2023 Global Web3 Security Research Report: Analysis of the current status quo of ecological security

Source: Shenzhen Zero -time Technology

summary

2023 is the year of diversified innovation in the encrypted world, but behind innovation, many staggering security incidents have occurred.The Science and Technology Security Team released the “Global Web3 Industry Safety Research Report in 2023”, reviewing the global policy of the Web3 industry in 2023. The main track covers the basic concepts, safety events, losses, and types of attacks.After a detailed analysis, a safety prevention plan and measures were proposed.It is hoped that practitioners and users can understand the current status of Web3 security, improve the awareness of network security, protect digital assets, and take safety prevention measures.

1. In 2023, the total market value of the global Web3 industry has a total market value of 1.3 trillion US dollars. Affected by the industry explosion incident, the highest total market value last year was 2.4 trillion US dollars.

2. According to scientific and technological data statistics, a total of 506 security incidents occurred in 2023, with a cumulative loss of $ 11 billion.Compared with 2022, this year’s Web3 security incident increased 110, an increase of 65.3%year -on -year.

3. Six major tracks of Web3: Public chain, cross -chain bridge, wallet, exchange, NFT, and DEFI have a total of 435 security incidents, causing losses to exceed 7.983 billion US dollars.In addition, emerging fields such as Gamefi and DAO have become the object of hackers. Fraud and running incidents have continued and lost.

4. In 20123, a typical security incident of over 100 million US dollars lost a total of 3.2 billion US dollars, accounting for 29 %of the total loss of 2023.The typical representatives are: the encrypted exchange Bitzlato Lianchuang acknowledged $ 700 million in money laundering; Venusprotoco used Binance Bridge vulnerabilities to steal nearly $ 600 million in BNB; cross -chain bridge Wormhole was attacked at about $ 323 million ETH.; DFyn vulnerabilities (DEX) DFyn vulnerabilities were used, causing a loss of 300 million US dollars.

5. In 2023, the types of Web3 security incidents in the world are diverse. From the perspective of the number of security incidents, typical attack type TOP5 is: hacker attacks, security vulnerabilities, assets stolen, fishing, error permissions.From the perspective of the amount of losses, the typical attack type TOP5 is: hacking, security vulnerabilities, asset stolen, lightning loan attack, fraud.

6. The most representative regulatory case of this year is: North Korean hacker Lazarus has become the most serious APT organization affecting the Web 3 community.In 2023, the Lazarus organization caused at least $ 750 million in losses, accounting for 20%of the total stolen in the field of cryptocurrency in 2023.CERTIK analyzed five major cryptocurrency attacks in 2023, including Atomic Wallet, AlphaPo, Coinspaid, Stake.com and Coinex, causing a loss of $ 290 million.

1. Overview of the global web3 industry review and security situation

Web3 refers to a new generation of networks based on encrypted technology, which integrates various technologies and ideas such as blockchain technology, token economics, decentralized organizations, and game theory. It was proposed by Gavin Wood, co -founder of Ethereum in 2014.Web3 is built based on blockchain. From 2008, blockchain technology has developed for more than 15 years.The outbreak of the Web3 industry in 2023 is inseparable from the accumulation of the blockchain production industry for many years.

From the perspective of the user’s perspective, the web3 ecology can be divided into basic layers, application layers and third -party services.The basic layer is dominated by the public chain, cross -chain bridge, and alliance chain, and provides network infrastructure for Web3; the application layer is mainly APP (central application) and DAPPApplications that come to interact include trading platforms, wallets, DEFI, NFT, Gamefi, DAO, storage and social software.The basic and application layers promote the prosperity of the Web3 ecosystem, but also bring huge security risks to Web3.The service ecology is the third party of the web3 industry. Among them, media, educational incubation and investment institutions provide help to the industry. Security service institutions such as zero -time technology are an indispensable part of WEB3 security protection.

As of December 2023, according to COINMARKETCAP data statistics, the total market value of the global web3 industry has a total market value of 2.4 trillion US dollars. Affected by the industry explosion incident, the highest total market value last year was 2.97 trillion US dollars, and this year has declined.Although the total market value fluctuates, the scale of the overall assets is continuously expanding.Due to the fast rhythm of the industry, the weak user safety awareness, the supervision of supervision, and the prominent security issues, the web3 is becoming a “cash machine” of a hacker.

