Cointime

Cointime

Download App
iOS & Android

SharkTeam: Q2 2023 Web3 Security Report

According to data from SharkTeam's on-chain security analysis platform, ChainAegis, there were a total of over 228 security incidents in the Web3 sector during the second quarter of 2023, resulting in a cumulative loss of over $307 million. Despite a slight increase of approximately 8.05% compared to the previous quarter (211 incidents), Web3 security incidents continued to occur at a high frequency. However, the amount of funds lost decreased by 19.79% compared to the previous quarter ($383 million).

In this quarter, security incidents related to contract vulnerabilities have significantly increased, with a year-on-year increase of 64% and a quarter-on-quarter increase of 105%. SharkTeam hereby reminds project teams to prioritize contract audits to avoid unnecessary losses.

The number of Rug Pull incidents and other security incidents has remained relatively stable compared to the previous quarter. There is a wide variety of security incident types, and hackers continue to employ sophisticated attack methods, constantly coming up with new techniques. It is crucial for users to remain vigilant and not underestimate the risks when engaging with investment projects.

In the second quarter, the proportion of contract vulnerability incidents increased significantly compared to the previous quarter.

1. Contract Vulnerabilities

There were a total of 41 security incidents caused by contract vulnerabilities in the second quarter of 2023, resulting in a cumulative loss of over $74.1969 million.

On June 11th, Floating Point Group (FPG) was attacked, resulting in a loss of over $20 million. This incident was the most severe security event in terms of loss caused by contract vulnerabilities in this quarter.

On April 13th, Yearn Finance was targeted by a hacker attack, resulting in a loss of approximately $11.6 million. This event ranked second in terms of losses caused by contract vulnerabilities in this quarter. The attack was due to the attacker exploiting an incorrectly set fulcrum address in the yUSDT contract, enabling them to manipulate the stablecoin reserve balance within the yUSDT contract. By depositing USDT into yUSDT, they gained a significant amount of unexpected yUSDT tokens for profit.

Below are the specific losses incurred from other security incidents caused by contract vulnerabilities in this quarter:

In the second quarter of 2023, contract security vulnerabilities included permission vulnerabilities, logic vulnerabilities, reentrancy attacks, price manipulation, and others. Security incidents caused by logic vulnerabilities remained the highest, accounting for 54% and experiencing a significant increase of 175% compared to the previous quarter.

On May 6th, 2023, DEUS's stablecoin DEI contract had a burn logic vulnerability, resulting in an attacker profiting approximately $6.3 million. Logic vulnerabilities can be identified during the contract security audit phase, and project teams should opt for more professional third-party auditing firms to minimize losses caused by contract vulnerabilities.

Permission vulnerabilities refer to flaws in contract authorization checks that allow attackers to bypass permission checks and gain higher operational privileges after obtaining a low-privileged user account. Security incidents caused by permission vulnerabilities accounted for 7% of the total in the second quarter of 2023. On June 15th, Hashflow experienced an attack related to authorization, resulting in a loss of approximately $410,000.

Flash loan attacks continued to occur, with significant impact. Attack methods mainly included flash loan + governance attacks, flash loan + price manipulation attacks, and flash loan + reentrancy attacks. In this quarter, both price manipulation and reentrancy attacks accounted for 10% of contract vulnerability incidents.

On June 12th, the DeFi lending protocol Sturdy was attacked, resulting in a loss of approximately $770,000. The attacker utilized a flash loan + price manipulation attack. On May 20th, Tornado.Cash fell victim to a flash loan + governance attack, with the attacker profiting around $680,000.

2. Rug Pull

In the second quarter of 2023, there were a total of 31 Rug Pull incidents, resulting in a cumulative loss of over $15.1883 million. XIRTAM, a project built on the Arbitrum ecosystem, was a reputation-building platform that advocated for the anonymous and decentralized establishment of digital reputations. Users participating in activities on the XIRTAM system were rewarded. On May 3rd, the project behind XIRTAM executed a Rug Pull, where the deployer absconded with approximately 1,909 ETH of user funds. This incident was the most severe Rug Pull event in terms of loss in this quarter. Additionally, Swaprum, Merlin, and $KOKO experienced losses exceeding $1.5 million in this quarter.

The majority of fraudulent activities by project teams were concentrated on the Ethereum (ETH) blockchain, with some incidents occurring on the Binance Smart Chain (BSC). A few incidents also took place on the Arbitrum network and other platforms.

