The core promise of Web3 is privacy and decentralization, made possible by the absence of central authorities such as banks or other intermediaries.
But the absence of a central custodian also widens the attack surface: vulnerabilities in the DeFi projects that make up much of the Web3 ecosystem become the attacker's main way in.
Research shows that DeFi has become the dominant target, accounting for 79.2% of all attacks.
In this article we analyse the most audacious crypto hacks of 2022 and draw lessons on how to reduce their recurrence.
A brief summary of 2022 Exploits
- Q1 of 2022 saw roughly $1.2 billion in losses, and Q2 a further $718.34 million.
- Total losses in the first half of 2022 summed to $1,912.87 million.
- Of all the hacks, 45.8% were due to smart contract exploits.
- Rug pulls and flash loan attacks make up the next largest share after contract exploits.
- Flash loan attacks accounted for about $233 million in losses, and rug pulls for $34,266,402.
Comprehending The Nature Of Hacks That Accounted For Majority Losses
Wormhole bridge hack: the Wormhole hack (February 2022) is one of the largest thefts from a DeFi protocol to date, with losses of over $320M. The root cause was a vulnerability in the bridge's own program code.
The program's signature verification did not validate the account it relied on to check the guardian signatures, so the attacker could present a forged set of guardian approvals and mint 120,000 wETH on the bridge without any backing deposit.
Inverse Finance hack: the Inverse Finance hack happened in June 2022, with losses estimated at $1.2M. Here again the root cause was in the contract: the price oracle valued the collateral from the pool's balanceOf() readings, i.e. spot balances that can be moved within a single transaction.
The attacker manipulated the collateral price in the same transaction (a flash loan supplied the capital) and drained assets against the artificially inflated collateral.
BSC bridge hack: more recently, in October 2022, the cross-chain bridge BSC Token Hub was attacked, and the funds extracted from the bridge totalled around $100-$110M.
The attacker exploited a bug in the bridge's proof verification logic: a forged proof was accepted as valid, which allowed them to withdraw 2M BNB from the bridge. Only part of that amount was moved off the chain before it was halted, hence the lower figure for funds actually extracted.
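The oracle pattern behind the Inverse Finance incident, as an added example that is not code from the original article or from Inverse Finance itself. The first contract prices collateral from the pool's current token balances via balanceOf(), which a flash loan can move within one transaction; the second reads an external feed that a swap cannot influence and checks the reading for staleness before trusting it. The IPair and IPriceFeed interfaces are assumptions for illustration (the feed fields mirror the Chainlink aggregator layout), not part of the original.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal interfaces assumed for this example (not from the article).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

interface IPair {
    function token0() external view returns (address);
    function token1() external view returns (address);
}

// Hypothetical external price feed (Chainlink-style round data).
interface IPriceFeed {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
    function decimals() external view returns (uint8);
}

/// Vulnerable pattern: collateral is priced from the pool's *current*
/// balances. A flash-loan-funded swap changes both balances inside the
/// same transaction, so the attacker chooses the price they borrow against.
contract SpotPriceCollateralOracle {
    IPair public immutable pair;

    constructor(IPair _pair) {
        pair = _pair;
    }

    // Price of token0 in units of token1, scaled by 1e18.
    function getPrice() external view returns (uint256) {
        uint256 r0 = IERC20(pair.token0()).balanceOf(address(pair));
        uint256 r1 = IERC20(pair.token1()).balanceOf(address(pair));
        require(r0 > 0, "empty pool");
        return (r1 * 1e18) / r0; // manipulable within one transaction
    }
}

/// Hardened pattern: the price comes from a feed that an in-transaction
/// swap cannot move, and the reading is sanity- and staleness-checked.
contract FeedCollateralOracle {
    IPriceFeed public immutable feed;
    uint256 public immutable maxAge; // seconds a reading may be old

    constructor(IPriceFeed _feed, uint256 _maxAge) {
        feed = _feed;
        maxAge = _maxAge;
    }

    // Price scaled to 1e18 regardless of the feed's own decimals.
    function getPrice() external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0, "bad price");
        require(answeredInRound >= roundId, "stale round");
        require(block.timestamp - updatedAt <= maxAge, "stale price");
        return (uint256(answer) * 1e18) / (10 ** uint256(feed.decimals()));
    }
}
```

Where no external feed exists for an asset, a time-weighted average price (TWAP) accumulated over many blocks serves the same purpose: the attacker can still move the spot price for one transaction, but not the average the lending logic reads.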
Critical Contract Vulnerabilities Leveraged By Hackers
Beyond the issues in the incidents above, a number of other coding flaws are regularly leveraged to steal funds. The most common are:
- Function default visibility
- Reentrancy issues
- Timestamp dependence
- Unchecked external call
- Byte array vulnerabilities
- Malicious libraries
- Unpinned or outdated compiler version
- DoS with unexpected revert
- Unchecked math (integer overflow/underflow)
- Incorrect calculation of output token amount
- Interface issues
- Use of blockhash as a source of randomness
- Incorrectly handled exceptions
How To Deal With Smart Contract Vulnerabilities And Reduce The Chances Of Exploit?
Statistics show that most of the hacks in 2022 were due to contract vulnerabilities such as flawed business logic, missing validation, permission issues, call injection, reentrancy and unchecked k-values (the AMM invariant), among others.
The attacks were not confined to one network: Ethereum, BNB Chain, Solana and others were all hit. In the aftermath, the hacked protocols typically saw their TVL decline.
Looking more closely, 52% of the hacked projects had been audited and the rest had not. An audit is therefore necessary but not sufficient, and Web3 security still depends heavily on projects seeking independent review.
However polished a contract looks, a third-party audit can surface flaws the developers overlooked, and a thorough review by a security audit firm greatly reduces the chance that exploitable bugs remain in the contract.
Since audited projects were also hacked, it matters which firm you choose: look for one with a good reputation and a track record of auditing well-established Web3 projects.