The Web3 security situation is severe: Contract vulnerability attacks resulted in a loss of $644 million in the first half of 2022.


Web3 Security Situation Analysis: Analysis of Hacker Attack Methods in the First Half of 2022

In the first half of 2022, the security situation in the Web3 field remains severe. Through a comprehensive analysis of blockchain security incidents, we can gain deeper insights into the common attack methods used by hackers and how to effectively prevent these threats.

Overview of Security Incidents in the First Half of the Year

According to data from a certain blockchain security monitoring platform, there were a total of 42 major contract vulnerability attack incidents in the first half of 2022, accounting for 53% of all attack methods. The total losses caused by these attacks amounted to as much as $644 million.

Among the exploited vulnerabilities, logic flaws and improper function design are the types hackers exploit most often, followed by validation issues and reentrancy vulnerabilities.

"Anonymous" tactics analysis: What are the common attack methods used by Web3 hackers in the first half of 2022?

Analysis of Major Loss Cases

Wormhole cross-chain bridge attack incident

On February 3, 2022, the Wormhole cross-chain bridge in the Solana ecosystem was attacked by a hacker, resulting in a loss of approximately $326 million. The attacker exploited a signature verification vulnerability in the contract to forge system accounts and mint a large amount of wETH.


Fei Protocol suffered a reentrancy attack

On April 30, 2022, the Rari Fuse Pool of Fei Protocol suffered a reentrancy attack combined with a flash loan, resulting in a loss of $80.34 million. The attack dealt a fatal blow to the project, which ultimately announced its official shutdown on August 20.

The attacker's main steps were:

  1. Take a flash loan from Balancer.
  2. Exploit the reentrancy vulnerability in Rari Capital's cEther contract.
  3. Drain all tokens in the pool through the callback of a purpose-built attack function.
  4. Repay the flash loan and transfer out the proceeds.


Common Vulnerability Types

The vulnerabilities most often found during audits fall into four categories:

  1. ERC721/ERC1155 reentrancy: the safe transfer functions of these standards call a hook on the receiving contract, so malicious code there can be triggered and re-enter the caller, leading to a reentrancy attack.

  2. Logic flaws:
    • Special scenarios are not considered, such as transferring funds to oneself.
    • The functional design is incomplete, for example a missing withdrawal or settlement mechanism.

  3. Missing authorization: key functions such as minting and setting roles lack effective permission control.

  4. Price manipulation:
    • No time-weighted average price is used.
    • The token balance ratio in the contract is used directly as the price.
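Missing permission checks on minting and on role assignment (category 3 above) and the later recommendation to put critical operations behind multi-signature or time-lock mechanisms share one example. The Solidity below is an added illustration for this page, not code from any project it mentions; UnprotectedToken, ProtectedToken, DELAY and the function names are hypothetical. The first contract lets any caller mint; the second gates mint() behind a minter role, gates role changes behind an admin (intended to be a multisig), and forces every role change through a delay so that a compromised or hasty admin key cannot add a minter instantly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (hypothetical): a token whose mint() has no permission check,
// so any address can inflate the supply at will.
contract UnprotectedToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    // Defect: no access control on a key function.
    function mint(address to, uint256 amount) external {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

// Hardened: role-gated minting, admin-gated role changes, and a delay on role changes.
contract ProtectedToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    address public admin;                       // expected to be a multisig wallet
    mapping(address => bool) public isMinter;

    uint256 public constant DELAY = 2 days;     // assumed time-lock length
    mapping(bytes32 => uint256) public readyAt; // operation id -> earliest execution time

    event MinterScheduled(address indexed account, bool allowed, uint256 readyAt);
    event MinterUpdated(address indexed account, bool allowed);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    modifier onlyMinter() { require(isMinter[msg.sender], "not minter"); _; }

    constructor(address initialAdmin) {
        require(initialAdmin != address(0), "zero admin");
        admin = initialAdmin;
    }

    // Setting roles is itself a key function: only the admin may schedule a change,
    // and the change becomes executable only after DELAY has elapsed. The public
    // MinterScheduled event gives monitoring a window to react before it takes effect.
    function scheduleMinter(address account, bool allowed) external onlyAdmin {
        bytes32 id = keccak256(abi.encode(account, allowed));
        readyAt[id] = block.timestamp + DELAY;
        emit MinterScheduled(account, allowed, readyAt[id]);
    }

    function executeMinter(address account, bool allowed) external onlyAdmin {
        bytes32 id = keccak256(abi.encode(account, allowed));
        uint256 t = readyAt[id];
        require(t != 0 && block.timestamp >= t, "not ready");
        delete readyAt[id];                     // one scheduled change, one execution
        isMinter[account] = allowed;
        emit MinterUpdated(account, allowed);
    }

    // The key function is reachable only by an explicitly granted role.
    function mint(address to, uint256 amount) external onlyMinter {
        require(to != address(0), "zero address");
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}
```

A review checklist for this category is short: every state-changing function that mints, burns, pauses, upgrades or changes roles needs a modifier; the function that grants roles needs one too; and the account holding the admin role should be a multisig rather than a single externally owned key.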


Vulnerability Prevention Suggestions

  1. Strengthen code auditing: By using professional smart contract verification platforms and manual reviews by security experts, most potential vulnerabilities can be identified before the project goes live.

  2. Follow secure development guidelines: Design business functions strictly according to the checks-effects-interactions pattern to reduce the risk of reentrancy attacks.

  3. Improve permission management: Set up multi-signature or time-lock mechanisms for critical operations.

  4. Use reliable price oracles: Adopt time-weighted average prices to avoid easy manipulation of prices.

  5. Consider extreme scenarios: When designing contract logic, fully take into account various boundary cases and special scenarios.

  6. Regular Security Audits: Even for projects that are already live, regular security assessments and vulnerability scans should be conducted.
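Recommendation 4 and the price manipulation category are two sides of one design choice, so one example covers both. The Solidity below is an added illustration for this page, not code from any project it mentions; SpotPriceOracle, TwapOracle, the minimal IERC20 interface and the window length are assumptions. The first oracle returns the pool's live balance ratio, which any large swap within a single block can move; the second accumulates price multiplied by the seconds it was observed and reports the average over a window, so a skewed ratio that exists for one block contributes only that block's seconds to the result.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of the ERC20 interface needed here (assumption: a two-token pool
// whose reserves are simply its token balances).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Added illustration (hypothetical): price taken directly from the pool's balance ratio.
contract SpotPriceOracle {
    IERC20 public immutable tokenA;
    IERC20 public immutable tokenB;
    address public immutable pool;

    constructor(IERC20 a, IERC20 b, address p) { tokenA = a; tokenB = b; pool = p; }

    // Defect: the ratio reflects whatever the reserves are in this block. A large
    // swap (flash-loan funded or not) shifts it within one transaction, and any
    // lending or settlement contract that reads it accepts the shifted value.
    function priceAInB() external view returns (uint256) {
        uint256 rA = tokenA.balanceOf(pool);
        uint256 rB = tokenB.balanceOf(pool);
        require(rA > 0, "empty pool");
        return rB * 1e18 / rA; // B per A, scaled by 1e18
    }
}

// Hardened: a cumulative-price accumulator averaged over a fixed window.
contract TwapOracle {
    IERC20 public immutable tokenA;
    IERC20 public immutable tokenB;
    address public immutable pool;
    uint256 public immutable window;      // averaging period in seconds (assumed 30 minutes)

    uint256 public priceCumulative;       // sum of spot price * seconds it was observed
    uint256 public lastTimestamp;
    uint256 public lastSpot;

    uint256 public windowStartCumulative; // accumulator value when the current window began
    uint256 public windowStartTimestamp;
    uint256 public lastWindowEnd;         // 0 until the first window has completed
    uint256 public twap;                  // last finalized average

    constructor(IERC20 a, IERC20 b, address p, uint256 w) {
        require(w > 0, "zero window");
        tokenA = a; tokenB = b; pool = p; window = w;
        lastSpot = _spot(a, b, p);
        lastTimestamp = block.timestamp;
        windowStartTimestamp = block.timestamp;
    }

    function _spot(IERC20 a, IERC20 b, address p) internal view returns (uint256) {
        uint256 rA = a.balanceOf(p);
        uint256 rB = b.balanceOf(p);
        require(rA > 0, "empty pool");
        return rB * 1e18 / rA;
    }

    // Anyone may call this; in practice a keeper calls it periodically or it is
    // invoked from user actions. The previously observed spot is weighted by the
    // seconds it persisted, so a one-block manipulation weighs only those seconds.
    function update() public {
        uint256 elapsed = block.timestamp - lastTimestamp;
        if (elapsed > 0) {
            priceCumulative += lastSpot * elapsed;
            lastTimestamp = block.timestamp;
        }
        lastSpot = _spot(tokenA, tokenB, pool);

        uint256 sinceStart = block.timestamp - windowStartTimestamp;
        if (sinceStart >= window) {
            twap = (priceCumulative - windowStartCumulative) / sinceStart;
            windowStartCumulative = priceCumulative;
            windowStartTimestamp = block.timestamp;
            lastWindowEnd = block.timestamp;
        }
    }

    // Consumers read the finalized average, never the live balance ratio.
    function consult() external view returns (uint256) {
        require(lastWindowEnd != 0, "no completed window yet");
        return twap;
    }
}
```

The defensive property is cost, not impossibility: to move a 30-minute average materially, the skewed reserves must be held across many blocks, which a single-transaction flash loan cannot do. Consumers should still bound how far a new reading may deviate from the previous one and fall back to a second price source where the pool is thin.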


By taking these measures, Web3 projects can significantly enhance their security and reduce the risk of being attacked by hackers. However, as technology continues to evolve, new types of vulnerabilities may emerge, making it crucial to remain vigilant and continue learning.


Comments

TestnetScholar · 6h ago: It is again the result of inadequate auditing.

GreenCandleCollector · 08-02 21:31: Here we go again with the sudden death.

tokenomics_truther · 08-01 16:06: Wow, the contract has been hacked again.

SilentObserver · 08-01 16:05: It's time to brush off the losses again.

ProposalDetective · 08-01 15:42: Another wave of funds is gone.