According to scientific and technological data statistics, a total of 506 security incidents occurred in 2023, with a cumulative loss of $ 11 billion.Compared with 2022, this year’s Web3 security incident increased 116, an increase of 38%year -on -year.Among them, there were 152 security incidents of public chain, cross -chain bridge, wallet, exchanges, NFT, and DEFI, which caused a loss of more than $ 4.08 billion.

In addition to the above six major tracks, there are 354 other safety events, with a loss of 6.92 billion US dollars. For example, emerging fields such as GameFi and DAO have become the objects of hackers.With the enlisation of multiple giants and NFT, in the future, the size of the assets on the chain will continue to grow, and the number of Web3 network security infringement may continue to soar.

According to scientific and technological data statistics, in 2023, of the six major tracks of the global Web3 ecology in 2023: 13 security incidents occurred in the public chain, a total of about 280 million US dollars; 18 security incidents of cross -chain bridges, a total of 1.21 billion US dollars; exchanges on the exchange; exchanges;There were 19 safety incidents, a total of 1.208 billion US dollars; 35 safety incidents in wallets, a total of $ 600 million in losses; 21 security incidents of DEFI, a total of $ 720 million in losses; 43 security incidents in NFT, loss of more than $ 62 millionEssence

Judging from the number of safety incidents that occur in major tracks, the NFT security incidents are the most, which is inseparable from the popular track of the 2023 industry.On the other hand, due to the increase in the number of people entering the web3 industry, wallets and DEFI have become the hardest hit areas of security incidents.From the perspective of the amount of losses, cross -chain bridges ranked first and suffered the most losses.

In 2023, from the number of security incidents in the global web3, the typical attack type TOP5 is: hacker attack, accounting for 47%; assets stolen, accounting for 29.6%; security loopholes, accounting for 20.1%; fishing attacks, accounting for 13.8 percentage of 13.8%; Error permissions, accounting for 13.4%.

From the perspective of the amount of losses, the typical TOP5 of the global Web3 security incident is: hacker attack, the amount of loss is US $ 6.05 billion; security vulnerabilities, $ 4.8 billion in losses; assets were stolen, losses were $ 3.04 billion; Lightning Loan attacks, losses, losses, lossesThe amount is US $ 1.26 billion; fraud, the loss amount is US $ 750 million.

It is worth noting that multiple security incidents that occurred in 2023 were not only attacked, but some incidents may occur at the same time as assets, private keys, hackers, private key leaks, and security loopholes.

Note: The main attack type interpretation is as follows

Asset stolen: virtual currency stolen, platform stolen platform

Hacker attack: multiple types of attacks such as hackers

Information leakage: private key leak, etc.

Security vulnerability: contract vulnerabilities, function vulnerabilities

Error permissions: System permissions setting error, contract permissions error, etc.

Fishing attack: Internet fishing

Price manipulation: price manipulation

According to the monitoring news of the technology blockchain security information platform at zero, a typical security incident of over 100 million US dollars in 2023 lost a total of US $ 3.2 billion, accounting for 29%of the total loss of 2023.

2. Global web3 regulatory policy

In 2023, the next -generation Internet WEB3 based on blockchain ushered in the peak of growth. Facing this emerging industry with fintech characteristics, global governments and regulators pay close attention to it.WEB3 applications are widely used, global distributed collaboration, and high technical content, coupled with the inadequate definitions of the development direction and digital assets of the web3 industry and its internal regulatory agencies, have brought huge challenges to global financial supervision.In 2023, financial crimes, hackers attacks, fraud ransom, and money laundering are frequent, with huge amounts, serious losses, and extensive impact.In order to ensure the security and compliance of Web3, countries have issued regulatory policies.

From the perspective of the global overall regulatory policy of Web3, investors’ protection and anti -money laundering (AML) is a global consensus. The acceptance and supervision of cryptocurrency exchanges is largely different.The US Congress proposed that “ensuring that web3 occurs in the United States” is accelerating regulatory innovation; the policies of the EU countries are relatively clear and active; Japan, Singapore, and South Korea are affected by the thunderstorm incident and rigorous supervision; mainland China still encourages blockchain technology applicationsIt is strictly forbidden for financial institutions and payment organizations to participate in virtual currency transactions and illegal fundraising, and increase the crackdown on cryptocurrency criminal incidents.Hong Kong, China, comprehensively supports the development of virtual assets and implements a license system; the UAE is the most active in the world and embrace cryptocurrency assets.For NFT, stablecoin, DEFI, asset agreements, and DAO fields, the world is in a state of supervision and exploration.

