CertiK: Release of the Web3.0 Industry Security Report for the Second Quarter of 2023

Author: CertiK

Summary

• Malicious actors, including hackers, extracted $310 million in value from the Web3.0 industry in the second quarter of 2023.
• This figure is close to the $200 million loss in the first quarter and represents a 58% decrease from the $745 million loss in the second quarter of 2022.
• CertiK identified a total of 212 security incidents, which means the average loss per incident in the second quarter was $1.48 million. This figure is slightly down from the average loss of $1.56 million per incident in the first quarter.
• 98 exit scams stole $70.35 million from investors, more than doubling the $31 million loss caused by exit scams in the first quarter.
• 54 flash loan attacks and oracle manipulation incidents allowed attackers to earn $23.75 million. This is a significant decrease from the total loss of $222 million from 52 oracle manipulations in the first quarter. Of course, last quarter's losses were heavily influenced by Euler Finance, where a single vulnerability accounted for 85% of the total amount.
• Additionally, some major "off-chain" events are occurring in the industry: the U.S. Securities and Exchange Commission has filed charges against the two largest cryptocurrency exchanges; and the world's largest asset management company has submitted an application for a Bitcoin ETF.
• Meanwhile, CertiK's security researchers have also discovered significant vulnerabilities in major blockchain protocols and applications, including security risks in Sui validator nodes and ZenGo's MPC wallet.

Data Display

Introduction

The total loss recorded in the Web3.0 sector for the second quarter of 2023 was $313,566,528, nearly the same as the previous quarter and a 58% decrease compared to the same period last year. The average loss per incident also saw a slight decline.

Throughout the second quarter, the number of oracle manipulation incidents significantly decreased, while the total losses from exit scams increased, indicating a change in the tactics employed by malicious actors.

As the industry evolves, cases such as attacks targeting MEV bots and the discovery of "hamster wheel" security threats on the Sui blockchain underscore the importance of ongoing in-depth security research, proactive measures, and continuous vigilance. With each challenge overcome, we move closer to a safer Web3.0 space.

Check the report for more details and data. (See the report download link at the end of the document.)

Malicious Exploitation of MEV Bots

In early April, MEV bots were exploited by hackers in Ethereum block 16964664. A malicious validator replaced several MEV transactions, resulting in a loss of approximately $25.38 million. This incident is the largest attack on MEV bots to date. The event occurred in Ethereum block 16964664, where 8 MEV transactions were exploited by the malicious validator. This validator was established on March 15, 2023, by the external address (EOA) 0x687A9 and managed to infiltrate Flashbots, which prevents front-running.

However, a vulnerability in the MEV-boost-relay allowed the malicious validator to re-bundle transactions, intercepting parts of the MEV bot's sandwich strategy, particularly reverse transactions. Due to the aforementioned vulnerability, the validator had access to detailed transaction information. With this detailed transaction information, the malicious validator could construct their own block and insert their front-running transactions before the original MEV bot transactions.

Overall, this malicious validator successfully stole approximately $25 million from 5 MEV bots, making it one of the largest loss events identified by CertiK to date. In the past 12 months, only 6 vulnerabilities in MEV bots have been discovered, and this incident alone accounted for 92% of the total loss of $27.5 million. The malicious validator exploited the MEV-boost-relay vulnerability by submitting an invalid but correctly signed block to initiate the attack. After seeing the transactions within the block, the validator could re-bundle them to claim assets from the MEV bots. This vulnerability has since been patched.

For more information about MEV bots and sandwich attacks, please check the report. (See the report download link at the end of the document.)

Atomic Wallet Hacked

In early June, over 5,000 Atomic Wallet users experienced the largest security incident of the quarter, with losses exceeding $100 million. Initially, Atomic Wallet stated that less than 1% of monthly active users were victims of this incident, later revising it to less than 0.1%. The scale of the attack and the massive losses highlight the severity of security vulnerabilities in wallet applications. Attackers targeted user private keys, gaining complete control over their assets. After obtaining the keys, they were able to transfer assets to their own wallet addresses, draining the victims' accounts.

