a16z: Top 6 Web3 Attack Types and Lessons Learned

The security of web3 depends heavily on the blockchain’s special ability to make promises and its resilience to human intervention. But the associated finality feature — transactions are often irreversible — make these software-controlled networks an attractive target for attackers. In fact, as blockchains — the distributed computer networks that underlie web3 — and their accompanying technologies and applications continue to accumulate value, they are increasingly coveted targets for attackers.

Although web3 is different from the early Internet, we have observed commonalities with previous software security trends. In many cases, the biggest problem remains the same as before. By researching these areas, defenders — whether builders, security teams, or everyday crypto users — can better protect themselves, projects, and wallets from potential hackers. Below we present some common themes and predictions based on our experience.

chasing money

  • Attackers often aim to maximize return on investment. They can spend more time and effort attacking protocols with more “Total Value Locked” (TVL) because the potential rewards are greater.
  • The most resourceful hacker groups attack high-value systems more often. The most valuable new attacks also target these valuable targets more frequently.
  • Low-cost attacks — like phishing — will never go away, and we expect them to become more common in the foreseeable future.

close the loopholes

  • As developers learn from proven attacks, they may improve the state of Web3 software, making it “secure by default.” Often, this involves tightening application programming interfaces, or APIs , to make it harder for people to introduce vulnerabilities by mistake.
  • While security concerns are always a work in progress — and to be sure, nothing is hack-proof — defenders and developers can increase the cost of attacks by eliminating targets that are easy for attackers to achieve.
  • As security practices improve and tools mature, the success rate of the following attacks may drop significantly: governance attacks, price oracle manipulation, and reentrancy errors. (explained in more detail below).
  • Platforms that cannot ensure “perfect” security will have to use vulnerability mitigations to reduce the likelihood of loss. This can deter attackers by reducing the “benefit” or upside portion of their cost-benefit analysis.

Categorize Attacks

  • Attacks on different systems can be classified according to their common characteristics. Defined characteristics include the sophistication of attacks, how automated they are, and what precautions can be taken to defend against them.

Below is a non-exhaustive list of the types of attacks we’ve seen in the biggest hacks of the past year. Also included are our observations of today’s threat landscape and our expectations for the future of web3 security.

APT: Top Predator

a16z: Top 6 Web3 Attack Types and Lessons Learned

Expert adversaries, often referred to as advanced persistent threats (APTs), are the fiends of the security world. Their motivations and abilities vary widely, but they tend to be wealthy and, as their name suggests, persistent; unfortunately, they’re likely to be around forever. Different APTs run many different types of operations, but these threat actors are often most likely to directly attack a company’s network layer to achieve their goals.

We know that some advanced groups are actively targeting the web3 project, and we suspect there are others that have yet to be discovered. The people behind the most concerning APTs tend to live in places with no extradition treaties with the US and EU, making it harder for them to be prosecuted for their activities. One of the most well-known APTs is Lazarus, a North Korean group that the FBI recently believed to have carried out the largest crypto hack to date.


  • Ronin Validator Hack


  • Who: Nation-states, well-funded criminal organizations, and other advanced organized groups. Examples include the Ronin hacker (Lazarus, with extensive ties to North Korea).
  • Sophistication: High (only for resource-rich groups, usually in countries that won’t prosecute).
  • Automation: Low (mostly manual, with some custom tools).
  • Expectations for the future: As long as APTs can make their activities profitable or serve various political ends, they will remain active.

Phishing targeting users: social engineers

a16z: Top 6 Web3 Attack Types and Lessons Learned

Phishing is a well-known and ubiquitous problem. Phishers try to lure their prey by sending lure messages through a variety of channels, including instant messengers, email, Twitter, Telegram, Discord, and hacked websites. If you browse your spam mailbox, you may see hundreds of emails tempting you to reveal information, such as passwords, or steal your money.

Now that web3 allows people to trade assets such as tokens or NFTs directly, with an almost instant end result, phishing campaigns are targeting web3 users. These attacks are the easiest way for someone with little knowledge or technical expertise to steal cryptocurrency for profit. Even so, they remain an important method for organized groups to pursue high-value targets, or for advanced groups to launch widespread, wallet-draining attacks, such as through website takeovers.


  •  OpenSea phishing campaigns targeting users directly
  • BadgerDAO Phishing Attack


  • Who: Anyone, from scripting newbies to organized groups.
  • Sophistication: Moderate to low (attacks can be low-quality “spray” or hypertargeted, depending on the effort of the attacker).
  • Degree of automation: Moderate to high (most jobs can be automated).
  • Expectations for the future: Phishing is easy, and phishers tend to adapt — and bypass — the latest defenses, so we expect the incidence of these attacks to rise. Users can be better protected against attacks through enhanced education and awareness, better filtering, improved warning banners, and stronger wallet controls.

Supply Chain Fragility: The Weakest Link

a16z: Top 6 Web3 Attack Types and Lessons Learned

When automakers find a defective part in a vehicle, they issue a safety recall; the same is true in the software supply chain.

Third-party software libraries introduce a huge attack surface. This was a system-wide security challenge long before web3, such as the log4j vulnerability last December that affected large-scale web server software. Attackers scan the internet for known vulnerabilities to find unpatched issues they can exploit.

