January 05, 2023
Beosin - Global Web3 Security Report 2022 (Text Version)
*This report is produced by Beosin, Buidler DAO, LegalDAO and Footprint Analytics. Read the full version of the Global Web3 Security Report 2022 & Crypto Regulatory Compliance Research
In 2022, Beosin EagleEye monitored over 167 major attacks in the Web3 space, with a total loss of approximately $3.6 billion from all types of attacks, an increase of 47.4% from 2021. Of these, 10 security incidents lost over $100 million in a single attack and losses of 21 security incidents ranged from $10 million to $100 million.
By project type, the 12 cross-chain bridge incidents have caused a total loss of approximately $1.89 billion, ranking first among all project types. DeFi-type protocols were attacked 113 times, or about 67.6% of the total attacks, making it the most frequently attacked project type.
A total of 20 public blockchains had major security incidents in 2022, with the top three by amount lost being Ethereum, BNB Chain, and Solana; and the top three by number of attacks being BNB Chain, Ethereum, and Solana.
Vulnerability exploits ranked highest in both frequency and loss throughout the year, with $1.458 billion lost in 87 vulnerability exploits.
Of the 167 major attacks monitored in 2022, audited and unaudited protocols accounted for roughly 50/50, at 51.5% and 48.5% respectively.
Approximately $1,396 million of stolen funds were deposited into Tornado Cash in 2022, representing 38.7% of the funds lost in all attacks. Only 8% of the stolen funds were recovered for the year, or around $289 million.
Global crypto crimes amounted to $13.76 billion for the year 2022 (financial crimes are excluded), with money laundering accounting for $7.33 billion, attacks/exploits $3.6 billion, pyramid schemes $1 billion and scams $830 million.
Among the scams in 2022, 243 Rug pulls have involved a total amount of $425 million (excluding the $440 million FTX event). Approximately 86.4% of the project rugged with funds in the range of $1k — $1M.
Global TVL shrank significantly in 2022, ending the year with TVL down approximately 80% from its peak at the beginning of the year. The market was heavily impacted by a series of black swan events represented by Three Arrows Capital, Terra Luna and FTX.
Despite a significant shrinkage in global crypto marketcap, the overall crime figure for blockchain in 2022 still reached $13.7 billion, with a significant increase in attacks compared to 2021. The past 2022 was a tough year for global blockchain security in general, and will place higher and more urgent demands on the security industry in 2023. Combating rampant hacking, accelerating the establishment of a global regulatory system, and bringing about technological breakthroughs to address existing industry shortcomings — these will be the key issues to be considered and urgently addressed in 2023.
1. Top Ten Security Incidents in 2022
No 1. Ronin Network
Loss: $624 Million
Attack Type: Social engineering
On 29 March 2022, the Axie Infinity sidechain Ronin was attacked and approximately $624 million in cryptocurrency was stolen. The hackers used the stolen private key to forge a withdrawal credential, which required at least five validators, and eventually the attackers managed to take control of five validators to steal the funds.
According to the investigation, the hackers sent a fake offer letter to Sky Mavis’ engineers by way of social engineering, and the document allowed the hackers to compromise Ronin’s system. After the attack, the stolen assets were sent to multiple addresses and laundered in batches through Tornado Cash. On 20 May, the Ronin attackers transferred the last batch of funds to Tornado Cash and all assets were laundered. On 28 June, Ronin announced its reopening on Twitter.
Beosin security team gave the following recommendations for such cross-chain bridge projects:1. Pay attention to the security of validator; 2. When the signature service is taken offline in the relevant business, the policy should be updated in time to close the corresponding service module, and the corresponding signature address can be discarded; 3. In multi-signature verification, the multi-signature service should be logically isolated from each other, and the signature content should be verified independently; 4. The project owner should monitor the abnormal situation of funds in real time.
No 2. BSC Token Hub (BNB Chain)
Loss: $560 Million
Attack Type: Blockchain vulnerability
On 7 October 2022, BNB Chain’s cross-chain bridge Token Hub was hacked. The hacker first paid 100 BNB to register as a Relayer by calling the contract at block height 21955968, and then acquired a total of 2 million BNB from BNB Chain’s TokenHub contract. The hacker then pledged 900,000 of these BNBs on BNB Chain’s lending protocol Venus and borrowed out 62.5 million in BUSD, 50 million in USDT, and 35 million in USDC.
