In the Web3 ecosystem, blockchain, smart contracts, application platforms, and users are all targets of hackers. Due to the decentralized, immutable, and anonymous nature of blockchain technology, recovering stolen assets poses significant challenges.
Moreover, the anonymity of virtual currencies and the difficulty in tracking transactions have led to a rise in illegal activities such as money laundering, fraud, and dark web transactions. Regulatory authorities are facing new challenges in combating these criminal activities.
In the recently published review of the Web3 blockchain security and anti-money laundering for the first half of 2023, we analyzed the security trends during that period. In the second half of 2023, hackers continue to target the Web3 ecosystem, and we still need to pay attention to the following security risks:
1. Security Challenges for Smart Contracts
According to the half-year report published by Beosin recently, the most frequent and damaging attack method in the first half of 2023 was exploiting contract vulnerabilities. 60 contract vulnerability incidents resulted in losses of $264 million, accounting for 56% of all losses.
Among the different types of vulnerabilities, the top three were business logic defects, permission issues, and reentrancy. 36 instances of business logic vulnerabilities led to approximately $239 million in losses, representing 90% of all losses from contract vulnerability attacks. These types of vulnerabilities are often overlooked by developers and can result in substantial losses, with 9 incidents leading to losses exceeding $1 million each.
It is evident that smart contracts still face significant security challenges in the second half of 2023.
2. Security Challenges for Cross-Chain Bridges
In recent years, with the continuous development of blockchain technology and the expansion of application scenarios, cross-chain bridges have become increasingly widespread. The primary function of cross-chain bridges is to connect different blockchains and enable cross-chain transactions. However, cross-chain bridges still pose some risks, including the following:
(1) Incomplete cross-chain message verification.
When checking cross-chain data, cross-chain protocols should include contract addresses, user addresses, quantities, chain IDs, and other essential elements. For instance, the pNetwork security incident occurred because the event record's contract address was not verified, allowing attackers to forge Redeem events to withdraw funds, resulting in cumulative losses of approximately $13 million.
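The check described above, sketched as a relayer-side validator (an added example, not code from pNetwork or Beosin). The log layout, addresses, chain IDs and the `REGISTRY` structure are constructed for illustration, and SHA-256 stands in for the keccak256 event-signature hash.

```python
import hashlib

# sha256 stands in for the keccak256 event-signature hash used on EVM chains.
REDEEM_TOPIC = hashlib.sha256(b"Redeem(address,address,uint256)").hexdigest()

# Per-chain registry (constructed): the only contract whose events are trusted,
# plus the tokens that contract may release.
REGISTRY = {
    1:  {"bridge": "0x" + "aa" * 20, "tokens": {"0x" + "11" * 20}},
    56: {"bridge": "0x" + "bb" * 20, "tokens": {"0x" + "22" * 20}},
}

def is_address(value):
    return (isinstance(value, str) and len(value) == 42 and value.startswith("0x")
            and all(c in "0123456789abcdefABCDEF" for c in value[2:]))

def validate_redeem(log):
    """Return the reasons a log must be rejected (empty list means accept)."""
    chain = REGISTRY.get(log.get("chain_id"))
    if chain is None:
        return ["unknown source chain"]
    errors = []
    # The emitter check: an event with the right shape proves nothing unless
    # it was emitted by the registered bridge contract.
    if str(log.get("emitter", "")).lower() != chain["bridge"]:
        errors.append("emitter is not the registered bridge contract")
    if log.get("topic0") != REDEEM_TOPIC:
        errors.append("unexpected event signature")
    if str(log.get("token", "")).lower() not in chain["tokens"]:
        errors.append("token not allowlisted for this chain")
    if not is_address(log.get("recipient")):
        errors.append("malformed recipient address")
    amount = log.get("amount")
    if not isinstance(amount, int) or isinstance(amount, bool) or amount <= 0:
        errors.append("amount must be a positive integer")
    return errors

# Constructed sample logs.
GENUINE = {"chain_id": 1, "emitter": "0x" + "AA" * 20, "topic0": REDEEM_TOPIC,
           "token": "0x" + "11" * 20, "recipient": "0x" + "cc" * 20, "amount": 500}
# Same event shape, but emitted by some other contract on the same chain.
FORGED = dict(GENUINE, emitter="0x" + "dd" * 20)

if __name__ == "__main__":
    print(validate_redeem(GENUINE), validate_redeem(FORGED))
```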
(2) Validator private key leakage.
Currently, most cross-chain transactions rely on validators to execute cross-chain operations. If the private key is lost, it can threaten the entire protocol's assets. For example, the Ronin side chain suffered an attack where four of its validators and a third-party validator were controlled by attackers through social engineering, leading to unauthorized withdrawal of protocol assets and a loss of $600 million.
(3) Signature data reuse.
This mainly refers to the reuse of withdrawal certificates, enabling multiple fund withdrawals. The Gnosis Omni Bridge security incident resulted in a loss of approximately $66 million because it hard-coded the Chain ID, allowing hackers to use the same withdrawal certificate to withdraw corresponding locked funds on the ETH and ETHW chains.
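A model of the certificate-reuse problem described above, with the hard-coded and the runtime chain ID side by side (an added example, not the Omni Bridge code). The key, addresses and amounts are constructed, and HMAC stands in for the validators' signature scheme.

```python
import hashlib
import hmac

VALIDATOR_KEY = b"constructed-demo-key"  # stand-in for the validators' signing key
ETH, ETHW = 1, 10001                     # chain IDs of the two forks (sample values)
BRIDGE = "0x" + "ab" * 20                # same contract address on both forks (constructed)

def digest(chain_id, bridge, recipient, amount, nonce):
    # Everything the certificate authorises goes into the signed digest.
    msg = f"{chain_id}|{bridge}|{recipient}|{amount}|{nonce}".encode()
    return hashlib.sha256(msg).digest()

def sign(d):
    # HMAC stands in for the validator signature (ECDSA on real bridges).
    return hmac.new(VALIDATOR_KEY, d, hashlib.sha256).digest()

class Bridge:
    def __init__(self, chain_id, bind_runtime_chain_id):
        self.chain_id = chain_id
        self.bind = bind_runtime_chain_id
        self.used = set()                # per-chain state: consumed certificates

    def domain_chain_id(self):
        # Weak: a constant baked in at deployment and copied unchanged by a fork.
        # Hardened: the ID of the chain that is actually executing the call.
        return self.chain_id if self.bind else ETH

    def withdraw(self, recipient, amount, nonce, sig):
        d = digest(self.domain_chain_id(), BRIDGE, recipient, amount, nonce)
        if not hmac.compare_digest(sign(d), sig) or d in self.used:
            return False
        self.used.add(d)
        return True

def replay_outcomes(bind_runtime_chain_id):
    """Issue one certificate for ETH; present it on ETH, on ETHW, then on ETH again."""
    eth = Bridge(ETH, bind_runtime_chain_id)
    ethw = Bridge(ETHW, bind_runtime_chain_id)
    args = ("0x" + "cd" * 20, 100, 7)
    sig = sign(digest(ETH, BRIDGE, *args))
    return eth.withdraw(*args, sig), ethw.withdraw(*args, sig), eth.withdraw(*args, sig)

if __name__ == "__main__":
    print("hard-coded chain ID:", replay_outcomes(False))
    print("runtime chain ID:   ", replay_outcomes(True))
```

The per-chain `used` set stops a second withdrawal on the same chain in both variants; only binding the digest to the executing chain's ID stops the certificate from being accepted on the fork.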
Therefore, cross-chain bridge security still requires attention in the second half of 2023.
3. Security Challenges for Blockchain Platforms
(1) Language encoding security
Common blockchain platforms are developed using languages such as C++, Go, Rust, and Java. The executable files of these blockchain platforms (i.e., node programs) run directly on servers such as Linux and Windows. Consequently, node programs may also have language encoding issues.
For example, there was a lurking stack overflow vulnerability in Ethereum (CVE-2021-39137) for almost two years:
Cause:
The GETH node program of Ethereum failed to consider the stack overflow problem when copying data, allowing the memory location storing the return value of an internal function to be overwritten during data copying.
Impact:
Hackers exploited this vulnerability to perform attacks on the Ethereum network, leading to a fork on ETH main chain. Since BSC, HECO, Polygon, and other public chains are secondary developments based on ETH, they may also be susceptible to this vulnerability.
(2) Security issues at the platform level
Security issues at the consensus level include double-spending attacks and 51% attacks.
At the permission management level, security issues involve private key leaks, DNS attacks, and CA attacks.
4. Security Challenges for zk Platforms
In the past two years, Zero-Knowledge Proof (zk) technology has rapidly developed, increasingly gaining attention as the importance of blockchain technology and data privacy protection grows. However, this technology still has some security risks, including the following:
(1) Under-constrained circuits
Under-constrained circuits lack the necessary constraints to force the proof provider to follow the expected rules of the circuit, leading to ineffective verifications.
(2) Non-deterministic circuits
Non-deterministic circuits are a subset of under-constrained circuits, usually resulting from a lack of constraints that introduces uncertainty into the circuit. In such cases, non-deterministic means that there are multiple ways to create valid proofs for specific results.
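To make items (1) and (2) concrete, the following added example (not from the original article) brute-forces a toy "is zero" circuit over a tiny prime field and reports the inputs for which more than one output satisfies the constraints. The field size, signal names and constraint functions are assumptions chosen for illustration.

```python
from itertools import product

P = 13  # tiny prime field so every witness can be enumerated (constructed)

# Circuit signals: (x, inv, out). Intended meaning: out = 1 if x == 0 else 0.
def c_out_def(x, inv, out):
    # out === 1 - x*inv
    return (out - (1 - x * inv)) % P == 0

def c_zero_product(x, inv, out):
    # x*out === 0 (the constraint that is easy to forget)
    return (x * out) % P == 0

UNDER_CONSTRAINED = [c_out_def]
FULLY_CONSTRAINED = [c_out_def, c_zero_product]

def possible_outputs(x, constraints):
    """All values of `out` for which some witness satisfies every constraint."""
    return {out for inv, out in product(range(P), repeat=2)
            if all(c(x, inv, out) for c in constraints)}

def nondeterministic_inputs(constraints):
    """Inputs for which the constraints admit more than one output."""
    return [x for x in range(P) if len(possible_outputs(x, constraints)) > 1]

if __name__ == "__main__":
    print("under-constrained:", nondeterministic_inputs(UNDER_CONSTRAINED))
    print("fully constrained:", nondeterministic_inputs(FULLY_CONSTRAINED))
```

With only the first constraint, the prover chooses `inv` freely, so every non-zero input can be "proved" to have any output; adding the second constraint leaves exactly one output per input.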
(3) Frozen Heart
This refers to algorithmic vulnerabilities in the Fiat-Shamir protocol, which is used by many zk protocols. Improper implementation of the Fiat-Shamir transformation can allow attackers to forge proofs successfully.
(4) Trusted setup leakage
For Zero-Knowledge Protocols such as Pinocchio and Groth16, a trusted setup is required to generate prover and verifier keys. The trusted setup process typically involves parameters referred to as "toxic waste," which, if maliciously utilized by a proof provider, can be used to forge proofs.
(5) Double-spending attacks
Incorrect design and implementation may lead to double-spending attacks, such as CVE-2023-33252, where lack of complete legitimacy checks for parameters allowed attackers to forge multiple proofs, enabling double-spending attacks.
To ensure the security and reliability of zk platforms, multiple security measures, such as technical audits, risk management, and privacy protection, need to be implemented. Additionally, developers of zk platforms should continuously update and improve the protocols and technologies to adapt to evolving security threats.
Additional readings on zk security:
1. Beosin has discovered a vulnerability in the Circom verification library, identified as CVE-2023–332
2. An In-depth Analysis of zk-SNARK Input Aliasing Vulnerability
5. Security Challenges for Users
In February 2023, there were multiple NFT phishing and fraud incidents, resulting in more than $20 million in total losses for various NFT assets such as BAYC, Otherdeed, Doodles, and Meebits.
Shortly after, the Algorand wallet project MyAlgo suffered an attack, resulting in the theft of more than $9.2 million from 25 users. Trust Wallet also discovered vulnerabilities in its wallet, indicating security risks for addresses created using browser plugins from November 14 to 23, 2022.
Hence, user security remains a critical concern in the second half of 2023. Beosin has compiled reviewed articles on user security to help users stay protected.
6. Regulatory Security
In Beosin's half-year report, we conducted a comprehensive review of global Web3 virtual asset industry regulations and events during the first half of 2023. The increasing integration between the virtual asset market and the traditional financial market highlights the risks it brings. This emphasizes the importance and necessity of implementing effective regulation in the virtual asset industry.
Beosin has already launched a "one-stop" Web3 security and compliance solution in Hong Kong, including KYT/AML, smart contract security audits, virtual asset compliance technology due diligence, virtual asset security monitoring and early warning, and exchange security solutions. These products and services allow Virtual Asset Service Providers (VASPs) to meet Hong Kong’s new licensing system and requirements for security and regulatory technology.
It is foreseeable that in the second half of 2023, major jurisdictions worldwide will transition their regulatory policies from lenient approaches (targeting anti-money laundering and payment issues) to comprehensive supervision (focusing on investor protection). Therefore, regulatory security will also be a point worth paying attention to in the second half of 2023.