Web2 Flaws: Major Reason for Web3 Hacks in 2022


Exploring an Immunefi study stating Web2 flaws as the leading cause of Web3 hacks in 2022

The threat of hacking remains a constant challenge in the cryptocurrency world. November 2023 was alarming for the crypto community, as the losses exceeded $331 million.

Such hacks are a blow to individuals and projects deeply invested in the world of digital assets, and to anyone looking to leap into DeFi. For many, these losses shake confidence in the security mechanisms of blockchain.

A groundbreaking study by Immunefi, a renowned blockchain security platform, offers crucial insights on Web3 hacks. The study revealed that nearly half of the losses incurred from Web3 exploits can be traced back to issues rooted in traditional Web2 security flaws.

This blog aims to delve deep into the Immunefi study, dissecting its findings to better understand how Web2's legacy issues are impacting the security of Web3 ecosystems.

Findings of the Immunefi Report

In the report released on November 15, 2023, Immunefi, a popular blockchain security protocol, presented an in-depth analysis of the hacking incidents throughout 2022. The report's most striking finding is that nearly half of the cryptocurrency lost due to exploits in 2022 can be attributed to security issues inherent in traditional Web2 systems.

It meticulously categorizes the various types of vulnerabilities observed in these incidents, leading to a startling conclusion: 46.48% of the financial losses from these exploits were not due to the intricacies of blockchain technology or smart contract vulnerabilities but were instead rooted in infrastructure weaknesses and Web2 vulnerabilities.

While 46.48% represents the total value lost, a different picture emerges when we consider the number of incidents. Web2 vulnerabilities accounted for 26.56% of the total number of hacking incidents.

It's important to note that the Immunefi report focused solely on security issues, excluding other forms of crypto-related losses such as rug pulls, scams, and market manipulations.

Another critical finding of the report is the identification of cryptographic issues as the second-largest cause of financial losses. These issues, which include complex aspects like signature replayability and predictable random number generation, accounted for 20.58% of the total value lost.

Deeper Look into the Vulnerabilities

The Immunefi report provides a more detailed analysis of the vulnerabilities, classifying them into three broad categories.

The first category involves flaws inherent in the design of smart contracts. These are fundamental issues in how a smart contract is conceptualized and structured. For instance, the infamous DAO hack in 2016, where 3.64 million Ether, worth approximately $70 million at the time of the incident, was drained due to a reentrancy attack, is a classic example of a smart contract design flaw.

The second category is related to vulnerabilities arising from flawed code implementation. Here, the design of the smart contract might be sound, but the way it is coded introduces security gaps. A notable example is the Parity wallet hack in 2017, where a coding mistake led to the accidental destruction of over 513,000 Ether, worth $280 million.

The third category, and perhaps the most significant in terms of financial impact, is infrastructure weaknesses. This category extends beyond the blockchain and smart contracts to the broader IT infrastructure on which these systems operate. Leaked private keys, weak passphrases, weak authentication, DNS hijacking, wallet compromises, etc. fall under this category.

Web2 Vulnerabilities in the Web3 Context

As the digital world transitions from Web2 to Web3, you might need to understand how traditional Web2 vulnerabilities manifest in the Web3 landscape.

Immunefi published an article sharing some Web2 vulnerabilities that are prevalent in Web3. Let’s discuss them in brief.

Cross-Site Request Forgery (CSRF)

In the Web2 domain, CSRF attacks occur when a web application fails to include a unique token, such as a nonce or CSRF token, in an HTTP request. This oversight allows attackers to make unauthorized requests on behalf of a logged-in user, potentially leading to actions like changing the user's email address or password.

The impact of CSRF on dApps is considerably reduced. This is because dApps typically rely on client-side crypto wallets for authentication, which inherently requires user interaction for each transaction or significant action, thereby mitigating the risk of CSRF attacks.

Insecure Direct Object References (IDOR)

IDOR vulnerabilities arise when an application exposes sensitive objects, such as user accounts or data, based on user input without adequate access control. It can enable attackers to access or modify information they should not have access to. IDOR attacks can be horizontal, affecting multiple users, or vertical, impacting a single user's account.

In the context of Web3, exploiting IDOR can be particularly challenging due to the use of non-sequential or random identifiers, which are common in blockchain applications. However, the risk remains, especially in interfaces that interact with the blockchain but may not fully adhere to its security protocols.
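The point that random identifiers reduce but do not remove IDOR risk can be shown in code. The following is an added example, not taken from Immunefi or any project's code base: it contrasts a lookup that trusts the identifier with one that checks ownership. The records, ids, wallet addresses, and the assumption that `session.address` is set server-side after a wallet signature has been verified are all constructed for illustration.

```javascript
// Constructed sample data: off-chain profile records kept by a dApp backend.
const ALICE = "0x" + "a1".repeat(20); // constructed addresses, not real wallets
const BOB = "0x" + "b2".repeat(20);
const ADMIN = "0x" + "c3".repeat(20);

const RECORDS = new Map([
  ["7d3f9a10c2", { owner: ALICE, email: "alice@example.org" }],
  ["e41b07ff85", { owner: BOB, email: "bob@example.org" }],
]);

// Before: the identifier is the only gate. A random id is hard to guess,
// but once it leaks (logs, referrers, shared links) any caller can read it.
function getRecordInsecure(session, id) {
  return RECORDS.get(id) ?? null;
}

// After: the server decides access from the authenticated session,
// never from the identifier the client supplied.
function getRecord(session, id) {
  const rec = RECORDS.get(id);
  // Assumption: session.address and session.role are set server-side.
  const caller = session?.address?.toLowerCase();
  // Same answer for "missing" and "not yours", so ids cannot be probed.
  if (!rec || !caller) return { status: 404 };
  // Ethereum addresses are case-insensitive; compare normalized forms.
  const isOwner = rec.owner.toLowerCase() === caller;
  const isAdmin = session.role === "admin";
  if (!isOwner && !isAdmin) return { status: 404 };
  return { status: 200, body: rec };
}
```
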

Open Redirect

Open-redirect vulnerabilities occur when an application redirects users to a URL provided by the user without proper validation. Attackers may use this to divert users to phishing websites or other malicious web pages. In some cases, open redirects can escalate to more severe attacks, like cross-site scripting (XSS).

While blockchain technology itself is not susceptible to such redirection attacks, the associated websites and applications that interface with blockchain networks can be vulnerable.
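As an added example (not code from the Immunefi article), this is one way a dApp's website could validate a user-supplied redirect target before using it. `APP_ORIGIN`, `ALLOWED_HOSTS`, and the sample hosts are hypothetical values chosen for illustration.

```javascript
// Hypothetical configuration for illustration.
const APP_ORIGIN = "https://app.example.org";
const ALLOWED_HOSTS = new Set(["app.example.org", "docs.example.org"]);
const FALLBACK = "/";

// Returns a redirect target that is safe to use, or FALLBACK.
function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0) return FALLBACK;
  // Browsers treat "\" like "/" and drop control characters while parsing,
  // so reject both instead of guessing how a given client will read them.
  if (/[\\\u0000-\u001f\u007f]/.test(raw)) return FALLBACK;

  let url;
  try {
    // Relative paths resolve against our own origin; "//host" does not.
    url = new URL(raw, APP_ORIGIN);
  } catch {
    return FALLBACK;
  }

  // Scheme check blocks javascript:, data: and plain http: targets.
  if (url.protocol !== "https:") return FALLBACK;
  // Userinfo makes "https://trusted-name@other-host/" look trustworthy.
  if (url.username || url.password) return FALLBACK;
  // Exact host match: suffix or substring matching is not enough.
  if (!ALLOWED_HOSTS.has(url.hostname)) return FALLBACK;
  if (url.port !== "") return FALLBACK;

  // Same-origin targets are returned as a path so the host cannot change.
  return url.origin === APP_ORIGIN
    ? url.pathname + url.search + url.hash
    : url.href;
}
```
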

Adopt the Best Security Measures

The Immunefi report serves as a resource for understanding the security challenges facing the crypto world. By highlighting the Web2 vulnerabilities affecting the Web3 landscape, the report provides valuable insights into the nature of these security breaches.

On the other hand, it highlights the need for a more robust approach to securing digital assets. Security in the Web3 world requires a concerted effort from a diverse group of stakeholders. Developers must prioritize security at every stage of development, learning from their oversights and previous mistakes. Investors and project owners need to foster a culture that values security as much as innovation. As the beneficiaries of these technologies, end users must be educated and vigilant, understanding the importance of following best practices for security.

Among other security measures, such as using reputable platforms, protecting private keys, password management, and so on, covering your funds with DeFi insurance is something you should consider.

At Neptune Mutual, we offer cover policies designed to protect funds against the threats of the DeFi sector. We operate on a parametric coverage model, meaning the insurance payouts are based on parameters or predefined events rather than individual loss assessment. If any hack or incident occurs, activating the parameters, the policyholders will be eligible for payouts without showing any proof of loss.

We offer a marketplace where projects can create cover pools in the Ethereum, Arbitrum, and BNB Smart Chain networks. Project owners looking to protect their communities can create cover pools, while community users can protect their funds by purchasing covers from the cover pools.

To stay updated with Neptune Mutual, follow us on X (Twitter) and chat with us on Discord.
