Immunefi, the leading bug bounty and security services platform for web3, has announced the release of its report The True Origin Of Hacks & Top Web3 Vulnerabilities. This report introduces the Vulnerability Classification Standard for Web3 and provides in-depth research on the root cause of the most damaging vulnerabilities.
The Vulnerability Classification Standard for Web3
Immunefi has analyzed 128 technical vulnerabilities that resulted in hacks and losses in 2022. Immunefi distinguished technical vulnerabilities from fraud (social engineering, scams, and rug pulls), since fraud is not triggered by any flaw in code or in smart contract design.
The research revealed that the root causes of hacks fall into three clearly identifiable categories:
Failure in the design/logic of the smart contract: the protocol behaves improperly even when implemented exactly as specified, because the design itself is flawed. A prime example of this is the attack on BNB Chain in October 2022, which resulted in $570 million in losses.
Poor coding/implementation of the contract: when the design and infrastructure are secure, but the code contains flaws. An instance of this is the attack on Qubit in January 2022, which led to $80 million in losses.
Infrastructure weaknesses: weaknesses in the IT infrastructure on which a smart contract operates, for example the machines and virtual machines that run nodes and off-chain components, and the private keys that control privileged roles. Infrastructure exposure can lead to hacks and losses even if the smart contract itself has been designed, written, and tested well. The high-profile attack on Ronin Network in March 2022, resulting in a $625 million loss, is an example.
Immunefi has divided the three major domains of vulnerabilities into focused sub-domains. The full classification can be found here.
The Most Devastating Vulnerabilities
Infrastructure is king. Measured in monetary terms, 46.5% of all losses to hacks in 2022 were caused by infrastructure weaknesses, such as poor private key handling, amounting to over $1.7 billion. Developers and researchers generally focus on designing and coding the smart contract protocol, which forms the core of web3 projects, but all too often the danger lurks one level below. Infrastructure is also the major differentiator between DeFi and CeFi incidents: 11 of the 13 CeFi exploits were infrastructural in nature.
The biggest infrastructural issue is private key management, which is essential to maintaining self-custody of crypto assets. Typically, private key management is not something that undergoes a security audit, and not all web3 projects adequately care about rigorous key management policies, practices, or emergency plans.
Developers far too often introduce vulnerabilities into smart contracts through mistakes in access control, input validation, and arithmetic operations. These account for 37.5% of all incidents. Fortunately, their damage in monetary terms is small, representing only 5% of losses.
Bridge hacks play an important role in losses. Blockchains are highly isolated environments; inter-blockchain communication is not easy, and third parties often step in to build what's known as a bridge to connect two blockchains. The basic functionality of a bridge is to lock funds on one blockchain and release the equivalent value of funds on the other. Releasing funds on the destination chain therefore depends on proof that the corresponding lock happened on the source chain: the bridge's validators or relayers generate that proof, and the release side verifies it. Even a minor problem in that proof generation or verification lets a malicious actor obtain funds on one side of the bridge without having locked anything on the other.
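The lock-and-release flow described above, reduced to a runnable toy in Python. This is an added illustration, not code from Immunefi or from any bridge named in the report. It assumes a constructed validator set, a fixed signing threshold, and HMAC-SHA256 as a stand-in for the asymmetric signatures a real bridge would use, so that it runs offline. `WeakVerifier` counts valid signatures and nothing else; `StrictVerifier` requires distinct signers, binds the proof to the destination chain, and consumes each lock nonce exactly once, which is the minimum a release-side verifier needs.

```python
"""Toy lock-and-release bridge verifier (illustrative; not any real bridge's code)."""
import hashlib
import hmac
import json

# Constructed validator set: validator id -> secret (stand-in for a private key).
# Real bridges use asymmetric signatures; HMAC only keeps this example offline.
VALIDATOR_SECRETS = {"v1": b"secret-v1", "v2": b"secret-v2", "v3": b"secret-v3"}
THRESHOLD = 2        # distinct validators needed before funds are released
DEST_CHAIN_ID = 2    # the chain on which this verifier releases funds


def lock_message(chain_id, dest_chain_id, nonce, recipient, amount):
    """Canonical encoding of a lock event; every field is bound into the signature."""
    fields = {"src": chain_id, "dst": dest_chain_id, "nonce": nonce,
              "to": recipient, "amount": amount}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(validator_id, message):
    """A validator attests to a lock event (toy signature)."""
    return hmac.new(VALIDATOR_SECRETS[validator_id], message, hashlib.sha256).hexdigest()


def sig_valid(validator_id, message, sig):
    secret = VALIDATOR_SECRETS.get(validator_id)
    if secret is None:          # unknown signer never counts
        return False
    expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


class WeakVerifier:
    """Counts valid signatures, not distinct signers; ignores destination and replay."""

    def release(self, event, sigs):
        msg = lock_message(**event)
        valid = sum(1 for vid, s in sigs if sig_valid(vid, msg, s))
        return valid >= THRESHOLD


class StrictVerifier:
    """Threshold of distinct validators, destination bound, each nonce consumed once."""

    def __init__(self):
        self.seen = set()   # (source chain, nonce) pairs already released

    def release(self, event, sigs):
        if event["dest_chain_id"] != DEST_CHAIN_ID:
            return False                      # proof was meant for another chain
        key = (event["chain_id"], event["nonce"])
        if key in self.seen:
            return False                      # replayed proof
        msg = lock_message(**event)
        signers = {vid for vid, s in sigs if sig_valid(vid, msg, s)}
        if len(signers) < THRESHOLD:
            return False                      # same validator cannot count twice
        self.seen.add(key)
        return True


def demo():
    """Run both verifiers over constructed proofs; returns (weak, strict) per case."""
    weak, strict = WeakVerifier(), StrictVerifier()
    honest = {"chain_id": 1, "dest_chain_id": DEST_CHAIN_ID, "nonce": 7,
              "recipient": "0xabc", "amount": 100}
    msg = lock_message(**honest)
    good_sigs = [("v1", sign("v1", msg)), ("v2", sign("v2", msg))]

    dup = dict(honest, nonce=8)               # one validator, signature listed twice
    dmsg = lock_message(**dup)
    dup_sigs = [("v1", sign("v1", dmsg)), ("v1", sign("v1", dmsg))]

    wrong = dict(honest, nonce=9, dest_chain_id=3)   # proof built for another chain
    wmsg = lock_message(**wrong)
    wrong_sigs = [("v1", sign("v1", wmsg)), ("v2", sign("v2", wmsg))]

    return {
        "honest": (weak.release(honest, good_sigs), strict.release(honest, good_sigs)),
        "replay": (weak.release(honest, good_sigs), strict.release(honest, good_sigs)),
        "dup_signer": (weak.release(dup, dup_sigs), strict.release(dup, dup_sigs)),
        "wrong_dest": (weak.release(wrong, wrong_sigs), strict.release(wrong, wrong_sigs)),
    }


if __name__ == "__main__":
    for case, (w, s) in demo().items():
        print(f"{case:12s} weak={w} strict={s}")
```

The honest proof passes both verifiers; the replayed, duplicate-signer, and wrong-destination proofs pass only the weak one. In a real deployment the signatures would be asymmetric and the validator set would itself be protected infrastructure, which is why the report's infrastructure category and its bridge discussion overlap: a verifier that is correct in code still releases funds to anyone holding a threshold of compromised validator keys.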
"Web3 projects are incredibly complex and can be attacked through multiple vectors," said Mitchell Amador, CEO of Immunefi. "The standard methodology we developed highlights the fact that infrastructural issues remain a predominant category. While a smart contract itself can be well-designed, written, and tested, the infrastructure on top of which it operates can be compromised, and lead to tremendous losses."
Immunefi is the largest and most widely adopted bug bounty platform in web3 which is trusted by established, multi-billion dollar projects like Chainlink, Wormhole, MakerDAO, TheGraph, Synthetix, and more. Immunefi has paid out the most significant bug bounties in the software industry, amounting to over $85 million, and has saved over $25 billion in user funds.
The full report and standard classification are available on Immunefi’s website. Immunefi periodically publishes a flagship industry report titled Crypto Losses. This report showcases the volume of crypto funds lost by the crypto community due to hacks and scams throughout the year. Recently, Immunefi published the Crypto Losses in Q3 2023 report. In addition, Immunefi released the Hacker Ecosystem Survey 2023, which is a survey of the whitehat community displaying the top challenges, interests, and motivations at play in the web3 security industry.
Immunefi is the leading bug bounty and security services platform for web3, which features the world’s largest bounties. Immunefi guards over $50 billion in user funds across projects like Synthetix, Chainlink, SushiSwap, Polygon, LayerZero, MakerDAO, TheGraph, Wormhole, Optimism, and others. The company has paid out the most significant bug bounties in the software industry, amounting to over $85 million, and has pioneered the scaling web3 bug bounties standard. For more information, please visit https://immunefi.com