Salus Publishes 2023 Web3 Security Landscape Report

Table of Contents

• Key Web3 Vulnerabilities Observed in 2023
• Access Control Issues
• Flash Loan Attacks
• Exit Scams
• Oracle Issues
• Phishing
• Reentrancy
• Top 5 Cyber Attacks in the Web3 Industry in 2023
• #1 Mixin Network
• #2 Euler Finance
• #3 Multichain
• #4 Poloniex
• #5 BonqDAO
• The Next Steps in Web3 Cybersecurity for 2024

Compared to 2022, overall financial losses from hacking in the web3 industry decreased to $1.7 billion in 2023.

True. The web3 industry is getting better at cybersecurity and prevention of cyber attacks. However, hacking is still lucrative for cybercriminal gangs such as Lazarus — threat actors who rely on advanced attacks.

Namely, the majority of combined losses (estimated 70%) can be attributed to high-profile cyberattacks. Think Multichain, Mixin Network, or Poloniex.

Salus, the cybersecurity company specializing in cybersecurity in the web3 industry and traditional security, compiled their 2023 Web3 Security Landscape Report.

The document highlights the top 10 attacks, overall losses due to crypto hacking, common vulnerabilities that have caused high-profile incidents in the industry, and the steps companies can take to decrease the chances of hacking.

Here are the highlights and key findings that companies within the web3 space can learn and apply to their security in 2024.

Key Web3 Vulnerabilities Observed in 2023

According to the Salus report, the weaknesses that are responsible for most of the hacks are:

• Access control issues — the cause of 39.18% of cyber attacks

• Flash loan attacks — accounting for 16% of cybercrime

• Exit Scams — responsible for 12% of yearly losses

• Oracle problems — triggered 6% of all exploits

• Phishing — social engineering behind 4% of all incidents

• Reentrancy — accountable for 4% of cybercrime

• Other — covering the remaining 17% of overall hacks

The most common types of cyber attacks and weaknesses involve both highly technical and sophisticated threats as well as those that rely on human bias and errors.

How can we prevent them in 2024?

Let’s break down the most common hacking threats and the best preventive measures to avoid them in the year that follows.

Access Control Issues

Most hacks (an estimated 39,18%) were possible because of problems associated with access control. The report says that 29 hacking cases led to losses of $666 million in 2023. All of them started with this exploit — Atomic Wallet, Multichain, and Poloniex included.

Access control exploits refer to a wide array of flaws that hackers can use to gain illicit entry. Be it older equipment, errors in setup, improper access management, overly permissive settings, stolen keycards, inability to integrate with other systems, etc. 

To prevent this common security flaw, set up strong authorization that follows the principle of minimal privilege. Update the access regularly. Make sure that those with higher privileged access get additional training. 

Lastly, have automated and thorough monitoring that helps you identify and mitigate attempts at access exploitation across the entire infrastructure.

Flash Loan Attacks

Flash loan attacks fall under the Decentralized Finance (DeFi) category because they misuse and alter smart contracts. In this hack, bad actors start a flash loan within the DeFi platform and borrow a lot of the crypto because it doesn’t require collateral.

Many companies in the crypto space have fallen for this scam. It was behind 37 incidents in 2023, causing losses of $274 million. Some of the companies that suffered this attack are Euler Finance, KyberSwap, and Yearn Finance.

To safeguard your assets from flash loan attacks, set up a limit on how much a person can borrow using the smart contract and put up a time limit. 

Having a fee for those who want flash loans is another way to deter hackers from exploiting this usually collateral-free option.

Exit Scams

This scam hurts the investor’s wallets the most. Crypto developers initiate the project only to abandon it. Exit scams, in most cases, involve some high-risk lucrative opportunity offered by opportunistic cybercriminals that end up vanishing with investors’ funds.

In 2023, there were 276 recorded exit scams in the crypto space and they resulted in losses of $208 million. 

This incident does not involve highly technical hacking — or any hacking at all. Therefore, to prevent it, it’s necessary to watch out for the most common signs of scams.

When an opportunity that seems too good to be true appears, make sure that you research the teams that are involved with that particular project. Work with trustworthy businesses that have a great track record.

Then, avoid investing everything in one place and be wary of unrealistic opportunities.

Oracle Issues

In the crypto industry, Oracle is used as a source of price feed for certain cryptocurrency protocols. If hackers find a vulnerability there, they can manipulate the prices. In the worst-case scenario, they can steal funds that were obtained as part of the flash loan attack.

Seven hacks that were caused by the errors within Oracle in the web3 industry led to losses of $234 million. BonqDAO cyber attack was one of the victims of Oracle's exploits in 2023. Hackers misused the flaws to alter token prices.

To prevent Oracle exploits, you’ll have to become token liquidity savvy. Avoid assessing  future prices based on the markets that feature shallow liquidity. Question whether the liquidity is suitable for you and consider the Oracle integration with your existing platform. 

Also, use Time-Weighted Average Price (TWAP).

Phishing

Social engineering tactics such as phishing top the list every year because they can be difficult to spot and get rid of completely. They evolve every year and rely on human error.

According to the report, 13 incidents involved some type of phishing and led to losses of $67.6 million.

Phishing is mostly done via email, convincing a person to perform some kind of action. It’s often used by hackers to gain entry into otherwise well-protected systems. Even known hacking groups such as Lazarus relied on phishing for their attacks in 2023.

