Source: Shenzhen Lingshi Technology
Abstract
2023 was a year of diversified innovation in the crypto world, but behind the innovation many shocking security incidents also occurred. The Zero Hour Technology security team released the "2023 Global Web3 Industry Security Research Report", which reviews the global policies of the Web3 industry in 2023 and the basic concepts, security incidents, loss amounts and attack types of its main tracks, analyzes typical security incidents in detail, and proposes security prevention plans and measures. We hope to help practitioners and users understand the current status of Web3 security, improve network security awareness, protect digital assets, and take security precautions.
1. In 2023, the total market value of cryptocurrency in the global Web3 industry reached a maximum of 1.3 trillion US dollars. Affected by industry blow-ups, this is a decline from last year's highest total market value of 2.4 trillion US dollars, but the overall number of assets is constantly expanding.
2. According to statistics from Zero Hour Technology, a total of 506 security incidents occurred in 2023, with cumulative losses reaching US$11 billion. Compared with 2022, there were 110 new Web3 security incidents this year, a year-on-year increase of 65.3%.
3. A total of 435 security incidents occurred in the six main tracks of Web3: public chain, cross-chain bridge, wallet, exchange, NFT, and DeFi, causing losses of over US$7.983 billion. In addition, emerging fields such as GameFi and DAO have become targets of hackers, with constant fraud and scammers causing serious losses.
4. Typical security incidents with losses exceeding US$100 million in 2023 resulted in a total loss of US$3.2 billion, accounting for 29% of the total loss in 2023. Typical representatives include: a co-founder of crypto exchange Bitzlato admitted to US$700 million in money laundering; Venus Protocol exploited the Binance Bridge vulnerability to steal BNB worth nearly US$600 million; cross-chain bridge Wormhole was attacked and approximately US$323 million worth of ETH was stolen; a vulnerability in the multi-chain decentralized exchange (DEX) Dfyn was exploited, causing a loss of US$300 million.
5. In 2023, global Web3 security incidents involved various attack types. Judging from the number of security incidents, the top 5 typical attack types are: hacker attacks, security vulnerabilities, asset theft, phishing, and incorrect permissions. In terms of the amount of losses, the top five typical attack types are: hacker attacks, security vulnerabilities, asset theft, flash loan attacks, and fraud.
6. The most representative regulatory case this year is: the North Korean hacker organization Lazarus has become the most serious APT organization affecting the Web3 community. In 2023, the Lazarus group caused at least $750 million in losses, accounting for 20% of the total amount stolen in the cryptocurrency field in 2023. CertiK analyzed five major cryptocurrency attacks in 2023, including Atomic Wallet, Alphapo, CoinsPaid, Stake.com and CoinEx, resulting in losses of $290 million.
1. Global Web3 industry review and security situation overview
Web3 refers to a new generation of network based on encryption technology, integrating various technologies and ideas such as blockchain technology, token economics, decentralized organizations and game theory. It was proposed by Ethereum co-founder Gavin Wood in 2014. Web3 is built on blockchain. From 2008 to now, blockchain technology has been developed for more than 15 years. The outbreak of the Web3 industry in 2023 is inseparable from the accumulation of many years of development of the blockchain industry.
From a user perspective, the Web3 ecosystem can be divided into the basic layer, the application layer and third-party services. The basic layer is mainly based on public chains, cross-chain bridges and alliance chains and provides network infrastructure for Web3. The application layer is mainly based on APP (centralized applications) and DAPP (decentralized applications), the applications users commonly interact with, including trading platforms, wallets, DeFi, NFT, GameFi, DAO, storage and social software. The basic layer and application layer promote the prosperity of the Web3 ecosystem, but they also bring huge security risks to Web3. The service ecosystem is the third party in the Web3 industry: media, education, incubation and investment institutions provide assistance to the industry, and security service institutions such as Zero Hour Technology are an indispensable part of protecting Web3 security.
As of December 2023, according to CoinMarketCap statistics, the total market value of cryptocurrencies in the global Web3 industry reached a peak of US$2.4 trillion. Affected by industry blow-ups, this is a decline from last year's highest total market value of US$2.97 trillion. Although the total market value fluctuates, the overall asset volume is constantly expanding. Due to the fast pace of industry innovation, weak user security awareness, lack of supervision, and prominent security issues, Web3 is becoming a "cash machine" for hackers.
According to statistics from Zero Hour Technology, a total of 506 security incidents occurred in 2023, with cumulative losses reaching US$11 billion. Compared with 2022, there were 116 new Web3 security incidents this year, a year-on-year increase of 38%. Among them, 152 security incidents occurred in the six major tracks of public chain, cross-chain bridge, wallet, exchange, NFT, and DeFi, causing losses of more than 4.08 billion US dollars.
In addition to the above six major tracks, there were a total of 354 other security incidents, with losses amounting to US$6.92 billion. Emerging fields such as GameFi and DAO have become targets of hackers, and fraud and scammers have emerged one after another. As multiple giants enter the Metaverse and NFT, the scale of assets on the chain will continue to grow in the future, and the number of Web3 network security violations may continue to soar.
According to statistics from Zero Hour Technology, among the six major tracks of the global Web3 ecosystem in 2023: 13 security incidents occurred in public chains, with a total loss of approximately US$280 million; 18 security incidents occurred in cross-chain bridges, with a total loss of US$1.21 billion; 19 security incidents occurred in exchanges, with a total loss of US$1.208 billion; 35 security incidents occurred in wallets, with a total loss of US$600 million; 21 security incidents occurred in DeFi, with a total loss of US$720 million; 43 security incidents occurred in NFT, with losses exceeding US$62 million.
Judging from the number of security incidents in the major tracks, NFT had the most security incidents, which is inseparable from the fact that it became a popular track sought after by the industry in 2023. On the other hand, as more people entered the Web3 industry, wallets and DeFi became the areas hardest hit by security incidents. In terms of the amount of losses, cross-chain bridges ranked first and suffered the largest losses.
In 2023, judging from the number of global Web3 security incidents, the Top 5 typical attack types are: hacker attacks, accounting for 47%; asset theft, accounting for 29.6%; security vulnerabilities, accounting for 20.1%; phishing attacks, accounting for 13.8%; wrong permissions, accounting for 13.4%.
In terms of loss amount, the top five typical attack types of global Web3 security incidents are: hacker attacks, with losses of 6.05 billion US dollars; security vulnerabilities, with losses of 4.8 billion US dollars; asset theft, with losses of 3.04 billion US dollars; flash loan attacks, with losses of 1.26 billion US dollars; and fraud, with losses of 750 million US dollars.
It is worth noting that many security incidents that occurred in 2023 were subject to more than one attack. Some incidents may have resulted in asset theft, private key theft, hacker attacks, private key leakage, and security vulnerabilities at the same time.
Note: The main attack types are explained as follows
Asset theft: virtual currency stolen, platform stolen
Hacker attack: hacker and other types of attacks
Information leakage: private key leakage, etc.
Security vulnerabilities: contract vulnerabilities, functional vulnerabilities
Incorrect permissions: incorrect system permission settings, incorrect contract permissions, etc.
Phishing attack: Phishing
Price manipulation: Price manipulation
According to monitoring information from Zero Time Technology’s blockchain security intelligence platform, typical security incidents in 2023 with losses of more than US$100 million caused a total loss of 3.2 billion US dollars, accounting for 29% of the total losses in 2023.
2. Global Web3 regulatory policy
In 2023, the next-generation Internet Web3 based on blockchain ushered in a growth peak. In the face of this emerging industry with financial technology characteristics, governments and regulators around the world are watching it closely. Web3 has a wide range of application fields, global distribution and collaboration, and high technical content. In addition, countries around the world and their internal regulatory agencies are not unified on the development direction of the Web3 industry or the definition of digital assets, which has brought huge challenges to global financial supervision. In 2023, financial crimes, hacker attacks, fraud and extortion, and money laundering incidents occurred frequently, involving huge amounts of money, serious losses, and widespread impacts. To ensure the security and compliance of Web3, various countries have introduced regulatory policies.
Looking at global regulatory policies for Web3 as a whole, investor protection and anti-money laundering (AML) are a global consensus, while the acceptance and supervision of cryptocurrency exchanges vary greatly from country to country. Members of the U.S. Congress have proposed "ensuring Web3 happens in the United States" and are accelerating regulatory innovation; EU countries have relatively clear and positive policies; Japan, Singapore, and South Korea were affected by the 2023 thunderstorms, and supervision has become stricter; Mainland China still encourages the application of blockchain technology, strictly prohibits financial institutions and payment organizations from participating in virtual currency transactions and illegal fund-raising, and has increased the crackdown on cryptocurrency crimes; Hong Kong, China, fully supports the development of virtual assets and implements a license system; the United Arab Emirates is the most active in the world in embracing cryptocurrency assets. For the NFT, stablecoin, DeFi, asset protocol and DAO fields, the world is in a state of regulatory exploration.
3. The current status of Web3 ecological security in 2023
Web3 is a relatively special industry, and its most prominent feature is that it involves the management of a large number of digital crypto assets. Tens of millions of assets are stored on the chain, and ownership is confirmed through a unique private key: whoever holds this private key is the owner of the assets. If an application or protocol in the ecosystem is attacked by hackers, it may cause huge losses. With the rapid development of the ecosystem, new attack methods and fraud methods are emerging one after another, and the entire industry is advancing on the edge of security. The Zero Hour Technology security team has observed and counted the types of attacks that exist in Web3. Currently, the following attack types mainly pose threats to Web3 security: APT attacks, social engineering phishing, supply chain attacks, flash loan attacks, smart contract attacks, web-side vulnerability attacks, zero-day vulnerabilities, and online fraud.
Next, we analyze the security status of each Web3 ecosystem in 2023, interpret attack events, and give corresponding security suggestions for each ecosystem, covering the infrastructure (public chains and cross-chain bridges), representative application-side APPs and DAPPs (trading platforms, wallets, DeFi, NFT), anti-money laundering in the regulatory area, and Web3 security education.
1. Public chain - the lifeblood of Web3 ecological security
The public chain is the infrastructure of the Web3 industry, carrying the protocols, applications and asset accounting of the entire industry. With the industry's strong demand for public chain performance, interoperability, compatibility, and capacity expansion, multi-chain development is gaining momentum, and security issues are urgent.
According to incomplete statistics from Zero Hour Technology, as of December 2023, there are currently 194 public chains. In terms of the number of public chain ecological applications, according to rootdata data, Ethereum has 2,203 applications, Polygon has 1,301 applications, and BNB Chain has 1,239 applications, ranking firmly in the top three, followed by new public chains such as Solana, Avalanche, and ICP, which are showing a rapid growth trend.
In terms of public chain ecosystem market value, according to Coingecko data, the Ethereum, BNB Chain, and Solana ecosystems rank in the top three with US$334.3 billion, US$47.7 billion, and US$42 billion respectively. At present, the total market value of the public chain ecosystem has exceeded one trillion U.S. dollars. Such huge funds are a temptation that draws the attention of hackers.
As of December 2023, according to statistics from Zero Hour Technology, 13 security incidents have occurred on the public chain track, with the cumulative amount of assets lost exceeding US$280 million.
From a quantitative perspective, the main types of attacks on the public chain are: hacker attacks, asset theft, security vulnerabilities, flash loan attacks and fraud, with the corresponding proportions being: 46.1%, 30.7%, 23%, 15.4%, 15.4%. In terms of loss amount, hacker attacks caused the highest loss, which was US$167 million, accounting for 60.1%; security vulnerabilities caused the second largest loss, which was US$131 million, accounting for 46.7%. (Note: Some projects have suffered from multiple types of attacks)
According to the monitoring information of Zero Time Technology Blockchain Security Intelligence Platform, the following picture shows some typical cases of public chain attacks in 2023:
Public chain security risks and measures suggestions
According to the analysis of Zero Hour Technology’s security team, public chain security risks mainly come from the following three points:
1) Technical complexity: It involves many technical fields and many security risk points.
2) Developer uncertainty: The code is written by developers, and loopholes will inevitably occur in the process.
3) Open source vulnerability transparency: The public chain code is open source, making it easier for hackers to discover vulnerabilities.
The Zero Hour Technology security team has the following four suggestions for public chain security:
1) Before the mainnet goes online, it is necessary to establish rich security mechanisms covering the public chain's risk points:
In terms of P2P and RPC, you need to pay attention to hijacking attacks, denial of service attacks, permission configuration errors, etc.;
In terms of consensus algorithm and encryption, you need to pay attention to 51% attacks, length extension attacks, etc.;
In terms of transaction security, you need to pay attention to fake recharge attacks, transaction replay attacks, malicious backdoors, etc.;
In terms of wallet security, you need to pay attention to the security management of private keys, security monitoring of assets, security risk control of transactions, etc.;
Relevant staff of public chain projects need to have good security awareness and common sense in office security, development security, etc.
2) Conduct source code and smart contract audits to ensure that design-level and obvious vulnerabilities are fixed:
Source code audits can cover the full code or only some modules. Zero Hour Technology's security team has a complete set of public chain security testing standards and uses a manual + tool strategy to test the security of target code: open source or commercial code scanners check code quality, combined with manual security audits and security vulnerability verification. All popular languages are supported, such as: C/C++/C#/Golang/Rust/Java/Nodejs/Python.
3) After the mainnet goes online, conduct real-time security detection and early warning of system risks;
4) After a hacker incident occurs, conduct source-tracing analysis in a timely manner to identify the problem and reduce the possibility of future attacks; quickly track the source and monitor the flow of losses to recover assets as much as possible.
2. Cross-chain bridge - a new cash machine for hackers
A cross-chain bridge, also known as a blockchain bridge, connects two blockchains and allows users to send cryptocurrency from one chain to another. Cross-chain bridges enable cross-chain operations of funds by enabling token transfers, smart contracts and data exchange, as well as other feedback and instructions between two independent platforms.
As of December 2023, according to Dune Analytics data, the total value locked (TVL) of the major cross-chain bridges in Ethereum is approximately US$6.5 billion. The bridge with the highest TVL is Polygon Bridges at US$2.99 billion, followed closely by Arbitrum Bridge at US$2.04 billion, and Optimism Bridges ranks third at US$1 billion.
With the growth of blockchains and on-chain programs, there is an urgent need for multi-chain fund conversion. The collaborative nature of cross-chain bridges lets each blockchain realize greater collaborative potential. Cross-chain bridges not only provide convenience to users, but also open another door for hackers. Because cross-chain bridges transfer assets, once problems arise in the locking, minting, burning and unlocking processes, user asset security is threatened. Cross-chain fund transfer does not seem like a complicated operation, but in multiple cross-chain bridge projects, security vulnerabilities have occurred in different steps.
According to statistics from Zero Hour Technology, as of December, 18 security incidents occurred due to attacks on cross-chain bridges, with a cumulative asset loss of US$1.21 billion.
In 2023, the top five cross-chain bridges by security incident losses are: Harmony, Wormhole, MultiChain, Aave fork, and HECO, with losses of US$350 million, US$300 million, US$210 million, US$1.5 billion and US$100 million, respectively.
Judging from the number of security incidents, the main types of cross-chain bridge attacks are: hacker attacks, asset theft, security vulnerabilities, wrong permissions and flash loan attacks, accounting for 61%, 33%, 28%, 17% and 17% respectively. 11%. In terms of the amount of losses, hacker attacks accounted for the largest proportion, at 55%; asset theft followed, at 29%; security vulnerabilities accounted for 14%, ranking third.
The picture below shows some typical cross-chain bridge attack cases in 2023:
Cross-chain bridge security risks and suggestions for measures
From multiple cross-chain bridge attacks, the Zero Hour Technology security team concluded that most attacks occur before the cross-chain step and at the signature stage, and that there have also been thefts caused by the official team's own carelessness. For the security of the growing number of cross-chain projects and project contracts, Zero Hour Technology gives the following suggestions for security measures:
1) Conduct a security audit of contracts before the project goes online;
2) The contract calling interface needs to strictly check its suitability;
3) The relevant interfaces and signature security need to be re-evaluated when the version is updated;
4) Cross-chain signers need to be rigorously vetted to ensure signatures are not controlled by malicious actors.
3. Trading platform - the source of huge temptations
Web3’s trading platform is also called a digital currency exchange or cryptocurrency exchange. It is an important part of the blockchain industry, providing services for transactions between different digital currencies and between digital currencies and legal currencies. It is also the main place for the pricing and circulation of digital currencies.
According to Coingecko data, as of December 2023, there are 887 cryptocurrency exchanges, including 224 centralized exchanges, with a total 24-hour trading volume of US$8 billion; 663 decentralized exchanges, with a total 24-hour trading volume of US$3.7 billion; and 94 derivatives exchanges, with a 24-hour trading volume of US$1.93 trillion.
Data shows that the top 10 exchanges by 24-hour trading volume are: Binance, Bybit, Coinbase Exchange, OKX, MEXC, Gate.io, Kraken, KuCoin, Bitfinex, and Binance US. Among them, Binance ranks first with a 24-hour trading volume of 13.595 billion.
The top 10 decentralized exchanges by transaction volume are: Uniswap V3 (Ethereum), Orca, Uniswap V3 (Arbitrum One), PancakeSwap (V3), Curve (Ethereum), Uniswap V3 (Ethereum), THORWallet DEX, THORSwap, Raydium, Ferro Protocol, of which Uniswap single-handedly occupies more than ten places in the top ten.
According to statistics from Zero Hour Technology, 19 security incidents occurred in cryptocurrency exchanges in 2023, with the cumulative amount of asset losses exceeding US$1.2 billion.
According to statistics from the Zero Time Technology Blockchain Security Threat Intelligence Platform, in 2023, the top 6 trading platforms by losses due to security incidents are: Curve, Coinbase, OKX, Platypus Finance, Uniswap, and Coins.ph, with losses of US$440 million, US$360 million, US$180 million, US$100 million, US$60 million and US$40 million, respectively.
Looking at the distribution of security incident losses across trading platforms, Curve accounts for 36.6%, Coinbase accounts for 30%, and Platypus Finance accounts for 15%, ranking as the top three.
According to statistics from Lingshi Technology, in terms of the number of security incidents, the main types of attacks on trading platforms are hacker attacks, security vulnerabilities, asset theft, phishing attacks, and flash loan attacks, accounting for 59%, 31.8%, 27%, 9% and 9%, respectively. Judging from the distribution of the amount of losses, hacker attacks accounted for 59% and were the main type of security incidents, security vulnerabilities accounted for 40%, and asset theft accounted for 33.3%.
The picture below shows some typical cases of exchange security incidents in 2023:
Trading platform security risks and measures suggestions
Reviewing past security incidents at all exchanges, the Zero Hour Technology security team believes that, from the perspective of the overall security architecture of a trading platform, the security risks it faces mainly include: development, server configuration, operation and maintenance, team security awareness, internal personnel, market and supply chain risks.
The Zero Hour Technology security team has published "Blockchain Security Introduction and Practical Combat", which conducts a comprehensive and detailed analysis of the security issues of cryptocurrency trading platforms. It includes the steps of penetration testing, such as information collection and social engineering, and also introduces various attack surfaces, such as business logic, input and output, security configuration, information leakage, interface security, user authentication security, and App security.
For exchange security risks, Zero Hour Technology’s security team gives the following suggestions:
From the perspective of the trading platform:
1) Cultivate the security awareness of internal personnel, strengthen the security isolation of the exchange's production environment, test environment and debugging environment, and try to use professional network security protection products.
2) Through cooperation with professional security companies, conduct code audits and penetration tests to understand whether there are hidden vulnerabilities and security risks in the system, and establish a complete and comprehensive security protection mechanism. In daily operations, regular safety tests are conducted and safety reinforcement work is strengthened.
3) Upgrade the key structure and risk control measures of the account: establish an appropriate multi-signature key structure, establish strict risk control, detection and early warning mechanisms, and strengthen back-end hot and cold wallet security, for example by controlling transfer frequency and large transfers and isolating hot and cold wallets.
Most users, in addition to using exchanges for transactions, more often use wallets to store digital assets.
Therefore, from a user perspective:
1) Do not install software from unknown sources at will.
2) Computer servers should avoid opening unnecessary ports, and corresponding vulnerabilities should be patched in time. It is recommended that the host install effective and reliable anti-virus or other security software, and that mining script isolation plug-ins be installed on WEB browsers.
3) Do not click on unknown links sent by strangers at will.
4. Wallet - The Injury of Crypto-Asset Management
Web3’s wallet is a blockchain digital wallet, also known as a cryptocurrency wallet or digital asset wallet. It is a tool for storing, managing, and using digital currency. It plays an important role in the field of blockchain and is the entrance for users to contact digital currency. Today, with the development of the ecosystem, digital wallets have become a multi-chain and multi-asset management platform.
According to statistics from the Zero Time Technology Blockchain Security Threat Intelligence Platform, as of December 2023, there are a total of 153 digital wallet projects. According to Blockchain.com statistics, more than 400 million people around the world were using encrypted assets in 2023. Among them, the number of users with encrypted wallets reached 81 million in 2022, and by November 2023 the number of encrypted wallet users had reached 221 million, growing exponentially.
As the entrance to Web3, wallets have long become a "hot potato" in the eyes of hackers. According to statistics from Zero Hour Technology, there were 35 security incidents in digital wallets in 2023, with the cumulative asset loss exceeding US$600 million.
In 2023, the top five wallet security incidents by attack losses mainly came from: BitKeep, Solana, Crypto.com, Transit, and Babel Finance, with losses of US$200 million, US$130 million, US$120 million, US$100 million and US$40 million, respectively. Among them, BitKeep suffered the highest loss due to the attack.
According to statistics from Zero Hour Technology, judging from the number of security incidents, the main types of attacks on digital wallets are: hacker attacks, asset theft, security vulnerabilities, phishing attacks and fraud, accounting for 44.9%, 35.5%, 27%, 13.4% and 9.8%, respectively. Hacker attacks account for the highest proportion, ranking first.
The proportion of security incident losses corresponding to each major attack type is as follows: hacker attacks cause the highest losses, accounting for 48.2%; security vulnerabilities cause the second highest losses, accounting for 41%; and asset theft losses rank third, accounting for 28%.
When a wallet is attacked, there are generally two situations. One is an institutional wallet, and the other is a personal wallet.
Digital Wallet Security Risks and Measures Suggestions
According to analysis by Zero Hour Technology’s security team, blockchain digital wallets exist in many forms. The main security risks include but are not limited to the following aspects:
Institutional aspects: security risks of the operating environment, security risks of network transmission, security risks of file storage methods, security risks of the application itself, security risks of data backup, etc.
Risks such as QR codes that guide customers into making transfers so that assets are stolen, theft of private keys/mnemonic phrases by attacking the cloud platform where customers store information, malware, airdrop fraud, phishing, and other phishing (pre-sales, APP downloads, winning traps).
How to protect wallet security in the face of these risks?
From the institutional side, Zero Hour Technology’s security team recommends:
Whether it is a centralized or decentralized wallet, a software wallet or a hardware wallet, it must undergo sufficient security testing. For the security audit of digital wallets, the test items of Zero Hour Technology’s security team include but are not limited to the following:
1. Network and communication security testing. Network nodes should be able to discover and resist network attacks in a timely manner;
2. Wallet operating environment security. The wallet can detect known major vulnerabilities in the operating system and perform virtual machine detection and integrity detection; digital wallets must have a third-party program hijacking detection function to prevent third-party programs from hijacking wallets and stealing relevant user information.
3. Wallet transaction security. All transactions issued by the wallet must be signed. When signing, the private key must be decrypted by entering the payment password. After the transaction signature is generated, the decrypted private key in memory must be cleared to prevent the private key from being stolen or leaked.
4. Wallet log security. To help users audit wallet operations and to prevent abnormal and unauthorized operations, wallet operation logs need to be recorded. At the same time, the wallet log must be desensitized and must not contain confidential information.
5. Node interface security audit. The interface needs to sign data to prevent hackers from tampering with it; interface access needs a token authentication mechanism to prevent hackers from carrying out replay attacks; the node interface needs to restrict the user connection rate to prevent hackers from simulating user operations to conduct CC attacks.
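One way to implement the three node interface checks in item 5, as an added example that is not Zero Hour Technology's code: HMAC-signed requests for tamper resistance, a timestamp plus one-time nonce as the anti-replay token, and a per-peer token bucket as the connection rate limit. The class name, client id, key, path, addresses and limits are constructed assumptions.

```python
import hashlib
import hmac
import json

MAX_SKEW = 30   # seconds a signed request stays acceptable (assumed value)
RATE = 2.0      # token-bucket refill per second per peer (assumed value)
BURST = 5       # token-bucket capacity per peer (assumed value)


def sign_request(key, client_id, method, path, body, timestamp, nonce):
    """HMAC-SHA256 over a canonical form of every field the node acts on."""
    body_hash = hashlib.sha256(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()
    fields = [client_id, method.upper(), path, body_hash, str(int(timestamp)), nonce]
    # A JSON array keeps field boundaries unambiguous, unlike plain joining.
    message = json.dumps(fields, separators=(",", ":")).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class NodeApiGuard:
    """Hypothetical gatekeeper in front of a wallet node's interface."""

    def __init__(self, client_keys):
        self.client_keys = client_keys  # client_id -> shared secret (bytes)
        self.nonces = {}                # (client_id, nonce) -> expiry time
        self.buckets = {}               # peer address -> (tokens, last_seen)

    def _take_token(self, peer, now):
        tokens, last = self.buckets.get(peer, (float(BURST), now))
        tokens = min(float(BURST), tokens + (now - last) * RATE)
        allowed = tokens >= 1.0
        self.buckets[peer] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def check(self, req, peer, now):
        # 1. Rate limit on the network peer before spending any crypto work.
        if not self._take_token(peer, now):
            return "rate_limited"
        try:
            client_id, nonce = str(req["client_id"]), str(req["nonce"])
            timestamp = int(req["timestamp"])
            key = self.client_keys.get(client_id)
            if key is None:
                return "unknown_client"
            expected = sign_request(key, client_id, str(req["method"]),
                                    str(req["path"]), req["body"], timestamp, nonce)
            supplied = str(req["signature"]).encode()
        except (KeyError, TypeError, ValueError, OverflowError):
            return "malformed"
        # 2. Freshness: bounds how long a captured request is worth anything.
        if abs(now - timestamp) > MAX_SKEW:
            return "stale"
        # 3. Integrity: constant-time comparison of the recomputed signature.
        if not hmac.compare_digest(expected.encode(), supplied):
            return "bad_signature"
        # 4. Replay: nonces are recorded only for authentic requests, so
        #    unauthenticated traffic cannot fill the cache.
        self.nonces = {k: exp for k, exp in self.nonces.items() if exp >= now}
        if (client_id, nonce) in self.nonces:
            return "replay"
        self.nonces[(client_id, nonce)] = timestamp + MAX_SKEW
        return "ok"


def demo():
    """Runs constructed requests through the guard and returns each verdict."""
    key = b"constructed-demo-secret"
    guard = NodeApiGuard({"wallet-app": key})
    now = 1_700_000_000
    body = {"to": "0xRECIPIENT_PLACEHOLDER", "amount": "1.5"}
    req = {"client_id": "wallet-app", "method": "POST", "path": "/v1/tx/broadcast",
           "body": body, "timestamp": now, "nonce": "n-0001"}
    req["signature"] = sign_request(key, "wallet-app", "POST", "/v1/tx/broadcast",
                                    body, now, "n-0001")
    tampered = dict(req, body={"to": "0xTAMPERED_PLACEHOLDER", "amount": "1.5"})
    results = [
        guard.check(req, "198.51.100.7", now),        # first delivery
        guard.check(req, "198.51.100.7", now + 1),    # same request again
        guard.check(tampered, "198.51.100.7", now + 2),
        guard.check(req, "198.51.100.7", now + 120),  # outside MAX_SKEW
    ]
    flood = [guard.check(req, "203.0.113.9", now + 200) for _ in range(BURST + 1)]
    results.append(flood[-1])                         # bucket exhausted
    return results


if __name__ == "__main__":
    print(demo())
```

The rate limit is keyed on the peer address rather than the claimed client id, so an unauthenticated sender cannot drain another client's allowance.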
For the client, Zero Hour Technology’s security team recommends:
1) Take measures to store private keys safely: for example, back up private keys by copying them down where possible, and do not use cloud platforms or social networks such as email to transmit or store private keys.
2) Use strong passwords and enable two-step verification MFA (or 2FA) whenever possible, and always maintain security awareness and vigilance.
3) Pay attention to verify the hash value when updating the program version. Install anti-virus software and use a firewall when possible. Monitor your account/wallet to confirm there are no malicious transactions.
4) Hardware wallets are suitable for users with large amounts of digital assets and who require a higher level of security protection. The usual recommendation is to use a software wallet to store your small assets for daily use, and a hardware wallet to store large assets, which can achieve both convenience and security.
What if funds are stolen?
If an unintentional authorization operation occurs, before the funds are stolen, transfer the wallet funds out as soon as possible and cancel the authorization; if funds have been stolen or the private key has been stolen after authorization, For fund transfers, please contact Zero Hour Technology’s security team immediately for asset tracking.
5. DeFi-Web3 security disaster area
The full name of DeFi: Decentralized Finance, generally translated as distributed finance or decentralized finance. DeFi projects are roughly divided into five categories: oracles, DEX, mortgage lending, stable currency assets, and synthetic derivatives.
The full name of TVL: Total Value Locked, meaning total locked value. The total value of assets mortgaged by users is one of the most important indicators for measuring the development of the DeFi ecosystem. Usually, TVL growth indicates that a project is developing well.
According to statistics from Zero Hour Technology’s blockchain security threat intelligence platform, as of December 2023, there are a total of 1,297 DeFi projects. According to DeFi Llama data, the total locked-up value of DeFi reached US$39.051 billion. Among them, Ethereum accounts for 58.59%, ranking first with a TVL of 23.02 billion US dollars, followed by Tron, accounting for 11.1%, ranking second with a TVL of 4.036 billion US dollars, followed by BSC, accounting for 10.47%, ranking third with a TVL of 40.12 (in units of US$100 million). Many emerging public chains such as Avalanche, Polygon and Optimism have rapidly developed their on-chain ecology by embracing DeFi, and have also attracted a large number of users and capital deposits.
DeFi’s prominent smart contract security issues have become the biggest challenge in the DeFi industry. In addition, no DeFi service provider or regulatory agency can refund funds transferred in error. When hackers find vulnerabilities in smart contracts or other aspects of DeFi services and steal user assets, there may not necessarily be a DeFi service provider to compensate investors. In addition, many hidden interconnection problems may cause a series of financial accidents.
According to statistics from Zero Hour Technology, as of December 2023, a total of 24 DeFi security incidents had occurred, with the cumulative amount of assets lost exceeding US$720 million.
Looking at the distribution of the number of DeFi security incidents that occurred in each ecology, the Ethereum ecosystem had 6 incidents each, accounting for 25%, ranking first, and BSC (BNB Chain) had 5 incidents in total, accounting for 25%. than 20%, accounting for 24%, ranking second. There were 3 incidents in the Solana ecosystem, accounting for 15%, ranking third.
Looking at the loss distribution of DeFi security incidents, the top three public chain ecosystems are: the Ethereum ecosystem, where DeFi incident losses exceeded 216 million US dollars, accounting for 30%, ranking first; Solana, ranking second with losses of US$144 million, accounting for 20%; and BNB Chain, ranking third with a loss of US$130 million, accounting for 18%. It can be seen that the more active the ecology is, the more attention it receives from hackers, and the more prominent the losses are.
According to statistics from Zero Hour Technology, from the perspective of DeFi attack types, they are mainly: hacker attacks, asset theft, flash loan attacks and security vulnerabilities. The distribution of the number of security incidents corresponding to each major attack type is as follows: hacker attacks account for 50%, ranking first; security vulnerabilities account for 29%, ranking second; asset theft accounts for 20%, ranking third; flash loan attacks account for 16%, ranking fourth.
From the perspective of loss distribution of main attack types, hacker attacks caused the highest losses, accounting for 48.6%, followed by asset theft, accounting for 34.7%, and security vulnerabilities ranked third, accounting for 43%.
DeFi security risks and suggested measures
DeFi projects face multiple security risks. By group, they divide into the project side (protocol execution) and the user side. By security type, they divide into the security of protocol combinations (including defects between combined protocols), smart contract security, open source security, the high risk that accompanies high returns, and security issues caused by lack of supervision.
From a security audit perspective, the risks faced by DeFi projects are shown in the figure below:
[Figure: risks faced by DeFi projects from a security audit perspective (https://img.jinse.cn/7174945_image3.png)]
From the protocol execution process, DeFi risks include: smart contract attack risks, design issues in economic incentives, custody risks, reconstruction of the original protocol, lack of privacy and other risks.
From a user perspective, the risks faced by DeFi users are: technical risks (smart contracts contain loopholes and are subject to security attacks); liquidity risks (the platform’s liquidity is exhausted); cryptocurrency risks; key management risks (the platform’s master private key may be stolen); and security awareness risks (being phished, encountering arbitrage scam projects, etc.).
The Zero Hour Technology Security Team recommends that project parties and users deal with risks through the following four points:
1) When launching DeFi projects, project parties must find a professional security team to conduct a comprehensive code audit, and try to arrange as many joint audits as possible, so as to discover as many project design flaws as possible and avoid unnecessary losses after going online.
2) Users should check carefully when investing in these projects, have a certain understanding of the project, or check whether it passed a security audit before going online.
3) Increase personal security awareness, including Internet behavior, asset storage and wallet usage habits, and develop good security awareness habits.
4) Projects are high-yield and high-risk, so you need to be cautious when participating. If you don’t understand the project, try not to participate to avoid losses.
6. NFT - Pond of Phishing Attacks
NFT is the abbreviation of Non-Fungible Token, a non-fungible token based on the blockchain. It is a unique digital asset stored on the blockchain, often used as an electronic certification or certificate of ownership of virtual goods, which can be purchased or sold.
According to NFTScan data, as of December 31, 4,624 NFT projects have been included, totaling 1,476,479,394 NFTs. The current total market value of NFT reaches US$25.6 billion, with 4.7338 million holders. Judging from the market value distribution of various projects, PFP (Picture for proof), that is, the profile picture NFT market value is far ahead. This is also the NFT with the most use scenarios at present, followed by collectibles. Looking at NFT assets and contracts from the current eight major public chains, Polygon is far ahead in terms of the number of assets and contracts.
From the perspective of transaction scale: among the top 10 NFT trading platforms ranked by sales volume within 24 hours, Blur ranked first, followed closely by OKX NFT, and OpenSea ranked third. From the perspective of traders, among the top 10 markets ranked by the number of traders, buyers and sellers within 24 hours, Blur ranked first, OKX NFT ranked second, and OpenSea ranked third.
As the value of NFT becomes more prominent, hackers are also eyeing this piece of fat. Although the entire crypto market is currently experiencing a violent downward trend, the popularity of NFTs remains unabated.
According to incomplete statistics from Zero Hour Technology, as of December 2023, a total of 44 security incidents occurred on the NFT track, with a cumulative loss of approximately US$62 million in assets.
From the perspective of attack types on the NFT track, they are mainly: hacker attacks, security vulnerabilities, asset theft, phishing attacks, and so on. The corresponding number of security incidents accounted for 50%, 35%, 25%, and 23% respectively.
Looking at the proportion of losses caused by the main types of NFT attacks, hacker attacks caused the most losses, accounting for 50%; asset theft followed, accounting for 30%; security vulnerabilities ranked third, accounting for 30%.
NFT Security Risks and Measures Suggestions
Currently, there are various hacker attacks in the NFT track. In terms of groups, the objects at risk are generally platforms and users.
For the centralized platform, the security risks that may be faced include: account risk, commercial competition risk, security awareness risk, insider risk, market risk, etc.
For the user side, Discord attacks have become the main attack method this year.
For the above security risks, Zero Hour Technology’s security team gives the following suggestions:
For ordinary users: To protect your own Discord, you need to pay attention to the following points. Make sure the password is secure enough, using letters, numbers and special characters to create a long random password; turn on 2FA authentication, because even a sufficiently complex password should not be the only method of protection; do not click links from unknown senders or links that look suspicious, and consider limiting who can private message you; don’t download programs or copy/paste code you don’t recognize; don’t share or screen share your authorization token; don’t scan any QR code from someone you don’t know or whose legitimacy you cannot verify.
For server owners: Audit your server permissions, especially for higher-level tools like WebHook; when making any changes, keep official server invitations updated and visible on all platforms, especially when the majority of new server members come from communities outside of Discord; likewise, don't click on suspicious or unknown links! If an account is compromised, it could have a greater impact on the moderated community.
For projects: It is recommended that the contract strictly judge the rationality of the purchase quantity input by the user; it is recommended that the contract rule out the possibility of purchasing NFTs with zero funds; it is recommended that NFT tokens of the ERC721 and ERC1155 protocols be strictly distinguished, to avoid confusion and fake official Discord cases. At present, malicious mint links are found in many chat applications, and many users' funds have been stolen. To avoid such coin theft incidents, it is recommended that everyone verify the reliability of the link source when performing mint operations, and at the same time ensure that the content of the actual signed transaction matches expectations.
7. Security Education-Web3 Security Shield
The well-known case of all Sohu employees being defrauded by salary subsidy phishing emails has made many companies realize that if network security awareness is not improved, they will face difficulties in the future; various security incidents, such as those involving trade secrets, will inevitably affect the development of enterprises. Web3's decentralized, self-organized participation method makes individuals realize that if they do not improve their security awareness, they will become a cash machine for hackers.
At present, there are TV series, movies, communities and other ways on the market to improve personal network security awareness. Zero Hour Technology has also published hundreds of pieces of network security knowledge on various platforms.
In addition, Lingshi Technology has developed its own security awareness assessment management platform, mainly aimed at industry organizations that need network security awareness, including government, public security, education, finance, electric power, etc. Based on phishing technology, the platform helps enterprises build a private cloud-based network security awareness assessment and management platform, integrating theoretical systems, phishing drills, host detection, management assessments, and scenario customization systems to achieve continuous and systematic improvement of the network security awareness of all employees. In addition, based on the professional strength of Zero Hour Technology's security team, it also provides corporate network security consulting and training services, solidifying the security shield from the source.
Conclusion
Because of its huge innovation capabilities and the advantages of open source, Web3 has become a booming new generation of network infrastructure, bringing a more trustworthy and value-delivering ecosystem to the entire Internet world. Although security incidents in the Web3 industry continue, and hackers and criminals use various methods in an endless stream, this does not hinder the healthy development of the Web3 industry.
On the contrary, just like the two sides in a game, the "white hats" of the Web3 world, security agencies like our Zero Hour Technology, will definitely protect this lush ecosystem and protect the assets of users in the new world. We will match wits and courage with hackers, and continue to work hard to establish a more complete mechanism, a stronger technical system, and safer transactions.
Vulnerabilities are always there, security is priceless, and the game between development and security will never stop. I hope we can all equip ourselves with a safety shield to cope with the complex technological world of the future!