At the beginning of the new year, CertiK's big news for the whole year is coming as promised: "Hack3d: 2023 Web3.0 Security Report" was released on January 3 at 10pm Beijing time. This report, which has attracted much attention from the industry, comprehensively reveals the latest trends in Web 3.0 security through statistics and analysis of the security incidents in the Web 3.0 field over the past year.
As the most detailed and authoritative security report in the industry, "Hack3d: 2023 Web3.0 Security Report" provides comprehensive statistics and analysis of hacker attacks, fraud and vulnerability exploitation across the entire Web3.0 ecosystem in 2023, and is an essential guide for developers, practitioners, regulators, users and enthusiasts to understand the current status, challenges and opportunities of Web3.0 security.
Before reading the full report, let’s take a quick look at the overall security situation of the Web 3.0 industry in 2023:
Annual Overview - Total security incident losses fell by more than half. A total of 751 security incidents occurred in 2023, causing asset losses of USD 1.84 billion, down 51% from USD 3.7 billion in 2022. Through statistical analysis, CertiK believes that there are multiple reasons for this decline. The development and evolution of smart contract protocols, changes in user behavior, and the upgrade and effectiveness of security measures are all closely related to the reduction in the total loss from security incidents. In addition, macro industry trends also have a certain impact on the number of security incidents and the losses they cause.
Data Insights
By analyzing security incidents by time and date, category and ecosystem, we discovered some insights worth studying:
Third-quarter losses were the highest, and November was the heaviest single month. The third quarter of 2023 was the quarter with the most losses in the whole year, with a total of 183 security incidents causing a loss of 686 million U.S. dollars; a total of 45 security incidents occurred in November, causing a loss of 364 million U.S. dollars.
Private key leakage incidents cause the most losses. Although the total number of incidents only accounted for 6.3% of all incidents, they caused losses of US$881 million, nearly half of the total losses for the year.
Ethereum has the highest total loss. In 2023, 224 security incidents occurred in Ethereum, causing losses of US$686 million. The average loss per incident was approximately US$3 million. Among all ecosystems, Ethereum did not have the most security incidents in 2023, but it brought the highest total amount of losses.
Cross-chain security incidents have caused heavy losses. In 2023, only 35 cross-chain security incidents caused US$799 million in losses, indicating that interoperability vulnerabilities remain a pain point for industry security.
Industry Trends
On the other hand, through comparative analysis of a series of major security incidents, we also discovered some new trends in the industry that have received widespread attention:
1. Returns from "retroactive bug bounties" have increased, but "fixing the situation after it happens" is not as good as "preventing it before it happens"
In 2023, 34 security incidents were negotiated with the attackers as "retroactive bug bounties", recovering $219 million in losses, accounting for 12% of the total losses of $1.8 billion; negotiated returns increased by 54% compared to previous years. CertiK believes that although this strategy can help projects recover losses to a certain extent, Web3.0 projects obviously cannot rely on negotiating with hackers to protect asset security. Therefore, it is crucial to establish a bounty platform that fully incentivizes white hat security experts to report security vulnerabilities before an attack occurs.
If you want to know more about the attitudes of different project parties towards "retroactive bug bounty" negotiations, please read the report's detailed analysis of the subsequent resolution of the Euler Finance and KyberSwap incidents.
2. Web2.0 risk spillover to Web3.0 - a long-term and ongoing challenge
On December 14, Web3.0 hardware wallet giant Ledger encountered a major security crisis. A former Ledger employee fell victim to a phishing attack. The attacker took control of his NPMJS account through GitHub, uploaded malicious code to Ledger's NPMJS package, and thereby gained access to the Ledger Connect Kit, directing wallet users to malicious websites. Ledger deployed updates within 40 minutes of discovering the vulnerability, containing potential follow-up threats. The attack caused a direct loss of approximately US$610,000. Although the amount was not huge, it had an immeasurable negative impact on Ledger's reputation.
This Ledger incident, like the case in which CertiK and WalletConnect joined forces to resolve an XSS vulnerability, reminds us that although Web3.0 and the blockchain ecosystem are decentralized in spirit, current Web3.0 applications still use a large number of Web2.0 components, such as account systems, QR codes and code libraries, and so also inherit the centralized-vulnerability risks of the Web2.0 era. Once an employee's account is successfully compromised by a phishing attack, it may cause huge losses to a large number of Web3.0 users. To this end, Web3.0 security practitioners, including CertiK, need to find a balance between the concept of decentralization and the actual reality of software development and maintenance. This is a long-term and ongoing challenge.
3. Industry regulation continues to mature
In 2023, we were pleased to see that as Web3.0 supervision gradually matures, more and more institutions are beginning to actively explore the combination of blockchain technology and traditional businesses. Swift's efforts in promoting interoperability, the practice of many banks around the world in the field of asset tokenization, and the exploration of Internet financial giants such as PayPal at the stablecoin level all show that enterprises' understanding of blockchain technology and consensus around the Web3.0 ecosystem are constantly strengthening.
In terms of regulation, many regions, including Hong Kong, Singapore, Japan, the United States, the European Union and the United Kingdom, have introduced stablecoin regulatory frameworks or guidelines. The CertiK team has also recently served as a consulting expert, providing professional advice to the Monetary Authority of Singapore (MAS) in formulating its stablecoin framework, and was recognized by the latter. CertiK has also recently launched stablecoin security audit and compliance consulting services, and will continue to support the secure development of the stablecoin field and the large-scale implementation of Web3.0 by actively participating in consultation activities with regulatory agencies in various regions.
CertiK in 2023
Thanks to the joint efforts of the entire industry, Web3.0 security made progress in many aspects in 2023. CertiK is honored to continue to contribute in this field and work towards the future of Web 3.0. Let us review CertiK's highlight moments in 2023:
In April 2023, Skynet for Community was launched to provide users with a one-stop information platform.
In May 2023, it announced a partnership with Alibaba Cloud to introduce blockchain security into the cloud platform.
In June 2023, a major security threat to the Sui blockchain was discovered and a bounty was awarded by the Sui Foundation.
In July 2023, it became the first Web3.0 security audit company to obtain SOC 2 Type I certification.
In July 2023, the advanced formal verification of Ant Group’s innovative open cross-platform Trusted Execution Environment (TEE) HyperEnclave was completed.
In July 2023, security vulnerabilities in the Safeheron open source TEE solution were discovered and resolved jointly with Safeheron.
In August 2023, a security vulnerability in the Worldcoin system was discovered.
In August and October 2023, CertiK received two acknowledgments from Apple for discovering multiple security vulnerabilities in the Apple iOS kernel.
In September 2023, the Web3.0 compliance and risk management product SkyInsights was released.
In November 2023, formal verification of the TON main chain contract was completed, supporting verification of the TON network's transactions-per-second (TPS) record.
In November 2023, multiple major security vulnerabilities were discovered in Web3.0 mobile applications.
In December 2023, the Cosmos ecosystem security guide was released.
In December 2023, an XSS vulnerability in the WalletConnect Verify API was discovered.
In December 2023, Wormhole and OKX mobile vulnerabilities were discovered.
This is just a small part of CertiK's efforts to protect the security of the Web3.0 industry in 2023. Looking back at every line of code audited in 2023, the all-night tracking after every incident, and every analysis and research article, these are our commitment to and expectations for the future world of Web 3.0.
Thank you to all Web3.0 practitioners, security experts and users for walking with us. I believe that the gains and lessons learned in 2023 will become the most valuable wealth in building a secure Web3.0 world.