Analysis of Web3 Hacker Attack Techniques: Review and Analysis of Security Incidents in the First Half of 2022
Analysis of Common Attack Techniques Used by Web3 Hackers: Review of the First Half of 2022
In the first half of 2022, security incidents in the Web3 field occurred frequently, and hackers kept introducing new attack methods. This article analyzes the attack methods that were most common during this period, aiming to provide a useful reference for the industry.
Overview of Security Incidents in the First Half of the Year
According to data from a blockchain security monitoring platform, there were a total of 42 major attack incidents caused by smart contract vulnerabilities in the first half of 2022, accounting for approximately 53% of all attack methods. The total losses from these incidents reached as high as $644 million.
Among all the exploited vulnerabilities, logical or function design flaws are the most commonly targeted by hackers, followed by validation issues and reentrancy vulnerabilities.
Major Loss Event Analysis
Wormhole cross-chain bridge attacked
On February 3, 2022, the cross-chain bridge project Wormhole in the Solana ecosystem was hacked, resulting in a loss of approximately $326 million. The attacker exploited a signature verification vulnerability in the contract to successfully forge system accounts and mint a large amount of wETH tokens.
Fei Protocol suffered a flash loan attack
On April 30, 2022, the Rari Fuse Pool under Fei Protocol suffered a flash loan combined reentrancy attack, resulting in a loss of $80.34 million. This attack dealt a fatal blow to the project, ultimately leading Fei Protocol to officially announce its closure on August 20.
The attacker carried out the attack through the following steps:
This attack stole over 28,380 ETH, equivalent to approximately 80.34 million USD.
Common Vulnerabilities in the Audit Process
The most commonly found vulnerabilities in smart contract audits are mainly divided into four categories:
ERC721/ERC1155 reentrancy attack: the safe transfer functions of these standards call back into the receiving contract to confirm receipt; if the receiving contract contains malicious code, that callback can be used to re-enter the calling contract (a reentrancy attack).
Logical vulnerabilities: including special scenarios that were not considered (such as a self-transfer that creates funds out of thin air) and incomplete functional design (such as a missing withdrawal or settlement mechanism).
Missing access control: key functions (such as minting or role assignment) lack the appropriate permission checks.
Price manipulation risk: arising when no time-weighted average price is used, or when the ratio of token balances held in the contract is read directly as the price.
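The following contracts illustrate the first category above, the reentrancy through an ERC721 safe transfer callback. They are an added example written for this article, not code from any project mentioned here; the contract names are hypothetical and the imports assume OpenZeppelin Contracts v4.x (whose `_safeMint` invokes `onERC721Received` on a contract recipient). The vulnerable mint records its per-address limit only after the callback, the hardened version records it first and adds a reentrancy guard, and the receiver at the end is the kind of test double an auditor uses to confirm that the fix holds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumes OpenZeppelin Contracts v4.x; these import paths are v4's.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Hypothetical minimal interface shared by both mint contracts below.
interface IOneMint {
    function mint() external;
}

// Vulnerable pattern: one token per address, but the "already minted" flag is
// written only after _safeMint(), and _safeMint() calls onERC721Received() on
// the recipient, handing control to it while the flag is still false.
contract VulnerableMint is ERC721, IOneMint {
    uint256 public nextId;
    mapping(address => bool) public hasMinted;

    constructor() ERC721("Demo", "DEMO") {}

    function mint() external override {
        require(!hasMinted[msg.sender], "already minted");
        _safeMint(msg.sender, nextId++);   // external call into msg.sender happens here
        hasMinted[msg.sender] = true;      // effect recorded after the interaction: too late
    }
}

// Hardened pattern: checks-effects-interactions (flag set before the callback)
// plus a reentrancy guard as defence in depth.
contract HardenedMint is ERC721, ReentrancyGuard, IOneMint {
    uint256 public nextId;
    mapping(address => bool) public hasMinted;

    constructor() ERC721("Demo", "DEMO") {}

    function mint() external override nonReentrant {
        require(!hasMinted[msg.sender], "already minted");
        hasMinted[msg.sender] = true;      // effect first
        _safeMint(msg.sender, nextId++);   // interaction last
    }
}

// Audit test double: a receiver that calls mint() again from the callback.
// Against VulnerableMint it ends up holding three tokens; against HardenedMint
// the nested call reverts and the whole start() call reverts with it, which is
// the behaviour a unit test for the fix should assert.
contract ReenteringReceiver is IERC721Receiver {
    IOneMint public immutable target;
    uint256 public depth;

    constructor(IOneMint _target) { target = _target; }

    function start() external { target.mint(); }

    function onERC721Received(address, address, uint256, bytes calldata)
        external override returns (bytes4)
    {
        if (depth < 2) {
            depth++;
            target.mint();                 // re-enters while hasMinted[this] is still false
        }
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

The ordering fix alone already closes the hole, because the nested call sees `hasMinted` set and reverts; the guard is kept so that a later refactor which reintroduces an external call before the state write does not silently reopen it.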
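The second and third categories, the self-transfer that creates funds out of thin air and the unprotected minting function, are shown together in the pair of token contracts below. This is an added example written for this article, not code from any project discussed here, and the contract names are hypothetical. The vulnerable ledger caches both balances in local variables before writing either, so when the sender and recipient are the same address the second write overwrites the debit; its `mint` can also be called by anyone. The hardened version updates storage in place and restricts `mint` to the owner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Vulnerable ledger: transfer() reads both balances into locals before either
// is written, and mint() has no caller restriction.
contract VulnerableToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    // Missing access control: any caller can inflate the supply.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
        totalSupply += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        uint256 fromBal = balanceOf[msg.sender];
        uint256 toBal = balanceOf[to];            // stale copy when to == msg.sender
        require(fromBal >= amount, "insufficient");
        balanceOf[msg.sender] = fromBal - amount; // debit ...
        balanceOf[to] = toBal + amount;           // ... overwritten by a credit on self-transfer
        return true;                              // net effect: balance grows by `amount`
    }
}

// Hardened ledger: storage is updated in place, so a self-transfer nets to
// zero, and mint() is restricted to the deployer.
contract HardenedToken {
    address public immutable owner;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() { owner = msg.sender; }

    function mint(address to, uint256 amount) external onlyOwner {
        balanceOf[to] += amount;
        totalSupply += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;   // debit applied to storage immediately
        balanceOf[to] += amount;           // credit reads the already-debited value
        return true;
    }
}
```

A useful audit check for the first bug is the invariant "sum of all balances equals totalSupply" evaluated after a transfer where `to == msg.sender`; the vulnerable contract breaks it on the first such call.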
Exploitation of Vulnerabilities in Real Attacks
According to monitoring data, vulnerabilities found during audits have almost all been exploited by hackers in real scenarios, with contract logic vulnerabilities remaining the main target of attacks.
It is worth noting that these vulnerabilities can be discovered during the audit phase by combining a professional smart contract formal verification platform with manual review by security experts. After the evaluation, the experts can also provide corresponding repair recommendations, which give project teams an important reference.
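As a concrete form of the repair recommendation for the price manipulation category listed above, the contracts below contrast a spot-price oracle that reads the pool's current reserve ratio with a time-weighted average price (TWAP) oracle built on the cumulative price counters of a Uniswap v2 style pair. This is an added example written for this article, not code from the projects or audit platform discussed here; the contract names are hypothetical, `IUniswapV2Pair` is reduced to the two real pair functions used, only the token0 price is tracked, and the 30-minute window is an assumed parameter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal surface of a Uniswap v2 pair (real functions, reduced to what is used).
interface IUniswapV2Pair {
    function price0CumulativeLast() external view returns (uint256);
    function getReserves() external view returns (uint112, uint112, uint32);
}

// Vulnerable pattern: price = ratio of the pool's current reserves. A large
// swap moves this ratio within a single transaction, so any contract reading
// it at that moment (for example a lender valuing collateral) is misled.
contract SpotPriceOracle {
    IUniswapV2Pair public pair;

    constructor(IUniswapV2Pair _pair) { pair = _pair; }

    // token0 price in token1, scaled by 1e18
    function price0() external view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return uint256(r1) * 1e18 / r0;
    }
}

// Hardened pattern: average price over at least PERIOD seconds, derived from
// the pair's cumulative counter. Shifting it requires holding the pool at a
// distorted ratio for most of the window, not just for one block.
contract TwapOracle {
    uint32 public constant PERIOD = 30 minutes;   // assumed window
    IUniswapV2Pair public pair;

    uint256 public price0CumulativeLast;
    uint32 public blockTimestampLast;
    uint256 public price0Average;   // UQ112x112 fixed point, token1 per token0

    constructor(IUniswapV2Pair _pair) {
        pair = _pair;
        (price0CumulativeLast, blockTimestampLast) = currentCumulative();
    }

    // Cumulative price as of now. The pair only advances its counter when it
    // is touched, so extrapolate with the current reserves for the elapsed time.
    function currentCumulative() public view returns (uint256 cum, uint32 ts) {
        cum = pair.price0CumulativeLast();
        (uint112 r0, uint112 r1, uint32 pairTs) = pair.getReserves();
        ts = uint32(block.timestamp);
        if (pairTs != ts) {
            unchecked {
                // UQ112x112 price times elapsed seconds; wrapping is intended,
                // matching the pair's own counter arithmetic.
                cum += (uint256(r1) << 112) / r0 * (ts - pairTs);
            }
        }
    }

    // Called by a keeper once per window; refuses to refresh early.
    function update() external {
        (uint256 cum, uint32 ts) = currentCumulative();
        uint32 elapsed;
        unchecked { elapsed = ts - blockTimestampLast; }
        require(elapsed >= PERIOD, "period not elapsed");
        unchecked { price0Average = (cum - price0CumulativeLast) / elapsed; }
        price0CumulativeLast = cum;
        blockTimestampLast = ts;
    }

    // Quote amount0In of token0 in token1 at the averaged price.
    // amount0In * price0Average can overflow for extreme inputs; callers
    // should bound amount0In or use a mulDiv helper.
    function consult(uint256 amount0In) external view returns (uint256) {
        require(price0Average != 0, "not initialised");
        return (amount0In * price0Average) >> 112;
    }
}
```

The averaged price lags the market by up to one window, so a consumer such as a lending pool should pair it with a sanity bound against a second source rather than treat it as a live quote; the point of the pattern is that a single-transaction balance change no longer sets the price.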
Conclusion
With the rapid development of the Web3 ecosystem, security issues have become increasingly prominent. Project teams should pay close attention to the security audit of their smart contracts, combining advanced verification tools with manual review by professional teams to minimize security risks and protect user assets.