Salus 2023 Web3 Security Landscape Report

Published 10 months ago  •  Nikolas Sargeant

This Web3 security landscape report looks into the various security challenges in the ecosystem in 2023 and how users and stakeholders can enhance their security.

2023 was a significant turning point in the Web3 security landscape as it indicated both strides in resilience and persistent challenges. 

Last year, cyberattacks on the Web3 industry led to losses exceeding $1.7 billion, with approximately 453 reported incidents. The attacks indicated numerous threats, underscoring the crucial need for continued vigilance within the Web3 community.

Hacks: A Year of Contrasting Trends

Although the Web3 ecosystem witnessed a noteworthy decline in overall losses last year, high-profile exploits echoed loudly. The $200 million loss recorded by Mixin Network in September was a huge one, followed by Euler Finance ($197 million in March) and Multichain ($126.36 million in July). These attacks underscore persistent threats targeting bridges and DeFi protocols.

A closer look at the monthly losses reveals an intriguing trend. While September, November, and July stood out with substantial losses, October and December marked a notable downturn, hinting at an emerging focus on security awareness and the implementation of robust safeguards.

Vulnerabilities: Web3 Security Snapshot 2023

Exit Scams: Exit scams accounted for 12.24% of attacks, with 276 incidents resulting in a loss of $208 million. Major examples include projects promising high returns that suddenly disappeared with investors' funds.

Safety Measures:

  1. Research projects and teams to ensure they have an excellent track record and prioritize projects with transparent security assessment by reputable firms.

  2. Be wary of projects promising unrealistically high ROIs, and diversify your investments.

Access Control Issues: Access control issues represented 39.18% of attacks, with 29 incidents leading to a substantial loss of $666 million. Popular examples include vulnerabilities exploited in Multichain, Poloniex, and Atomic Wallet.

Safety Measures:

Implement robust authentication and authorization mechanisms, stick to the principle of least privilege, and regularly update access permissions. Furthermore, carry out ongoing security training for employees, especially those with high privileges, and establish comprehensive monitoring systems to promptly detect and respond to any suspicious activities across infrastructure and applications.

Phishing: Phishing incidents accounted for 3.98% of attacks, with 13 incidents resulting in a loss of $67.6 million. Attackers used varied and ever-evolving phishing techniques, exemplified by the Lazarus Group's attack on AlphaPo.

Safety Measures:

Carrying out Web3 penetration testing is crucial to identify vulnerabilities and weaknesses in your system that phishers could exploit. Prioritize user education, promote the use of hardware wallets and multi-factor authentication (MFA), and employ email verification and domain monitoring.

Flash Loan Attacks: Flash loan attacks contributed to 16.12% of the attacks, with 37 incidents leading to a loss of $274 million. Euler Finance, KyberSwap, and Yearn Finance fell victim to precision flash loan attacks.

Safety Measures: 

Eliminate flash loan risks by implementing restrictions like minimum borrowing amounts and time limits. Introducing fees for flash loan usage can raise the cost for attackers, acting as a deterrent against malicious exploits.
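The two restrictions named above (a minimum loan size and a fee) can be enforced directly in the lending contract, together with the repayment check that makes a flash loan atomic. The contract below is an added illustration written for this page, not code from the report or from any protocol it names; the IERC20 subset, the IFlashBorrower callback and the FlashLender contract are hypothetical, and the callback is only loosely modelled on the ERC-3156 style.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 subset used by the lender (assumed interface).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical borrower callback: the borrower must return principal + fee
// before this call returns, or the whole transaction reverts.
interface IFlashBorrower {
    function onFlashLoan(address initiator, uint256 amount, uint256 fee, bytes calldata data) external;
}

contract FlashLender {
    IERC20 public immutable token;
    uint256 public immutable minAmount; // loans below this size are refused
    uint256 public immutable feeBps;    // fee in basis points, e.g. 9 = 0.09%
    uint256 private _status = 1;        // 1 = not entered, 2 = entered

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    constructor(IERC20 _token, uint256 _minAmount, uint256 _feeBps) {
        require(_feeBps <= 10_000, "fee too high");
        token = _token;
        minAmount = _minAmount;
        feeBps = _feeBps;
    }

    // Fee rounds up so that even the smallest permitted loan pays something.
    function flashFee(uint256 amount) public view returns (uint256) {
        return (amount * feeBps + 9_999) / 10_000;
    }

    function flashLoan(IFlashBorrower borrower, uint256 amount, bytes calldata data) external nonReentrant {
        require(amount >= minAmount, "below minimum loan size");  // restriction 1: minimum amount
        uint256 fee = flashFee(amount);                            // restriction 2: usage fee
        uint256 balanceBefore = token.balanceOf(address(this));
        require(amount <= balanceBefore, "insufficient liquidity");

        require(token.transfer(address(borrower), amount), "transfer failed");
        borrower.onFlashLoan(msg.sender, amount, fee, data);

        // Atomicity check: principal plus fee must be back in the pool before the call ends.
        require(token.balanceOf(address(this)) >= balanceBefore + fee, "loan not repaid");
    }
}
```

The fee is what turns a free, risk-less borrow into one with a fixed cost per attempt; the minimum size and the balance check are the invariants that keep the loan confined to a single transaction. A fee-on-transfer or rebasing token would need the balance check adjusted, since `balanceOf` would no longer reflect the amount actually transferred.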

Reentrancy: Reentrancy vulnerabilities accounted for 4.35% of attacks, with 15 incidents resulting in a loss of $74 million. The Vyper bug and the Exactly Protocol exploit were the major losses recorded in this aspect. 

Safety Measures:

Reentrancy is common and stubbornly persistent in smart contracts. Although it is well known, we still encounter projects getting tripped up by it. This bug can often be mitigated through a thorough smart contract audit, underscoring the importance of selecting experienced and responsible auditors.

  1. Stick to the Check-Effect-Interaction Model: Always run necessary checks and validations first. Only after passing these checks should you perform state changes, and interactions with external entities should come last.

  2. Implement Comprehensive Reentry Protection: Apply this to every function involving sensitive operations within the contract.

Oracle Issues: Oracle issues accounted for 7.88% of attacks, with 7 incidents leading to a loss of $134 million. The BonqDAO attack showcased the exploitation of Oracle vulnerabilities to manipulate token prices.

Safety Measures:

  1. Markets with shallow liquidity should not be used for price predictions.

  2. Before considering specific price oracle plans, take time to assess whether the token's liquidity is sufficient to ensure integration with your platform.

  3. Increase the attacker's manipulation cost through Time-Weighted Average Price (TWAP).
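As an added example of the TWAP measure in item 3 (not code from the report or from any protocol it mentions; the ISpotSource interface and the TwapOracle contract are hypothetical), a minimal on-chain time-weighted average price oracle. A spot price that only exists within one block gets no weight at all, so a manipulated price has to be held across many blocks before it moves the average, which is the cost increase the item refers to.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical source of an instantaneous price (for example a pool's spot price), 1e18-scaled.
interface ISpotSource {
    function spotPrice() external view returns (uint256);
}

contract TwapOracle {
    ISpotSource public immutable source;
    uint256 public immutable window; // minimum averaging period in seconds

    uint256 private cumulative;      // running sum of (price * seconds the price was live)
    uint256 private lastTimestamp;   // when `cumulative` was last brought up to date
    uint256 private lastSpot;        // spot price observed at lastTimestamp

    // Two checkpoints, so consult() always averages over between 1x and 2x the window.
    uint256 private prevCheckpointCumulative;
    uint256 private prevCheckpointTime;
    uint256 private curCheckpointCumulative;
    uint256 private curCheckpointTime;

    constructor(ISpotSource _source, uint256 _window) {
        require(_window > 0, "window must be positive");
        source = _source;
        window = _window;
        lastSpot = _source.spotPrice();
        lastTimestamp = block.timestamp;
        prevCheckpointTime = block.timestamp;
        curCheckpointTime = block.timestamp;
    }

    // Permissionless; called by keepers or piggybacked on ordinary user transactions.
    function update() public {
        uint256 elapsed = block.timestamp - lastTimestamp;
        if (elapsed == 0) return;           // same block: nothing has been live for any time yet
        cumulative += lastSpot * elapsed;   // the previous spot counts for the seconds it was live
        lastSpot = source.spotPrice();      // a spot moved in this block earns weight only from now on
        lastTimestamp = block.timestamp;

        if (block.timestamp - curCheckpointTime >= window) {
            prevCheckpointCumulative = curCheckpointCumulative;
            prevCheckpointTime = curCheckpointTime;
            curCheckpointCumulative = cumulative;
            curCheckpointTime = block.timestamp;
        }
    }

    // Average price from the previous checkpoint to now; at least `window` seconds once warmed up.
    function consult() external view returns (uint256) {
        uint256 span = block.timestamp - prevCheckpointTime;
        require(span >= window, "oracle not warmed up");
        uint256 nowCumulative = cumulative + lastSpot * (block.timestamp - lastTimestamp);
        return (nowCumulative - prevCheckpointCumulative) / span;
    }
}
```

The window is a trade-off: a longer one is harder to manipulate but lags real price moves, and the oracle is only as fresh as its last `update()` call, so a consumer should also refuse readings whose underlying data is older than it can tolerate. Items 1 and 2 still apply; averaging a thin market over time does not make it deep.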

Other Vulnerabilities: Other vulnerabilities represented 16.47% of attacks, with 76 incidents leading to a loss of $280 million. Mixin's database breach and various web2 vulnerabilities showcased the diverse security challenges faced in the Web3 space.

Top 10 Hacks of 2023: Overview and Impact

The top 10 hacks of last year resulted in nearly 70% of the year's total losses ($1.2 billion approximately). These hacks revealed a common vulnerability – access control issues, particularly private key thefts. These breaches predominantly occurred in the second half of the year, with November witnessing three major attacks. Notably, the Lazarus Group played a significant role in multiple breaches, draining funds from compromised hot wallets. 

Mixin Network: Clouds Part, Assets Vanish

Mixin Network was exploited, resulting in a $200 million loss. The hackers targeted the database of Mixin Network's cloud service provider, leading to the loss of assets on the mainnet. The incident raised concerns about the security of cloud service providers, prompting Mixin Network to implement security enhancements and compensation measures.

Euler Finance: Vulnerability in DeFi Protocol

Euler Finance recorded a heavy loss of $197 million due to a vulnerability in the donateToReserves function. The hackers exploited this function, triggering bad debt and liquidation, causing Euler Finance's Total Value Locked (TVL) to plummet. The incident showcased the importance of rigorous smart contract auditing and risk assessment in decentralized finance (DeFi) protocols.

Multichain: Keys Lost, Chains Shattered

Multichain experienced an abnormal movement of lockup assets to an unknown address, leading to panic among users. The primary cause remained uncertain, raising questions about the security practices of Multichain. The incident showcased the potential risks associated with administrator keys and internal security practices.

Poloniex: Lazarus Strikes, Keys Compromised

Cryptocurrency exchange Poloniex fell victim to a hack orchestrated by the Lazarus Group, resulting in a $126 million loss. The hackers drained the project's hot wallets through compromised private keys. The attack exemplified the classic vulnerability of compromised hot wallets and prompted Poloniex to implement enhanced security measures, including improved key management.

BonqDAO: Oracle's Gamble, Protocol's Plunge

The Polygon-based lending and stablecoin protocol, BonqDAO, suffered a two-stage attack involving oracle manipulation, leading to a $120 million loss. The attacker manually updated the Tellor price feed, making it possible for them to borrow against inflated collateral. The incident highlighted the risks associated with Oracle vulnerabilities and their potential impact on DeFi platforms.

Atomic Wallet: North Wind Blows, Lawsuit Echoes

Atomic Wallet experienced a loss of over $100 million as addresses were drained through a three-step system. The North Korean Lazarus Group was also behind this attack. The incident led to legal consequences, with a lawsuit emphasizing the responsibility of platforms to address known vulnerabilities. It underscored the importance of proactive security measures and collaboration with law enforcement.

HECO Bridge, HTX: Bridges Burn, Wallets Drained

The HECO bridge attack saw the loss of $86.6 million and $12.5 million from hot wallets belonging to HTX (formerly Huobi). The HECO Bridge funds were drained via a compromised operator account, highlighting the need for secure infrastructure in decentralized bridges. The incident prompted HECO to boost its security protocols and reassess operational practices.

Curve, Vyper: Bug's Ballet, Pool's Lament

Curve, relying on Vyper, recorded a $69.3 million loss due to a 0-day compiler bug. The bug allowed attackers to re-enter transactions, manipulating LP token prices and draining the pool. The incident showcased the potential risks associated with language-specific vulnerabilities in smart contracts. Curve implemented patches and updates to address the bug.

AlphaPo: Lazarus' Silent Heist

AlphaPo, a crypto payments processor for gambling platforms, lost $60 million across ETH, TRON, and BTC. The hack, likely orchestrated by Lazarus, drained AlphaPo's hot wallet through sophisticated phishing techniques. The attack raised awareness about the evolving tactics of sophisticated hacking groups and prompted AlphaPo to implement enhanced security measures, including multi-factor authentication and user education.

CoinEx: Keys Leaked, Wallets Emptied

Cryptocurrency exchange CoinEx suffered a loss of $54.3 million due to a compromised hot wallet private key. Anomalous withdrawals from several hot wallet addresses led to the incident. North Korea's Lazarus Group remains the prime suspect. The vulnerability of hot wallet private keys was highlighted, prompting CoinEx to implement additional security measures and transparent communication with users.

Conclusion: Navigating a Secure Future

The losses recorded from 2023 were lower than what was recorded the previous year. However, the concentration of losses in the top 10 hacks emphasizes the imperative for improved security measures. The diverse distribution of bugs and vulnerabilities necessitates a multi-faceted approach to safeguarding the Web3 ecosystem.

As a Web3 project, it is important to carry out rigorous auditing, especially in light of emerging infiltration methods, as exemplified by Lazarus Group attacks. To pave the way for a secure Web3 future, users and investors are strongly encouraged to prioritize platforms and services that fulfil functional needs and also stick to the highest standards of security.


Author

Nikolas Sargeant

Nik is a content and public relations specialist with an ever-growing interest in Crypto. He has been published on several leading Crypto and blockchain based news sites. He is currently based in Spain, but hails from the Pacific Northwest in the US.