a16z: A Detailed Explanation of Common Attack Types and Lessons Learned in the Web3 Security Field

Original Authors: Riyaz Faizullabhoy and Matt Gleason

Original Title: 《Web3 Security: Attack Types and Lessons Learned》

Compiled by: Hu Tao, Chain Catcher

A significant portion of web3 security relies on the unique ability of blockchains to make commitments and resist human intervention. However, the relevant characteristic of finality—transactions are often irreversible—makes these software-controlled networks enticing targets for attackers. In fact, as blockchains—decentralized computer networks that underpin web3—and their accompanying technologies and applications accumulate value, they increasingly become coveted targets for attackers.

While web3 differs from earlier iterations of the internet, we have observed similarities with previous software security trends. In many cases, the biggest issues are the same as before. By studying these areas, defenders—whether developers, security teams, or everyday crypto users—can better protect themselves, their projects, and their wallets from potential thieves. Below, we present some common themes and predictions based on our experience.

• Follow the Money
• Attackers often aim to maximize their return on investment. They may spend more time and effort attacking protocols with higher "total value locked" or TVL, as the potential rewards are greater.
• The most resource-rich hacker organizations more frequently target high-value systems. Novel attacks are also more often aimed at these precious targets.
• Low-cost attacks (such as phishing) will never disappear, and we expect them to become more prevalent in the foreseeable future.
• Patch Vulnerabilities
• As developers learn from well-established attacks, they may elevate the state of web3 software to a "default secure" level. This often involves tightening application programming interfaces or APIs to make it harder for people to inadvertently introduce vulnerabilities.
• While security is always a work in progress, defenders and developers can increase the cost of attacks by eliminating much of the low-hanging fruit for attackers.
• With improvements in security practices and the maturation of tools, the success rates of the following attacks may significantly decrease: governance attacks, price oracle manipulation, and reentrancy vulnerabilities. (More on these below.)
• Platforms that cannot ensure "perfect" security will have to use vulnerability mitigations to reduce the likelihood of losses. This may deter attackers by reducing the "gains" or upside potential in their cost-benefit analysis.
• Classify Attacks
• Attacks on different systems can be classified based on their common characteristics. Defining features include the complexity of the attack, the degree of automation, and what preventative measures can be taken to defend against them.

Below is a non-exhaustive list of attack types we have seen in the largest hacks over the past year. We also include our observations on the current threat landscape and our expectations for the future of web3 security.

APT Operations: Top Predators

Often referred to as Advanced Persistent Threats (APTs), expert adversaries are the demons of security. Their motivations and capabilities vary widely, but they tend to be wealthy and persistent. Unfortunately, they are likely to remain a constant presence. Different APTs conduct many different types of operations, but these threat actors are often most likely to directly attack a company's network layer to achieve their goals.

We know that some advanced groups are actively targeting web3 projects, and we suspect there are others that have yet to be identified. The most notorious APTs often operate from places without extradition treaties with the U.S. and EU, making it harder for them to be prosecuted for their activities. One of the most famous APTs is Lazarus, a North Korean organization that the FBI recently claimed conducted the largest crypto hack to date.

• Examples:
• Ronin validator attack
• Profile
• Who: Nation-states, well-funded criminal organizations, and other advanced organized groups. Examples include the Ronin hackers (Lazarus, with extensive ties to North Korea).
• Complexity: High (only applicable to resource-rich groups, often in countries where they won't be prosecuted).
• Automatability: Low (still primarily manual operations using some custom tools).
• Future Expectations: As long as APTs can monetize their activities or achieve various political objectives, they will remain active.

User-Targeted Phishing: Social Engineering

Phishing is a well-known pervasive issue. Phishers attempt to lure their prey by sending bait messages through various channels, including instant messaging, email, Twitter, Telegram, Discord, and hacked websites. If you browse your spam folder, you may see hundreds of attempts to trick you into revealing passwords or stealing your money.

Now that web3 allows people to trade assets directly, such as tokens or NFTs, it is almost immediately evident that phishing activities are targeting its users. For those with little knowledge or technical expertise, these attacks are the easiest way to make money by stealing cryptocurrency. Even so, for organized groups, they remain a valuable method to track high-value targets or, for advanced groups, to launch widespread wallet-draining attacks through website takeovers, for example.

• Examples
• Directly targeting users in OpenSea phishing activity
• BadgerDAO phishing attack targeting front-end applications
• Profile
• Who: Anyone from script kiddies to organized groups.
• Complexity: Low-Medium (attacks can be low-quality "spray-and-pray" or highly targeted, depending on the effort put in by the attacker).
• Automatability: Medium-High (most of the work can be automated).
• Future Expectations: The low cost of phishing and the tendency of phishers to adapt and bypass the latest defenses lead us to expect an increase in the frequency of these attacks. User defenses can be improved through increased education and awareness, better filtering, improved warning banners, and stronger wallet controls.

Supply Chain Vulnerabilities: The Weakest Link

When car manufacturers discover defective parts in vehicles, they issue safety recalls. The same is true in the software supply chain.