The reported losses from individual users varied, with the highest reaching $7.95 million. The cumulative loss for the five largest individual victims amounted to $17 million. To recover the losses, Atomic Wallet publicly made a proposal to the attackers, promising to forfeit 10% of the stolen funds in exchange for 90% of the stolen tokens. However, based on the historical record of the Lazarus Group, coupled with the fact that the stolen funds have already begun to be laundered, the hope of recovering the funds is very slim.

For more analysis on Atomic Wallet and the "puppet master," please check the report. (See the report download link at the end of the document.)

New "Hamster Wheel" Vulnerability in Sui

Previously, the CertiK team discovered a series of denial-of-service vulnerabilities on the Sui blockchain. Among these vulnerabilities, a new and significantly impactful vulnerability stands out. This vulnerability can cause Sui network nodes to be unable to process new transactions, effectively shutting down the entire network. CertiK was awarded a $500,000 bug bounty by Sui for discovering this critical security vulnerability. The incident was reported by the authoritative U.S. media CoinDesk, followed by other major media outlets publishing related news.

This security vulnerability has been vividly termed the "hamster wheel": its unique attack method differs from currently known attacks, as the attacker only needs to submit a payload of about 100 bytes to trigger an infinite loop in the Sui validator nodes, preventing them from responding to new transactions. Furthermore, the damage caused by the attack can persist even after the network is restarted and can automatically propagate within the Sui network, causing all nodes to be unable to process new transactions, akin to hamsters running endlessly on a wheel. Thus, we refer to this unique type of attack as a "hamster wheel" attack.

After discovering this vulnerability, CertiK reported it to Sui through their bug bounty program. Sui promptly responded, confirming the severity of the vulnerability and actively taking measures to address the issue before the mainnet launch.

In addition to fixing this specific vulnerability, Sui also implemented preventive measures to mitigate potential damage that the vulnerability could cause. To thank the CertiK team for their responsible disclosure, Sui awarded the CertiK team a $500,000 bounty.

For more details, please check the report for text and video content. (See the report download link at the end of the document.)

Server-Level Vulnerability in MPC Wallets

Multi-Party Computation (MPC) is a cryptographic method that allows multiple participants to compute a function of their inputs while protecting the privacy of those inputs. Its goal is to ensure that these inputs are not shared with any third party. This technology has various applications, including privacy-preserving data mining, secure auctions, financial services, secure multi-party machine learning, and secure password and secret sharing.

During a preventive security analysis of the currently popular MPC wallet ZenGo, CertiK's Skyfall team discovered a serious vulnerability in the wallet's security architecture, referred to as the "device fork attack." Attackers can exploit this vulnerability to bypass ZenGo's existing security measures, thereby gaining the opportunity to control users' funds. The key to this attack is exploiting a vulnerability in the API to create a new device key, tricking ZenGo's servers into recognizing it as a legitimate user's device.

Following the principle of responsible disclosure, the Skyfall team promptly reported this vulnerability to ZenGo. Upon realizing the severity of the issue, ZenGo's security team quickly took action to fix it. To prevent the possibility of an attack, the vulnerability has been patched at the server's API level, eliminating the need for updates to the client-side code. After the vulnerability was fixed, ZenGo publicly acknowledged these findings and thanked CertiK for playing an important role in enhancing the security and trustworthiness of its MPC wallet.

"MPC has broad prospects and many important applications in the Web3.0 field. While MPC technology reduces the risks associated with single points of failure, the implementation of MPC solutions introduces new complexities to cryptocurrency wallet design. This complexity can lead to new security risks, highlighting the necessity of comprehensive auditing and monitoring approaches." ------ Professor Li Kang, Chief Security Officer of CertiK

For more details, please check the report for a detailed analysis. (See the report download link at the end of the document.)

Report Content Display

Download Methods

1. Copy the link to your browser: http://certik-2.hubspotpagebuilder.com/2023-q2-web3-cn-0 to download immediately.

2. Follow CertiK's official WeChat account and leave a message in the background with "2023 Q2 Report" to obtain the PDF download link.