Tongfu Shield Web3 Special Topic | SharkTeam: Web3 Security Practice and Innovation

In the Web3 field, security vulnerabilities and hacker attacks have increasingly become a focus for users and investors. How can crypto assets be kept secure, and what new attack patterns are emerging in the Web3 dark forest? SharkTeam shares its observations from the front line below.

Let’s first take a look at the statistics on the number and losses of security incidents from January to August 2023.

Because of the bear market, the total value of assets in the crypto space has fallen, and losses caused by security incidents dropped 59% year-on-year. This does not mean that the Web3 security environment is improving. On the contrary, from January to August this year the number of security incidents reached 693, an increase of 87% year-on-year, or nearly 90 incidents per month on average. The peak was July, with 187 security incidents.

Currently, smart contract security vulnerabilities, Rug Pull, and Web2-type security incidents (phishing attacks, social engineering) are the three main security risks of Web3.

There were 85 smart contract vulnerability incidents, 47% of which were logic vulnerabilities. The main causes were weak security awareness among developers and insufficiently rigorous development processes, which introduced low-level defects such as calculation errors and business logic errors. Common contract vulnerability classes such as flash loan attacks and permission management issues still account for a relatively high share, exceeding 10%. Overall, this shows that project teams lack the necessary security awareness and skills during contract development, so common and elementary problems keep recurring.

The number of Rugpull fraud incidents is growing rapidly, with 110 incidents recorded. 73% of them occurred on BNBChain, which is directly related to its low transaction costs, large user base, and the emerging Rugpull black industry chain on that network.

Web2-type security incidents are also growing rapidly. Phishing, social engineering and similar attack techniques matured in the Web2 era, and Web3 project teams and institutions tend to overlook them. Such incidents usually steal wallet authorizations, or steal mnemonic phrases and private keys directly, and then drain the user's crypto assets.

So, from the perspective of ordinary Web3 users, how should we improve our security capabilities?

First, pay attention to the security of decentralized wallets and private keys, the security of centralized exchange accounts and passwords, and the security of devices, software, and the network environment.

Second, to avoid Rugpull fraud projects, resist speculation and wishful thinking, and objectively analyze the fundamentals and data performance of any project you intend to invest in. The essence of finance is risk control.

Finally, always stay alert: do not click links or grant authorizations casually, and be aware that scams are often carried out through acquaintances.

From the perspective of Web3 project teams and institutions, the following measures are needed to protect crypto assets:

First, during the design and development stage, deliberately introduce threat modeling, secure coding, and security testing mechanisms and services, so that security construction proceeds in step with business development.

Second, before going live, carry out not only a smart contract security audit but also penetration testing of the web, API, and app sides. In the eyes of attackers, any of these business carriers can become the entry point.

Finally, establish a clear security operations mechanism during project operation, such as attack monitoring and emergency response plans, and re-run contract audits and penetration tests whenever the business code is upgraded. When a security incident occurs, the team can then detect the attack immediately, respond quickly, track the attacker's identity, and freeze assets in time.

The above are some basic but useful security construction measures that SharkTeam has summarized from its Web3 security service work, and we hope they are helpful. More importantly, Web3 offense and defense are constantly escalating, new attack methods keep emerging, and the Web3 dark forest keeps evolving. How should we respond? How can you know how to defend if you don't know how to attack? Let's first look at two typical examples.

Rugpull factory: We found multiple Rugpull factories on BNBChain, where a new black industry chain of on-chain fraud has formed. The fraud team has a clear division of labor:

(1) Intelligence collection: Dedicated to collecting hot topics in the industry, such as the recently popular Cyber, TIP, HTX, etc.

(2) Automatic token issuance: Based on trending events, tokens with the same name are issued quickly. We have observed that a single Rugpull factory address can issue 70 to 80 fake tokens a month.

(3) Fake trading volume: The fraud gang repeatedly buys and sells the same-name token on-chain to create volume and improve concealment, making it hard for users to tell the real token from the fake one.

(4) Phishing / Ponzi-style investment scams: Phishing websites or scam schemes are built to win users' trust and obtain either a wallet authorization or a real purchase.

(5) Harvesting: Once an authorization or proceeds have been obtained, a program automatically transfers out or Rugpulls the users' assets.

(6) Reinvestment: The proceeds are put into the next Rugpull project, and the operation snowballs, growing larger and larger.

New APT attack (Advanced Persistent Theft): More and more high-level hackers are appearing in the Web3 dark forest, some of them state-sponsored. The funds they obtain in the Web3 industry are converted into real-world assets through a series of new money laundering patterns, funding subsequent illegal activities. The fund transfer methods of these hackers are highly complex and covert: funds usually pass through 30 to 50 intermediate addresses and are laundered through "coin mixing" or "peeling", making them very difficult to track.

Web3 security has entered a stage of high-level, continuous network confrontation. So how should we respond to the threats of Rugpull factories and new APT attacks?

Establish a Web3 security defense system that covers the period before, during and after an incident. Security has always been a systems project governed by its weakest link: if one place fails, the whole system is breached. Therefore we need a three-dimensional defense system that improves defensive capability, attack detection capability, and emergency response capability after a security incident occurs.

Use an unlimited-depth graph analysis engine, combined with billions of on-chain labels and list data, to perform identity tracking and fund recovery against high-level hackers. A simple, easy-to-use graphical interface lowers the barrier to entry, allowing more people to carry out effective on-chain analysis, uncover more clues together, and seize the initiative in this high-level Web3 security confrontation.
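To illustrate the kind of fund-flow tracing described above (funds hopping through intermediate addresses and a mixer before reaching a labelled endpoint), here is an added example that is not part of the original article or of any SharkTeam product. The transfer records and address labels are constructed sample data; the breadth-first search reports every labelled address reachable from the origin, how many hops away it is, the path taken, and the smallest transfer on that path as an upper bound on the traceable amount.

```python
from collections import deque

# Constructed sample transfers (from_addr, to_addr, amount); not real on-chain data.
TRANSFERS = [
    ("attacker", "hop1", 100.0),
    ("hop1", "hop2", 60.0),
    ("hop1", "hop3", 40.0),
    ("hop2", "mixer", 60.0),
    ("hop3", "hop4", 40.0),
    ("hop4", "exchange_deposit_A", 40.0),
    ("mixer", "hop5", 59.0),
    ("hop5", "exchange_deposit_B", 59.0),
    ("unrelated", "hop2", 5.0),  # inbound from elsewhere; never reached from "attacker"
]

# Constructed address labels, standing in for the on-chain tag database the text mentions.
LABELS = {
    "mixer": "coin-mixing service",
    "exchange_deposit_A": "exchange deposit",
    "exchange_deposit_B": "exchange deposit",
}


def build_graph(transfers):
    """Adjacency list keyed by sender: sender -> [(receiver, amount), ...]."""
    graph = {}
    for src, dst, amount in transfers:
        graph.setdefault(src, []).append((dst, amount))
    return graph


def trace_funds(transfers, origin, labels, max_depth=50):
    """BFS outward from origin over outgoing transfers.

    Returns {labelled_address: (hops, path, bound)} where bound is the smallest
    transfer along the path (funds reaching the endpoint cannot exceed it).
    """
    graph = build_graph(transfers)
    visited = {origin}
    queue = deque([(origin, 0, [origin], float("inf"))])
    found = {}
    while queue:
        addr, depth, path, bound = queue.popleft()
        if addr in labels and addr != origin:
            found[addr] = (depth, path, bound)
        if depth >= max_depth:
            continue  # cap the hop count so a huge graph cannot run away
        for nxt, amount in graph.get(addr, []):
            if nxt not in visited:
                visited.add(nxt)
                queue.append((nxt, depth + 1, path + [nxt], min(bound, amount)))
    return found
```

Labelled addresses are not treated as terminal, so a mixer that forwards funds is reported and then followed further, matching the multi-hop laundering pattern the text describes.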

SharkTeam's Web3 security service matrix is as shown above.


About SharkTeam:

SharkTeam's vision is to secure the Web3 world. The team consists of experienced security professionals and senior researchers from around the world who are proficient in the underlying theory of blockchains and smart contracts. It provides services including on-chain big data analysis, on-chain risk warning, smart contract auditing, and crypto asset recovery, and has built ChainAegis, an on-chain big data analysis and risk warning platform. The platform supports unlimited-depth graph analysis and can effectively counter Advanced Persistent Theft (APT) risks in the Web3 world.

-END-

Shuxin Cloud, a data security application and service platform based on blockchain


Reposted from: blog.csdn.net/DCloud666/article/details/134315450