Web3 platforms and crypto networks were rocked in 2023 by over $1.8 billion lost across 751 reported security incidents, according to Cointelegraph
This staggering sum represents over half of the $3.7 billion drained by hacks in 2022, showing that while incremental progress has been made, lax security practices continue plaguing many cryptocurrency users and decentralized applications.
While the total amount stolen dropped 51% compared to 2022, the 751 successful attacks in 2023 still represent massive breaches that now seem commonplace to this emerging technology vertical.
Experts warn that certain attack vectors are increasing frequently as hackers get more advanced and complex layers of Web3 infrastructure provide wider attack surfaces.
Cross-chain bridges felt particularly heavy losses in 2023, with over $788 million stolen from bridges across 121 different security events. This represents a massive 313% increase from the $190 million stolen through bridge hacks just a year earlier in 2022.
DeFi protocols remain a common target, with over $329 million stolen from decentralized finance apps across 241 incidents last year.
As we look towards 2024, here are 10 of the most exploited Web3 vulnerabilities that are likely to lead to more major headline-grabbing hacks and tens or hundreds of millions in additional crypto drained from users:
Price Oracle Manipulation
Price oracles are services that send real-world price information to blockchain networks. Decentralized finance (DeFi) apps need to know the prices like stocks or currencies to work properly. Over $50 million was recently stolen by hacking price oracles.
The hackers find weaknesses in the software these oracles use. Then, they trick the oracles into sending false price data to DeFi apps. For example, they may make an oracle say Bitcoin is worth $1 when it's really worth $47,000.
DeFi apps trust the Oracle data they get. So, if they get tricked into thinking prices are very low, hackers can game the system by taking out flash loans. Flash loans let you borrow without collateral but must be paid back quickly.
Hackers can rapidly drain money from DeFi liquidity pools by using flash loans with fake low prices before anyone detects the bad data. Over 100 DeFi hacks happened this way in 2023, stealing tens of millions from price Oracle issues.
Teams must better secure oracles to prevent many of these attacks from now on, as this is the only way. data can be served to the blockchain
Stolen Private Key/Hash
Private keys and password hashes protect access to crypto wallets. When these get stolen, hackers have full control to steal funds.
Hackers steal private keys and passwords through phishing attacks, malware, or guessing weak passphrases.
Phishing uses fake login pages to trick users into entering their credentials. Malware secretly records if users type in a private key. Weak, easy-to-guess passwords also allow access.
Once hackers get this sensitive account info, they can secretly drain wallets, and users have no recourse. The transactions look valid to the blockchain.
Reward Manipulation
Many apps in crypto give out rewards to users who participate. These rewards are paid out automatically by smart contracts. Over $30 million in user rewards were stolen by hackers in 2023.
The hackers find bugs in the smart contract code that pays out rewards. Then, they exploit those bugs to trick the contract into sending them other users' reward coins or tokens.
For example, one hacker discovered a contract flaw that let him drain 2,000 users' token rewards. He stole over $10 million worth of crypto rewards meant to be claimed by those users.
Hackers often find ways to get smart contracts to generate much bigger reward payouts than other users.
Across dozens of attacks in 2023, flaws in reward programs let hackers walk away with tens of millions intended for honest crypto app users.
Insufficient Function/Access Control
Smart contracts run functions that perform actions like sending crypto. Functions should only be usable by certain people - for example, setting up a constructor function to ensure only the msg.sender
or a require
function to limit who can call the contract.
But often, developers forget to add "access controls" to restrict functions. This lets anyone run admin commands they shouldn't be able to.
For example, one hack happened because any user could run a "drain wallet" command just for the developer. Over $20 million was stolen this way in 2023 by regular users running powerful functions.
Allowing too much access has enabled over 45 hacks to steal over $100 million in funds that were supposed to be locked away.
Hacks From Faulty Contract Logic
Smart contracts are code programs that hold and control money. But they often contain logic errors hackers can exploit to steal funds.
One common error is overflow/underflow bugs. This happens when the code doesn’t handle large or small numbers properly. Hackers craft transactions to trigger overflows, letting them set super high token balances to steal from contracts.
