Author: Fairyproof

Overview

In the third quarter of 2023, the overall crypto market remained calm. However, the frequency of security incidents in the ecosystem exceeded that of the previous two quarters. In this quarter, approximately $572 million in crypto assets was lost in various security incidents.

Fairyproof studied 198 typical cases publicly reported in the third quarter, compiled statistics and analyzed the cases, and explored the characteristics of the security ecosystem reflected by these incidents and the relevant preventive measures that users can take.

Background Introduction

Before presenting the research results of Fairyproof in detail, it is necessary to explain and illustrate the relevant terms used in this report.

CCBS

CCBS stands for "centralized crypto asset or blockchain service organization". It usually refers to an off-chain service platform that is operated and managed by humans. Its core technology mainly relies on traditional centralized technology, and its daily operation and maintenance activities are mainly off-chain. Traditional crypto asset exchanges (such as Binance) and crypto asset issuance and acceptance platforms (such as Tether) are typical examples of this type.

Flash Loan

Flash loans are a common and popular way for hackers to attack smart contracts on Ethereum Virtual Machine platforms. A flash loan is a contract call method introduced by the team behind the well-known DeFi application AAVE[1]. It allows users to borrow crypto assets directly from DeFi applications that support the function without posting any collateral. As long as the user returns the assets within the same transaction, the transaction is valid; otherwise the whole transaction reverts[2]. The function was originally invented to give DeFi users a more flexible and convenient means of conducting on-chain financial activities. However, because of this flexibility, flash loans have become the most common way for hackers to borrow ERC-20[3] tokens and then use them in an attack. Before initiating a flash loan, the user must describe the logic of borrowing (the assets) and returning (the assets plus interest and related fees) in a contract, and then call that contract to initiate the loan.
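The borrow-and-repay-within-one-transaction rule described above, written out as a minimal lender contract. This is an added example, not AAVE's code; the `IFlashBorrower` callback name and the 0.09% fee are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface the pool needs (standard functions; not AAVE's code).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Callback the borrowing contract must implement. The name is an assumption
// for this example; AAVE's real receiver interface differs.
interface IFlashBorrower {
    function onFlashLoan(address token, uint256 amount, uint256 fee, bytes calldata data) external;
}

// Illustrative pool: lends with no collateral and makes repayment a condition
// of the same transaction. If principal + fee is not back by the end of
// flashLoan(), the require() reverts, undoing the loan and everything the
// borrower did in between.
contract FlashLender {
    uint256 public constant FEE_BPS = 9; // 0.09% fee (assumed value)

    function flashLoan(address token, uint256 amount, bytes calldata data) external {
        IERC20 t = IERC20(token);
        uint256 balanceBefore = t.balanceOf(address(this));
        require(amount <= balanceBefore, "insufficient liquidity");
        uint256 fee = (amount * FEE_BPS) / 10_000;

        // 1. Hand the tokens to the borrower; nothing is locked up in return.
        require(t.transfer(msg.sender, amount), "transfer failed");

        // 2. The borrower's own logic runs here: swaps, liquidations, or the
        //    calls against some other protocol that the report's incidents describe.
        IFlashBorrower(msg.sender).onFlashLoan(token, amount, fee, data);

        // 3. The invariant that makes lending without collateral safe for this
        //    pool: the borrower must have pushed principal + fee back already.
        require(t.balanceOf(address(this)) >= balanceBefore + fee, "flash loan not repaid");
    }
}
```

Note that the final require() protects only the lender; the protocol that the borrowed tokens are used against within the callback must enforce its own invariants, which is why flash loans amplify whatever bug already exists there.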

Cross-chain Bridge

A cross-chain bridge is an infrastructure that connects multiple independent blockchains, allowing tokens deployed on different blockchains to circulate between each blockchain.

As more and more blockchains have their own ecosystems, applications, and crypto assets, the demand for cross-blockchain communication and transactions among these applications and assets has grown significantly. This also makes cross-chain bridges a popular target for hackers.

Report Highlights

Fairyproof has studied in detail 198 typical security incidents that occurred in the third quarter of 2023. In this report, it presents a statistical analysis of these incidents, including the amount of losses and their causes, and gives corresponding prevention suggestions and measures.

Statistics and analysis of security incidents in the third quarter of 2023

The Fairyproof research team studied in detail 198 prominent security incidents in the third quarter of 2023, listed the statistical results and analyzed them from the two aspects of the targets of the attacks and the root causes of the attacks.

The total loss of crypto assets caused by these 198 security incidents reached US$572 million, while the total market value of mainstream crypto assets shown by TradingView reached US$1,056 billion. The lost assets amount to 0.05% of the total market value.

Security incidents based on victim classification

The security incidents studied by Fairyproof can be divided into the following four categories according to their victims:

1. Centralized Crypto Asset or Blockchain Service (CCBS; hereafter CCBS refers to this concept)

2. Blockchains

3. Decentralized Applications (dApps)

4. Cross-chain Bridges

The CCBS security incidents referred to in this report are those in which a CCBS system is attacked or damaged, so that assets held by the CCBS are stolen or its services are interrupted. Blockchain security incidents refer to attacks on or damage to a blockchain mainnet, its sidechains, or the second-layer extension systems attached to it. In these incidents, hackers usually launch attacks from inside the system, outside the system, or both, resulting in software or hardware malfunctions and asset losses.

A dApp security incident refers to a situation where a dApp is attacked and cannot function properly, giving hackers the opportunity to steal the crypto assets managed in the dApp.

A cross-chain bridge security incident refers to an attack on a cross-chain bridge, which causes it to be unable to work properly or even leads to the theft of crypto assets it handles.

Fairyproof divided the total 198 events into the above four categories, and the distribution of their proportions is shown below:

As can be seen from the figure, dApp security incidents accounted for 86.87% of the total, exceeding every other category. Of the 198 incidents, 4 were CCBS security incidents, 14 were blockchain security incidents, 4 were cross-chain bridge security incidents, and 172 were dApp security incidents.

Blockchain security incidents

Security incidents involving blockchain can be further divided into the following three categories:

i. Blockchain mainnets

ii. Sidechains

iii. Layer 2 solutions

The blockchain mainnet is also called Layer 1. It is an independent blockchain with its own network, protocol, consensus, and validators. The blockchain mainnet can verify transactions, data, and blocks, all of which are completed by its own validators and ultimately reach consensus. Bitcoin and Ethereum are typical blockchain mainnets.

A sidechain is a separate blockchain that runs in parallel with the main blockchain network. It also has its own consensus and validators, but it is connected to the main network in some way (such as a two-way peg[4]). A second-layer extension system (Layer 2) is a system that relies on the main blockchain network, which provides it with security and finality[5]. Its main purpose is to improve the scalability of the main network, processing transactions at lower fees. Since 2021, second-layer extension systems attached to Ethereum have developed rapidly.

Both sidechains and second-layer extension systems are designed to solve the scalability of the blockchain mainnet. The main difference between the two is that sidechains do not rely on the blockchain mainnet to provide security and consistency, but second-layer extension systems do.

There were a total of 14 blockchain-related security incidents in the third quarter of 2023. The following figure shows the proportions of blockchain mainnet, sidechain, and second-layer extension system incidents.

As can be seen from the figure above, security incidents related to blockchain mainnets and to second-layer extension systems accounted for 92.86% (13 incidents) and 7.14% of the total, respectively.

There were no typical sidechain security incidents. The second-layer extension system involved in a security incident was Metis[6], and the mainnets involved in blockchain mainnet security incidents include Mixin[7], Quai Network[8], Swisstronik[9], SwapDex Blockchain[10], Aptos[11], etc.

dApp Security Incidents

Of the 172 security incidents involving dApps, 16 were scams, 1 was compromised, and 155 were direct attacks. Direct attacks on dApps usually target one of three components: the dApp's frontend, backend, and smart contracts. Therefore, we divided the 155 direct attacks into the following three categories:

i. dApp frontend

ii. dApp backend

iii. dApp contract

In the case of dApp front-end attacks, hackers mainly launch attacks through front-end vulnerabilities to steal assets or paralyze its services.

In the case of dApp backend attacks, hackers mainly launch attacks through backend vulnerabilities, such as hijacking the communication between the backend and the contract, in order to hijack assets or paralyze services.

In the cases where dApp contracts were attacked, hackers mainly launched attacks through contract vulnerabilities to steal assets or paralyze their services. The following figure shows the proportion of these three categories of attacks:

As shown in the figure above, contract, backend and frontend attacks accounted for 19.35%, 0% and 80.65% respectively. Of the 155 incidents, 125 were frontend attacks and 30 were contract attacks.

We further studied the amount of crypto asset losses caused by various events. The losses caused by contract attacks and front-end attacks were $210 million and $39.8 million, respectively, accounting for 84.03% and 15.97% of the total loss, as shown in the following figure:

Among the many contract vulnerabilities, logical flaws, private key leakage, flash loan attacks, and reentrancy attacks are typical vulnerabilities.

We studied 30 security incidents involving direct attacks on contracts and obtained the following proportion chart:

As shown in the above figure, logical defects account for the highest proportion of contract security incidents. Logical defects usually include lack of parameter verification, lack of permission verification, etc. The number of security incidents caused by logical defects is 13.

The following figure shows the ratio of losses caused by various vulnerabilities:

The loss amount caused by private key leakage accounts for the largest proportion. The four private key leakage incidents caused a total loss of US$173 million, accounting for 82.56% of the total loss amount.

Security incidents classified by cause

Based on the causes of blockchain security incidents, we divide the incidents into three categories:

i. Caused by hacker attacks

ii. Runaway (the project team absconding)

iii. Other

Our findings are shown in the figure below:

As shown in the above figure, security incidents caused by hacker attacks and running away accounted for 91.92% (182 cases) and 8.08% (16 cases) respectively.

We studied the losses caused by these factors, as shown in the figure below:

As shown in the figure above, the losses caused by hacker attacks and absconding accounted for 94.69% and 5.31% respectively, with the former causing a loss of $541 million and the latter a loss of $30.35 million. This shows that in the third quarter of 2023, hacker attacks were still the main threat to industry security.

We studied the hacker attack incidents, as shown in the following figure:

As shown in the above figure, hacker attacks on dApp, blockchain, CCBS and cross-chain bridge accounted for 87.64% (156 cases), 7.87% (14 cases), 2.25% (4 cases) and 1.3% (2 cases) respectively.


We studied the amount of losses caused by various types of events, as shown in the figure below:

The asset losses caused by hacker attacks on blockchain, dApp, cross-chain bridge and CCBS accounted for 36.97%, 46.25%, 0.79% and 15.99% respectively, with specific losses of US$200 million, US$250 million, US$86.5 million and US$4.3 million respectively. Other security incidents did not result in significant losses.

Runaway incidents

The typical runaway incidents in the third quarter of 2023 were all dApp projects. A total of 16 runaway incidents caused losses of $30.35 million. This loss amount is much smaller than the loss amount caused by hacker attacks.

Findings

According to our statistics, in the third quarter of 2023, hackers’ favorite target was still dApp projects. Attacks on dApp far exceeded any other targets, accounting for 87.64% of the total number of attacks and 46.25% of the total amount of losses. Among all the attacks, the most serious one was the attack on Multichain[12].

For the entire blockchain ecosystem, hackers are still the biggest security threat, both in terms of the number of security incidents they cause and the asset losses they cause. Security incidents caused by hacker attacks account for 91.92% of the total number of security incidents, far exceeding the threat posed to the ecosystem by runaway incidents.

A typical dApp consists of three parts: frontend, backend, and smart contracts. When hackers attack a dApp, they attack one part or multiple parts at the same time. According to our statistics, the number of attacks on the dApp frontend far exceeds that on the contract, but the amount of losses caused by attacks on smart contracts far exceeds that of attacks on the frontend.

This shows that smart contract vulnerabilities are still the biggest risk to dApp security.

Typical runaway incidents in the third quarter of 2023 all occurred in dApp projects.

Among the incidents in which smart contracts were hacked, the following three categories of causes ranked in the top three:

First: Logical flaws

Second: Flash loans

However, in terms of the amount of losses, the amount of asset losses caused by attacks caused by private key leakage ranks first, far exceeding other categories.

Practical measures to prevent security incidents

In this section, we summarize solutions and measures that help blockchain developers and users manage and prevent blockchain risks, based on the characteristics of the security incidents that occurred in the third quarter of 2023. We recommend that both blockchain developers and users implement and practice these measures as much as possible in their daily operations and work, to maximize the protection of project security and crypto asset security.

Note: "Blockchain developers" refers both to the development engineers of the blockchain project itself and to developers working on systems related to the blockchain or its extensions (such as crypto assets). "Blockchain users" refers to all users who participate in blockchain system activities (such as management, operation, and maintenance) or in crypto asset transactions.

For blockchain developers

Although there were no typical security incidents involving the second-layer extension system in the third quarter, the security of second-layer extension systems still deserves attention. Because the development and implementation of second-layer extension solutions will continue to be the hot spot and focus of the entire ecosystem, research on the security of these solutions will be a major challenge facing the industry.

In blockchain applications, after a project has been deployed and run stably for a period of time, it is necessary to transfer the authority to control key operations in the project to a multi-signature wallet or DAO organization for management.

When hackers discover vulnerabilities in smart contracts, they often use flash loans to attack the contracts. The vulnerabilities exploited in this way usually include reentrancy vulnerabilities and logical defects (such as lack of permission verification or incorrect price algorithms). Smart contract developers need to pay close attention to these vulnerabilities, treat them as the highest priority, and rigorously prevent and handle them.
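As an added illustration of the checks named in the two paragraphs above (example code, not from the report or any audited project; all names are hypothetical), the following vault shows parameter verification, owner-only permission verification, a reentrancy guard with the checks-effects-interactions ordering, and a two-step ownership handover to a multisig or DAO address:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative ETH vault with the checks the report says are most often missing.
contract GuardedVault {
    address public owner;        // meant to end up as a multisig or DAO address
    address public pendingOwner;
    mapping(address => uint256) public balances;
    bool private locked;

    constructor() { owner = msg.sender; }

    // Permission verification: without this check any caller could run the
    // privileged functions below (a "lack of permission verification" flaw).
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Reentrancy guard: a callee cannot re-enter before the first call finishes.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        require(msg.value > 0, "zero deposit"); // parameter verification
        balances[msg.sender] += msg.value;
    }

    // Checks-effects-interactions: the balance is reduced BEFORE the external
    // call, so even without the guard a re-entered call would find nothing left.
    function withdraw(uint256 amount) external nonReentrant {
        require(amount > 0 && amount <= balances[msg.sender], "bad amount");
        balances[msg.sender] -= amount;                    // effect
        (bool ok, ) = msg.sender.call{value: amount}("");  // interaction last
        require(ok, "send failed");
    }

    // Two-step handover so control can be moved to a multisig/DAO once the
    // project runs stably, without a mistyped address locking everyone out.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address"); // parameter verification
        pendingOwner = newOwner;
    }

    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        owner = pendingOwner;
        pendingOwner = address(0);
    }
}
```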

Our statistics also show that more and more hackers launch phishing attacks through social media platforms (such as Discord and Twitter). This phenomenon ran throughout 2022 and continued into the third quarter of 2023, and many users have suffered losses. Project owners need to manage the social media accounts they operate strictly and comprehensively, and deploy corresponding security solutions to ensure the security and stability of their social media operations and prevent them from being exploited by hackers.

For blockchain users

More and more users are beginning to participate in various blockchain ecosystem activities and hold assets in various blockchain ecosystems. In this process, cross-chain transaction activities are also growing rapidly. When users participate in cross-chain transactions, they need to interact with cross-chain bridges, which are often targeted by hackers. Therefore, before initiating cross-chain transactions, users need to investigate and understand the security and operation status of the cross-chain bridges they use in detail to ensure that the cross-chain bridges are safe, stable, and reliable.

When users interact with dApps, they must pay close attention to the quality and security of their smart contracts, as well as the security of the dApp frontend. Be careful with some unknown, highly suspicious information, prompts, and dialogues displayed on the frontend, and do not click or follow their instructions at will.

We strongly recommend that users carefully check and read the audit report of any blockchain project before interacting with it or investing in it. Be cautious when participating in projects that do not have an audit report or have a suspicious report.

We recommend that users use cold wallets or multi-signature wallets to manage large assets or assets that are not used for frequent transactions. Always be careful about the operational security of hot wallets and ensure that the hardware platform on which the hot wallet is installed is safe, reliable and stable.

Users need to conduct a certain degree of investigation and understanding of the team background of blockchain projects. Be careful of teams with unclear backgrounds and lack of credibility. Be careful of the risk of such projects running away. For centralized exchanges that are used more frequently, users should pay more attention to their background and credit, and verify the background, information, and data of these exchanges from multiple third-party data sources as much as possible to ensure that the exchanges can operate safely and continuously for a long time.

References

[1] Aave. https://aave.com/

[2] Flash Loans. https://aave.com/flash-loans/

[3] ERC-20 Token Standard. https://ethereum.org/en/developers/docs/standards/tokens/erc-20/

[4] Sidechains. https://ethereum.org/en/developers/docs/scaling/sidechains/

[5] Layer-2. https://academy.binance.com/en/glossary/layer-2

[6] Metis. https://www.metis.io/

[7] Mixin. https://mixin.one/

[8] Quai Network. https://qu.ai/

[9] Swisstronik. https://www.swisstronik.com/

[10] SwapDex Blockchain. https://swapdex.network/

[11] Aptos. https://aptoslabs.com/

[12] Multichain. https://multichain.xyz/