The Web3 security space saw a dramatic shift in 2023, showing both advances in resilience and persistent difficulties. Cyberattacks against the Web3 sector caused over $1.7 billion in damages in 2023 across 453 documented incidents. The variety of threats behind these attacks highlights the critical need for constant vigilance in the Web3 community. This analysis report was prepared by a team of experts at Salus, a research-focused Web3 security company.
Hacks: A Year of Differing Patterns
Although total losses decreased considerably in 2023, high-profile exploits continued to have a significant impact. The $200 million loss suffered by Mixin Network in September, together with the $197 million loss suffered by Euler Finance in March and the $126.36 million loss suffered by Multichain in July, highlight the ongoing dangers to bridges and DeFi protocols.
Examining monthly losses in more detail reveals an interesting pattern. Although there were large losses in September, November, and July, there was a noticeable decline in October and December, suggesting that security awareness and the deployment of strong protections are gaining ground.
Snapshot 2023 of Web3 Security Vulnerabilities
Exit Scams:
Of all attacks, exit scams constituted 12.24%, with 276 occurrences resulting in a $208 million loss. Prominent instances involved ventures that promised substantial profits and then abruptly vanished with investors’ money.
Safety Precautions:
1. Investigate projects and teams in depth, make sure they have a proven track record, and rank projects according to transparent security assessments provided by reputable firms.
2. Diversify your investment portfolio and use caution when considering ventures that offer unreasonably high returns.
Problems with Access Control:
Access control problems accounted for 39.18% of attacks; the 29 such incidents resulted in a significant loss of $666 million. Prominent instances include the vulnerabilities exploited in Multichain, Poloniex, and Atomic Wallet.
Safety Precautions:
Adhere to the principle of least privilege, put strong authentication and authorization procedures in place, and review access permissions regularly. In addition, provide personnel with regular security training, particularly those holding high privileges, and set up thorough monitoring to quickly identify and respond to suspicious activity across applications and infrastructure.
Phishing:
Phishing made up 3.98% of attacks, and the 13 such incidents caused $67.6 million in losses. Attackers used a variety of constantly evolving phishing strategies, as shown by the Lazarus Group’s attack on AlphaPo.
Safety Precautions:
Front-end attacks have increased in the Web3 space because many projects undervalue front-end security. Web3 penetration testing is essential for finding system flaws and vulnerabilities before attackers do. Make user education a top priority, encourage the use of multi-factor authentication (MFA) and hardware wallets, and employ domain monitoring and email verification.
Attacks using Flash Loans:
Flash loan attacks made up 16.12% of attacks, with 37 occurrences resulting in a $274 million loss. Targeted flash loan attacks were launched against Yearn Finance, KyberSwap, and Euler Finance.
Safety Precautions:
Reduce the risks associated with flash loans by putting limitations in place, such as time limits and minimum borrowing amounts. Charging a fee for flash loans raises the cost for attackers and may deter their hostile use.
Reentrancy:
Reentrancy vulnerabilities caused 4.35% of attacks, and the 15 such occurrences resulted in a $74 million loss. The Vyper compiler issue and the Exactly Protocol attack showed how a tiny flaw can produce large losses.
Safety Precautions:
1. Strictly Follow the Checks-Effects-Interactions Pattern: Perform all relevant checks and validations first, then apply state changes, and only then interact with external contracts.
2. Put Comprehensive Reentrancy Protection into Practice: Apply a reentrancy guard to every function in the contract that performs sensitive operations.
Problems with Oracle:
Oracle problems caused 7.88% of attacks, and the 7 such instances resulted in a $134 million loss. The BonqDAO hack demonstrated how token prices can be altered by taking advantage of oracle weaknesses.
Safety Precautions:
1. Do not derive prices from markets with little liquidity.
2. Before adopting any particular price oracle design, determine whether the token’s liquidity is sufficient to guarantee the integrity of the platform integration.
3. Incorporate a Time-Weighted Average Price (TWAP) to raise the cost of manipulation for the attacker.
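A minimal cumulative-price TWAP, added here as an illustration of the third precaution (not code from the Salus report). The ISpotPrice interface and all contract names are assumptions; any on-chain spot source would do.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not from the Salus report): a minimal cumulative-price TWAP.
// The spot-price source interface is assumed for the example.
interface ISpotPrice {
    function spot() external view returns (uint256); // price scaled by 1e18
}

contract TwapOracle {
    ISpotPrice public immutable source;
    uint256 public priceCumulative;   // running sum of spot * seconds it was in force
    uint256 public lastUpdate;
    uint256 public lastSpot;

    // Snapshot of the accumulator at the start of the averaging window.
    struct Observation { uint256 cumulative; uint256 timestamp; }
    Observation public windowStart;

    constructor(ISpotPrice _source) {
        source = _source;
        lastSpot = _source.spot();
        lastUpdate = block.timestamp;
        windowStart = Observation(0, block.timestamp);
    }

    // Accrue the spot price that held since the previous update, then resample.
    function update() public {
        uint256 elapsed = block.timestamp - lastUpdate;
        priceCumulative += lastSpot * elapsed;
        lastSpot = source.spot();
        lastUpdate = block.timestamp;
    }

    // Pin a new window start; consult() averages from here to the present.
    function startWindow() external {
        update();
        windowStart = Observation(priceCumulative, block.timestamp);
    }

    // Time-weighted average since windowStart. A spot price pushed to 100x for one
    // 12-second block inside a 30-minute window moves this result by only 12/1800
    // of the spike, which is what makes the manipulation expensive to sustain.
    function consult(uint256 minWindow) external returns (uint256) {
        update();
        uint256 elapsed = block.timestamp - windowStart.timestamp;
        require(elapsed >= minWindow, "window too short");
        return (priceCumulative - windowStart.cumulative) / elapsed;
    }
}
```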
Additional Vulnerabilities:
Other vulnerabilities accounted for 16.47% of attacks, and the 76 such occurrences resulted in a $280 million loss. Numerous Web2 vulnerabilities, along with Mixin’s database breach, demonstrated the broad spectrum of security issues encountered in the Web3 domain.
Top 10 2023 Hacks: Synopsis
The top ten hacks of 2023, which accounted for about 70% of the year’s damages (around $1.2 billion), shared a common weakness: access control problems, especially the theft of private keys. The majority of these breaches happened in the second half of the year; three significant attacks happened in November.
Notably, the Lazarus Group was involved in many breaches that resulted in the loss of funds via hot wallet compromises. Mixin Network, Euler Finance, Multichain, Poloniex, BonqDAO, Atomic Wallet, HECO Bridge, Curve, Vyper, AlphaPo, and CoinEx were among the protocols that were exploited.
Conclusion:
By year’s end, 2023’s overall losses were lower than those of 2022. But the concentration of damage in the top 10 attacks highlights how important better protection is. Given the wide range of vulnerabilities, protecting the Web3 space requires a multifaceted strategy.
The importance of thorough audits and greater familiarity with Web3 penetration testing cannot be overstated, particularly in view of new infiltration techniques such as those used in the Lazarus Group attacks. Users and stakeholders are strongly encouraged to prioritize platforms and services that meet both functional demands and the highest security standards in order to pave the way for a safe Web3 future.