CertiK Q2 Web3.0 Industry Report: In-depth Analysis of $310 Million Losses "Behind the Scenes Mastermind"
CertiK
Guest columnist
2023-07-06 12:29
Security incidents in the second quarter of 2023 caused total losses of roughly $310 million. Losses from flash loan attacks and oracle manipulation fell sharply, but losses from exit scams more than doubled compared with the first quarter. In addition, the latest act

Summary

  • Hackers and other malicious actors extracted a value of $310 million from the Web 3.0 industry in the second quarter of 2023.

  • This number is close to the $320 million loss in the first quarter and a 58% decrease from the $745 million loss in the second quarter of 2022.

  • CertiK detected a total of 212 security incidents, which means an average loss of $1.48 million per incident in the second quarter. This number slightly decreased compared to the average loss of $1.56 million per incident in the first quarter.

  • 98 exit scams stole $70.35 million from investors, more than doubling the $31 million loss caused by exit scams in the first quarter.

  • 54 flash loan attacks and oracle manipulation incidents earned attackers $23.75 million. This is a sharp decrease from the $222 million lost to 52 oracle manipulation incidents in the first quarter, although that quarter was dominated by the Euler Finance exploit, which alone accounted for 85% of the first-quarter total.

  • There were also major "off-chain" events in the industry: the U.S. Securities and Exchange Commission brought charges against two of the largest cryptocurrency exchanges, and the world's largest asset manager filed for a Bitcoin ETF.

  • At the same time, CertiK security researchers have also discovered major vulnerabilities in major blockchain protocols and applications, including security risks in the Sui validator nodes and the ZenGo MPC wallet.

(Partial data from the report, shown as images in the original)

Introduction

The total loss recorded in the Web 3.0 field for the second quarter of 2023 is $313,566,528, which is almost the same as the previous quarter and a decrease of 58% compared to the same period last year. The average loss per incident has also seen a slight decline.

Looking at the second quarter, losses from oracle manipulation fell sharply while losses from exit scams rose, indicating a shift in the tactics adopted by malicious actors.

As the industry develops, cases such as the attack on MEV bots and the discovery of the "hamster wheel" denial-of-service threat on the Sui blockchain confirm the importance of continuous in-depth security research, proactive measures, and sustained vigilance. Every challenge overcome brings us one step closer to a more secure Web 3.0 space.

View the report for more detailed content and data.

MEV Bots Exploited by a Malicious Validator

In early April, MEV bots were exploited in Ethereum block 16964664: a malicious validator replaced several MEV transactions, causing losses of approximately $25.38 million, the largest attack on MEV bots to date. Eight MEV transactions in that block were exploited. The validator had been set up on March 15, 2023 by the externally owned account (EOA) 0x687A9 and had registered as a proposer with the Flashbots MEV-Boost relay, a system designed to keep a block's contents hidden from the proposer until the proposer has committed to the block.

A vulnerability in mev-boost-relay, however, let the malicious validator obtain the full contents of a block before it was published, and so intercept the MEV bots' sandwich strategies, in particular their back-run (reverse) trades. With that detailed transaction information the validator constructed its own block and inserted its own transactions ahead of the bots' original ones.

In total, the validator stole approximately $25 million from 5 MEV bots, making this one of the largest MEV bot losses CertiK has recorded. Over the past 12 months only 6 MEV bot exploits have been found, and this incident alone accounts for 92% of their combined $27.5 million in losses. The validator triggered the attack by submitting to the relay a block that was correctly signed but invalid; the relay revealed the block's transactions in response, and the validator then rebundled them to extract assets from the MEV bots. The vulnerability has since been patched.
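The ordering problem behind this incident, as an added illustration that is not mev-boost-relay's code or CertiK's: a constructed relay that hands the proposer the block's transactions as soon as the proposer's signature checks out (the vulnerable ordering) beside one that first submits the block to the beacon node and reveals the payload only if the block is accepted. The proposer's BLS signature is stood in for by an HMAC, beacon-node validation is reduced to a parent-root check, and the `get_header`/`get_payload`/`submit_block` names, the sandwich bundle and all keys are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed model of the relay flow. The proposer commits to a block by
# signing (slot, parent_root, block_hash); the transactions behind block_hash
# are supposed to stay hidden until the block is on chain.


@dataclass
class BuilderPayload:
    block_hash: str
    txs: list  # ordered transactions, hidden from the proposer until commitment


@dataclass
class SignedBlindedBlock:
    slot: int
    parent_root: str  # must equal the chain head for the block to be valid
    block_hash: str   # commitment to the builder payload
    signature: str    # proposer's signature over (slot, parent_root, block_hash)


def sign_block(proposer_key: bytes, slot: int, parent_root: str, block_hash: str) -> str:
    """HMAC stand-in for the proposer's BLS signature (constructed)."""
    msg = f"{slot}|{parent_root}|{block_hash}".encode()
    return hmac.new(proposer_key, msg, hashlib.sha256).hexdigest()


class BeaconNode:
    """Stand-in for the consensus client the relay publishes through."""

    def __init__(self, head_root: str):
        self.head_root = head_root
        self.published = []

    def publish(self, block: SignedBlindedBlock) -> bool:
        # A block that does not build on the current head is rejected by the
        # network however well it is signed (constructed rule; real validation
        # checks far more than this).
        if block.parent_root != self.head_root:
            return False
        self.published.append(block.block_hash)
        return True


class Relay:
    def __init__(self, proposer_key: bytes, beacon: BeaconNode, release_before_validation: bool):
        self.proposer_key = proposer_key
        self.beacon = beacon
        self.release_before_validation = release_before_validation  # True = vulnerable ordering
        self.payloads = {}

    def submit_block(self, payload: BuilderPayload):
        self.payloads[payload.block_hash] = payload

    def get_header(self, block_hash: str) -> str:
        return block_hash  # the proposer only ever sees the commitment

    def get_payload(self, block: SignedBlindedBlock):
        expected = sign_block(self.proposer_key, block.slot, block.parent_root, block.block_hash)
        if not hmac.compare_digest(expected, block.signature):
            return None
        payload = self.payloads.get(block.block_hash)
        if payload is None:
            return None
        if self.release_before_validation:
            # Vulnerable ordering: a correct signature is treated as commitment,
            # the transactions are handed over, and only then is the block
            # published. A signed-but-invalid block leaks the payload for free.
            self.beacon.publish(block)
            return payload.txs
        # Hardened ordering: the block must be accepted for publication first;
        # the payload is revealed only for a block that actually went on chain.
        if not self.beacon.publish(block):
            return None
        return payload.txs


def rebundle_sandwich(txs: list, attacker: str) -> list:
    """What the malicious proposer does with leaked transactions: keep the bot's
    front-run and the victim's swap, replace the bot's back-run with its own."""
    return [
        {"from": attacker, "kind": "backrun", "pool": tx["pool"]} if tx["kind"] == "backrun" else tx
        for tx in txs
    ]


def run_attack(release_before_validation: bool) -> dict:
    key = b"proposer-secret-constructed"
    beacon = BeaconNode(head_root="head-root-A")
    relay = Relay(key, beacon, release_before_validation)
    sandwich = [  # constructed sandwich bundle as a builder would include it
        {"from": "mev-bot", "kind": "frontrun", "pool": "WETH/USDC"},
        {"from": "victim", "kind": "swap", "pool": "WETH/USDC"},
        {"from": "mev-bot", "kind": "backrun", "pool": "WETH/USDC"},
    ]
    relay.submit_block(BuilderPayload("0xbeef", sandwich))
    # Malicious proposer: correctly signed, but built on a stale parent, so the
    # network will never accept the block.
    stale = SignedBlindedBlock(1, "stale-root", "0xbeef", sign_block(key, 1, "stale-root", "0xbeef"))
    leaked = relay.get_payload(stale)
    return {
        "leaked": leaked is not None,
        "attacker_block": rebundle_sandwich(leaked, "malicious-validator") if leaked else None,
        "published": beacon.published,
    }
```

With `release_before_validation=True` the stale block is never published, yet the proposer walks away with the sandwich and can rebuild it with its own back-run; with the hardened ordering the same request returns nothing. The general check is that a relay must not treat "signed" as "committed" until the network has actually accepted the block.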

For more information about MEV bots and sandwich attacks, please refer to the report.

Atomic Wallet is Hacked

In early June of this year, more than 5,000 Atomic Wallet users suffered the largest security incident of the quarter, with losses exceeding $100 million. Atomic Wallet initially stated that less than 1% of its monthly active users were affected, and later revised that to less than 0.1%. The scale of the attack and the size of the losses highlight how serious security vulnerabilities in wallet applications can be. The attackers targeted users' private keys to gain complete control of their assets; with the keys in hand, they transferred the assets to their own addresses and emptied the victims' accounts.

Reported individual losses varied, the largest being $7.95 million, and the five most affected retail investors lost a combined $17 million. In an effort to recover the funds, Atomic Wallet publicly offered the attackers 10% of the stolen funds in exchange for returning the remaining 90%. However, given the track record of the Lazarus Group, to which the attack has been attributed, and the fact that the stolen funds have already started to be laundered, the prospects of recovery are very slim.

For more analysis on Atomic Wallet and the "mastermind" behind it, please refer to the report.

Sui "Hamster Wheel" New Vulnerability

Previously, the CertiK team discovered a series of denial-of-service vulnerabilities in the Sui blockchain. One of them stands out as new and highly impactful: it can leave Sui network nodes unable to process new transactions, effectively shutting down the entire network. CertiK received a $500,000 bug bounty from Sui for the discovery. The finding was reported by CoinDesk, a leading U.S. media outlet, and other major outlets followed with related coverage.

The vulnerability is vividly referred to as the "hamster wheel" because its attack method differs from known attacks: an attacker only needs to submit a payload of about 100 bytes to trigger an infinite loop in a Sui validator node, leaving it unresponsive to new transactions. Worse, the damage persists across network restarts and propagates automatically through the Sui network, until every node is unable to process new transactions, like hamsters running endlessly on a wheel. That is why we call this unique attack type the "hamster wheel" attack.
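The failure mode described above, as an added, constructed model that is not Sui's code and does not reproduce the actual bug: a validator keeps a persisted transaction queue, gossips transactions to its peers, and executes each one; a tiny payload whose execution never terminates stalls the node, comes back after a restart because the queue is persisted, and reaches every peer it was forwarded to. The mitigation shown, a per-transaction step budget plus a persisted quarantine list so a known poison transaction is neither re-executed nor re-forwarded, is the generic defence for this class and is an assumption of the example, not a description of Sui's fix. The toy instruction set (`inc`, `jmp`, `halt`), the `Node` class and its `submit`/`process_all` methods are all hypothetical.

```python
import json

# Constructed model of a validator processing persisted, gossiped payloads.
# Toy "bytecode": a list of instructions: ("inc",), ("jmp", target), ("halt",).


def execute(program: list, max_steps: int) -> tuple:
    """Run the program under a step budget.
    Returns ("halt", steps) or ("budget_exceeded", max_steps)."""
    pc, acc, steps = 0, 0, 0
    while steps < max_steps:
        op = program[pc]
        steps += 1
        if op[0] == "halt":
            return ("halt", steps)
        if op[0] == "inc":
            acc += 1
            pc += 1
        elif op[0] == "jmp":
            pc = op[1]  # a self-referencing jump never terminates on its own
        else:
            raise ValueError(f"unknown op {op!r}")
    return ("budget_exceeded", steps)


class Node:
    def __init__(self, name: str, storage: dict, max_steps: int = 1000):
        self.name = name
        self.storage = storage  # survives restarts (constructed persistence)
        self.storage.setdefault("queue", [])
        self.storage.setdefault("quarantine", [])
        self.max_steps = max_steps
        self.peers = []

    def submit(self, tx_id: str, program: list):
        if tx_id in self.storage["quarantine"]:
            return  # known poison: never re-queue it and never forward it
        if any(t[0] == tx_id for t in self.storage["queue"]):
            return
        self.storage["queue"].append((tx_id, program))
        for peer in self.peers:
            peer.submit(tx_id, program)  # gossip: the payload spreads on its own

    def process_all(self) -> list:
        """Execute every queued transaction; quarantine any that exhausts its budget.
        Without the budget, the first poison transaction would block this loop forever."""
        results = []
        while self.storage["queue"]:
            tx_id, program = self.storage["queue"].pop(0)
            verdict, steps = execute(program, self.max_steps)
            if verdict == "budget_exceeded":
                self.storage["quarantine"].append(tx_id)
            results.append((tx_id, verdict, steps))
        return results


def restart(node: Node) -> Node:
    """A restart keeps only what was persisted: the queue and the quarantine list."""
    return Node(node.name, node.storage, node.max_steps)


def run_scenario() -> dict:
    a, b = Node("A", {}), Node("B", {})
    a.peers.append(b)
    poison = [("jmp", 0)]  # constructed: a single instruction is enough to loop forever
    a.submit("tx-good", [("inc",), ("inc",), ("halt",)])
    a.submit("tx-poison", poison)  # gossiped to B as well
    first = {n.name: n.process_all() for n in (a, b)}
    # Node A restarts and a peer re-sends the poison; the persisted quarantine
    # drops it before it is executed or forwarded again.
    a2 = restart(a)
    a2.submit("tx-poison", poison)
    return {
        "payload_bytes": len(json.dumps(poison).encode()),
        "first": first,
        "after_restart": a2.process_all(),
        "quarantine_a": a.storage["quarantine"],
        "quarantine_b": b.storage["quarantine"],
    }
```

Both nodes hit the budget on the poison transaction and quarantine it, the good transaction still executes, and after the restart the re-gossiped poison is discarded without being run. The point for a practitioner is that bounding work per payload is only half the fix: the verdict has to be persisted, or a restart simply re-enters the same loop.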

After discovering this vulnerability, CertiK reported it to Sui through Sui's bug bounty program. Sui promptly responded, acknowledging the severity of the vulnerability and taking appropriate measures to address the issue before the mainnet launch.

In addition to fixing this specific vulnerability, Sui implemented preventive mitigations to limit the potential damage from this kind of attack. In recognition of CertiK's responsible disclosure, Sui awarded the CertiK team a $500,000 bounty.

For more details, please consult the report for text and video content.

Server-Side Vulnerability in an MPC Wallet

Multi-party computation (MPC) is a cryptographic technique that lets several participants jointly compute a function over their inputs while keeping those inputs private: no participant's input is revealed to the others or to any third party. It has many applications, including privacy-preserving data mining, secure auctions, financial services, secure multi-party machine learning, and secure sharing of passwords and other secrets.

During a proactive security analysis, CertiK's Skyfall team discovered a serious vulnerability in the security architecture of the popular MPC wallet ZenGo, which CertiK calls a "device forking attack". An attacker could exploit it to bypass ZenGo's existing security measures and potentially take control of a user's funds. The key to the attack was abusing the API to create a new device key and trick ZenGo's servers into treating it as a legitimate device belonging to the user.

In accordance with responsible disclosure principles, the Skyfall team promptly reported the vulnerability to ZenGo. Recognizing its severity, ZenGo's security team fixed it immediately. The patch was applied at the API level on the server, so no client update was needed. After the fix, ZenGo publicly acknowledged the findings and thanked CertiK for its role in strengthening the security and trustworthiness of its MPC wallet.
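The two ideas above, a wallet key that is never assembled in one place and a server that must decide which devices may ask for its half of a signature, as an added illustration that is not ZenGo's protocol or code and not CertiK's: a constructed 2-of-2 wallet in which the server and the device each hold an additive share of a Schnorr key, and the server co-signs only for devices bound to the account. The hypothetical `register_device` endpoint is shown in a `strict=False` form that models the flaw as the report describes it (any caller that can reach the API adds a device) and a `strict=True` form that requires a proof of possession from a device that is already bound, which is the kind of server-side check the report says closed the hole. The group parameters (a 1019-element safe-prime group, generator 4), the `MpcServer` API, the `alice`/`bob` names and all keys are constructed; the nonce exchange has no commitment round, which a real protocol needs, because the example is about the authorization gate, not the signing protocol.

```python
import hashlib
import secrets

# Constructed toy Schnorr group: P is a safe prime, Q = (P - 1) / 2 is the order
# of the subgroup generated by G = 4. Illustrative size only.
P, Q, G = 1019, 509, 4


def h(*parts: bytes) -> int:  # hash-to-scalar for challenges and request binding
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q


def b2(n: int) -> bytes:
    return n.to_bytes(2, "big")


def keygen() -> tuple:
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes) -> tuple:
    """Plain Schnorr signature; devices use it to authenticate API requests."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    return R, (r + h(b2(R), b2(pow(G, x, P)), msg) * x) % Q


def verify(X: int, msg: bytes, sig: tuple) -> bool:
    R, s = sig
    return pow(G, s, P) == (R * pow(X, h(b2(R), b2(X), msg), P)) % P


class MpcServer:
    """Holds the server share x_s and the device keys bound to each user.
    strict=False: any caller that reaches the API can add a device (the flaw).
    strict=True: a new device needs proof of possession from a bound device."""

    def __init__(self, strict: bool):
        self.strict = strict
        self.users = {}

    def enroll(self, user: str, device_pub: int, device_wallet_pub: int) -> int:
        x_s, X_s = keygen()
        self.users[user] = {"x_s": x_s, "devices": {device_pub},
                            "wallet_pub": (X_s * device_wallet_pub) % P}
        return X_s  # the device combines it with G^x_d to learn the wallet key

    def register_device(self, user: str, new_pub: int, proof=None) -> bool:
        u = self.users[user]
        if self.strict:  # proof = (bound_device_pub, signature over "register|new_pub")
            if proof is None or proof[0] not in u["devices"]:
                return False
            if not verify(proof[0], b"register|" + b2(new_pub), proof[1]):
                return False
        u["devices"].add(new_pub)
        return True

    def cosign(self, user: str, device_pub: int, msg: bytes, R_d: int, req_sig: tuple):
        """Server's partial signature (R_s, s_s) for a bound device, else None."""
        u = self.users[user]
        if device_pub not in u["devices"] or not verify(device_pub, msg + b2(R_d), req_sig):
            return None
        r_s = secrets.randbelow(Q - 1) + 1
        R_s = pow(G, r_s, P)
        e = h(b2((R_s * R_d) % P), b2(u["wallet_pub"]), msg)
        return R_s, (r_s + e * u["x_s"]) % Q


def device_sign(server, user, d_auth, D_auth, x_d, wallet_pub, msg: bytes):
    """Device side of co-signing: combine the two partial signatures into one."""
    r_d = secrets.randbelow(Q - 1) + 1
    R_d = pow(G, r_d, P)
    part = server.cosign(user, D_auth, msg, R_d, sign(d_auth, msg + b2(R_d)))
    if part is None:
        return None
    R_s, s_s = part
    R = (R_s * R_d) % P
    return R, (s_s + r_d + h(b2(R), b2(wallet_pub), msg) * x_d) % Q


def run_scenario(strict: bool) -> dict:
    server = MpcServer(strict)
    d_auth, D_auth = keygen()  # legitimate device: API-auth key
    x_d, X_d = keygen()        # legitimate device: wallet share
    X_s = server.enroll("alice", D_auth, X_d)
    wallet_pub = (X_s * X_d) % P
    msg = b"transfer:1.0:to:bob"
    legit = device_sign(server, "alice", d_auth, D_auth, x_d, wallet_pub, msg)
    _, D2 = keygen()  # second device added by the real user, with proof from the bound one
    second = server.register_device("alice", D2, (D_auth, sign(d_auth, b"register|" + b2(D2))))
    # Attacker who can reach the registration API (assumed, e.g. via a stolen
    # session) forks a device of their own and asks the server to co-sign.
    a_auth, A_auth = keygen()
    forked = server.register_device("alice", A_auth)
    drained = None
    if forked:
        r_a = secrets.randbelow(Q - 1) + 1
        R_a = pow(G, r_a, P)
        drained = server.cosign("alice", A_auth, b"drain", R_a, sign(a_auth, b"drain" + b2(R_a)))
    return {"legit_valid": verify(wallet_pub, msg, legit), "second_device": second,
            "fork_registered": forked, "server_cosigned_for_fork": drained is not None}
```

In the `strict=False` run the legitimate signature verifies and the forked device is registered and obtains the server's partial signature on an attacker-chosen message; in the `strict=True` run the legitimate flows, including adding a second device with proof from the first, still work, but the fork is refused and the server never co-signs for it. The check lives entirely on the server, which is why a fix of this shape needs no client update.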

"Multi-party computation has broad prospects and many important applications in the Web 3.0 domain. While MPC technology reduces the risks associated with single points of failure, implementing MPC solutions introduces new complexities in the design of cryptocurrency wallets. These complexities can lead to new security risks, underscoring the necessity of comprehensive auditing and monitoring approaches." - Professor Li Kang, Chief Security Officer at CertiK

For more details, please refer to the report for a detailed analysis with text and images.

(Partial contents of the report, shown as images in the original)

Download Method

1. Open the following link in a browser to download the report: http://certik-2.hubspotpagebuilder.com/2023-q2-web3-en-0

2. Follow the CertiK official WeChat account and send the keyword "2023 Q2 Report" to receive the PDF download link.