Beosin security team found that due to the BSC Token Hub used a special pre-compiled contract for validating the IAVL tree when performing cross-chain transaction verification. The implementation is vulnerable, allowing an attacker to forge arbitrary messages.
On 24 October, Binance founder Changpeng Zhao said that the scope of the attacker’s identity had been narrowed down with the help of law enforcement. In addition, CZ said Binance was able to freeze about 80 to 90 percent of the stolen funds, with actual losses in the range of $100 million.
No 3. FTX: Hack or rug pull?
Loss: $440 Million
Attack Type: Suspected rug pull
On 15 November 2022, shortly after FTX declared bankruptcy, FTX was announced that it had been hacked. Approximately $440 million was stolen. The administrator sent a message to the official telegram group stating that the bankrupt platform had been hacked and that all applications were malware. The administrator advised users to delete the app and not to visit the site or open their apps, as this would likely contain a Trojan horse. There are still many unknowns, many believe that this is likely to be an insider operation.
No 4. Wormhole
Loss: $326 Million
Attack Type: Contract vulnerability — validation issue
On 3 February 2022, Wormhole was hacked, resulting in a loss of approximately $326 million. Analysis by the Beosin security team found that the hackers had exploited a signature verification vulnerability in Wormhole contracts that allowed hackers to forge sysvar accounts in order to mint wETH. The vulnerability had been patched in Solana 1.9.4 and was still subject to a review process before it was finally live, and the hackers took advantage of this gap to attack contracts still using Solana 1.8 contracts.
Following the attack, Wormhole announced that it had restored its cross-chain bridge funding and was back online. Crypto investment fund Jump Crypto announced on 4 February that it had invested 120,000 Ether to cover the loss of the incident in order to support Wormhole’s continued growth.
No 5. Nomad bridge
Loss: $190 Million
Attack Type: Contract vulnerability — validation issue
On 2 August 2022, Nomad, a cross-chain bridge protocol, was subjected to a massive hack that involved over 500 hacker addresses and caused a loss of $190 million. Beosin security team analysed the transaction and found that the project owner had incorrectly added 0x000…000 as an acceptable root, causing the judgement to hold, thus allowing the attacker to withdraw the funds in the contract.
As a result, any attacker could simply copy the first hacked transaction and replace it with an unused attack address, then click to send it through Etherscan to steal the funds. Also, since it was the Replica contract that was vulnerable, all its corresponding BridgeRouter-related DApps were affected, so the stolen funds exhibited a multi-token nature.
On August 3, Nomad released a note to call on whitehat hackers to return the stolen funds. As of August 15, the project has recovered $37 million.
No 6. Beanstalk
Loss: $182 Million
Attack Type: Flashloan
On April 17, 2022, the algorithmic stablecoin project Beanstalk Farms suffered a flashloan attack, with the protocol losing $182 million and the attackers making a profit of $80 million. The attackers transferred the entire $80 million to Tornado Cash soon after the attack.
The attackers initiated a proposal one day before the attack, which will withdraw the funds from the Beanstalk Protocol contract. The hacker gained a large reserve of funds via flashloan, which was then swapped repeatedly. A final vote on the proposal resulted in its being passed. In response to this incident, the Beosin security team recommends that: 1. the funds used for voting should be locked in the contract for a certain period of time and avoid using the current fund balance of the account to count the number of votes; 2. the project owner and the community should pay attention to all proposals and, if a malicious proposal occurs, it is recommended to discard the proposal; 3. Consider banning contract addresses from voting.
No 7. Wintermute
Loss: $160 Million
Attack Type: Private key compromise
On September 20, 2022, Wintermute lost $160 million in the DeFi hack. Analysis by Beosin security team found that the attackers frequently exploited 0x0000000fe6a… address to call the 0x178979ae function of the 0x00000000ae34…contract to transfer money to the attacker’s contract. By decompiling the contract, it was found that calling the 0x178979ae function required permission checks, and by querying the function, it was confirmed that the 0x0000000fe6a address had setCommonAdmin permissions, and that the address had normal interaction with the contract before the attack, so it could be confirmed that the 0x0000000fe6a’s private key was compromised.
