Industry Recap: Common Attack Methods for Web3 Hackers in the First Half of 2022
As reported by Footprint, 48 major attacks were monitored in the Web3 space during the second quarter of 2022, resulting in losses of approximately $718.34 million, a reduction of approximately 40 percent from $1.2 billion in the first quarter and about 2.42 times as much as in the first quarter of 2021 ($296.56 million).
There were 19 major security incidents and losses of approximately $374,889 in April, making it the most active month for exploits in Q2.
Contract exploits and flash loans remain the most common hacking techniques.
During the quarter, contract vulnerability exploitation accounted for 45.8% of attacks and caused a loss of approximately $138 million. Nine flash loans were attacked this quarter, resulting in losses of $233 million, the greatest loss from any hacking method. As in Q1, contract exploits and flash loans continue to be the most common hacking techniques in the blockchain space (50% and 24% of attacks, respectively). Despite continued concerns about private key security, losses from compromised private keys amounted to $131.15 million.
There were several vulnerabilities exploited this quarter, including improper business logic/function design, validation issues, permission issues, unchecked k-values, reentrancy, and call injection. The most exploited vulnerability is improper business logic/function design, far ahead of the other vulnerabilities. Reentrancy vulnerability was exploited by hackers only once, producing a loss of $80.34 million.
What types of vulnerabilities have led to significant losses?
On February 3, 2022, the Solana cross-chain bridge project Wormhole was attacked, resulting in cumulative losses of approximately $326 million. Hackers exploited a signature verification vulnerability in the Wormhole contract, which allowed hackers to forge sysvar accounts to mint wETH.
On 30 April 2022, Fei Protocol’s official Rari Fuse Pool suffered a lightning loan exacerbation attack that caused a total loss of $80.34 million. The attack caused irreparable damage to the project, and on August 20, officials said the project was officially shut down.
Summary
Almost all the vulnerabilities that emerge from the audit process have been exploited by hackers, with contract logic exploits still being a major part of the picture.
The vulnerabilities mentioned in this article can all be identified during the audit phase and can be remediated by security experts after a security assessment has been made.
About DeHacker
DeHacker is a team of auditors and white hat hackers who perform security audits and assessments. With decades of experience in security and distributed systems, our experts focus on the ins and outs of system security. Our services follow clear and prudent industry standards. Whether it’s reviewing the smallest modifications or a new platform, we’ll provide an in-depth security survey at every stage of your company’s project. We provide comprehensive vulnerability reports and identify structural inefficiencies in smart contract code, combining high-end security research with a real-world attacker mindset to reduce risk and harden code.
