Web3 security: types of attacks
We have already written a post on security risks in DeFi, yet we want to expand upon the types of attacks commonly seen in Web3. By learning about this, project teams and everyday crypto users can better guard themselves against possible threats.
We’ve reviewed the attack landscape over the past year and sorted exploits in terms of vulnerability and tactics applied.
Advanced Persistent Threat
APT implies an attack approach where a team of exploiters builds an illicit, long-term presence on a network. It is usually executed by a well-organized group of criminals. They use trojanized Windows and macOS apps to target the infrastructure of crypto companies or malicious apps for stealing private keys to further execute subsequent attacks. Sometimes, they even attack company employees with phishing campaigns using malware software.
The most notorious example of this type of attack is the Ronin network hack which cost the team $624M. The attack was so sophisticated that nobody from the team noticed it for six days.
System vulnerability attack
In most cases, Web3 projects require different third-party software libraries. Since those codes are developed by external teams, it’s very likely that known problems are overlooked. It’s crucial for dev teams to monitor these third-party software components for potential vulnerabilities, ensure upgrades are installed, and keep up with updates of projects they are dependent upon.
The market maker Wintermute lost $160M because their hot wallet was compromised via a vanity address created with Profanity. A vulnerability in private keys generated by Profanity had been known since at least January. Both Wintermute’s hot wallet and DeFi vault contract seem to have Profanity vanity addresses which were likely exploited and used to drain the vault.
Governance attacks
Many Web3 projects include a governance side for their token-holders to participate in making network decisions. This also opens a backdoor for bad actors to push forward malicious proposals that may damage the entire network.
Governance attacks have been on the rise recently. Attackers take out huge flash loans to swing votes. This year, Beanstalk was exploited for $181M through a flash loan attack on the protocol’s governance mechanism. The entire attack occurred in less than 13 seconds, based on the duration of an Aave flash loan. The attacker used a flash loan obtained through Aave to borrow $1B in DAI, USDC, BEAN, and LUSD and converted it into beans. This gave them a 67% voting stake in the project. With this stake share, the exploiter was able to approve the execution of code that transferred assets to their own wallet. The attacker then instantly repaid the flash loan with a $80M profit.
Pricing manipulation attacks
In the crypto world, market volatility is nothing new and sudden price fluctuations are common. Web3 projects usually use oracles to obtain on-chain data. Attackers have found ways to fool oracles and cause big price spikes which become profitable when well played by bad actors.
Not so long ago, Mango Markets — Solana’s flagship margin trading protocol — got rekt, losing $115M to a well-funded market manipulator. Mango Markets clarified that the oracle was not affected and the incident was not a genuine price manipulation. The attacker managed to spike the price of Mango Markets and drain their lending pools.
The same type of attack also hit Cream Finance, Elephant Money, GMX, Moola Market to name a few.
Timely detection of threats
We have brought up only a few out of a myriad of attacks happening in Web3. In many of the cases mentioned above, the level of attack sophistication is far from high from the technical standpoint. Oftentimes, no smart contracts are hacked and the postmortem shows smart price manipulation techniques or governance loopholes.
At Hackless, we are firm believers that powerful monitoring tools are needed for ensuring overall Web3 security. We believe that a great number of exploits can be detected earlier by spotting suspicious activity.
Stay with us — become Hackless!
