Analysis of Web3 Attacks in the First Half of 2022: Vulnerability Losses of $644 Million, Contract Logic as the Main Breach Point


Analysis of Common Attack Methods in the Web3 Field in the First Half of 2022

The security situation in Web3 remained severe in the first half of 2022. This article analyses the attack methods that were common during the period, how often they occurred, and how they can be prevented.

Overview of Losses Caused by Vulnerabilities

According to data from a blockchain security monitoring platform, there were 42 major contract-vulnerability attack incidents in the first half of 2022, about 53% of all attack incidents, with total losses of as much as $644 million.

Of the vulnerabilities exploited, logic or functional design flaws were the type hackers used most often, followed by validation (input and signature checking) issues and reentrancy.

"Anonymous" strategy analysis: What are the common attack methods used by hackers in Web3 in the first half of 2022?

Analysis of Major Loss Events

Wormhole cross-chain bridge attack incident

On February 3, 2022, the Wormhole cross-chain bridge in the Solana ecosystem was attacked, with a loss of approximately $326 million. The attacker exploited a signature verification flaw in the bridge's Solana contract: the guardian signature check trusted a caller-supplied system (sysvar) account, so a forged account let the attacker pass verification and mint 120,000 wETH without backing.


Fei Protocol attack event

On April 30, 2022, the Rari Fuse pool operated by Fei Protocol suffered a flash-loan-funded reentrancy attack, with a loss of $80.34 million. The attack dealt a fatal blow to the project, which announced its closure on August 20.

The attacker exploited a reentrancy vulnerability in the cEther implementation contract of Rari Capital: the borrow path sends ETH to the borrower with a low-level call before the borrow is recorded in storage. The attack proceeds as follows:

  1. The attacker takes a flash loan from Balancer.
  2. Deposits the flash-loaned funds as collateral in the Rari Fuse pool and calls borrow; the cEther contract sends the borrowed ETH before booking the debt.
  3. In the ETH receive callback, the attacker re-enters the pool and calls exitMarket, withdrawing the collateral while the debt has not yet been recorded, and drains the affected pool.
  4. Repays the flash loan and transfers out the proceeds.
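The pattern in simplified form, as an added example that is not Rari's or Compound's code: a toy ETH market whose `borrow()` sends ETH before recording the debt, an attacker contract whose `receive()` re-enters `exitMarket()` during that transfer, and the hardened ordering. The contract names, the 50% collateral factor and the assumption that the market already holds other depositors' ETH are illustrative; the real Fuse pool has far more moving parts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Rari/Compound code. Toy market: deposit ETH as
// collateral, borrow ETH against it (50% collateral factor), exit when debt-free.
contract VulnerableMarket {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    function deposit() external payable {
        collateral[msg.sender] += msg.value;
    }

    function borrow(uint256 amount) external {
        // check
        require(debt[msg.sender] + amount <= collateral[msg.sender] / 2, "undercollateralized");
        // BUG: interaction before effect. The ETH transfer hands control to the
        // borrower while debt[msg.sender] still reads zero.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        debt[msg.sender] += amount; // effect, recorded too late
    }

    // Withdraw all collateral; only allowed when the caller owes nothing.
    function exitMarket() external {
        require(debt[msg.sender] == 0, "has debt");
        uint256 amount = collateral[msg.sender];
        collateral[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Attacker: deposits N ETH, borrows N/2, and inside the borrow callback (debt
// still zero) calls exitMarket() to pull the N ETH collateral back out.
// Net: 1.5 N received for N deposited; the market books a debt with no collateral.
// Assumes the market already holds other users' ETH to pay out from.
contract Attacker {
    VulnerableMarket public immutable market;
    bool private reentered;

    constructor(VulnerableMarket m) { market = m; }

    function attack() external payable {
        market.deposit{value: msg.value}();
        market.borrow(msg.value / 2);
    }

    receive() external payable {
        if (!reentered) {           // first callback: from borrow(), before debt is written
            reentered = true;
            market.exitMarket();    // passes the debt == 0 check
        }
        // second callback: the collateral payout from exitMarket(); just accept it
    }
}

// Hardened: effects before interactions, plus a reentrancy guard as defence in depth.
contract FixedMarket {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable { collateral[msg.sender] += msg.value; }

    function borrow(uint256 amount) external nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender] / 2, "undercollateralized");
        debt[msg.sender] += amount;                       // effect first
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction last
        require(ok, "transfer failed");
    }

    function exitMarket() external nonReentrant {
        require(debt[msg.sender] == 0, "has debt");
        uint256 amount = collateral[msg.sender];
        collateral[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Against `FixedMarket` the same `Attacker` fails twice over: `exitMarket()` sees a non-zero debt, and even if it did not, the guard rejects the nested call. Note that the low-level `call` forwards all remaining gas; the older `transfer` stipend of 2300 gas is not a fix either, since the ordering bug remains and gas costs change between forks.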


Common Types of Vulnerabilities in Audits

  1. ERC721/ERC1155 Reentrancy:
    • Reentrancy through the receiver hooks the standards define (`onERC721Received`, `onERC1155Received`), which safe transfers and safe mints call on contract recipients.
    • The business function does not strictly follow the checks-effects-interactions pattern, so the hook runs before state is updated.
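A minimal form of the ERC721 case, as an added example rather than code from any audited project: a mint with a one-per-wallet cap that calls the receiver hook before updating the counter, a receiver contract that re-enters from `onERC721Received`, and the corrected ordering. The contract names and the cap of one are assumptions for illustration; the hook signature is the one from the ERC721 standard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Receiver hook as defined by ERC-721.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

// Added illustration, not any project's code. Ownership bookkeeping is reduced
// to an ownerOf mapping; the point is the order of check / interaction / effect.
abstract contract MintBase {
    uint256 public constant MAX_PER_WALLET = 1;
    uint256 public nextId;
    mapping(uint256 => address) public ownerOf;
    mapping(address => uint256) public minted;

    function mint() external virtual;

    // Like OpenZeppelin's _safeMint: contract recipients get onERC721Received called.
    function _safeMint(address to, uint256 id) internal {
        ownerOf[id] = to;
        if (to.code.length > 0) {
            bytes4 ret = IERC721Receiver(to).onERC721Received(msg.sender, address(0), id, "");
            require(ret == IERC721Receiver.onERC721Received.selector, "non-receiver");
        }
    }
}

contract VulnerableMint is MintBase {
    function mint() external override {
        require(minted[msg.sender] < MAX_PER_WALLET, "cap reached"); // check
        uint256 id = nextId++;
        _safeMint(msg.sender, id);                                   // interaction: callback into recipient
        minted[msg.sender] += 1;                                     // effect, recorded too late (BUG)
    }
}

// Hardened: the counter is bumped before the hook fires, so a nested mint()
// from the recipient hits "cap reached".
contract FixedMint is MintBase {
    function mint() external override {
        require(minted[msg.sender] < MAX_PER_WALLET, "cap reached"); // check
        minted[msg.sender] += 1;                                     // effect
        uint256 id = nextId++;
        _safeMint(msg.sender, id);                                   // interaction
    }
}

// Attacker: re-enters mint() from the hook until it holds `want` tokens.
// Against VulnerableMint it receives `want` tokens despite the cap of 1;
// against FixedMint the nested call reverts and the whole run() reverts.
contract ReentrantReceiver is IERC721Receiver {
    MintBase public immutable target;
    uint256 public want;
    uint256 public received;

    constructor(MintBase t) { target = t; }

    function run(uint256 n) external {
        want = n;
        target.mint();
    }

    function onERC721Received(address, address, uint256, bytes calldata) external override returns (bytes4) {
        received += 1;
        if (received < want) {
            target.mint(); // in VulnerableMint, minted[this] is still 0 here, so the cap check passes again
        }
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

The same reasoning applies to ERC1155 `onERC1155Received` and `onERC1155BatchReceived`, and to any post-transfer hook (ERC777 `tokensReceived`): treat every such call as an interaction and finish all state writes before it.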


  2. Logic Flaws:
    • Special cases are not fully considered, for example a self-transfer (sender equal to recipient) that leaves the sender with more tokens than before.
    • The functional design is incomplete, for example no withdrawal or settlement mechanism for funds the contract holds.
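The self-transfer case in its classic form, as an added example and not any named project's token: a `transfer` that reads both balances into locals before writing, so that sending to yourself overwrites the debit with a credit. `BuggyToken`, `FixedToken`, `Demo` and the supply of 100 are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not any project's token. Caching both balances before
// writing looks harmless until to == msg.sender: the second write clobbers the first.
contract BuggyToken {
    mapping(address => uint256) public balanceOf;

    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    function transfer(address to, uint256 amount) external returns (bool) {
        uint256 fromBal = balanceOf[msg.sender];
        uint256 toBal = balanceOf[to];            // stale copy when to == msg.sender
        require(fromBal >= amount, "insufficient");
        balanceOf[msg.sender] = fromBal - amount; // debit
        balanceOf[to] = toBal + amount;           // credit from the stale copy: on a self-transfer
                                                  // this stores (old + amount) and the debit is lost
        return true;
    }
}

// Hardened: read-modify-write each storage slot directly. When to == msg.sender
// the credit line reads the already-debited value, so the balance is unchanged.
contract FixedToken {
    mapping(address => uint256) public balanceOf;

    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Deploys both tokens (supply minted to this contract) and self-transfers the
// full balance on each, returning the resulting balances for comparison.
contract Demo {
    function run() external returns (uint256 buggyBalance, uint256 fixedBalance) {
        BuggyToken b = new BuggyToken(100);
        FixedToken f = new FixedToken(100);
        b.transfer(address(this), 100);
        f.transfer(address(this), 100);
        return (b.balanceOf(address(this)), f.balanceOf(address(this)));
    }
}
```

Running `Demo.run()` shows the drift: the buggy token's holder ends with twice the original balance after a self-transfer of everything, while the fixed token's balance is unchanged. A unit test that transfers to `msg.sender`, to `address(0)` and to an existing holder, then checks that total supply is conserved, catches this whole class before deployment.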


  3. Missing Access Control:
    • Key functions (such as minting and role assignment) have no permission check, so anyone can call them.


  4. Price Manipulation:
    • A price oracle is absent or used improperly (no staleness or sanity checks).
    • The ratio of token balances held by a contract (a pool's spot reserves) is used directly as the price, which a flash loan can skew within a single transaction.
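The balance-ratio anti-pattern and its repair, as an added example that is not from any named protocol: a lending contract that prices collateral from the token balances of a pair contract, beside a version that reads a Chainlink-style aggregator with staleness checks. Contract names, the 50% collateral factor and the `maxAge` heartbeat are illustrative assumptions; `latestRoundData()` and `decimals()` are the real `AggregatorV3Interface` signatures.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Chainlink aggregator read functions (real signatures; the feed address is an assumption).
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Added illustration, not any protocol's code. Users deposit token A as
// collateral and borrow token B against it at a 50% collateral factor.
// Only the price source differs between the two concrete contracts below.
abstract contract LendingBase {
    IERC20 public immutable tokenA;
    IERC20 public immutable tokenB;
    mapping(address => uint256) public collateralA;
    mapping(address => uint256) public debtB;

    constructor(IERC20 a, IERC20 b) { tokenA = a; tokenB = b; }

    // Price of A in B, scaled by 1e18.
    function priceAinB() public view virtual returns (uint256);

    function deposit(uint256 amountA) external {
        require(tokenA.transferFrom(msg.sender, address(this), amountA), "transferFrom failed");
        collateralA[msg.sender] += amountA;
    }

    function borrow(uint256 amountB) external {
        uint256 limit = collateralA[msg.sender] * priceAinB() / 1e18 / 2; // 50% collateral factor
        require(debtB[msg.sender] + amountB <= limit, "exceeds collateral");
        debtB[msg.sender] += amountB;                                  // effect before interaction
        require(tokenB.transfer(msg.sender, amountB), "transfer failed");
    }
}

// BUG: spot reserves of a pair contract as the price. Within one transaction an
// attacker can flash-borrow B, swap it into the pair (reserveB up, reserveA down)
// so A looks expensive, call borrow() here against A collateral, swap back and
// repay the flash loan, walking away with B the collateral never covered.
contract SpotPriceLending is LendingBase {
    address public immutable pair;

    constructor(IERC20 a, IERC20 b, address p) LendingBase(a, b) { pair = p; }

    function priceAinB() public view override returns (uint256) {
        uint256 reserveA = tokenA.balanceOf(pair);
        uint256 reserveB = tokenB.balanceOf(pair);
        require(reserveA > 0, "empty pool");
        return reserveB * 1e18 / reserveA;
    }
}

// Hardened: an off-chain-aggregated feed that cannot be moved inside one block,
// with the checks auditors expect around it.
contract OraclePriceLending is LendingBase {
    AggregatorV3Interface public immutable feed; // A/B feed, assumed to exist
    uint256 public immutable maxAge;             // accepted staleness, e.g. 1 hours

    constructor(IERC20 a, IERC20 b, AggregatorV3Interface f, uint256 age) LendingBase(a, b) {
        feed = f;
        maxAge = age;
    }

    function priceAinB() public view override returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "bad price");
        require(updatedAt != 0 && block.timestamp - updatedAt <= maxAge, "stale price");
        return uint256(answer) * 1e18 / (10 ** feed.decimals()); // normalise to 1e18
    }
}
```

Where no external feed exists, a time-weighted average read from the pair (Uniswap v2/v3 style cumulative prices) is the usual substitute; the property that matters is that the value cannot be moved and used within the same transaction.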


Exploiting Vulnerabilities in Real Attacks

According to security monitoring data, almost every vulnerability type found in audits has also been exploited in real attacks, and contract logic flaws remain the main attack vector.


It is worth noting that most of these vulnerabilities can be identified and fixed before a project goes live, through smart contract verification tooling combined with manual review by security experts. A comprehensive security audit is therefore essential for preventing these attacks.

DataChiefvip
· 07-28 15:06
The hole can't be fixed.
ImpermanentTherapistvip
· 07-28 15:00
Another batch of suckers has been played for suckers.
GhostChainLoyalistvip
· 07-28 14:56
There are too many weaknesses.
AirdropBlackHolevip
· 07-28 14:42
Wow, I got 600 million for free.