a16z: Detailed explanation of common attack types and lessons learned in the field of Web3 security
Compilation of the original text: Hu Tao, Chain Catcher
Original title: "Web3 Security: Attack Types and Lessons Learned》
Compilation of the original text: Hu Tao, Chain Catcher
Much of web3's security depends on blockchain's exceptional ability to make promises and be resilient to human intervention. But the related feature of finality—transactions are often irreversible—makes these software-controlled networks an attractive target for attackers. Indeed, as blockchains—the decentralized computer networks that underlie web3—and their accompanying technologies and applications accumulate value, they are increasingly becoming coveted targets for attackers.
Although web3 differs from earlier iterations of the Internet, we have observedSecurity Trendscommon ground. In many cases, the biggest problem is the same as ever. By researching these areas, defenders—whether developers, security teams, or everyday crypto users—can better protect themselves, their projects, and wallets from would-be thieves. Below we propose some common themes and predictions based on experience.
follow the funds
Attackers typically aim to maximize return on investment. They can spend more time and effort attacking protocols with more "total value locked" or TVL because the potential rewards are greater.
The most resourceful hacker groups target high-value systems more often. Novel attacks are also targeting these prized targets more frequently.
Low-cost attacks such as phishing will never go away, and we expect them to become more common in the foreseeable future.
fix bugs
As developers learn from tried-and-tested attacks, they may increase the status of web3 software to the point where it is "secure by default." Typically, this involves tightening the application programming interface orAPI, to make it harder for people to introduce bugs by mistake.
While security is always a work in progress, defenders and developers can increase the cost of attack by eliminating much of the low-cost fruit for attackers.
As security practices improve and tools mature, the success rate of the following attacks may drop significantly: governance attacks, price oracle manipulation, and reentrancy vulnerabilities. (More on these below.)
Platforms that cannot ensure "perfect" security will have to use vulnerability mitigations to reduce the likelihood of loss. This may deter attackers by reducing the "benefit" or upside of their cost-benefit analysis.
classification attack
Attacks on different systems can be categorized according to their common characteristics. Defining characteristics include the sophistication of the attack, how automated the attack is and what precautions can be taken to defend against them.
Below is a non-exhaustive list of the types of attacks we've seen in the biggest hacks of the past year. We also include our observations on today's threat landscape and where we expect web3 security to go in the future.
APT Operations: Top Predators
Expert adversaries, often referred to as advanced persistent threats (APTs), are security demons. Their motivations and abilities vary widely, but they tend to be wealthy and persistent. Unfortunately, they will likely be around all the time. Different APTs run many different types of operations, but these threat actors are often the most likely to directly attack a company's network layer to achieve their goals.
example:
example:
RoninThe validator is attacked
contour
who:Nation-states, well-funded criminal organizations, and other advanced organized groups. Examples include the Ronin hacker (Lazarus, with extensive ties to North Korea).
Complexity:High (only for resource-rich groups, usually in countries where they won't be prosecuted).
Automatability:Low (still mostly manual with some custom tools)
Expectations for the future:As long as APTs are able to monetize their activities or achieve various political ends, they will remain active.
User-Targeted Phishing: Social Engineering
Phishing is a well-known and common problem. Phishers try to lure their prey by sending decoy messages through various channels, including instant messaging, email, Twitter, Telegram, Discord, and hacked websites. If you browse your spam mailbox, you've probably seen hundreds of attempts to trick you into giving out things like passwords or stealing your money.
Now web3 allows people to directly trade assets such as tokens orNFTexample
example
directly to the userOpenSea phishing campaign
for front-end applicationsBadgerDAO Phishing Attack
contour
who:Anyone from scripting beginners to organized groups.
Complexity:Low-Medium (attacks can be low quality "spray" orsuper targeted, depending on the attacker's effort).
Automatability:Medium-High (most jobs can be automated).
