingly, the number of incidents remained relatively consistent from Q2 to Q3.
Figure 4: Amount lost to exploits across the previous quarters in 2023
As seen in Figure 4, the amount lost due to exploits dropped significantly between Q2 and Q3 of 2023. This can be attributed to several factors.
Figure 5: Number of incidents due to hacks across the previous quarters of 2023
This can be attributed to the fact that Web3 security companies and on-chain sleuths are monitoring transactions very closely. Hence, hackers are deterred from blackhat activities for fear that they might be traced back to their real identities.
Figure 6: Proportion of funds loss across all chains in Q3
As seen in Figure 6, 70% of the total losses in Q3 of 2023 occurred on Ethereum and Tron.
Figure 7: Proportion of incidents across all chains from Q1-Q3
Ethereum still had the highest financial losses in each quarter of 2023 so far. Losses on Ethereum constituted 85% and 36% of total losses in Q1 and Q3 respectively.
In total, nearly $43.58 million was lost as a result of security incidents on BSC in Q3. As demonstrated by Figure 8, the month with the greatest losses was September.
Figure 8: Amount of stolen funds in dollars per month in Q3 of 2023
Figure 9 shows the number of projects impacted by exploits in Q3.
Figure 9: Number of projects impacted by exploits
The highest number of security incidents took place in September. In total, there were 126 incidents on BSC between July and September.
Out of the total 126 security incidents, hacks made up 35.71%. The remaining 64.29% were scams.
Figure 10: Proportion of types of exploits
Even though there were more scams than hacks, the financial impact of scams was less significant. The total financial loss of scams was $13.6m and the total financial loss from hacks was $29.8m, as shown in Figure 11.
Figure 11: Financial impact measured in dollars comparing different types of incidents
This suggests that the number of scammers in the crypto space is growing, with strategies evolving to trick users.
Figure 12 shows the specific attack vectors and their corresponding financial losses in Q3 of 2023.
Figure 12: Proportion of funds lost across different types of exploits
In Q3, 67.23% of losses were attributed to rugpulls. Even with multiple reports highlighting rugpulls and strategies on how to look out for them, rugpulls remain prevalent in Web3.
The second most common attack vector was reserves manipulation, which accounted for 8.40%. This occurs when some lesser-known tokens modify the transfer function to burn tokens from the liquidity pool under certain conditions, which skews the pool's reserves and can result in an exploit.
The third most common attack vector was price manipulation, at 4.20%. This can be traced to poorly designed smart contracts relying on the instantaneous price of liquidity pools, making them easy to manipulate with a single large swap or a flash loan.
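The following added example (not code from the HashDit report or from any of the projects it discusses) models the price-manipulation pattern just described: a toy constant-product pool whose instantaneous price is moved by one large swap in a single block, compared with a time-weighted average price (TWAP) accumulator in the style of Uniswap v2, which is the usual mitigation. The reserves, the swap size and the timestamps are constructed values.

```python
class Pool:
    """Toy constant-product AMM (x * y = k) with a cumulative price
    accumulator. Swap fees are ignored; all numbers are constructed."""

    def __init__(self, token_reserve, usd_reserve, ts=0):
        self.token = float(token_reserve)
        self.usd = float(usd_reserve)
        self.cumulative = 0.0   # sum of (spot price * seconds it was in effect)
        self.last_ts = ts

    def spot_price(self):
        # USD per token implied by current reserves: what a naive contract reads
        return self.usd / self.token

    def sync(self, ts):
        # Accrue the price that held since the last reserve update.
        self.cumulative += self.spot_price() * (ts - self.last_ts)
        self.last_ts = ts

    def swap_token_for_usd(self, amount_in, ts):
        # Sell amount_in tokens into the pool; reserves move along x * y = k.
        self.sync(ts)
        k = self.token * self.usd
        self.token += amount_in
        usd_out = self.usd - k / self.token
        self.usd -= usd_out
        return usd_out

    def twap(self, cum_start, ts_start, ts_now):
        # Time-weighted average price over [ts_start, ts_now]; a price that
        # only held for one block barely moves it.
        self.sync(ts_now)
        return (self.cumulative - cum_start) / (ts_now - ts_start)


def manipulation_demo(big_swap=500_000):
    """Returns (spot price, TWAP) as seen one second after a large swap."""
    pool = Pool(1_000_000, 1_000_000)           # 1 token = $1.00 at start
    cum0, ts0 = pool.cumulative, pool.last_ts   # oracle snapshot at t=0
    # An hour of quiet, then one large token sale landing in a single block.
    pool.swap_token_for_usd(big_swap, ts=3600)
    spot = pool.spot_price()                    # naive contract: reads $0.44
    avg = pool.twap(cum0, ts0, ts_now=3601)     # hardened contract: ~$1.00
    return round(spot, 4), round(avg, 4)
```

The spot reading collapses to about $0.44 while the one-hour TWAP stays at about $1.00, which is why a contract that prices positions or collateral from the instantaneous pool ratio is the one that gets drained.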
When comparing the project type against financial loss, 94.96% of financial losses were attributed to DeFi projects.
The second most targeted project type was MEV-related projects at 1.66%, followed by GameFi and gambling projects at 0.84% each.
Figure 13: Proportion of funds lost against the type of project
The large proportion of fiat losses associated with DeFi projects suggests that DeFi remains the most common type of crypto project in the Web3 space. It also shows how important it is for users to invest only in reputable, well-audited projects and to steer clear of potential rugpulls and vulnerabilities.
The following were the top 10 security incidents in terms of financial losses in Q3 of 2023.
Figure 14: Top exploits measured in dollars in 2023 Q3 on BNB Smart Chain
Stake.com is a crypto gambling protocol that offers a variety of casino games such as dice, blackjack, Lingo and more, as well as sports betting on basketball, tennis, volleyball and other sports. On 4 September 2023, Stake.com encountered an abnormal outflow of funds totaling approximately $41 million.
The attack transpired across multiple chains, incurring losses of around $15.7 million on Ethereum, $7.8 million on Polygon, and $17.8 million on BSC. This brought the cumulative losses to over $41 million.
One of the fraudulent transactions can be traced back to: transaction.
From the transaction details, it's evident that the funds were transferred directly from Stake.com's hot wallet: transaction to the attacker's address. Subsequently, the funds were dispersed among numerous accounts.
Stake confirmed this security breach via social media, stating, "Three hours ago, unauthorized transactions were initiated from Stake's ETH/BSC hot wallets." As a result of this security incident, Stake's operations were temporarily put on hold.
On 12 September 2023, CoinEx detected irregular withdrawals from several of its hot wallet addresses, which were utilized to store user assets. The unauthorized transactions affected 19 chains, including $ETH, $TRON, and $MATIC, bringing the total loss to an estimated $55 million.
One particular unauthorized transaction can be seen here: transaction. The assets were transferred directly from CoinEx's hot wallet to the hacker's address. This indicates that the culprits may have managed to seize control of the private key of CoinEx's hot wallet.
Following the hacking event, CoinEx temporarily suspended crypto deposits/withdrawals, relocated assets to more secure addresses, overhauled and redeployed the wallet system, and engaged in efforts with other exchanges to freeze the attacker's assets.
On 18 July 2023, $GMETA on BSC rug pulled for ~$2.36M. The token price dropped 96%.
The contract creator 0x9f02c29ad35fd20a51cd48250512a7b7feeb8ed1 transferred 1M $GMETA to the address 0xd33D347d8f54EC3229A771F2092A6c6b6750D695, which then used 120K $GMETA to swap out 2,367,507 USDT from the pair, causing the price slippage.
The contract creator previously minted the 1B $GMETA tokens during the deployment transaction.
Multichain, a bridge project, was exploited due to a private key compromise on 10 July 2023, resulting in users losing more than $1.7 million USD on BSC. The team tweeted regarding the incident: “The lockup assets on the Multichain MPC address have been moved to an unknown address abnormally. The team is not sure what happened and is currently investigating. It is recommended that all users suspend the use of Multichain services and revoke all contract approvals related to Multichain.”
Subsequently, the Multichain team announced that their CEO had been arrested, that they were unable to continue business without him, and that they were therefore winding down services.
While the exact attack vector is unclear, the behavior of the transactions suggests that the attacker could control the chain addresses directly.
The staking contract is: 0xdedbd1804569f369e33e453ee311f0f97dcd0bde
The privileged address 0xee08d6c3a983eb22d7137022f0e9f5e7d4cf0be2 directly withdrew 1,427,200 BSC-USD staked in the vPoolv6 contract via the backdoor function withdrawFunds().
On 27 July 2023, the IEGT token rug pulled for $1.14 million. The IEGT token had been created on BSC on 13 July. Its creators secretly minted a large amount of tokens, a telltale sign of a rug: although the project reportedly had only 5 million tokens in supply, the hidden mint allowed the team to sell 1 billion tokens, cashing out approximately $1.14 million in the USDT stablecoin.
The team tried to cash out the funds through Binance, specifically with this address. However, due to the fast action by the Binance team, the funds were eventually frozen.
On 20 August 2023, a fake LayerZero token removed liquidity, draining 4,827.99 WBNB (~$1M).
The scammer removed all of the liquidity in 1 transaction.
The funds were then swapped to BUSD and transferred to this wallet: https://bscscan.com/address/0xa792a4ad2f1f120a63821b6ff20fac154ead4d84.
On 25 July 2023, PalmSwap, a DeFi platform, was exploited for ~$900k on BSC.
Palmswap v2 provides a highly liquid, powerful and user-friendly decentralized leveraged trading platform. PLP is the liquidity provider token of the Palmswap trading platform; it is composed of a USDT asset index used for leveraged trading.
PLP can be minted with USDT and burned back for USDT. The mint and burn prices are calculated by dividing the total value of assets in the index (including profit and loss on open positions) by the PLP supply.
The “white hat” returned 80% of the funds.
On 19 July 2023, there was an access control hack related to CRN-DEX.
The hack transaction is as follows:
https://bscscan.com/tx/0xd8d4d19995bebc0e5cf3e18c432bfb7bc04d85b6a16bea2937683bc5045ba05d
The hacker was able to invoke a privileged function 0x80cad990 of the victim contract 0xb454bf72b2398dae86234b9e023bc1ac8d3f14af to steal ~$850k worth of funds.
On 3 August 2023, NFT_SalesRoom ($ASN) on BSC experienced a substantial loss, with ~$670k worth of tokens rugged. The ASN contract dropped ~98% in value afterwards.
A large amount of tokens was transferred from the deployer to the rugpull address.
Once received, this address went on to sell 1M $ASN for ~$670k BSC-USD.
The USDT funds were then laundered and transferred to different CEXs.
BNB Smart Chain continues to be a strong competitor, outperforming Ethereum in terms of daily active users and transactions. However, 2023 Q3 has been a tough quarter for both investors and developers due to the bear market and hack incidents, which have eroded trust within the cryptocurrency community. Below we have some final tips for investors and developers:
For BNB Chain Users:
For BNB Chain Developers:
HashDit’s core mission is to provide the essential threat intelligence for everyday crypto investors to make informed decisions. Our methodology includes a variety of automated and manual techniques to evaluate a DApp project.
Hashdit has launched several products in 2023 Q3 including:
Blog: The goal is to share security knowledge for builders, investors and users in the Web3 community. With all the players in the industry equipped with the security knowledge needed and adopting a security-first mindset, only then will the Web3 ecosystem be a safer place for everyone. Read Hashdit's Github blog here!