Third, 2023 web3’s ecological security status quo

Web3 is a relatively special industry. The most prominent feature is the management of a large number of digital encrypted assets. All the assets that are tens of millions of assets are on the chain.Who is the owner of the asset.If an application or agreement is attacked by a hacker in ecology, it may cause huge losses.With the rapid development of the ecology, various new types of attack methods and fraud methods have emerged endlessly, and the entire industry has moved forward in a safe edge of security.The technology security team has observed statistics on the types of attacks in Web3. At present, there are mainly the following types of attack types that threaten Web3 security: APT attacks, social workers fishing, supply chain attacks, lightning loan attacks, smart contract attacks, web -side vulnerabilities attack, Zero Day (0DAY) vulnerability, Internet fraud.

Next, we will from the infrastructure public chain, cross -chain bridge, applied app and DAPP representatives: trading platforms, wallets, DEFI, NFT, regulatory anti -money laundering, web3 security education angle, to analyze 2023 Web3 ecological security of various ecological security in 2023Status, interpret the attack event, and give corresponding security measures for each ecology.

1. Public Chain -WEB3 Ecological Safety Life pulse

The public chain is the infrastructure of the web3 industry. It carries the agreement, application and asset accounts of the entire industry. With the strong needs of public chain performance, interoperability, compatibility, and expansion in the industry, the development of multi -chain development is strong.The problem is urgent.

According to the incomplete statistics of science and technology, as of December 2023, there are currently 194 public chains.From the perspective of the number of public chain ecological applications, according to ROOTDATA data, Ethereum, 2203 applications, Polygon, 1301 applications, BNB Chian, 1239 applications, ranking in the top three, new public chains such as Solana, Avalanche, ICP are closely chasing closely chasing closely pursuitSubsequently, rapid growth trends.

From the perspective of the public chain ecological market value, according to Coingecko data, Ethereum, BNB Chain, and Solana ecology ranks among the top three for US $ 334.3 billion, $ 47.7 billion, and $ 42 billion.At present, the total market value of the public chain ecology has exceeded trillions of dollars, and such a huge capital temptation has made hackers watch it.

As of December 2023, according to scientific and technological data statistics, there were 13 security incidents in the public chain travele, with a cumulative loss of assets exceeding 280 million US dollars.

From the perspective of quantity, the types of attacks in the public chain are: hackers attack, assets, security vulnerabilities, Lightning loan attacks and fraud, and their corresponding proportion is 46.1%, 30.7%, 23%, 15.4%, 15.4%.From the perspective of the amount of losses, hacking attacks caused the highest loss at 167 million US dollars, accounting for 60.1%; security vulnerabilities caused the second to rank second, US $ 131 million, accounting for 46.7%.(Note: Some projects have suffered a variety of types of attacks)

According to the monitoring message of the science and technology blockchain security intelligence platform, the following figure is a typical case of some 2023 public chain attacks:

Public chain security risks and measures suggestions

At the analysis of the technology security team of zero time, the security risks of public chain are mainly from the following three points:

1)Technical complexity:There are many technical fields and many safety risks.

2)Developers uncertain:The code is written by the developer, and the process will inevitably appear loopholes.

3)Open source vulnerability transparency:The public chain code is open source, and hackers find vulnerabilities more convenient.

At the time of zero, the technical security team has the following four points: the following four points:

1) Before the main network, we need to set up a wealth of security mechanisms for the risk points of the public chain:

In terms of P2P and RPC, you need to pay attention to hijacking attacks, refuse service attacks, errors of authority configuration, etc.;

In the consensus algorithm and encryption, you need to pay attention to 51%attack, expand the attack attack, etc.;

In terms of transaction security, you need to pay attention to fake recharge attacks, transaction heavy attacks, malicious backdoor, etc.;

In terms of wallet safety, you need to pay attention to the security management of the private key, the safety monitoring of assets, and the safety risk control of transactions;

In terms of relevant staff of the public chain project, it is necessary to have good awareness of security, office safety, and development safety.

2) A audit of source code and smart contracts to ensure that the principles and obvious loopholes are made up:

The source code audit can be a full amount or some module.The technology security team has a complete set of public chain security test standards. It adopts the security test of the target code with the strategy of artificial+tools. It uses open source or commercial code scanner to check the quality of the code, combines artificial security audit, and security vulnerabilities.Support all popular languages, such as: C/C ++/C#/Golang/Rust/Java/Nodejs/Python.

