Quarterly Blockchain Security 2022
Q2 2022, Presented by Fairyproof on July 2022
Q2 2022, July, Presented by Fairyproof
OVERVIEW
A bear market persisted through the overall crypto space in Q2 2022. Consequentially, some big institutional investors filed bankruptcy. Despite the situation, many builders continued to work hard in the crypto space to contribute to the ecosystem.
Meanwhile, attacks by hackers against the crypto ecosystem persisted.
Fairyproof studied 95 publicly reported security incidents that occurred in Q2 2022. This report is composed of findings, analysis and best practices.
BACKGROUND
Before proceeding, the following terms and technologies are introduced in this report:
CCBS
CCBS stands for “centralized crypto or blockchain service”. A CCBS refers to a platform or a service that provides crypto or blockchain related products or services and is run by a conventional/centralized organization, entity or company such as conventional crypto exchanges e.g. Coinbase [1] and blockchain service companies e.g Cloudflare [2].
Flashloan
Flash loans are a popular feature that hackers utilize when attacking EVM-Compatible smart contracts. Flash loans were developed by the team behind the famous DeFi application AAVE [3]. This feature “allows users to borrow any available amount of assets without putting up any collateral, as long as the liquidity is returned to the protocol within one block transaction” [4]. Flash loans are quite often used to borrow ERC-20 tokens [5] and attack DeFi applications. To initiate a flash loan, users will need to write a contract that borrows an available amount of assets and pay back the loan + interest + necessary fees all within the same transaction.
Cross-Chain Bridge
A cross-chain bridge is an infrastructure that connects multiple independent blockchains and enables an exchange of cryptos, data or information from one blockchain to another.
As more blockchains have their own ecosystems, cryptos and dApps, the need for exchanging cryptos or data across different blockchains becomes increasingly high while the volume of cross-chain transactions dramatically increase. This causes cross-chain bridges to suffer more attacks.
FOCUS OF THIS REPORT
In this report we list our statistics collected from typical security incidents that happened in the blockchain industry in Q2 2022, give an in-depth analysis of their root causes and present our recommended best practices.
STATISTICS AND ANALYSIS OF SECURITY INCIDENTS OF Q2 2022
We studied 95 publicly reported security incidents that occurred in Q2 2022 and present our statistics and analysis based on the targets and root causes.
INCIDENTS CATEGORIZED BY TARGETS
Our researched incidents can be categorized into four types of targets
CCBS
Blockchains
DApps
Cross-chain Bridges
A CCBS related incident is one in which a centralized crypto or blockchain service platform is attacked by hackers resulting in a loss of crypto assets under its custody or that its services would fail.
A blockchain-related incident is one where a blockchain mainnet, side chain or layer 2 is attacked by malicious actors from inside, outside, or both, resulting in its operation going out of order, or that a blockchain fails to work properly due to issues related to software, hardware, or both. Attackers will then be able to exploit the consensus for profits.
A dApp-related incident is one where a dApp is attacked or that its daily operation goes out-of-order, leaving it open for attackers to exploit users and crypto assets under the custody of the dApp.
A cross-chain bridge-related incident occurs when a cross-chain bridge is attacked resulting in a failure of the exchange function between multiple blockchains or that the crypto assets under its custody would suffer a loss.
There were 95 incidents in total. Here is a figure that shows the percentage for each of these targets respectively.
The number of dApp-related incidents account for more than 88% of the total incidents. Out of 95 incidents, 1 was CCBS-related, 8 were blockchain-related, 2 were cross-chain bridge-related, and 84 were dApp-related.
BLOCKCHAIN RELATED INCIDENTS
Incidents that had occurred to blockchains can be further categorized into three sub-categories:
i. Blockchain mainnets
ii. Side chains
iii. Layer 2 solutions
A blockchain mainnet, also known as layer 1, is an independent blockchain that has its own network with its own protocol, consensus, and validators. A blockchain mainnet can validate transactions, data, and blocks generated in its network by its own validators and reach a finality. Bitccoin and Ethereum are typical blockchain mainnets.
