
At the start of the new year, CertiK's annual report arrived as scheduled: "Hack3d: 2023 Annual Web3.0 Security Report" was released at 10 pm Beijing time on January 3rd. This widely anticipated report reveals the latest trends in Web3.0 security through statistics and analysis of the security incidents that occurred in the Web3.0 field over the past year.
As the most detailed and authoritative security report in the industry, the "Hack3d: 2023 Web3.0 Security Report" provides comprehensive statistics and analysis of the hacker attacks, fraud and exploits that took place in the Web3.0 ecosystem throughout 2023. It is an essential guide for developers, practitioners, regulators, users and enthusiasts who want to understand the current security status, challenges and opportunities of Web3.0.
Before reading the full report, let’s quickly understand the overall security situation of the Web3.0 industry in 2023:
Annual Overview – Total Security Incident Losses Decline by more than half
A total of 751 security incidents occurred in 2023, causing $1.84 billion in asset losses, down 51% from the US$3.7 billion lost in 2022. Through statistical analysis, CertiK believes there are several reasons for this decline: the development and evolution of smart contract protocols, changes in user behavior, and upgrades to (and the effectiveness of) security measures are all closely related to the reduction in total losses. In addition, macro-level industry trends also have some impact on the number of security incidents and the losses they cause.
Data Insight
By classifying the timing, types and ecosystems of security incidents, we have found some insights worth studying:
- Losses were highest in the third quarter, and November was the heaviest month. The third quarter of 2023 saw the largest losses of the year: a total of 183 security incidents occurred, causing US$686 million in losses. In November, 45 security incidents occurred, causing US$364 million in losses.
- Private key leakage incidents caused the most losses. Although they account for only 6.3% of all incidents, they caused US$881 million in losses, nearly half of the total for the whole year.
- Ethereum had the highest total loss. In 2023, Ethereum saw 224 security incidents, causing US$686 million in losses, an average of approximately US$3 million per incident. Among all ecosystems, Ethereum did not have the most security incidents in 2023, but it suffered the highest total loss.
- Cross-chain security incidents caused heavy losses. In 2023, just 35 cross-chain security incidents caused US$799 million in losses, indicating that interoperability vulnerabilities remain a pain point for industry security.
Industry Trends
On the other hand, through comparative analysis of a series of major security incidents, we have also discovered some industry trends that have attracted wide attention:
1. "Traceable vulnerability bounty" amounts are rising, but fixing the damage after the fact is no substitute for preventing problems before they happen
In 2023, 34 security incidents recovered $219 million in losses through "traceable vulnerability bounty" negotiations with attackers, accounting for 12% of the US$1.8 billion total loss, and the negotiated return amount increased by 54% compared with previous years. CertiK believes that although this strategy can help a project recover some of its losses, Web3.0 projects clearly cannot rely on negotiating with hackers to protect asset security. It is therefore crucial to establish bounty platforms that fully motivate white-hat security experts to report vulnerabilities before an attack occurs.
If you want to know how different project teams approached "traceable vulnerability bounty" negotiations, you are welcome to read the report's detailed analysis of the follow-up handling of the Euler Finance and KyberSwap incidents.
2. Web2.0 risk spilling over into Web3.0: a long-term and ongoing challenge
On December 14, Web3.0 hardware wallet giant Ledger encountered a major security crisis. A former Ledger employee fell victim to a phishing attack. The attacker took control of the employee's NPMJS account through GitHub, uploaded malicious code to Ledger's NPMJS package, and thereby gained access to the Ledger Connect Kit and redirected wallet users to malicious websites. Ledger deployed an update within 40 minutes of discovering the problem, curbing potential follow-up threats. The attack caused approximately $610,000 in direct losses; although the amount is not huge, it has had an incalculable negative impact on Ledger's reputation.
This Ledger incident, like the XSS vulnerabilities that CertiK and WalletConnect teamed up to resolve, reminds us that although Web3.0 and blockchain ecosystems embody a decentralized spirit, current Web3.0 applications still rely heavily on Web2.0 ecosystem components such as account systems, QR codes and code repositories, and so inherit the centralized vulnerability risks of the Web2.0 era. Once an employee's account is successfully phished, it can cause huge losses to a large number of Web3.0 users. For Web3.0 security practitioners, CertiK included, finding a balance between the decentralized ideal and the practical realities of software development and maintenance is a long-term and ongoing challenge.
3. Industry regulation continues to mature
In 2023, we were delighted to see that as Web3.0 regulation gradually matures, more and more institutions are actively exploring how to combine blockchain technology with traditional businesses. Swift's efforts to promote interoperability, the work of many global banks on asset tokenization, and the exploration of stablecoins by Internet financial giants such as PayPal all show that the consensus among enterprises around blockchain technology and the Web3.0 ecosystem continues to strengthen.
On the regulatory side, many jurisdictions including Hong Kong, Singapore, Japan, the United States, the European Union and the United Kingdom have introduced stablecoin regulatory frameworks or guidelines. The CertiK team recently served as a consulting expert, providing professional advice on the formulation of the Monetary Authority of Singapore (MAS) stablecoin framework, and was recognized by MAS for it. CertiK also recently launched stablecoin security audit and compliance consulting services, and will continue to take an active part in consultations with local regulators to support the secure development of the stablecoin field and the large-scale adoption of Web3.0.
CertiK’s 2023
With the joint efforts of the entire industry, Web3.0 security made much progress in 2023. CertiK is honored to keep contributing in this field and working towards the future of Web3.0. Let's review CertiK's highlights in 2023:
In April 2023, Skynet for Community was launched, providing users with a one-stop information platform.
In May 2023, CertiK announced a partnership with Alibaba Cloud to bring blockchain security to the cloud platform.
In June 2023, the Sui Foundation awarded CertiK a bounty for discovering a major security threat to the Sui blockchain.
In July 2023, CertiK became the first Web3.0 security audit company to obtain SOC 2 Type I certification.
In July 2023, advanced formal verification of HyperEnclave, Ant Group's innovative open cross-platform trusted execution environment (TEE), was completed.
In July 2023, CertiK discovered and helped resolve security vulnerabilities in Safeheron's open source TEE solution.
In August 2023, security vulnerabilities in the Worldcoin system were discovered.
In August and October 2023, CertiK received two acknowledgements from Apple for discovering multiple security vulnerabilities in Apple's iOS kernel.
In September 2023, SkyInsights, the Web3.0 compliance and risk management product, was released.
In November 2023, formal verification of the TON main chain contract was completed, providing verification of the TON network's transactions per second (TPS).
In November 2023, several major security vulnerabilities were discovered on the Web3.0 mobile side.
In December 2023, the Cosmos Ecosystem Security Guide was released.
In December 2023, an XSS vulnerability in the WalletConnect Verify API was discovered.
In December 2023, vulnerabilities in the Wormhole and OKX mobile clients were discovered.
This is just a small part of the effort CertiK put into protecting the Web3.0 industry in 2023. Looking back at every line of code audited in 2023, every overnight tracking effort after an incident, and every analysis and piece of research, these are our commitment to and our expectations for the future world of Web3.0.
Thank you to all Web3.0 practitioners, security experts and users for walking alongside us. We believe that the gains and lessons of 2023 will become the most valuable asset in building a secure Web3.0 world.
Full report: https://indd.adobe.com/view/b4928253-6534-48d9-b9c6-9993c99a18b5