Web2 Security Flaws Account for Nearly Half of 2022's Crypto Losses, Says Immunefi Report
Summary:
Blockchain security firm Immunefi's report reveals that nearly half of all crypto losses from Web3 exploits in 2022 are tied to Web2 security issues such as exposed private keys. The analysis categorizes these vulnerabilities, attributing 26.56% of total incidents to Web2 vulnerabilities. It also highlights three major types of attacks: those due to smart contract design flaws, flaws in smart contract code, and weaknesses within the IT infrastructure. Notably, the report reveals that infrastructure vulnerabilities cause the most significant financial losses, while issues with weak or missing access control lead to the highest number of incidents.
Blockchain security provider Immunefi has recently shared a report revealing that almost half of all cryptocurrency losses resulting from Web3 exploits in 2022 can be traced back to Web2 security problems such as exposed private keys. The report, released on November 15, examined the year's crypto exploits and grouped them by the type of vulnerability identified. It found that 46.48% of all crypto stolen in 2022 was lost not to smart contract bugs but to "infrastructure weaknesses," that is, issues within the systems of the developing companies.
When measured by number of incidents rather than by value of crypto lost, Web2 vulnerabilities accounted for 26.56% of the total, making them the second most common cause.
Immunefi excluded cases involving exit scams or other types of fraud, as well as losses resulting from market manipulation. The report only considered incidents caused by identifiable security vulnerabilities. From these, three major categories were observed. First, attacks that exploit design flaws in the smart contract itself, exemplified by the BNB Chain bridge hack. Second, attacks where the smart contract is well designed but the code implementing it is flawed, the Qbit hack being a case in point.
The final category was termed "infrastructure weaknesses," covering the IT infrastructure on which smart contracts operate, for example vulnerabilities associated with virtual machines or private keys. The Ronin bridge hack was cited as an example: the attacker gained control of the signatures of 5 of the 9 Ronin validator nodes.
Further analysis revealed subcategories within these main categories. Infrastructure vulnerabilities could arise from incidents such as an employee leaking a private key through an insecure channel, weak key vault passphrases, problems with two-factor authentication, DNS hijacking, BGP hijacking, hot wallet compromise, or weak encryption or plaintext storage of keys. These vulnerabilities accounted for the largest share of financial losses.
The second largest cause of losses was cryptographic issues, including Merkle tree errors, signature replayability, and predictable random number generation, accounting for 20.58% of total losses in 2022. The report also identified vulnerabilities related to "weak/missing access control and/or input validation." Although this category caused only 4.62% of total losses by value, it triggered the highest number of incidents, at 30.47% of all recorded cases.
Published At
11/15/2023 7:21:22 PM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.