Another example is reentrancy bugs. We explain more below. These logic flaws let hackers make multiple withdrawal requests before the contract updates account balances.
In 2023, over 300 hacks were stealing around $200 million due to plain programming errors like these in smart contracts.
Teams need extensive testing and audits to remove logic bugs, as their effects can be disastrous. Leaving sloppy code controlling millions while on public blockchains is a recipe for repeated headaches until basic diligence improves across builders.
Hacks from Poor Input Checking
Users can input data into smart contract functions, like sending a transaction with parameters. The contract needs to validate and check this input data is as expected before using it.
But hackers find contracts without enough checking on user input. They pass in crafted malicious data designed to trigger bugs and steal funds.
For example, not double-checking the amount of a transfer request enables hackers to set super high transfer amounts to drain contracts. Over $150 million was stolen in 2023 from lack of input validation, leading to hacks like overflow attacks.
Teams must add robust checks on all user inputs. Codes should analyze and confirm data is within expected bounds before blindly running functions.
Skipping input checking is like leaving your front door open - it invites thieves to walk in and take whatever they want. Fixing validation gaps will be key to lowering future losses.
Governance Attack
Decentralized autonomous organizations (DAOs) are communities that allow members to vote on decisions. DAOs often hold large treasuries of crypto assets.
In 2023, over $250 million was stolen from DAOs in governance attacks. Hackers look for bugs in the voting systems or treasury management schemes of DAOs.
For example, one hacker found he could split a governance vote by tricking a smart contract into thinking there were double the actual number of voters. This gave him a majority vote to transfer the DAO coins to himself.
Other times, bugs have allowed hackers to bypass proposal queues or voting periods. They could instantly pass privileged commands to transfer DAO funds with no vote at all.
DAO creation platforms must make governance processes and treasury administration
unhackable. Voting and discussion underlie community trust; leaving openings for governance hijacking could severely set back the evolution of decentralized organizations.
Read Only Reentrancy
Reentrancy hacks allow attackers to make multiple withdrawals from a contract before balances get updated. These stole over $800 million in 2023.
Normally, reentrancy is blocked if the hacker tries to make a second withdrawal in the same transaction. But clever hackers found a way around this through fake read-only transactions.
Read-only means the transaction doesn’t intend to change the contract state, like only viewing a balance. The contract still allows these to do multiple lookups since nothing is modifying data.
But hackers can subtly slip in code to transfer funds or approve token allowances in these fake read-only transactions. By disguising the withdrawal calls, they can drain money while avoiding suspicion.
Over $100 million was stolen in 2023 using this tricky form of reentrancy. Contracts need stricter handling of external calls to avoid leaving openings for these disguised attack techniques.
Regular Reentrancy
Reentrancy remains one of the most common and dangerous smart contract security flaws. It can be used to drain funds from contracts securing millions of dollars, as seen in historical hacks like The DAO exploit. The risk of reentrancy continues to grow as more DeFi protocols are developed.
The Importance of Audits
There are mainly three types of security audits performed on Web3 platforms and code:
- Smart Contract Audits - Manual reviews of smart contract logic to identify security vulnerabilities.
- Penetration Testing - Attempting to hack and exploit a system or application actively.
- Security Analysis - Holistic review of system architecture, inputs, dependencies, etc., to find risks.
Audits are critical because most Web3 systems are decentralized and irreversible by design, so exploits and drained funds cannot be reversed or stopped by traditional means. Audits help project teams proactively identify and fix vulnerabilities before hackers find them.
If you find this article thrilling, discover extra thrilling posts like this on Learnhub Blog; we write a lot of tech-related topics from Cloud computing to Frontend Dev, Cybersecurity, AI, and Blockchain. Take a look at How to Build Offline Web Applications.
Resource
- Getting Started with Foundry for Beginners in 2024
- What are Smart Contracts?
- Create a Raffle Draw Smart Contract Using Foundry 2024 (Part 1)
Gift us a cup of coffee if you are so kind.
Top comments (0)