46% of crypto lost from exploits is due to traditional Web2 flaws – Immunefi

A new report from blockchain security platform Immunefi suggests that nearly half of all cryptocurrency lost to Web3 exploits is due to Web2 security issues, such as private key leaks. The report, published on November 15, analyzed the history of crypto exploits in 2022, classifying them into different types of vulnerabilities. It concluded that 46.48% of the cryptocurrency lost to exploits in 2022 was not due to failures in smart contracts, but rather to "infrastructure weaknesses," or problems with the developing company's computer systems.

Categories of Web3 vulnerabilities. Source: Immunefi.

When considering the number of incidents rather than the value of cryptocurrency lost, Web2 vulnerabilities represented a smaller portion of the total at 26.56%, although they were still the second largest category.

Immunefi's report excluded exit scams and other frauds, as well as exploits that occurred solely due to market manipulation. It only considered attacks that occurred because of a security vulnerability. Of these, it found that the attacks fall into three broad categories. First, some attacks occur because the smart contract contains a design flaw. Immunefi cited the BNB Chain bridge hack as an example of this type of vulnerability. Second, some attacks occur because, although the smart contract is well designed, the code that implements the design is flawed. Immunefi cited the Qubit hack as an example of this category.

Finally, the third category of vulnerability is "infrastructure weaknesses," which Immunefi defined as "the IT infrastructure on which a smart contract operates, e.g. virtual machines, private keys, etc." As an example of this type of vulnerability, Immunefi listed the Ronin bridge hack, which was caused by an attacker gaining control of 5 of the 9 Ronin validator node signatures.


Immunefi divided these categories into subcategories. Infrastructure weaknesses can be due to an employee leaking a private key (for example, by transmitting it over an insecure channel), using a weak passphrase for a key vault, issues with two-factor authentication, DNS hijacking, BGP hijacking, compromise of a hot wallet, or the use of weak encryption methods and plaintext storage.

While these infrastructure vulnerabilities caused the most losses compared to other categories, the second largest cause of losses was "cryptographic issues," such as Merkle tree errors, signature replayability, and predictable random number generation. Cryptographic issues accounted for 20.58% of the total value of losses in 2022.

Another common vulnerability was "weak or missing access control and/or input validation," according to the report. This type of failure accounted for only 4.62% of losses by value, but it contributed the most in terms of number of incidents, since 30.47% of all incidents were caused by it.