Compared to 2022, the overall financial loss due to hacking in the web3 industry decreased to $1.7 billion in 2023.
The Web3 industry is becoming increasingly advanced in cybersecurity and cyberattack prevention. However, hacking remains lucrative for cybercriminal groups like Lazarus, threat actors that rely on advanced attacks.
This means that the majority of total losses (estimated at 70%) can come from a handful of high-profile cyberattacks, such as Multichain, Mixin Network or Poloniex.
Salus, a cybersecurity company specializing in security for the Web3 industry, has compiled the 2023 Web3 Security Landscape Report.
This article highlights the top 10 attacks, total losses from cryptocurrency hacks, common vulnerabilities that have led to high-profile incidents in the industry, and steps businesses can take to reduce their chances of being hacked.
Below are the key findings and takeaways that companies in the Web3 space can learn from and apply to their security in 2024.
Major Web3 vulnerabilities discovered in 2023
According to the Salus report, the weaknesses responsible for most hacks are:
Access control issues – cause of 39.18% of cyberattacks
Flash loan attacks – account for 16% of cybercrime
Exit scams – account for 12% of annual losses
Oracle issues – occur in 6% of all exploits
Phishing – social engineering behind 4% of incidents
Reentrancy – accounts for 4% of cybercrime
Others – account for the remaining 17% of all hacks
The most common types of cyber attacks and weaknesses include highly technical and sophisticated threats, as well as those that rely on human bias and error.
How can we prevent it in 2024?
Let’s break down the most common hacking threats and the best preventative measures you can take to avoid them in the coming year.
Access control issues
Most hacks (about 39.18%) were possible due to access control issues. According to the report, 29 such incidents resulted in losses of $666 million in 2023. Hacks including Atomic Wallet, Multichain, and Poloniex all started with this kind of flaw.
Access control exploits cover a wide range of flaws that hackers can use to gain unauthorized access. These include outdated equipment, misconfigurations, inadequate access management, overly permissive settings, stolen key cards, and an inability to integrate with other systems.
To avoid these common security flaws, set strong permissions that follow the principle of least privilege. Update your access permissions regularly. Users with higher access privileges will require additional training.
Finally, put automated, thorough monitoring in place to help identify and mitigate access abuse attempts across your entire infrastructure.
Flash loan attacks
Flash loan attacks fall into the decentralized finance (DeFi) category because they misuse and manipulate smart contracts. In this attack, malicious actors take out flash loans within a DeFi platform, borrowing large amounts of cryptocurrency since no collateral is required.
Many companies in the cryptocurrency industry have fallen victim to this attack. In 2023, there were 37 incidents resulting in losses of $274 million. Companies affected include Euler Finance, KyberSwap, and Yearn Finance.
To protect your assets from flash loan attacks, use smart contracts to set limits on how much an individual can borrow and impose time limits.
Charging a fee to those seeking flash loans is another way to discourage hackers from exploiting this usually uncollateralized option.
Exit scams
This scam hits investors’ wallets the hardest: cryptocurrency developers launch projects only to abandon them. In most cases, exit scams involve high-risk, lucrative opportunities offered by opportunistic cybercriminals that ultimately result in investors losing their funds.
In 2023, 276 exit scams were recorded in the cryptocurrency industry, resulting in losses of $208 million.
This type of incident does not involve technical hacking at all, so prevention comes down to watching for the most common signs of fraud.
When an opportunity seems too good to be true, research the team behind that particular project and partner only with trustworthy companies that have a strong track record.
Even then, avoid investing everything in one place and beware of unrealistic opportunities.
Oracle issues
In the cryptocurrency industry, oracles serve as the source of price information for specific cryptocurrency protocols. If a hacker finds a vulnerability there, they can manipulate the price. In the worst case, combined with a flash loan attack, they can use the manipulated price to steal funds.
Seven hacks in the Web3 industry caused by oracle issues resulted in $234 million in losses. BonqDAO was one of the victims of an oracle attack in 2023: hackers exploited this flaw to change the token price.
To avoid oracle abuse, you need to understand token liquidity. Do not derive prices from markets with shallow liquidity. Ask whether the liquidity is adequate for your use and consider how the oracle integrates with your existing platform.
Also use a TWAP (time-weighted average price).
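To make the flash loan and oracle advice above concrete, here is an added Python model (not code from Salus or from any protocol named in the report) of a lending protocol that prices collateral from a constant-product pool: a flash-loaned swap inflates the spot price within a single block, while a 30-block TWAP built from block-start observations does not move. The pool sizes, the 75% loan-to-value rule and the attacker's collateral are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Pool:
    """Constant-product AMM (a * b = k). Token A is priced in token B."""
    a: float
    b: float
    fee: float = 0.003
    # One observation per block, taken at the block's start (before any trade),
    # so a swap cannot influence the observation of the block it executes in.
    history: list = field(default_factory=list)

    def spot(self) -> float:
        return self.b / self.a

    def observe(self, block: int) -> None:
        self.history.append((block, self.spot()))

    def twap(self, window: int, now: int) -> float:
        obs = [p for blk, p in self.history if now - window < blk <= now]
        return sum(obs) / len(obs)

    def swap_b_for_a(self, amount_b: float) -> float:
        """Buy A with B. A large buy pushes the spot price of A sharply up."""
        amount_in = amount_b * (1 - self.fee)
        out = self.a - (self.a * self.b) / (self.b + amount_in)
        self.a -= out
        self.b += amount_b
        return out


def max_borrow(collateral_a: float, price_a: float, ltv: float = 0.75) -> float:
    """Lender rule (assumed): borrow up to `ltv` of the collateral's quoted value."""
    return collateral_a * price_a * ltv


def simulate(use_twap: bool, flash_loan_b: float = 1_000_000) -> float:
    """Return how much B an attacker holding 10,000 A can borrow in one
    transaction after dumping a flash loan of B into the pool."""
    pool = Pool(a=1_000_000, b=1_000_000)      # constructed: price of A = 1.0 B
    for blk in range(1, 32):                    # 30 honest blocks, then block 31
        pool.observe(blk)
    now = 31
    pool.swap_b_for_a(flash_loan_b)             # manipulation inside block 31
    price = pool.twap(window=30, now=now) if use_twap else pool.spot()
    return max_borrow(10_000, price)
```

A TWAP is only as strong as its window: an attacker who can keep a price moved across several blocks shifts it too, which is why the report also warns against pricing from shallow-liquidity markets.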
Phishing
Social engineering tactics like phishing rank at the top every year because they are difficult to detect and completely eliminate. They evolve every year and depend on human error.
According to the report, 13 phishing-related incidents resulted in $67.6 million in losses.
Phishing is most often done via email and attempts to trick a person into taking some action. Hackers often use it to gain access to otherwise well-protected systems. Known hacking groups such as Lazarus also relied on phishing in their 2023 attacks.
In addition to the awareness training for all employees that is usually suggested to combat phishing, recommended measures against more advanced forms of phishing include penetration testing.
Its role is to detect, early on, potential weaknesses on the front end that could enable phishing, before hackers have a chance to exploit them.
Other necessary precautions include multi-factor authentication, domain security, email verification, and the use of hardware wallets.
Reentrancy
In this exploit, a smart contract is interrupted and called again (re-entered) before it has finished its previous task. This allows an attacker to manipulate the contract’s state and, most likely, withdraw funds.
In 2023, there were 15 attacks relying on reentrancy in the Web3 industry, resulting in losses of $74 million. Exactly Protocol was one of the victims of a reentrancy vulnerability. This was caused by a Vyper bug.
To prevent reentrancy, have smart contract auditing in place, ensure that all auditors are trustworthy and experienced, follow the checks-effects-interactions pattern, and add comprehensive reentrancy protection to sensitive operations.
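The reentrancy mechanism and the checks-effects-interactions fix described above, as an added Python model (not on-chain code, and not from any protocol named here): the same withdraw routine is run once with the state update after the external call, and once with the update before it plus a reentrancy guard. The vault balances, the attacker's deposit and the names are constructed values.

```python
class Vault:
    """Withdraw model; hardened=True uses checks-effects-interactions plus a reentrancy guard."""
    def __init__(self, hardened: bool) -> None:
        self.hardened, self.locked = hardened, False
        self.balances = {}                  # account -> credited balance
        self.funds = 0                      # total units held by the contract

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def withdraw(self, who: str, on_receive) -> None:
        if self.hardened and self.locked:   # reentrancy guard
            raise RuntimeError("reentrant call rejected")
        self.locked = True
        amount = self.balances.get(who, 0)  # checks
        if amount == 0 or amount > self.funds:
            self.locked = False
            return
        if self.hardened:
            self.balances[who] = 0          # effects before the external call
        self.funds -= amount
        on_receive(amount)                  # interaction: recipient code runs here
        if not self.hardened:
            self.balances[who] = 0          # vulnerable: effect after the call
        self.locked = False


class Attacker:
    """Constructed attacker whose receive hook re-enters withdraw()."""
    def __init__(self, vault: Vault) -> None:
        self.vault, self.received = vault, 0

    def on_receive(self, amount: int) -> None:
        self.received += amount
        try:
            self.vault.withdraw("attacker", self.on_receive)   # re-enter
        except RuntimeError:
            pass   # guard rejected the nested call; the outer call finishes

    def run(self, deposit: int) -> int:
        self.vault.deposit("attacker", deposit)
        self.vault.withdraw("attacker", self.on_receive)
        return self.received


def drained(hardened: bool) -> int:
    """Units the attacker ends up with from a vault holding 100 of victims' funds."""
    vault = Vault(hardened)
    vault.deposit("victim", 100)
    return Attacker(vault).run(10)
```

In the vulnerable ordering the attacker's 10-unit deposit lets them empty the whole vault; with the effect moved before the call (and the guard as a second line of defence) they get back only their own deposit.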
Top 5 Cyber Attacks in Web3 Industry in 2023
Here are the five worst cyberattacks in the web3 space in 2023.
Mixin Network — $200 million lost
Euler Finance — $197 million lost
Poloniex — $126 million lost
Multichain — $125 million lost
BonqDAO — $120 million lost
Other advanced hacks that have been profitable for hackers include Atomic Wallet, HECO Bridge, Curve, AlphaPo, and CoinEx.
These 10 incidents alone accounted for 70% of total losses (exceeding $1.7 billion in 2023).
The Lazarus Group, known to operate in North Korea, gained the most. They are responsible for many notable attacks that have occurred over the past few years.
Most of the losses occurred in July, September and November; in September alone, cyberattacks caused $360 million in losses. Financial losses were significantly lower in January, August, October and December.
Let’s analyze the five most damaging hacks in the Web3 industry in 2023.
#1 Mixin Network
Last September, Mixin Network revealed a breach that caused $200 million in losses, mostly in the form of Bitcoin. This is the largest cryptocurrency asset theft incident recorded in 2023.
Full details of the attack and the subsequent investigation have not been released. What is known is that the hackers exploited a cloud security vulnerability: malicious actors obtained mainnet assets by compromising databases hosted in a third-party cloud.
Mixin Network is known for providing free and fast cross-chain transfers of digital assets. To do this, they rely on centralized databases, providing hackers with a major weakness.
#2 Euler Finance
In March, Euler Finance lost $197 million, currently ranked as the second-worst cryptocurrency hack of 2023. The root cause was a flaw in the system’s donateToReserves function.
The attackers used flash loans to exploit the DeFi protocol and steal funds. They used the loans to trigger debt and liquidations, which caused Euler Finance’s total value locked (representing all the money held in the system) to fall sharply.
Unexpectedly, the hacker apologized in a blockchain message and returned the stolen funds.
However, the event highlighted how important it is to carefully identify and assess the risks of smart contracts used in decentralized finance.
#3 Multichain
In June, Multichain experienced a hack that drained $120 million worth of cryptocurrency from its wallets. The company was previously known as Anyswap.
That month, locked assets were unexpectedly moved to an unknown address, alarming users.
When the company resumed operations in November, it suffered an additional $1 million in losses from further exploitation.
The incident involved abnormal transfers, asset exfiltration, and irregular movements of user funds to unknown wallets, but the details of the attack are unknown. Now the company’s internal security practices are being questioned and users are still waiting for more answers.
With the CEO and his sister in prison, the company’s operations have been halted, and access to its servers and funds is now controlled by Chinese police.
#4 Poloniex
Last November, cryptocurrency exchange Poloniex lost $126 million due to a hack by the Lazarus Group, a North Korean group notorious for its use of phishing and various attacks using its own malware.
The attackers used compromised private keys to drain funds from the exchange’s hot wallets. With access to the private keys, the malicious actors could send cryptocurrency to wallets owned by Lazarus.
The attack showed many typical signs of Lazarus, including exploiting different token types and sending them to various addresses.
The incident is a reminder that relying on blockchain wallets controlled by a single private key can be risky when combined with social engineering.
Poloniex continued to operate thereafter and adopted stronger security measures, particularly in key management.
#5 BonqDAO
In February, BonqDAO, a lending and stablecoin protocol on the Polygon network, suffered a two-stage attack due to oracle manipulation, resulting in losses worth $120 million.
The attackers manipulated the Tellor price feed to allow them to borrow funds using artificially inflated collateral.
The event highlighted the risks posed by oracle vulnerabilities, known to be one of the most commonly exploited weaknesses in the Web3 space in 2023, and the significant impact they can have on decentralized finance (DeFi) platforms.
The Next Steps in Web3 Cybersecurity in 2024
As previously mentioned, the majority of financial losses from successful hacks in 2023 were due to high-profile incidents. Although there were fewer cyberattacks compared to 2022, the attacks mentioned were still very profitable for advanced hacking groups.
Every year, businesses are improving their ability to protect their assets from a variety of cyber threats. But with each new year, we are faced with a greater number of threats and new types of cyber challenges that require improved security solutions and protocols.
How can we reduce the likelihood of large-scale hacking within the Web3 industry in 2024?
Salus recommends taking a multi-pronged approach consisting of rigorous audits and raising awareness of Web3 penetration testing.
Security must cover weaknesses that can arise from fraud that exploits human psychology and sophisticated hacking that targets critical flaws in technology.
Disclaimer: This article is provided for informational purposes only. It is not provided or intended to be used as legal, tax, investment, financial or other advice.