2023 Q3 Blockchain Ecological Security Report
Author: Fairyproof
Overview
In the third quarter of 2023, the overall performance of the cryptocurrency market remained relatively calm. However, the frequency of security incidents in the ecosystem exceeded the previous two quarters. Approximately $572 million worth of crypto assets were lost in various security incidents during this quarter.
Fairyproof studied and analyzed 198 typical cases reported in the third quarter, and explored the characteristics of the security ecosystem reflected in these events, as well as the relevant precautionary measures that users can take.
Background Introduction: Before presenting the detailed research findings of Fairyproof’s report, it is necessary to explain and clarify the relevant terms used in this report.
CCBS
CCBS refers to “Centralized Cryptocurrency or Blockchain Service Providers.” It usually refers to non-blockchain, centrally operated platforms that mainly rely on traditional centralized technologies and engage in off-chain activities. Examples of this type include traditional cryptocurrency exchanges (such as Binance) and cryptocurrency issuance and acceptance platforms (such as Tether).
Flashloan
A Flashloan is a contract invocation method invented by the well-known DeFi application AAVE, and it has become a common and popular method used by hackers to attack smart contracts on Ethereum virtual machine platforms. The invocation allows a user to borrow crypto assets directly from a DeFi application that supports this functionality without any collateral; the transaction is valid as long as the user repays the assets within that single block transaction. The feature was originally invented to give DeFi users a more flexible and convenient means to engage in various on-chain financial activities. Because of that flexibility, however, Flashloans later became the tool hackers most commonly use to borrow ERC-20 tokens and then deploy them in attacks. Before initiating a Flashloan, the user must describe the logic of borrowing (the assets) and repayment (the assets plus interest and related fees) in a contract, and then invoke that contract to initiate the Flashloan.
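The following is an added illustration of the mechanism just described; it is not AAVE's code and not code from any project in this report. It shows the two sides of a flash loan: a lender that hands out tokens with no collateral, calls back into the borrower, and enforces that principal plus fee is back in the pool before the transaction ends, and a borrower that implements the callback. The contract and interface names, the fee rate, and the ERC-20 subset used are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not AAVE's implementation): the minimal shape of a flash loan.
// The lender sends tokens, calls back into the borrower, then checks that
// principal plus fee has been returned before the transaction can complete.
// IERC20 here is the subset of the ERC-20 standard that the example needs.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IFlashBorrower {
    // Called by the lender after the tokens have been sent. The borrower must
    // leave `amount + fee` in the lender's balance before returning.
    function onFlashLoan(address token, uint256 amount, uint256 fee, bytes calldata data) external;
}

contract FlashLender {
    IERC20 public immutable token;
    uint256 public constant FEE_BPS = 9; // 0.09% fee, a constructed value
    bool private locked;                 // blocks nested flash loans

    constructor(IERC20 _token) { token = _token; }

    function flashLoan(uint256 amount, bytes calldata data) external {
        require(!locked, "reentrant");
        locked = true;

        uint256 fee = (amount * FEE_BPS) / 10_000;
        uint256 balanceBefore = token.balanceOf(address(this));
        require(amount <= balanceBefore, "insufficient liquidity");

        // 1. Lend: tokens leave the pool with no collateral posted.
        require(token.transfer(msg.sender, amount), "transfer failed");

        // 2. The borrower runs its own logic inside the same transaction.
        IFlashBorrower(msg.sender).onFlashLoan(address(token), amount, fee, data);

        // 3. Repayment invariant: if the pool is not whole again, the entire
        //    transaction reverts, so the loan never took effect on-chain.
        require(token.balanceOf(address(this)) >= balanceBefore + fee, "loan not repaid");

        locked = false;
    }
}

// A borrower that simply repays. A real borrower puts its own work (swaps,
// liquidations, etc.) between receiving the tokens and repaying them.
contract SimpleBorrower is IFlashBorrower {
    FlashLender public immutable lender;

    constructor(FlashLender _lender) { lender = _lender; }

    function onFlashLoan(address token, uint256 amount, uint256 fee, bytes calldata) external override {
        // Only accept callbacks from the lender this borrower was built for.
        require(msg.sender == address(lender), "untrusted lender");
        // ... work with `amount` would go here ...
        require(IERC20(token).transfer(address(lender), amount + fee), "repay failed");
    }

    function borrow(uint256 amount) external {
        lender.flashLoan(amount, "");
    }
}
```

The borrower must already hold at least the fee in tokens, since everything else it repays is the loan itself. The point for defenders is the last `require` in `flashLoan`: a flash loan gives no attacker free money, only temporary capital that is large enough to move prices or pass balance-based checks inside a single transaction, which is why contracts that read spot balances or prices as inputs are the ones this primitive puts at risk.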
Cross-Chain Bridge
A Cross-Chain Bridge is an infrastructure that connects multiple independent blockchains, allowing tokens deployed on different blockchains to circulate among them.
As more and more blockchains have their own ecosystems, applications, and crypto assets, the demand for inter-blockchain communication and transactions has significantly increased. This has also made Cross-Chain Bridges a popular target for hackers.
Report Highlights
Fairyproof conducted a detailed study of 198 typical security events that occurred in the third quarter of 2023. This report provides a statistical analysis of factors such as the amount of losses caused by these events and their causes, and also provides corresponding prevention recommendations and measures.
Statistical Analysis of Security Incidents in the Third Quarter of 2023
The Fairyproof research team conducted a detailed study of the 198 prominent security incidents in the third quarter of 2023, compiling statistics on and analyzing the targets attacked and the sources of the attacks.
The total loss of crypto assets caused by these 198 security incidents amounts to $572 million, while the total value of mainstream cryptocurrencies displayed on Tradingview reached $105.6 billion. The proportion of the lost assets to the total market value is 0.05%.
Security Incidents Based on the Division of Victims
The security incidents studied by Fairyproof can be divided into the following four categories based on their victims:
1. Centralized cryptocurrency or blockchain service institutions (referred to as CCBS)
2. Blockchains
3. Decentralized applications (dApps)
4. Cross-chain bridges
In this report, CCBS security incidents refer to attacks or damage to CCBS systems. In these incidents, the assets held by CCBS are stolen or the operation of the services is forcibly interrupted. Blockchain security incidents refer to attacks or damage to the mainnet, side chains, or second-layer extension systems attached to the mainnet. In these incidents, hackers launch attacks from inside or outside the system or both, leading to abnormal system software or hardware and asset losses.
dApp security incidents refer to attacks on dApps that prevent them from functioning normally, thus giving hackers the opportunity to steal the crypto assets managed within the dApps.
Cross-chain bridge security incidents refer to attacks on cross-chain bridges that prevent them from functioning properly, and may even lead to the theft of the crypto assets handled in their transactions.
Fairyproof has categorized the total of 198 incidents into the aforementioned four categories, and their proportional distribution is shown in the following chart:
From the chart, it can be seen that dApp security incidents account for 86.87% of the total, surpassing any other category. Out of the 198 incidents, 4 are CCBS security incidents, 14 are blockchain security incidents, 4 are cross-chain bridge security incidents, and 172 are dApp security incidents.
Blockchain Security Incidents
Security incidents involving blockchains can be further divided into the following three categories:
i. Blockchain mainnets
ii. Side chains
iii. Layer 2 solutions
Blockchain mainnets, also known as Layer 1, are independent blockchains with their own networks, protocols, consensus, and validators. Blockchain mainnets can validate transactions, data, and blocks, and all of this verification work is done by their own validators and ultimately achieves consensus. Bitcoin and Ethereum are typical examples of blockchain mainnets.
A sidechain is a separate blockchain that operates in parallel with the main blockchain. It also has its own consensus and validators, but it is connected to the main blockchain in some way (such as through two-way pegging) and relies on the main blockchain for security and finality. Its main purpose is to address the scalability of the main blockchain and process transactions at lower cost. Since 2021, second-layer scaling solutions attached to Ethereum have seen rapid development.
Sidechains and second-layer scaling solutions both aim to address the scalability of the main blockchain. The main difference between the two is that a sidechain does not rely on the main blockchain for security and consensus, while a second-layer scaling solution does.
In the third quarter of 2023, there were a total of 14 security events related to blockchain. The following graph shows the proportions of the main blockchain, sidechains, and second-layer scaling solutions.
From the graph, we can see that the proportions of security events related to the main blockchain and second-layer scaling solutions are 92.86% (13 cases) and 7.14%, respectively. There were no typical sidechain security events. The second-layer scaling solutions involved systems like Metis, while the main blockchain security events involved networks like Mixin, Quai Network, Swisstronik, SwapDex Blockchain, Aptos, etc.
DAPP Security Events
Among the 172 security events involving dApps, 16 were exit scams, 1 was collateral damage, and 155 were direct attacks. Direct attacks on dApps usually involve three aspects: the dApp's frontend, backend, and smart contracts. Therefore, we divide the 155 directly attacked events into the following three categories:
i. dApp Frontend
ii. dApp Backend
iii. dApp Contracts
In the events where dApp frontends were attacked, hackers mainly exploited frontend vulnerabilities to steal assets or disrupt services.
In the events where dApp backends were attacked, hackers mainly exploited backend vulnerabilities, such as hijacking communications between the backend and contracts, to steal assets or disrupt services.
In the events where dApp contracts were attacked, hackers mainly exploited contract vulnerabilities to steal assets or disrupt services. The following graph shows the proportions of these three categories of attacked events:
As shown in the above figure, the proportions of contract, backend, and frontend attacks are 19.35%, 0%, and 80.65%, respectively. Out of a total of 155 incidents, 125 were frontend attacks and 30 were contract attacks.
We further studied the amount of cryptocurrency losses caused by various types of incidents. The losses caused by contract attacks and frontend attacks amounted to 210 million USD and 39.8 million USD, respectively. They accounted for 84.03% and 15.97% of the total losses, as shown in the following figure:
Among numerous contract vulnerabilities, logic flaws, private key leaks, flash loan attacks, and reentrancy attacks are typical vulnerabilities.
We studied 30 security incidents involving direct attacks on contracts and obtained the following proportional diagram:
As shown in the above figure, logic flaws account for the highest proportion of contract security incidents. Logic flaws typically include lack of parameter validation and lack of permission verification. The number of security incidents caused by logic flaws is 13.
The following figure shows the proportion of losses caused by different vulnerabilities:
Losses caused by private key leaks account for the highest proportion. The 4 private key leak incidents caused a total loss of 173 million USD, accounting for 82.56% of the total loss.
Security incidents divided by cause
Based on the causes of blockchain security incidents, we divide the incidents into three categories:
i. caused by hacker attacks
ii. exit scams
iii. others
Our research results are shown in the following figure:
As shown in the above figure, security incidents caused by hacker attacks and exit scams account for 91.92% (182 incidents) and 8.08% (16 incidents) respectively.
We studied the losses caused by these causes, as shown in the following figure:
As shown in the graph above, the losses caused by hacker attacks and exit scams account for 94.69% and 5.31% respectively. The former resulted in a loss of $541 million, while the latter resulted in a loss of $30.35 million. This indicates that in the third quarter of 2023, hacker attacks were still the main threat to industry security.
We have studied hacker attack incidents, as shown in the graph below:
As shown in the graph above, the events of hacker attacks on dApps, blockchains, CCBS, and cross-chain bridges account for 87.64% (156 cases), 7.87% (14 cases), 2.25% (4 cases), and 2.25% (4 cases) respectively.
We have studied the losses caused by various types of events, as shown in the graph below:
The percentage of asset losses caused by hacker attacks on blockchains, dApps, cross-chain bridges, and CCBS is 36.97%, 46.25%, 0.79%, and 15.99%, respectively. The specific loss amounts are $200 million, $250 million, $86.5 million, and $4.3 million. Other security incidents did not result in significant loss amounts.
Exit Scams
The typical exit scams that occurred in the third quarter of 2023 were all dApp projects. A total of 16 exit scams resulted in a loss of $30.35 million. This loss amount is much smaller compared to the scale of losses caused by hacker attacks.
Research Findings
From our statistical data, in the third quarter of 2023, hackers still prefer to attack dApp projects, with attacks on dApps far exceeding any other targets. The number of attacks accounted for 87.64% of the total, and the loss amount accounted for 46.25% of the total loss amount. Among all the attacks, the most severe one was against Multichain[12].
For the entire blockchain ecosystem, hackers are still the biggest security threat, both in terms of the number of security incidents caused and the amount of asset losses. Security incidents caused by hacker attacks account for 91.92% of the total, far surpassing the threat posed by exit scams to the ecosystem.
A typical dApp consists of three parts: frontend, backend, and smart contracts. When hackers attack a dApp, they may attack one or multiple parts simultaneously. According to our statistical data, attacks on dApp frontends far exceed attacks on contracts in terms of quantity, but the loss amount caused by attacks on smart contracts far exceeds that of frontend attacks.
This indicates that smart contract vulnerabilities are still the biggest risk to dApp security.
In the third quarter of 2023, typical exit scams occurred in dApp projects.
Among the events where smart contracts were hacked, the top three categories of reasons that caused the attacks are as follows: 1st place: logical flaws, 2nd place: flash loans.
However, in terms of the amount of losses, attacks caused by private key leaks ranked first, far surpassing other categories.
Practical solutions and measures to prevent security incidents
In this section, we will summarize some solutions and measures to help blockchain developers and users manage and prevent blockchain risks based on the characteristics of security incidents that occurred in the third quarter of 2023. We recommend that both blockchain developers and users actively implement and practice these solutions and measures as much as possible in their day-to-day operations and work to maximize project security and asset security.
Note: “Blockchain developers” refers to both the development engineers of the blockchain project itself and developers related to the blockchain system or its extended systems (such as crypto assets). “Blockchain users” refers to all users who participate in blockchain system activities (such as management, operation, maintenance, etc.) or crypto asset transactions.
For Blockchain Developers
Although there were no typical security incidents involving Layer 2 scaling systems in the third quarter, the security of Layer 2 scaling systems is still worth paying attention to. Because the development and deployment of Layer 2 scaling solutions will continue to be the focus and priority of the entire ecosystem, researching the security of these solutions will be a major challenge for the industry.
In blockchain applications, once a project has been deployed and has run stably for a period of time, control of its key operations should be transferred to multi-signature wallets or a DAO for management.
When hackers discover vulnerabilities in smart contracts, they often launch attacks on the contracts using flash loans. These vulnerabilities that can be exploited usually include reentrancy vulnerabilities, logic flaws (such as lack of permission verification, incorrect price algorithms), etc. Vigilantly preventing and dealing with these vulnerabilities is always a top priority for smart contract developers.
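The following added example, which is not code from any project in this report, puts the contract defects counted in the statistics above (lack of parameter validation, lack of permission verification, reentrancy) beside their hardened counterparts, and ends with the handover of administrative control to a multisig address recommended above. Both contracts, their names, the fee cap, and the admin/pending-admin scheme are assumptions made for the illustration; a flash loan is not needed to trigger any of the three defects, it only makes exploiting the first two more profitable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from any project in the report.
// VulnerableVault shows the three contract-level defects the report lists;
// HardenedVault shows the corresponding fixes plus a two-step handover of
// admin control to a multisig. All names and numbers are constructed.

// ---------- Vulnerable version (kept only for contrast) ----------
contract VulnerableVault {
    mapping(address => uint256) public balances;
    address public admin;
    uint256 public withdrawFeeBps;

    constructor() { admin = msg.sender; }

    function deposit() external payable { balances[msg.sender] += msg.value; }

    // Defect 1: no permission check, so any caller can change the fee.
    // Defect 2: no parameter validation, so the fee can exceed 100%.
    function setWithdrawFee(uint256 bps) external { withdrawFeeBps = bps; }

    // Defect 3: the external call happens before the balance is updated, so a
    // contract recipient can re-enter withdraw() while its balance is unchanged.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        uint256 payout = amount - (amount * withdrawFeeBps) / 10_000;
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "send failed");
        balances[msg.sender] -= amount;
    }
}

// ---------- Hardened version ----------
contract HardenedVault {
    mapping(address => uint256) public balances;
    address public admin;          // meant to become a multisig after launch
    address public pendingAdmin;
    uint256 public withdrawFeeBps;
    uint256 public constant MAX_FEE_BPS = 500; // 5% cap, a constructed value
    bool private locked;

    event AdminTransferStarted(address indexed from, address indexed to);
    event AdminTransferred(address indexed from, address indexed to);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    constructor() { admin = msg.sender; }

    function deposit() external payable { balances[msg.sender] += msg.value; }

    // Fix 1 + 2: permission check and parameter validation.
    function setWithdrawFee(uint256 bps) external onlyAdmin {
        require(bps <= MAX_FEE_BPS, "fee too high");
        withdrawFeeBps = bps;
    }

    // Fix 3: checks-effects-interactions order plus a reentrancy guard.
    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient");   // check
        balances[msg.sender] -= amount;                              // effect
        uint256 payout = amount - (amount * withdrawFeeBps) / 10_000;
        (bool ok, ) = msg.sender.call{value: payout}("");           // interaction
        require(ok, "send failed");
    }

    // Handover of control: two steps so a mistyped address cannot lock the
    // project out. `multisig` is expected to be the multisig wallet's address.
    function transferAdmin(address multisig) external onlyAdmin {
        require(multisig != address(0), "zero address");
        pendingAdmin = multisig;
        emit AdminTransferStarted(admin, multisig);
    }

    function acceptAdmin() external {
        require(msg.sender == pendingAdmin, "not pending admin");
        emit AdminTransferred(admin, pendingAdmin);
        admin = pendingAdmin;
        pendingAdmin = address(0);
    }
}
```

Reviewing a contract against these three questions (who may call this function, what values may its arguments take, and is any external call made before state is updated) covers the logic-flaw and reentrancy categories that account for the largest number of contract incidents in this report. The two-step handover only matters once the multisig actually calls `acceptAdmin()`, so a deployment checklist should include that call and a check that `admin` now reads the multisig address.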
Our statistical data also shows that more and more hackers are launching phishing attacks through social media software (such as Discord, Twitter, etc.). This phenomenon has been ongoing from 2022 to the third quarter of 2023. Many users have suffered losses as a result. Project teams need to implement strict and comprehensive management of their social media operations, deploy corresponding security solutions to ensure the security and stability of their social media operations, and guard against hacker exploitation.
Blockchain Users
More and more users are participating in various blockchain ecosystem activities and holding assets in various blockchain ecosystems. In this process, cross-chain transaction activities are also growing rapidly. When users participate in cross-chain transactions, they need to interact with cross-chain bridges, which are often targeted by hackers. Therefore, before initiating cross-chain transactions, users need to thoroughly investigate and understand the security and operation status of the cross-chain bridges they are using to ensure the security, stability, and reliability of the cross-chain bridges.
When users interact with dApps, they must pay close attention to the quality and security of their smart contracts, as well as the security of the dApp frontend. Be cautious when dealing with suspicious or questionable information, prompts, and dialogues that appear on the frontend. Do not click or follow their guidance without careful consideration.
We strongly recommend that users thoroughly review and read the audit reports of any blockchain project before interacting with it or investing in it. Exercise caution when dealing with projects that lack audit reports or have suspicious reports.
We advise users to use cold wallets or multi-signature wallets to manage large assets or assets that are not frequently traded. Always be vigilant about the security of hot wallets and make sure that the hardware platform on which the hot wallet is installed is secure, reliable, and stable.
Users need to conduct some level of research and understanding of the background of blockchain projects. Be cautious of teams with obscure backgrounds and lacking credibility. Be cautious of the risk of exit scams with such projects. When using frequently traded centralized exchanges, users should pay attention to their backgrounds and credibility. Verify the backgrounds, information, and data of these exchanges from multiple third-party sources as much as possible to ensure the long-term and secure operation of the exchanges.
References
[1] Aave. https://aave.com/
[2] Flash Loans. https://aave.com/flash-loans/
[3] ERC-20 TOKEN STANDARD. https://ethereum.org/en/developers/docs/standards/tokens/erc-20/
[4] Sidechains. https://ethereum.org/en/developers/docs/scaling/sidechains/
[5] Layer-2. https://academy.binance.com/en/glossary/layer-2
[6] Metis. https://www.metis.io/
[7] Mixin. https://mixin.one/
[8] Quai Network. https://qu.ai/
[9] Swisstronik. https://www.swisstronik.com/
[10] SwapDex Blockchain. https://swapdex.network/
[11] Aptos. https://aptoslabs.com/
[12] Multichain. https://multichain.xyz/