Third-party software libraries introduce a significant attack surface. Before web3, this had been a cross-system security challenge, such as the widely impactful log4j vulnerability that affected web server software last December. Attackers scan the internet for known vulnerabilities to find unpatched issues they can exploit.

The imported code may not be written by the project's own engineering team, but its maintenance is crucial. Teams must monitor vulnerabilities in their software components, ensure updates are deployed, and stay informed about the dynamics and health of the projects they rely on. The real and immediate costs of exploiting web3 software vulnerabilities make it challenging to responsibly communicate these issues to users. There is currently no consensus on how or where teams can communicate this information in a way that does not inadvertently put user funds at risk.

• Examples
• Wormhole bridge attack
• Multichain vulnerability
• Profile
• Who: Organized groups such as APTs, independent hackers, and insiders.
• Complexity: Medium (requires technical knowledge and some time).
• Automatability: Medium (can automatically scan for faulty software components; however, manual construction of exploit payloads is needed when new vulnerabilities are discovered).
• Future Expectations: As the interdependence and complexity of software systems increase, supply chain vulnerabilities may rise. Opportunistic hacking may also increase until a good, standardized vulnerability disclosure method is developed for web3 security.

Governance Attacks: Election Predators

This is the first issue specific to the crypto industry to make the list. Many projects in web3 include governance aspects where token holders can propose changes to the network and vote on them. While this provides opportunities for ongoing development and improvement, it also opens a backdoor for malicious proposals that could undermine the network if implemented.

Attackers design new methods to circumvent controls, commandeer leadership, and plunder treasuries. Attackers can take out large "flash loans" to gain enough votes, as seen in the recent incident with the DeFi project Beanstalk. Governance votes that lead to automatic execution of proposals are easier for attackers to exploit. However, if there are time delays in proposal formulation or if multiple manual signatures are required (e.g., through multi-signature wallets), it may be more difficult to implement.

• Examples
• Beanstalk fund transfer incident

• Profile
• Who: Anyone from organized groups (APTs) to independent hackers.
• Complexity: Ranges from low to high, depending on the protocol.
• Automatability: Ranges from low to high, depending on the protocol.
• Future Expectations: These attacks are highly dependent on governance tools and standards, especially when related to monitoring and proposal formulation processes.

Pricing Oracle Attacks: Market Manipulators

Accurately pricing assets is challenging. In traditional trading, artificially inflating or deflating asset prices through market manipulation is illegal, and one could face fines or arrest for it. In DeFi markets, the issue is evident as random users can "flash trade" hundreds of millions or billions of dollars, causing sudden price fluctuations.

Many web3 projects rely on "oracles"—systems that provide real-time data and are sources of information not found on-chain. For example, oracles are often used to determine exchange pricing between two assets. However, attackers have found ways to deceive these so-called sources of truth.

As oracle standardization progresses, there will be safer bridges between the off-chain and on-chain worlds, and we can expect the market to become more resilient to manipulation attempts. With any luck, one day these types of attacks may nearly disappear.

• Examples
• Cream market manipulation
• Profile
• Who: Organized groups (APTs), independent hackers, and insiders.
• Complexity: Medium (requires technical knowledge).
• Automatability: High (most attacks may involve automated detection of exploitable issues).
• Future Expectations: As accurate pricing methods become more standardized, this may decrease.

New Vulnerabilities: Unknown Unknowns

"Zero-day" vulnerability attacks—named so because they are publicly disclosed only after 0 days—are a hot topic in information security, and the web3 security space is no exception. Because they appear suddenly, they are the hardest attacks to defend against.

If anything, web3 makes it easier to monetize these expensive, labor-intensive attacks, as it is difficult to recover stolen crypto funds once taken. Attackers can spend significant time carefully studying the code running on-chain applications to find a bug that validates all their efforts. Meanwhile, some once-novel vulnerabilities continue to plague unsuspecting projects; the infamous reentrancy vulnerability occurred in the early Ethereum project TheDAO and continues to resurface elsewhere today.

It remains unclear how quickly or easily the industry will be able to adapt to classify these types of vulnerabilities, but ongoing investment in security defenses such as audits, monitoring, and tools will increase the cost for attackers attempting to exploit these vulnerabilities.

• Examples
• Poly Network cross-chain transaction vulnerability
• Qubit infinite minting vulnerability
• Profile
• Who: Organized groups (APTs), independent hackers (less likely), and insiders.
• Complexity: Medium-High (requires technical knowledge, but not all vulnerabilities are too complex for people to understand).
• Automatability: Low (discovering new vulnerabilities requires time and effort and is unlikely to be automated. Once discovered, scanning for similar issues in other systems becomes easier).
• Future Expectations: Increased attention will attract more white hats and raise the "barrier to entry" for discovering new vulnerabilities. At the same time, as web3 adoption grows, the motivation for black hat hackers to seek new vulnerabilities is also increasing. As in many other security domains, this is likely to remain a cat-and-mouse game.