On 21 September, Wintermute confirmed that it had used Profanity and an internal tool to create wallet addresses in June, and that the Profanity tool was at risk of private key bursting.
No 8. Mango markets
Loss: $116 Million
Attack Type: Price manipulation
On October 12, 2022, the Mango protocol on Solana was hacked, approximately $116 million was lost. The hackers used two accounts and a total of 10 million USDT as starting funds to leverage 100+ million of assets. The main reason for this attack was the leveraged contract did not limit the positions that Mango could open, allowing the attackers to raise the price of Mango tokens for profit.
No 9. Elrond
Loss: $113 Million
Attack Type: VM issue
On June 5, 2022, the blockchain network Elrond was hacked, with hackers “obtaining” nearly 1.65 million in EGLDs and dumping through the decentralised exchange Maiar, causing $EGLDs to plummet by 92%.
Elrond has posted a post-mortem that the attackers did not exploit any smart contract code vulnerabilities and that the problem was with the virtual machine. Previous bugs have been resolved and almost all of the stolen funds have been recovered. Any remaining missing funds from known bugs will be fully covered by the Elrond Foundation.
No 10. Harmony
Loss: $100 Million
Attack Type: Private key compromise
On June 24, 2022, the Harmony cross-chain bridge was attacked, costing approximately $100 million. Harmony’s founder stated that the attack on Horizon was not due to a smart contract vulnerability, but rather to a private key compromise. Although Harmony stored its private keys encrypted, the attackers decrypted some of them and signed some unauthorized transactions.
Immediately after the attack, Harmony stopped the Horizon Bridge to prevent further transactions. It then contacted the FBI and multiple partners to investigate. The hackers nevertheless laundered the stolen funds through Tornado Cash. On 27 July, Harmony issued a compensation proposal.
2. Types of Attacked Project
In 2022, 12 cross-chain bridge security incidents caused a total loss of approximately $1.89 billion, the highest loss of any project type. Five cross-chain bridge projects lost over $100 million in a single incident: Ronin ($624 million), BSC Token Hub ($560 million), Wormhole ($326 million), Nomad ($190 million) and Harmony ($100 million). The attack types mainly included social engineering, private key compromise, and blockchain / contract vulnerabilities, etc.
Of the 167 major attacks for the year, DeFi-type projects were attacked 113 times, or approximately 67.6%, which is the most frequent type being attacked. DeFi ranks second in terms of losses after the cross-chain bridge, with a total loss amounting to approximately $950 million.
A total of 21 exchange and wallet security incidents throughout the year, resulting in a total loss of approximately $600 million. These incidents involved high amounts of money and a wide range of users, and their attack techniques were mainly private key compromises, contract vulnerabilities and supply chain attacks.
3. Loss by Chain
A total of 20 public chains have experienced major security incidents in 2022, with the top three by amount lost being Ethereum, BNB Chain, and Solana; and the top three by number of attacks being BNB Chain, Ethereum, and Solana.
The 59 attacks on Ethereum caused $2.01 billion in losses, accounting for 55.8% of the total losses for the year.
There were 72 attacks on BNB Chain, with 70% of the loss in a range from one thousand to one million. Notably, approximately 64% of the projects attacked on BNB Chain were unaudited, and 80% of the unaudited projects were attacked by contract vulnerability exploits.
The seven attacks on Solana resulted in a total loss of $512.76 million, the highest average loss per incident across all chains.Major security incidents on the Solana chain include the Wormhole incident in February ($326 million), the Cashio incident in March ($48 million) and the Mango Market incident in October ($116 million).
4. Attack Type
Vulnerability exploits saw the highest frequency and loss amount throughout the year. For the year 2022, $1,458 million was lost from vulnerability exploits in 87 attacks.
The second highest loss was caused by social engineering, which is the Ronin incident in March, resulting in $624 million in losses.
The third loss was from private key compromise, with 19 compromises resulting in a total loss of approximately $430 million, including eight incidents with a single loss of over $10 million. According to the findings of some incidents, the theft of private keys by team members/ex-members is frequent, which requires project owners pay extra attention to operational security and strengthen team management.
There were also some cases of private key compromises due to the use of third-party tools, and projects are advised to conduct careful security assessments before using third-party tools.
