Fairyproof's Review Of Q2 2023 Blockchain Security


OVERVIEW

The crypto market basically remained flat through Q2 2023. Attacks against the crypto ecosystem were still active. Crypto assets worth around US$107.73 million were exploited from April 2023 to June 2023.

Fairyproof studied 186 publicly reported security incidents that occurred in Q2 2023. This report presents our findings, our analysis and the best practices we derived from these incidents.

BACKGROUND

Before proceeding, the following terms and technologies are introduced in this report:

CCBS

CCBS stands for “Centralized Crypto or Blockchain Service”. A CCBS is a platform or service that provides crypto or blockchain related products or services and is run by a conventional, centralized organization, entity or company, such as conventional crypto exchanges (e.g. Binance or Tether).

FLASHLOAN

Flash loans are a feature that hackers commonly use when attacking EVM-compatible smart contracts. They were developed by the team behind the well-known DeFi application AAVE [1]. The feature “allows users to borrow any available amount of assets without putting up any collateral, as long as the liquidity is returned to the protocol within one block transaction” [2]. Flash loans are frequently used to borrow ERC-20 tokens [3] and attack DeFi applications. To initiate a flash loan, a user writes a contract that borrows an available amount of assets and pays back the loan plus interest and any necessary fees, all within the same transaction.
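As an added illustration of the borrow-and-repay-in-one-transaction cycle described above (example code written for this page, not Fairyproof's or Aave's own; the IPool.flashLoanSimple and executeOperation call shapes follow Aave V3's published interface and are an assumption here, and the pool address is supplied by the deployer):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not code from the report or from Aave. It assumes the Aave V3
// flashLoanSimple / executeOperation call shapes as documented by Aave; the pool
// and owner addresses are parameters, nothing is hard-coded.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IPool {
    function flashLoanSimple(
        address receiverAddress,
        address asset,
        uint256 amount,
        bytes calldata params,
        uint16 referralCode
    ) external;
}

contract FlashLoanReceiver {
    IPool public immutable pool;
    address public immutable owner;

    constructor(IPool _pool) {
        pool = _pool;
        owner = msg.sender;
    }

    // Step 1: request the loan. The pool transfers `amount` of `asset` to this
    // contract and then calls executeOperation below, all in this transaction.
    function requestLoan(address asset, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        pool.flashLoanSimple(address(this), asset, amount, "", 0);
    }

    // Step 2: the pool's callback.
    function executeOperation(
        address asset,
        uint256 amount,
        uint256 premium,
        address initiator,
        bytes calldata
    ) external returns (bool) {
        // Only the pool may call this, and only for loans this contract itself
        // requested; otherwise anyone could drive the logic below at will.
        require(msg.sender == address(pool), "caller is not the pool");
        require(initiator == address(this), "not initiated by this contract");

        // ... whatever the borrowed funds are used for goes here ...

        // Step 3: repay principal plus fee before the transaction ends. The pool
        // pulls `owed` via transferFrom after this returns; if the balance is
        // short, the entire transaction reverts and the loan never happened.
        uint256 owed = amount + premium;
        require(IERC20(asset).balanceOf(address(this)) >= owed, "cannot repay");
        IERC20(asset).approve(address(pool), owed);
        return true;
    }
}
```

The atomicity in step 3 is why a flash loan needs no collateral: a borrower that cannot repay simply never receives the funds, because the whole transaction is rolled back.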

CROSS-CHAIN BRIDGE

A cross-chain bridge is an infrastructure that connects multiple independent blockchains and enables an exchange of cryptos, data or information from one blockchain to another.

As more blockchains build their own ecosystems, cryptos and dApps, the need to exchange cryptos or data across blockchains keeps growing, and the volume of cross-chain transactions increases dramatically. As a result, cross-chain bridges suffer more attacks.

FOCUS OF THIS REPORT

In this report we list our statistics collected from typical security incidents that happened in the blockchain industry in Q2 2023, give an in-depth analysis of their root causes, and present our recommended best practices.

STATISTICS AND ANALYSIS OF SECURITY INCIDENTS OF Q2 2023

We studied 186 publicly reported security incidents that occurred in Q2 2023 and present our statistics and analysis based on the targets and root causes.

In Q2 2023, the total value of the exploited assets was US $107.73 million, while the overall cryptocurrency market cap, according to Tradingview, was US $1156.19 billion. The value of the exploited assets accounted for 0.01% of the total cryptocurrency market cap.

INCIDENTS CATEGORIZED BY TARGETS

The incidents we studied can be categorized into four types of targets:

  1. CCBS
  2. Blockchains
  3. DApps
  4. Cross-chain Bridges

A CCBS-related incident is one in which a centralized crypto or blockchain service platform is attacked by hackers resulting in the failure of its services or a loss of crypto assets under its custody.

A blockchain-related incident is one where a blockchain mainnet, side chain or layer 2 is attacked by malicious actors from inside, outside, or both, so that its operation is disrupted, or where a blockchain fails to work properly because of software or hardware issues, or both. Attackers are then able to exploit the consensus for profit.

A dApp-related incident is one where a dApp’s daily operation is disrupted or the dApp is attacked, leaving its users and the crypto assets under its custody open to exploitation.

A cross-chain bridge-related incident occurs when a cross-chain bridge is attacked resulting in a loss of crypto assets under its custody or a failure of the exchange function between multiple blockchains.

There were 186 incidents in total. The figure below shows the percentage of incidents for each of these targets.

The number of dApp-related incidents accounts for more than 84.41% of the total. Out of 186 incidents, 8 were CCBS-related, 14 were blockchain-related, 4 were cross-chain bridge-related and 157 were dApp-related.

BLOCKCHAIN-RELATED INCIDENTS

Blockchain-related incidents can be further categorized into three sub-categories:

  1. Blockchain mainnets
  2. Side chains
  3. Layer 2 solutions

A blockchain mainnet, also known as layer 1, is an independent blockchain that has its own network with its own protocol, consensus, and validators. A blockchain mainnet can validate transactions, data, and blocks generated in its network with its own validators and reach finality. Bitcoin and Ethereum are typical blockchain mainnets.

A side chain is a separate, independent blockchain that runs in parallel to a blockchain mainnet. It has its own network, consensus and validators, and is connected to the blockchain mainnet (e.g. by a two-way peg [4]).

A layer 2 solution is a protocol or network that relies on a blockchain as its base layer (layer 1) for security and finality [5]. Its main purpose is to solve the scalability issues of its base layer: it processes transactions faster and consumes fewer resources than its base layer. Since 2021, there has been a huge surge in the growth and development of layer 2 solutions for the Ethereum ecosystem.

Both side chains and layer 2 solutions exist to solve the scalability issues of a blockchain mainnet. The significant difference between a side chain and a layer 2 solution is that a side chain does not necessarily rely on its blockchain mainnet for security or finality whereas a layer 2 solution does.

There were 14 blockchain-related incidents in total in Q2 2023. The figure below shows the percentages of blockchain mainnet related incidents, side-chain related incidents, and layer 2 related incidents respectively.

Blockchain mainnet related incidents and layer 2 related incidents accounted for 92.68% (13) and 7.14% (1) of these incidents respectively. No prominent side-chain related incidents were covered in our statistics. The layer 2 solution that was attacked was zkLink [6], while the attacked blockchain mainnets included CoreDAO [7], Radix [8], Manta [9], LayerZero [10], BNB Chain [11] and others.

DAPP RELATED INCIDENTS

Among the 157 dApp incidents, 7 were rug-pulls, 2 involved exploits and 148 were direct attacks. An attack against a dApp can specifically target its front-end, its server side, or its smart contract(s). We can therefore further classify these 148 incidents into three sub-categories:

  1. dApp’s front-end
  2. dApp’s server side
  3. dApp’s smart contract(s)

dApp front-end related incidents refer to events where vulnerabilities on the conventional client side are exploited, compromising users’ account information and personal details, which can then be used to steal their crypto assets.

dApp server side related incidents are those where vulnerabilities on the conventional server side are exploited, leaving on-chain and off-chain communication open to hijacking and users’ crypto assets open to exploitation.

Smart contract related incidents are those where vulnerabilities in a smart contract’s design or implementation are leveraged to exploit users’ crypto assets.

Here is a figure that shows the percentages of front-end, server-side and smart contract related incidents respectively.

The figure above shows smart contract related, server side related and front-end related incidents accounting for 25%, 0% and 75% of these incidents respectively. Of the 148 incidents, 111 were front-end related and 37 were smart contract related.

We further studied the amount of loss incurred in each sub-category. The loss in server side related incidents was 0, while the losses in smart contract related and front-end related incidents were US $32.70 million and US $35.11 million respectively, accounting for 48.22% and 51.78% of the total loss.

Typical vulnerabilities we found pertaining to smart contracts in Q2 2023 include logic vulnerabilities, private key leaks, flash loans, price manipulation, and more.

We studied the 37 incidents in which smart contracts were directly attacked and derived the following figure based on vulnerability types:

The figure shows that logic vulnerabilities were the most common vulnerability type. Logic vulnerabilities mainly include missing validation of parameters, missing access control checks, and flawed logic. 15 projects suffered attacks exploiting logic vulnerabilities.

The following figure illustrates the amount of loss for each vulnerability type:

The loss caused by logic vulnerabilities ranked first, accounting for 73.42% of the total loss. 15 incidents were caused by logic vulnerabilities, totaling a loss of US $24 million, which exceeded the combined loss caused by all other vulnerability types.

INCIDENTS CATEGORIZED BY ROOT CAUSES

The root cause of these incidents can be categorized into the following:

  1. Attacks from hackers
  2. Rug-pulls
  3. Misc.

We studied these incidents and got the following figure.

The figure above shows that attacks from hackers and rug-pulls accounted for 96.24% (179) and 3.76% (7) of the total incidents respectively.

We studied the amount of loss of each category of incidents based on the root cause and got the following figure:

The figure above shows that the loss in incidents caused by attacks and the loss in rug-pull incidents accounted for 97.49% and 2.51% of the total loss respectively: US $105.02 million for attacks and US $2.71 million for rug-pulls. This shows that attacks from hackers posed the largest threat to the whole crypto ecosystem in Q2 2023.

ATTACKS FROM HACKERS

We studied the targets the hackers attacked and got the following figure:

The figure above shows that attacks on dApps, blockchains, CCBSs and cross-chain bridges accounted for 85.23% (150), 7.95% (14), 4.55% (8) and 2.27% (4) of attacks respectively.

After we studied the amount of loss in each of them we got the following figure:

Attacks on dApps and CCBSs accounted for 65.61% and 34.39% of the loss, amounting to US $68.91 million and US $36.12 million respectively.

RUG-PULLS

All rug-pulls that happened in Q2 2023 were against dApps. There were 7 incidents totaling a loss of US $2.71 million which was not as severe as losses caused by attacks.

RESEARCH FINDINGS

dApps were the most prominent target for attacks in Q2 2023. Attacks on dApps accounted for 85.23% of the total incidents and 65.61% of the total loss. The largest dApp attack was the one on Jimbos Protocol [12].

Hackers remained the main threat to the crypto industry, accounting for 96.24% of all incidents and far surpassing any other root cause such as rug-pulls.

A dApp consists of three parts: a front-end, a server side and smart contracts. One or more of these parts are targeted in a dApp attack. According to our statistics, attacks on front-ends were far more frequent than attacks on smart contracts or server sides, and the loss from front-end attacks also surpassed that from smart contract attacks. This shows that front-end attacks posed the biggest threat to dApps in Q2 2023, and that the crypto landscape needs security solutions for front-ends as well.

All rug-pulls in Q2 2023 targeted dApps.

Finally, for smart contract related incidents, the attack sub-categories (excluding misc. incidents) ranked by number of incidents as follows:

Rank 1: Logic vulnerabilities

Rank 2: Flash-loan attacks

The loss in incidents caused by logic vulnerabilities far surpassed that of any other sub-category.

BEST PRACTICES TO PREVENT SECURITY ISSUES

In this section we present some best practices to help both blockchain developers and users manage the risks posed by the incidents that happened in Q2 2023, and to support a coordinated and efficient response to crypto security incidents. We recommend that both blockchain developers and users apply these practices to the greatest extent their resources allow.

Note: “Blockchain developers” refers to developers of blockchains, dApps, and other blockchains or systems pertaining to cryptocurrencies. “Blockchain users” refers to everyone who participates in activities pertaining to a crypto system’s management, operation, trading, etc.

FOR BLOCKCHAIN DEVELOPERS

Security awareness for layer 2 solutions should be maintained even though attacks on them were few and their losses negligible, because more layer 2 solutions will emerge in the coming years. Research and development of solutions to the security challenges in this area must be prompt.

Transferring an admin’s access control to a multi-sig wallet or a DAO that manages access to crypto assets or critical operations is a must-have.

Attackers employ flash loans to maximize their exploits once they detect vulnerabilities in smart contracts, including re-entrancy, missing access control checks, incorrect token price algorithms, and more. Handling these issues properly should be the highest priority for a smart contract developer when designing and coding a contract.
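To make the vulnerability classes named here and in the earlier breakdown of logic vulnerabilities (missing parameter validation, missing access control, re-entrancy) concrete, together with the multi-sig hand-over recommended above, here is an added example that is not from the report or from any attacked project: a toy vault carrying those defects beside its hardened form (all contract and function names are constructed for this page).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not code from the report or any attacked project. Names are made up.
// VulnerableVault carries the defect classes the report ranks first; HardenedVault fixes them.

contract VulnerableVault {
    mapping(address => uint256) public balances;
    uint256 public feeBps;

    function deposit() external payable { balances[msg.sender] += msg.value; }

    // Missing access control: anyone can set the fee. Missing parameter validation:
    // a fee above 10_000 bps makes `amount - fee` revert, locking every withdrawal.
    function setFee(uint256 bps) external { feeBps = bps; }

    // Re-entrancy: ETH is sent before the balance is zeroed, so a contract
    // recipient can call withdraw() again from its receive() hook.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        uint256 fee = amount * feeBps / 10_000;
        (bool ok, ) = msg.sender.call{value: amount - fee}("");
        require(ok, "send failed");
        balances[msg.sender] = 0;
    }
}

contract HardenedVault {
    mapping(address => uint256) public balances;
    uint256 public feeBps;
    address public admin;         // meant to be a multi-sig or DAO address
    address public pendingAdmin;
    bool private locked;
    uint256 public constant MAX_FEE_BPS = 1_000; // 10 % cap, chosen for the example

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    modifier nonReentrant() { require(!locked, "reentrant call"); locked = true; _; locked = false; }
    constructor(address multisig) {
        require(multisig != address(0), "zero admin");
        admin = multisig;
    }

    function deposit() external payable { balances[msg.sender] += msg.value; }
    // Access control plus a bound on the parameter.
    function setFee(uint256 bps) external onlyAdmin {
        require(bps <= MAX_FEE_BPS, "fee too high");
        feeBps = bps;
    }

    // Checks-effects-interactions: the balance is zeroed before the external
    // call, and the guard rejects a nested call regardless.
    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;
        uint256 fee = amount * feeBps / 10_000;
        (bool ok, ) = msg.sender.call{value: amount - fee}("");
        require(ok, "send failed");
    }

    // Two-step hand-over of admin rights to a multi-sig or DAO: the new admin
    // must accept, so a mistyped address cannot lock out the admin functions.
    function transferAdmin(address newAdmin) external onlyAdmin { pendingAdmin = newAdmin; }
    function acceptAdmin() external {
        require(msg.sender == pendingAdmin, "not pending admin");
        admin = pendingAdmin;
        pendingAdmin = address(0);
    }
}
```

A flash loan makes the vulnerable version worse, not different: it only enlarges the balance an attacker can pass through the flawed withdraw() path in one transaction, which is why the fixes above matter regardless of the attacker's capital.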

Our statistics show that hackers were still very active in using social media tools, especially Discord, to launch phishing attacks. This persisted through 2022 and Q2 2023 and will very likely persist for the whole of 2023. Many users have suffered huge losses. Project developers and managers are advised to prioritize managing their social media accounts safely and securely, and to find security solutions for them, on top of project implementation.

FOR BLOCKCHAIN USERS

More users are diversifying their crypto portfolios across different blockchains, and the demand for cross-chain transactions is rapidly increasing. Whenever a user takes part in a cross-chain transaction, the user has to interact with a cross-chain bridge, a popular target among hackers. Before starting a cross-chain transaction, users are therefore advised to investigate the bridge’s security posture and make sure they use a reliable, safe and secure bridge.

While paying close attention to smart contract security when interacting with a dApp remains necessary, it is increasingly important to also pay attention to the security of the user interface and to watch for suspicious messages, prompts and behavior presented by the UI.

We strongly urge users to check whether a project has audit reports and read these reports before proceeding with further actions.

Use a cold wallet or a multi-sig wallet where possible to manage crypto assets that are not traded frequently. Be careful when using a hot wallet, and make sure the hardware on which the hot wallet is installed is safe and secure.

Be cautious of a dApp whose team members are unknown or lack a reputation; such dApps may turn out to be rug-pull projects. Likewise, be cautious of a centralized exchange that has not established a reputation or has no tracked transaction data on third-party media, as it may also turn out to be a rug-pull project.

REFERENCES

[1] Aave. https://aave.com/

[2] Flash-loans. https://aave.com/flash-loans/

[3] ERC-20 TOKEN STANDARD. https://ethereum.org/en/developers/docs/standards/tokens/erc-20/

[4] Sidechains. https://ethereum.org/en/developers/docs/scaling/sidechains/

[5] Layer-2. https://academy.binance.com/en/glossary/layer-2

[6] zkLink. https://zk.link/

[7] CoreDAO. https://coredao.org/

[8] Radix. https://www.radixdlt.com/

[9] Manta. https://manta.network/

[10] LayerZero. https://layerzero.network/

[11] BNB Chain. https://www.bnbchain.org/en

[12] Jimbos Protocol. https://www.v2.jimbosprotocol.xyz/
