
Beyond Audits: Why Web3 Demands More Than Smart Contract Security


In the ever-evolving realm of Web3, security remains a paramount concern. September 2023 witnessed a series of incidents, shaking the community with losses resulting from protocol hacks. Interestingly, these breaches focused on traditional Web2 security exploits rather than smart contract vulnerabilities. This emerging trend underscores the importance of a holistic security approach in safeguarding your Web3 products. Join us as we delve into three noteworthy incidents from September 2023 and explore recommendations for project teams to avert similar losses.


1. Stake.com Hot Wallet Key Compromise: On September 4, 2023, security researchers raised alarms about suspicious transactions on Ethereum and Binance Smart Chain hot wallets. Stake.com later confirmed the hack, suspending deposits and withdrawals temporarily. The breach resulted in a staggering $40 million loss, with stolen funds eventually ending up bridged to the Avalanche Network. Notably, the FBI attributed this attack to North Korea's Lazarus Group, marking another high-profile threat actor targeting Web3 companies. The Lazarus Group's cumulative impact in 2023 now exceeds $200 million.



2. Balancer.fi Front End Attack: On September 20, 2023, the Balancer.fi security team reported an incident affecting the DNS records of their front-end UI. Visitors to the site were served malicious JavaScript that phished them into signing unauthorized transactions which drained their wallets. The attackers also swapped the site's HTTPS certificate in an attempt to conceal the change. Quick action from the community and the Balancer DAO limited the impact to approximately $250K.
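The Balancer incident combined three observable changes: DNS records repointed, the HTTPS certificate swapped, and altered JavaScript served to users. As an added example (not code from the original post or from Balancer), here is a Python monitoring check that compares what a probe currently observes against a known-good baseline recorded at deploy time and reports any drift. The hostname, addresses, fingerprints and script bodies are constructed placeholders; in production the Observation would be filled from real DNS lookups and an HTTPS fetch.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class FrontendBaseline:  # known-good state, recorded when the front end is deployed
    hostname: str
    dns_a_records: set      # expected A records
    cert_sha256: str        # hex SHA-256 fingerprint of the expected leaf certificate
    script_sha256: dict     # script path -> hex SHA-256 of its expected body

@dataclass
class Observation:  # what one probe run saw (in production: DNS lookup + HTTPS fetch)
    dns_a_records: set
    cert_sha256: str
    scripts: dict           # script path -> body bytes actually served

def check_frontend(baseline, obs):
    """Return a list of findings; an empty list means no drift from the baseline."""
    findings = []
    added = obs.dns_a_records - baseline.dns_a_records
    removed = baseline.dns_a_records - obs.dns_a_records
    if added or removed:
        findings.append(f"DNS drift for {baseline.hostname}: "
                        f"added={sorted(added)} removed={sorted(removed)}")
    if obs.cert_sha256.lower() != baseline.cert_sha256.lower():
        findings.append(f"TLS certificate fingerprint changed for {baseline.hostname}")
    for path, expected in baseline.script_sha256.items():
        body = obs.scripts.get(path)
        if body is None:
            findings.append(f"Expected script missing: {path}")
        elif hashlib.sha256(body).hexdigest() != expected:
            findings.append(f"Script content changed: {path}")
    for path in obs.scripts:
        if path not in baseline.script_sha256:
            findings.append(f"Unexpected script served: {path}")
    return findings

# Constructed sample data: placeholder addresses, fingerprints and script bodies.
GOOD_APP_JS = b"window.app = { connect: function () {} };"
BASELINE = FrontendBaseline("app.example-dapp.test", {"203.0.113.10", "203.0.113.11"},
                            "aa" * 32, {"/app.js": hashlib.sha256(GOOD_APP_JS).hexdigest()})

def clean_observation():
    return Observation({"203.0.113.10", "203.0.113.11"}, "aa" * 32, {"/app.js": GOOD_APP_JS})

def hijacked_observation():
    # Constructed scenario: records repointed, certificate swapped, script altered, extra script injected.
    return Observation({"198.51.100.7"}, "bb" * 32,
                       {"/app.js": b"window.app = {}; /* altered */", "/drain.js": b"/* injected */"})
```

Run such a check from an independent vantage point (not from the hosting account itself), so a compromise of the registrar or DNS provider does not also silence the alert.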


3. Mixin Network Cloud Compromise: On September 23, hackers breached the database of Mixin's cloud service provider, suspected to be Google Cloud. The outcome was a substantial $200 million loss from the protocol's mainnet. While deposits and withdrawals were promptly suspended, regular transfers remained unaffected as an extensive investigation was launched. The core asset targeted and stolen in this attack was Bitcoin, and the identity of the threat actor or vector remains undisclosed.


Why Web2 Infrastructure Matters in Web3 Security: 

Web3 businesses present a perfect storm of attractive attributes for top-tier threat actors, as September's incidents show. Assets on-chain exist outside traditional financial systems, making them easy to move once compromised. Furthermore, many Web3 organizations, often startups, operate with constrained security budgets that are spent primarily on securing smart contracts. However, a smart contract audit addresses only one facet of the threat landscape. Web3 protocols frequently rely on cloud infrastructure, web applications and APIs, and mobile apps, and they involve people who are susceptible to social engineering. These factors collectively lower the barrier for threat actors, making Web2 assets a lucrative target.


Protecting Yourself and Your Customers: 

To fortify your Web3 product's security posture, consider the following strategies:


  • System/Organization Threat Modeling: Gain a comprehensive understanding of your organization's attack surface through threat modeling. Identifying vulnerabilities is essential to designing an effective risk mitigation strategy with appropriate security controls.

  • Choose a Comprehensive Security Partner: Prioritize partners who can assist with more than just audits. A holistic approach that assesses individual components and their interactions is crucial.

  • Secure Your Employees and Systems: Beyond code, ensure your organization's infrastructure is resilient against common vulnerabilities. As Web3 attracts more threat groups, expect Web2 hacking techniques to resurface. Strengthen your security hygiene accordingly to protect your product and users.

In the dynamic landscape of Web3, security is an ongoing challenge. By adopting these strategies and remaining vigilant, you can enhance the security posture of your Web3 products and systems.

Looking for a security partner that can provide holistic security solutions for your product? Our team is standing by to assist! Contact us to get started.