3) After the main network is online, conduct real -time safety testing and early warning system risks;

4) After the hacking incident occurs, the traceability analysis is used in a timely manner to find out the problem and reduce the possibility of attack in the future; quickly track the surveillance loss flow of monitoring and find assets as much as possible.

2. Cross -chain bridge -a new type of withdrawal machine for hackers

Cross -chain bridge, also known as blockchain bridge, connects two blockchain, allows users to send cryptocurrencies from one chain to another.Cross -chain bridges perform capital cross -chain operations by enabling token transfer, smart contracts and data exchange and other feedback and instructions by the two independent platforms.

As of December 2023, according to data statistics from Dune Analytics, the total lock value (TVL) in Ethereum’s main cross -chain bridge in Ethereum was approximately US $ 6.5 billion.The highest current TVL is Polygon Bridges, which is US $ 2.99 billion, Aritrum Bridge followed closely, US $ 2.04 billion, and Optimism Bridges ranked third, US $ 1 billion.

With the growth of the program on the blockchain and the chain, the needs of multi -chain funds is urgent. The synergy of cross -chain bridge can make each blockchain exert greater synergy potential.Provides another door.Due to the characteristics of cross -chain bridge transmission of assets, once problems such as locking, casting, destroying, and unlocking are issues, they will threaten user asset security.It seems that it is not complicated to transfers the transfer operation, but in multiple cross -chain bridge projects, there have been security vulnerabilities in different steps.

According to scientific and technological data statistics, as of December, the cross -chain bridge had 18 security incidents due to attacks, and the cumulative loss assets were US $ 1.21 billion.

In 2023, the cross -chain bridges lost 5 in security incidents were: Harmony, Wormhole, Multichain, AAVE FORK, and Heco, respectively: $ 350 million, US $ 210 million, $ 150 million, and $ 100 million, respectively.

From the perspective of the number of security incidents, the types of cross -chain bridge attacks are mainly: hacking attacks, asset stolen, security loopholes, error permissions and lightning loan attacks, respectively, accounting for 61%, 33%, 28%, 17%, and 11 respectively%.From the perspective of the amount of losses, the proportion of hackers is the largest, 55%; assets are stolen, accounting for 29%; security vulnerabilities account for 14%, ranking third.

The following figure shows some typical cross -chain bridge attack cases in 2023:

Cross -chain bridge security risk and measure suggestions

At the time of zero, the technology security team obtained from many attacks on cross -chain bridges that there were many attacks with the signature before cross -chain, and there were official stolen incidents caused by the official horse tiger.For more and more cross -chain projects and project contract safety, the following safety measures are given at zero -time technology:

1) A safety audit of the contract before the project is launched;

2) The contract call interface needs to be strictly check its adaptability;

3) When the version is updated, the relevant interface and signature security need to be re -evaluated;

4) Strict review of cross -chain signatures is needed to ensure that the signature is not controlled by malicious personnel.

3. Trading platform -the source of huge temptation

Web3’s trading platform is also called digital currency exchanges or cryptocurrency exchanges. It is an important part of the blockchain industry. It provides services for transactions between digital currencies and legal currencies between different digital currencies.The main place of circulation.

According to Coingecko data, as of December 2023, there were 887 cryptocurrency exchanges, of which 224 centralized transactions were all 224, with a total transaction volume of $ 8 billion; 663 decentralized transactions, total trading 24 -hour transactionsThe volume is 3.7 billion US dollars; 94 derivative products exchanges, with a 24 -hour transaction volume of 1.93 trillion US dollars.

Data show that the top 10 exchanges in the 24 -hour transaction volume are: Binance, Bybit, Coinbase Exchange, OKX, MEXC, Gate.io, Kraken, Kucoin, Bitfinex, Binance US.Among them, Binance ranked first with 24 trading volume of 13.595 billion.

The top 10 decentralized exchanges in the transaction volume are: UNISWAP V3 (Ethereum), ORCA, Uniswap V3 (Arbitrum One), Pancakeswap (V3), CURVE (Ethereum), UNISWAP (Ethereum), Thorwal Let dex, Thorswap, Raydium, Ferro Protocol, of which Uniswap occupied more than ten in its own strength.

According to zero -time science and technology data unification, in 2023, 19 security incidents occurred on cryptocurrency exchanges, and the cumulative loss of assets exceeded US $ 1.2 billion.

