Top 10 Web3 hacks of 2023 constituted nearly 70% of total losses

Rick Steves

For each type of Web3 attack, there is a distinct approach to safety. The comprehensive report prepared by the expert team at Salus explains how to go about each of them.  

In 2023, the Web3 security landscape witnessed both resilience and challenges, with cyberattacks causing losses exceeding $1.7 billion across 453 reported incidents, according to Salus, a research-driven web3 security company.

Notable trends included a decline in overall losses, contrasting with high-profile exploits like Mixin Network’s $200 million loss, Euler Finance’s $197 million loss, and Multichain’s $126.36 million loss.

Common vulnerability in access control issues

Vulnerabilities were diverse, with exit scams, access control issues, phishing, flash loan attacks, reentrancy, Oracle issues, and other vulnerabilities contributing to losses. Safety measures highlighted thorough project research, caution regarding high-return promises, robust access control mechanisms, Web3 penetration testing, and protective measures against flash loan attacks and reentrancy vulnerabilities.

The top 10 hacks of 2023, constituting nearly 70% of total losses, revealed a common vulnerability in access control issues, particularly private key thefts. Lazarus Group played a significant role in multiple breaches, draining funds from compromised hot wallets.

Major incidents included Mixin Network’s cloud breach, Euler Finance’s vulnerability exploit, Multichain’s asset movement, Poloniex’s Lazarus Group hack, BonqDAO’s oracle manipulation, Atomic Wallet’s North Korean Lazarus Group attack, HECO Bridge and HTX losses, Curve and Vyper’s compiler bug, AlphaPo’s sophisticated phishing, and CoinEx’s compromised private key.

Despite reduced total losses compared to the previous year, the concentration of losses in the top 10 hacks highlights the need for improved security measures. Rigorous auditing, Web3 penetration testing, and heightened awareness are crucial, especially in light of evolving infiltration methods demonstrated by the Lazarus Group attacks.

How to be safe in Web3

For each type of Web3 attack, there is a distinct approach to safety. The comprehensive report prepared by the expert team at Salus explains how to go about each of them.

Exit Scams:

  • Conduct thorough research on projects and teams, prioritizing those with a solid track record and transparent security assessments.
  • Exercise caution with projects promising unrealistically high returns, and diversify investments to mitigate risks.

Access Control Issues:

  • Implement robust authentication and authorization mechanisms, following the principle of least privilege.
  • Regularly update access permissions and provide ongoing security training for employees, especially those with high privileges.
  • Establish comprehensive monitoring systems to detect and respond promptly to any suspicious activities across infrastructure and applications.

Phishing:

  • Conduct Web3 penetration testing to identify vulnerabilities in front-end security.
  • Prioritize user education, encourage the use of hardware wallets and multi-factor authentication (MFA).
  • Employ email verification and domain monitoring to enhance phishing prevention measures.

Flash Loan Attacks:

  • Mitigate flash loan risks by implementing restrictions such as minimum borrowing amounts and time limits.
  • Introduce fees for flash loan usage to deter attackers and raise the cost of malicious exploits.

Reentrancy:

  • Adhere strictly to the Check-Effect-Interaction Model, running necessary checks and validations before state changes.
  • Implement comprehensive reentry protection for functions involving sensitive operations within the contract.
  • Conduct thorough smart contract audits by experienced and responsible auditors to mitigate reentrancy vulnerabilities.

Oracle Issues:

  • Avoid using markets with shallow liquidity for price predictions.
  • Assess token liquidity before integrating specific price oracle plans into your platform.
  • Increase the attacker’s manipulation cost through Time-Weighted Average Price (TWAP) to enhance oracle vulnerability protection.
  • Read this next

    Fintech

    Traxys taps Quantifi for risk management in commodities trading

    “We wanted to take a more sophisticated approach to risk management and have a consolidated view of risk exposures across our global operating model. Quantifi was our preferred choice as it has a track record of success in the commodities markets.”

    Digital Assets

    Startale Labs Secures Funding for Web3 Expansion

    Startale Labs, a leader in Japan’s Web3 development, including Astar Network and Startale Web3 Cloud, has raised an additional $3.5m from UOB Venture Management and Samsung Next. This seed extension round boosts their total seed funding to $7m, following a $3.5m investment from Sony Network Communications in June 2023.

    Retail FX

    XS.com acquires South African broker Ubutyebi Financial Services

    XS.com, the multi-regulated financial services provider, has made a strategic move to expand its presence in Africa by acquiring Ubutyebi Financial Services, a licensed Financial Service Provider (FSP) in South Africa regulated by the Financial Sector Conduct Authority (FSCA).

    Digital Assets

    Hong Kong advances legislation on stablecoins and crypto trading

    Hong Kong is moving forward with legislation to regulate stablecoins and crypto over-the-counter (OTC) trading in the latest effort to develop a legal framework to service the city’s digital-asset industry.

    Digital Assets

    Do Kwon to be extradited to US as South Korea request overturned

    Terraform Labs co-founder Do Kwon is set to be extradited to the United States to face fraud charges related to massive losses suffered by U.S. investors due to its algorithmic stablecoin collapse.

    Retail FX

    Prop firm Instant Funding pauses US accounts, citing ThinkMarkets ban

    Proprietary trading firm Instant Funding has become the latest retail platform to halt onboarding new US clients, citing a recent decision by their partner broker, ThinkMarkets.

    Retail FX

    Funded Trader and Alpha Capital switch to cTrader, Lark Funding to DXTrade

    Proprietary trading firms Lark Funding and Alpha Capital have both announced changes to their operations that mainly affect their business with US clients.

    Fintech

    Top 5 Most Reliable KYC Technology Providers

    The financial sector’s trade evolution has led to the emergence of several financial markets that provide excellent opportunities for wealth creation. However, it has also given rise to many fraudulent organisations that attempt to steal money from traders. KYC providers developed and offered KYC technology to combat criminal activity in the field of trading and investing.

    Crypto Insider

    Introducing the Inaugural CMC Crypto Awards by CoinMarketCap

    CoinMarketCap, a leading source for Crypto data and insights, is excited to introduce the inaugural CMC Crypto Awards. This virtual event, running from February 21st to March 6th, celebrates innovators and leaders who are making significant impacts in the Crypto and Web3 sectors.

    <