CertiK Annual Report: Big events emerge one after another, where will it go in 23 years?

CertiK
Guest columnist
2023-01-06 05:00
In 2022, hackers stole about US$3.77 billion worth of assets from the Web3.0 protocol, an increase of 189% from last year's loss of US$1.3 billion. Large-scale security incidents in the bear market continue to emerge, so what should we do in 2023?


2022 was a difficult year for the entire digital asset industry. Against the backdrop of a market downturn, 65% of the market value of digital assets disappeared, and an unprecedented number of hacks, fraud incidents and institutional collapses made matters even worse for investors who had already suffered heavy losses.

From the $624 million theft from Ronin Bridge in March to the almost overnight collapse of FTX in November, the scale of losses in 2022 was the largest in history. Asset losses for the year were about $3.77 billion, well ahead of the $1.3 billion recorded in 2021.

This report will delve into the various factors that contributed to the downfall of centralized exchanges such as Celsius, BlockFi and FTX. As an alternative to these centralized institutions, which are rapidly repeating the industry's mistakes, Web3.0 and decentralized financial applications built on open-source blockchains will play an important role, but expecting this alone to carry Web3.0 to mass adoption is not yet realistic. While losses in the decentralized world are relatively small compared with the scale of bankruptcies in the centralized space this year, they still total billions of dollars. The entire Web3.0 industry needs to reflect deeply on the past year and try to find a silver lining in this difficult period.

While insecure protocols continue to take their toll, that doesn't negate the true value of Web 3.0. Today, valuations of all types of assets are generally falling, and people's enthusiasm is gradually subsiding. This allows us to take a step back, look at the status quo, and build the industry on a more solid foundation.

2022 Industry Security Summary

① In 2022, hackers stole about $3.77 billion worth of assets from Web3.0 protocols.

② This figure represents a 189% increase from the $1.3 billion loss in 2021.

③ In 2022 there were 316 exit scams, with a total of about $210 million stolen, and 102 flash loan and oracle manipulation incidents, resulting in total losses of about $360 million.

④ Just nine cross-chain bridge vulnerabilities accounted for more than one-third of all lost value, and hackers stole a total of about $1.35 billion from cross-chain bridge attacks.

⑤ Despite a year of bear market, the number of projects audited by CertiK continues to grow. To date, CertiK has completed a total of 5046 audits of Web3.0 projects. This represents a 73% increase in the number of total audits compared to the end of last year.

The contradictions of centralized platforms may be hard to reconcile

Since the beginning of this year, the demise of many well-known digital asset companies has cast a shadow over the entire industry. While these businesses are all in the business of buying, selling, lending, and trading digital assets, before we label them the same, we should consider whether these defunct businesses can really be classified as digital asset companies.

To be sure, the failure of these businesses has more to do with their operating models than with the assets they manage. The fatal flaw of centralized digital asset businesses (also known as CeFi, "centralized finance", as opposed to "decentralized finance", DeFi) is implicit in their name: they operate on a centralized platform with a single point of control, which created the single points of failure we witnessed this year.

What followed is somewhat tragically ironic. During the Super Bowl in February (the annual championship game of the National Football League), FTX promoted the concept of digital assets to millions of viewers, claiming that digital assets were "the next big thing" and implying that those who did not participate were like the fools in the commercial who miss out on everything.

However, FTX secretly sent users' deposits to the company's supposedly "non-internal" but in fact internal trading arm, Alameda, which quickly lost billions of dollars on investments, a serious violation of the exchange's own terms of service.

Shocking news about FTX’s illiquid balance sheet quickly spread, and a typical bank run ensued. If an exchange keeps deposit funds 1:1 and doesn't re-hypothecate or lend without permission, it might survive this test. But that's not the case with FTX.

Former FTX CEO Sam Bankman-Fried orchestrated a string of extravagant acquisitions, sponsorships, and bailouts, making FTX's downfall all the more incredible. For example, Voyager Digital, another now-defunct CeFi company, announced that FTX had successfully acquired its assets after filing for bankruptcy. However, after FTX’s flash crash, it had to file for bankruptcy again. These sudden events all occurred in the second half of 2022.

The collapse of companies such as FTX and Three Arrows Capital has indeed hit many large investment institutions, but it is the large number of ordinary retail investors who have been hurt the most. Overwhelming marketing, endorsements and personality cults have led them to cast their confidence in the wrong platforms and pay dearly for it.

The reason the proportion of retail investors hurt is so high is that on the Voyager platform, 97% of users held assets worth less than $10,000. Many of these users, who mistakenly believed that CeFi platforms were more secure, have now lost their assets. They believed that depositing assets on a CeFi platform was safer and offered higher returns, while avoiding the high entry barriers and the various risks posed by smart contracts on decentralized platforms.

For more details about FTX, please refer to "The FTX Incident, Hacking Summary: Web3.0 Industry Security Report for the Fourth Quarter of 2022" for details.

Although these lessons have been very painful, they are essential ones. The core principle of digital assets is self-custody and self-sovereignty, so handing control of users' assets to a centralized platform violates that principle.

Terra Crash Event

One of the biggest events of the year was the Terra crash, in which $45 billion of market capitalization evaporated in a matter of days.

Unlike stablecoins such as Tether, USDC and BUSD, algorithmic stablecoins do not rely on 1:1 dollar reserves to maintain their peg, but instead maintain it through internal mechanisms. Specifically, an algorithmic stablecoin maintains its base value through the minting and burning functions defined in its smart contracts.

Take Terra's UST stablecoin as an example. UST was pegged to another digital asset, LUNA, and holders of UST could exchange their assets for an equivalent value of LUNA at any time. At the beginning of May, LUNA was trading at $85, at which point one UST could be exchanged for 0.0118 LUNA.

If the trading price of UST fell below its $1 target, market makers would immediately convert large amounts of UST into LUNA to close the gap in value between the two. The principle is to increase demand for LUNA while reducing the supply of UST, that is, to maintain the peg by increasing the price of the stablecoin's reserve asset.

On May 7, on-chain analysis showed UST being sold in large quantities: 85 million UST was exchanged for 84.5 million USDC, which directly caused UST to lose its dollar peg for the first time. As a result, the price of UST fell to a low of $0.985 on May 8.

To re-peg UST to the US dollar, the Luna Foundation Guard (LFG) deployed $750 million worth of Bitcoin to assist market makers in maintaining UST price stability. LFG repurchased another $750 million worth of bitcoin after market conditions returned to normal.

Unexpectedly, however, the price of UST fell to a low of $0.65 on May 9. UST's second depeg then triggered a shock in the price of LUNA, which plummeted to $35, a drop of more than 44%. This in turn broke the relationship between the market capitalizations of LUNA and UST and jeopardized LUNA's function as a stabilizing reserve asset, because the LUNA ecosystem at that point no longer had enough value to collateralize all of the circulating UST.
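To make the mint-and-burn mechanism and the reflexive collapse described above concrete, here is an added toy simulation (constructed for this article, not CertiK's or Terra's code). The starting supplies, pool depth and redemption size are assumed illustrative figures, and LUNA's market price and the impact of selling minted LUNA are modelled with a constant-product pool rather than real order books.

```python
"""Toy model of an algorithmic stablecoin's mint-and-burn peg (UST/LUNA style).

Constructed example: supplies, pool reserves and redemption size are
illustrative assumptions, not Terra's real on-chain figures.
"""
from dataclasses import dataclass


@dataclass
class PegState:
    ust_supply: float    # circulating stablecoin (assumed)
    luna_supply: float   # circulating reserve asset (assumed)
    pool_luna: float     # constant-product pool reserves that stand in for
    pool_usd: float      # LUNA's market and the price impact of selling

    @property
    def luna_price(self) -> float:
        return self.pool_usd / self.pool_luna

    @property
    def collateral_ratio(self) -> float:
        # market cap of the reserve asset relative to the stablecoin it backs;
        # below 1.0 the ecosystem can no longer collateralize all circulating UST
        return self.luna_price * self.luna_supply / self.ust_supply


def redeem_ust(state: PegState, ust_amount: float) -> PegState:
    """One arbitrage step: burn UST, mint $1 of LUNA per UST at the current
    price, then sell the minted LUNA into the pool (x * y = k)."""
    minted = ust_amount / state.luna_price
    k = state.pool_luna * state.pool_usd
    new_pool_luna = state.pool_luna + minted
    new_pool_usd = k / new_pool_luna          # selling LUNA lowers its price
    return PegState(
        ust_supply=state.ust_supply - ust_amount,   # burn reduces UST supply
        luna_supply=state.luna_supply + minted,     # mint expands LUNA supply
        pool_luna=new_pool_luna,
        pool_usd=new_pool_usd,
    )


def simulate_depeg(state: PegState, ust_per_step: float, max_steps: int) -> dict:
    """Apply repeated redemptions and report the step at which LUNA's market
    cap stops covering the circulating UST (collateral ratio < 1)."""
    prices = [state.luna_price]
    ratios = [state.collateral_ratio]
    depeg_step = None
    for step in range(1, max_steps + 1):
        state = redeem_ust(state, ust_per_step)
        prices.append(state.luna_price)
        ratios.append(state.collateral_ratio)
        if depeg_step is None and state.collateral_ratio < 1.0:
            depeg_step = step
    return {"prices": prices, "ratios": ratios, "depeg_step": depeg_step}


def example_run() -> dict:
    # LUNA at $85 as in early May; other figures are constructed for the demo
    start = PegState(ust_supply=18e9, luna_supply=350e6,
                     pool_luna=100e6, pool_usd=8.5e9)
    return simulate_depeg(start, ust_per_step=500e6, max_steps=10)


if __name__ == "__main__":
    r = example_run()
    for i, (p, c) in enumerate(zip(r["prices"], r["ratios"])):
        print(f"step {i:2d}: LUNA ${p:7.2f}  collateral ratio {c:.3f}")
    print("collateral ratio fell below 1 at step", r["depeg_step"])
```

Each redemption mints more LUNA at a lower price than the last, so the ratio of LUNA market cap to UST supply falls faster with every step; the same mechanism that is meant to restore the peg drives the reserve asset down once confidence breaks.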

From this point on, the delicate balance between LUNA and UST began to unravel. Misfortunes never come singly: Terra creator and Terraform Labs CEO Do Kwon was revealed to be one of the anonymous co-founders behind a previously failed algorithmic stablecoin, Basis Cash. According to the allegations, after the depeg and the resulting billions of dollars in losses, Do Kwon misappropriated some $67 million worth of bitcoin instead of using it to maintain the currency's peg. South Korean prosecutors have issued an arrest warrant for Do Kwon, but he remains at large.

The crisis continues to spread

Celsius, a centralized platform that allows users to deposit assets to earn yield, once held more than $500 million in the Terra ecosystem. Before Celsius collapsed, it claimed to have withdrawn all assets. But a month later, the company announced it was suspending deposits and filing for bankruptcy.

Users of Celsius will never know the source of the income they are earning, nor will they be aware of the risks they are taking.

Celsius also used decentralized platforms to repay many of its debts in an effort to salvage what little liquidity it had left, which indirectly demonstrates the power of DeFi: all on-chain activity is publicly visible, in sharp contrast with the liabilities Celsius concealed from both its lenders and its creditors.

To add insult to injury, Celsius later publicly disclosed the names, balances and transaction histories of thousands of its users in a court filing, which by contrast demonstrates the privacy advantages of pseudonymous decentralized finance platforms. This was extremely irresponsible and dangerous behavior.

The continued success of DeFi platforms such as Aave has provided strong material support for decentralized business models. Users can verify Aave's ability to repay in real time and understand where depositors' income comes from, and the platform's liquidation process simply does not permit the kind of risk that ultimately led to the collapse of Celsius.

Compared with centralized financial platforms, DeFi clearly has many advantages. However, the smart contracts that power Web 3.0 are not invulnerable: DeFi protocols carry their own set of risks. For example, non-standard smart contract code introduces vulnerabilities, and hackers discovered and exploited such vulnerabilities to steal over $3 billion in 2022.

Web 3.0 Solutions

Perhaps this is what the Web 3.0 world is about: decentralized applications built on open-source blockchains that offer a powerful alternative to the opaque world of centralized institutions, as well as real solutions to the notoriously flawed way finance works.

Users who have used Aave may know that the platform cannot violate its terms of service, because those terms are written into the smart contracts that govern its operation, just as code is written into DNA. Users also need not worry that control of their assets might be transferred to the platform, because all transactions are executed openly and transparently on the blockchain. Although various high-yield products may expose users to considerable risk, that depends on the characteristics and strategy of each product; in any case, users can see where their assets are and how the yield is generated at any time, and everything is open and transparent.

Although this places a greater due-diligence burden on users, the Web 3.0 model still has unmatched advantages over centralized platforms. Many of the centralized finance (CeFi) collapse stories simply could not have happened in a decentralized environment.

However, Web 3.0 still has some way to go before it can realize its full potential and be considered a real replacement for CeFi.

It’s worth thinking about: why are millions of users willing to “entrust” billions of dollars to these centralized organizations?

Perhaps because centralized organizations provide a service that simplifies the process and eliminates the risk of self-custody. In addition, they also provide greater liquidity and richer financial products, and provide support and service platforms to help users solve problems in a timely manner. Finally, don’t forget that hackers have exploited the loopholes of decentralized protocols to gain billions of dollars in 2022 alone, which is why more people choose to believe in centralized platforms.

To go far, Web 3.0 needs to improve in two main areas: usability and security.

Usability: To understand how to use a DeFi platform, sometimes it takes hours of research, and this is only before the capital is invested. It might even take days to research multiple platforms thoroughly.

Cross-chain bridge attack event

In 2022, attacks on cross-chain bridges caused a total of $1.3 billion in losses, which accounted for 36% of the total losses in the past 12 months. Just three of these incidents accounted for 87% of all cross-chain bridge asset losses, which also highlights the huge risks that cross-chain bridge attacks pose.

Most cross-chain applications have extremely complex technical structures and contain many attack vectors. This complexity lets them provide a wider range of capabilities, but at the cost of exposing a larger attack surface.

  • 💣Ronin lost $625 million

The Ronin Bridge incident can be described as the largest attack/vulnerability in the history of DeFi. On March 23, the sidechain built for the Web 3.0 game Axie Infinity was hacked, losing more than 173,600 ETH and 25.5 million USDC (a total value of $625 million).

According to Nomad's report, the hackers managed to obtain the private keys of five of the validator nodes securing the network, and there is evidence that the attackers were the North Korean hacking group Lazarus Group. The group used sophisticated spear-phishing to obtain the private keys, and after draining the assets, the attackers laundered the stolen funds through Tornado Cash and centralized exchanges, including FTX and Huobi.

  • 💣Wormhole Lost $326 Million

On February 2, Wormhole Bridge was hacked and $326 million worth of assets were lost. The attacker bypassed the bridge's verification checks by injecting a fake sysvar account, which allowed malicious messages to be accepted by the bridge. The attacker then minted 120,000 WETH by calling the complete_wrapped function with the malicious message. Two minutes after minting, the attacker bridged 10,000 ETH to the Ethereum blockchain, and about 20 minutes later a further 80,000 ETH was moved on Ethereum. As of the end of 2022, the stolen funds remain in the attacker's wallet.

  • 💣Nomad loses $190 million

On August 1, Nomad Bridge was exploited, with losses of approximately $190 million. The attacker exploited a vulnerability in the initialization process: the contract parameter committedRoot was initialized to zero when the contract was deployed. This allowed an attacker to bypass message validation and drain the tokens held in the bridge contract. As long as the attacker deposited some ETH (such as 0.1 or even 0.0001 ETH) on one chain, he could receive any amount of ETH on the other chain.
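As an added illustration of why a zero committedRoot defeats message validation (constructed for this article, not Nomad's Solidity; the names Replica, committed_root, confirm_at and messages are assumptions), the following Python model places the vulnerable acceptance check beside the check a hardened replica performs:

```python
"""Toy model of a cross-chain message replica whose trusted-root check is
defeated by a zero committed root, next to a hardened version.

Constructed example for this article; it is not Nomad's contract code and
the names below are assumptions chosen to mirror the shape of such a contract.
"""
import hashlib

ZERO_ROOT = bytes(32)   # default value of an uninitialized bytes32 storage slot


def message_hash(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()   # stand-in for keccak256


class Replica:
    def __init__(self, committed_root: bytes, reject_zero_root: bool):
        self.reject_zero_root = reject_zero_root
        if reject_zero_root and committed_root == ZERO_ROOT:
            raise ValueError("committed root must not be zero")
        # Deployment marks the committed root as trusted. With a zero root,
        # the "trusted" entry is the same value every unproven message maps to.
        self.confirm_at = {committed_root: 1}   # root -> time it became trusted
        self.messages = {}                      # message hash -> proven root

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False                        # hardened: never trust the default
        return self.confirm_at.get(root, 0) != 0   # mappings default to 0

    def prove(self, msg: bytes, root: bytes) -> None:
        """Record that msg was proven under root (Merkle proof omitted here)."""
        self.messages[message_hash(msg)] = root

    def process(self, msg: bytes) -> bool:
        """Execute msg if its recorded root is trusted. An unproven message
        reads back the default ZERO_ROOT, which the vulnerable replica trusts."""
        root = self.messages.get(message_hash(msg), ZERO_ROOT)
        return self.acceptable_root(root)


def vulnerable_replica() -> Replica:
    return Replica(committed_root=ZERO_ROOT, reject_zero_root=False)


def hardened_replica(committed_root: bytes) -> Replica:
    return Replica(committed_root=committed_root, reject_zero_root=True)


def demo() -> dict:
    forged = b"constructed message that was never proven"
    genuine = b"constructed message proven under a real root"
    real_root = hashlib.sha256(b"constructed merkle root").digest()
    v = vulnerable_replica()
    h = hardened_replica(real_root)
    h.prove(genuine, real_root)
    return {
        "vulnerable_accepts_unproven": v.process(forged),   # True: the bug
        "hardened_rejects_unproven": not h.process(forged),
        "hardened_accepts_proven": h.process(genuine),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The defensive takeaways are the two guards the hardened version adds: refuse a zero root at initialization, and treat the storage default as "never proven" rather than as a trusted value.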

Profanity Vulnerability and Private Key Leakage

Attacks triggered by leaked private keys may be one of the most damaging events in 2022: The amount stolen through leaked private keys exceeded $1 billion in 2022, accounting for nearly one-third of annual losses. This figure represents an increase compared to 2021, when private key breaches cost $892 million. The Ronin incident is a typical example of malicious exploitation due to private key leakage.

Once a malicious actor obtains a wallet's private key, they have full control over all assets in the wallet. Compromised private keys may simply be the result of keys not being securely managed. However, the biggest such incident of the past year was caused by a specific vulnerability in the vanity addresses generated by the Profanity tool.

What is Profanity?

Most Ethereum addresses start with 0x followed by what looks like a random string of hexadecimal characters. This provides a degree of privacy, but it doesn't satisfy users who want a distinctive address. A vanity address is like a personalized license plate or a custom QQ number: a vanity address generator helps users produce keys for addresses that contain a specified word or string.

Profanity can also be used to create wallet addresses that optimize transaction fees. This was the Wintermute team's original intention in creating the 0x00000000AE347...b92280f9e75 address, but it eventually led to the wallet being hacked. The long string of leading zeros simplifies the address, reduces the computing demand on the Ethereum network and thus reduces transaction fees to a certain extent; small amounts add up over many transactions.

In January 2022, user k06a raised an issue on Profanity's GitHub repository (which its developer had abandoned more than three years earlier) about its private key generation method: Profanity uses a random 32-bit seed to generate 256-bit private keys, and the issue called attention to how those keys were generated. However, the issue does not appear to have been resolved.

Brute-forcing a password or private key amounts to using hardware to try every possible combination. If you have 1,000 keys and one lock, you simply try each key until you find the one that fits.

In just two days, the vulnerability was exploited by hackers in full view: the 0x6...b93 wallet emptied multiple vanity wallets, including 500 ETH from 0x0Babe...B05, 100 ETH from 0x888888888...597, 104.4 ETH from 0x000000...422, and further assets in other wallets, with a total value of $3.3 million.

"A set of 1000 GPUs could theoretically brute force the private key for every 7-word Vanity address generated using Profanity in 50 days. Using a Macbook M1 with 16 GB of RAM, we precomputed a dataset; this dataset only needs to be calculated once to be used for different addresses. The actual process (not counting the precomputation), for an address with seven leading zeros, takes about 40 minutes. We did it, and cracked the private key for 0x0000000...99b in less than 48 hours."

—— Amber Group

In the fast-moving world of Web 3.0, it took only two days for this vulnerability to be used to break into a Wintermute DeFi trading wallet. The resulting loss of $162 million is also the second-largest financial loss caused by private key leakage this year, second only to Ronin.

The problem has still not been resolved: all wallets built with Profanity are at risk. All users who generated wallets using Profanity should move their assets as soon as possible to wallets whose keys can be generated offline.

"Private key management security is a fundamental requirement in the Web 3.0 space. As the Profanity vulnerability and multiple other private key breaches have shown, any weakness in key generation or management can have catastrophic consequences for Web 3.0 users and applications."

Hacking group: Lazarus Group

Lazarus Group has been one of the most persistent and effective threat actors in the digital asset space. In addition to the Ronin Bridge breach, which netted them more than $500 million, the North Korean state-backed hacking group carried out several other profitable attacks in 2022. Most noteworthy are Operation In(ter)ception, the Gate.io exploit and the Harmony Horizon Bridge attack. Operation In(ter)ception is a fake job advertising scheme run by the Lazarus Group: Lazarus posts job openings on sites such as LinkedIn and asks applicants to download a PDF that deploys an executable. The malware then lets Lazarus operators target vulnerabilities in the victim's system and steal sensitive information from industry employees.

The Lazarus Group’s activities are not limited to digital assets: they were behind the Sony Pictures hack in 2014 and earlier DDoS attacks in South Korea and the United States. But since turning its attention to Web 3.0, the group's malign influence has grown. The 2017 WannaCry ransomware attack carried out by the gang was the largest of its kind, affecting more than 300,000 computers in 150 countries and demanding ransom payments in bitcoin. Spear-phishing attacks against individual users and the exploitation of South Korean exchanges have generated millions of dollars for the Lazarus Group.

Lifting the veil on the industry chain

KYC (Know Your Customer) is also known as a project background check. Project developers can choose to undergo KYC verification to show their community that they are willing to disclose their identity and tie their identity and reputation to the services they provide, increasing the project's credibility.

However, the KYC actor industry undermines the legitimacy of identity verification. CertiK recently published a report on KYC actors, based on interviews and an investigation of black-market trading. On the black market, the service of having a professional KYC actor complete the verification on your behalf can be bought for less than RMB 50. KYC that does not account for this risk of actor substitution is therefore pointless.

CertiK's KYC project background investigation service is an in-depth investigation process. The experts CertiK employs use their professional investigative backgrounds to provide the highest level of identity verification, so there is no need to worry about KYC fraud, and the risk shifts back from the community to the project developers who hold millions or even billions of dollars of user funds.

A truly decentralized protocol is one in which its developers have explicitly relinquished any ownership of the platform. Therefore, it makes sense that projects with centralized control over user funds are required by the community to undergo KYC to increase transparency and trust.

"This year, we added customized KYC project background investigation services to CertiK's end-to-end security services. Since anonymous founders may have criminal records and other issues, and teams may use KYC certifications of uneven quality or even forged ones, the lack of user trust in many Web 3.0 teams creates real problems. We will use our domain-specific knowledge and expertise to conduct project team reviews, giving team members precise and in-depth identity audits. Of course, when we share the results of this risk assessment with the community, the privacy of the team is absolutely guaranteed."

Phishing Attacks

Phishing attacks remain a constant threat in the Web 3.0 realm, and the fraudsters' tricks only get better with every step. Millions of dollars worth of assets have been stolen through phishing. Not only communities but also individual users are targeted by malware and malicious actors. New phishing methods emerge endlessly, and all of them take advantage of the irreversibility of the blockchain and the inexperience of users.

Laws and Regulations

2022 Annual Review

In 2022, the market value of digital currencies lost trillions of dollars, tens of billions of dollars were frozen in the bankruptcy proceedings of centralized institutions, and decentralized protocols lost more than $3 billion, so it is hard to paint a rosy picture of 2022.

Due to the extreme volatility, many of the top Web 3.0 players have passed into history, including projects and platforms we once thought invulnerable. But most of the surviving Web 3.0 applications and platforms are still slowly moving forward through the crisis, and so far things appear to be holding up.

The past 12 months have been a major stress test for the industry, and not everyone has made it through. But "what doesn't kill you makes you stronger", the survivors will learn the lessons of the past and fight for a more promising prospect.

Open source, decentralized systems provide real benefits to users and can make the internet a freer and fairer place, a vision to keep in mind as we build the digital future. But fairness and liberty mean nothing when your assets can be stolen in an instant. That's why safety is a crucial factor. CertiK's end-to-end security solutions provide users and builders with the tools they need to safely navigate the emerging Web 3.0 world.

Security is a choice, and one that will undoubtedly need to be made in order to bring the benefits of Web 3.0 to the broadest possible audience.

The PDF version of the report has been included and a link has been generated, welcome to download and view.

CertiK official WeChat public account background message [2022] or [Year] to get the PDF download link👌

Copy the link to your browser to download immediately:

http://certik-2.hubspotpagebuilder.com/2022 
