The True Origin Of Hacks & Top Web3 Vulnerabilities by Immunefi
Immunefi published a research report that lists the types of vulnerabilities that lie at the heart of many crypto hacks: The True Origin Of Hacks & Top Web3 Vulnerabilities
Key takeaways (based on data from 2022):
- Infrastructure vulnerabilities (mainly private key management) are the origin of 46.5% of all hacks.
- Smart contract vulnerabilities (broken access control, insufficient input validation, incorrect arithmetic operations, logic flow errors, etc.) account for 37.5%.
- Bridge hacks (bridges are inherently complex and difficult to secure) often incur large losses.
The first is no surprise: Web3, with its "new" (ahem) blockchain and smart contract vulnerabilities, still relies on the good ol' World Wide Web (and its classic IT infrastructure) to run.
In addition, proper key management is notoriously hard to get right. It reminds me of this hilarious quote by James Mickens (read the entire article; it is a bit long-winded, but is still fantastic satire):
"[...] but constructing a public key infrastructure is incredibly difficult in practice. When someone says “assume that a public key cryptosystem exists,” this is roughly equivalent to saying “assume that you could clone dinosaurs, and that you could fill a park with these dinosaurs, and that you could get a ticket to this ‘Jurassic Park,’ and that you could stroll throughout this park without getting eaten, clawed, or otherwise quantum entangled with a macroscopic dinosaur particle.” With public key cryptography, there’s a horrible, fundamental challenge of finding somebody, anybody, to establish and maintain the infrastructure."
Related reading
With regard to bridge hacks, please refer to Common Cross-Chain Bridge Vulnerabilities by Immunefi.
For a terrific story by dWallet Labs about Web3 infrastructure vulnerabilities, please read The Billion Dollar Exploit: Collecting Validators Private Keys via Web2 Attacks.