A side chain is a separate blockchain which runs in parallel and independently to a blockchain mainnet. It has its own network, consensus and validators. It is connected to a blockchain mainnet e.g. by a two-way peg[9].
A layer 2 solution refers to a protocol or network that relies on a blockchain as its base layer (layer 1) for security and finality [10]. Its main purpose is to solve the base layer’s scalability issues. It processes transactions faster and costs less compared to its base layer. For instance, the Ethereum blockchain saw a huge surge in the growth and development of layer 2 solutions since 2021.
Both side chains and layer 2 solutions are present to solve a blockchain mainnet’s scalability issues. The significant difference between a side chain and a layer 2 solution is that a side chain does not necessarily rely on its blockchain mainnet for security or finality but a layer 2 solution does.
There were 8 blockchain-related incidents in Q2 2022. The figure below shows the percentages of blockchain mainnet-related incidents, side-chain-related incidents, and layer 2-related incidents respectively.
The number of blockchain mainnet-related incidents and layer 2-related incidents account for 75% (6) and 25% (2) of the total incidents respectively. No side-chain related incidents were covered in our statistics. The layer 2 solutions that were attacked were Metis [11] and Optimism [12], while the attacked blockchain mainnets were COSMOS [13], Terra [14], Solana [15] and Elrond [16]. None of these mainnets were EVM-compatible blockchains.
DAPP RELATED INCIDENTS
Among the 84 incidents that occurred toward dApps, 6 were rug-pulls, 32 were involved in exploitation, and 46 were attacked. An attack against a dApp can specifically target its front-end, server side, or smart contract(s). We can therefore further classify these 46 incidents into three sub-categories:
i. dApp’s front-end
ii. dApp’s server side
iii. dApp’s smart contract(s)
dApp’s front-end related incidents refers to events where vulnerabilities from the conventional client side are exploited, compromising on the account information and personal details of users which can be used to steal their crypto assets.
dApp’s server side related incidents are those where vulnerabilities present in the conventional server side are exploited, leaving on-chain and off-chain communication open for hijacking and crypto assets of users open for exploitation.
Smart contract related incidents refer to vulnerabilities in a smart contract’s design or implementation, which are leveraged to exploit crypto assets from users.
Here is a figure that shows the percentages of front-end related incidents, server side related incidents and smart contract related incidents respectively.
The above figure shows that the number of smart contract related incidents, server side related incidents and front-end related incidents respectively accounted for 73.91%, 6.52% and 19.57% of the total incidents. Among 46 incidents, 9 were front-end related, 3 were server side related and 34 were smart contract related.
We further studied the amount of loss incurred from these sub-categories and derived the following:
Our study showed that $2.578 million were lost in front-end related incidents; the amount of loss in server-side related incidents was $0.06 million, and the amount of loss in smart contract related incidents was $409.805 million.
It’s clear that smart contract related incidents were the biggest issue. Typical vulnerabilities we found pertaining to smart contracts in Q2 2022 include flash loans, re-entracy attacks [17], attacks on oracle [18] and logic vulnerabilities, and more.
We studied the 36 incidents in which smart contracts were attacked and got the following figure based on vulnerability types:
The figure shows that the number of incidents with the highest rank are logical vulnerabilities followed by those that suffered oracle attacks. Missing validations for parameters follow third place. 13 projects suffered logical vulnerabilities, 5 from oracle attacks and 4 suffered missing validations for parameters.
The following figure illustrates the amount of loss for each vulnerability type:
It is interesting to note that although the number of incidents that suffered flash loans were miniscule, the amount of loss it caused was more than any single vulnerability type. Three incidents were caused by flash loans, totaling a loss of $203 million.
INCIDENTS CATEGORIZED BY ROOT CAUSES
The root cause of these incidents can be categorized into the following:
i. Attacks from hackers
ii. Rug-pulls
iii. Misc.
