The year 2023 witnessed a dynamic and evolving landscape in the realm of Web3 security, as highlighted in the Web3 Security Landscape Report meticulously compiled by the expert team at Salus, a prominent research-driven Web3 security company. This comprehensive report provides an in-depth analysis of the current state of Web3 security, shedding light on ten significant hacks that occurred throughout the year.
Web3 Security Landscape at a Crossroads
One of the most notable revelations of the report is that 2023 marked a critical juncture in the Web3 security landscape, showcasing both advancements in resilience and persistent challenges. The statistics are stark: cyberattacks on the Web3 industry resulted in losses exceeding $1.7 billion across a total of 453 reported incidents. These attacks underscored the diverse range of threats present in the Web3 ecosystem, emphasizing the imperative for continuous vigilance within the Web3 community.
Despite an overall decline in losses, 2023 featured high-profile exploits that reverberated loudly in the Web3 space. Noteworthy among these were the $200 million loss incurred by Mixin Network in September, followed by Euler Finance’s $197 million loss in March and Multichain’s $126.36 million loss in July. These incidents brought to the forefront the persistent threats targeting bridges and decentralized finance (DeFi) protocols within the Web3 ecosystem.
An intriguing trend emerged upon closer inspection of monthly losses. While the months of September, November, and July stood out for substantial losses, a notable downturn was observed in October and December. This trend hinted at a potential shift in focus towards heightened security awareness and the implementation of robust safeguards within the Web3 community.
Web3 Vulnerabilities in 2023
The report from Salus meticulously classified key vulnerabilities in the Web3 security landscape, providing detailed insights into exit scams, access control issues, phishing, flash loan attacks, reentrancy, oracle issues, and other vulnerabilities. Exit scams accounted for 12.24% of attacks, resulting in a loss of $208 million. The recommended safety measures included thorough research on projects, prioritizing those with transparent security assessments, and diversifying investments.
In addition, access control issues constituted 39.18% of attacks, leading to a substantial loss of $666 million. The report advised implementing robust authentication and authorization mechanisms, conducting security training, and establishing comprehensive monitoring systems. Meanwhile, phishing incidents, making up 3.98% of attacks, resulted in a loss of $67.6 million.
The report emphasized the importance of Web3 penetration testing, user education, hardware wallets, multi-factor authentication, and email verification. Flash loan attacks contributed to 16.12% of attacks, resulting in a loss of $274 million. Mitigating risks involved implementing restrictions and introducing fees for flash loan usage. Reentrancy vulnerabilities, on the other hand, accounted for 4.35% of attacks, resulting in a loss of $74 million.
Safety measures included adhering to the Checks-Effects-Interactions pattern and implementing comprehensive reentrancy protection. Oracle issues constituted 7.88% of attacks, leading to a loss of $134 million, with safety measures involving assessing token liquidity and increasing the attacker’s manipulation cost. Other vulnerabilities represented 16.47% of attacks, resulting in a loss of $280 million. The diverse challenges included Mixin’s database breach and various Web2 vulnerabilities.
Top 10 Hacks of 2023
The report also delved into the top 10 hacks of 2023, which constituted nearly 70% of the year’s total losses, revealing a common vulnerability – access control issues, particularly private key thefts. Mixin Network experienced a $200 million loss as attackers targeted the cloud service provider’s database. Euler Finance suffered a $197 million loss due to a smart contract vulnerability, emphasizing the need for rigorous auditing in DeFi protocols.
Meanwhile, Multichain faced uncertainty as assets were moved to an unknown address, raising questions about its internal security practices. Poloniex fell victim to the Lazarus Group, losing $126 million through compromised private keys, leading to enhanced security measures. BonqDAO’s $120 million loss highlighted the risks of oracle manipulation in DeFi platforms.
Atomic Wallet, targeted by the Lazarus Group, faced legal consequences after a $100 million loss, stressing the importance of proactive security measures. HECO Bridge and HTX lost $86.6 million and $12.5 million, respectively, exposing the vulnerability of decentralized bridges and prompting security protocol enhancements. On the other hand, Curve suffered a $69.3 million loss due to a language-specific bug, emphasizing the need for comprehensive smart contract audits.
AlphaPo’s $60 million loss resulted from sophisticated phishing techniques, underlining the evolving tactics of hacking groups. Finally, CoinEx lost $54.3 million due to a compromised hot wallet key, reinforcing the importance of securing private keys and transparent communication with users.
Overall, while 2023 saw reduced total losses compared to the previous year, the concentration of losses in the top 10 hacks emphasized the need for improved security measures. Rigorous auditing, heightened awareness, and a multi-faceted approach are deemed essential to safeguard the Web3 ecosystem. Users and stakeholders are strongly urged to prioritize platforms and services that not only fulfill functional needs but also adhere to the highest standards of security, paving the way for a secure Web3 future.