Attacks on crypto assets. Part I
Cryptocurrency and blockchain are amazing. They are the future. But every bright undertaking has its dark forces, and this series starts a conversation about them. Why?
First, to learn, as a user, to resist these attacks. Second, to understand Web 3.0 systems better: knowledge itself is your best shield. Third, to build your own risk and time management system that will help you manage crypto assets.
Contents of all parts
- Part I. General attacks and prerequisites
- Part II. Attacks on DeFi/DEXs/bridges
- Part III. Attacks on NFTs
- Part IV. Future attacks and DAOs
- Part V. Non-trivial attacks: a hodgepodge
Introduction
First, I note that attacks come in different kinds:
- Social:
  - phishing (social + technical);
  - social engineering;
I am primarily interested in technical attacks, but everything will have to be considered, because "pure" attacks and attack vectors practically do not exist, or are used extremely rarely.
Below are the different kinds of attacks; in the last part an attempt is made at their complete (though open-ended) classification.
Chapter I. Attacks in general
Sub-chapter #01. Precursors
01.01. DDoS
Not everyone yet understands that BTC is a coin with several clearly defined functions inside the network:
1. Reward for the Bitcoin DAO (the miners);
2. Internal unit of value of the Bitcoin network.
That is why, when you are told that "fast and cheap" transactions are possible on some network, do not believe it: someone always pays for fast and cheap transactions. In Web 2.0 it is the user, paying with personal data, ties to various retail services and so on. In Web 3.0 it is the validators, enthusiasts, etc.
In any case, DDoS is really the zeroth step of an attack, which then helps to organize:
- A 51% attack (to satisfy the double-spend condition);
- Various kinds of Sybil attacks;
- Various exclusion attacks (in a multi-chain world this becomes especially noticeable, and do not let that confuse you: this aspect is much broader, so for now I simply single it out);
- Others.
01.02. Phishing
To begin with: phishing is an attack in which a resource resembling the original is created in order to lure the private key, seed phrase, login/password and/or other significant data out of the user.
The phishing resource can be either an app (application) or a dApp (decentralized application). Examples:
- Website;
- Mobile app;
- Email;
- Other.
Among other things, note fake browser extensions, which are able to substitute data on the fly.
As a general example, I will cite "the case when scammers created a site on which they offered up to 10 NFTs from Bull & Ape. When the user tried to get the 10 NFTs, he was asked for his seed phrase."
You can therefore resist such attacks along several vectors:
1) install browser applications/add-ons that check the sites you visit (of course, an attack on the checking application itself is also possible, so this does not give complete confidence);
2) use the "cleanest" possible browser with a strictly limited number of allowed add-ons;
3) install applications only through Google Play/App Store, unless you are an advanced user who understands why different software has hash checksums and how to verify them, how to install from trusted developers, and what you are loading through the command line and Git;
4) use a proven antivirus (I will also say that antivirus companies themselves often sin in the crypto world) and, more importantly, a firewall with rules that you understand;
5) of course, follow the rules of general security: update the OS, and so on. Read about this in detail in the parts of the first and second material devoted to protection; today, however, we are talking about the attack.
1) it is very important to learn not to visit resources without https:// and to be able to read certificates, because phishing resources increasingly set up free certificates of various kinds to confuse people further;
2) learn by heart the 10-15 resources you visit, to avoid an obvious address substitution;
3) try not to reach popular sites via search (especially Google/Yandex, where there is advertising), since one of the phishing vectors is buying advertising for a malicious resource and pushing it to an artificial top position;
4) train yourself to check all data when depositing/withdrawing funds. For this you can:
- Use a Trezor/Ledger/etc.;
- Carry out transactions, checking them on the Trezor/Ledger screen;
- Learn to verify the first 3-4 and the last 3-4 characters of each account/operation, as well as 2-4 extra characters in the middle, because one of the attacks (see below) is creating look-alike wallets and inserting them through a keylogger + trojan combination and the like;
- Be sure to take a screenshot before and during the operation to record any anomalies;
- Do not keep all your eggs in one basket: distribute everything between "cold" and "warm" storage;
- Do not carry out transactions in a given period (say, from 21:00 to 07:30; on holidays, etc.);
- Do not participate in everything in a row from wallets that hold at least something.
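Two of the checks from the list above, the "know your 10-15 sites by heart / insist on https" rule and the "compare the first, last and a few middle characters of an address" rule, can be written as small defender-side functions. The code below is an added example and is not from the original post; the whitelist, the address book, the confusable-character table and the sample addresses are all constructed for illustration. The address check also shows why the middle of an address matters: a look-alike that shares the first and last four characters passes a prefix/suffix glance but fails a full comparison.

```python
"""Added example: a site-whitelist check and an address-book check.
All names, addresses and tables here are constructed, not real data."""
from urllib.parse import urlsplit

# Constructed: the 10-15 sites you know by heart (hypothetical names).
SITE_WHITELIST = {"app.uniswap.org", "etherscan.io", "trezor.io", "ledger.com"}

# Digit-for-letter swaps seen in look-alike domains (assumption, not exhaustive).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, whitelist=SITE_WHITELIST) -> tuple[str, str]:
    """Classify a URL: 'ok' (whitelisted host over https), 'block' (plain http,
    non-ASCII host, or a look-alike of a whitelisted host) or 'unknown'."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""          # urlsplit lower-cases the host for us
    if parts.scheme != "https":
        return ("block", "not https")
    if host in whitelist:
        return ("ok", host)
    if not host.isascii():               # IDN homoglyphs such as Cyrillic letters
        return ("block", "non-ASCII characters in host")
    folded = host.translate(_CONFUSABLES)
    for known in sorted(whitelist):
        if folded == known or _edit_distance(folded, known) <= 2:
            return ("block", f"look-alike of {known}")
    return ("unknown", "host not in whitelist")


# Constructed address book: label -> address verified out of band beforehand.
KNOWN_DEPOSIT = "0x4a7f" + "0b3d5e6f7a8b9c0d1e2f3a4b5c6d7e8f" + "9c21"
ADDRESS_BOOK = {"exchange deposit": KNOWN_DEPOSIT}
# Constructed look-alike: same first and last characters, different middle.
LOOKALIKE = "0x4a7f" + "f" * 32 + "9c21"


def check_address(candidate: str, book=ADDRESS_BOOK,
                  head: int = 4, tail: int = 4) -> tuple[str, str]:
    """Exact (case-insensitive) match against the address book is 'ok'.
    Same first `head` and last `tail` hex characters but a different middle is
    'block': that is the look-alike pattern described above, and it is why a
    few characters in the middle must be compared as well."""
    cand = candidate.strip().lower()
    for label, known in book.items():
        if cand == known.lower():
            return ("ok", label)
    for label, known in book.items():
        k = known.lower()
        if (len(cand) == len(k) and cand[:2 + head] == k[:2 + head]
                and cand[-tail:] == k[-tail:]):
            return ("block", f"looks like '{label}' but the middle differs")
    return ("unknown", "not in address book")


if __name__ == "__main__":
    for u in ("https://ledger.com/start", "http://ledger.com", "https://1edger.com",
              "https://etherscan.com", "https://news.example"):
        print(u, check_url(u))
    for a in (KNOWN_DEPOSIT, LOOKALIKE, "0x" + "a" * 40):
        print(a, check_address(a))
```

Anything that is not an exact whitelist hit is treated as at best "unknown": the point of the list above is that you only deal with resources and addresses you already know, so the function never tries to decide that an unfamiliar host is safe.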
Let me explain the last point separately.
Phishing is often based on greed. The simplest example is pseudo-forks. So, let's say, both Ether and Bitcoin had forks that were created for one purpose: to get you to hand over your seed phrase. After all, this is usually how it goes:
- To open a wallet on a new network you need some kind of client, say, a wallet app;
- For the new fork you cannot find anything, so you go to the "manufacturer's" website, where you download the "official" wallet;
- Then you enter your seed phrase there; they may even "credit" you with some Ethereum Anti Classic, and then all the money simply rides off into the sunset.
Phishing has many forms and implementations, but in general it comes down to three primitives:
- The main task, as in any trick, is to distract your attention, so that later time, greed, emotional purchases and so on work not for you but for the fraudsters; hence: do not get distracted;
- Next, it is important to make a high-quality, at least outwardly, copy: of a site, letter, application or whatever; so wherever you can customize something in appearance (background in the mail client, desktop wallpaper, the wallet's personal account page, and so on), customize it;
- Finally, the most important thing is the user's lack of understanding of all the processes. So it would be good to figure out what a private key is, what a seed phrase is, where they can and cannot be used, etc.: take your time.
Here are examples of complex attacks in which phishing played an important role:
- Airdrops;
- CEXs.
By the way, the latter (centralized exchanges) can teach a lot about countering phishing:
- Pay attention to https:// and check the certificate;
- Take your time: never rush;
- Use a virtual keyboard wherever possible;
- Do not say your password aloud;
- Learn to customize the pages of sites and other (d)Apps: from email to personal accounts;
- Try to complicate the primary authorization process (a complex password of more than 14 characters; OAuth 2.0; IP restriction; transaction codes, etc.).
At the same time, it is worth remembering that phishing advertisements for fake exchangers, exchanges, IDOs and the like still slip through in Google, while normal ones are blocked from advertising. Is it a coincidence that "one is allowed, and others are not"? I don't think so. Remember this too.
As for fake airdrops: perhaps this attack has now become even more popular than in the 2016-2018 hype. Here is an example: is the name Fake_phishing4953 telling? For me, yes. Do not rush to withdraw funds by entering a private key (let alone a seed phrase). It is always better to wait: you want to grab it quickly? Perhaps you simply do not have the strength for this market. The same applies to fake forks: they are easier to track by their mass, but many still fall for them.
Finally, primitives in letters: the same phishing, seen from the side. More precisely, it is one thing if you go to a dummy site: everything is clear there. Another thing is advanced spoofing, and a third is opening .pdf and even .doc(x) files: why do this? From ugly macros to an advanced payload embedded in the body of a document, there are many mechanics of attack through documents. Do you need that? Make a whitelist of email addresses (yes, even if there are 1000; at the same time check: why the hell do you need so many?) and do not accept files from unknown senders.
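The "whitelist of email addresses and no files from unknown senders" rule, together with the spoofing point, can be expressed as a small screening function over raw messages. This is an added example, not code from the original post; the sender whitelist, the blocked-extension list and the two sample messages are constructed. Beyond the whitelist itself it checks one spoofing trick the text alludes to: a display name that looks like a trusted mailbox in front of a different real sender address.

```python
"""Added example: screen an incoming message against a sender whitelist,
flag display-name spoofing, and reject document attachments.
Whitelist, extension list and sample messages are constructed."""
import email
import os
from email import policy
from email.utils import parseaddr

# Constructed: the only mailboxes you accept mail from.
SENDER_WHITELIST = {"alerts@exchange.example", "friend@mail.example"}
# Constructed: document/script types you will not open from mail at all.
BLOCKED_EXTENSIONS = {".pdf", ".doc", ".docx", ".docm", ".xls", ".xlsm",
                      ".js", ".exe", ".scr", ".lnk"}


def screen_email(raw: str, whitelist=SENDER_WHITELIST) -> tuple[str, list[str]]:
    """Return ('accept', []) or ('reject', [reasons...]) for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    findings = []
    if addr not in whitelist:
        findings.append(f"sender not whitelisted: {addr}")
    # Display-name spoofing: a whitelisted-looking name fronting another mailbox.
    if "@" in display and display.lower() != addr:
        findings.append(f"display name '{display}' does not match mailbox {addr}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            findings.append(f"attachment rejected: {name}")
    return ("reject" if findings else "accept", findings)


# Constructed sample: spoofed display name, unknown sender, macro-enabled document.
SAMPLE_SPOOF = """\
From: "alerts@exchange.example" <airdrop@claim-now.example>
To: me@mail.example
Subject: Claim your airdrop
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Open the attached claim form and enter your seed phrase.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="claim.docm"
Content-Disposition: attachment; filename="claim.docm"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Constructed sample: whitelisted sender, plain text, no attachment.
SAMPLE_OK = """\
From: Friend <friend@mail.example>
To: me@mail.example
Subject: lunch
Content-Type: text/plain; charset="utf-8"

See you at 12.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SPOOF, SAMPLE_OK):
        print(screen_email(sample))
```

The spoofed sample is rejected three times over (unknown mailbox, display name that does not match it, and a .docm attachment), which is the behaviour you want: a whitelist decides on the real address, never on the name shown next to it.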
Sub-chapter #02. Attacks on L1
I usually start with L0, but since attacks on atomic swaps and similar structures are similar to attacks on DeFi, only much more complex, I will put this aspect into a separate chapter. Plus, to understand L0 attacks it is important to understand the L1 architecture.
PoW family
Here we will consider the 51% attack and those related to it; selfish mining; attacks on full nodes; others.
PoS family
Here, see the trilogy: there are quite a lot of attacks, using the examples of Polygon, Avalanche, Near, Solana (especially) and BSC, and we will analyze them.