According to statistics from the science and technology blockchain security threat intelligence platform, in 2023, the trading platform of the TOP6 loss of security incidents was: Curve, Coinbase, OKX, Platypus Finanace, Uniswap, Coins.ph, the amount of losses was 440 million US dollars, respectively, respectively, respectively, respectively.$ 360 million, $ 180 million, $ 100 million, $ 60 million and $ 40 million.

From the perspective of the loss distribution of security incidents in various transaction platforms, Couve accounted for 36.6%, Coinbase accounted for 30%, Platypus Finanace accounted for 15%, ranking the top three.

According to the statistics of science and technology data, from the perspective of the number of security incidents, the types of attacks on the trading platform are mainly hackers’ security vulnerabilities, asset stolen, fishing attacks, and lightning loan attacks, respectively, accounting for 59%, 31.8%, 27%, 9, 9, and 9%, 9%.From the perspective of the distribution of losses, hacking accounts for 59%, which is the main type of security incidents. Security vulnerabilities account for 40%, and assets are stolen by 33.3%.

The figure below shows a typical case of some security incidents in the 2023 Exchange:

Suggestions and measures for security risks and measures of trading platforms

回顾以往所有交易所的安全事件，零时科技安全团队认为，从一个交易平台整体安全架构来看，交易平台面临的安全风险主要有：开发、服务器配置、运维、团队安全意识、内部人员、Market and supply chain risk.

The science and technology security team has published “Blockchain Security Beginning and Real War”, which has comprehensively and detailed analysis of the security issues of the cryptocurrency trading platform.Including the steps of penetrating tests, such as information collection, social engineering, etc., various attack surfaces have also been introduced, such as business logic, input and output, security configuration, information leakage, interface security, user certification security, APP security, etc.

For exchanges’ security risks, the science and technology security team gives the following measures for suggestions:

From the perspective of the trading platform:

1) Cultivate the safety awareness of internal personnel, strengthen the production environment, testing environment, and commissioning environmental security isolation of the exchange, and try to use professional network security protection products as much as possible.

2) Through cooperation with professional security companies, conduct code audit and penetration tests to understand whether the system has hidden vulnerabilities and security risks, and establish a sound and comprehensive security protection mechanism.In daily operations, conduct regular safety tests to strengthen safety and reinforcement work.

3) Upgrade the key structure and risk control measures of the account, establish an appropriate multiple signature key structure and establish a strict risk control and detection and early warning mechanism to strengthen the safe reinforcement of hot and cold wallets in the rear, such as controlling the frequency of transfer, large transfer, and large amounts of transfers.Cold and cold wallet isolation.

Because most users use exchanges for transactions, they are more often acting as wallet stored digital assets.

therefore,From a user perspective:

1) Do not install unknown software at will.

2) The computer server should avoid opening the unnecessary port. The corresponding vulnerabilities should be patch in time. The host recommends that the effective and reliable anti -virus or other security software should be installed, and the mining script isolation plug -in is installed on the web browser.

3) Don’t click the unknown link issued by the stranger at will.

4. Wallet -Cocuna asset management injury

Web3’s wallet is the blockchain digital wallet, also known as cryptocurrency wallet or digital asset wallet. It is a tool for storing and managing and using digital currency. It has a pivotal position in the blockchain field. It is the entrance to users to contact digital currencies.Today, with the development of ecology, digital wallets have become a multi -chain and multi -asset management platform.

According to statistics from the science and technology blockchain security threat intelligence platform, as of December 2023, the number of digital wallet projects has a total of 153.According to Blockchain.com statistics, more than 400 million people around the world are using crypto assets in 2023.Among them, users with encrypted wallets reached 81 million in 2022, and by November 2023, the number of encrypted wallet users had reached 221 million, and the number was exponentially increased.

As the entrance to the web3, wallets have long become the “fragrant” in the eyes of hackers.According to scientific and technological data statistics, in 2023, there were 35 security incidents in digital wallets, and the cumulative loss of assets exceeded $ 600 million.

In 2023, the wallet safety incident that was attacked by TOP5 mainly came from: Bitkeep, Solana, Cropto.com, Transit, Bable Finanace, respectively: $ 200 million, $ 130 million, $ 120 million, $ 100 million and 40 million.Dollar.Among them, Bitkeep has the highest losses.

