Fairyproof’s Opinions on the New Trend on Web3 Applications
BadgerDAO, a DeFi application that brings Bitcoin into DeFi, was exploited on 2 December 2021.
The most affected victim in this exploit was reported to be Celsius, a CeFi crypto lending company, which admitted losing crypto assets valued at 120 million USD in the incident.
The root cause was a malicious script that someone had inserted into the UI of BadgerDAO's website. When a user interacted with the site to make a Web3 transaction, the script intercepted the transaction before the wallet presented it for signing and redirected the user's crypto assets to an address the attacker controlled.
Many details of this incident have already been discussed. One thing that caught our attention is that Nexus, a DeFi insurance provider that compensates users for losses on DeFi applications, refused to pay out to people who had bought coverage for BadgerDAO.
The reason Nexus gave was that this was a front-end vulnerability, not a smart contract vulnerability, and Nexus only covers smart contract vulnerabilities.
Technically speaking, this is indeed not a smart contract vulnerability but a typical web application vulnerability, of the kind conventional security companies deal with far more often than blockchain security companies do.
However, front-end compromises of this kind are not rare: this year alone at least two have been reported.
One case, in September of this year, involved Sushi's Miso application. It was exploited because an anonymous front-end developer working with the Miso team inserted a malicious code section, including a wallet address under the developer's control, into the project's codebase. The change went undetected, the code was deployed, and users' crypto assets were transferred to the developer's address.
In general, when blockchain security companies talk about security issues, they most often mean issues with smart contracts, blockchain client software, etc. These issues are specific to blockchain applications, had never been dealt with before the advent of blockchain applications, and have caused great losses in the past to both project teams and users in the blockchain space.
Therefore, blockchain security companies have focused mainly on these issues, and the most important way to tackle them is a project audit.
Today, when web3 application teams and blockchain security companies talk about a project audit, they mean by default a smart contract audit or a blockchain client software audit. Auditing a project's front-end has rarely been talked about, let alone carried out, and many teams are not even aware that a front-end audit is necessary.
But as more cases of this kind happen and front-end vulnerabilities cause greater losses, the whole industry is becoming increasingly aware of this overlooked area.
From Fairyproof's point of view, the "DeFi summer" opened the door of blockchain applications to the mass population, the NFT boom accelerated the adoption of blockchain technology in wider areas, and GameFi is bringing a huge influx of crypto novices. User experience will therefore play an increasingly important role in web3 applications, the front-end will take a larger share of a web3 application's development, and front-end security will draw more attention and awareness from both development teams and users.
Eventually, a front-end audit will be a must-have step in a web3 project's audit, at least as important as the audit of its smart contracts, blockchain client software, etc.
This new trend is approaching. And we are fully equipped and ready for its arrival.
About the author:
Yuefei TAN, CEO of Fairyproof
About Fairyproof:
Fairyproof Tech is a blockchain security company, established in Jan 2021.
It was founded by a team with rich experience in smart contract programming and network security. The team members participated in initiating a number of draft standards in the Ethereum field, including ERC-1646, ERC-2569, ERC-2794, and EIP-3712, of which ERC-2569 was officially accepted by the Ethereum team.
The team participated in the launch and development of various Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage, decentralized exchanges, and conducted security audits of multiple projects which have been deployed on Ethereum. Based on its strong R&D capability and deep understanding of smart contract security, Fairyproof has developed comprehensive vulnerability tracking and security systems and tools.
Fairyproof Tech serves and works closely with customers by providing systematic solutions covering both “code vulnerabilities” and “logic vulnerabilities” and aims to provide customers with the best and most professional services.