August 17, 2022

H1 2022 Web3 Security Overview

In H1 2022, about 79 major security incidents were monitored in the Web3 space by Beosin, and losses due to various types of attacks reached $1,912.87 million.

Footprint Analytics — H1 Total Losses Amount & Count

The following data provide an overview of the Web3 security space in the first half of the year.

  • Seven cross-chain bridge attacks occurred in H1 2022 resulting in a total loss of $1,135.99 million.
  • About 53% of the attacks were contract vulnerability exploits.
  • Approximately 26.6% of the attacks involved flashloans.
  • Five security incidents with losses of over $100 million each occurred.
  • The overall DeFi market TVL fell by 71% from $276 billion at the beginning of January to $80 billion at the end of June.
  • Hackers laundered a total of $1,140.7 million through Tornado.cash.
  • About 71% of attacks occurred in the DeFi space.

In this semi-annual report, Beosin has extracted typical data on security incidents that occurred during the first half of the year and combined these with the Beosin security team’s years of experience in auditing, fund tracking and research in the field to find the deeper meanings and stories behind these data.

Download the full report at:

https://beosin.com/resources/Beosin_H1_2022_Web3_Security_Report.pdf

Data Source:

https://www.footprint.network/@Beosin/Footprint-Beosin-H1-2022-Report

Some data from the report:

I. Seven cross-chain bridge attacks occurred in H1, in which a total of $1,135.99 million was lost

Footprint Analytics — H1 Attacked Bridges

The techniques and vulnerabilities involved in cross-chain bridge attacks over the last year can be divided into three main categories:

1. Contract vulnerabilities, e.g.

Jan 18, 2022 Multichain incident, $1.34 million lost;

Jan 27, 2022 Qubit Bridge incident, $80 million lost.

2. Private key compromises, e.g.

Mar 30, 2022 Ronin bridge lost $625 million;

Jun 24, 2022 Harmony bridge lost $100 million.

3. Off-chain process defects, e.g.

Jul 10, 2021 Anyswap incident, $7.87 million lost.

II. 53% of the attacks were contract vulnerability exploits

Footprint Analytics — H1 Loss Amount & Count by Contract Vulnerabilities

Which type of vulnerability has caused the highest loss in a single case?

The highest single loss resulted from a signature validation vulnerability. On February 3, 2022, the Solana cross-chain bridge project Wormhole was attacked, resulting in cumulative losses of approximately $326 million. Hackers exploited a signature validation vulnerability in the Wormhole contract, which allowed them to forge sysvar accounts and mint wETH.

The second highest single loss was the result of a reentrancy vulnerability. On April 30, 2022, Fei Protocol suffered a flashloan-assisted reentrancy attack that caused a total loss of $80.34 million.

III. About 26.6% of the attacks involved flashloans

In H1 2022, the number of attacks using flashloans reached 21, or 26.6%, and involved total losses of $332.91 million.

Footprint Analytics — H1 Flashloan Attacked by Month

IV. A total of $1,140.7 million laundered via Tornado.cash by hackers

In the first half of 2022, approximately $1,140.7 million in stolen funds was transferred to Tornado.cash by hackers, accounting for approximately 60% of the total amount lost. Approximately $635.36 million of the stolen funds were temporarily held at the hackers’ addresses.

Footprint Analytics — Fund Flow

V. About 71% of attacks occurred in the DeFi space

In the first half of 2022, there were 79 major security incidents across the blockchain ecosystem, of which a total of 56, or 71%, involved DeFi security; losses amounted to $550 million.

Footprint Analytics — Attacked Protocols By Category

H1 2022 Summary

Looking at the overall crypto market trend in the first half of the year, every major sector, including DeFi, NFT and GameFi, continued to decline. DeFi TVL fell from $279.8 billion at the beginning of January to $82.4 billion at the end of June, down 70.5% in six months. The analysis found that the frequency of hacking incidents showed some correlation with the market trend: generally speaking, more money on chain attracts more hackers. May and June saw fewer hacking incidents than the preceding months as TVL shrank significantly.

There were seven cross-chain bridge attacks in the first half of the year, with a total loss of $1,135.99 million. The attack techniques of cross-chain bridges are mainly contract vulnerability exploitation, private key compromise and off-chain flaws. For projects, security audits, off-chain risk control, regular checks of signature servers, strict scrutiny of signers, re-assessments after version updates, and bug bounty plans are all effective means of ensuring the safe operation of cross-chain bridge projects.

Among the attacks in H1 2022, about 53% were contract vulnerability exploits. Comparing the vulnerabilities actually exploited with those found during audits shows that most of them, such as logic and reentrancy vulnerabilities, could have been detected in the audit phase. Beosin VaaS can perform automatic formal verification of code during contract development, including coding specification detection, standard specification detection, function call detection and business logic security detection. Combining such tools with manual inspection by audit experts, the Beosin audit service can provide comprehensive security assurance before a project goes live, greatly reducing the risk of attack.

Flashloan attacks accounted for 26.6% of incidents and caused $332.91 million in losses. Besides adopting measures such as time-weighted average pricing (TWAP), more frequent price update mechanisms and stricter governance logic, projects can use tools that monitor flashloans in a timely manner. Beosin EagleEye can monitor risky transactions such as flashloans, large outflows, privileged operations and exploiters moving assets. Its project browser lists over 2,300 monitored projects together with each project’s security audit results, the frequency and severity of risky transactions, decentralization, governance and transparency, and market volatility. Discover more at https://eagleeye.beosin.com.
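As an added illustration of why TWAP is listed above as a flashloan mitigation (this is not code from the Beosin report; the pool, reserves, timestamps and loan size are all constructed), the toy constant-product pool below carries a Uniswap-v2-style cumulative price accumulator, so a spot price and a time-weighted average can be compared around a single-block flashloan-funded swap:

```python
# Toy x*y=k pool (no fees) with a cumulative-price accumulator. Constructed
# example, not the report's or any project's code: reserves, timestamps and
# the flashloan size are assumptions chosen to make the effect visible.


class ConstantProductPool:
    def __init__(self, token_reserve, usd_reserve, now):
        self.x = float(token_reserve)   # token reserve
        self.y = float(usd_reserve)     # USD reserve
        self.price_cumulative = 0.0     # sum of spot_price * seconds it held
        self.last_ts = now

    def spot_price(self):
        """Instantaneous USD per token: readable, and movable, within one block."""
        return self.y / self.x

    def _accumulate(self, now):
        """Fold the price that held since the last update into the accumulator."""
        self.price_cumulative += self.spot_price() * (now - self.last_ts)
        self.last_ts = now

    def buy_tokens(self, usd_in, now):
        self._accumulate(now)
        k = self.x * self.y
        self.y += usd_in
        tokens_out = self.x - k / self.y
        self.x -= tokens_out
        return tokens_out

    def sell_tokens(self, tokens_in, now):
        self._accumulate(now)
        k = self.x * self.y
        self.x += tokens_in
        usd_out = self.y - k / self.x
        self.y -= usd_out
        return usd_out

    def observe(self, now):
        """What a TWAP consumer stores on chain: (cumulative price, timestamp)."""
        self._accumulate(now)
        return self.price_cumulative, now


def twap(older, newer):
    """Average price between two observations; the window must be non-empty."""
    (c0, t0), (c1, t1) = older, newer
    assert t1 > t0, "TWAP window must span at least one block"
    return (c1 - c0) / (t1 - t0)


def simulate(window_seconds=3600, flashloan_usd=5_000_000):
    pool = ConstantProductPool(1_000, 1_000_000, now=0)  # $1,000 per token
    start = pool.observe(0)
    bought = pool.buy_tokens(flashloan_usd, now=600)     # loan-funded buy, one block
    spot_during = pool.spot_price()                       # what a spot oracle reports
    twap_same_block = twap(start, pool.observe(600))      # TWAP read in that block
    pool.sell_tokens(bought, now=612)                     # unwind next block, repay loan
    twap_window = twap(start, pool.observe(window_seconds))
    return spot_during, twap_same_block, twap_window
```

The same-block TWAP read is unchanged because the accumulator only advances with elapsed time, and lengthening the window dilutes the one manipulated block further.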

In H1 2022, there were five security incidents with losses of over $100 million each, and the good news is that all five of the attacked projects issued remedies and went back online some time later. By contrast, in past incidents some small to medium-sized projects struggled to restart after a major attack.

Approximately $1,140.7 million in stolen funds was transferred into Tornado Cash by hackers in H1 2022, representing around 60% of the total amount lost. While coin mixing technology enhances the anonymity and privacy of on-chain transactions, it has also been abused by hackers for crimes such as money laundering. Beosin has had several successes in past cases analyzing hackers’ on-chain traces and recovering assets that had been moved into Tornado Cash. At the time of writing, the U.S. Treasury Department has announced sanctions on Tornado Cash. It can be expected that new money laundering methods, harder to track, will emerge in the future and further increase the difficulty of law enforcement. Beosin will continue to actively research new money laundering methods in order to defend the security of the blockchain ecosystem.