A breakdown by type of vulnerabilities shows that the top three causes of loss were validation issues, blockchain vulnerability (BNB Chain incident) and improper business logic/function design and reentrancy.
Eighteen validation issues caused $619 million in losses, with major incidents including a signature validation vulnerability in the Wormhole incident and a message validation bypass issue in the Nomad bridge incident.
The most frequent issue was improper business logic/function design, with 30 occurrences. During Beosin’s daily audits, this type of vulnerability is also the one that appears most frequently and is most likely to be overlooked by developers.
5. Audit Analysis
Of the 167 major attacks monitored in 2022, audited and unaudited projects account for almost half of the total, at 51.5% and 48.5% respectively.
Of the 86 audited projects, 39 attacks (45%) still originated from vulnerability exploitation. The quality the overall audit market is not promising. A review of these incidents by Beosin found that the vast majority of vulnerabilities were detectable and fixable during the audit phase.
No projects that were attacked due to contract vulnerabilities in 2022 were audited by Beosin. It is recommended that projects must be audited by a professional security company before they go live in order to effectively safeguard assets.
6. Stolen Fund Flow
Approximately $1,396 million of stolen funds were transferred to Tornado Cash in 2022, representing 38.7% of all funds lost in attacks. Since Tornado Cash was sanctioned by the US OFAC in August, funds transferred to Tornado Cash have fallen significantly from the first half of the year. Only $44.85 million in stolen funds was transferred to Tornado Cash in the fourth quarter.
In 2022, approximately $289 million of stolen funds were recovered, representing only 8% of all losses. The vast majority of this came from unsolicited returns from whitehat hackers.
Around $18.2 million of the stolen funds went to various exchanges. Often hackers who involve smaller amount of stolen funds would have transferred assets to exchanges immediately after the attack. It is particularly important for exchanges to be able to identify the hacker’s address in time to block the transaction.
Approximately $443 million in stolen funds were frozen by exchanges, with the bulk of this amount stemming from the BNB Chain incident in October, when Binance immediately froze 80 to 90 percent of the hackers’ funds, resulting in an actual loss of around $100 million for that incident.
7. Rug Pulls in 2022
There were 243 rug pulls throughout 2022, involving a total amount of $425 million (excluding FTX incident).
In 2022, Rug pull events were characterised by the following features.
1. A high number of rugged projects throughout the year. On average, one project rugged every 1.5 days.
2. Short rug period. Most projects rugged within 3 months after going live, that’s why most funding amount were in the range between $1K — $1M.
3. Most projects are unaudited. Some projects have hidden backdoor functions in their code, making it difficult for the average investors to assess the security of the project.
4. Social media information is lacking. At least half of the rug pull projects do not have a well-developed website, Twitter account, or Telegraph/Discord group.
5. Projects are not standardised. Some projects have official websites and whitepapers, but on closer inspection there are many spelling and grammatical errors, and some are even plagiarised in large sections.
6. The number of tokens launched under trending events has increased. Various kinds of tokens have rugged this year, such as Moonbird, LUNAv2, Elizabeth, TRUMP, etc., which usually go online quickly and rug with the money in a flash.
Download the full report:
Beosin is a leading global blockchain security company co-founded by several professors from world-renowned universities and there are 40+ PhDs in the team. It has offices in Singapore, Korea, Japan and other 10+ countries. With the mission of “Securing Blockchain Ecosystem”, Beosin provides “All-in-one” blockchain security solution covering Smart Contract Audit, Risk Monitoring & Alert, KYT/AML, and Crypto Tracing. Beosin has already audited more than 2500 smart contracts including famous Web3 projects PancakeSwap, Uniswap, DAI, OKSwap and all of them are monitored by Beosin EagleEye. The KYT AML are serving 100+ institutions including Binance.
If you have need any blockchain security services, please contact us:
Related Project Secure Score
Guess you like
Global Web3 Security Report 2022 & Crypto Regulatory Compliance Research
January 05, 2023
Web3's Next Narrative? – Things to Know About the Ethereum Shanghai Upgrade
January 31, 2023
Blockchain Security Monthly Recap of January: $14.64M lost in attacks
February 01, 2023
Beosin and CoinW Entered Into A Strategic Partnership
February 01, 2023