Web3 Vulnerabilities Unveiled: A Deep Dive into Major Hacks and Exploits (2024)

Every new technology has its own set of vulnerabilities, which are eventually discovered and exploited by hackers and scammers. In the early days of Web3, it was promoted as the safest version of the internet so far, equipped with the prominent features of blockchain. Unfortunately, Web3 security vulnerabilities led to losses worth $3.7 billion in 2022, more than double the losses of the year before.

This proved that just like web2, web3 has its own cons and vulnerabilities, which can be exploited by hackers and can cause really big losses. But in some ways, the vulnerabilities of web3 are more harmful than those of web2.

In web2, a hacker can access your personal information, which could result in a leak of your address, bank, debit card, or credit card details. But in such cases, banks, being the centralized authorities, can easily freeze your account or block your credit or debit cards. And this could easily prevent severe losses.

But in Web3, hackers can get access to your crypto accounts by stealing your private keys or by compromising smart contracts. They can then completely drain your crypto accounts and steal your digital assets. Worse, because Web3 transactions are irreversible, the losses cannot be reversed or stopped. As such losses have occurred in the recent past, let's discuss some of the major Web3 hacks and exploits in detail.

Types of Web3 Security attacks with examples

User Targeted Phishing

We were all familiar with phishing attacks long before Web3 came into existence. In such attacks, phishers send tempting messages to their prey as bait through various channels such as email, Facebook Messenger, Instagram messages, etc. Opening such messages could divulge users' sensitive information to the phishers, which could further help them steal users' money.

Now that people can directly and instantly trade their digital assets, like NFTs and tokens, phishers are targeting those as well. These methods can be used even by people without technical expertise to steal digital assets. Usually, organized groups use these methods to rob high-value targets.

In Feb 2022, 17 users of the online Web3 marketplace OpenSea became victims of a phishing attack. In this attack, more than 250 NFTs worth over $1.7 million were stolen. A few months before this, in December 2021, the users of the Badger DAO platform became victims of a similar phishing attack and lost $120 million worth of cryptocurrencies.

Governance Attacks

Many Web3 projects these days have some form of governance mechanism. Through it, token holders can put forward and vote on proposals that can alter the network. Lately, hackers have also been using this mechanism to submit malicious proposals and damage the network.

In April 2022, Beanstalk Farms, a coin-based stablecoin protocol, became the victim of a governance attack. The attackers proposed a flash loan in the name of funds for Ukraine and stole $182 million in the form of collateral from the platform. If a governance vote triggers automatic execution of the proposal, an attack is much easier to carry out. It is far harder if execution requires manual sign-off from the parties involved.
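The difference between automatic execution and manual sign-off, as an added example that is not taken from the original article or from any real protocol's code. The `Governor` and `Proposal` classes, the two-thirds threshold, the signer names and the amounts are all assumptions made for this toy model.

```python
from dataclasses import dataclass, field

# Constructed toy model; every name and the 2/3 threshold are hypothetical.
@dataclass
class Proposal:
    recipient: str
    amount: int
    votes_for: int = 0
    signoffs: set = field(default_factory=set)
    executed: bool = False

class Governor:
    def __init__(self, treasury, total_supply, signers=(), required_signoffs=0):
        self.treasury, self.total_supply = treasury, total_supply
        self.signers = frozenset(signers)
        self.required_signoffs = required_signoffs  # 0 = the vote alone executes

    def vote(self, proposal, weight):
        proposal.votes_for += weight
        return self._try_execute(proposal)  # automatic execution path

    def sign_off(self, proposal, signer):
        if signer not in self.signers:
            raise PermissionError("not an authorised signer")
        proposal.signoffs.add(signer)
        return self._try_execute(proposal)

    def _try_execute(self, proposal):
        passed = proposal.votes_for * 3 >= self.total_supply * 2
        approved = len(proposal.signoffs) >= self.required_signoffs
        if proposal.executed or not (passed and approved):
            return False
        if proposal.amount > self.treasury:
            raise ValueError("treasury cannot cover the proposal")
        proposal.executed = True
        self.treasury -= proposal.amount
        return True

def scenario(required_signoffs):
    # A single voter briefly holds 700 of 900 tokens (e.g. borrowed voting power).
    gov = Governor(1000, 900, signers={"s1", "s2", "s3"},
                   required_signoffs=required_signoffs)
    proposal = Proposal(recipient="0xPLACEHOLDER", amount=1000)
    executed_on_vote = gov.vote(proposal, weight=700)
    return gov, proposal, executed_on_vote
```

With `required_signoffs=0` the treasury is emptied by the vote itself; with two sign-offs required, the passed proposal waits until named signers approve it, which gives reviewers time to reject it.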

Zero-day Exploits

These are completely novel Web3 security attacks with no precedent before they occur, hence the name zero-day attacks. And because these attacks are completely unprecedented, they are the hardest to prevent and defend against.

As no one can claw back crypto funds after they are stolen, Web3 has made these expensive and labor-intensive security attacks much more worthwhile for attackers. Attackers now spend a long time analyzing the code that runs on-chain applications to find the one bug that justifies all the time spent. And even a single unprecedented vulnerability can be used to attack a completely unsuspecting project.

In April 2022, a reentrancy attack was carried out on a lending network, Voltage Finance, which caused them a loss of $4.67 million. The attackers found a reentrancy vulnerability in its ERC677 token standard. Although reentrancy is a common bug, hackers exploit it to make repeated calls to the protocol and trick the smart contracts in order to steal assets.

A call acts as an authorization signal for the smart contract address, which enables it to interact with the user's wallet address. And using such bugs, attackers can easily rob users.
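The repeated-call pattern described above, modelled in Python as an added example; it is not code from the original article or from Voltage Finance. All class names, the `on_token_transfer` hook and the balances are assumptions: the token notifies the receiver after moving funds, one pool updates its books after that callback, and the other updates them first and rejects nested calls.

```python
from collections import defaultdict
from contextlib import suppress
# Constructed toy model; every name and amount here is hypothetical.
class CallbackToken:  # callback-style token: receiver hook runs after funds move
    def __init__(self):
        self.balances = defaultdict(int)
    def transfer_and_call(self, sender, receiver, amount):
        if self.balances[sender] < amount:
            raise ValueError("insufficient token balance")
        self.balances[sender] -= amount
        self.balances[receiver] += amount
        # Control passes to receiver-controlled code here.
        getattr(receiver, "on_token_transfer", lambda amount: None)(amount)

class VulnerablePool:
    def __init__(self, token):
        self.token, self.deposits = token, defaultdict(int)
    def withdraw(self, user):
        amount = self.deposits[user]
        if amount:
            self.token.transfer_and_call(self, user, amount)  # interaction first
            self.deposits[user] = 0                           # effect last

class HardenedPool(VulnerablePool):
    _locked = False
    def withdraw(self, user):
        if self._locked:  # reentrancy guard
            raise RuntimeError("reentrant call rejected")
        self._locked = True
        try:
            # Checks-effects-interactions: zero the deposit before paying out.
            amount, self.deposits[user] = self.deposits[user], 0
            if amount:
                self.token.transfer_and_call(self, user, amount)
        finally:
            self._locked = False

class ReentrantReceiver:  # test double: calls withdraw again from the callback
    def __init__(self, pool):
        self.pool = pool
    def on_token_transfer(self, amount):
        if self.pool.token.balances[self.pool] >= amount:
            with suppress(RuntimeError):
                self.pool.withdraw(self)

def run(pool_cls):
    pool = pool_cls(CallbackToken())
    receiver = ReentrantReceiver(pool)
    # The pool holds 300 tokens; only 100 of them belong to the receiver.
    pool.token.balances[pool], pool.deposits[receiver] = 300, 100
    pool.withdraw(receiver)
    return pool.token.balances[receiver], pool.token.balances[pool]
```

`run(VulnerablePool)` pays the same 100-token deposit out three times, while `run(HardenedPool)` pays it once and leaves the other 200 tokens in the pool.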

Endnote

It is quite uncertain how long the industry will take to become familiar with these attacks and make itself immune to them. However, more investment in security defenses like monitoring, auditing, and tooling will certainly make it much more difficult for hackers to attack.

Article information

Author: Otha Schamberger