Web3 Security in Crisis: 42 Attacks in the First Half of the Year Caused Losses of $644 Million


Analysis of Common Web3 Hacker Attack Methods: Interpretation of Security Situation in the First Half of 2022

In the first half of 2022, the security situation in the Web3 field remained serious. According to monitoring data from a blockchain situational awareness platform, there were 42 major contract vulnerability attack incidents, resulting in losses of up to $644 million. Among these attacks, exploitation of contract vulnerabilities accounted for more than half, making it the hackers' preferred method.

"Anonymous" Tactics Analysis: What are the Common Attack Methods Used by Web3 Hackers in the First Half of 2022?

Analysis of Main Attack Types

Among all the exploited vulnerabilities, logical or functional design flaws are the ones hackers target most often, followed by verification issues and reentrancy vulnerabilities. These vulnerabilities not only occur frequently but also tend to cause significant losses.


For example, in February 2022, the cross-chain bridge project Wormhole in the Solana ecosystem was attacked, resulting in losses of up to $326 million. The attacker exploited a signature verification flaw in the contract to forge a system account and mint a large amount of wETH.

Another major incident occurred at the end of April, when the Rari Fuse Pool under Fei Protocol suffered a flash loan combined with a reentrancy attack, resulting in a loss of $80.34 million. The attack dealt a fatal blow to the project, which ultimately announced its closure in August.

In-depth Analysis of Fei Protocol Attack Cases

The attacker first took out a flash loan from Balancer and then used these funds for collateralized borrowing on Rari Capital. Because of a reentrancy vulnerability in Rari Capital's cEther implementation contract, the attacker was able to drain all tokens from the affected pool through a carefully crafted callback function.

The attack process is roughly as follows:

  1. Obtain a flash loan from Balancer.
  2. Use the borrowed funds to operate on Rari Capital, triggering the reentrancy vulnerability.
  3. Repeatedly extract tokens from the pool by attacking specific functions in the contract.
  4. Repay the flash loan and transfer the profits to a designated contract.

This attack ultimately resulted in the theft of over 28,380 ETH (approximately $80.34 million).
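As an added illustration of the defect class described above (a constructed example, not Rari Capital's cEther code or anything from the original report), the following Solidity pair shows a borrow function that sends ETH to the caller before recording the debt, beside the hardened form that applies checks-effects-interactions and a reentrancy guard. Contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed illustration of the defect class, NOT Rari Capital's cEther code.
// Users deposit ETH as collateral and may borrow up to half of it.
contract VulnerableEtherPool {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    function deposit() external payable { collateral[msg.sender] += msg.value; }

    // VULNERABLE: ETH is sent to the caller before the new debt is recorded.
    // If the caller is a contract, its receive() runs while debt[msg.sender]
    // still holds the old value, so the limit check can be passed again.
    function borrow(uint256 amount) external {
        require(debt[msg.sender] + amount <= collateral[msg.sender] / 2, "exceeds limit");
        (bool ok, ) = msg.sender.call{value: amount}("");   // interaction first
        require(ok, "transfer failed");
        debt[msg.sender] += amount;                          // effect last
    }
}

contract HardenedEtherPool {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    uint256 private _locked = 1;

    // Mutex: a nested call into any guarded function reverts.
    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    function deposit() external payable { collateral[msg.sender] += msg.value; }

    // FIXED: checks, then effects, then interactions, with the mutex as
    // defence in depth so a callback cannot reach other guarded functions.
    function borrow(uint256 amount) external nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender] / 2, "exceeds limit");
        debt[msg.sender] += amount;                          // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");   // interaction last
        require(ok, "transfer failed");
    }
}
```

In an audit, the ordering in the vulnerable version (external call before the state write) is exactly the pattern to flag, and a reentrancy test that re-enters `borrow` from `receive()` should revert against the hardened contract.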


Common Vulnerability Types

During the smart contract auditing process, the most common types of vulnerabilities mainly include:

  1. ERC721/ERC1155 reentrancy: abuse of the token-receiver callback hooks defined by these standards.
  2. Logical flaws: inadequate handling of special scenarios and incomplete functional design.
  3. Missing authentication: key functions lack effective access control.
  4. Price manipulation: improper use of oracles, or defects in the price calculation method.

These vulnerabilities not only appear frequently during audits but are also the weaknesses most commonly exploited in real attacks. Among them, logical vulnerabilities in contracts remain the hackers' favorite targets.


Prevention Suggestions

To enhance the security of smart contracts, it is recommended that project parties take the following measures:

  1. Conduct comprehensive formal verification and manual auditing.
  2. Pay special attention to contract behavior in special scenarios.
  3. Improve contract function design, especially the parts that handle funds.
  4. Strictly implement access control mechanisms.
  5. Use reliable price oracles and avoid using simple balance ratios as the basis for pricing.

Through professional security auditing and verification platforms, combined with manual review by security experts, most vulnerabilities can be identified and fixed before a project goes live. This not only reduces the project's own risk but also contributes to the healthy development of the whole Web3 ecosystem.
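To make the last recommendation concrete, here is an added, constructed Solidity example (not code from the original report) contrasting an oracle that prices from a single pool's reserve ratio with one that reads an external aggregated feed and validates the answer before using it. The `AggregatorV3Interface` subset is reproduced from Chainlink's public interface; the contract names, the pool layout and the `maxAge` parameter are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 { function balanceOf(address) external view returns (uint256); }

// Subset of Chainlink's public AggregatorV3Interface.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// WEAK: spot price from a single pool's reserve ratio. A flash loan can skew
// this ratio within one transaction, so any lending logic that trusts it can
// be made to value collateral far above its real worth.
contract SpotPriceOracle {
    IERC20 public immutable token;
    IERC20 public immutable quote;
    address public immutable pool;

    constructor(IERC20 t, IERC20 q, address p) { token = t; quote = q; pool = p; }

    // Quote tokens per 1e18 base tokens, read straight from current balances.
    function price() external view returns (uint256) {
        return quote.balanceOf(pool) * 1e18 / token.balanceOf(pool);
    }
}

// CORRECTED: an externally aggregated feed, with sanity checks so that a
// stale or broken answer reverts instead of being used as a price.
contract FeedPriceOracle {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxAge;   // assumed: the feed's heartbeat plus a margin

    constructor(AggregatorV3Interface f, uint256 age) { feed = f; maxAge = age; }

    // Price scaled to 18 decimals regardless of the feed's own decimals.
    function price() external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        require(answer > 0, "invalid price");
        require(updatedAt != 0 && block.timestamp - updatedAt <= maxAge, "stale price");
        require(answeredInRound >= roundId, "incomplete round");
        return uint256(answer) * 1e18 / (10 ** feed.decimals());
    }
}
```

The freshness and sign checks matter as much as the feed choice: a feed that stops updating is a different failure mode from manipulation, but a lending contract that silently keeps using the last answer is exposed either way.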

Comments

MemeEchoervip · 07-24 15:53
Just audit it and Rug Pull will be fine.

AllInAlicevip · 07-24 15:44
It's another moment of being played for suckers.

MindsetExpandervip · 07-24 15:40
Bull and horse projects are really expensive.