According to the statistics of scientific and technological data at zero, from the perspective of the number of security incidents, the types of attacks of digital wallets are mainly: hackers attack, asset stolen, security vulnerabilities, fishing attacks and fraud, accounting for 44.9%, 35.5%, 27%, 13.4, 13.4%, 9.8%.The attack is the highest, ranking first.

Among them, the proportion of safety incidents corresponding to each major attack type accounted for: hackers caused the highest loss, accounting for 48.2%; security vulnerabilities caused the second, accounting for 41%;Essence

Wallets are attacked and are generally divided into two cases.One is the institution’s wallet, and the other is a personal wallet.

Digital wallet safety risk and measure suggestions

After the analysis of the technology security team of zero time, the blockchain digital wallet exists in various forms.The main safety risks include but not limited to the following aspects:

Institutional side:The safety risks of the operating environment, the security risk of network transmission, the security risk of the document storage method, the application of its own security risks, and the security risk of data backup.

User side:Facing private key loss or stolen: such as camouflage customer service to deceive private keys, hackers upgraded targeted attacks through wallets to collect user aid words, send malicious QR codes to guide customers to transfer assets, and stole the information on the cloud platform through attacking customer storage information.Pick -up key/assistant words, malware, airdrop deception, online fishing, other fishing (pre -sale, APP download, medium -signed trap) and other risks.

How to protect wallet safety in the face of these risks?

Suggestions from the institutional side, zero -time technology security team:

Regardless of whether it is centralized or decentralized, software wallets or hardware wallets must have sufficient security testing in terms of security. For security audits for digital wallets, the technology security team at zero time includes but not limited to the following tests:

1. Network and communication security tests. The network node should achieve the function of timely discovery and resistance to the network attack;

2. The operating environment of the wallet is safe. Wallets can detect major vulnerabilities in the operating system, virtual machine detection, and complete detection; digital wallets need to have third -party program hijacking detection functions to prevent third -party procedures from hijacking wallets to steal relevant user informationEssence

3. The wallet transaction is safe. All transactions issued by the wallet must be signed. When signing the signature, the private key must be decrypted by entering the payment password. After the transaction signature is generated, the private key in the memory must be removed.wait.

4. Wallet log Safe. In order to facilitate the user’s audit wallet operation behavior and prevent abnormal operation and unauthorized operation, the wallet operation log is required. At the same time, the wallet log must be processed by desensitization, and it must not contain confidential information.

5. Node interface security audit. The interface needs to sign the data to prevent hackers from being tampered with data; interface access needs to add token certification mechanisms to prevent hackers from being replayed; node interface needs to limit the user connection rate to prevent hackers from simulating user usersOperation performs a CC attack.

For the user side, the science and technology security team suggestion:

1) Do a good job of private key storage measures: If the private key is used to copy and back up, or use social networks such as cloud platforms and mail to transmit or store private keys.

2) Use a strong password and start two -step verification MFA (or 2FA) as much as possible to maintain a sense of security awareness at all times.

3) Pay attention to verifying the Hash value when updating the program version.Install anti -virus software and use the firewall as much as possible.Monitor your account/wallet and confirm that there are no malicious transactions.

4) Among them, the hardware wallet is suitable for users with large digital assets and require higher security protection levels.The usual suggestions are to use software wallets to save their own small assets for daily use and hardware wallets to save large assets, which can achieve both convenience and security.

What if the funds are stolen?

If an unintentional authorization operation occurs, before the funds are stolen, the wallet funds are transferred out as soon as possible and the authorization is canceled.The team tracked assets.

5. DEFI -WEB3 safe and severely disaster area

Defi Full name: Decentralized Finance, generally translated into distributed finance or decentralized finance.DEFI projects are generally divided into five categories: prophecy machines, DEX, mortgage lending, stable currency assets, and synthetic derivatives.

TVL full name: Total Value Locked is the total lock value.The total assets mortgaged by users are one of the most important indicators to measure the development of DEFI. Generally, the better the TVL growth represents the project development.

Data statistics from the science and technology blockchain security threat intelligence platform. As of December 2023, a total of 1,297 DEFI projects.According to DEFI LLAMA data, the total locking value of Defi reached US $ 39.051 billion.Among them, Ethereum accounted for 58.59%, ranking first with TVL of $ 23.02 billion, followed by TRON, accounting for 11.1%, ranking second with TVL of $ 4.036 billion.The dollar TVL ranked third.Many emerging public chains such as Avalanche, Playgon, and Optimism, etc. have attracted a large number of users and funds to settle the ecology on the rapid development of the DEFI.

