The True Origin Of Hacks & Top Web3 Vulnerabilities by Immunefi

(c) National Cancer Institute / Unsplash

Immunefi published a research report that lists the (types) of vulnerabilities that lie at the heart of many crypto hacks: The True Origin Of Hacks & Top Web3 Vulnerabilities

Key takeaways (based on data from 2022):

  • Infrastructure vulnerabilities (mainly private key management) are the origin of 46.5% of all hacks.
  • Smart contract vulnerabilities (broken access control, insufficient input validation, incorrect arithmetic operations, logic flow errors, etc.) account for 37.5%
  • Bridge hacks (bridges are inherently complex and difficult to secure) often incur large losses. 

The former is no surprise: Web3, with its "new" (ahem) blockchain and smart contract vulnerabilities, still relies on the good ol' World Wide Web (and its classic IT infrastructure) to run.

In addition: proper key management is notoriously hard to get right. It reminds me of this hilarious quote by James Mickens (read the entire article, it is a bit long-winded, but is still fantastic satire):

" [...] but constructing a public key infrastructure is incredibly difficult in practice. When someone says “assume that a public key cryptosystem exists,” this is roughly equivalent to saying “assume that you could clone dinosaurs, and that you could fill a park with these dinosaurs, and that you could get a ticket to this ‘Jurassic Park,’ and that you could stroll throughout this park without getting eaten, clawed, or otherwise quantum entangled with a macroscopic dinosaur particle.” With public key cryptography, there’s a horrible, fundamental challenge of finding somebody, anybody, to establish and maintain the infrastructure."

Related reading

With regard to bridge hacks, please refer to Common Cross-Chain Bridge Vulnerabilities by Immunefi

For a terrific story by dWallet Labs about Web3 infrastructure vulnerabilities, please read the The Billion Dollar Exploit: Collecting Validators Private Keys via Web2 Attacks.