Besides awareness training for all employees that is often suggested to fight phishing, recommended measures for more advanced forms of phishing include penetration testing. 

Its role is to detect potential weaknesses that might allow phishing at the front end early — before the hacker gets a chance to exploit them.

Other necessary prevention is multi-factor authentication, domain security, email verification, and the use of hardware wallets.

Reentrancy

In this exploit, a smart contract is interrupted and re-invoked before it finishes its task. This allows the attacker to manipulate the contract’s state — mostly to withdraw the funds.

In 2023, there were 15 hacking exploits in the web3 industry that relied on the reentrancy exploit and brought losses of $74 million. Exactly Protocol was one of the victims of reentrancy vulnerability. It was caused by the Vyper bug.

To prevent reentrancy attempts, have smart contract audit technology, make sure that all of your auditors are trustworthy and experienced, rely on the Check-Effect-Interaction Model, and introduce Comprehensive Reentry Protection to protect sensitive operations.

Top 5 Cyber Attacks in the Web3 Industry in 2023

The five worst cyber attacks in the web3 space that occurred in 2023 damaged:

1. Mixin Network — $200 million lost

2. Euler Finance — $197 million lost

3. Poloniex —  $126 million lost

4. Multichain — $125 million lost

5. BonqDAO — $120 million lost

Other high-caliber hacks that were lucrative for hackers included Atomic Wallet, HECO Bridge, Curve, AlphaPo, and CoinEx.

These ten incidents alone accounted for 70% of overall losses (which surpassed $1.7 billion in 2023).

Lazarus Group, known for operating from North Korea, profited the most. They’re responsible for many high-profile attacks that happened in the last couple of years.

The majority of losses happened in July, September, and November. Just in the month of September, $360 million was lost due to cyber-attacks. January, August, October, and December marked a strong decline in financial losses.

Let's break down the five most damaging hacks in the web3 industry in 2023.

#1 Mixin Network

In September, the Mixin Network revealed a breach that cost them $200 million — mostly in the form of Bitcoin. This was the biggest theft of the crypto assets recorded in 2023.

All of the details of the attack and investigation that followed have not been disclosed. What we do know is that hackers exploited vulnerabilities within cloud security. Bad actors exploited the database stored on the third-party cloud to obtain assets on the mainnet.

Mixin Network is known to provide free and faster cross-chain transfers of digital assets. To do so, they rely on the centralized database — providing the hackers with a major weak point.

#2 Euler Finance

In March, Euler Finance suffered a $197 million loss — now known as the second-worst crypto hack of 2023. The culprit of this hack was a weakness in their system known as the donateToReserves function.

The criminal used a flash loan to exploit the DeFi Protocol to steal funds. They used it to trigger debt and liquidation, leading to a sharp drop in Euler Finance's Total Value Locked (which represents all the money involved in their system).

Unexpectedly, the hacker apologized in a blockchain message and returned the stolen funds.

However, this event highlighted how crucial it is to carefully check and assess the risks in smart contracts used in decentralized finance.

#3 Multichain

In June, Multichain experienced a hack that drained wallets worth $120 million in crypto. Formerly, the company was known as Anyswap.

In June, there was an unexpected transfer of locked-up assets to an unknown address, which made users worried.

When the company resumed its operations in November, the company suffered an additional $1 million exploit.

The incident involved abnormal transfers, drainage of assets, and irregular movements of user funds to unknown wallets, but the details of the attack are not known. Internal security practices of the company are now questioned and users are still waiting for more answers. 

With the CEO and his sister in jail, the operations of the company were suspended and the access to servers and funds is currently under the custody of police in China.

#4 Poloniex

In November, Poloniex, a cryptocurrency exchange, suffered a $126 million loss due to a hack carried out by the Lazarus Group — the North Korean group notorious for their use of phishing combined with versatile attacks using their own malware.

The attackers exploited compromised private keys to drain funds from the exchange's hot wallets. With access to private keys,the bad actors could send crypto to the wallets that belong to Lazarus.

The attack showed many signs that are typical for Lazarus — including exploiting different token kinds and sending them to versatile addresses.

This incident is a reminder that relying on blockchain walltets that are controlled with a single private key can be dangerous in combination with social engineering.

Poloniex has since continued its operations and adopted stronger security measures, especially in managing its keys.

#5 BonqDAO

In February, BonqDAO, a lending and stablecoin protocol on the Polygon network, faced a two-stage attack due to oracle manipulation, causing a significant $120 million loss. 

The attacker manipulated the Tellor price feed, allowing them to borrow funds using artificially inflated collateral.

This event underscored the dangers linked to vulnerabilities in Oracle and their substantial impact on decentralized finance (DeFi) platforms — known as one of the most commonly exploited weaknesses in the web3 space of 2023.

The Next Steps in Web3 Cybersecurity for 2024

As mentioned, the majority of financial losses after successful hacks in 2023 are attributed to high-profile incidents. There were fewer cyber-attacks compared to 2022 but the mentioned exploits were still very lucrative for advanced hacking groups.

Every year, businesses are getting better at securing their assets from versatile cyber threats. However, with every new year, they face a higher number of threats as well as new types of cyber issues that seek improved security solutions and protocols.

How can we reduce the chance of major hacking within the web3 industry in 2024? 

Salus recommends taking a multi-faceted approach that consists of rigorous auditing and heightened awareness of Web3 penetration testing.

Security must cover possible weaknesses caused by both scams that exploit human psychology and sophisticated hacking that targets fatal flaws in technology.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.