3. Other Risks

In the second quarter of 2023, there were a total of 156 security incidents classified under other types. Out of these, 78 incidents involved server attacks, accounting for the largest proportion at 50%, which represents a 12% increase compared to the previous quarter. Phishing attacks ranked second with a cumulative total of 50 incidents, accounting for 32% of the total, which saw a 16% decrease compared to the previous quarter.

There was a slight increase in other types of incidents compared to the previous quarter, such as theft of hot wallets, NFT theft, royalty vulnerabilities, and disruption of trading applications, among others. Hackers continuously update their fraudulent techniques, expanding their reach into various domains. When engaging in project investments, it is essential to remain cautious and vigilant to avoid potential losses that may arise from seemingly minor risks.

• On April 14th, the digital asset trading platform Bitrue tweeted that they discovered a vulnerability in a hot wallet, and attackers had stolen approximately $23 million worth of ETH, MATIC, and other assets.

• On April 20th, a fake account with the handle @aidogenft, claiming to be the official ArbDoge AI, started sharing phishing links at hxxps://aidoge.me/.

• On May 20th, the U.S. Department of Justice announced that a man from Nevada was charged for his alleged involvement in CoinDeal, an investment fraud scheme that defrauded over 10,000 victims of more than $45 million.

• On May 31st, one of the deployment private keys for the unshETH contract in the LSD protocol was leaked, prompting the official suspension of withdrawals for unshETHETH as a precautionary measure.

• On June 14th, users of the Atomic Wallet suffered losses exceeding $100 million in a hacking attack. This marked the first major cryptocurrency theft since the $100 million attack on Horizon Bridge one year ago.

• On June 12th, the Swiss government announced that federal administrative agencies were hit by a DDoS attack, causing certain websites and applications to become unavailable.

• On June 16th, the @ShellProtocol Discord server experienced a cyberattack.

The ever-changing and evolving attack methods reflect the constant evolution of fraud and intrusion techniques employed by hackers and scammers. Therefore, users should always maintain a respectful awareness of the risks, avoid greed and complacency, remain vigilant at all times, and take necessary precautions to prevent asset losses.

About us

SharkTeam’s vision is to comprehensively protect the security of the Web3 world. The team is composed of experienced security professionals and senior researchers from all over the world. They are proficient in the underlying theory of blockchain and smart contracts, and provide services including smart contract auditing, on-chain analysis, and emergency response. It has established long-term cooperative relationships with key players in various fields of the blockchain ecosystem, such as Polkadot, Moonbeam, polygon, OKC, Huobi Global, imToken, ChainIDE, etc.
Official website: https://www.sharkteam.org/
Twitter: https://twitter.com/sharkteamorg
Discord: https://discord.gg/jGH9xXCjDZ
Telegram: https://t.me/sharkteamorg

Web3 SharkTeam
Comments

All Comments

Recommended for you

  • RWA platform Re completes new round of financing of US$7 million, led by Electric Capital

    Re, a tokenized reinsurance RWA platform, has completed a new round of funding of $7 million, led by Electric Capital. It is reported that the project had completed a seed round of funding of $14 million at the end of 2022. Re's goal is to support $200 million in premiums by the end of this year.

  • Crypto prediction market Polymarket has raised $70 million in two rounds of funding

    Peter Thiel's venture capital firm, Founders Fund, is investing in the cryptocurrency prediction market Polymarket. A spokesperson for Polymarket stated that the company has raised $70 million in two rounds of financing, with the latest round led by Founders Fund. The company's supporters also include Ethereum co-founder Vitalik Buterin, and it has been attracting users to predict the outcomes of various events, with bets on the 2024 US presidential election becoming the most popular contract on its platform.

  • ChainML raises $6.2m in seed extension funding for community-governed AI platform, Theoriq

    ChainML, a Silicon Valley-based AI and ML development and research lab, has raised $6.2m in seed extension funding for its AI platform called Theoriq. The funding round was led by Hack VC and included participation from several other venture capital firms. The company plans to use the funds to expand its development efforts and continue building community-governed AI systems based on principles of social evolution and blockchain technology. CEO Ron Bodkin expressed excitement about the potential for unlocking new potentials for AI integration within the decentralized space.