DEFI’s outstanding smart contract security problem has become the biggest challenge in the Defi industry.In addition, no DEFI service provider or regulatory agency can refund the funds for wrong transfer.When a hacker finds other aspects of smart contracts or DEFI services, it is not necessarily a DEFI service provider to compensate investors. In addition, many hidden interconnections may cause a series of financial accidents.

According to the statistics of scientific and technological data at zero, as of December 2023, a total of 24 DEFI security incidents occurred, with cumulative loss of assets exceeding 720 million US dollars.

From the perspective of the number of DEFI security incidents that occur in each ecology, 6 occurred in the Ethereum ecology, respectively, accounting for 25%, ranking first, and 5 (BNB CHIAN) from BSC (BNB CHIAN), accounting for 20%, accounting for 20%, and the proportion is both.It was 24%, ranked second, and 3 occurred in the Solana ecosystem, accounting for 15%, ranking third.

From the perspective of the loss distribution of security incidents in each DEFI, the top three public chain ecology is that the loss of the Ethereum ecological DEFI incident exceeded US $ 216 million, accounting for 30%, ranking first; Solana ranked second, with a loss amount of 1.44$ 100 million, accounting for 20%; BNB CHAIN ​​ranks third, with a loss amount of US $ 130 million, accounting for 18%.It can be seen that the more active the ecology is, the more the hacking is, and the losses are the most prominent.

According to the statistics of scientific and technological data, from the perspective of DEFI attack types, it is mainly: hacking, asset stolen, lightning loan attack and security vulnerabilities.Among them, the distribution of security incidents corresponding to the main attack types accounted for: 50%of hackers’ attacks, ranking first; security vulnerabilities accounted for 29%, ranking second;; Lightning Loan attack accounted for 16%, ranking fourth.

Judging from the distribution of main attack type loss, hackers have caused the highest loss, accounting for 48.6%, assets were stolen, accounting for 34.7%, and security vulnerabilities ranked third, accounting for 43%.

DEFI security risk and measure suggestions

In the face of multiple security risks, the DEFI project is divided from the group, which are the project side (agreement execution) and user end; from the type of security category, the combined security of each protocol, including some defects between the combinations, and some of the defects between the combinations.Smart contract security, open source security, high yields accompanied by high risk, lack of supervision, etc. Some security issues caused by supervision.

From the perspective of security audit, the risk faced by the DEFI project is shown in the figure below:

From the execution process of the agreement, the DEFI risk includes:Intelligent contract attack risks, design problems in economic incentives, storage risks, reorganization of the original agreement, and lack of privacy.

From a user perspective, the risks faced by DEFI users are:Technical risk: There are vulnerabilities in smart contracts, which are attacked by security; liquidity risk: The liquidity of the platform is exhausted; key management risks: The private key of the platform may be stolen.Risk of safety awareness: Fishing, encountering arbitrage running scam projects, etc.

The science and technology security team suggested that as a project party and users, the risk can be dealt with from the following four points:

1) When the project party is launched on the DEFI project, he must find a professional security team to do a comprehensive code audit, and find multiple joint audits as much as possible.Losses.

2) It is recommended that users must do a good job when they participate in these projects. They must have a certain understanding of this project, or it depends on whether it has undergone safety audit before going online.

3) Increase personal security awareness, including the behavior of Internet access, asset preservation, and wallet use habits to develop a good habit of security.

4) High -yields and risks of the project. Participation needs to be cautious, do not understand the project, try not to participate, and avoid losses.

6. NFT -Pond of Fishing Attack

NFT is the abbreviation of Non-FUNGIBLE token. It is a non-homogenized token based on the blockchain. At the same time, it is a unique digital asset stored on the blockchain. It is often used as an electronic certification or voucher for the ownership of virtual commodities.Can be purchased or sold.

According to NFTSCAN data, as of December 31, there were 4,624 NFT projects, totaling 1,476,479,394 NFT.At present, the total market value of NFT has reached 25.6 billion US dollars, and the holders reached 4.7338 million.From the perspective of the market value distribution of various projects, PFP (PICTUREF ProOF), that is, the market value of Personal Data Pictures NFT is far ahead. This is also the NFT with the most use scenarios, followed by collectibles.Looking at NFT assets and contracts from the current eight mainstream public chains, Polygon is far ahead of the number of assets and contracts.

