Security in BSC & Digital Asset Protection?

SheepDex · 6 min read · Nov 17, 2021

Recently there have been multiple instances of scams and extensive attacks within the BSC ecosystem. Due to the decentralized, permissionless nature of the BSC blockchain, this is an issue that can’t be resolved easily. There are several major challenges in BSC now:

As the BSC ecosystem grows at rocket speed, it’s becoming a special target of hackers. These hackers are well-organized, keep trying to identify potential issues in different protocols, and may now hold more zero-day vulnerabilities.

Some projects within the ecosystem lack experience in secure software development and have no risk control experts. There’s also a lack of code audits, penetration testing, and collaboration with security professionals.

This is a very challenging issue for many projects, many of which lost hundreds of millions of assets overnight.

What are the threats?

There are two types of threats for many projects:

External: These are all the threats coming from outside of the project. External attackers usually exploit technical or operational vulnerabilities, infiltrate internal systems via hacks or social engineering, and attempt to steal funds or valuable information, or simply take the project down.

Internal: Internal threats are the well-known rug pulls, exit scams, and insider leaks. They are much harder to prevent and usually more complicated to investigate. In most cases, there are individual team members who saw an opportunity and abused their power, but there are also rare cases of organized groups and teams executing these attacks.

Are BSC-based Projects safe?

The question of whether BSC, or any other blockchain for that matter, is safe could be answered in different ways. One element is the security of the code, the nodes, and the blockchain itself; the second element is the security of the ecosystem. The BSC ecosystem consists of multiple parts and participants, each of which comes with a different set of threats. There’s the code and the algorithm, validators and their hardware, projects building on BSC, and also the individuals using it.

The decentralized BSC blockchain runs on open-source code that is accessible to third parties and the public for auditing. With open-source code, anyone (with the required technical knowledge) can review the code line by line and assess possible weaknesses and threats. The PoSA algorithm, built around 21 elected validators, prevents individual validators from gaining too much control over the network and going rogue.

The BSC network and the algorithm it operates on are indeed very safe. BSC’s track record, clean of incidents or hacks, shows that there are no known vulnerabilities or attack vectors that could be abused on the blockchain itself. Security teams and projects incentivized by the bounty program rigorously test every element of BSC’s security on a regular basis, ensuring that even the slightest issues get resolved immediately.

While with the BSC network and code we can verify and audit almost everything, with individual projects it’s a bit more difficult. Not every project on BSC is open-source, and even then, being open-source doesn’t automatically mean secure. Then there’s the security of smart contracts: no code is zero-defect, and as each project is developed by an independent team, there’s always a chance of defects.

Due to the decentralized nature of BSC, basically anyone can build on the network and attempt to list a token on one of the many decentralized exchanges. There’s no review process or centralized governance that would prevent malicious projects from launching on BSC, as such censorship would damage decentralization and is not technically or logistically possible.

There are multiple BSC security audit firms, like PeckShield and CertiK, that audit and verify different BSC tokens and Dapps. Thorough security audits look for potential vulnerabilities in the code, business model, and other aspects. They also often verify the core team members, review their previous experience, or audit the project’s finances. However, these audits are not mandatory and they rarely cover new or emerging Dapps. When looking for a genuine project, it’s recommended to avoid uncertified projects and always prefer projects with multiple audits from different companies.

If you are a BSC user, we recommend that you do your own research, grow your knowledge and understanding of BSC and DeFi, and participate in the community education and awareness sessions hosted by different BSC-based project communities. The following tools may be helpful.

How do I learn about BSC and the projects based on it?

· BscScan: the blockchain explorer and analytics platform for Binance Smart Chain, where you can track transactions, contract addresses, token names, verified contracts and other information on the BSC blockchain.

· BscProject: a third-party blockchain explorer and data analytics website, which continuously tracks BSC network data and project data and updates project information. Don’t miss out on information about the state of the network and the BSC ecosystem.

· Debank: A data analytics site that tracks data from multiple blockchain networks, including BSC and hundreds of projects. Users can compare different blockchain markets here.

· CertiK Blockchain Security Leaderboard: A security panel created by CertiK, BSC’s key security partner, that offers insights from different perspectives.

· Binance Academy: Binance Academy provides ordinary users with a range of content to help them understand blockchain, crypto assets, security, technology and operational knowledge. You can also learn about security audits and how to spot DeFi scams at Binance Academy.

Is there a way to report scams?

Thanks to PeckShield, one of the major security partners within the BSC ecosystem, there’s now an easy way to report scams or suspicious projects.

Simply visit https://forms.coinholmes.com/ and enter as much information as you can.

SheepDex — Building a better blockchain security

SheepDex is a decentralized exchange designed to improve the security of the BSC ecosystem and protect user assets and data. It has been audited by PeckShield and CertiK, and has a separate security team. Having gone through 2 audits, SheepDex will continue to work with security companies with a solid reputation to keep analyzing potential vulnerabilities. Moreover, SheepDex has also introduced a Vulnerability Reward Program and works with a third-party platform, which can attract community testers to identify issues earlier. Last but not least, SheepDex provides better transparency, clearly communicates all major updates and its roadmap, and organizes community sharing sessions for both developers and users.

Historically, DEXs have rarely been attacked. In some DEXs, the loss of user assets is caused by excessive key-management permissions and the misappropriation of user assets. Therefore, it is strongly recommended that you do your research, view the audit reports, and compare them carefully with the contract deployment on the blockchain explorer to understand whether the platform holds any excessive permissions.

SheepDex’s private key permissions are mostly related to token allocation and include no permission to use user assets because, as a DEX, it does not require this type of permission. So there is no misappropriation at all in terms of the use of assets. At the same time, the team will also introduce a multisig mechanism that allows more stakeholders to participate in authorization, making every decision more open and transparent.
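The comparison recommended above, between an audit report and the contract deployed on the explorer, can start from the ABI that a verified contract's explorer page exposes. The Python sketch below is an added example, not SheepDex's or any auditor's code; the hint list, the names `privileged_functions` and `_fn`, and the sample ABI are assumptions constructed for illustration, and every match is a name-based heuristic.

```python
import json

# Name fragments of state-changing functions that usually sit behind an
# owner/admin key. Assumption: illustrative list, not a complete one.
PRIVILEGED_HINTS = {
    "ownership": ("transferownership", "renounceownership", "setowner", "setadmin"),
    "supply": ("mint", "burnfrom"),
    "freeze": ("pause", "blacklist", "freeze"),
    "fees": ("setfee", "settax"),
    "funds": ("withdraw", "sweep", "rescue", "migrate"),
    "upgrade": ("upgradeto", "setimplementation"),
}

def privileged_functions(abi_json):
    """Return {category: [signatures]} for state-changing functions whose
    names match a hint. An ABI does not expose access modifiers, so each hit
    still has to be checked against the verified source and the audit report."""
    findings = {}
    for entry in json.loads(abi_json):
        if entry.get("type") != "function":
            continue
        # Read-only functions (including legacy "constant" ones) cannot move assets.
        if entry.get("stateMutability") in ("view", "pure") or entry.get("constant"):
            continue
        name = entry["name"]
        sig = "%s(%s)" % (name, ",".join(i["type"] for i in entry.get("inputs", [])))
        for category, hints in PRIVILEGED_HINTS.items():
            if any(h in name.lower() for h in hints):
                findings.setdefault(category, []).append(sig)
    return findings

def _fn(name, mutability, *types):
    return {"type": "function", "name": name, "stateMutability": mutability,
            "inputs": [{"type": t} for t in types]}

# Constructed sample ABI (not taken from any real contract).
SAMPLE_ABI = json.dumps([
    _fn("balanceOf", "view", "address"),
    _fn("transfer", "nonpayable", "address", "uint256"),
    _fn("mint", "nonpayable", "address", "uint256"),
    _fn("setFeeRate", "nonpayable", "uint256"),
    _fn("emergencyWithdraw", "nonpayable", "address"),
    _fn("transferOwnership", "nonpayable", "address"),
    {"type": "event", "name": "Transfer", "inputs": []},
])

if __name__ == "__main__":
    for category, sigs in sorted(privileged_functions(SAMPLE_ABI).items()):
        print(category, sigs)
```

A hit such as `withdraw` can also be an ordinary user function, so the output is a reading list for the source and audit report, not a verdict.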

The last few months exposed that some of the critical infrastructure and services need to be rebuilt to cater to the rocket growth of users and network activity. As a community-driven and decentralized ecosystem, BSC can survive and thrive only if all the ecosystem members come together and coordinate as a community.

The BSC ecosystem will face many challenges over the upcoming months, but building a decentralized, scalable, and secure blockchain is not easy. We’re asking for your support during these times and we welcome all your suggestions.

Join SheepDex

Website: https://SheepDex.org

Twitter: https://twitter.com/SheepDex

Discord: https://discord.gg/HPcTX23vPT

Medium: https://medium.com/SheepDex

Telegram: https://t.me/SheepDex


SheepDex is the 1st decentralized cross-chain liquidity aggregation platform integrating spot and derivatives on BSC with a 0 Funding Rate Perpetual Contract.