Web3 surfaced as the peak of innovation and offered many opportunities to the adopters of decentralization. These opportunities also caught malicious actors’ eyes, making the Web3 and DeFi space an attractive target for hackers and scammers, generating victims from a broad scale of backgrounds.
According to the Web3 Security Landscape Report by Web3 security provider Salus, more than $1.7 billion was lost to cyberattacks on the Web3 industry in 2023. Approximately 453 reported incidents occurred, displaying a wide range of threats and emphasizing the vital requirement for constant vigilance in the Web3 community.
A Diverse Range of Hacks, Exploits, and Scams
Although 2023 saw a substantial decrease in overall losses, partly due to the decreasing value of cryptocurrencies, the impact of several high-profile exploits shook the entire ecosystem.
Another highlight of the report was the remarkable diversity of attacks targeting DeFi protocols. While access control issues, which resulted in the exploitation of Multichain, Poloniex, and Atomic Wallet, took the lion’s share with almost 40% of total losses, the rest of the list is somewhat evenly distributed between flash loan attacks, exit scams, oracle issues, and phishing.
Here are some of the most damaging attacks the DeFi ecosystem witnessed in 2023:
- Euler Finance, a non-custodial DeFi protocol, lost $197 million due to a vulnerability in a crucial function, which allows Euler users to put funds into a reserved address. The attackers’ exploitation of this function led to bad debt and liquidation, causing the firm’s total value locked (TVL) to plummet.
- Multichain, a cross-chain router for Web3, saw an unusual transfer of lockup assets to an unknown address, causing panic among users. The root cause remained unclear, casting doubt on Multichain’s security practices.
- Cryptocurrency exchange Poloniex was hacked by the North Korean Lazarus Group, causing a loss of funds worth $126 million. The perpetrators drained Poloniex’s hot wallets using compromised private keys, highlighting the vulnerability of such wallets.
- Atomic Wallet, a non-custodial crypto wallet, suffered a loss of over $100 million due to a breach orchestrated by the Lazarus Group. Atomic Wallet said the incident did not exceed 1% of monthly active users. A lawsuit underlining the platforms’ responsibility for known vulnerabilities resulted in legal consequences.
- Curve Finance, a decentralized exchange that utilizes the Vyper programming language, experienced a $69.3 million loss from a 0-day compiler bug. The 0-day bug refers to the fact that the developer has only just learned about the exploit, meaning they have “zero days” to fix it. The bug enabled attackers to re-enter transactions, manipulating LP token prices and the drainage of the pool.
- CoinEx, a global cryptocurrency exchange, lost $54.3 million to anomalous withdrawals from several hot wallet addresses. The incident, caused by a compromised hot wallet private key, is suspected to be another mischief of the Lazarus Group.
How to Stay Safe in Web3
So, what precautions can users take to defend themselves? Here are six tips to stay safe in Web3 in 2024, courtesy of Salus:
Do your own research: Web3 is full of exciting opportunities but also many risks. Doing detailed research on projects and their teams before investing is the most repeated but often ignored way to stay safe from scams. Users should narrow their investments to projects with transparent security assessments by reputable firms and a solid track record. Beware of overly-promising returns. If something appears too good to be true, it probably is.
Not your keys, not your coins: Private keys allow users to access and manage their digital assets. Users should keep their private keys and seed phrases secure and never disclose them. Consider diversifying your wallets, especially if you have significant holdings. Users can prefer to use a hardware wallet for added security, as they are less susceptible to hacks.
Be aware of the existence of phishing: Users should not click links or download attachments from unsolicited messages or emails. Verify the sender’s authenticity if they claim to be from an official association. Double-check URLs and use bookmarks for often visited websites. Opt for well-known and reputable wallets and platforms. Check user reviews to get another opinion.
Regularly update your Web3 software to ensure you are using the latest version. Web3 application and platform updates usually include security patches against recent security threats.
Go beyond ‘123456’ for the password: Make sure you employ a strong password containing uppercase and lowercase letters, numbers, and symbols. Enable Two-Factor Authentication (2FA) wherever possible. 2FA adds an extra security layer by requiring two distinct forms of identification to grant access – usually in the form of a code sent to the user’s email or mobile device. Consider installing Web3 security tools that actively protect users against potential threats.
Keep an eye on your assets: Monitor your assets regularly and watch out for any unusual activity. Check your account balance after using your wallet on a new platform. If you spot any suspicious transactions, immediately report the situation to your wallet provider or DeFi platform.
As the community grapples with the aftermath of these exploits, a crucial realization emerges: Web3 education is imperative. A more informed user base will become a powerful deterrent against malicious activities, potentially diminishing the impact of future exploits.
