Analysis of Web3 Hacker Attack Methods in the First Half of 2022: Contract Logic Vulnerabilities as the Main Target
Web3 Security Situation Analysis: Analysis of Hacker Attack Methods in the First Half of 2022
In the first half of 2022, the Web3 sector experienced several major security incidents, resulting in substantial losses. This article will conduct an in-depth analysis of the attack methods commonly used by hackers during this period, explore which vulnerabilities were most frequently exploited, and discuss how to effectively prevent them.
Losses Caused by Vulnerability Attacks in the First Half of the Year
Data shows that there were a total of 42 major contract vulnerability attack incidents in the first half of 2022, with total losses reaching as high as 644 million USD. Among all the exploited vulnerabilities, improper logic or function design was the type most commonly exploited by hackers, followed by validation issues and reentrancy vulnerabilities. These attacks accounted for approximately 53% of all incidents.
Major Loss Event Analysis
Wormhole cross-chain bridge attacked
On February 3, 2022, a certain cross-chain bridge project was attacked, resulting in a loss of approximately $326 million. The hacker exploited a signature verification vulnerability in the contract to successfully forge system accounts to mint tokens.
Fei Protocol suffered a flash loan attack
On April 30, 2022, a lending protocol suffered a flash loan reentrancy attack, resulting in a loss of $80.34 million. This attack dealt a fatal blow to the project, ultimately leading to the announcement of its closure on August 20.
The attacker exploited the reentrancy vulnerability in the protocol by following these steps:
Common Vulnerability Types
During the audit process, the most common vulnerabilities can be divided into four main categories:
Actual Vulnerabilities Exploited and Audit Recommendations
Data shows that the vulnerabilities discovered during the audit process have almost all been exploited by hackers in real scenarios, with contract logic vulnerabilities remaining the main attack target.
Through professional smart contract verification platforms and manual audits by security experts, most of these vulnerabilities can be promptly identified during the auditing phase. Security experts can provide corresponding remediation suggestions after evaluation, helping project parties enhance contract security.
In summary, contract security auditing is crucial for Web3 projects. Project teams should prioritize security issues and conduct comprehensive security audits in a timely manner to prevent potential attack risks.