In the second quarter of 2022, the Chengdu LianAn Chain Bing Blockchain Security Situational Awareness Platform detected over 48 major attacks in the Web 3 field, with a total loss of approximately US$718.34 million. That is a drop of about 40% from the US$1.2 billion lost in the first quarter, but about 2.42 times the loss in the second quarter of 2021 ($296.56 million).
From January to June 2022, total losses from attacks in the Web 3 field reached approximately $1.91287 billion.
In terms of timing, April was the most active month for hacking attacks. In May, both the number of attacks and the amount lost dropped sharply. In June, hacker activity showed signs of recovering.
By type of attacked project, DeFi remains the most attacked category: about 79.2% of the attacks occurred in the DeFi field.
In terms of TVL (Total Value Locked), the TVL of every chain and project under attack dropped significantly in May. Most projects experienced a dip in TVL after the point of attack.
By chain platform, Ethereum lost the most this quarter, at $381.35 million. The chain attacked most frequently was the BNB Chain, with 26 attacks.
By attack method, the most common methods are still contract exploits and flash loans. About 45.8% of the attacks were contract exploits. Losses caused by flash loans amounted to US$233 million, the largest amount lost to any single attack method.
Looking at the flow of funds, about $418.89 million of stolen funds was transferred to Tornado.cash by hackers, accounting for 58.3% of the total amount stolen during the quarter.
Judging from the audit situation, only 52% of the attacked projects had been audited.
In other respects, over 43 major on-chain Rug pull events were monitored this quarter, in which project teams took away a total of about $34,266,402. According to incomplete statistics, there were over 151 cases of Discord servers being hacked. Rug pull and phishing incidents occurred frequently in May and June.
In the second quarter of 2022, over 48 major attacks in the Web 3 domain were detected, with a total loss of approximately US$718.34 million. Among them, 3 attacks caused losses of US$100 million or more, 12 caused losses of US$10 million or more, and 28 caused losses of US$1 million or more. The three largest losses were suffered by Beanstalk Farms, Elrond and Harmony, at $182 million, $113 million and $100 million respectively.
In terms of timing, April 2022 was the most active month for hacking this quarter, with 19 major security incidents and losses of approximately $37489. Both the number of attacks and the amount lost fell significantly in May, which may be related to the sharp decline in the market value of the whole cryptocurrency market that month. Although the market did not recover in June, the frequency of hacking attacks and the amount lost by projects increased significantly compared with May.
As in the first quarter, DeFi remained the most attacked project type, with about 79.2% of attacks occurring in the DeFi field. The total loss was about US$454.74 million, 63.3% of the total loss in Q2.
There were again two cross-chain bridge attacks this quarter, with a cumulative loss of approximately $100 million. In the first quarter of 2022, four cross-chain bridge attacks caused a total loss of $950 million. Losses from cross-chain bridge attacks in the first half of 2022 have therefore reached $1.05 billion.
Judging from the TVL of some of the attacked projects, the TVL of almost all projects shrank in May. Most projects experienced a dip in TVL after the point of attack, and some, such as Beanstalk and Blizz Finance, lost their entire TVL immediately after being attacked.
Comparing the loss with the project's TVL at the time of the attack, in most cases the amount lost was less than 30% of the project's TVL. For individual projects such as Blizz Finance and Beanstalk, however, losses reached 100% or even 500% of TVL.
Ethereum lost the most money during the quarter, at $381.35 million. The chain attacked most frequently was the BNB Chain, with 26 attacks.
Compared with the previous quarter, the chains attacked in two consecutive quarters are Ethereum, BNB, Fantom and Cronos. The Solana chain, which lost $374 million in 2 attacks in the first quarter, saw no major security incident this quarter.
In Q2, the TVL of every chain dropped significantly in May. Ethereum and BNB Chain, the top two chains by TVL, remain the main targets of hackers. Attacks this quarter cost a total of $718.34 million, more than the combined June TVL of Osmosis, Elrond and Metis.
Among DeFi projects, those on Ethereum lost the largest amount, but that amount is not a high proportion of Ethereum's average TVL in the second quarter. The amount lost on the Metis chain accounts for the highest proportion of TVL, and Avalanche for the smallest.
By number of attacks on DeFi protocols, the DeFi protocols attacked on BNB Chain in the second quarter made up the highest proportion of that chain's protocols, at 7%. The DeFi ecosystem on Metis is not yet mature: although it suffered only one attack, that attack accounts for a high proportion in terms of both number and amount.
Contract exploits were the most common attack method this quarter: 22 attacks, or 45.8% of the total, were contract exploits, causing a total loss of approximately US$138 million. The second most common method was the flash loan. A total of 9 flash loan attacks occurred this quarter, causing losses of US$233 million, the largest amount lost to any attack method.
As in the first quarter, the most common attack methods in the Web3 field are still contract exploits and flash loans (50% and 24%, respectively, in the first quarter). In addition, losses caused by leaked private keys still reached US$103.15 million, so private key security still deserves attention.
The vulnerabilities exploited this quarter mainly include improper business logic/function design, validation issues, permission issues, k-value verification issues, reentrancy vulnerabilities and call injection vulnerabilities. Improper business logic/function design was exploited far more often than any other class. A reentrancy vulnerability was exploited once this quarter, causing a loss of $80.34 million.
On April 2, 2022, the Inverse Finance project suffered a price manipulation attack with an estimated cumulative loss of approximately $15 million. The root cause was that the time window used by the TWAP oracle was too short. The price of the xINV token was calculated from the WETH/INV pair; because that pool could be manipulated and the timeElapsed interval was short, an attacker could manipulate the value of xINV as long as the oracle had not already been updated in the current block.
On June 16, 2022, Inverse Finance was hacked again, and the hacker profited by $1.2 million. The main reason is that the project contract uses the balanceOf function when calculating the price of the collateral, so the attacker could push up the price of the collateral anYvCrv3Crypto by making a large swap.
Security advice: avoid relying on the real-time token balance when obtaining a token price. Use a TWAP-type price oracle instead, and set a sufficiently long time window.
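The two failure modes above (a price derived from the pair's current balances, and a TWAP whose window is so short that an update made inside the manipulating transaction is accepted) can be set side by side. The following Solidity is an added example written for this summary, not Inverse Finance's code: the pair interface mirrors the Uniswap V2 functions such an oracle reads, while the contract names, the 30-minute `MIN_WINDOW` and the 1e18 scaling are assumptions of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Inverse Finance's code. The interface mirrors the
// Uniswap V2 pair functions this pattern relies on; the contract names,
// MIN_WINDOW and the scaling are assumptions of this example.
interface IUniswapV2PairLike {
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
    function price0CumulativeLast() external view returns (uint256);
}

// Weak pattern: price derived from the pair's current balances (the same
// thing as reading balanceOf). One large swap in the same transaction moves
// this value by an arbitrary amount.
contract SpotPriceOracle {
    IUniswapV2PairLike public immutable pair;
    constructor(IUniswapV2PairLike _pair) { pair = _pair; }

    // token0 priced in token1, scaled by 1e18
    function consult() external view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return (uint256(r1) * 1e18) / uint256(r0);
    }
}

// Hardened pattern: time-weighted average over a window long enough that
// holding the pool at a distorted price for the whole window is uneconomic.
contract TwapOracle {
    IUniswapV2PairLike public immutable pair;
    uint32 public constant MIN_WINDOW = 30 minutes;   // assumed window length

    uint256 public priceCumulativeLast; // UQ112x112 price * seconds at the last accepted update
    uint32 public blockTimestampLast;   // timestamp of the last accepted update
    uint256 public priceAverage;        // UQ112x112 average over the last window

    constructor(IUniswapV2PairLike _pair) {
        pair = _pair;
        (priceCumulativeLast, blockTimestampLast) = _currentCumulative();
    }

    // Cumulative price as of now. If the pair has not been touched in this
    // block, extend its last cumulative by reserves * elapsed, exactly as the
    // pair itself would do on its next update. A swap in the current block
    // cannot rewrite the cumulative that earlier blocks already recorded.
    function _currentCumulative() internal view returns (uint256 cumulative, uint32 ts) {
        ts = uint32(block.timestamp);
        cumulative = pair.price0CumulativeLast();
        (uint112 r0, uint112 r1, uint32 pairTs) = pair.getReserves();
        require(r0 > 0, "TWAP: empty pool");
        if (pairTs != ts) {
            // Uniswap V2 relies on modular arithmetic for these counters
            unchecked {
                uint32 elapsed = ts - pairTs;
                cumulative += ((uint256(r1) << 112) / uint256(r0)) * elapsed;
            }
        }
    }

    // Anyone may call update(); the average only moves once a full window
    // has elapsed, so a flash loan inside one block cannot refresh it.
    function update() external {
        (uint256 cumulative, uint32 ts) = _currentCumulative();
        uint32 elapsed;
        unchecked { elapsed = ts - blockTimestampLast; }
        require(elapsed >= MIN_WINDOW, "TWAP: window too short");
        unchecked { priceAverage = (cumulative - priceCumulativeLast) / elapsed; }
        priceCumulativeLast = cumulative;
        blockTimestampLast = ts;
    }

    // token0 priced in token1, scaled by 1e18
    function consult() external view returns (uint256) {
        require(priceAverage != 0, "TWAP: not initialised");
        return (priceAverage * 1e18) >> 112;
    }
}
```

The important line is the `require(elapsed >= MIN_WINDOW)` check: with it, the price a lending contract reads is an average over at least the whole window, and an attacker would have to keep the pool distorted for that long (paying arbitrage losses throughout) rather than for one transaction. The window must be chosen per asset; a TWAP with a window of a few seconds is only a spot price with extra steps.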
On April 24, 2022, the NFT project Akutars had $34 million locked in its contract, unable to be withdrawn, because of a smart contract vulnerability. Notably, the project's contracts had not been audited by any security firm. Analysis found that Akutars' contract contains two loopholes.
The first loophole is in processRefunds, where the designer processes refunds in a loop driven by the refundProgress counter. The call function is used to perform each refund, and the result of the call is used as the condition of a require. Therefore, if an attacker has a refund waiting in the queue, then when call is used to refund the attacker, the attacker can deliberately revert in its fallback, which leaves everyone behind it in the queue unable to be refunded. Fortunately, this vulnerability was not actually exploited by attackers.
The second vulnerability was the direct cause of approximately $34 million worth of assets being locked in the contract.
It lies in the claimProjectFunds function, which the project team uses to withdraw funds. The function contains require(refundProgress >= totalBids), where refundProgress indicates how many users' refunds have been processed and totalBids indicates how many NFTs all users bid for in total. Since one user can bid for multiple NFTs, refundProgress may be numerically smaller than totalBids.
The refund function processRefunds contains require(_refundProgress < _bidIndex); bidIndex represents all users participating in the bidding, and refundProgress can never exceed bidIndex. The value of bidIndex was 3669 and the value of totalBids was 5495.
Therefore, the conditions refundProgress >= 5495 and refundProgress < 3669 can never both hold, and the project team can never perform the subsequent withdrawal. refundProgress should have been compared with bidIndex here; the developer made a very low-level mistake. This eventually resulted in $34 million of the project's assets being locked and unable to be withdrawn.
Security advice: a professional security audit is necessary before a project goes live.
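To make both loopholes concrete, here is an added reconstruction in Solidity of a vulnerable auction beside a fixed one. It is not Akutars' code: only the counters named above (bidIndex, totalBids, refundProgress) and the 3669/5495 figures come from the report; the `Bid` struct, the settlement-price logic, the function bodies and the contract names are assumptions of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added reconstruction of the two flaws described above; not Akutars' code.
// Bookkeeping is reduced to the counters the report names (bidIndex,
// totalBids, refundProgress); everything else is an assumption.
abstract contract AuctionBase {
    struct Bid { address bidder; uint256 paid; uint256 quantity; }

    address public immutable owner;
    uint256 public finalPrice;        // settlement price per NFT, fixed when bidding closes
    Bid[] public bids;                // one entry per bidder: bids.length is the report's bidIndex
    uint256 public totalBids;         // NFTs bid for in total; one bidder may want several
    uint256 public refundProgress;    // number of Bid entries already refunded

    constructor() { owner = msg.sender; }

    function bid(uint256 quantity) external payable {
        bids.push(Bid(msg.sender, msg.value, quantity));
        totalBids += quantity;
    }

    function closeBidding(uint256 price) external {
        require(msg.sender == owner, "not owner");
        finalPrice = price;
    }

    // Amount owed back to a bidder: what they paid above the settlement price
    // (reverts if a bid was below the settlement price, which should not occur).
    function _refundDue(Bid storage b) internal view returns (uint256) {
        return b.paid - finalPrice * b.quantity;
    }
}

contract VulnerableAuction is AuctionBase {
    // Flaw 1: refunds are pushed in queue order and the loop reverts on the
    // first failed transfer, so one hostile recipient blocks everyone after it.
    function processRefunds(uint256 count) external {
        uint256 i = refundProgress;
        uint256 end = i + count;
        require(end <= bids.length, "past end of queue");
        for (; i < end; i++) {
            Bid storage b = bids[i];
            (bool ok, ) = b.bidder.call{value: _refundDue(b)}("");
            require(ok, "refund failed");
        }
        refundProgress = i;
    }

    // Flaw 2: refundProgress counts bidders but totalBids counts NFTs, so the
    // condition is unsatisfiable once anyone bids for more than one NFT
    // (3669 bidders vs 5495 NFTs in the incident). The funds are stuck.
    function claimProjectFunds() external {
        require(msg.sender == owner, "not owner");
        require(refundProgress >= totalBids, "refunds not finished");
        payable(owner).transfer(address(this).balance);
    }
}

contract FixedAuction is AuctionBase {
    mapping(address => uint256) public pendingRefund;

    // Fix 1: credit each refund and let bidders pull it themselves, so a
    // reverting fallback only affects that bidder's own withdrawal.
    function processRefunds(uint256 count) external {
        uint256 i = refundProgress;
        uint256 end = i + count;
        require(end <= bids.length, "past end of queue");
        for (; i < end; i++) {
            Bid storage b = bids[i];
            pendingRefund[b.bidder] += _refundDue(b);
        }
        refundProgress = i;
    }

    function withdrawRefund() external {
        uint256 amount = pendingRefund[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefund[msg.sender] = 0;                  // state change before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }

    // Fix 2: compare like with like (bidders refunded vs bidders total) and
    // withdraw only the settlement revenue, never the refunds still pending.
    function claimProjectFunds() external {
        require(msg.sender == owner, "not owner");
        require(refundProgress >= bids.length, "refunds not finished");
        payable(owner).transfer(finalPrice * totalBids);
    }
}
```

The pull-payment change in `FixedAuction` is what removes the first loophole: a bidder whose fallback reverts can only fail its own `withdrawRefund`, and the queue keeps moving. The second fix is the one-token change the report calls for, comparing `refundProgress` with the bidder count rather than the NFT count, together with withdrawing a computed revenue figure instead of the whole balance so that unclaimed refunds stay in the contract. Both are the kind of defect an audit exercising the refund and claim paths with a multi-NFT bidder would surface.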
On April 17, 2022, the algorithmic stablecoin project Beanstalk Farms suffered a flash loan attack. The hacker made nearly $80 million in profit and the protocol lost $182 million, the largest loss of the quarter.
Looking back at this attack, the attacker submitted a proposal to the Beanstalk protocol to withdraw its funds the day before, and then called emergencyCommit to execute the proposal by emergency submission. The one-day wait was required because the project rules state that voting can only start one day after a proposal is made.
During the attack, the attacker took advantage of the loophole that the number of votes in the voting contract is calculated from the account's current holdings of the governance (proposal) token. It borrowed funds worth US$1 billion through a flash loan, exchanged them for tokens and deposited them into the pool, temporarily obtaining a huge number of governance tokens, which guaranteed that the proposal would pass without anyone else voting. The proposal was passed and executed, the attacker withdrew the project's funds, swapped them and repaid the flash loan, and left with the profit.
Security advice:
1. Funds used for voting should be locked in the contract for a period of time, rather than counting votes from the account's current balance;
2. The project team and the community should watch all proposals. If a proposal is malicious, measures should be taken during the voting period: the proposal should be discarded and no further votes or execution accepted;
3. Consider prohibiting contract addresses from voting.
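The following Solidity, added here and not taken from Beanstalk, contrasts a governor that counts votes from the caller's current balance with one that implements the three recommendations above: votes come from tokens locked in the contract until voting ends, a guardian can cancel a proposal during the review window and execution waits out a timelock, and contract addresses cannot vote. The token interface is a minimal ERC-20 subset; the contract names, the periods, the quorum handling and the guardian role are assumptions of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration of the three recommendations above; not Beanstalk's code.
// The token interface is the minimal ERC-20 subset needed; contract names,
// periods, quorum and the guardian role are assumptions of this example.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Weak pattern: voting power is whatever the caller holds at the moment of
// the call, and nothing stops the same tokens from leaving in the same
// transaction. A balance that exists only for one transaction is enough.
contract SpotBalanceGovernor {
    IERC20Minimal public immutable token;
    mapping(uint256 => uint256) public votesFor;
    mapping(uint256 => mapping(address => bool)) public voted;

    constructor(IERC20Minimal _token) { token = _token; }

    function vote(uint256 proposalId) external {
        require(!voted[proposalId][msg.sender], "already voted");
        voted[proposalId][msg.sender] = true;
        votesFor[proposalId] += token.balanceOf(msg.sender);   // flash-loanable
    }
}

// Hardened pattern: (1) votes are tokens deposited into the governor and
// locked until the proposal's voting period ends; (2) a guardian may cancel
// during voting and execution waits for a timelock, so the community has
// time to react; (3) only externally owned accounts may vote.
contract LockedVoteGovernor {
    IERC20Minimal public immutable token;
    address public immutable guardian;
    uint256 public immutable quorum;            // minimum locked tokens for a proposal to pass
    uint256 public constant VOTING_DELAY = 1 days;
    uint256 public constant VOTING_PERIOD = 3 days;
    uint256 public constant TIMELOCK = 2 days;

    struct Proposal { uint256 created; uint256 votesFor; bool cancelled; bool executed; }
    Proposal[] public proposals;

    // locked[voter][proposalId]: tokens held here until that proposal's voting ends
    mapping(address => mapping(uint256 => uint256)) public locked;

    constructor(IERC20Minimal _token, address _guardian, uint256 _quorum) {
        token = _token;
        guardian = _guardian;
        quorum = _quorum;
    }

    function propose() external returns (uint256 id) {
        proposals.push(Proposal(block.timestamp, 0, false, false));
        return proposals.length - 1;
    }

    function votingEnd(uint256 id) public view returns (uint256) {
        return proposals[id].created + VOTING_DELAY + VOTING_PERIOD;
    }

    // (1) + (3): tokens must actually be moved into this contract, and the
    // caller must be an EOA. msg.sender == tx.origin is the simple form of
    // that check; it also excludes multisig wallets, which may be unwanted.
    function vote(uint256 id, uint256 amount) external {
        require(msg.sender == tx.origin, "contracts may not vote");
        Proposal storage p = proposals[id];
        require(block.timestamp >= p.created + VOTING_DELAY, "voting not open");
        require(block.timestamp < votingEnd(id), "voting closed");
        require(!p.cancelled, "cancelled");
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        locked[msg.sender][id] += amount;
        p.votesFor += amount;
    }

    // Locked tokens are only returned after voting has ended, so the same
    // tokens cannot be borrowed, voted with and repaid inside one transaction.
    function unlock(uint256 id) external {
        require(block.timestamp >= votingEnd(id), "still locked");
        uint256 amount = locked[msg.sender][id];
        locked[msg.sender][id] = 0;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // (2): the project team can discard a malicious proposal while it is open.
    function cancel(uint256 id) external {
        require(msg.sender == guardian, "not guardian");
        proposals[id].cancelled = true;
    }

    // (2): no emergency path; execution needs the vote to have closed and the
    // timelock to have passed.
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.cancelled && !p.executed, "not executable");
        require(block.timestamp >= votingEnd(id) + TIMELOCK, "timelock not elapsed");
        require(p.votesFor >= quorum, "quorum not reached");
        p.executed = true;
        // the proposal's actions would be carried out here
    }
}
```

The locking in `vote` and `unlock` is what defeats the flash loan specifically: a loan must be repaid in the same transaction, but the tokens that were counted cannot leave the governor until days later. The timelock on `execute` is what gives recommendation 2 teeth, since an `emergencyCommit`-style shortcut that executes as soon as a majority exists removes the window in which a guardian or the community could act. The `tx.origin` check is a blunt instrument: it follows recommendation 3 literally but also locks out multisig treasuries, so many projects prefer snapshot-based voting power (balances checkpointed at proposal creation) over an EOA-only rule.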
Looking at the flow of funds, in the second quarter of 2022 about $418.89 million of stolen funds was transferred to Tornado.cash by hackers, 58.3% of the total stolen in the quarter. Another $131 million in assets was recovered, and $168.45 million remained in the hackers' addresses, neither mixed nor moved to exchanges.
The data show that Tornado.cash is still the usual way for hackers to launder money. Fund recovery this quarter was better than in the previous quarter: in some cases the project team negotiated with the hackers through on-chain messages, and some hackers chose to return part of the stolen money to “avoid legal sanctions”.
Only 52% of the attacked projects had been audited, compared with 70% last quarter. Audited projects lost $547.63 million in attacks this quarter, 76.2% of all losses, much higher than in the previous quarter.
Although audited projects still lost $547.63 million, that does not mean audits are no longer relevant.
As more and more security companies enter the audit business, the quality of the audit market has become uneven. Because of some unprofessional firms, vulnerabilities that an audit should have caught were missed, so some project teams and investors have begun to question the necessity and professionalism of auditing, believing that “an audit is a waste of effort”. Yet the most common class of contract vulnerability this quarter, improper business logic/function design, can be found at the audit stage. It is therefore recommended that project teams engage a professional security company for an audit before launch.
Rug pull usually refers to developers withdrawing liquidity from a DEX pool or suddenly abandoning a project, sweeping away investors' funds without warning, commonly known as “running away”. In the second quarter of 2022, 43 major on-chain Rug pull events were monitored, in which project teams took a total of about $34.266402 million.
The attack data show that hacker activity dropped significantly in May, yet May was the month with the most Rug pulls. When the TVL of public chains and projects shrank sharply in May, some project teams chose to Rug pull, causing large losses to investors. The reason may be that the project could not keep operating, a belief that “it is better to run away than to wait for TVL to fall to zero”, or a planned exit that the sharp decline in TVL merely accelerated.
According to incomplete statistics, in the second quarter of 2022 over 151 Discord servers in the Web3 field, including those of Opensea, BAYC, Moonbirds, RTFKT, Akutars, Doodles and Otherside, were hacked, especially in May and June. Individual servers were attacked two or even three times during the quarter.
As with the Rug pull data, phishing incidents may actually increase in a market downturn. Discord phishing took many forms this quarter, such as hijacked bot accounts, phishing links sent by impersonated administrators or by bot private messages, and fake Discord invitation links spread through social media. The more bearish the market, the more users and project teams should raise their anti-fraud awareness and protect their assets.
In the second quarter of 2022, DeFi security remained the focus of attention, with about 79.2% of attacks occurring in the DeFi space; DeFi has been the main target of hackers for two consecutive quarters. Although NFT, cross-chain bridge and exchange security incidents are less frequent than DeFi incidents, the amounts involved in individual incidents are also huge. All types of Web 3 project teams should therefore strengthen their security awareness and protections.
About 45.8% of attacks this quarter were contract exploits, the vast majority of which could have been discovered and fixed during the audit phase, yet only 52% of the attacked projects had been audited. Projects are advised to engage a professional auditing company before going live.
During the quarter, approximately $418.89 million of stolen funds was transferred to Tornado.cash by hackers for laundering. Another approximately $131 million in assets was recovered, but in most cases the recovery came from negotiating with the hackers on-chain so that they returned part of the stolen funds. In fact, funds that enter Tornado are not beyond reach: Chengdu LianAn has accumulated a number of successful cases of assisting in tracking stolen funds, including some where the funds had entered Tornado. When a project is unfortunately hacked, besides negotiating with the hacker for a return, it can also engage a professional security company to track the funds.
This quarter, the TVL of public chains and projects fluctuated greatly, and there were also cases where project funds became abnormal or risky transactions occurred because of security incidents. Project teams and investors should monitor the operation of their projects in a timely manner. Chengdu LianAn's Chain Bing Blockchain Security Situational Awareness Platform lets project teams and users discover risky transactions in time so that measures can be taken quickly.
In this quarter's sluggish market, security incidents such as Rug pulls and phishing occurred more frequently, and some Web 2 attack methods remained active in the Web 3 field. All project teams and users should raise their security awareness, safeguard their private keys, avoid clicking on unidentified links, and verify information of all kinds through multiple channels.
Web anti-phishing tool:
*Special thanks to Footprint Analytics for supporting the graphs and data in this report. All charts in this report can be viewed online at: https://www.footprint.network/@Beosin/Footprint-Beosin-Q2-Report
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/the-total-loss-of-global-web3-attacks-in-q2-2022-is-about-718-34-million-us-dollars/