Infrastructure plays a critical role in crypto hacks and accounted for 46.5% of the monetary losses from attacks in 2022, according to ImmuneFi, whose report highlights that the infrastructure issues that lead to exploits are often due to poor private key management. Other failures can be attributed to issues such as faulty smart contract design, logical flaws, and poor coding.
Leading Web 3.0 bug bounty platform ImmuneFi has released a report outlining the root causes of crypto exploits in the industry. The report, published on November 15, reviews the history of crypto exploits in 2022 and classifies them into different types of vulnerabilities. It concludes that 46.48% of cryptocurrency losses due to exploits in 2022 were not caused by smart contract failures, but rather by “infrastructure weaknesses,” that is, problems with the developing company’s computer systems.
ImmuneFi’s founder and CEO Mitchell Amador is quoted in the report stating the following:
“Web3 projects are incredibly complex and can be attacked through multiple vectors. The standard methodology we developed highlights the fact that infrastructural issues remain a predominant category of vulnerabilities and a costly concern for the industry.”
ImmuneFi: Infrastructure Failures Cause Crypto Exploits
ImmuneFi’s report excluded exit scams or other frauds, as well as exploits that occurred solely due to market manipulations. It only considered attacks that occurred due to a security vulnerability. It found that attacks fall into three main categories.
First, some attacks occur because the smart contract contains a design flaw. ImmuneFi mentioned the BNB Chain bridge hack as an example of this type of vulnerability.
Second, some attacks occur because, although the smart contract is well designed, the code that implements the design is flawed. ImmuneFi mentioned the Qubit hack as an example of this category.
Third, there are “infrastructure weaknesses,” which ImmuneFi defined as “the computing infrastructure on which a smart contract operates, e.g., virtual machines, private keys, etc.” As an example, ImmuneFi listed the Ronin bridge hack, which was caused by an attacker taking control of 5 of the 9 Ronin node validator signatures.
ImmuneFi broke these categories down further into subcategories. Infrastructure weaknesses can be caused by an employee leaking a private key, using a weak passphrase for a key vault, issues with two-factor authentication, DNS hijacking, BGP hijacking, compromise of a hot wallet, or using weak encryption methods and storing keys in plain text.
Another common vulnerability was “lack/weak access control and/or input validation,” the report stated. This type of defect resulted in only 4.62% of losses in terms of value, but was the largest contributor in terms of number of incidents, as 30.47% of all incidents were caused by this.
ImmuneFi Rewards Crypto Hackers for Discovering Vulnerabilities
ImmuneFi maintains an extensive community of white hat hackers who constantly examine the blockchain and smart contract code of participating projects, identifying and responsibly disclosing vulnerabilities.
ImmuneFi incentivizes white hat hackers by rewarding them based on the severity of the vulnerabilities they discover. This strategy is intended to encourage a wide range of experts to thoroughly examine the project’s code for potential weaknesses.
ImmuneFi recently revealed that most cryptocurrency funds stolen in the third quarter of 2023 were due to two breaches. Despite the 49 hacks reported during the quarter, these two incidents stood out due to the significant amounts stolen in each incident.
A breach on September 26 led to the theft of $200 million in Mixin Network digital tokens. Additionally, on July 7, Multichain experienced a hack that compromised $126 million in assets.
By Leonardo Perez