In a recent report by blockchain security platform Immunefi, it was revealed that nearly half of all cryptocurrency lost from Web3 exploits can be attributed to Web2 security issues, such as leaked private keys. This eye-opening information highlights the urgent need for stronger security measures in the cryptocurrency space. Released on November 15, the report delves into the history of crypto exploits in 2022, categorizing them based on the types of vulnerabilities involved.
The Dominance of Infrastructure Weaknesses
According to the report, an alarming 46.48% of the total crypto lost from exploits in 2022 can be attributed to “infrastructure weaknesses” or issues within the developing firm’s computer systems. These vulnerabilities, although not directly related to flaws in smart contracts, pose significant risks to the security of the entire ecosystem. It is essential to address and mitigate these weaknesses to safeguard the value and integrity of cryptocurrencies.
When looking at the number of incidents rather than the value of crypto lost, Web2 vulnerabilities accounted for 26.56% of the total. While this figure is lower than the percentage of total losses, it still signifies the importance of strengthening security measures within the Web2 framework. Web2 security issues remain the second-largest category of vulnerabilities, demonstrating the need for diligent attention to these concerns.
Immunefi’s report explicitly focused on security vulnerabilities that led to attacks, excluding exit scams, frauds, and market manipulation-related exploits. The report classifies attacks into three main categories based on their causes:
1. Design Flaws in Smart Contracts: Some attacks occur due to design flaws present within smart contracts themselves. For instance, the report references the BNB Chain bridge hack as an example of this category of vulnerability.
2. Flawed Code Implementation: Attacks can also arise from flaws in the code implementing the design of a smart contract, even if the initial design is sound. The Qubit hack serves as an instance of this type of vulnerability.
3. Infrastructure Weaknesses: The third category encompasses vulnerabilities related to the IT infrastructure on which a smart contract operates, including virtual machines and private keys. The Ronin bridge hack is an example of an attack resulting from an infrastructure weakness, as the attacker gained control of the signatures of five of the nine Ronin validator nodes.
To address infrastructure weaknesses more comprehensively, Immunefi further breaks them down into various subcategories. These subcategories include:
1. Private Key Leakage: One cause of infrastructure compromise is an employee leaking a private key, often through an insecure channel. This exposes the system to exploitation by malicious actors.
2. Weak Passphrases and Key Vaults: The use of weak passphrases for key vaults can compromise the security of the system. Implementing robust passphrase protocols is vital to protect against potential breaches.
3. Two-Factor Authentication Issues: Problems with two-factor authentication systems introduce vulnerabilities that can be exploited by attackers. Addressing these weaknesses is crucial to ensure the effectiveness of authentication mechanisms.
4. DNS and BGP Hijacking: Hijacking of the domain name system (DNS) or the border gateway protocol (BGP) poses significant risks to the security of infrastructure. Safeguarding against these hijacking tactics is paramount.
5. Compromised Hot Wallets: Utilizing weak encryption methods or storing encryption keys in plaintext within hot wallets can lead to severe security breaches. Strengthening encryption practices is essential to mitigate such risks.
In addition to infrastructure weaknesses, Immunefi’s report highlights the significant impact of “cryptographic issues” on crypto losses. These issues include Merkle tree errors, signature replayability, and predictable random number generation. Although they may constitute a smaller percentage in terms of value (20.58%), they are responsible for the highest number of incidents (30.47%) in 2022.
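Signature replayability, one of the cryptographic issues named above, is usually a missing binding between a signature and the context it was meant for. The following Go program is an added example, not code from Immunefi or from any project covered by the report: it contrasts a digest that covers only the payload with one that also commits to the chain ID, the verifying contract and a per-signer nonce, and a verifier that honours each (signer, nonce) pair once. The Withdrawal type, the contract name and the field layout are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Withdrawal is a constructed stand-in for an off-chain authorised action.
type Withdrawal struct{ Recipient string; Amount uint64 }
func u64(x uint64) []byte { b := make([]byte, 8); binary.BigEndian.PutUint64(b, x); return b }
// field length-prefixes a string so adjacent fields cannot be re-split.
func field(s string) []byte { return append(u64(uint64(len(s))), s...) }

// naiveDigest covers only the payload, so one signature over it verifies on
// every chain, for every contract, and as often as it is resubmitted.
func naiveDigest(w Withdrawal) []byte {
	h := sha256.Sum256(append(field(w.Recipient), u64(w.Amount)...))
	return h[:]
}

// boundDigest also commits to the chain ID, the verifying contract and a
// per-signer nonce, so a signature over it is valid in one context, once.
func boundDigest(chainID uint64, contract string, nonce uint64, w Withdrawal) []byte {
	h := sha256.Sum256(append(append(append(u64(chainID), field(contract)...), u64(nonce)...), naiveDigest(w)...))
	return h[:]
}
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return pub, priv
}
func SignNaive(priv ed25519.PrivateKey, w Withdrawal) []byte { return ed25519.Sign(priv, naiveDigest(w)) }
func VerifyNaive(pub ed25519.PublicKey, w Withdrawal, sig []byte) bool { return ed25519.Verify(pub, naiveDigest(w), sig) }
func SignBound(priv ed25519.PrivateKey, chainID uint64, contract string, nonce uint64, w Withdrawal) []byte {
	return ed25519.Sign(priv, boundDigest(chainID, contract, nonce, w))
}

// Verifier is the consuming side: it fixes its own chain and contract and remembers used (signer, nonce) pairs.
type Verifier struct{ ChainID uint64; Contract string; used map[string]bool }
func NewVerifier(chainID uint64, contract string) *Verifier { return &Verifier{chainID, contract, map[string]bool{}} }

// Accept returns true at most once per (signer, nonce), and only in this verifier's context.
func (v *Verifier) Accept(pub ed25519.PublicKey, nonce uint64, w Withdrawal, sig []byte) bool {
	key := string(append(u64(nonce), pub...))
	if v.used[key] || !ed25519.Verify(pub, boundDigest(v.ChainID, v.Contract, nonce, w), sig) {
		return false
	}
	v.used[key] = true
	return true
}
```

A production verifier would persist the consumed nonces rather than keep them in memory, and would typically encode the context with a standard such as EIP-712 instead of an ad hoc layout.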
Conclusion: Strengthening Web2 Security for Web3’s Future
The findings from Immunefi’s report shed light on the critical importance of addressing Web2 security issues to prevent substantial crypto losses. Infrastructure weaknesses and cryptographic issues pose significant risks to the integrity of the cryptocurrency ecosystem. By prioritizing meticulous security practices, including proper implementation of key management protocols, robust authentication mechanisms, and encryption best practices, industry participants can contribute to a more secure Web3 environment. As the crypto space continues to evolve, safeguarding against these vulnerabilities becomes imperative to ensure the longevity and stability of the digital economy.