Blockchain Hacking Techniques 2022


Top 10

Project Overview

In 2022, blockchain development saw increased participation and the launch of new technologies, but this also led to a surge in new hacking techniques and exploits leading to losses exceeding $3.7B. OpenZeppelin, in collaboration with the community of Web3 security experts, have documented the top security research from 2022 to promote best practices and effective security measures across the industry. This is crucial as blockchain technology becomes more widely adopted and impacts more aspects of daily life, there is a necessity to support developers and communities through safer Web3 experiences.

To compile the Top 10 Hacking Techniques, the community nominated and then voted on security research to be considered, after which a team of experts voted on these nominations to select and rank the final ten. In order to ensure impartiality, the experts were not allowed to vote for any research they were affiliated with.

Panelists

The panel of security experts who participated in the selection process represented a wide range of perspectives from across the community. These experts included:

samczsun

Head of Security at Paradigm

 

Nikesh Nazareth

Security Researcher at OpenZeppelin

 

Tincho

Ethereum Security Researcher, Creator of Damn Vulnerable Defi
 
 

cts

Co-Founder of Zellic and Perfect Blue
 
 

Ashiq Amien

Independent Security Researcher
 
 

PwningEth

Independent Security Researcher

 

Each expert brought a unique set of skills and experiences to the table, helping to ensure that the final selection was as comprehensive and accurate as possible.

Themes & Takeaways

This year's Top 10 Blockchain Hacking Techniques contest revealed a clear theme around the discovery of bugs at the level of precompile, node, or key generation. The Top 10 also includes a couple of new bug classes which have never been seen before.

Overall, the first annual endeavor was a success, given that the Web3 security community is now better informed about the novel hacking techniques that were discovered in the past year. In addition to the final ten, there were many other high-quality nominations that are worth reviewing as well. We encourage the security community to take a look at these additional resources and to continue working together to build a more secure and resilient blockchain ecosystem.

The Top 10

10 - Compound-TUSD Integration Issue Retrospective

The double-entry point issue described in Compound-TUSD Integration Issue Retrospective is a perfect example of a bug that subtly breaks one thing and can lead to significant consequences. The bug arose from having two contracts controlling the same assets, which enabled the bypassing of a safety check and allowed for the sweeping of all TUSD from the Compound protocol. This, in turn, made it possible to mint fresh cTUSD at a discount.

It is also worth noting that the disclosure process for this bug was a collaborative effort among multiple parties. This cooperation allowed for the protection of other protocols beyond the original bug identified in the integration of TUSD in Compound. Overall, this example underscores the importance of thorough testing and diligent bug hunting to ensure the security and stability of blockchain protocols.

3

 

9 - The “6.2 L2 DAI Allows Stealing” issue from the StarkNet-DAI-Bridge Smart Contracts Code Assessment

During the code assessment of the StarkNet-DAI-Bridge Smart Contracts audit, a security issue was discovered in a Cairo smart contract. As a relatively low-level language, Cairo has several potential pitfalls, and this issue is a prime example of one such problem. The language’s base type, felt,  currently contains 252 bits, which is different from Solidity’s uint type, which has 256 bits. As a result, Cairo provides an abstraction for uint256 which requires additional safety checks to be performed but it is easy to forget to do so.

Fortunately, many of these bugs can be mitigated by providing a higher-level API in Cairo or by applying static analysis tools to a codebase. The discovery of this bug highlights the importance of diligent testing and thorough code assessment to ensure the security and stability of blockchain protocols.

17

 

8 - Avalanche’s $350M Risk Report

The Statemind team’s Avalanche Vulnerability Report: How We Discovered A $350M Risk and Avalanche Vulnerability Report: Technical overview revealed a clever exploit of seemingly innocuous behavior in the precompile which allowed for the sending of native assets and an optional call to the receiver. This exploit was used to break the security assumptions of Abracadabra and Sushi contracts on multiple chains.

"Interesting idea. Finding the vulnerable contracts is tricky!"

- pwningeth, Independent Security Researcher

"'L1 introduced a precompile that broke core security assumptions’ was not on anyone's threat modeling bingo card."

- samczsun, Head of Security at Paradigm

21

 

7 - Read-only Reentrancy – a Novel Vulnerability class responsible for 100m+ funds at risk

In a recent talk, blog post, and post-mortem, ChainSecurity demonstrated that reentrancy to view functions can result in devastating consequences. This work uncovered a new vulnerability type; unfortunately, it is not the last time we will see it. Unlike most reentrancy issues, this type affects protocols built on top of the reentered one. Despite this, not all protocols potentially affected by this bug have taken action, and there have been several hacks related to this vulnerability. It is crucial for all protocols to check for this vulnerability and take appropriate action. This research is an excellent contribution to the Web3 security community. 

"I've been a strong advocate of updating the perception that reentrancy is strictly A->B->A' where the exploit occurs in A'. This is one such counterexample."

- samczsun, Head of Security at Paradigm

18

 

6 - How to Steal $100M from Flawless Smart Contracts

One of the three research pieces by PwningEth in this year’s top ten highlights the difficulty of introducing a precompile that doesn’t break the security assumptions of applications. The research uncovered that a malicious contract could approve a caller’s funds for itself and steal them, but the issue was further escalated by the exploitation of callbacks. This enabled the exploit to become user interaction-free and turn other smart contracts into victims as well. The research showcases the importance of thorough testing and vetting of precompiles to ensure the security of the overall system.

5 - Phantom Functions and the Billion-Dollar No-op

This bug is deceptively simple and could have resulted in a loss of billions if not identified.