  • Zeta Markets Raises $5 Million in Token Funding Round

    Solana DEX Zeta Markets raised $5 million in a new round of funding led by Electric Capital. Other investors in this round of funding include Digital Asset Capital management company, Selini Capital, and Airtree Ventures. Angel investors include Solana's Anatoly Yakovenko, Helius' Mert Mumtaz, Tensor's Richard Wu, Pyth's Genia Mikhalchenko, Wintermute's JMR Luna, and Bonk's Nom also participated in this round of funding.

  • Tornado Cash Developer Alexey Pertsev Sentenced to 64 Months in Prison

    On Tuesday, a Dutch judge ruled that Tornado Cash developer Alexey Pertsev was guilty of money laundering. The court sentenced Pertsev to 64 months in prison. In August 2022, Tornado Cash was blacklisted by the US government, and this is the first time the developer has been sentenced to prison in the Netherlands. At the time, the US Treasury Department claimed that Tornado Cash was a key tool for the North Korean hacker group Lazarus. The Lazarus group is linked to the $625 million hack of Axie Infinity's Ronin Network and other major cryptocurrency thefts.

  • Dutch court finds Tornado Cash founder Alexey Pertsev guilty of money laundering

    A Dutch court composed of three judges has ruled that Tornado Cash developer Alexey Pertsev committed the crime of laundering $1.2 billion in illegal assets on a cryptocurrency mixing platform. It is expected that the panel will also sentence 31-year-old Russian resident Alexey Pertsev on Tuesday, and Pertsev's lawyer will have 14 days to appeal the judge's ruling. Experts say that this ruling will reshape the privacy protection process in the decentralized finance field and have a "chilling effect" on the development of open-source software that provides financial privacy protection tools for users.

  • Cross-border money laundering group laundered HK$88 million, 8 people arrested

    The Hong Kong Police Commercial Crime Bureau locked onto a cross-border money laundering group in November 2023. The investigation found that the group recruited mainlanders to open puppet bank accounts in Hong Kong from September 2023 to March 2024. They used various types of fraud, such as telephone scams, nude chat scams, investment scams, and job scams to defraud victims. The victims were instructed by the fraudsters to deposit the stolen money into the puppet accounts controlled by the criminal group. The group would then withdraw the stolen money from the puppet accounts in cash and buy cryptocurrencies on the over-the-counter (OTC) market. They would also open accounts on overseas cryptocurrency platforms with false identities and deposit the cryptocurrencies purchased with the stolen money before transferring them to multiple cryptocurrency wallets to launder the criminal proceeds. The police also pointed out that the group used 72 local puppet bank accounts to launder more than HKD 88 million in criminal proceeds, of which HKD 6.7 million was related to 48 fraud cases. As of yesterday, the police arrested 7 men and 1 woman aged between 26 and 51 for conspiring to launder black money. They claimed to be a lifeguard, photographer, telephone programmer, salesperson, and unemployed. Six of them were core members, and two were puppet account holders.

  • Sharp Alpha Advisors Raises $25M for Second Fund Targeting Early Stage Software Companies in Sports, Gaming, and Entertainment Industries

    New York-based venture capital firm Sharp Alpha Advisors has secured $25 million for its second fund, which will primarily invest in early stage software companies in the sports, gaming, and entertainment sectors. The fund aims to invest between $1 million and $2 million in 15 startups that fall under the category of "competitive entertainment," such as technology firms catering to sports betting, fantasy sports, streaming platforms, and video games. Sharp Alpha has already invested in London-based technology startup C15 Studio, which operates and distributes streaming channels for Formula 1 and One Championship, and plans to make further investments over the next three to five years. Additionally, the firm has a sidecar vehicle for limited partners to invest more money in individual companies within the fund.

  • cointelegraph ·

    OKX Ventures invests in Web3 ‘play ARPG to train AI’ game Blade of God X

    The game is currently available in early access on the Epic Games Store.

    OKX Ventures invests in Web3 ‘play ARPG to train AI’ game Blade of God X

  • Barcelona-based Web3 Video Games Startup GFAL Raises $3.2M in Seed Funding to Expand Team and Accelerate Production Plans

    Barcelona-based startup GFAL has secured $3.2 million in seed funding from investors including Supercell Ltd and Mitch Lasky. The company plans to use the funds to expand its team and accelerate its game production plans, which leverage AI and Web3 technology for immersive gameplay. GFAL's Elemental Raiders mobile game soft-launched in March 2023, with plans to build on this for a 2024 launch. CEO Manel Sort expressed gratitude for the investment and excitement to work with former colleagues from Digital Chocolate.

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company