A quick look at "Hack3d: 2023 Annual Web3.0 Security Report"

The report will comprehensively reveal the latest trends in Web3.0 security through statistics and analysis of security incidents in the Web3.0 field over the past year.

Written by: CertiK

For the full text, see: “Hack3d: 2023 Annual Web3.0 Security Report”

At the start of the new year, CertiK released its annual report as promised: “Hack3d: 2023 Annual Web3.0 Security Report”. The report, which has drawn wide attention in the industry, reveals the latest trends in Web3.0 security through statistics and analysis of the security incidents that occurred in the Web3.0 field over the past year.

As the most detailed and authoritative security report in the industry, “Hack3d: 2023 Web3.0 Security Report” provides comprehensive statistics and analysis of the hacks, scams, vulnerability exploits and other incidents that occurred across the Web3.0 ecosystem throughout 2023. It is an essential guide for developers, practitioners, regulators, users and enthusiasts who want to understand the current state, challenges and opportunities of Web3.0 security.

Before reading the full report, let’s take a quick look at the overall security landscape of the Web 3.0 industry in 2023:

Annual Overview - Total security incident losses fell by more than half

A total of 751 security incidents occurred in 2023, causing asset losses of US$1.84 billion, a 51% decrease from US$3.7 billion in 2022. Based on its statistical analysis, CertiK attributes this decline to several factors: the development and maturation of smart contract protocols, changes in user behaviour, and the deployment and effectiveness of security measures are all closely tied to the reduction in total losses. Macro industry trends also affected both the number of security incidents and the losses they caused.

Data Insights

By classifying the timing, type, and ecosystem of security incidents, CertiK uncovered some insights worth studying:

  1. The third quarter had the highest losses, and November was the costliest single month. The third quarter of 2023 was the most expensive quarter of the year, with 183 security incidents causing losses of US$686 million; November alone saw 45 security incidents causing losses of US$364 million.

Monthly number of security incidents and amount of losses in 2023 (USD)

  2. Private key compromise caused the most losses. Although these incidents made up only 6.3% of all incidents, they caused losses of US$881 million, nearly half of the year's total.

Number of occurrences and loss amount of each type of security incident in 2023 (USD)

  3. Ethereum had the highest total losses. In 2023, 224 security incidents occurred on Ethereum, causing losses of US$686 million, an average of approximately US$3 million per incident. Ethereum did not have the most security incidents of any ecosystem in 2023, but it accounted for the highest total losses.

  4. Cross-chain security incidents caused heavy losses. In 2023, just 35 cross-chain security incidents caused US$799 million in losses, showing that interoperability vulnerabilities remain a pain point for industry security.

Industry Trends

In addition, through comparative analysis of a series of major security incidents, CertiK identified several new industry trends that have attracted wide attention:

1. Amounts recovered through “retroactive bug bounties” have increased, but recovering losses after the fact is no substitute for preventing them

In 2023, 34 security incidents recovered US$219 million through “retroactive bug bounty” negotiations with attackers, 12% of the year's total losses of US$1.8 billion. The amount returned through negotiation increased by 54% compared with previous years. CertiK's view is that although this strategy can help projects recover part of their losses, Web3.0 projects clearly cannot rely on negotiating with hackers to protect assets. It is therefore crucial to build bounty platforms that properly incentivise white-hat security researchers to report vulnerabilities before an attack occurs.

For more on how different project teams have approached “retroactive bug bounty” negotiations, see the report's detailed analysis of the aftermath of the Euler Finance and KyberSwap incidents.

2. Web2.0 risk spills over into Web3.0, a long-term and continuing challenge

On December 14, hardware wallet maker Ledger suffered a major security incident. A former Ledger employee fell victim to a phishing attack; the attacker took over his NPMJS account (via GitHub, according to the report), published malicious code to Ledger's npm package, and thereby gained control of the Ledger Connect Kit, redirecting wallet users to malicious websites. Ledger deployed a fix within 40 minutes of discovering the compromise, limiting follow-on damage. The attack caused direct losses of approximately US$610,000; the amount was modest, but the damage to Ledger's reputation was considerable.

The Ledger incident, like the XSS vulnerability that CertiK and WalletConnect worked together to resolve, is a reminder that although Web3.0 and the blockchain ecosystem are decentralised in spirit, today's Web3.0 applications still depend on many Web2.0 ecosystem components, such as account systems, QR codes and package registries, and therefore inherit the centralised single points of failure of the Web2.0 era. Once a single employee account is phished, the result can be large losses for a great many Web3.0 users. Web3.0 security practitioners, CertiK included, must therefore find a balance between the ideal of decentralisation and the practical realities of software development and maintenance, which will remain a long-term, ongoing challenge.

3. Industry supervision continues to mature

In 2023, CertiK was pleased to see that, as Web3.0 regulation matured, more and more institutions began actively exploring how to combine blockchain technology with traditional business. Swift's work on interoperability, the asset tokenisation pilots of many banks around the world, and the stablecoin initiatives of internet finance giants such as PayPal all show that enterprises understand blockchain technology well and that consensus around the Web3.0 ecosystem continues to strengthen.

On the regulatory side, many jurisdictions, including Hong Kong, Singapore, Japan, the United States, the European Union and the United Kingdom, have introduced regulatory frameworks or guidelines for stablecoins. The CertiK team recently served as a consulting expert to the Monetary Authority of Singapore (MAS) during the formulation of its stablecoin framework and was recognised by MAS for that work. CertiK has also launched stablecoin security audit and compliance consulting services, and will continue to support the secure development of the stablecoin sector and the large-scale adoption of Web3.0 by actively taking part in consultations run by local regulators.

CertiK’s 2023

Through the joint efforts of the whole industry, Web3.0 security made progress on many fronts in 2023. CertiK is honoured to keep contributing in this area and working towards the future of Web3.0. Here are CertiK’s highlights of 2023:

  • April 2023: launched Skynet for Community, a one-stop information platform for users.
  • May 2023: announced a partnership with Alibaba Cloud to bring blockchain security to the cloud platform.
  • June 2023: awarded a bounty by the Sui Foundation for discovering a major security threat to the Sui blockchain.
  • July 2023: became the first Web3.0 security audit company to obtain SOC 2 Type I certification.
  • July 2023: completed advanced formal verification of HyperEnclave, Ant Group’s open, cross-platform Trusted Execution Environment (TEE).
  • July 2023: discovered security vulnerabilities in the Safeheron open-source TEE solution and worked with the team to resolve them.
  • August 2023: discovered a security vulnerability in the Worldcoin system.
  • August and October 2023: received two acknowledgements from Apple for discovering multiple security vulnerabilities in the iOS kernel.
  • September 2023: released SkyInsights, a Web3.0 compliance and risk management product.
  • November 2023: provided transactions-per-second (TPS) verification for the TON network.
  • November 2023: discovered multiple major security vulnerabilities in Web3.0 mobile apps.
  • December 2023: released the Cosmos Ecosystem Security Guide.
  • December 2023: discovered an XSS vulnerability in the WalletConnect Verify API.
  • December 2023: discovered mobile vulnerabilities in Wormhole and OKX.

This is only a small part of CertiK’s work guarding the security of the Web3.0 industry in 2023. Every line of code audited in 2023, every night spent tracking an incident, and every piece of analysis and research reflect CertiK’s commitment to, and hopes for, the future Web3.0 world.

Thank you to all the Web3.0 practitioners, security experts and users who have been with us along the way. We believe the gains and lessons of 2023 will be the most valuable asset in building a secure Web3.0 world.