It serves as a reminder to exercise caution when calling functions that don’t return a value - especially the permit function - as they may not revert when expected. This issue could potentially affect other applications as well, making further research on this behavior a valuable pursuit for the future!

"This bug was unique due to the fact that it stemmed from a previously unknown subtlety involving WETH, the most widely used ERC20 token. While this vulnerability was not widespread across many different protocols, its impact was severe due to the enormous amounts of funds at risk, as well as the ease of exploit."

- Ashiq Amien, Independent Security Researcher

"An interesting exploit of mismatched assumptions with severe consequences."

- Nikesh Nazareth, Security Researcher at OpenZeppelin

4 (1)

 

4 - How did I Save 70000 ETH and Win 6 Million Bug Bounty

This entry in the Top 10 Hacking Techniques of 2022 underscores the importance of considering delegatecalls in smart contract development.

Delegatecall-related issues are a common problem in blockchain security, and this particular vulnerability applies delegatecalls to a precompile. As a result, it was a serious issue that earned PwningEth one of the biggest bounties in the blockchain space and a 4th place ranking in the chart. It's important for developers to thoroughly review and test their code for potential delegatecall-related vulnerabilities to ensure the safety and security of their smart contracts.

For a more detailed technical explanation, we recommend reading the blog posts linked in this entry: 

Aurora Inflation Spend Bugfix Review: $6m Payout and Aurora Mitigates Its Inflation Vulnerability.

"You can't say it's not impactful"

- samczsun, Head of Security at Paradigm

"Another free money printing issue - awesome catch, good writeup, huge impact."

- Tincho, Ethereum Security Researcher, Creator of Damn Vulnerable Defi

ashiqamien

 

3 - Could Wrapped Tokens Like WETH Be (forced) Insolvent?

This vulnerability allowed an attacker to empty all wrapped token contracts, and not only take over the balance of the wrapped token, but also buy other tokens from the DEX by using the wrapped token as a rubber check. An advanced attack had the potential of using the lending protocol to borrow all other tokens of value against the fraudulent deposit.

"A simple incompatibility that impacted a whole ecosystem"

- Nikesh Nazareth, Security Researcher at OpenZeppelin

Several wrapped token contracts were affected by this bug, which by itself, is a critical issue as the native balance could be drained. However, the impact is further spread as DEXes and lending markets all rely on the ecosystem’s wrapped token. The damage of this bug through direct loss and lending pool exploits is estimated to be near the $200 million mark, not accounting for the ripple effects caused by interfering with the protocols itself.

- Ashiq Amien, Independent Security Researcher

6

 

2 - A vulnerability disclosed in Profanity, an Ethereum vanity address tool

Despite being publicly disclosed, this bug remained relatively unnoticed until it was exploited approximately six months later.

In addition to the quotes from panelists describing the bug, we'd like to emphasize the importance of having a coordinated vulnerability disclosure process and the need to check if private keys were generated using tools like Profanity. If so, steps should be taken to migrate the keys to ensure their security.

If you are interested in delving deeper into the bug, we highly recommend checking out the ​​Exploiting the Profanity Flaw blog post. 

"While an exact total value at risk isn't available, it's likely that at least $160m was at risk, not counting several other known thefts."

- Ashiq Amien, Independent Security Researcher

"Not where you would usually expect to find a bug, extremely high impact across multiple unrelated people/projects, and possibly could've all been avoided."

- samczsun, Head of Security at Paradigm

"A silent exploit that leaves no trace. A good reminder that security requires careful attention to detail."

- Nikesh Nazareth, Security Researcher at OpenZeppelin

"The idea/algorithm that speeds up the brute forcing is brilliant! But the bug was exploited widely. The research has huge (negative) impact."

- pwningeth, Independent Security Researcher

Group 238363-1-png-1

 

 

1 - Attacking an Ethereum L2 with Unbridled Optimism

Saurik found a peculiar bug even deeper than precompiles. Discovering an exploit at the node level earns top place for this finding.

"Still trying to decide what’s best, the writeup or the actual finding. Great catch by Saurik, adding yet another chapter to the story of the infamous selfdestruct."

- Tincho, Ethereum Security Researcher, Creator of Damn Vulnerable Defi

"This infinite mint bug takes my number 1 spot since its potential impact not only affects the chain the bug lives on but all of the surrounding chains too. This includes the protocols that live on the respective chains, as an infinite mint of the native optimism token would collapse many (if not all) optimism protocols, and many surrounding protocols up to the liquidity on the bridge to the respective chain."

- Ashiq Amien, Independent Security Researcher

1

 

Conclusion

We would like to thank everyone in the broader Web3 community who nominated and voted on the top research. An even greater thank you to the blockchain security researchers and panelists who have been documenting and sharing their research so that blockchain development security best practices may keep up with the rapid pace of innovation across Web3. This project’s continued success relies on the entire community to be beneficial to the safety and security of new and experienced Web3 supporters. An additional thank you to PortSwigger for the Top 10 Web Hacking Techniques project which was the source of inspiration for this project.

To the blockchain security community, we encourage you to continue publishing your research on novel hacking techniques and attack vectors in order to support a safer ecosystem for developers and end users. We will be reviewing research nominations published as of January 1st for the Top 10 Blockchain Hacking Techniques of 2023.

OpenZeppelin is the leading blockchain security company providing products & audits to the most trusted organizations in Web3. To learn more about blockchain security advisory, scheduling an audit, or learning about our secure development platforms, please get in touch