OpenZeppelin, a cryptocurrency cybersecurity firm offering an open-source framework for secure smart contract development, released a report of the top 10 blockchain hacking techniques in 2022.
According to the report, the year 2022 witnessed significant growth in blockchain development and the introduction of novel technologies. However, it also resulted in a rise in new hacking methods and exploits, which caused losses exceeding $3.7 billion.
Here is the list of Top 10 blockchain hacking techniques 2022:
10 - Compound-TUSD Integration Issue Retrospective
The double-entry point issue described in Compound-TUSD Integration Issue Retrospective is a perfect example of a bug that subtly breaks one thing and can lead to significant consequences.
9 - The “6.2 L2 DAI Allows Stealing” issue from the StarkNet-DAI-Bridge Smart Contracts Code Assessment
During the code assessment of the StarkNet-DAI-Bridge Smart Contracts audit, a security issue was discovered in a Cairo smart contract. As a relatively low-level language, Cairo has several potential pitfalls, and this issue is a prime example of one such problem.
8 - Avalanche’s $350M Risk Report
The Statemind team’s Avalanche Vulnerability Report: How We Discovered A $350M Risk and Avalanche Vulnerability Report: Technical overview revealed a clever exploit of seemingly innocuous behavior in the precompile which allowed for the sending of native assets and an optional call to the receiver.
7 - Read-only Reentrancy – a Novel Vulnerability class responsible for 100m+ funds at risk
In a recent talk, blog post, and post-mortem, ChainSecurity demonstrated that reentrancy to view functions can result in devastating consequences. This work uncovered a new vulnerability type; unfortunately, it is not the last time we will see it.
6 - How to Steal $100M from Flawless Smart Contracts
One of the three research pieces by PwningEth in this year’s top ten highlights the difficulty of introducing a precompile that doesn’t break the security assumptions of applications.
5 - Phantom Functions and the Billion-Dollar No-op
This bug is deceptively simple and could have resulted in a loss of billions if not identified.
It serves as a reminder to exercise caution when calling functions that don’t return a value - especially the permit function - as they may not revert when expected.
4 - How did I Save 70000 ETH and Win 6 Million Bug Bounty
This entry in the Top 10 Hacking Techniques of 2022 underscores the importance of considering delegatecalls in smart contract development.
3 - Could Wrapped Tokens Like WETH Be (forced) Insolvent?
This vulnerability allowed an attacker to empty all wrapped token contracts, and not only take over the balance of the wrapped token, but also buy other tokens from the DEX by using the wrapped token as a rubber check.
2 - A vulnerability disclosed in Profanity, an Ethereum vanity address tool
Despite being publicly disclosed, this bug remained relatively unnoticed until it was exploited approximately six months later.
1 - Attacking an Ethereum L2 with Unbridled Optimism
Saurik found a peculiar bug even deeper than precompiles. Discovering an exploit at the node level earns top place for this finding.
All Comments