2022 saw a massive increase in the number of developers participating across the blockchain development ecosystem, as well as pioneering protocols supporting the launch of novel technologies. With the rapid innovation came a deluge of new exploits, attack vectors, and hacking techniques that Web3 security teams must design for and defend against going forth.
OpenZeppelin and the greater community of Web3 security experts aim to document the security research from 2022 in order to enable the ecosystem at large to build safer decentralized technology.
As a result, we are announcing the Top 10 Blockchain Hacking Techniques of 2022 project, and are inviting community votes via the form below. This endeavor has the twofold purpose of surfacing new and practical security research while also providing a must-read top 10 of 2022 for every blockchain security researcher and Web3 security enthusiast. While projects like DASP Top 10 identify the most common vulnerability types, the Top 10 Blockchain Hacking Techniques project aims to identify the most novel, pervasive, and impactful vulnerability types, techniques, and methodologies of the previous year.
We would like to give credit to PortSwigger for leading the Top 10 Web Hacking Techniques project which we have “forked” to lead a similar initiative in the blockchain space.
- [Complete] – January 16 – 30. Community Nominations phase. During this phase, the community nominates pieces of research they see as novel. This can consist of either their own research or an article they’ve read somewhere. The main requirement is that the research must be from 2022.
- February 1 – 10. Community Vote phase. During this phase, the community votes on the nominations, in which a total of 15 are decided to be the top. These 15 will make it to the third phase. Voting will happen on this page via a form listing each of the submitted nominations.
- February 11 – 17. Panel Vote phase. After the community vote, a panel of blockchain security experts votes to narrow the 15 community-selected results into the final top ten.
- February 18th. Publish phase. During this final phase, the top ten hacking techniques will be published, along with a summary of each. Additionally, there will be further information on the honorable mentions that passed to the Community Vote phase.
List of Nominations
Here’s the list of hacking techniques received during the submission phase. Feel free to review each before voting via the form below:
- Merkle tree criteria can be resolved by wrong tokenids
- Semgrep rules for smart contracts
- A vulnerability disclosed in Profanity, an Ethereum vanity address tool
- Read-only Reentrancy – a Novel Vulnerability class responsible for 100m+ funds at risk
- Phantom Functions and the Billion-Dollar No-op
- Uniswap v3 TWAP Oracles in Proof of Stake
- Attacking an Ethereum L2 with Unbridled Optimism
- How did I Save 70000 ETH and Win 6 Million Bug Bounty
- Compound-TUSD Integration Issue Retrospective
- [CVE-2022-35961] ECDSA signature malleability
- Malicious contract can change public key
- The “6.2 L2 DAI Allows Stealing” issue in Code Assessment of the StarkNet-DAI-Bridge Smart Contracts
- Could Wrapped Tokens Like WETH Be (forced) Insolvent?
- Reveal the “Message’’ Replay Attacks on EthereumPoW
- How to Steal $100M from Flawless Smart Contracts
- Bunni Bug Report twitter thread and Bunni Bug Report blog post
- Avalanche Vulnerability Report: How We Discovered A $350M Risk and Avalanche Vulnerability Report: Technical overview