Fairyproof: Q3 2023 Blockchain Ecosystem Security Report

Fairyproof
2023-10-13 12:27:26
In the third quarter of 2023, the cryptocurrency market remained relatively calm overall. However, the frequency of security incidents in the ecosystem exceeded that of the previous two quarters. In this quarter, approximately $572 million in cryptocurrency assets were lost due to various security incidents.

Author: Fairyproof


Overview

In the third quarter of 2023, the overall performance of the cryptocurrency market remained relatively calm. However, the frequency of security incidents within the ecosystem exceeded that of the previous two quarters. Approximately $572 million in cryptocurrency assets were lost due to various security incidents during this quarter.

Fairyproof studied 198 typical cases reported in the third quarter, conducting statistical analysis and exploring the characteristics reflected in these events within the security ecosystem, as well as relevant preventive measures that users can take.

Before presenting the results of Fairyproof's research report in detail, it is necessary to explain and clarify the relevant terms used in this report.

CCBS

CCBS refers to "Centralized Cryptocurrency or Blockchain Service Institutions." It typically denotes off-chain service platforms managed by human operations, whose core technology mainly relies on traditional centralized technology, with daily operational activities primarily being off-chain. Traditional cryptocurrency exchanges (such as Binance) and cryptocurrency issuance and acceptance platforms (such as Tether) are typical examples of this.

Flash Loan (FLASHLOAN)

Flash loans are a common and popular tool in attacks on smart contracts running on Ethereum Virtual Machine (EVM) platforms. A flash loan is a contract-call pattern invented by the well-known DeFi application AAVE[1]. It allows a user to borrow cryptocurrency assets directly from a DeFi application that supports the feature without posting any collateral, on the condition that the borrowed assets are repaid within the same transaction; if they are not, the entire transaction is invalid and reverts[2]. The feature was originally created to give DeFi users a more flexible and convenient way to carry out on-chain financial activities. Because of that flexibility, however, the most common use of flash loans has become hackers borrowing ERC-20[3] tokens to fund an attack. Before initiating a flash loan, the user must encode the borrowing logic (which assets) and the repayment logic (assets, interest, and related fees) in a contract, and then call that contract to trigger the loan.
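The borrow-then-repay-in-one-transaction rule described above, as an added illustration that is not Aave's code or any code from the report: a hypothetical minimal lender that hands out tokens with no collateral, calls back into the borrower, and reverts the whole transaction unless principal plus fee is back before the call returns. `MinimalFlashLender`, `IFlashBorrower`, `ExampleBorrower` and the fee rate are all assumed names and values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal flash-loan lender (added example, not Aave's implementation).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IFlashBorrower {
    // Called by the lender while the borrower is holding the funds.
    function onFlashLoan(address token, uint256 amount, uint256 fee, bytes calldata data) external;
}

contract MinimalFlashLender {
    uint256 public constant FEE_BPS = 9; // assumed 0.09% fee, in basis points
    bool private locked;                 // blocks nested flash loans

    function flashLoan(IERC20 token, uint256 amount, bytes calldata data) external {
        require(!locked, "reentrant");
        locked = true;

        uint256 before = token.balanceOf(address(this));
        require(amount <= before, "insufficient liquidity");
        uint256 fee = (amount * FEE_BPS) / 10_000;

        // 1. Lend: tokens leave the pool with no collateral taken.
        require(token.transfer(msg.sender, amount), "transfer failed");

        // 2. Let the borrower run its own logic while it holds the tokens.
        IFlashBorrower(msg.sender).onFlashLoan(address(token), amount, fee, data);

        // 3. Enforce repayment. A revert here also undoes steps 1 and 2, so the
        //    lender never ends the transaction with fewer tokens than it started with.
        require(token.balanceOf(address(this)) >= before + fee, "loan not repaid");

        locked = false;
    }
}

// Hypothetical borrower: the "borrowing and repaying logic" that the text says
// must be written into a contract before the loan is initiated.
contract ExampleBorrower is IFlashBorrower {
    MinimalFlashLender public immutable lender;

    constructor(MinimalFlashLender _lender) { lender = _lender; }

    function start(IERC20 token, uint256 amount) external {
        lender.flashLoan(token, amount, "");
    }

    function onFlashLoan(address token, uint256 amount, uint256 fee, bytes calldata) external override {
        require(msg.sender == address(lender), "only lender");
        // ... use `amount` of `token` here; the fee must come from this contract's own balance ...
        // Repay principal + fee; if this is skipped the lender's check reverts everything.
        require(IERC20(token).transfer(address(lender), amount + fee), "repay failed");
    }
}
```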

Cross-Chain Bridge (CROSS-CHAIN BRIDGE)

A cross-chain bridge is an infrastructure that connects multiple independent blockchains, allowing tokens deployed on different blockchains to circulate among them.

As more and more blockchains develop their own ecosystems, applications, and cryptocurrency assets, the demand for cross-chain communication and transactions has significantly increased. This has also made cross-chain bridges popular targets for hackers.

Report Highlights

Fairyproof conducted a detailed study of 198 typical security incidents that occurred in the third quarter of 2023. This report statistically analyzes various factors such as the amount of losses caused by these incidents and their causes, and provides corresponding preventive recommendations and measures.

Statistics and Analysis of Security Incidents in Q3 2023

The Fairyproof research team conducted a detailed study of 198 prominent security incidents in the third quarter of 2023, listing statistical results from both the targets of the attacks and the sources of the attacks.

The total loss of cryptocurrency assets from these 198 security incidents reached $572 million, while the total value of mainstream cryptocurrency assets displayed on Tradingview reached $1,056 billion. The proportion of lost assets to the total market value is 0.05%.

Security Incidents Based on Victim Classification

The security incidents studied by Fairyproof can be classified into the following four categories based on their victims:

  1. Centralized Cryptocurrency or Blockchain Service Institutions (CCBS)
  2. Blockchains
  3. Decentralized Applications (dApps)
  4. Cross-Chain Bridges

The CCBS security incidents referred to in this report are those where the attacked or damaged target is a CCBS system; in these incidents, the assets held by the CCBS are stolen or the services it operates are forced to stop. Blockchain security incidents refer to attacks on, or damage to, a blockchain mainnet, its sidechains, or the Layer 2 scaling systems attached to it. Typically, hackers launch these attacks from within the system, from outside it, or both, causing the system's software or hardware to malfunction and assets to be lost.

dApp security incidents refer to attacks on dApps that prevent them from functioning normally, thereby providing hackers with opportunities to steal the cryptocurrency assets managed within the dApp.

Cross-chain bridge security incidents refer to attacks on cross-chain bridges that prevent them from functioning normally, even leading to the theft of cryptocurrency assets involved in transactions they handle.

Fairyproof categorized the total of 198 incidents according to the above four categories, with the distribution chart shown below:

From the chart, it can be seen that the number of dApp security incidents accounts for 86.87%, exceeding any other category. Among the 198 incidents, 172 were dApp security incidents, 4 were CCBS security incidents, 14 were blockchain security incidents, and 4 were cross-chain bridge security incidents.

Blockchain Security Incidents

Security incidents involving blockchains can be further subdivided into the following three categories:

i. Blockchain mainnets

ii. Sidechains

iii. Layer 2 solutions

Blockchain mainnets, also known as Layer 1, are independent blockchains with their own networks, protocols, consensus, and validators. Blockchain mainnets can verify transactions, data, and blocks, all of which are validated by their own validators to achieve consensus. Bitcoin and Ethereum are typical examples of blockchain mainnets.

Sidechains are separate blockchains that operate in parallel with blockchain mainnets. They also have their own consensus and validators, but they connect to the mainnet in some way (such as through two-way pegs[4]). Layer 2 solutions depend on blockchain mainnets for security and finality[5]. Their primary aim is to address the scalability of blockchain mainnets by processing transactions at lower cost. Since 2021, Layer 2 solutions attached to Ethereum have developed rapidly.

Both sidechains and Layer 2 solutions aim to solve the scalability issues of blockchain mainnets. The main difference between the two is that sidechains do not rely on blockchain mainnets for security and consistency, while Layer 2 solutions do.

In the third quarter of 2023, there were a total of 14 security incidents related to blockchains. The chart below shows the proportion of incidents related to blockchain mainnets, sidechains, and Layer 2 solutions.

From the chart, it can be seen that the number of security incidents related to blockchain mainnets and Layer 2 solutions accounts for 92.86% (13 incidents) and 7.14% (1 incident) of the total, respectively. There were no typical sidechain security incidents. The Layer 2 solution security incident involved the Metis[6] system, while the blockchain mainnet security incidents involved mainnets such as Mixin[7], Quai Network[8], Swisstronik[9], SwapDex Blockchain[10], and Aptos[11].

DAPP Security Incidents

Among the 172 security incidents involving dApps, 16 were exit scams, 1 was collateral damage, and 155 were direct attacks. A direct attack on a dApp typically targets one of three components: the dApp's front end, back end, or smart contracts. We therefore categorize the 155 direct-attack incidents into the following three categories:

i. dApp front end

ii. dApp back end

iii. dApp contracts

In incidents where the dApp front end was attacked, hackers primarily launched attacks through front-end vulnerabilities to steal assets or paralyze services.

In incidents where the dApp back end was attacked, hackers primarily launched attacks through back-end vulnerabilities, such as hijacking communication between the back end and contracts, hijacking assets, or paralyzing services.

In incidents where the dApp contracts were attacked, hackers primarily launched attacks through contract vulnerabilities to steal assets or paralyze services. The chart below shows the proportion of incidents in these three categories:

From the chart, the proportions of incidents involving attacks on contracts, back ends, and front ends are 19.35%, 0%, and 80.65%, respectively. Among the total of 155 incidents, 125 involved attacks on the front end, while 30 involved attacks on contracts.

We further studied the amount of cryptocurrency asset losses caused by each type of incident. The losses caused by attacks on contracts and front ends were $210 million and $39.8 million, respectively, accounting for 84.03% and 15.97% of the total loss amount, as shown in the chart below:

Among the various contract vulnerabilities, logical flaws, private key leaks, flash loan attacks, and reentrancy attacks are typical vulnerabilities.

We studied 30 security incidents directly involving attacks on contracts and obtained the following proportion chart:

As shown in the chart, logical flaws account for the highest proportion of contract security incidents. Logical flaws typically include missing parameter validation, missing permission validation, etc. The number of security incidents caused by logical flaws was 13.

The chart below shows the proportion of losses caused by various vulnerabilities:

The losses caused by private key leaks account for the highest proportion. The 4 private key leak incidents caused a total loss of $173 million, accounting for 82.56% of the total loss amount.

Security Incidents Based on Causes

Based on the causes of blockchain security incidents, we classify the incidents into three categories:

i. Caused by hacker attacks

ii. Exit scams

iii. Others

Our research results are shown in the chart below:

As shown in the chart, security incidents caused by hacker attacks and exit scams account for 91.92% (182 incidents) and 8.08% (16 incidents), respectively.

We studied the losses caused by these causes, as shown in the chart below:

As shown in the chart, the loss amounts caused by hacker attacks and exit scams account for 94.69% and 5.31%, respectively, with the former causing a loss of $541 million and the latter causing a loss of $30.35 million. This indicates that in the third quarter of 2023, hacker attacks remained the primary threat to industry security.

Hacker Attack Incidents

We studied hacker attack incidents, as shown in the chart below:

As shown in the chart, the proportions of hacker attacks on dApps, blockchains, CCBS, and cross-chain bridges are 87.64% (156 incidents), 7.87% (14 incidents), 2.25% (4 incidents), and 2.25% (4 incidents), respectively.

We studied the loss amounts caused by each type of incident, as shown in the chart below:

The asset losses caused by hacker attacks on blockchains, dApps, cross-chain bridges, and CCBS account for 36.97%, 46.25%, 0.79%, and 15.99%, respectively, with specific loss amounts of $200 million, $250 million, $86.5 million, and $4.3 million. Other security incidents did not result in significant loss amounts.

Exit Scam Incidents

The typical exit scam incidents that occurred in the third quarter of 2023 were all dApp projects. A total of 16 exit scam incidents caused a loss of $30.35 million. This loss amount is significantly smaller compared to the losses caused by hacker attacks.

Research Findings

From our statistical data, in the third quarter of 2023, dApp projects remained the most favored targets for hackers, with attack incidents on dApps far exceeding any other targets, accounting for 87.64% of the total number of attacks and 46.25% of the total loss amount. Among all attack incidents, the most severe was the attack on Multichain[12].

For the entire blockchain ecosystem, hackers remain the biggest security threat, both in the number of security incidents caused and in the asset losses incurred. Security incidents caused by hacker attacks account for 91.92% of all security incidents, far exceeding the threat that exit scams pose to the ecosystem.

A typical dApp consists of three parts: front end, back end, and smart contracts. When hackers attack a dApp, they may target one part or attack multiple parts simultaneously. According to our statistical data, attacks on the dApp front end far outnumber attacks on contracts, but the losses caused by attacks on smart contracts far exceed those caused by front-end attacks.

This indicates that vulnerabilities in smart contracts remain the biggest risk to dApp security.

The typical exit scam incidents in the third quarter of 2023 all occurred in dApp projects.

In incidents where smart contracts were attacked by hackers, the top three causes ranked as follows:

First: Logical flaws

Second: Flash loans

However, in terms of loss amounts, attacks caused by private key leaks resulted in the highest asset losses, far exceeding other categories.

Practical Solutions and Measures for Preventing Security Incidents

In this section, we will summarize some solutions and measures to help blockchain developers and users manage and prevent blockchain risks based on the characteristics of security incidents that occurred in the third quarter of 2023. We recommend that both blockchain developers and users actively implement and practice these solutions and measures in their daily operations and work to maximize the protection of project security and cryptocurrency asset security.

Note: "Blockchain developers" refers to both the development engineers of blockchain projects themselves and developers related to blockchain systems or their extended systems (such as cryptocurrency assets). "Blockchain users" refers to all users participating in activities related to blockchain systems (such as management, operation, maintenance, etc.) or cryptocurrency asset trading.

For Blockchain Developers

Although there were no typical security incidents involving Layer 2 solutions in the third quarter, the security of Layer 2 solutions still deserves attention. This is because the development and implementation of Layer 2 solutions will continue to be a hot topic and focus for the entire ecosystem, and researching the security of these solutions will be a significant challenge faced by the industry.

In blockchain applications, it is essential to transfer the permissions controlling critical operations in the project to a multi-signature wallet or DAO organization for management after the project has been deployed and running stably for a period.

When hackers discover a vulnerability in a smart contract, they often use a flash loan to fund the attack on it. The vulnerabilities exploited this way typically include reentrancy and logical flaws (such as missing permission validation or an incorrect price calculation). Vigilantly preventing and fixing these vulnerabilities should always be a top priority for smart contract developers.

Our statistical data also shows that an increasing number of hackers are launching phishing attacks through social media software (such as Discord, Twitter, etc.). This phenomenon persisted throughout 2022 and continued into the third quarter of 2023, resulting in losses for many users. Project teams need to implement strict and comprehensive management of their operational social media and deploy corresponding security measures to ensure the safety and stability of their social media operations, preventing exploitation by hackers.

Blockchain Users

An increasing number of users are beginning to participate in various blockchain ecosystem activities and hold various blockchain ecosystem assets. In this process, cross-chain trading activities are also rapidly growing. When users participate in cross-chain transactions, they need to interact with cross-chain bridges, which are often targeted by hackers. Therefore, before initiating a cross-chain transaction, users need to thoroughly investigate and understand the security and operational status of the cross-chain bridge they are using to ensure its safety, stability, and reliability.

When users interact with dApps, they must pay close attention to the quality and security of their smart contracts, as well as the security of the dApp front end. Users should be cautious with any suspicious or dubious information, prompts, or dialogues that appear on the front end, avoiding clicking or following their instructions.

We strongly recommend that users carefully check and read the audit reports of any blockchain project before interacting with it or investing in it. For projects without audit reports or with suspicious reports, users should participate with caution.

We recommend that users manage large assets or assets not used for frequent trading using cold wallets or multi-signature wallets. Users should always be cautious about the operational security of hot wallets and ensure that the hardware platform on which the hot wallet is installed is secure, reliable, and stable.

Users need to conduct a certain level of investigation and understanding of the team background of blockchain projects. They should be cautious of teams with vague backgrounds or lacking credibility, as these projects may pose exit scam risks. For frequently used centralized exchanges, users should pay more attention to their backgrounds and credibility, verifying the backgrounds, information, and data of these exchanges from multiple third-party sources to ensure their long-term and secure operation.

References

[1] Aave. https://aave.com/

[2] Flash-loans. https://aave.com/flash-loans/

[3] ERC-20 TOKEN STANDARD. https://ethereum.org/en/developers/docs/standards/tokens/erc-20/

[4] Sidechains. https://ethereum.org/en/developers/docs/scaling/sidechains/

[5] Layer-2. https://academy.binance.com/en/glossary/layer-2

[6] Metis. https://www.metis.io/

[7] Mixin. https://mixin.one/

[8] Quai Network. https://qu.ai/

[9] Swisstronik. https://www.swisstronik.com/

[10] SwapDex Blockchain. https://swapdex.network/

[11] Aptos. https://aptoslabs.com/

[12] Multichain. https://multichain.xyz/
