A Report Reveals Web2 Security Issues Contribute to Nearly Half of Crypto Losses in Web3 Exploits
A new report from blockchain security platform Immunefi suggests that nearly half of all crypto lost from Web3 exploits is due to Web2 security issues such as leaked private keys. The report, released on November 15, looked back at the history of crypto exploits in 2022, categorizing them into different types of vulnerabilities.
The Breakdown of Crypto Losses
The report concluded that a full 46.48% of the crypto lost from exploits in 2022 was not from smart contract flaws but was rather from “infrastructure weaknesses” or issues with the developing firm’s computer systems. When considering the number of incidents instead of the value of crypto lost, Web2 vulnerabilities accounted for 26.56% of the total, making it the second-largest category.
It’s important to note that Immunefi’s report excluded exit scams or other frauds, as well as exploits that occurred solely because of market manipulations. It only considered attacks that occurred because of a security vulnerability.
Categories of Vulnerabilities
According to Immunefi’s findings, attacks fall into three broad categories. First, some attacks occur because the smart contract contains a design flaw. An example cited by Immunefi is the BNB Chain bridge hack. Second, some attacks occur because the code implementing the smart contract’s design is flawed. The Qbit hack was given as an example of this category.
The third and largest category of vulnerability, accounting for the most crypto losses, is “infrastructure weaknesses.” Immunefi defined this as “the IT-infrastructure on which a smart contract operates, such as virtual machines, private keys, etc.” An example listed by Immunefi is the Ronin bridge hack, which occurred when an attacker gained control of 5 out of 9 Ronin nodes validator signatures.
Different Subcategories of Vulnerabilities
Immunefi further broke down these categories into subcategories. Infrastructure weaknesses can be caused by an employee leaking a private key, using a weak passphrase for a key vault, problems with 2-factor authentication, DNS hijacking, BGP hijacking, a hot wallet compromise, or using weak encryption methods and storing them in plaintext.
While infrastructure vulnerabilities caused the greatest amount of losses compared to other categories, the second-largest cause of losses was “cryptographic issues” such as Merkle tree errors, signature replayability, and predictable random number generation. Cryptographic issues accounted for 20.58% of the total value of losses in 2022.
Another common vulnerability was “weak/missing access control and/or input validation,” resulting in only 4.62% of the losses in terms of value. However, it was the largest contributor in terms of the number of incidents, causing 30.47% of all incidents.
This report highlights the importance of addressing Web2 security issues to minimize crypto losses in Web3 exploits. Developers and organizations need to prioritize securing the infrastructure on which smart contracts operate and implementing strong cryptographic measures to prevent vulnerabilities.
– Immunefi (2022). “A Report on Web3 Exploits and Vulnerabilities.” Retrieved from [insert link].