Original Title: HACK3D 2022 WEB3.0 Domain Security Report
In mid-January 2023, as the Chinese New Year approached, cryptocurrencies led by Bitcoin and Ethereum saw a “slight rise” after a few months of dormancy, and the Web3 industry, sluggish since FTX’s “thunderstorm” (its sudden collapse), regained a little vitality along with them.
The past year, 2022, was a difficult one for Web3 practitioners: from hacker attacks and the fall of cross-chain bridges to the successive collapses of well-known centralized exchanges and investment institutions, the entire Web3 industry was dragged into a bear market.
From a certain point of view, security issues, rather than “ease of use”, have become one of the biggest challenges in the Web3 industry.
Not long ago, the CertiK team, a startup company specializing in Web3 security, released the 2022 Web3 Security Report. As one of the few companies in the industry that specifically provides security solutions for the Web3 industry, CertiK has received investment from well-known institutions such as Sequoia, and its current valuation has exceeded 2 billion US dollars, becoming a unicorn company in the new Web3 industry.
According to this report, throughout 2022, hackers have stolen $3.77 billion worth of assets from the Web3 protocol, which is not counting the tens of billions of dollars lost to users due to thunderstorms in centralized institutions such as FTX and Terra.
Faced with such a problem, how should the Web3 entrepreneurial team and company ensure the safety of themselves and users’ property?
The following is the text of the 2022 Web3 Security Report launched by CertiK, edited by Geek Park.
To read the full report, please click the link to apply for download (https://certik-2.hubspotpagebuilder.com/2022).
Image credit: Pixabay
2022 was a difficult year for the entire Crypto asset industry. Against a general market downturn, 65% of the market value of Crypto assets disappeared, and an unprecedented number of hacking attacks, fraud incidents and institutional collapses made things even worse for investors who had already suffered heavy losses.
From the theft of $624 million from Ronin Bridge in March 2022 to the collapse of FTX almost overnight in November, the scale of losses in 2022 hit the largest in history. The asset loss of the Web3 protocol in 2022 is about 3.77 billion US dollars, far exceeding the record of 1.3 billion US dollars in 2021.
This report will delve into the various factors that led to the collapse of centralized exchanges such as Celsius, BlockFi, and FTX. Web3 and decentralized financial applications based on open-source blockchains will play an important role as an alternative to centralized institutions that keep repeating the financial industry’s mistakes, but this alone is not enough for Web3 to reach scale.
While the losses in the decentralized world are relatively small compared to the scale of bankruptcies in the centralized space in 2022, they still total billions of dollars. The entire Web3 industry needs to reflect deeply on the past year and try to find a silver lining in this difficult period.
While insecure protocols continue to take their toll, that doesn’t negate the true value of Web3. Today, valuations of all types of assets are generally falling, and people’s enthusiasm is gradually subsiding. This allows us to take a step back, look at the status quo, and build the industry on a more solid foundation.
In addition to reviewing major hacks and breaches in 2022, this report will also showcase CertiK’s public and exclusive security research in line with its mission to safeguard the Web3 world.
01. The war on “centralization”: FTX “collapsed overnight”
Since 2022, the demise of many well-known Crypto asset companies has cast a shadow over the entire industry. While these businesses are all in the business of buying, selling, lending, and trading Crypto assets, before we label them the same, we should consider whether these defunct businesses can really be classified as Crypto asset companies.
To be sure, the failure of these businesses has more to do with their business operating models than with the assets they manage.
The fatal flaw of centralized Crypto asset firms (also known as CeFi, “centralized finance”, as opposed to “decentralized finance”, DeFi) is implicit in their name: they operate a centralized platform with a single point of control, which is exactly what produced the single points of failure we witnessed in 2022.
What followed is somewhat tragically ironic. During the Super Bowl in February 2022 (the annual championship game of the National Football League), FTX promoted the concept of Crypto assets to millions of viewers, claimed that Crypto assets are “the next big thing”, and implied that those who do not participate are like the fools in its commercials who miss out on everything.
However, FTX surreptitiously sent user deposits to the company’s supposedly “non-internal” but in-house trading arm, Alameda, which quickly lost billions of dollars on investments. This was also a serious violation of the exchange’s own terms of service.
Shocking news about FTX’s illiquid balance sheet quickly spread, and a typical bank run ensued. If an exchange keeps deposit funds 1:1 and does not re-hypothecate or lend without permission, it may survive this test. But that’s not the case with FTX.
Former FTX CEO Sam Bankman-Fried orchestrated a string of extravagant acquisitions, sponsorships, and bailouts, making FTX’s downfall all the more incredible.
For example, Voyager Digital, another now-defunct CeFi company, announced that FTX had successfully acquired its assets after filing for bankruptcy. However, it had to file for bankruptcy again after FTX’s flash crash.
FTX “thunderstorm” makes the Web3 industry worse in the bear market｜The Block
The collapse of companies such as FTX and Three Arrows Capital has indeed hit many large investment institutions, but it is the large number of ordinary retail investors who have been hurt the most. Overwhelming marketing, public figure endorsements and personality cults have led them to place trust in the wrong platforms and pay dearly for it.
Retail investors made up a large share of those hurt: on the Voyager platform, 97% of users held assets worth less than $10,000. Many of these users mistakenly believed that the CeFi platform was more secure, and have now lost their assets. They believed that depositing assets on a CeFi platform was safer and offered higher returns, while avoiding the high entry barriers and the various risks that smart contracts bring on decentralized platforms.
Although these lessons are very painful, they are essential ones. The core principles of Crypto assets are Self-Custody and Self-Sovereignty, so handing control of users’ assets to a centralized platform violates those principles. It is entirely possible that these platforms do not abide by their terms of service, and you have no way of knowing how your assets are being used by the platform.
In addition, you cannot verify the financial health of the platform, nor can you track the flow of assets to understand the real source of its income and the risks you are taking on. Everything rests on the blind trust and belief of users, and the events of 2022 bear witness to the outcome: what started as a seemingly safe place ended in disaster.
One of the most impactful events of 2022 was the crash of Terra, which wiped out its $45 billion market cap in a matter of days.
Unlike stablecoins such as Tether, USDC, and BUSD, algorithmic stablecoins do not rely on a 1:1 peg ratio with the US dollar to maintain stability, but maintain currency pegs through their internal mechanisms. Specifically, the algorithmic stablecoin maintains its basic value through the minting and burning functions set by the smart contract.
Take Terra’s UST stablecoin as an example. UST is linked to Luna, another independent Crypto asset. Holders of UST can exchange their assets for equivalent LUNA at any time. At the beginning of May, LUNA was trading at $85, at which point one UST stablecoin could be traded for 0.0118 LUNA.
If the trading price of UST falls below its set $1 threshold, market makers will then convert a large amount of UST into LUNA to close the gap in value between the two. The principle is to increase the demand for LUNA while reducing the supply of UST, that is, to maintain the stability of the currency anchor by increasing the price of the stablecoin reserve asset.
On May 7, on-chain analysis showed that UST was sold in large quantities, and 85 million UST was converted into 84.5 million USDC, which directly led to the decoupling of UST for the first time. Affected by this, the price of UST fell to a low of $0.985 on May 8.
In order for UST to re-anchor to the US dollar, the Luna Foundation Guard (LFG) deployed $750 million worth of Bitcoin to assist market makers in maintaining UST price stability. LFG repurchased another $750 million worth of bitcoin after market conditions returned to normal.
Mechanism between Terra and LUNA quickly collapsed in the face of crisis｜Bitnovo
However, unexpectedly, the price of UST fell to a lower point of $0.65 on May 9. The re-decoupling of UST then triggered the price shock of LUNA, whose price plummeted to $35, a drop of more than 44%, which in turn decoupled the market value between LUNA and UST, thus jeopardizing its function as a stable reserve asset. Because the LUNA ecosystem at this time does not have enough value to mortgage all the circulating UST.
From this point on, the delicate balance between LUNA and UST began to unravel.
Misfortunes never come singly, however: Terra creator and Terraform Labs CEO Do Kwon was revealed to be one of the anonymous co-founders behind the previously failed algorithmic stablecoin Basis Cash. According to allegations, after the decoupling and the resulting billions of dollars in losses, Do Kwon misappropriated some $67 million worth of bitcoin instead of using it to maintain the currency’s peg. South Korean prosecutors have issued an arrest warrant for Do Kwon, but he is still at large.
This historic crash of Terra/LUNA has caught the entire blockchain ecosystem off guard, and practitioners and users have to stop and think about the profound impact this event will have on the future of Web3.
Is decentralization the answer?
Compared with centralized platforms, the continued success of DeFi platforms such as Aave provides concrete support for decentralized business models. Users can verify Aave’s solvency in real time and understand where depositors’ income comes from. And the platform’s liquidation process does not permit the kind of risk that ultimately led to the collapse of Celsius.
Compared with centralized financial platforms, DeFi obviously has many advantages.
However, the smart contracts that power Web3 are not invulnerable either: DeFi protocols have their own series of risks, and breaches of them stole more than $3 billion in funds in 2022.
Perhaps this is what the Web3 world is about: decentralized applications built on open-source blockchains that offer a powerful alternative to the opaque world of centralized institutions, as well as a real alternative to the notoriously flawed way finance works.
Users who have used Aave may know that the platform cannot violate its terms of service, because those terms are written into the smart contracts that govern its operations, just as a blueprint is written into DNA. Users also do not need to worry that control of their assets might be transferred to the platform, because all transactions are executed openly and transparently on the blockchain. Although various high-yield products may expose users to considerable risk, that depends on the characteristics and strategy of each product. In any case, users can see at any time where their assets are and how the yield is obtained, and everything is open and transparent.
DeFi is more reliable in mechanism than CeFi, but there are still security challenges｜BAP Solution
Although the above does place a heavier due-diligence burden on users, the Web3 model still has advantages over centralized platforms that the latter cannot match.
However, Web3 still has some way to go before it can realize its full potential and be considered a real replacement for CeFi.
It’s worth thinking about: why are millions of users willing to “entrust” billions of dollars to these centralized organizations?
Perhaps because centralized organizations provide a service that simplifies the process and eliminates the risk of self-custody. In addition, they also provide greater liquidity and richer financial products, and provide support and service platforms to help users solve problems in a timely manner. Finally, don’t forget that hackers have exploited the loopholes of decentralized protocols to gain billions of dollars in 2022 alone, which is why more people choose to believe in centralized platforms.
If it wants to go far, Web3 needs to improve in two main areas: usability and security.
Usability: To understand how to use a DeFi platform, sometimes it takes hours of research, and this is only before the capital is invested. It might even take days to research multiple platforms thoroughly.
Security: While DeFi may lose less than CeFi in 2022, the value lost from Web3 is still in the billions. By summarizing the main events of 2022, we hope to draw attention to areas where Web3 still needs improvement, especially security. Only by recommitting to the basic ideals and returning to the original heart can we build a complete alternative product that provides everyone with a truly free and fair financial system.
02. Hackers are ferocious
In 2022, attacks on cross-chain bridges caused a total of $1.3 billion in losses, which accounts for 36% of the total losses of the past 12 months. Just three of these incidents accounted for 87% of all cross-chain bridge asset losses, which highlights the outsized risk that cross-chain bridge attacks bring.
Most cross-chain applications have extremely complex technical structures and contain a variety of attack vectors. This complexity lets them offer a wider range of capabilities, but at the cost of exposing a larger attack surface.
Play-to-earn’s hottest game Axie Infinity has been hacked｜Play to Earn
Ronin loses $625 million
The Ronin Bridge incident can be said to be the largest attack incident/vulnerability in the history of the DeFi field. On March 23, the sidechain built for the Web3 game Axie Infinity was hacked, and more than 173,600 ETH and 25.5 million USDC (a total value of $625 million) were lost.
According to Nomad’s report, hackers managed to obtain the private keys of five validator nodes securing the network, and there is evidence that the attackers are the hacker group Lazarus Group. The group used advanced spear-phishing attacks to obtain private keys, and after draining assets dry, the attackers laundered the stolen money through Tornado Cash and centralized exchanges, including FTX and Huobi.
Wormhole loses $326 million
On February 2, Wormhole Bridge was hacked and $326 million worth of assets were lost. The attackers bypassed signature verification by injecting a fake sysvar account, which let them produce a malicious message that the bridge accepted. The attacker then successfully minted 120,000 WETH by calling the complete_wrapped function with that malicious message.
Two minutes after minting, the attacker bridged 10,000 ETH to the Ethereum blockchain. About 20 minutes later, another 80,000 ETH transactions were made on the Ethereum blockchain. As of the end of 2022, these stolen funds remain in the attacker’s wallet.
Nomad loses $190 million
On August 1, the Nomad Bridge was exploited and the damage was worth approximately $190 million. The attacker exploited a vulnerability in the initialization process — that is, the contract parameter committedRoot was initialized to zero when deploying the contract. This vulnerability could allow an attacker to bypass message validation, thereby depleting the tokens held in the bridge contract. As long as the attacker deposits ETH (such as 0.1 or even 0.0001 ETH) on one chain, he can receive any amount of ETH on the other chain.
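The initialization flaw described above, the acceptable-root table treating the zero root as confirmed so that a message that was never proven passes validation, is easiest to see in a small model. The following is an added example written for this page, not Nomad’s contract code: the `BridgeReplica` class, its method names, the use of SHA-256 in place of the EVM hash, and the sample messages are all constructed. It shows the flawed replica accepting an unproven message beside a hardened replica that refuses to confirm the zero root at deployment and rejects it during processing.

```python
"""Model of a bridge 'replica' contract that accepts cross-chain messages only if
they were proven under a confirmed Merkle root.  Constructed example: the class,
names and hashing (sha256 instead of keccak256) are assumptions for illustration."""

import hashlib

ZERO_ROOT = b"\x00" * 32  # the default value of an uninitialised 32-byte root


def message_hash(message: bytes) -> bytes:
    # Stand-in for the on-chain message hash (keccak256 in the EVM).
    return hashlib.sha256(message).digest()


class BridgeReplica:
    def __init__(self, committed_root: bytes, harden: bool):
        self.harden = harden
        self.block = 100                      # current block height (simulated)
        self.confirm_at: dict[bytes, int] = {}  # root -> block at which it is acceptable
        self.messages: dict[bytes, bytes] = {}  # message hash -> root it was proven under
        self.processed: set[bytes] = set()
        # The initialisation step: marks committed_root as confirmed immediately.
        # With committed_root == ZERO_ROOT and no check, the zero root becomes trusted.
        if committed_root == ZERO_ROOT and self.harden:
            return  # hardened: never confirm the zero root at deployment
        self.confirm_at[committed_root] = 1

    def confirm_root(self, root: bytes, block: int) -> None:
        # Normal path: a new root signed by the updater becomes acceptable at `block`.
        self.confirm_at[root] = block

    def prove(self, message: bytes, root: bytes) -> None:
        # Normal path: a Merkle proof binds the message to a root (proof itself elided).
        self.messages[message_hash(message)] = root

    def acceptable_root(self, root: bytes) -> bool:
        if self.harden and root == ZERO_ROOT:
            return False  # hardened: the zero root is never acceptable
        confirmed = self.confirm_at.get(root)
        return confirmed is not None and confirmed <= self.block

    def process(self, message: bytes) -> bool:
        """Return True if the message is accepted (and tokens would be released)."""
        h = message_hash(message)
        if h in self.processed:
            return False
        # An unproven message has no entry, so its root reads back as ZERO_ROOT.
        root = self.messages.get(h, ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.processed.add(h)
        return True


def demo() -> dict:
    """Compare the flawed and hardened replicas on the same inputs (constructed)."""
    unproven = b"release 1000 ETH to 0xattacker"   # constructed sample message
    legit = b"release 1 ETH to 0xalice"            # constructed sample message
    real_root = hashlib.sha256(b"batch-42").digest()

    flawed = BridgeReplica(ZERO_ROOT, harden=False)
    hardened = BridgeReplica(ZERO_ROOT, harden=True)
    for replica in (flawed, hardened):
        replica.confirm_root(real_root, block=50)
        replica.prove(legit, real_root)

    return {
        "flawed_accepts_unproven": flawed.process(unproven),
        "hardened_accepts_unproven": hardened.process(unproven),
        "flawed_accepts_proven": flawed.process(legit),
        "hardened_accepts_proven": hardened.process(legit),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened replica makes two changes: it refuses to confirm the zero root during initialization, and it rejects the zero root explicitly in `acceptable_root` so that a message with no proof entry can never match a trusted root. Both are needed, because an upgrade or re-initialization could otherwise reintroduce the trusted zero root later.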
It is worth noting that at least 41 wallets have copied this attack process since the attack process was quickly made public and the funds were still in Bridge. As a result, Nomad Bridge was nearly wiped out, with its Total Value Locked (TVL) plummeting from $190 million to $12,000 in a matter of minutes.
Predators and Phishing
Lazarus Group has been one of the most persistent and effective threat actors in the Crypto asset space. In addition to the Ronin Bridge exploit that netted them over $500 million, the hacking group has also carried out several profitable attacks in 2022. Most noteworthy are the Operation In(ter)ception, the Gate.io vulnerability, and the Harmony Horizon Bridge attack.
Operation In(ter)ception is a fraudulent job-advertising scheme run by the Lazarus Group: Lazarus posts job opportunities on sites such as LinkedIn and asks applicants to download a PDF file that deploys an executable. This malware then lets Lazarus’s operators exploit vulnerabilities in the victim’s system to steal sensitive information from industry employees.
The Lazarus Group’s activities underscore the importance of building and operating securely in the Web3 industry. And if the DeFi platform wants to be safe enough, it must not only resist attacks from unscrupulous Solidity developers, but also resist attacks from the most effective hackers in the world. Otherwise, smart contracts holding hundreds of millions of dollars in user funds will continue to be targeted.
On the other hand, phishing attacks remain a constant threat in the Web3 world, and fraudsters grow more sophisticated by the day. Millions of dollars worth of assets have been stolen through phishing. Not only communities but also individual users are targeted by malware and malicious actors. New phishing methods emerge endlessly, and all of them exploit the irreversibility of the blockchain and the inexperience of users.
For example, a newly reported phishing method is called the Ice Phishing scam. In popular terms, it is a way of getting something for nothing.
It differs from traditional phishing and is unique to Web3. Traditional phishing usually obtains personal information such as private keys or passwords by some means, whereas Ice Phishing deceives users into signing approvals that grant a malicious actor the ability to spend their assets at will, without the attacker ever obtaining the user’s private key.
Ice Phishing is a serious threat to investors in Web3, because interacting with DeFi protocols requires users to grant certain permissions, and it is not always 100% clear which permissions a given signature grants.
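Because the Ice Phishing pattern relies on a user signing an approval rather than giving up a key, the practical defence is to inspect what a transaction approves before signing it. The following is an added example, not code from the report or from any wallet: a pre-signing check that decodes the two standard approval calls (`approve(address,uint256)` for ERC-20 tokens and `setApprovalForAll(address,bool)` for NFT collections), and flags an unlimited allowance, a blanket collection approval, or a spender that is not on the user’s own list of known contracts. The function selectors are the standard ones; the spender allowlist and the sample calldata are constructed for illustration.

```python
"""Pre-signing check for the 'Ice Phishing' pattern: decode approval calldata and
warn about what it would let a third party spend.  Added example; the sample
calldata and the known-spender list below are constructed, not real addresses."""

# Standard 4-byte function selectors (first 4 bytes of keccak256 of the signature).
APPROVE = "095ea7b3"               # approve(address,uint256)      ERC-20
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool) ERC-721/1155
UNLIMITED = (1 << 256) - 1         # type(uint256).max, the usual "infinite" allowance


def decode_approval(calldata_hex: str):
    """Return a dict describing the approval in the calldata, or None if it is not one."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if len(args) < 128:           # two ABI words of 32 bytes each (64 hex chars)
        return None
    # Word 1: address, right-aligned in 32 bytes (12 zero bytes, then 20 address bytes).
    spender = "0x" + args[24:64]
    # Word 2: uint256 amount, or the bool for setApprovalForAll.
    value = int(args[64:128], 16)
    if selector == APPROVE:
        return {"kind": "approve", "spender": spender, "amount": value}
    if selector == SET_APPROVAL_FOR_ALL:
        return {"kind": "setApprovalForAll", "spender": spender, "approved": value == 1}
    return None


def assess(calldata_hex: str, known_spenders: set) -> list:
    """Return a list of warnings a wallet could show before the user signs."""
    approval = decode_approval(calldata_hex)
    if approval is None:
        return []
    warnings = []
    if approval["spender"] not in known_spenders:
        warnings.append("spender is not a known contract")
    if approval["kind"] == "approve" and approval["amount"] == UNLIMITED:
        warnings.append("unlimited token allowance")
    if approval["kind"] == "setApprovalForAll" and approval["approved"]:
        warnings.append("approval to transfer every NFT in the collection")
    return warnings


# Constructed sample inputs (not real addresses or transactions).
PHISHING_SPENDER = "0x" + "ab" * 20
KNOWN_DEX_ROUTER = "0x" + "cd" * 20
KNOWN_SPENDERS = {KNOWN_DEX_ROUTER}

# approve(0xabab..., type(uint256).max): the classic Ice Phishing request.
UNLIMITED_APPROVE = "0x" + APPROVE + "00" * 12 + "ab" * 20 + "ff" * 32
# approve(0xcdcd..., 1000 * 10**18): a bounded allowance to a known router.
BOUNDED_APPROVE = "0x" + APPROVE + "00" * 12 + "cd" * 20 + format(1000 * 10**18, "064x")
# setApprovalForAll(0xabab..., true): hands over an entire NFT collection.
COLLECTION_APPROVE = "0x" + SET_APPROVAL_FOR_ALL + "00" * 12 + "ab" * 20 + format(1, "064x")

if __name__ == "__main__":
    for name, calldata in [("unlimited", UNLIMITED_APPROVE),
                           ("bounded", BOUNDED_APPROVE),
                           ("collection", COLLECTION_APPROVE)]:
        print(name, assess(calldata, KNOWN_SPENDERS))
```

A wallet applying this check would show the bounded approval to a known router with no warnings, while the other two samples each produce two. A bounded allowance to a contract the user recognises is the normal shape of a DeFi interaction; an unlimited allowance or a blanket `setApprovalForAll` to an unfamiliar address is the shape of the scam described above.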
03. Web3 stress test
In 2022, the market value of cryptocurrencies fell by trillions of dollars, tens of billions of dollars were locked up in the bankruptcy proceedings of centralized institutions, and decentralized protocols lost more than 3 billion dollars, so it is hard to paint a rosy picture of the year.
Amid such extreme volatility, many of the top Web3 players have disappeared into history, including projects and platforms we once thought were invulnerable. However, most of the surviving Web3 applications and platforms are still moving forward through the crisis, and so far they are maintaining normal operations.
The past 12 months have been a major stress test for the industry, and not everyone has made it through. But “what doesn’t kill you makes you stronger.” Survivors will learn from the lessons of the past and fight for more potential prospects.
Open source, decentralized systems provide real benefits to users and can make the internet a freer and fairer place, a vision to keep in mind as we build our Crypto future. But fairness and liberty mean nothing when your assets can be stolen in an instant. That’s why safety is a crucial factor. CertiK’s end-to-end security solution provides users and builders with the tools they need to safely browse the emerging Web3 world.
Security is a choice, and one that will undoubtedly need to be made in order to bring the benefits of Web3 to the broadest user base.
2022 was a tough year, but the tough times are over. Now is the time to look to the future of the industry with fresh optimism.
Disclaimer: This content is the author’s independent opinion, does not represent the position of 0x Finance and Economics, and does not constitute investment advice, please treat it with caution, if you need to report or join the exchange group, please contact WeChat: VOICE-V.