Authors: Mario, Donny, Beosin Research Team
As global digitalization accelerates, blockchain technology, as a new decentralized way of transacting, is gradually becoming one of the core infrastructures of the digital economy. However, as blockchain application scenarios continue to expand, the security risks they face are also growing. In this context, understanding the Web3 blockchain security situation and the regulatory policies of the crypto industry has become one of the necessary steps for ensuring the security and stability of blockchain applications. This research report was jointly produced by Beosin, a blockchain security company, and the Blockchain Ecosystem Security Alliance initiated by SUSS NiFT. It analyzes and summarizes the global blockchain security situation, Web3 hot events, and key regulatory policies of the crypto industry in the first half of 2023, aiming to provide valuable reference and inspiration for readers and to support the safe and healthy development of blockchain technology.
I. Overview of Web3 Security Situation in Q1 2023
According to monitoring by Beosin EagleEye, a security risk monitoring, early warning and blocking platform, the total loss caused by hacker attacks, phishing scams, and project-side rug pulls in the Web3 field in the first half of 2023 reached 655.61 million US dollars. Of this, there were 108 attack events with a total loss of about 471.43 million US dollars; phishing scams caused a total loss of about 108 million US dollars; and 110 project-side rug pull events caused a total loss of about 75.87 million US dollars.
The total loss from hacker attacks in the Web3 field decreased significantly compared with last year: the total loss in the first half of 2022 was about 1.91 billion US dollars, the total loss in the second half of 2022 was about 1.69 billion US dollars, and the figure dropped to 470 million US dollars in the first half of 2023.
From the perspective of attacked project types, DeFi is still the type with the highest attack frequency and the most loss amount. The total loss amount of 85 DeFi security incidents reached 292 million US dollars, accounting for 62% of the total loss amount.
From the perspective of chain platform type, 75.6% of the loss amount comes from Ethereum, about USD 356 million, ranking first among all chain platforms.
From the perspective of attack methods (classified by root cause), the most frequent and most damaging attack method was the exploitation of contract vulnerabilities. 60 contract vulnerability incidents caused a loss of USD 264 million, accounting for 56% of all losses.
From the perspective of fund flow, about USD 215 million of stolen assets have been recovered, accounting for 45.5% of all stolen assets. In addition, about USD 113 million of stolen assets have been transferred to Tornado Cash and other mixing services.
From the perspective of audit situation, about 49% of the attacked projects have not been audited.
In contrast to the downward trend of hacker attacks since 2022, phishing scams and project rug pulls became more frequent for ordinary users in the first half of 2023. According to incomplete statistics, these two types of events involved a total of at least USD 184 million. Because the technical barrier to phishing has fallen (for example, malicious toolkits can be bought from phishing gangs through certain channels, with the proceeds split after a successful theft), phishing scams increased significantly in the first half of 2023 and became the main threat to the security of Web3 users.
II. Overview of Attack Events
108 attack events caused losses of USD 471.43 million
In the first half of 2023, Beosin EagleEye security risk monitoring, warning, and blocking platform monitored a total of 108 major attack events in the Web3 field, with a total loss of USD 471.43 million. There was 1 security event with a loss of over USD 100 million, 7 events with losses in the range of USD 10 million to USD 100 million, and 23 events with losses in the range of USD 1 million to USD 10 million.
Attack events with losses exceeding ten million US dollars (sorted by amount):
● Euler Finance – USD 197 million
On March 13th, the DeFi protocol Euler Finance was attacked, and the loss reached USD 197 million. On April 4th, Euler Labs announced on Twitter that after successful negotiations, the attacker returned all stolen funds.
● Atomic Wallet – $67 million
On June 3rd, several Atomic Wallet users reported on social media that their wallet assets had been stolen. The stolen amount was at least $67 million. The hacker laundered the stolen funds through a coin mixing platform called Sinbad. The reason for the attack is still under investigation.
● MEV attack – $25 million
On April 3rd, several MEV bots were hit by a malicious sandwich attack, resulting in a total loss of about $25 million.
● Bitrue – $24 million
On April 14th, the hot wallet of the cryptocurrency exchange Bitrue was attacked, resulting in a loss of $24 million.
● FPG – $20 million
On June 11th, cryptocurrency brokerage company Floating Point Group (FPG) was hit by a cyber attack, resulting in a loss of about $20 million in cryptocurrency.
● GDAC – $13 million
On April 9th, the South Korean cryptocurrency exchange GDAC was hit by a hacker attack, resulting in a loss of nearly $13 million.
● Yearn Finance – $11.5 million
On April 13th, the yUSDT contract of Yearn Finance was attacked, with the hacker profiting by over $10 million.
● MyAlgo Wallet – $11.2 million
In February, MyAlgo Wallet was hit by a man-in-the-middle attack, resulting in a loss of $11.2 million.
III. Types of Attacked Projects
85 DeFi security incidents causing a loss of $292 million
In the first half of 2023, DeFi projects had a total of 85 security incidents, accounting for 78.7% of the total incidents. The total loss of DeFi was $292 million, accounting for 62% of the total loss. DeFi is the project type with the highest frequency of attacks and the largest amount of losses.
Of the 85 DeFi security incidents, 51 incidents were due to contract vulnerabilities, resulting in a loss of $249 million, accounting for 85% of the total DeFi loss.
Wallet attacks resulted in a loss of approximately $78.2 million, ranking second among all project types. Of these, the Atomic Wallet attack resulted in a loss of at least $67 million, and the MyAlgo Wallet attack resulted in a loss of $11.2 million.
The third highest category in terms of total losses was exchanges, with losses of approximately $50.14 million. Exchange attacks also ranked third in terms of total losses in 2022, continuing the trend of frequent attacks this year.
Cross-chain bridge projects incurred the highest losses in 2022, with losses totaling $1.89 billion. However, in the first half of 2023, losses decreased significantly to $1.38 million.
IV. Losses by Chain Platform
75.6% of losses occurred on Ethereum
In the first half of 2023, there were 27 major attack incidents on the Ethereum chain, resulting in losses of approximately $356 million. Losses on the Ethereum chain ranked first among all chain platforms, accounting for approximately 75.6% of total losses.
BNB Chain experienced the most attack incidents, with a total of 58 incidents accounting for 53.7% of all incidents. Of the 58 attack incidents on BNB Chain, 40 involved unaudited projects.
There were a total of 7 attack incidents on the Arbitrum chain, resulting in losses of approximately $16.71 million. The number and amount of security incidents on Arbitrum increased compared to 2022 (when only two major security incidents occurred on the chain).
In 2022, losses on the Solana chain ranked third among all public chains, but no major attack incidents were monitored in the first half of 2023.
V. Analysis of Attack Methods
Contract vulnerabilities were the most common and costly attack method
*Note: When multiple attack methods are used simultaneously, the classification is based on the root cause. Attack incidents for which information is insufficient or for which the project party has not disclosed the cause are classified as “unclear”.
In the first half of 2023, the most common attack method and the one resulting in the highest losses was the exploitation of contract vulnerabilities. Sixty contract vulnerability incidents resulted in losses of $264 million, accounting for 56% of total losses.
Approximately $100 million in security incidents were classified as “unclear,” including events such as the theft of $67 million from the Atomic Wallet and an attack on cryptocurrency brokerage firm FPG resulting in $20 million in losses. These incidents involve large amounts of money and affect many users. It is recommended that project parties actively cooperate with third-party security companies to investigate the causes of such incidents, promptly disclose investigation results, take necessary repair measures, and shoulder the responsibility for user asset security.
Additionally, there were 7 incidents of private key leaks, resulting in approximately $27.67 million in losses. In 2022, private key leaks were also the third most common type of attack in terms of losses, and they continue to pose a threat to project security. Some of the disclosed incidents show that it is particularly important to strengthen professional-ethics and security-awareness management of core team members.
When broken down by vulnerability type, the top three causes of losses were business logic flaws, permission issues, and reentrancy. 36 business logic vulnerabilities caused approximately $239 million in losses, accounting for 90% of all losses from contract vulnerability attacks. These vulnerabilities are the easiest for developers to overlook, and the losses after an attack are often significant: losses from 9 of these events exceeded $1 million. Project teams are advised to engage experienced professional audit companies to conduct audits.
VI. Analysis of typical attack methods
6.1 Euler Finance security incident
On March 13th, Euler Finance, a lending project on the Ethereum chain, was attacked by a flash loan, resulting in a loss of $197 million.
On March 16th, the Euler Foundation offered a reward of $1 million to gather information helpful in the arrest of the hacker and the return of stolen funds.
On March 17th, Euler Labs CEO Michael Bentley tweeted that Euler “has always been a project with strong security awareness.” From May 2021 to September 2022, Euler Finance underwent 10 audits by 6 blockchain security companies, including Halborn, Solidified, ZK Labs, Certora, Sherlock, and Omniscia.
From March 18th until April 4th, the attacker returned the funds in batches. During this time, the attacker apologized via on-chain messages, stating that they had “disturbed others’ money, work, and life” and asking everyone for forgiveness.
On April 4th, Euler Labs stated on Twitter that the attacker had returned all stolen funds through successful negotiation.
Vulnerability analysis: Replaying the sequence of events in the $200 million theft case of Euler Finance, what insights does this event bring us?
We will delve into the money laundering details of this hacker theft case and use the Beosin KYT virtual asset anti-money laundering compliance and analysis platform to track and analyze the hacker’s laundering techniques.
According to the Beosin team’s analysis, a total of 21 chains, including BTC, ETH, and TRX, are involved in the theft so far. The stolen funds are mainly concentrated on the Ethereum chain. Among them:
● Ethereum: 16,262 ETH, about $30 million
● Tron: 251,335,387.3208 TRX, about $17 million
● Bitcoin: 420.882 BTC, equivalent to $12.6 million
● BSC: 40.206266 BNB
● XRP: 1,676,015 XRP, about $840,000
● LTC: 2,839.873689 LTC, about $220,000
● DOGE: 800,575.67369797 DOGE, about $50,000
On the attacked Ethereum chain, the hacker handled the stolen funds in two main ways:
1. Dispersal through contracts, followed by cross-chain laundering via Avalanche
According to the Beosin team’s analysis, the hacker first converts the valuable tokens in each wallet into the chain’s native coin, and then uses two contracts to collect them.
The collecting contract wraps ETH into WETH across two transfer layers, then sends the WETH to the contract used to disperse it. From there the funds pass through up to 5 further transfer layers before reaching the wallet address used for the cross-chain operation to Avalanche. The cross-chain step itself does not go through a contract; it is recorded as an internal accounting transaction on Avalanche.
The Ethereum chain diagram is as follows:
Full article: A wallet theft case involving at least $60 million, Beosin KYT reveals the hacker’s money laundering tricks
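The layering pattern described above (consolidate into the native coin, wrap, split across contracts, pass through several transfer layers, exit via a bridge wallet) is the kind of structure a KYT analyst reconstructs hop by hop. The following is an added example, not code from the report or from Beosin’s KYT platform: it walks a constructed transfer list from a seed wallet, follows every outgoing transfer until it reaches a labelled endpoint (a bridge wallet or a mixer deposit address) or a dead end, and totals the amount that reached each category. All addresses, amounts and the `LABELS` attribution table are placeholders made up for the example.

```python
"""Hop-by-hop tracing of stolen funds through layering wallets.

Added example (not Beosin's KYT code). It walks a constructed transfer list
from a seed wallet, follows every outgoing transfer until a labelled endpoint
(bridge wallet, mixer deposit) or a dead end, and totals the amount that
reached each category. Addresses and amounts are placeholders, not real data.
"""
from collections import defaultdict

# Constructed ledger: (sender, receiver, asset, amount). Not real transactions.
TRANSFERS = [
    ("0xSEED", "0xHOP1",   "ETH",  100.0),  # consolidated into the native coin
    ("0xHOP1", "0xWRAP",   "ETH",  100.0),  # first transfer layer
    ("0xWRAP", "0xHOP2",   "WETH", 100.0),  # ETH wrapped into WETH
    ("0xHOP2", "0xHOP3",   "WETH",  60.0),  # split across two branches
    ("0xHOP2", "0xHOP4",   "WETH",  40.0),
    ("0xHOP3", "0xBRIDGE", "WETH",  59.5),  # branch 1 ends at a bridge wallet
    ("0xHOP3", "0xHOP1",   "WETH",   0.5),  # dust sent back (creates a cycle)
    ("0xHOP4", "0xMIXER",  "WETH",  40.0),  # branch 2 ends at a mixer deposit
]

# Hypothetical attribution table an analyst would maintain for known endpoints.
LABELS = {"0xBRIDGE": "bridge", "0xMIXER": "mixer"}


def build_graph(transfers):
    """Index transfers by sender so outgoing hops can be looked up quickly."""
    graph = defaultdict(list)
    for sender, receiver, asset, amount in transfers:
        graph[sender].append((receiver, asset, amount))
    return graph


def trace_paths(seed, transfers, labels, max_depth=8):
    """Enumerate every transfer path leading out of `seed`.

    A path stops at a labelled endpoint, at a wallet with no outgoing
    transfers, or after `max_depth` hops. Each result records the terminal
    wallet, its label ("unknown" if unlabelled), the hop count, the amount
    delivered by the final hop, and how many times the asset changed along
    the way (the ETH -> WETH wrap counts as one change).
    """
    graph = build_graph(transfers)
    results = []

    def walk(addr, path, assets, amount):
        depth = len(path) - 1
        if addr in labels or not graph.get(addr) or depth >= max_depth:
            changes = sum(1 for a, b in zip(assets, assets[1:]) if a != b)
            results.append({
                "terminal": addr,
                "label": labels.get(addr, "unknown"),
                "depth": depth,
                "amount": amount,
                "asset_changes": changes,
                "path": list(path),
            })
            return
        for receiver, asset, hop_amount in graph[addr]:
            if receiver in path:  # ignore back-transfers to wallets already on the path
                continue
            walk(receiver, path + [receiver], assets + [asset], hop_amount)

    walk(seed, [seed], [], 0.0)
    return results


def totals_by_label(paths):
    """Sum the amount arriving at each endpoint category."""
    totals = defaultdict(float)
    for p in paths:
        totals[p["label"]] += p["amount"]
    return dict(totals)


def max_layers(paths):
    """Deepest chain of transfer layers observed from the seed."""
    return max((p["depth"] for p in paths), default=0)


if __name__ == "__main__":
    found = trace_paths("0xSEED", TRANSFERS, LABELS)
    for p in found:
        print(f'{p["label"]:8} depth={p["depth"]} amount={p["amount"]} '
              f'asset_changes={p["asset_changes"]} via {" -> ".join(p["path"])}')
    print("totals:", totals_by_label(found), "max layers:", max_layers(found))
```

Running the script prints one line per path with its hop count, the amount delivered and the number of asset changes; on the constructed ledger both branches are five layers deep, 59.5 WETH reaches the bridge wallet and 40 WETH reaches the mixer deposit. The cycle guard drops the dust back-transfer to an earlier wallet, which is what keeps gas refills and change returns from producing endless loops. A real trace would read transfers from a node or indexer and keep a far larger attribution table.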
VIII. Analysis of the Flow of Stolen Assets
45.5% of stolen assets were recovered
In the first half of 2023, data from the Beosin KYT virtual asset anti-money laundering compliance and analysis platform show that about $215 million of stolen assets were recovered, accounting for 45.5% of all stolen assets; in 2022, only 8% of stolen assets were recovered. The chance of recovering funds has thus risen significantly in 2023. Besides negotiating with hackers, recoveries achieved through security companies, law enforcement agencies, and community efforts are increasing. Furthermore, the improvement of the global regulatory system and stronger law enforcement have had a deterrent effect on hackers.
Approximately $113 million of stolen assets were transferred to mixer services. Of this, about $45.38 million went to Tornado Cash and about $68.14 million to other mixer platforms. Since Tornado Cash was sanctioned by the US OFAC in August 2022, the total amount of funds mixed through Tornado Cash has decreased significantly, while the use of other mixer platforms such as FixedFloat and Sinbad has increased significantly.
IX. Analysis of Project Auditing
The proportions of audited and unaudited projects are roughly equal. Among the 108 attacked projects, 51 were audited and 53 were unaudited, roughly the same split as in 2022.
Among the 51 audited projects, 31 (60%) were attacked through contract vulnerabilities. This ratio is higher than last year’s 45%, and the overall quality of the audit market remains unsatisfactory. Project teams are advised to engage professional security companies for audits.
X. Rug Pull Analysis
110 Rug Pull incidents took away $75.87 million
In the first half of 2023, a total of 110 major Rug Pull incidents were monitored in the Web3 field, involving approximately $75.87 million.
In terms of the amount, 14 (12.7%) Rug Pull incidents had an amount above $1 million, 41 (37.3%) incidents were in the range of $10,000 to $1 million, and 55 (50%) incidents were below $10,000.
The largest amount of assets involved in a Rug Pull event was the Fintoch project, which took away about $31.6 million in assets.
From the perspective of blockchain platforms, there were 80 Rug Pull events on the BNB Chain, involving $53.37 million, far more than other public chains.
Summary of Security Situation in the First Half of 2023
Overall, the total loss from hacker attacks in the Web3 field has decreased significantly compared to 2022. The total loss from attacks in the first half of 2022 was about $1.91 billion and in the second half of 2022 about $1.69 billion, while in the first half of 2023 the figure dropped to $470 million, and about $215 million of the stolen assets were recovered. Hacker attacks are showing a significant slowdown. The main reasons are the gradual improvement of the global regulatory system, increased law enforcement efforts, improved security awareness of project parties, the sanctioning of Tornado Cash, and improvements in AML (anti-money laundering) technologies and procedures. In addition, there have been cases where the community used off-chain intelligence to identify hackers and pressure them into returning the funds.
Even though hacker attacks have slowed down significantly, contract security issues cannot be ignored. In the first half of 2023, the most frequent and damaging attack method was contract vulnerability exploitation. 60 contract vulnerability incidents caused a loss of $264 million, and the majority of exploited vulnerabilities were business logic issues. Some more complex business logic vulnerabilities require experienced professional auditing companies to discover. The Beosin auditing team will conduct in-depth analysis of every hacker attack event (Twitter@BeosinAlert), ensuring that the experience and technology summarized from them are applied to the project auditing process to address potential hacker attacks.
Contrary to the trend of declining hacker attacks, phishing scams targeting ordinary users are becoming more frequent. In the first half of the year, a series of wallet drainer gangs, represented by Venom Drainer, appeared. They developed malicious toolkits and sold them, and after a successful phishing campaign the buyers shared the profits with them. Such phishing scams affect a wide range of users; Venom Drainer alone has produced at least 15,000 victims. Ordinary users are advised to follow security company alerts regularly, systematically learn some anti-phishing and anti-theft knowledge, and install anti-phishing plug-ins, transaction pre-execution tools, and similar aids for reminders (but they cannot rely solely on tools: strengthening their own security awareness is always the first priority).