The imported code may not have been written by your own engineering team, but its maintenance is critical. Teams must monitor components of their software for vulnerabilities, ensure updates are deployed, and stay informed about the momentum and health of the projects they rely on. The real and immediate cost of exploiting web3 software vulnerabilities makes responsibly communicating these issues to users a challenge. The jury is still out on how or where teams communicate this information to each other in a way that doesn’t accidentally put user funds at risk.


  • Wormhole Bridge Hack
  • Multichain Vulnerability Disclosure Hacker


  • Who: Organized groups such as APTs, individual actors, and insiders.
  • Complexity: Moderate (requires technical knowledge and some time).
  • Degree of Automation: Moderate (scanning for problematic software components can be automated; however, when new vulnerabilities are discovered, exploits need to be built manually).
  • Expectations for the future: Vulnerabilities in supply chains are likely to increase as software systems become more interdependent and complex. Opportunistic hacking may also increase until a good, standardized approach to vulnerability disclosure is developed for Web3 security.

Governance Attacks: Election Stealers

a16z: Top 6 Web3 Attack Types and Lessons Learned

This is the first encryption specific question up to this form. Many projects in web3 include governance, where token holders can propose and vote on proposals to change the network. While this provides an opportunity for continuous development and improvement, it also opens a backdoor for introducing malicious advice that, if implemented, could potentially disrupt the network.

Attackers have devised new ways to circumvent control, expropriate leadership, and plunder wealth. Governance attacks were once a theoretical concern , but have now been shown to work. Attackers can influence voting through massive “flash loans,” as happened recently with decentralized finance (DeFi) project Beanstalk. Governance votes that result in automatic execution of proposals are more likely to be exploited by attackers; they are less successful if proposals are enacted with time delays or require manual signing by multiple parties (e.g., via a multi-signature wallet).


  • Beanstalk Fund Embezzlement


  • Who: Anyone, from organized groups (APTs) to independent actors.
  • Complexity: Low to High, depending on the protocol. (Many projects have active forums, communities on Twitter and Discord, and empowerment dashboards that can easily expose more amateurish attempts).
  • Degree of automation: from low to high, depending on the protocol.
  • Future expectations: These attacks are highly dependent on governance tools and standards, especially related to the monitoring and proposal enactment process.

Pricing Oracle Attacks: Market Manipulators

a16z: Top 6 Web3 Attack Types and Lessons Learned

Pricing an asset accurately is hard. In the traditional world of trading, it is illegal to manipulate the market to artificially raise or lower the price of an asset, and you could be fined and/or arrested for doing so. In DeFi, it gives random individuals the ability to “flash transactions” of hundreds of millions or billions of dollars, causing sudden price swings, and the problem is obvious.

Many web3 projects rely on “oracles” — systems that provide real-time data and are the source of off-chain information. For example, “oracles” are often used to determine the exchange price between two assets. But attackers have found ways to fool these so-called sources of truth.

As oracle standardization progresses, more secure bridges will be available between the off-chain and on-chain worlds, and we can expect markets to become more resilient to manipulation attempts. With any luck, such attacks may one day disappear entirely.


  • Cream market manipulation


  • Who: Organized groups (APTs), individual actors and insiders.
  • Complexity: Moderate (requires technical knowledge).
  • Degree of Automation: High (most attacks may involve automated detection of exploitable issues).
  • Expectations for the future: As methods for accurate pricing become more standard, these types of attacks are likely to decrease.

Novel Vulnerabilities: Unknown Uncertainties

a16z: Top 6 Web3 Attack Types and Lessons Learned

“Zero-day” vulnerabilities — also known as zero-day attacks, which refer to security vulnerabilities that are maliciously exploited immediately after being discovered — are a hot issue in the field of information security, and Web3 security is no exception. Because they appear suddenly, they are the most difficult attacks to defend against.

If anything, web3 makes these expensive, labor-intensive attacks easier to profit from, because once cryptocurrency funds are stolen, it is very difficult for people to recover them. Attackers can spend a lot of time studying the code of an application running on-chain to find a vulnerability that would justify all their efforts. Meanwhile, some once-novel bugs continue to plague unsuspecting projects; the reentrancy bug that killed the early ethereum venture TheDAO , is re-emerging elsewhere today .

It’s unclear how quickly or easily the industry can adapt to these types of vulnerabilities, but continued investment in security defenses, such as auditing, monitoring and tools, will increase the cost of attackers seeking to exploit these vulnerabilities.


  • Poly cross-chain transaction vulnerability
  • Qubit Unlimited Minting Vulnerability


  • Who: Organized groups (APTs), single actors (unlikely), and insiders.
  • Complexity: Medium to high (requires technical knowledge, but not all vulnerabilities are complex enough for people to understand).
  • Degree of automation: Low (discovering new vulnerabilities takes time and effort and is impossible to automate; once discovered, it is easier to scan other systems for similar problems).
  • Expectations for the future: More attention attracts more white hats, making the “barrier” for discovering new vulnerabilities higher. At the same time, as web3 applications increase, so does the incentive for hackers to find new vulnerabilities. This may still be a cat-and-mouse game, as it is in many other areas of security. ‌

Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/a16z-top-6-web3-attack-types-and-lessons-learned/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2022-04-24 11:25
Next 2022-04-24 11:34

Related articles