Top 10 Blockchain Hacking Techniques 2023

Overview

We are happy to announce the Top 10 Blockchain Hacking Techniques of 2023! This year’s theme differs from last year’s. Notably, the smart contract exploits of 2023 often exploit rounding errors in creative ways. Composability is another recurring theme: smart contracts that are safe in isolation become vulnerable once they are put into a particular context. Finally, infrastructure-level bugs have shifted from nodes and precompiles to compilers and other critical infrastructure such as mev-boost.

To compile the list of the top 10 vulnerabilities of 2023, the panel of security experts narrowed down the community-selected list of 15 entries. In order to ensure impartiality, the experts were not allowed to vote for any research they were affiliated with.

The panel consisted of:


samczsun

Head of Security at Paradigm


Nikesh Nazareth

Principal Security Researcher at OpenZeppelin


Tincho

Ethereum Security Researcher, Creator of Damn Vulnerable DeFi and The Red Guild


cts

Co-Founder of Zellic and Perfect Blue


Ashiq Amien

Independent Security Researcher


PwningEth

Security Researcher, Co-Founder of Offside Labs


Gerard Persoon

Independent Security Researcher

 

Each expert brought a unique set of skills and experiences to the table, helping to ensure that the final selection was as comprehensive and accurate as possible.

We also encourage you to check out the list of community nominations as they are well worth reading too.

With that, let's start the countdown to the number 1 blockchain hacking technique of 2023!

Top 10 Blockchain Hacking Techniques of 2023

10 - Squashing a Pesky Bug in UniswapX

The UniswapX protocol used the balance check approach to ensure that swaps were performed correctly. It worked well in isolation, but when put into context it turned out to be insufficient, because the same balance check could be satisfied by means other than honestly following the protocol. Interestingly, this bug had been found in FloodPlain and then in UniswapX, which suggests that this may be a new vulnerability class for such protocols.

9 - Rate Manipulation in Balancer Boosted Pools — Technical Postmortem

The actual hack could have caused far more damage if not for the two preceding vulnerability disclosures, which led to the outflow of most of the liquidity at risk. This is the first real loss for Balancer after two years in operation with 1 billion TVL. The article is a long read with a beautiful narrative around the whole story: it covers not only the recent events and losses, but also tells a tale of innovation and dedication, with a note of thoughtfulness and reflection that is felt across the pages. The bug itself involves several issues, including rounding errors and a lack of minimum balance enforcement, among others. However, the reflection on Balancer’s code evolution says it better. It is worth a read.

8 - Arbitrary Address Spoofing Attack: ERC2771Context Multicall Public Disclosure


The msgSender spoofing attack in Thirdweb's library had one of the most far-reaching effects on the Ethereum ecosystem since it was used by pretty much all major projects from OpenSea to Coinbase. The responsible disclosure process saved us from the mass exploitation seen in the case of the Vyper compiler bug, but it still could not save some projects like Time. A reminder that even the most audited library code may contain unexpected bugs.

- Peter Kacherginsky

 

7 - Inside the Governance Hack of Tornado Cash


This attack was interesting due to its use of metamorphic contracts to blindside anyone voting on the malicious proposal. While the amount stolen was not significant compared to other exploits, this incident highlighted one of the ways governance systems could be compromised. As web3 becomes more mainstream, governance will become increasingly important as it will control larger and larger treasuries. This attack vector was novel enough to make it to the top 10, but more importantly, it's included to bring awareness to how a project's governance could be compromised. 

- Ashiq Amien

 

Redeploy after selfdestruct won't be an issue anymore after the Dencun upgrade, but it is still important to be aware of how governance can be manipulated.

- Gerard Persoon

 

6 - The Billion-Dollar Exploit: Collecting Validators Private Keys via Web2 Attacks


Research shows that by using basic website hacking techniques, it is possible to compromise validator infrastructure and steal a billion dollars’ worth of staked tokens. Luckily, because the identified vulnerabilities were responsibly disclosed by dWallet Labs, the funds are safe. Hopefully, this research will give rise to a wave of security measures geared towards improving validator infrastructure.

Great example of (in)security not caring for our nonsense web2 or 3 or 4 distinctions. We need more researchers hunting and mitigating these kinds of threats.

- Tincho

For the first time, someone uncovered the security risks of staking, though in a web2 fashion.

- PwningEth

 

5 - KyberSwap Hack Analysis and KyberSwap - REKT


One of the most sophisticated exploits I've seen.

- Tincho

A perfect example of how seemingly minor irregularities can break a core invariant.

