Web3 lost $644 million in six months, with contract logic vulnerabilities becoming the main target for hackers.

Analysis of Common Attack Methods in the Web3 Field in the First Half of 2022

In the first half of 2022, the Web3 security sector faced severe challenges. Data shows that there were 42 major attack incidents caused solely by contract vulnerabilities, resulting in total losses of up to $644 million. Among these attacks, logic and function-design flaws were the vulnerability class hackers exploited most often, followed by verification issues and reentrancy vulnerabilities.

"Anonymous" tactics disassembled: What are the common attack methods used by hackers in Web3 in the first half of 2022?

Major Loss Cases

On February 3, a certain cross-chain bridge project was attacked, resulting in a loss of approximately $326 million. The hacker exploited a signature verification vulnerability in the contract to successfully forge accounts and mint tokens.

On April 30, a lending protocol suffered a flash loan reentrancy attack, resulting in a loss of $80.34 million. This attack dealt a fatal blow to the project, ultimately leading to its closure.

The attacker carried out the attack in the following steps:

  1. Take a flash loan from a liquidity pool.
  2. Exploit the reentrancy vulnerability in the lending platform's cEther-based contract.
  3. Drain all tokens from the affected pool through the attack contract.
  4. Repay the flash loan and transfer out the proceeds of the attack.

Common Vulnerability Types

During the smart contract audit process, the most common vulnerabilities can be divided into four major categories:

  1. ERC721/ERC1155 reentrancy: malicious code in the token-transfer notification (receiver hook) function re-enters the contract.
  2. Logic flaw:
    • Special scenarios not considered, such as a self-transfer that creates balance out of nothing.
    • Incomplete functional design, such as missing withdrawal or settlement mechanisms.
  3. Missing authentication: key functions have no access control.
  4. Price manipulation:
    • No time-weighted average price (TWAP) is used.
    • The ratio of token balances held by the contract is used directly as the price.
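A minimal illustration of the self-transfer logic flaw listed above, written for this page and not taken from any audited project: the first contract reads both balances into locals before writing them back, so a transfer to oneself ends with more tokens than before; the second updates storage in place and is unaffected.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (not code from any audited project): a token whose
// transfer() caches both balances before writing them back. Because sender
// and recipient may be the same address, the second write overwrites the
// first and the caller's balance grows by `amount` out of nothing.
contract SelfTransferBug {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1000; }

    function transfer(address to, uint256 amount) external {
        uint256 fromBal = balanceOf[msg.sender];
        uint256 toBal = balanceOf[to];            // stale copy if to == msg.sender
        require(fromBal >= amount, "insufficient balance");
        balanceOf[msg.sender] = fromBal - amount; // e.g. 1000 -> 0
        balanceOf[to] = toBal + amount;           // e.g. 1000 + 1000 -> 2000
    }
}

// Hardened version: update storage in place so a self-transfer is a no-op.
contract SelfTransferFixed {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1000; }

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        // When to == msg.sender this reads the already-decremented value,
        // so the balance ends exactly where it started.
        balanceOf[to] += amount;
    }
}
```

A unit test that calls transfer(self, fullBalance) and asserts the balance is unchanged is the cheapest way to catch this class of bug before an audit.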

Vulnerability Prevention

Almost every vulnerability class found in audits has already been exploited by hackers in real incidents. Among them, contract logic vulnerabilities remain the main attack point. Most of these vulnerabilities can be discovered during the audit phase through professional formal verification platforms and manual reviews by security experts.

To enhance the security of Web3 projects, it is recommended that the development team:

  1. Conduct a comprehensive contract security audit
  2. Emphasize special scenario testing
  3. Implement strict permission management
  4. Use reliable price oracles
  5. Follow the "Check-Effect-Interaction" design pattern

As attack methods continue to evolve, ongoing security awareness and upgrades to protective measures are crucial for the healthy development of the Web3 ecosystem.

AirdropSweaterFanvip
· 08-18 13:16
Oh no, it's another issue with smart contracts.
ser_we_are_earlyvip
· 08-18 01:54
Rekt 6 e, guys, we are still early.
BakedCatFanboyvip
· 08-15 23:59
The project party is all busy with their Rug Pulls.
InscriptionGrillervip
· 08-15 15:23
Another wave of suckers has been played for suckers. Unlock the classics.
OPsychologyvip
· 08-15 15:16
The money is gone, the money is gone, but the contract is still there.
SigmaBrainvip
· 08-15 15:11
Money is gone, so it’s gone, right? Daily life.
MEVHuntervip
· 08-15 15:05
just another day in defi... weak contracts get rekt, alpha leaks everywhere smh
GateUser-40edb63bvip
· 08-15 14:59
Just knowing that exploiting vulnerabilities is really annoying.