An overview of the main facts and figures in web3 security: analysis of current trends, the impact of hacks, and actions to mitigate the risks. Updated to 2024.
"Smart contracts on Ethereum are worse than even non-financial commercial code; as of May 2016, Ethereum contracts averaged 100 obvious bugs [...] per 1000 lines of code. For comparison, Microsoft code averages 15 bugs per 1000 lines, NASA code around 0 per 500,000 lines"

This was 2016.
Reentrancy: An old travel mate
[Timeline figure, 2016 to 2024: The DAO hack, $60M (2016); various hacks totalling >$1M in the following years]
Source: ImmuneBytes
Top vectors all time

Technique                        $M stolen   Count of hacks
Private Key hack (Unknown)            2292               37
Access Control Exploit                 659               13
Private Key hack (SocEng)              626                2
Proof Verifier Bug                     570                1
Flashloan Price Oracle Attack          411               26
Signature Exploit                      408                2
Safe Multisig Phishing                 235                1
Flashloan Donate Function              228                5
Math Mistake Exploit                   216                4
Database Attack                        200                1
Why smart contracts are different

Threat            | Offchain traditional software                                   | Smart contract
Denial of service | Loss grows linearly with the time of recovery                   | No DoS, but gas fees can grow (a lot)
Data leakage      | Hackers can resell data                                         | There is no private data in smart contracts
Data corruption   | Loss proportional to the time to recover (if there is a backup) | Data corruption IS THE LOSS
Ransom            | Loss is based on pay-per-recover, recovery not guaranteed       | Not applicable, but it can become a white hat bounty
Audited ≠ Secure

"Program testing can be used to show the presence of bugs, but never to show their absence!"
Edsger Dijkstra
Scope is important
Bug bounties

Total rewards paid by the top 10 projects on Immunefi (from 67 records with public data):
Avg: $330k
Max: $5.9m
Med: $85k
Onchain monitoring

Is monitoring & pause the new best practice?
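The monitor-and-pause pattern the slide asks about is, on chain, a circuit breaker: an off-chain monitor watches events and, when it sees something anomalous, triggers a pause through a key it controls. The contract below is an added example, not code from the original deck or from any project it cites. It assumes a GUARDIAN key held by the monitoring system that can only pause, and an OWNER key that can unpause; the names and the split of powers are illustrative choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not from the original deck): a minimal circuit breaker.
// An off-chain monitor holding the `guardian` key can pause the contract
// when it detects anomalous activity (for example an unexpected spike in
// Withdrawal volume). Only `owner` can unpause, so a compromised guardian
// key can halt the contract but cannot re-enable it. Who holds these two
// keys is exactly the decentralization question the slide raises.
contract PausableVault {
    address public owner;
    address public guardian;
    bool public paused;
    mapping(address => uint256) public balances;

    event Paused(address indexed by);
    event Unpaused(address indexed by);
    event Withdrawal(address indexed to, uint256 amount);

    constructor(address _guardian) {
        owner = msg.sender;
        guardian = _guardian;
    }

    modifier whenNotPaused() {
        require(!paused, "paused");
        _;
    }

    // Either key may pause: pausing is the cheap, low-risk action.
    function pause() external {
        require(msg.sender == guardian || msg.sender == owner, "not authorized");
        paused = true;
        emit Paused(msg.sender);
    }

    // Resuming service is the sensitive action and is reserved for the owner.
    function unpause() external {
        require(msg.sender == owner, "only owner");
        paused = false;
        emit Unpaused(msg.sender);
    }

    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
    }

    // Checks-effects-interactions order; the Withdrawal event is what the
    // off-chain monitor indexes to decide whether to call pause().
    function withdraw(uint256 amount) external whenNotPaused {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        emit Withdrawal(msg.sender, amount);
    }
}
```

The trade-off is visible in the code: while paused, honest users cannot withdraw either, so the guardian key is effectively a control over everyone's funds. Putting `owner` behind a multisig with a timelock, and publishing the monitor's pause criteria, are the usual ways projects answer the decentralization objection.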
L2 Sec

"Wait. But if I send funds to a rollup, how is this different from a CEX?"

If you don't pay the gas, you are the token being traded.
Stages
source: l2beat.com

Criterion                               | Stage 0 | Stage 1                         | Stage 2
L2 state roots on L1                    | Yes     | Yes                             | Yes
Data availability on L1                 | Yes     | Yes                             | Yes
Source code accessibility               | Yes     | Yes                             | Yes
Proof system                            | N/A     | Use of appropriate proof system | Permissionless fraud-proof system
External actors' fraud proof submission | N/A     | At least 5 external actors      | Unlimited
User exit without operator coordination | N/A     | Yes                             | Yes
User exit time                          | N/A     | > 7 days                        | > 30 days
Conclusions

• Hacks are steadily happening, 20% of funds affected
• Auditing alone is not enough
• Bug bounties are the next level in code review
• Real time monitor & pause is becoming a practice, though it poses some questions to decentralization
• Second layer security: Follow stages!
• Security is not a product, it is a process. Evaluate. Take Action. Repeat.