Web3 Security: Types of attack
Most of web3's security is based on the blockchain’s unique ability to be resistant to human intervention. However, because of the associated feature of finality, where transactions are generally irreversible, these software-driven networks are an attractive target for attackers. Likewise, as the value of blockchains — the distributed computer networks that underpin Web3 — grows, they become increasingly appealing.
While web3 differs from previous web iterations, we have seen similarities with prior software security patterns. In many cases, the most serious issues stay unchanged. Advocates, whether they are builders, security teams, or everyday crypto users, can better secure themselves, their projects, and their wallets by learning these areas. Based on people's experiences, we've compiled a list of recurring themes and predictions.
Chase the money
Typically, attackers seek to maximise their return on investment. Because the potential return is bigger, they may devote more time and effort to attacking protocols with a higher "total value locked," or TVL for short.
Hacking groups with the highest amounts of resources are more likely to target high-value systems. New, more valuable exploits are also more likely to target these important targets.
Low-cost assaults, such as phishing, will never go away, and we expect them to become more prevalent in the near future.
Fixing a hole
As developers learn from tried-and-true assaults, they can improve web3 software to the point where it is "safe by default." This frequently entails tightening up application programming interfaces (APIs) to make it more difficult for people to add vulnerabilities by mistake.
Because security is always a work in progress, and nothing is ever immune to hacking, defenders and developers may make attacks more expensive by removing most of the low-hanging fruit for attackers.
The success of the following attacks may be considerably reduced as security policies and tools improve: control attacks, price oracle manipulation, and re-entry problems.
Platforms that cannot provide "perfect" security will have to employ exploit mitigation methods to decrease the possibility of losses. This can deter attackers by lowering the "benefit" or possible benefit component of their cost-benefit analysis.
Attack classification
Attacks on various systems can be categorised based on their similarities. The sophistication of the attack, the extent to which attacks can be automated, and the preventive measures available to fight against them are all defining aspects.
The following are some of the types of assaults that users have observed in the most recent hacks. We've also included our thoughts on the current threat landscape and what we anticipate from web3 security in the future.
Top predators in APT Operations
Advanced attackers, often known as advanced persistent threats (APTs), are a security nightmare. Their motivations and talents vary significantly, but they are usually well-endowed and, as the term suggests, persistent; unfortunately, they are likely to constantly be present. APTs carry out a wide range of operations, but these threat actors are the most likely to actively assault a company's network layer to achieve their objectives.
We know that certain advanced groups are actively pursuing web3 initiatives, and assume that there are others who have yet to be discovered. The people behind the most serious APTs typically reside in countries with no extradition accords with the US and EU, making it harder to punish them for their actions. Lazarus Group, a North Korean gang responsible for the greatest сryptocurrency heist on record, is one of the most well-known APT attackers.
We anticipate that APTs will continue to operate as long as they can monetize their activities or achieve various political objectives.
Social engineers engage in customer phishing
Phishing is a well-known and prevalent issue. Phishers attempt to trick their victims into falling into a trap by delivering bait messages over numerous channels such as instant messengers, email, Twitter, Telegram, Discord, and compromised websites. If you look through your spam folder, you're sure to find hundreds of efforts to deceive you into disclosing personal information or stealing money.
Phishing efforts are targeting web3 users now that it allows people to directly exchange assets like tokens or NFTs quickly. These assaults are the simplest way for persons with little to no technical knowledge to profit from cryptocurrency theft. They remain, however, a viable technique for organised teams with serious goals or advanced groups looking to undertake large-scale wallet-emptying attacks, such as website hijacking.
We anticipate a rise in these attacks because phishing is inexpensive and phishers seek to adapt to and circumvent the most recent security features. Increased education and awareness, better filtering, clearer warning banners, and tighter wallet restrictions can all help to improve user protection.
Vulnerabilities in the supply chain are the weakest links
Third-party software libraries expose a significant surface for attack. This has long been a security concern for pre-Web3 systems, as evidenced by the log4j hack that compromised a popular web server’s software in December. Attackers will search the Internet for known vulnerabilities in order to locate unpatched flaws to attack.
Although the imported code was not built by your engineering team, it must be maintained. Teams must keep an eye out for vulnerabilities in their software components, ensuring that updates are deployed, while staying up to speed on the dynamics and progress of the projects on which they rely. The real and immediate cost of exploiting web3 software vulnerabilities makes communicating these issues to library users challenging. The decision on how and where the teams communicate this in a way that does not mistakenly jeopardise users' monies is still pending.
We expect Supply Chain Vulnerabilities to rise as the dependency and complexity of software systems grow. Random hacking assaults are expected to rise as well until solid, standardised ways for exposing web 3 security flaws are created.