46% of crypto lost to exploitation is due to traditional Web2 flaws – Immunefi

According to a new report from blockchain security platform Immunefi, nearly half of all crypto lost to Web3 exploits is due to Web2 security issues, such as leaked private keys. The report, released on November 15, looks at the history of crypto exploitation in 2022 and categorizes it by type of vulnerability. It concluded that a full 46.48% of the crypto lost to exploitation in 2022 was not due to smart contract flaws, but to "infrastructure weaknesses" or issues with the developing firm's computer systems.

Web 3 vulnerability categories. Source: Immunefi

Web2 vulnerabilities made up a smaller portion of the total, at 26.56%, although they were still the second-largest category when counting the number of incidents rather than the crypto value lost.

The Immunefi report does not include exit scams or other frauds, nor exploits that rely on market manipulation; it only looked at attacks caused by security vulnerabilities. Among these, it found that attacks fall into three broad categories. First, some attacks occur because the smart contract has a design flaw. Immunefi cited the BNB Chain bridge hack as an example of this type of vulnerability. Second, some attacks occur because the smart contract is well designed, but the code that implements the design is flawed. Immunefi cited the Qubit hack as an example of this category.

Finally, the third category of vulnerability is "infrastructure vulnerabilities," which Immunefi defines as "IT-infrastructure on which smart contracts run—for example, virtual machines, private keys, etc." As an example of this type of vulnerability, Immunefi details the Ronin Bridge hack, in which the attackers compromised five of the nine Ronin validator nodes' signatures.

Related: Uniswap DAO debate shows devs are still struggling to maintain cross-chain bridges.

Immunefi breaks these categories down further into sub-categories. Infrastructure weaknesses include an employee leaking a private key (for example, by transmitting it over an insecure channel), using a weak passphrase for a key vault, problems with two-factor authentication, DNS hijacking, BGP hijacking, hot wallet compromise, or using weak encryption methods or storing keys in plaintext.

Although these infrastructure weaknesses caused the largest losses of any category, the second-largest cause of losses was "cryptographic issues" such as Merkle tree errors, signature replay, and predictable random number generation. Cryptographic issues accounted for 20.58% of the total value lost in 2022.
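Signature replay, one of the cryptographic issues named above, is easy to see in code. The following is an added illustration written for this page, not code from Immunefi or from any bridge or project mentioned in the article. It places a verifier that only checks the signature beside one that also binds each authorization to a chain id and a one-time nonce. HMAC-SHA256 over a shared key stands in for the ECDSA signatures a real contract would verify; the message layout, the chain ids, the nonce field and the recipient placeholder are all assumptions.

```python
"""Signature replay: a replayable verifier beside a hardened one.

Example code added for illustration; not from Immunefi or any named project.
HMAC-SHA256 is a stand-in for ECDSA. Message fields are assumptions.
"""
import hashlib
import hmac
import json

# Constructed demo key: a stand-in for a signer's private key, not a real secret.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample withdrawal authorization (assumed message layout).
WITHDRAWAL = {"to": "0xRECIPIENT_PLACEHOLDER", "amount": 100, "chain_id": 1, "nonce": 7}


def sign(msg):
    """Sign a canonical JSON encoding of msg (stand-in for an ECDSA signer)."""
    payload = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def signature_valid(msg, sig):
    """Constant-time comparison so a tampered message or signature is rejected."""
    return hmac.compare_digest(sign(msg), sig)


class ReplayableVerifier:
    """Checks only that the signature matches. A genuine authorization can be
    presented again, or on another deployment, and is honoured every time."""

    def __init__(self, chain_id):
        self.chain_id = chain_id
        self.paid_out = 0

    def process(self, msg, sig):
        if not signature_valid(msg, sig):
            return False
        self.paid_out += msg["amount"]
        return True


class HardenedVerifier:
    """Binds each authorization to one chain id and one single-use nonce."""

    def __init__(self, chain_id):
        self.chain_id = chain_id
        self.paid_out = 0
        self.used_nonces = set()

    def process(self, msg, sig):
        # Cross-chain replay: the message was signed for a different deployment.
        if msg.get("chain_id") != self.chain_id:
            return False
        # Same-chain replay: this nonce has already been consumed.
        if msg.get("nonce") in self.used_nonces:
            return False
        if not signature_valid(msg, sig):
            return False
        self.used_nonces.add(msg["nonce"])
        self.paid_out += msg["amount"]
        return True


def demo():
    """Present one genuine signature to each verifier twice on chain 1 and once
    on chain 2. Returns the amounts paid out by (replayable verifier on chain 1,
    hardened verifier on chain 1, hardened verifier on chain 2)."""
    sig = sign(WITHDRAWAL)  # the only authorization the signer ever issued

    weak = ReplayableVerifier(chain_id=1)
    weak.process(WITHDRAWAL, sig)  # legitimate withdrawal
    weak.process(WITHDRAWAL, sig)  # replay: accepted again, funds paid twice

    strong_chain1 = HardenedVerifier(chain_id=1)
    strong_chain1.process(WITHDRAWAL, sig)  # legitimate withdrawal
    strong_chain1.process(WITHDRAWAL, sig)  # replay: nonce already used, rejected

    strong_chain2 = HardenedVerifier(chain_id=2)
    strong_chain2.process(WITHDRAWAL, sig)  # wrong chain id, rejected

    return weak.paid_out, strong_chain1.paid_out, strong_chain2.paid_out


if __name__ == "__main__":
    print(demo())  # → (200, 100, 0)
```

The replayable verifier pays out twice on a single authorization; the hardened one pays once and ignores both the same-chain replay and the cross-chain replay. In a real deployment the nonce set would live in persistent contract or database state, and the chain id would be part of the signed domain exactly as it is here, so that a signature valid on one network is meaningless on another.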

Another common vulnerability is "weak/missing access control and/or input validation," the report said. This type of flaw caused only 4.62% of losses by value, but accounted for the largest share of incidents, at 30.47% of events.
