A report by CertiK has tallied the number and value of security incidents in Web3 for the second quarter of 2023.
The overall loss of $313,586,528 recorded in the second quarter is roughly level with the preceding quarter and represents a 50% decrease compared with the same quarter of the previous year. The average loss per incident also fell slightly.
Across the second quarter of 2023, losses from oracle manipulation fell substantially while losses from exit scams rose, reflecting a shift in attackers’ tactics.
The steady decline in the value taken from Web3 users and investors is a positive sign. While it is hard to attribute it to any single development, efforts to educate users and builders about the necessity of security have paid off.
A rise in asset prices would enhance the nominal worth of successful exploits once more, but headway is being made.
While on-chain occurrences were relatively quiet during the quarter, big events occurred off-chain. The SEC filed charges against the two largest cryptocurrency exchanges.
As the sector grows, incidents such as the large MEV bot exploit and the discovery of the HamsterWheel vulnerability on the Sui blockchain highlight the ongoing need for continual research, preventive security measures, and vigilance. Still, with each obstacle overcome, we move a step closer to a safer Web3 ecosystem.
Malicious Validator Takes Advantage of MEV Bots
A hostile validator exploited multiple MEV bots at the beginning of April, resulting in a loss of more than $25 million for the bots. This is the most significant strike against automated trading bots to date.
MEV is short for “miner extractable value” (or “maximum extractable value”): the profit a miner (or a validator in a proof-of-stake system) can earn by using their control over the ordering of transactions within a block.
Because pending transactions are visible in the mempool, a party with that ordering power can front-run user transactions, which enables a range of MEV attacks, including the well-known sandwich attack.
In a sandwich attack, the MEV bot “sandwiches” a user’s buy order between its own front-run and back-run transactions to capture the price movement it causes.
A sandwich attack consists of four steps:
- A trader submits a buy order.
- The MEV bot spots the pending order and places a larger buy order ahead of it: the front-run.
- The trader’s order executes at the now-higher price, so they pay more for their tokens.
- The MEV bot sells its position at the higher price: the back-run.
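The four steps above can be played out against a toy constant-product pool to see where the trader’s loss comes from and what the trader-side control is. The following is an added illustration, not code from the CertiK report or from any DEX: the pool, reserves, trade sizes and the `minAmountOut` check are all constructed assumptions (no fees, floating-point math), chosen only to make the mechanics visible. The point it demonstrates is that the slippage tolerance a trader submits bounds the damage: with a tight bound the sandwiched trade reverts and the bot gains nothing, while a loose bound hands the price difference to the bot.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Minimal constant-product AMM (x * y = k) with no trading fee.

    Constructed for illustration; real pools charge fees and use integer math.
    """
    reserve_in: float    # token the trader pays with
    reserve_out: float   # token the trader wants to buy

    def quote(self, amount_in: float) -> float:
        """Output amount for amount_in under x * y = k (no state change)."""
        k = self.reserve_in * self.reserve_out
        return self.reserve_out - k / (self.reserve_in + amount_in)

    def swap_in(self, amount_in: float) -> float:
        """Buy the reserve_out token with amount_in of the reserve_in token."""
        out = self.quote(amount_in)
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out

    def swap_out(self, amount_out_token: float) -> float:
        """Sell the reserve_out token back to the pool for the reserve_in token."""
        k = self.reserve_in * self.reserve_out
        new_out = self.reserve_out + amount_out_token
        received = self.reserve_in - k / new_out
        self.reserve_out = new_out
        self.reserve_in -= received
        return received


def simulate_sandwich(victim_in: float, bot_in: float, slippage_bps: int) -> dict:
    """Run the four steps of a sandwich against a fresh pool.

    slippage_bps is the trader's tolerance in basis points; it becomes the
    minAmountOut check that reverts the trade if the price moved too much.
    """
    pool = Pool(1_000_000.0, 1_000_000.0)  # constructed sample reserves

    # Step 1: the trader quotes at submission time and derives minAmountOut.
    expected = pool.quote(victim_in)
    min_out = expected * (1 - slippage_bps / 10_000)

    # Step 2: the bot's front-run lands first and pushes the price up.
    bot_out = pool.swap_in(bot_in)

    # Step 3: the trader's swap executes against the worse price, unless the
    # slippage check reverts it (a reverted swap moves no funds).
    actual = pool.quote(victim_in)
    reverted = actual < min_out
    received = 0.0 if reverted else pool.swap_in(victim_in)

    # Step 4: the bot's back-run sells what it bought in step 2.
    bot_back = pool.swap_out(bot_out)

    return {
        "expected": expected,
        "received": received,
        "reverted": reverted,
        "victim_loss": 0.0 if reverted else expected - received,
        "bot_profit": bot_back - bot_in,
    }


if __name__ == "__main__":
    for bps in (100, 1000):
        r = simulate_sandwich(victim_in=10_000.0, bot_in=50_000.0, slippage_bps=bps)
        print(f"slippage {bps / 100:.0f}%: reverted={r['reverted']} "
              f"received={r['received']:.2f} bot_profit={r['bot_profit']:.2f}")
```

With a 1% tolerance the trader’s swap reverts after the front-run and the bot’s round trip nets nothing; with a 10% tolerance the swap goes through at the worse price and the bot keeps the difference. In a fee-charging pool the failed sandwich is a net loss for the bot, which is why a tight `minAmountOut` is the standard user-side mitigation.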
$100 Million Lost in Atomic Wallet Hack
At the beginning of June, more than 5,000 Atomic Wallet customers lost more than $100 million in the quarter’s biggest security incident, which was comparable to last year’s Slope Wallet attack.
The precise vulnerability exploited is unknown. Atomic Wallet originally said that this breach affected less than 1% of its monthly active customers, a statistic that has since been amended down to less than 0.1%.
The magnitude of this attack and the losses that followed emphasize the seriousness of security flaws in wallet applications.
The culprits obtained complete control of the victims’ funds by targeting their private keys. When the attackers obtained these keys, they were able to move assets to their own addresses, depleting the victims’ wallets.
Single customer losses differed in amount, with the highest single loss hitting a staggering $7.95 million. The combined losses of the five largest individual victims were $17 million.
The Lazarus Group, a North Korean government-affiliated hacking team described in the 2022 Hack3d yearly report, has been connected with “a high degree of assurance” to the Atomic Wallet hack.
The laundering method the attackers used to obscure the origin of the stolen funds is the evidence supporting this attribution.
Specific services, notably the Sinbad mixer and the US-sanctioned, Russia-based Garantex exchange, were used, both of which were previously associated with Lazarus Group hacks.
To recover the losses, Atomic Wallet made an open offer to the attackers, letting them keep 10% of the stolen funds in exchange for the return of the remaining 90% of the stolen cryptocurrency.
Yet given the Lazarus Group’s track record and the fact that the stolen funds have already been laundered, the chance of financial recovery remains slim.
Bounty Received for Discovering a New Security Threat
CertiK’s Skyfall team discovered and reported a series of denial-of-service flaws in the Sui blockchain. One of them stands out as a new class of issue because of its severity: it can prevent the Sui network from processing new transactions, effectively shutting the network down.
Unlike previously known attacks, this one lets an attacker trigger an infinite loop in a validator node with a payload as small as 100 bytes, and the damage it causes persists.
Because of that lasting impact, CertiK responsibly disclosed the issue to Sui through its bug bounty program as soon as it was discovered. Sui’s response was quick and effective.
They confirmed the vulnerability’s severity and took measures to resolve it before the network’s mainnet launch.
Sui not only fixed this specific vulnerability but also implemented preemptive mitigations to reduce the potential harm from exploitation.
The vulnerability stems from a flaw in the IDLeak verifier, a check the Sui blockchain runs to verify transaction IDs.
The flaw can send the verifier into an infinite analysis loop, culminating in a total network shutdown; the loop can even resume after a validator reboot, causing long-term damage.
The HamsterWheel attack takes advantage of this flaw. It carefully constructs a malicious control flow graph that drives the IDLeak verifier into an infinite loop, consuming all available CPU cycles and effectively halting the processing of new transactions.
CertiK’s Skyfall team received a $500,000 bounty from the Sui network in recognition of their responsible disclosure.
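The failure mode described above, a verifier that never reaches a fixpoint on a crafted control flow graph, and the two defensive shapes that prevent it can be shown in a generic form. What follows is an added illustration and not Sui’s IDLeak verifier or any CertiK code: the worklist analysis, the abstract domains, the node names and the visit budget are all constructed assumptions. It demonstrates that an analysis over a domain of unbounded height spins forever on a back edge, that a visit budget turns that into a deterministic rejection of the input (so the same input re-submitted after a restart is rejected again rather than re-hanging the node), and that a finite-height domain removes the non-termination altogether.

```python
from collections import deque


class VerificationBudgetExceeded(Exception):
    """Raised when the analysis exceeds its visit budget; the input is rejected."""


def analyze(cfg, entry, transfer, budget=None):
    """Worklist fixpoint over a control flow graph.

    cfg maps node -> list of successor nodes; state[node] is a set of abstract
    values; transfer(node, values) returns the values flowing out of node.
    budget caps the total number of node visits (None = unbounded, the form
    that hangs on a non-converging input). Returns (state, visits).
    """
    state = {node: set() for node in cfg}
    state[entry] = {0}
    work = deque([entry])
    visits = 0
    while work:
        if budget is not None and visits >= budget:
            raise VerificationBudgetExceeded(f"gave up after {visits} visits")
        visits += 1
        node = work.popleft()
        out = transfer(node, state[node])
        for succ in cfg[node]:
            if not out <= state[succ]:      # new information reached succ
                state[succ] |= out
                work.append(succ)           # re-analyse it
    return state, visits


# Constructed CFG with a back edge: entry -> loop, loop -> loop | exit.
LOOPING_CFG = {"entry": ["loop"], "loop": ["loop", "exit"], "exit": []}


def unbounded_counter(node, values):
    """Abstract domain of unbounded height: every pass through the loop adds a
    new value, so the fixpoint never arrives and an unbudgeted analysis spins."""
    return {v + 1 for v in values} if node == "loop" else set(values)


def clamped_counter(node, values, cap=3):
    """Same transfer over a finite-height domain: values saturate at cap, so the
    analysis converges after a handful of visits."""
    return {min(v + 1, cap) for v in values} if node == "loop" else set(values)


def verify(cfg, transfer, budget=1_000):
    """Verifier entry point: accept only inputs whose analysis converges within budget."""
    try:
        analyze(cfg, "entry", transfer, budget)
    except VerificationBudgetExceeded:
        return False
    return True


if __name__ == "__main__":
    state, visits = analyze(LOOPING_CFG, "entry", clamped_counter, budget=1_000)
    print("clamped domain converged in", visits, "visits; exit state", state["exit"])
    print("unbounded domain accepted?", verify(LOOPING_CFG, unbounded_counter))
```

The budget is the cheap, general mitigation: it does not need to understand why a given graph fails to converge, it only guarantees that validation work per input is bounded and that the verdict is the same on every replay. Fixing the domain (here, clamping the counter) is the targeted fix, and a hardened verifier wants both.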
Download the full report here.