We studied these incidents and got the following figure:
The above figure shows that the number of attacks from hackers, rug-pulls and of misc incidents accounted for 89.47% (85), 6.32% (6) and 4.21% (4) of the total incidents respectively.
We studied the amount of loss of each category of incidents based on the root cause and got the following figure:
The above figure shows that the amount of loss in the incidents that suffered attacks and the amount of loss in rug-pulls each accounted for 97.53% and 1.91% of the total loss respectively. That amount of loss in the incidents that suffered attacks was $547.25 million and the amount of loss in rug-pulls was $10.69 million. This reveals that attacks from hackers pose the largest threat to the whole crypto ecosystem.
ATTACKS FROM HACKERS
We studied the targets the hackers attacked and got the following figure:
The figure above shows that the number of attacks on dApps, blockchains, cross-chain bridges and CCBS accounted for 89.66% (78), 6.9% (6), 2.3% (2) and 1.15% (1) respectively.
After we studied the amount of loss in each of them we got the following figure:
The amount of loss in incidents involving attacks on dApps, cross-chain bridges, and blockchains were 79.5%, 19.15% and 1.27%, resulting in a loss of $417.97 million, $100.6 million and $6.65 million respectively. The sole CCBS attack was prevented by the project team, incurring no loss.
RUG-PULLS
The rug-pulls that happened in Q2 2022 were all dApps. There were 6 incidents and the total amount of loss was $10.69 million.
RESEARCH FINDINGS
Cross-chain bridges were prominent targets for attacks in Q2 2022. Although the number of cross-chain bridge incidents only accounted for 2.23% of the total, the amount of loss in the cross-chain bridge incidents accounted for nearly 20% of the total amount of loss. Its security situation needs increasing awareness in the crypto space.
Although the number of attacks on mainnets still accounted for more than half of the attacks, the increase in number of attacks against layer 2 solutions was exponential compared to the research conducted for Q1 2022 (Only 1 incident was reported then.). Additionally, the total loss incurred for attacks on mainnets was lesser than attacks on layer 2 solutions despite the number of attacks on the former were more than those of the latter. The amount of loss related to layer 2 attacks reached $25.2 million while the amount of loss in blockchain main net related attacks was just $6.65 million.
Hackers proved to remain as the main threat to the crypto industry, accounting for 89.47% among all incidents.
A dApp consists of three parts: a front-end, a server-side and smart contracts(s). Either one or multiple parts are targeted during dApp attacks. According to our statistics, smart contract(s) accounted for a higher percentage of attacks compared to the front-ends or server sides with regard to both attack frequencies and amount loss in Q2 2022. This shows that attacks on smart contracts still posed as the biggest threat to dApps. However, it is worth noting that the number of attack against front-ends have increased rapidly and accounted for nearly 20% of the total attacks in Q2 2022.
All rug-pulls in Q2 2022 also involved dApps.
Finally, for smart contract related incidents, we found the attack sub-categories to be ranked as the following:
Rank 1: Logical vulnerabilities
Rank 2: Oracle attacks
Rank 3: Missing validations for parameters.
In contrast, the amount of loss in the incidents that suffered flash loans far surpassed any one of these ranks.
BEST PRACTICES TO PREVENT SECURITY ISSUES
In this section we present some best practices to help both blockchain developers and users manage the risks posed by the incidents that happened in Q2 2022 and support coordinated and efficient response to crypto security incidents. Both blockchain developers and users are recommended to apply these practices to the greatest extent possible based on availability of their resources.
Note: the blockchain developer here refers to not only developers of blockchains but also every developer that participates in development of dApps, blockchains or systems pertaining to crypto currencies. The blockchain user here refers to everyone that participates in activities pertaining to crypto system’s management, operation, trading etc.
