Fairyproof Q3 2023 Blockchain Ecosystem Security Report
Enhancing Ecosystem Security: Fairyproof's Q3 2023 Blockchain Report
Overview
In the third quarter of 2023, the overall performance of the cryptocurrency market remained relatively stable. However, the frequency of security incidents within the ecosystem surpassed the previous two quarters. Approximately $572 million worth of cryptocurrency assets were lost due to various security incidents.
Fairyproof studied 198 typical cases reported in the third quarter, conducted statistical analysis on these cases, and explored the characteristics of the security ecosystem reflected in these events, as well as the relevant preventive measures that users can take.
Before presenting the detailed research results of Fairyproof in this report, it is necessary to explain and clarify the relevant terms used.
CCBS
CCBS stands for “Centralized Cryptocurrency or Blockchain Service Institutions.” It typically refers to off-chain service platforms that are operated and managed by people and rely primarily on traditional centralized technology for their core operations. Centralized cryptocurrency exchanges (such as Binance) and cryptocurrency issuance and redemption platforms (such as Tether) are typical examples.
Flash Loan
Flash loans are a common and popular tool used by attackers against smart contracts on Ethereum Virtual Machine platforms. A flash loan is a type of contract call introduced by the team behind the DeFi application Aave[1]. It lets a user borrow cryptocurrency assets directly from a DeFi protocol that supports the feature without posting any collateral, on the condition that the assets are returned within the same transaction; if they are not, the whole transaction reverts as though the loan had never been made[2]. The feature was introduced to give DeFi users a more flexible and convenient way to conduct financial activities on-chain. However, that same flexibility made flash loans a favored tool for attackers, who use them to borrow large amounts of ERC-20[3] tokens, exploit a vulnerability in a target contract, and repay the loan within the same transaction, so that no capital is needed up front. To initiate a flash loan, the borrower deploys a contract that implements the lender's callback: the callback receives the borrowed assets, runs the borrower's logic, and must arrange repayment (principal, interest and related fees) before it returns. The borrower then calls that contract to start the loan.
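As an added illustration of these mechanics (example code written for this page, not Aave's own contracts or interface), the following minimal Solidity pool lends tokens, hands control to the borrower's callback, and then checks its own balance. If principal plus fee is not back, the final `require` reverts and the whole transaction, loan included, is undone. The `IFlashBorrower` interface, the `FlashPool` and `Borrower` contracts and the 0.09% fee are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the ERC-20 interface that the example uses.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Callback every borrower must implement (assumed interface for this example).
interface IFlashBorrower {
    function onFlashLoan(address token, uint256 amount, uint256 fee, bytes calldata data) external;
}

// Minimal flash-loan pool holding a single ERC-20 token.
contract FlashPool {
    IERC20 public immutable token;
    uint256 public constant FEE_BPS = 9; // 0.09 %, an assumed figure
    bool private inLoan;

    constructor(IERC20 _token) {
        token = _token;
    }

    function flashLoan(uint256 amount, bytes calldata data) external {
        require(!inLoan, "loan already in progress");
        inLoan = true;

        uint256 balanceBefore = token.balanceOf(address(this));
        require(amount <= balanceBefore, "insufficient liquidity");
        uint256 fee = (amount * FEE_BPS) / 10_000;

        // 1. Lend with no collateral.
        require(token.transfer(msg.sender, amount), "transfer failed");

        // 2. Hand control to the borrower. Everything it does, including calls
        //    into other protocols, happens inside this single transaction.
        IFlashBorrower(msg.sender).onFlashLoan(address(token), amount, fee, data);

        // 3. Enforce repayment. If the balance is short, this revert also rolls
        //    back step 1 and every state change the borrower made in step 2.
        require(token.balanceOf(address(this)) >= balanceBefore + fee, "flash loan not repaid");
        inLoan = false;
    }
}

// Borrower: start(amount, true) completes a loan; start(amount, false) shows
// the failure path, where the missing repayment reverts the entire transaction.
contract Borrower is IFlashBorrower {
    FlashPool public immutable pool;

    constructor(FlashPool _pool) {
        pool = _pool;
    }

    function start(uint256 amount, bool repay) external {
        pool.flashLoan(amount, abi.encode(repay));
    }

    function onFlashLoan(address token, uint256 amount, uint256 fee, bytes calldata data) external override {
        // Only the pool may deliver a loan; otherwise anyone could make this
        // contract hand out its tokens by calling the callback directly.
        require(msg.sender == address(pool), "caller is not the pool");
        bool repay = abi.decode(data, (bool));

        // The borrower's real logic (arbitrage, liquidation, or an exploit of a
        // third contract) would run here with `amount` of `token` in hand.

        if (repay) {
            // Repay principal plus fee before returning control to the pool.
            // The borrower must already hold enough tokens to cover the fee.
            require(IERC20(token).transfer(address(pool), amount + fee), "repayment failed");
        }
    }
}
```

The point for defenders is step 3: the pool never needs to trust the borrower, because the only way the transaction can succeed is for the tokens to be back before the call returns. The same atomicity is what lets an attacker wield borrowed capital against a vulnerable third contract with no risk of losing it.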
Cross-Chain Bridge
A cross-chain bridge is infrastructure that connects independent blockchains so that tokens issued on one chain can be moved to, or represented on, another.
With more and more blockchains having their own ecosystems, applications, and cryptocurrency assets, the demand for cross-blockchain communication and transactions has significantly increased. This has also made cross-chain bridges an attractive target for hackers.
Report Highlights
Fairyproof conducted a detailed study of the 198 typical security incidents that occurred in the third quarter of 2023. This report provides statistical analysis on the various factors such as the amount of losses caused by these incidents and their causes. It also provides corresponding prevention suggestions and measures.
Statistical Analysis of Security Incidents in the Third Quarter of 2023
The Fairyproof research team conducted a detailed study of the 198 prominent security incidents of the third quarter of 2023, compiling statistics both by the targets of the attacks and by their causes, and analyzing the results.
The total value of crypto assets lost in these 198 incidents reached USD 572 million. Against a total cryptocurrency market capitalization of about USD 1.056 trillion as displayed on TradingView, the lost assets amount to roughly 0.05% of the market's value.
Security Incidents Divided by Victims
Security incidents studied by Fairyproof can be divided into the following four categories based on the victims:
1. Centralized cryptocurrency or blockchain service institutions (CCBS)
2. Blockchains
3. Decentralized applications (dApps)
4. Cross-chain bridges
The CCBS security incidents referred to in this report are incidents where the attacked or damaged entity is a CCBS system. In these incidents, assets held by CCBS are stolen or the services they provide are forced to be interrupted. Blockchain security incidents refer to attacks or damages to the main blockchain, side chains, or second-layer scaling systems attached to the main blockchain. Typically, hackers launch attacks from inside or outside the system or from both sides, causing software or hardware malfunctions and asset losses.
dApp security incidents refer to attacks on dApps that prevent them from functioning normally and give the attacker the opportunity to steal the crypto assets managed by the dApp.
Cross-chain bridge security incidents refer to attacks on cross-chain bridges that stop them from functioning properly or lead to the theft of the crypto assets involved in the transfers they handle.
Fairyproof has divided a total of 198 incidents into the above four categories, and the distribution chart is shown below:
From the chart, it can be seen that dApp security incidents account for 86.87% of the total, more than any other category. Of the 198 incidents, 172 are dApp security incidents, 14 are blockchain security incidents, 4 are CCBS security incidents, and 4 are cross-chain bridge security incidents.
Blockchain Security Incidents
Security incidents involving blockchains can be further divided into the following three categories:
i. Blockchain mainnets
ii. Side chains
iii. Layer 2 solutions
Blockchain mainnets, also known as Layer 1, are independent blockchains with their own networks, protocols, consensus, and validators. Blockchain mainnets can verify transactions, data, and blocks, and all of this verification work is done by their own validators to achieve consensus. Bitcoin and Ethereum are typical examples of blockchain mainnets.
Sidechains are separate blockchains that run in parallel with the main blockchain. They have their own consensus and validators but are connected to the main chain in some way, such as through a two-way peg [4]. Layer 2 scaling systems rely on the main blockchain for security and finality [5]. They are designed primarily to address the scalability limits of the main chain and to process transactions at lower cost. Since 2021, layer 2 scaling systems attached to Ethereum have developed rapidly.
Sidechains and layer 2 scaling systems are both aimed at addressing the scalability of the main blockchain. The main difference between the two lies in the fact that sidechains do not rely on the main blockchain for security and finality, whereas layer 2 scaling systems do.
In the third quarter of 2023, there were a total of 14 security incidents related to blockchain. The following graph shows the proportions of the main blockchain, sidechains, and layer 2 scaling systems.
From the graph above, it can be observed that the proportions of security incidents related to the main blockchain and layer 2 scaling systems are 92.86% (13 incidents) and 7.14% (1 incident), respectively. There are no typical security incidents related to sidechains. The layer 2 scaling system security incidents involve systems such as Metis [6], while the main blockchain security incidents involve mainnets such as Mixin [7], Quai Network [8], Swisstronik [9], SwapDex Blockchain [10], Aptos [11], and others.
dApp Security Incidents
Out of the 172 security incidents involving dApps, 16 were exit scams, 1 was collateral damage, and 155 were direct attacks. A direct attack on a dApp typically targets one of three components: the dApp's frontend, its backend, or its smart contracts. We therefore categorize the 155 direct attack incidents as follows:
i. dApp frontend
ii. dApp backend
iii. dApp contracts
In the incidents where the dApp frontend was attacked, hackers mainly exploited frontend vulnerabilities to steal assets or disrupt services.
In the incidents where the dApp backend was attacked, hackers mainly exploited backend vulnerabilities, such as hijacking communication between the backend and contracts, to hijack assets or disrupt services.
In the incidents where the dApp contracts were attacked, hackers mainly exploited contract vulnerabilities to steal assets or disrupt services. The following graph shows the proportions of these three categories of attack incidents:
As shown in the above diagram, contract, backend, and frontend attacks account for 19.35%, 0%, and 80.65% respectively. Of the 155 incidents, 125 were frontend attacks and 30 were contract attacks.
We further studied the amount of cryptocurrency losses caused by different types of incidents. The losses caused by contract attacks and frontend attacks are $210 million and $39.8 million respectively, accounting for 84.03% and 15.97% of the total loss amount, as shown in the following diagram:
Among the causes of contract-level incidents, logic flaws, private key leakage, flash loan attacks, and reentrancy attacks are the typical categories. (Strictly speaking, a leaked private key is an operational failure rather than a defect in the contract code; it is counted here because the attacker uses the key to call privileged contract functions.)
We studied 30 security incidents involving direct attacks on contracts and obtained the following proportional diagram:
As shown in the above diagram, logical flaws account for the highest proportion of contract security incidents. Logical flaws typically include lack of parameter validation, lack of permission validation, etc. The number of security incidents caused by logical flaws is 13.
The following diagram shows the proportion of loss amounts caused by each vulnerability:
Losses caused by private key leakage account for the highest proportion. Four incidents of private key leakage resulted in a total loss of $173 million, accounting for 82.56% of the total loss amount.
Security Incidents Based on Causes
Based on the causes of blockchain security incidents, we divide the incidents into three categories:
i. caused by hacker attacks
ii. exit scams
iii. others
Our research results are shown in the following diagram:
As shown in the above diagram, security incidents caused by hacker attacks and exit scams account for 91.92% (182 incidents) and 8.08% (16 incidents) respectively; no incident fell into the “others” category.
We studied the losses caused by these causes, as shown in the following diagram:
As shown in the above diagram, losses caused by hacker attacks and exit scams account for 94.69% and 5.31% respectively. The former resulted in a loss of $541 million, while the latter resulted in a loss of $30.35 million. This indicates that in the third quarter of 2023, hacker attacks remain the main threat to industry security.
We further broke down the hacker attack incidents by the type of target, as shown in the figure below:
As shown in the above figure, the hacker attack events on dApps, blockchain, CCBS, and cross-chain bridges account for 87.64% (156 cases), 7.87% (14 cases), 2.25% (4 cases), and 2.25% (4 cases), respectively.
We have studied the losses caused by various types of events, as shown in the figure below:
Of the asset losses caused by hacker attacks, blockchains account for 36.97% (USD 200 million), dApps for 46.25% (USD 250 million), CCBS for 15.99% (USD 86.5 million), and cross-chain bridges for 0.79% (USD 4.3 million). Other security incidents did not result in significant losses.
Exit Scam Events
The typical exit scam events that occurred in the third quarter of 2023 were all dApp projects. A total of 16 exit scam events resulted in a total loss of 30.35 million US dollars. This loss amount is much smaller compared to the loss amount caused by hacker attacks.
Research Findings
Our statistics show that in the third quarter of 2023, hackers still predominantly targeted dApp projects: dApp attacks far exceeded attacks on any other kind of target in number, accounting for 87.64% of all hacker attack incidents and 46.25% of the losses they caused. The most severe single attack was on Multichain[12].
For the blockchain ecosystem as a whole, hackers remain the biggest security threat, both in the number of incidents and in the assets lost. Hacker attacks account for 91.92% of security incidents, far surpassing the threat posed by exit scams.
A typical dApp consists of three parts: frontend, backend, and smart contracts. When hackers attack a dApp, they may attack one or more parts simultaneously. According to our statistical data, attacks on the dApp frontend far exceed attacks on the contracts in terms of quantity, but the loss amount caused by attacks on smart contracts far exceeds that of frontend attacks.
This indicates that smart contract vulnerabilities remain the biggest security concern for dApp security.
The typical exit scam events in the third quarter of 2023 occurred in dApp projects.
Among the incidents in which smart contracts were attacked, the most frequent causes, in order, were: 1. logic flaws, 2. flash loan attacks.
However, in terms of loss amount, attacks caused by private key leaks rank first, far exceeding other categories.
Practical Plans and Measures to Prevent Security Incidents
In this section we summarize plans and measures that help blockchain developers and users manage and prevent blockchain risks, based on the characteristics of the security incidents that occurred in the third quarter of 2023. We recommend that both developers and users actively implement these measures in their daily operations to maximize the security of their projects and crypto assets.
Note: “Blockchain developers” refers both to the developers of blockchain projects themselves and to developers of related or extended systems (such as crypto assets). “Blockchain users” refers to all users involved in blockchain system activities (such as management, operation, and maintenance) or in crypto asset transactions.
For Blockchain Developers
Although only one typical security incident involving a layer 2 scaling system was recorded in the third quarter, the security of layer 2 systems still deserves attention. Because the development and deployment of layer 2 scaling solutions will remain a focus of the entire ecosystem, researching their security will be a major challenge for the industry.
In blockchain applications, control of a project's key operations should be transferred to a multi-signature wallet or a DAO once the project has been deployed and has run stably for a period of time. Given that private key leakage caused the largest share of contract-related losses this quarter, the signers' keys must be generated and stored independently of one another; a multisig whose keys all sit on one machine or with one person offers little protection.
When hackers discover a vulnerability in a smart contract, they often exploit it with the help of a flash loan. The vulnerabilities exploited this way typically include reentrancy and logic flaws such as missing permission checks or incorrect pricing algorithms (for example, deriving a price from an AMM pool's spot reserves, which a flash loan can move within the same transaction). Rigorously preventing and fixing these classes of vulnerability should always be a top priority for smart contract developers.
Our statistics also show that more and more hackers launch phishing attacks through social media platforms (such as Discord and Twitter). This trend was prevalent throughout 2022 and continued into the third quarter of 2023, and many users have suffered losses as a result. Project teams need to manage their social media accounts strictly and comprehensively, and deploy corresponding security measures, to keep those channels secure and stable and prevent hackers from exploiting them.
Blockchain Users
More and more users are participating in various blockchain ecosystem activities and holding assets in various blockchain ecosystems. In this process, cross-chain transaction activities are also growing rapidly. When users participate in cross-chain transactions, they need to interact with cross-chain bridges, which are often targeted by hackers. Therefore, before initiating cross-chain transactions, users need to thoroughly investigate and understand the security and operation status of the cross-chain bridge they are using to ensure its security, stability, and reliability.
When users interact with dApps, they must pay close attention to the quality and security of the smart contracts and also need to consider the security of the dApp frontend. Be cautious when dealing with any suspicious information, prompts, dialogues, etc., that appear in the frontend. Do not click or follow their instructions casually.
We strongly recommend users to carefully inspect and read the audit reports of any blockchain projects before interacting with them or investing in them. Exercise caution when dealing with projects that do not have audit reports or have suspicious reports.
We advise users to use cold wallets or multi-signature wallets to manage large amounts of assets or assets that are not used for frequent transactions. Always be cautious about the security of hot wallets and ensure that the hardware platform on which the hot wallet is installed is secure, reliable, and stable.
Users should investigate the background of blockchain projects. Be wary of teams with vague backgrounds or little credibility, and of the risk that such projects will run off with users' funds in an exit scam. For frequently used centralized exchanges, pay attention to their background and credibility, and verify their background, information, and data against multiple third-party sources as far as possible, to judge whether the exchange can operate securely over the long term.
References
[1] Aave. https://aave.com/
[2] Flash Loans. https://aave.com/flash-loans/
[3] ERC-20 Token Standard. https://ethereum.org/en/developers/docs/standards/tokens/erc-20/
[4] Sidechains. https://ethereum.org/en/developers/docs/scaling/sidechains/
[5] Layer-2. https://academy.binance.com/en/glossary/layer-2
[6] Metis. https://www.metis.io/
[7] Mixin. https://mixin.one/
[8] Quai Network. https://qu.ai/
[9] Swisstronik. https://www.swisstronik.com/
[10] SwapDex Blockchain. https://swapdex.network/
[11] Aptos. https://aptoslabs.com/
[12] Multichain. https://multichain.xyz/