Hackers and other malicious actors siphoned off $310 million worth of value from the Web3.0 industry in Q2 2023.
The figure is close to the $320 million losses in Q1 and represents a 58% drop compared to the $745 million losses in Q2 2022.
CertiK detected a total of 212 security incidents, which means the average loss per incident in Q2 was $1.48 million. This is slightly lower than the average loss of $1.56 million per incident in Q1.
98 exit scams stole $70.35 million from investors, more than double the $31 million losses caused by exit scams in Q1.
54 flash loan attacks and oracle manipulation events netted attackers $23.75 million. This is a significant drop from the 52 oracle manipulation incidents in Q1 that caused a total loss of $222 million. Of course, last quarter, one vulnerability, Euler Finance, accounted for 85% of the total amount lost.
Additionally, there are some major “off-chain” events happening in the industry: the U.S. Securities and Exchange Commission has filed charges against two of the largest virtual currency exchanges, and the world’s largest asset manager has submitted an application for a Bitcoin ETF.
CertiK security researchers also identified significant vulnerabilities in major blockchain protocols and applications, including security risks in Sui validator nodes and ZenGo’s MPC wallet.
Partial Data Display
The total loss recorded in the Web3.0 field in Q2 2023 was $313,566,528, almost the same as in the previous quarter, and a 58% decrease from the same period last year. The average loss per incident also showed a slight decline.
Looking at the second quarter, the number of oracle manipulation events has decreased significantly, while the total losses from exiting scams have increased, indicating that malicious actors have changed tactics.
As the industry develops, cases such as attacks against MEV robots and the discovery of “hamster wheels” security threats on the Sui blockchain confirm the importance of continuous deep research into security, proactive measures, and ongoing vigilance. Every challenge we overcome brings us one step closer to a safer Web3.0 space.
Check out the report for more details and data.
MEV Robot Misuse
In early April, MEV robots were exploited by hackers in Ethereum’s 16,964,664 block. A malicious validator replaced several MEV transactions, resulting in a loss of about $25.38 million. This event is the largest attack on MEV robots to date.
The event occurred in Ethereum block 16,964,664, where eight MEV transactions were exploited by a malicious validator. The validator was established on March 15, 2023, by an external address (EOA) 0x687A9 and has been trying to infiltrate Flashbot, which prevents frontrunning.
However, a vulnerability in MEV-boost-relay allowed the malicious validator to re-bundle transactions, intercepting some of the sandwich strategies of the MEV robot, especially reverse transactions. Due to the above vulnerability, the validator saw detailed transaction information. With this detailed transaction information, the malicious validator could establish their own block and insert their front-end transaction before the initial MEV robot transaction.
Overall, the malicious validator successfully stole about $25 million from five MEV robots, making it one of the largest MEV robot loss events discovered by CertiK to date. In the past 12 months, only six MEV robot vulnerabilities have been discovered, and only this event accounts for 92% of the total loss of $27.5 million.
The malicious validator exploited the MEV-boost-relay vulnerability by submitting an invalid but correctly signed block to begin the attack. Upon seeing the transactions inside the block, the validator could re-bundle them to claim assets from the MEV robot. The vulnerability has since been patched.
For more information on MEV robots and sandwich attacks, check out the report.
Atomic Wallet Hacked
In early June, more than 5,000 Atomic Wallet users experienced the largest security event of the quarter, resulting in losses of over $100 million. Initially, Atomic Wallet claimed that less than 1% of its monthly active users were affected, but later revised this to less than 0.1%. The scale of the attack and the huge losses highlight the seriousness of security vulnerabilities in wallet applications.
Attackers targeted user private keys to gain full control over their assets. After obtaining the keys, they were able to transfer the assets to their own wallet addresses and empty the victims’ accounts.
The amount of losses reported by individual users varied, with the highest reported loss reaching $7.95 million. The five largest individual victims had a combined loss of up to $17 million.
In an attempt to recover the losses, Atomic Wallet publicly proposed a deal to the attackers, offering to give up 10% of the stolen funds in exchange for 90% of the stolen tokens. However, given the history of the Lazarus Group and the fact that the stolen funds have already started to be laundered, the hope of recovering the funds is slim.
For more analysis on Atomic Wallet and the “mastermind” behind the attack, please see the report for details.
Sui “Hamster Wheel” New Vulnerability
Previously, the CertiK team discovered a series of denial-of-service vulnerabilities in the Sui blockchain. Among these vulnerabilities, a new and particularly impactful type of vulnerability stood out. This vulnerability can cause Sui network nodes to be unable to process new transactions, effectively shutting down the entire network. CertiK received a $500,000 bug bounty from Sui for discovering this major security vulnerability. The incident was reported by the US industry authority CoinDesk, and subsequent news reports were published by major media outlets.
This security vulnerability is aptly named the “Hamster Wheel”: its unique attack method is different from known attacks, as attackers only need to submit a payload of about 100 bytes to trigger an infinite loop in a Sui validation node, preventing it from responding to new transactions.
In addition, the damage caused by the attack can persist even after the network is restarted and can automatically spread throughout the Sui network, causing all nodes to be unable to process new transactions like hamsters endlessly running on a wheel. Therefore, we call this unique type of attack a “Hamster Wheel” attack.
After discovering the vulnerability, CertiK reported it to Sui through Sui’s bug bounty program. Sui responded promptly, confirming the severity of the vulnerability and taking appropriate measures to fix the problem before the mainnet launch. In addition to fixing this specific vulnerability, Sui also implemented preventive measures to reduce the potential damage this vulnerability could cause.
To thank the CertiK team for their responsible disclosure, Sui awarded a $500,000 bonus to the CertiK team.
Details can be found in “Sui’s latest vulnerability ‘hamster wheel’, technical details and in-depth analysis”.
Server-level vulnerability based on MPC wallet
Multi-party computation (MPC) is a cryptographic method that allows multiple participants to compute a function on their inputs while protecting the privacy of these inputs. The goal is to ensure that these inputs are not shared with any third party. This technology has multiple applications, including privacy-preserving data mining, secure auctions, financial services, secure multi-party machine learning, and secure password and secret sharing.
CertiK’s Skyfall team discovered a serious security flaw in the security architecture of the popular MPC wallet ZenGo during a preventive security analysis. It is called “device forking attack”. Attackers can use it to bypass ZenGo’s existing security measures and potentially control user funds. The key to this attack is to exploit a vulnerability in the API to create a new device key, fooling the ZenGo server into treating it as a real user device.
In accordance with responsible disclosure principles, the Skyfall team promptly reported this vulnerability to ZenGo. Upon realizing the severity of the problem, ZenGo’s security team took action to fix it quickly. To prevent the possibility of attacks, the vulnerability has been fixed at the API level on the server side, so no client code update is required.
After the vulnerability was fixed, ZenGo publicly acknowledged these findings and thanked CertiK for its important role in strengthening the security and trustworthiness of its MPC wallet.
“Multi-party computation has broad prospects and many important applications in the Web3.0 field. While MPC technology reduces the risk of single points of failure, the implementation of MPC solutions brings new complexities to cryptocurrency wallet design. This complexity can lead to new security risks, highlighting the need for comprehensive auditing and monitoring approaches.” – Professor Li Kang, Chief Security Officer of CertiK.
Click to get the full report