FOR BLOCKCHAIN DEVELOPERS
Developers of cross-chain bridges need to pay closer attention to the bridges’ security as cross-chain transactions become increasingly popular. Cross-chain bridge solutions include handling of operations — not only on-chain but also off-chain. Naturally, the off-chain part would be more vulnerable to attacks. Hence, security solutions for cross-chain bridges should be particularly capable of handling off-chain activities safely and securely.
Awareness of security for layer 2 solutions in particular should increase as more layer 2 solutions have and will emerge in the coming years. Research and development for solutions to tackle security challenges in this area must be prompt.
The security for the front-end and server-side for dApps requires more awareness, even though the security for smart contracts remains as a priority. An audit of a dApp’s front-end should not be ignored.
A step to transfer an admin’s access control to a multi-sig wallet or a DAO to manage access control to crypto assets or critical operations is a must-have.
Attackers would employ flash loans to maximize their exploits when they detect vulnerabilities in smart contracts, including issues of re-entrancy, missing validations for access control, oracle security, incorrect token price algorithm, and more. Proper handling of these issues should have the highest priority for a smart contract developer when designing and coding a smart contract.
Our statistics show that an increasing number of hackers have been using social media tools — especially Discord — to launch phishing attacks. Many users have suffered huge losses. Project developers and managers are advised to prioritize safely and securely managing social media accounts and finding security solutions for them on top of project implementation.
FOR BLOCKCHAIN USERS
More users are varying their crypto portfolio across different blockchains. The demand for cross-chain transactions is rapidly increasing. Whenever a user participates in a cross-chain transaction, the user will have to interact with a cross-chain bridge — a popular target among hackers. Hence, before starting a cross-chain transaction, users are advised to investigate the bridge’s security condition and ensure they use a reliable, safe and secure bridge.
Q2 2022 witnessed a boom in Ethereum’s layer 2 solutions. However, their security situations were not optimistic. Users must comprehensively investigate a layer 2 solution’s security status before participating in activities on top of it.
While it is necessary to pay great attention to the security for smart contracts when interacting with a dApp, the importance to also pay attention to the security of the user interface while exercising caution to detect suspicious messages, prompts, and behavior presented by the UI is increasing.
We strongly urge users to check whether a project has audit reports and read these reports before proceeding with further actions.
Use a cold wallet to manage crypto assets that are not for frequent trading. Be careful about using a hot wallet and make sure the hardware in which a hot wallet is installed is safe and secure.
Be cautious of a dApp where its team members are unknown or lack reputation. Such dApps may eventually be rug-pull projects. Be cautious of a centralized exchange which has not established a reputation or does not have tracked transaction data on third party media as it may also eventually prove to be rug-pull projects.
REFERENCES
[1] Coinbase. https://www.coinbase.com/
[2] Cloudflare. https://www.cloudflare.com/
[3] Aave. https://aave.com/
[4] Flash-loans.. https://aave.com/flash-loans/
[5] ERC-20 TOKEN STANDARD. https://ethereum.org/en/developers/docs/standards/tokens/erc-20/
[9] Sidechains. https://ethereum.org/en/developers/docs/scaling/sidechains/
[10] Layer-2. https://academy.binance.com/en/glossary/layer-2
[11] Metis. https://www.metis.io/
[12] Optimism. https://www.optimism.io/
[13] COSMOS. https://cosmos.network/
[14] Terra. https://www.terra.money/
[15] Solana. https://solana.com/
[16] Elrond. https://elrond.com/
[17] DeFi Protocols Agave, Hundred Finance Hacked: Attacker Steals $11M Worth of Crypto. https://cryptopotato.com/defi-protocols-agave-hundred-finance-hacked-attacker-steals-11m-worth-of-crypto/ March 16, 2022
[18] $3 Million in DAI and ETH Stolen From Deus Finance in the Latest DeFi Hack. https://cryptopotato.com/3-million-in-dai-and-eth-stolen-from-deus-finance-in-the-latest-defi-hack/ March 15, 2022