Frequent Scams and Theft in the Cryptocurrency Space: How Can Ordinary People Protect Themselves?

Beginner · Jul 13, 2024
Recently, scams in the cryptocurrency space have become rampant, leading to losses of 4.6 billion dollars in 2023 and 500 million dollars already lost in early 2024. Common problems include vulnerabilities in DeFi protocols (like flash loan attacks and oracle manipulation), phishing websites, and fake airdrops. To protect yourself, enhance your security awareness, regularly check and revoke unknown authorizations, use cold wallets for most of your assets, and avoid clicking on unknown links or downloading unfamiliar plugins.

According to reports from Cointelegraph, fraud has once again become a major driver of cryptocurrency crime, causing direct losses of 4.6 billion dollars last year (2023).

According to a CertiK data report, there were 223 significant on-chain security incidents in the cryptocurrency sector in the first quarter of 2024 alone, resulting in losses totaling 500 million dollars. Additionally, a recent SlowMist report highlighted that there were over 31 notable security incidents last month (May), causing losses of 124 million dollars due to hacking, phishing scams, account theft, and rug pulls. This represents an increase of about 52.5% compared to April.

Furthermore, the widely discussed incident involving the theft of large amounts of funds from OKX users has reportedly not only drained substantial funds from some users but also led to 630 million dollars of user funds being withdrawn from the exchange this month.

These incidents are just the ones we know about. Many scams, such as “pig butchering” schemes targeting newcomers to the field, are difficult to quantify.

That’s why I always emphasize two fundamental principles for newcomers in this field: first, protect your initial capital, and second, avoid things you don’t understand. Simply put, always prioritize security awareness. We’ve previously summarized some points on security in earlier articles. Today, we’ll continue this discussion by highlighting some common security issues:

1. DeFi Protocol Vulnerabilities

Common vulnerabilities in DeFi include flash loan attacks and oracle manipulation, both of which can drain a DeFi protocol’s resources.

Flash loans are an innovative DeFi product allowing users to borrow any amount of crypto assets from a protocol pool without collateral, provided the principal and interest are repaid within the same transaction (and therefore within one block). The advantage of flash loans is that they enable users to exploit market arbitrage opportunities, achieving low-cost, high-reward operations. The risk is that if the user cannot repay within the specified time, the transaction is canceled, resulting in a loss of transaction fees and interest.

Flash loan attacks work by rapidly executing multiple borrowing and trading operations on the same blockchain network, causing errors in smart contracts, and allowing attackers to gain undue benefits. For example, on May 14th, the Optimism-native lending protocol Sonne Finance, based on Compound, suffered a flash loan attack, losing over 20 million dollars.

Oracles are applications that obtain, verify, and transmit external information (off-chain data) to smart contracts on the blockchain. Besides pulling off-chain data and broadcasting it on Ethereum, oracles can also push information from the blockchain to external systems. For instance, a smart lock can be unlocked once a user sends a fee through an Ethereum transaction. Without oracles, smart contracts would be limited to using only on-chain data.

Oracle manipulation can result in oracles reporting incorrect data about external events or real-world conditions. For instance, consider a crypto asset traded across five exchanges, where 85% of the trading volume occurs on two of them. If the oracle only covers the other three exchanges with lower liquidity, its coverage is insufficient. An attacker could manipulate the prices on these three low-liquidity exchanges, causing the oracle to report prices that deviate from the actual market prices, thus creating a risk of manipulation.
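The five-exchange scenario above can be turned into a feed health check. This is an added example, not code from the original article or from any oracle project: the venue names, prices, volumes, the median aggregation and both thresholds are constructed assumptions.

```python
from statistics import median

# Constructed sample data: five venues, 85% of the volume on the first two.
VENUES = {
    "venue_a": {"price": 100.0, "volume": 500_000},
    "venue_b": {"price": 100.1, "volume": 350_000},
    "venue_c": {"price": 99.9, "volume": 60_000},
    "venue_d": {"price": 100.2, "volume": 50_000},
    "venue_e": {"price": 100.0, "volume": 40_000},
}
THIN = ["venue_c", "venue_d", "venue_e"]  # the three low-liquidity venues
DEEP = ["venue_a", "venue_b"]             # the two venues with 85% of volume


def volume_coverage(venues, sources):
    """Fraction of total traded volume that the oracle's sources represent."""
    total = sum(v["volume"] for v in venues.values())
    covered = sum(venues[s]["volume"] for s in sources)
    return covered / total if total else 0.0


def market_vwap(venues):
    """Volume-weighted average price across every venue (the reference)."""
    total = sum(v["volume"] for v in venues.values())
    if not total:
        raise ValueError("no volume reported")
    return sum(v["price"] * v["volume"] for v in venues.values()) / total


def oracle_price(venues, sources):
    """Assumed aggregation: median of the prices at the oracle's sources."""
    return median(venues[s]["price"] for s in sources)


def check_feed(venues, sources, min_coverage=0.5, max_deviation=0.02):
    """Return findings for a feed; both thresholds are assumptions."""
    findings = []
    if volume_coverage(venues, sources) < min_coverage:
        findings.append("LOW_COVERAGE")
    reference = market_vwap(venues)
    if abs(oracle_price(venues, sources) - reference) / reference > max_deviation:
        findings.append("PRICE_DEVIATION")
    return findings


def with_prices(venues, overrides):
    """Copy of the venue table with some prices replaced (for what-if runs)."""
    return {n: {**v, "price": overrides.get(n, v["price"])} for n, v in venues.items()}


if __name__ == "__main__":
    # What-if: prices on the thin venues sit 10% away from the deep venues.
    skewed = with_prices(VENUES, {n: 110.0 for n in THIN})
    for label, book, src in [
        ("thin sources, normal market", VENUES, THIN),
        ("thin sources, skewed thin venues", skewed, THIN),
        ("deep sources, skewed thin venues", skewed, DEEP),
    ]:
        print(f"{label}: coverage={volume_coverage(book, src):.0%} "
              f"oracle={oracle_price(book, src):.2f} "
              f"market={market_vwap(book):.2f} findings={check_feed(book, src)}")
```

The coverage finding fires even while prices agree, which is the point of the paragraph: a feed built on 15% of the volume is a risk before anyone has moved a price.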

For instance, on June 10, the lending platform UwU Lend was attacked, resulting in a loss of approximately 19.3 million dollars. The core of this attack involved the attacker manipulating the price oracle by making large trades in the Curve Finance pool, which affected the price of the sUSDE token. The attacker then exploited the manipulated price to withdraw other assets from the pool.

Therefore, when using DeFi protocols, it’s important to diversify your investments and avoid using protocols that haven’t been audited or have low liquidity pools.

2. Various Phishing Websites

Many users have likely encountered phishing websites. Scammers create fake official websites that look legitimate and spread them widely through social media, emails, discussion groups, and other channels. If a user visits a fake website and, tempted by some benefits, connects their wallet and grants authorization, the assets in their wallet can be automatically stolen.

To avoid this, always double-check the DApp domain (URL) when visiting websites, especially those requiring wallet authorization, like DEX platforms. It’s best to bookmark the official websites you frequently use instead of searching for them on Twitter or Google each time, as search results can sometimes be misleading. Additionally, avoid clicking on project ads on various websites, as scammers often place fake ads.

Avoid clicking on links sent by strangers. For example, a common scam on Discord involves scammers sending messages with links to fake pages or Twitter posts (the link to the Twitter post itself might be genuine, but the post contains a fraudulent link).

If you need to install browser plugins, only install ones you are familiar with. Recently, on June 3rd, a user reported losing a million dollars after installing a malicious Chrome extension called Aggr.

Therefore, when dealing with browser plugins (using Chrome as an example), ensure you only install known plugins from the Chrome Web Store to avoid unknown extensions. You might also consider using security check plugins like ScamSniffer for safer browsing.

If you are particularly concerned about security, consider creating a separate Chrome user profile specifically for DApp interactions that require wallet access. Do not install any plugins on this profile and make sure to log out immediately after completing your transactions.

3. Check Your Wallet Regularly

In addition to verifying the safety and reliability of protocols when authorizing various DApps, it’s advisable to regularly check your wallet’s authorization history and revoke any authorizations that might be risky or unclear, even if you have already disconnected your wallet.

There are several tools available for checking wallet authorizations, with RevokeCash being one of the more commonly used ones, as illustrated in the image below.

Additionally, some wallets offer features for managing historical authorizations. For example, the Rabby wallet, which is a crypto wallet under Debank, supports this functionality, as shown in the image below.
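On EVM chains, the authorizations discussed here and in the phishing section are usually token approvals, and the request a site asks the wallet to sign can be read before approving it. The following is an added example, not code from the original article or from RevokeCash or Rabby: the sample calldata and the spender address are constructed placeholders, and the wording of the findings is an assumption.

```python
from typing import Optional

MAX_UINT256 = 2**256 - 1
SELECTORS = {
    # approve(address,uint256): ERC-20 allowance (ERC-721 reuses it per token id)
    "095ea7b3": "erc20_approve",
    # setApprovalForAll(address,bool): operator rights over a whole collection
    "a22cb465": "set_approval_for_all",
}


def decode_authorization(calldata: str) -> Optional[dict]:
    """Decode approve / setApprovalForAll calldata; None for anything else."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    kind = SELECTORS.get(data[:8])
    if kind is None or len(data) != 8 + 128:  # selector + two 32-byte words
        return None
    try:
        word1, word2 = int(data[8:72], 16), int(data[72:136], 16)
    except ValueError:
        return None
    if word1 >> 160:  # an address must fit in the low 20 bytes
        return None
    spender = "0x" + data[32:72]
    if kind == "erc20_approve":
        return {"kind": kind, "spender": spender, "amount": word2,
                "unlimited": word2 == MAX_UINT256}
    return {"kind": kind, "spender": spender, "granted": word2 != 0}


def review(calldata: str, known_spenders: set) -> str:
    """Summarise what a signing request would authorize."""
    auth = decode_authorization(calldata)
    if auth is None:
        return "not an authorization call"
    if auth.get("amount") == 0 or auth.get("granted") is False:
        return "revocation"
    notes = []
    if auth["spender"] not in known_spenders:
        notes.append("unknown spender")
    if auth.get("unlimited"):
        notes.append("unlimited amount")
    if auth["kind"] == "set_approval_for_all":
        notes.append("covers every token in the collection")
    return "; ".join(notes) or "limited approval to known spender"


# Constructed samples; the spender is a placeholder, not a real contract.
SPENDER = "11" * 20
UNLIMITED = "0x095ea7b3" + "00" * 12 + SPENDER + "ff" * 32
REVOKE = "0x095ea7b3" + "00" * 12 + SPENDER + "00" * 32
OPERATOR = "0xa22cb465" + "00" * 12 + SPENDER + "00" * 31 + "01"
TRANSFER = "0xa9059cbb" + "00" * 12 + SPENDER + "00" * 31 + "05"

if __name__ == "__main__":
    for name, tx in [("unlimited", UNLIMITED), ("revoke", REVOKE),
                     ("operator", OPERATOR), ("transfer", TRANSFER)]:
        print(f"{name}: {review(tx, known_spenders=set())}")
```

An approval with amount zero (or `setApprovalForAll` with `false`) is what a revocation looks like on-chain, which is why disconnecting the wallet from a site does not remove an authorization already granted.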

Regarding wallet usage, if you have a significant amount of assets, it’s advisable not to keep all your funds in hot wallets like Metamask or Phantom. You can keep a portion of your frequently used funds in hot wallets (distributed across multiple hot wallets), and another portion in exchanges (distributed across different exchanges, but only use major ones). The remaining funds should be stored in cold wallets.

Additionally, cold wallets don’t have to be hardware wallets like Ledger, Trezor, or Ellipal. Personally, I use two separate Apple phones offline as cold wallets. For daily transactions, I use a separate Apple phone as a hot wallet (I don’t recommend using Android phones), which is also separate from my everyday phone.

4. Prevent Fake Airdrops

Many people, especially newcomers, think of airdrops as free tokens or NFTs they can claim. Scammers take advantage of this by using fake airdrops to trick people into revealing their wallet private keys or leading them to phishing websites where they authorize their wallets.

For instance, you might unexpectedly receive an NFT (a small image) in your wallet with a URL on it, enticing you to visit the website. If you visit the site and authorize your wallet, your assets could be instantly drained.

When you see free token claim addresses or airdrop links for popular projects on social media, always verify their authenticity through the official website of the project. Never share your seed phrase or private key to claim any airdrop. Your seed phrase equals all your assets—never disclose it to anyone.

We’ve only listed some common security issues and prevention tips here. The crypto space is rife with evolving scam methods. Scammers continuously think of new ways to deceive, underscoring the point we made earlier: when someone focuses on a specific area and keeps researching, they can get ahead. Scammers are always refining their tactics, making it increasingly difficult for most people to stay protected.

To wrap up, let’s take a look at some of the latest hot news from the past couple of days:

  • On June 17, Binance listed ZKsync (ZK) at 16:00 Beijing time and opened related spot trading pairs.
  • On June 17, the ZK Nation airdrop became available at 15:00 Beijing time.
  • On June 16, data from the GeniiData platform showed that the rune COOK•THE•MEMPOOL has been fully minted, with a total of 4,309,311 mints, making it the most minted rune currently, with 28,435 holding addresses.
  • On June 15, the Twitter account LayerZero Foundation posted a message with the image “06.20.2024”. People speculate that LayerZero might announce its token airdrop information on the 20th.
  • On June 15, TON’s price hit a historic high. Game projects in the TON ecosystem, such as Pixelverse, MomoAI, Hamster Kombat, and Catizen, are gaining more attention. Despite the overall market downturn, Toncoin has become a rare bright spot in the market recently.
  • On June 14, AO (a Layer1 built on the Arweave data storage platform) announced its tokenomics, with 36% allocated to AR holders and 64% to cross-chain users.
  • On June 14, there were reports that an ETH ETF might launch on July 2.
  • On June 14, a Forbes magazine article stated that CZ, currently imprisoned in the US, is the 24th richest person in the world, making him the wealthiest person ever to be incarcerated, with a fortune of 61 billion dollars. CZ’s wealth mainly comes from his 90% stake in Binance and his holding of 94 million BNB, which accounts for 64% of the circulating supply.

Disclaimer:

  1. This article is reprinted from [话李话外]. All copyrights belong to the original author [话李话外]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
  2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
  3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.