- Nikesh Nazareth

A carefully crafted exploit to take advantage of the rounding error in Kyber's protocol.

- Peter Kacherginsky

 

4 - Saving $100M at Risk in KyberSwap Elastic

100proof's excellent research highlighted an issue in KyberSwap and safeguarded over $100m at risk. The bug was a very subtle issue in concentrated liquidity market makers that allowed an attacker to add double the liquidity they actually provided. While this research was novel for CLMMs themselves, the depth of research is why I believe this disclosure deserves a spot in the top 10 hacking techniques of 2023. This research should set the standard for other researchers, and I believe that further in-depth research into nuanced mechanisms like CLMMs will uncover further subtle but critical vulnerabilities.

- Ashiq Amien

It's an objectively cool bug.

- samczsun

Great explanation of a subtle bug.

- Nikesh Nazareth

 

3 - Euler Compromise Investigation Part 1 and Part 2


Really outstanding and memorable effort from everyone involved to recover funds. Also, the writeups by the 0x unit team at Coinbase are top-quality.

- Tincho

The Euler exploit was one of the largest non-bridge-related exploits in history, with nearly $200m stolen. The novelty of this bug stems from two parts, the addition of a simple utility function, and the simplicity of the attack. The `donateToReserves` function was introduced as a utility for wrapper functions and potential gas-saving - a seemingly innocent addition that aided this massive exploit. While an exact replica of the attack might not apply directly to other protocols, the addition of seemingly simple functions highlights the fragility of smart contract security as a whole. Because of the simplicity and massive damage of the attack, this exploit deserves a spot high on this list.  

- Ashiq Amien

 

2 - Post mortem: April 3rd, 2023 Mev-Boost Relay Incident and Related Timing Issue


The Flashbots mev-boost relay was attacked due to a vulnerability that leaked a block-builder's block contents if the block header was invalid. The attacker, a malicious proposer, was able to reconstruct their own block with the leaked contents and steal $20m from sandwich bots. This attack highlights one of the many layers in the web3 security stack that often goes overlooked. Due to its niche knowledge set for an attacker to exploit it, I believe this hacking technique deserves a spot on this list. 

- Ashiq Amien

The hacker launched a sophisticated attack against the MEV bots, exploiting the weakness in MEV-Boost relayers, the hidden layer of Ethereum. Exploiting privileges as the block proposer is not a new risk, but they were the first ones to execute this attack.

- PwningEth

Confidentiality is a largely unexplored territory in blockchain and this shows the difficulty. And timing usually isn't an issue for the EVM but for other layers it is.

- Gerard Persoon

 

Another fascinating exploit at the core of the Ethereum ecosystem - Flashbots. A very well-crafted exploit challenged our assumptions about trust in intermediate relay nodes where the leaking of private transactions allowed mass exploitation of MEV bots using specially crafted blocks.

- Peter Kacherginsky

 

1 - Vyper Nonreentrancy Lock Vulnerability Technical Post-Mortem Report


Curve pools being exploited due to the non-reentrancy bug in the Vyper compiler was a significant shift in the perceived scope of the web3 security landscape. While compiler bugs were not new at the time of the exploit, the exploit brought insight into the space where a large majority of researchers were strictly focused on smart contract security. Immediately, another layer of the security stack was unveiled as a target for blackhats.

- Ashiq Amien

A silently patched bug in an unpopular compiler went unnoticed for years and broke one of the most fundamental DeFi protocols, Curve, through the well-known reentrancy attack. It's an unbelievable attack in 2023.

- PwningEth

 

Normally the compiler is taken for granted, but there can be bugs as well.

- Gerard Persoon

Reentrancy keeps reentering our lives, this time due to a compiler flaw. Excellent post-mortem by the Vyper team.

- Tincho

Even the most audited projects rely on a safe execution environment involving nodes, compilers, and other blockchain infrastructure. A vulnerability in the compiler itself which effectively disabled a critical reentrancy control reminds us that we can never be 100% safe and need to build mitigating controls when our trust assumptions fail.

- Peter Kacherginsky

Conclusion

We also would like to give honorable mentions to the other 5 from the top 15 that was formed by the community vote, along with all the other community nominations on the page:

That is it for 2023! Once again, the top 10 list does not encompass all of the great research that was published, so consider all the other community nominations as well.

If you notice a piece of security research this year, consider saving it to nominate it next year for the top 10 of 2024.

Finally, we would like to extend our gratitude to the community and the panel of experts for making this possible.

Until next year!