Expectations for the future:Phishing is cheap, and phishers tend to adapt and bypass the latest defenses, so we expect these attacks to rise. User defenses can be improved through increased education and awareness, better filtering, improved warning banners, and stronger wallet controls.
Supply Chain Vulnerabilities: The Weakest Link
When automakers discover defective parts in vehicles, they issue safety recalls. The software supply chain is no exception.
Third-party software libraries introduce a large attack surface. This has been a cross-system security challenge before web3, such as the impact of widespread web server software last Decemberlog4j exploit.Attackers will scan the internet for known vulnerabilities to find unpatched issues they can exploit.
example
example
Wormholebridge attack
Multichainloophole
contour
who:Organized groups such as APTs, independent hackers, and insiders.
Complexity:Moderate (requires technical knowledge and some time).
Automatability:Moderate (can automatically scan for faulty software components; but when new vulnerabilities are discovered, exploits need to be built manually).
Expectations for the future:As the interdependence and complexity of software systems increase, supply chain vulnerabilities are likely to increase. Until a good, standardized approach to vulnerability disclosure is developed for web3 security, opportunistic hacking is likely to increase as well.
Governance Attacks: Election Looters
This is the first crypto industry-specific question to make the list. Many projects in web3 include a governance aspect where token holders can propose and vote on changes to the network. While this provides an opportunity for continuous development and improvement, it also opens a backdoor to introduce malicious proposals that could disrupt the network if implemented.
example
example
Beanstalkfunds transfer event
contour
who:Anyone from organized groups (APTs) to independent hackers.
Complexity:From low to high, depending on the protocol.
Automatability:From low to high, depending on the protocol.
Expectations for the future:These attacks are highly dependent on governance tools and standards, especially as they relate to monitoring and proposal development processes.
Pricing Oracle Attacks: Market Manipulators
Accurately pricing assets is difficult. In the world of traditional trading, artificially inflating or depressing asset prices through market manipulation is illegal and you could be fined or arrested for it. The problem is evident in DeFi markets where random users are able to "flash trade" hundreds of millions or billions of dollars and cause sudden price swings.
OracleOracle”—systems that provide real-time data, are sources of information that cannot be found on-chain. For example, oracles are often used to determine the pricing of an exchange between two assets. But attackers have found ways to deceive these so-called sources of truth.
example
example
Creammarket manipulation
contour
who:Organized groups (APTs), independent hackers and insiders.
Complexity:automation:
automation:High (most attacks likely involve automated detection of exploitable issues).
Expectations for the future:Likely lower as exact pricing methods become more standard.
New Vulnerabilities: Unknown Unknown
"Zero-day" exploits — so named because they are vulnerabilities that are only 0 days public when they appear — are a hot topic in information security, and web3 security is no exception. Because they appear suddenly, they are the most difficult attacks to defend against.
If anything, web3 makes it easier to monetize these expensive, labor-intensive attacks, since it is very difficult for people to recover crypto funds once stolen. Attackers can spend a lot of time poring over the code that runs on-chain applications to find a bug that justifies all their efforts. Meanwhile, some once-novel vulnerabilities continue to plague unsuspecting projects; the famous reentrancy bug that occurred on early Ethereum project TheDAO continues to resurface elsewhere.
example
example
Poly NetworkVulnerabilities in cross-chain transactions
QubitUnlimited minting exploit for
contour
who:Organized groups (APTs), independent hackers (unlikely), and insiders.
Complexity:Moderate-High (requires technical knowledge, but not all vulnerabilities are too complex for people to understand).
Automatability:Low (discovering new vulnerabilities takes time and effort, and is unlikely to be automated. Once discovered, it will be easier to scan for similar issues in other systems).
Expectations for the future:More attention attracts more white hats and makes the "barrier to entry" higher for discovering new vulnerabilities. At the same time, as web3 adoption grows, so does the incentive for black hat hackers to find new vulnerabilities. As in so many other areas of security, this will likely remain a game of cat and mouse.