From the perspective of the transaction scale: Among the top 10 NFT trading platforms ranked in the top 10 in 24 hours, Blur ranked first, OKX NFT followed closely, Opensea ranked third.From the perspective of a dealer, in the market with the top 10 markets in 24 hours, Blur ranked first, OKX NFT ranked second and Opensea ranked third.

As the value of NFT was highlighted, hackers also stared at this fat.Although the entire encryption market is currently undergoing a fierce trend of shocks, the popularity of NFT is not reduced.

According to incomplete statistics from science and technology, as of December 2023, there were 44 security incidents in the NFT track, and the cumulative loss of assets was about $ 62 million.

From the perspective of the type of attack of the NFT track, it is mainly: hacking, security vulnerabilities, assets stolen, fishing attacks, and the number of safety events accounted for 50%, 35%, 25%, and 23%, respectively.

From the perspective of the main attack type loss amount of NFT, hacking attacks caused the most losses, accounting for 50%; assets were stolen, accounting for 30%; security vulnerabilities ranked third, accounting for 30%.

NFT security risk and measure suggestions

Currently on the NFT track, hacking methods are diverse.Divide in groups, the objects facing risks are generally platforms and users.

For centralized platforms, the security risks that may face are:Account risk, commercial competition risk, security awareness risk, internal personnel risks, market risks, etc.

For the user side, Discord attack has become the main attack method of this year.

For the above security risks, the science and technology security team gives the following measures at zero:

For ordinary users,To protect your Discord, you need to pay attention to the following points: to ensure that the password is safe enough, use the alphabetic digital special characters to create a long random password; open the 2FA identity verification, although the password itself is complicated, but cannot be protected by one way; do not click from the unknown unknownSendor or a linked link, consider restricting who can make private messages with you; don’t download the program or copy/paste the code you don’t know; don’t share or share your authorization to the screen;People or you cannot verify the QR code of its legitimacy.

For the server owner:Review your server permissions, especially for higher -level tools such as Webhook; when making any changes, keep an official server invitation to update and see on all platforms, especially when most new server members come from communities other than Discord;Similarly, don’t click suspicious or unknown links!If the account is invaded, it may have a greater impact on the management community.

For projects:It is recommended that contracts strictly judge the rationality of users entering the purchase quantity; it is recommended that contracts restrict the possibility of zero funds to purchase NFT; it is recommended to strictly distinguish the NFT Token of the ERC721 and ERC1155 protocols to avoid the official case of counterfeiting Discord.At present, multiple chat software will find malicious MINT links, and many user funds will be stolen. In order to avoid such incidents of currency stolen, it is recommended that you verify the reliability of the link source when performing MINT operation. At the same time, ensure the content of the transaction and the content of the transactionExpectation is consistent.

7. Safety Education-Web3 Security Shield

All well -known Sohu employees have encountered salary subsidies for fishing email fraud cases that many companies can realize that if the awareness of network security does not improve, various security incidents such as commercial secrets in the future will inevitably affect the development of the enterprise.The web3 decentralized self -organized participation method made individuals realize that if the awareness of security is not improved, it will be reduced to a hacker withdrawal machine.

At present, the market has many ways such as television dramas, movies, communities, and other methods to improve personal network security awareness. At zero, technology has also preached hundreds of network security knowledge on each platform.

In addition, there is also a self -developed safety awareness assessment management platform at zero -time technology., Help enterprises build a private cloud -based network security awareness assessment management platform, integrate the theoretical system, fishing drills, host testing, management assessment, and scene customization systems, and realize the continuous and systematic system of enterprises to improve the awareness of network security.In addition, based on the professional strength of the zero -time technology security team, it is also a solid security shield for corporate network security consulting and training services.

Conclusion

Because of its huge innovation capabilities and open source advantages, web3 has become a booming new generation of network infrastructure, bringing more credible and more credible ecosystems to the entire Internet world.Although the security incidents of the web3 industry have continued, and hackers and criminals have emerged endlessly, this does not hinder the healthy development of the Web3 industry.

On the contrary, just like the two parties in the game, the “white hat” of the web3 world, a security institution like our zero -time technology, will definitely escort this lush ecology, protect the assets of new world users, fight with hackers, and fight for wisdom.Establish more comprehensive mechanisms, stronger technical systems, and more secure transactions without continuous efforts.

The loopholes are often, safe and priceless, and the game of development and security will not stop. I hope we can install a security shield for ourselves to cope with this complex technology world in the future!