The success and sustainability of decentralized protocols hinge on overcoming the persistent challenge of security vulnerabilities. Each year, exploited security vulnerabilities cost the blockchain industry billions of dollars. In light of this reality, and owing to our commitment to securing the blockchain ecosystem, OpenZeppelin has started a series of blog posts publishing the top 10 blockchain hacking techniques of the year. The series kicked off in 2023 with our first post, covering the Top 10 Hacking Techniques of 2022.
This endeavor has a threefold purpose: documenting all the notable hacking techniques and security research for the year, surfacing overlooked security research, and compiling a must-read top 10 list of vulnerabilities for every blockchain developer and security researcher. Ultimately, the goal is to bring the most devious vulnerabilities to the fore, and discuss, document and share them with all the stakeholders of the web3 ecosystem.
While projects like DASP Top 10 identify the most common vulnerability types, OpenZeppelin's Top 10 Blockchain Hacking Techniques project sets itself apart by identifying and publishing the most novel, pervasive, and impactful vulnerability types, techniques, and attack vectors on a yearly basis.
With the voting stage having drawn to a close, we now have the list of top 15 shortlisted entries!
Community Voting Outcome
The top 15 hacking techniques, as voted for by the community, are given below! At the moment, a panel of security experts is going through these nominations to select the final top 10. Stay tuned for the final blog post by following us on X.
- Post mortem: April 3rd, 2023 mev-boost relay incident and related timing issue - The Flashbots Ship
- Vyper Nonreentrancy Lock Vulnerability Technical Post-Mortem Report - HackMD
- Squashing a Pesky Bug in UniswapX :: Kebabsec
- Rate manipulation in Balancer Boosted Pools — technical postmortem | by Juani
- A thought experiment about empty ERC-4626 vaults that ended up making this white hat $33,500
- A unique $100,000 bug in SiloFinance and Silo Finance Logic Error Bugfix Review
- Halting and disabling the Cronos Gravity Bridge
- Inside the Governance Hack of Tornado Cash
- KyberSwap Hack Analysis and KyberSwap - REKT
- ERC-4626 vault inflation attack
- Euler Compromise Investigation Part 1 and Part 2
- Vyper compiler bug involving incorrect success values
- Saving $100M at risk in KyberSwap Elastic
- Arbitrary Address Spoofing Attack: ERC2771Context Multicall Public Disclosure
- The Billion Dollar Exploit: Collecting Validators Private Keys via Web2 Attacks
Community Nominations
While the Top 15 has been settled, the original list of nominations is given below because of the high quality of every entry. It is well worth one's time to go through each of them and gain a better understanding of some of 2023's most important vulnerabilities and attack vectors.
- Helping Secure BNB Chain Through Responsible Disclosure
- Post mortem: April 3rd, 2023 mev-boost relay incident and related timing issue - The Flashbots Ship
- Stealing Gas: Bypassing Ethermint Ante Handlers
- Vyper Nonreentrancy Lock Vulnerability Technical Post-Mortem Report - HackMD
- Squashing a Pesky Bug in UniswapX :: Kebabsec
- Rate manipulation in Balancer Boosted Pools — technical postmortem | by Juani
- Most Governance Contracts Have an Upcoming Vulnerability We Should All Pay Attention To
- A thought experiment about empty ERC-4626 vaults that ended up making this white hat $33,500
- A unique $100,000 bug in SiloFinance and Silo Finance Logic Error Bugfix Review
- Halting and disabling the Cronos Gravity Bridge
- The NFTTrader hack that resulted in millions of dollars worth of NFTs being stolen
- Inside the Governance Hack of Tornado Cash
- KyberSwap Hack Analysis and KyberSwap - REKT
- Decoding Sentiment Protocol’s $1 Million Exploit
- ERC-4626 vault inflation attack
- One more problem with ERC-777
- Euler Compromise Investigation Part 1 and Part 2
- How to almost take over any DNSSEC name on ENS
- Vyper compiler bug involving incorrect success values
- Public transfer vulnerability of the Tether Gold smart contract
- Assets being bridged from the L1 to Polygon zkEVM (L2) cannot be claimed properly in the L2, thus blocking L1->L2 asset migration
- Saving $100M at risk in KyberSwap Elastic
- Critical bugs in Facebook/Polygon Winterfell library
- Balancer’s Bountiful Merkle Orchard and Balancer Logic Error Bugfix Review
- Election Fraud? Double Voting in Celer’s State Guardian Network
- Arbitrary Address Spoofing Attack: ERC2771Context Multicall Public Disclosure
- OpenZeppelin Governor Denial of Service
- Game of TRON: Critical 0-Day in TRON Multi-Signature Wallets
- The Engineer’s Guide to Blockchain Finality
- Bounty Program Helps Fix Contract Vulnerability
- GMX Granted Million Dollar Bug-Bounty to Collider; The Bug Aftermath
- Aztec Connect Claim Proof Bug
- The Billion Dollar Exploit: Collecting Validators Private Keys via Web2 Attacks
- NEAR Rewards $1.8 Million to Ethical Hackers at HackenProof
- Report on Certik’s Aptos-Related Bug Bounty
- The Wildcat Protocol Findings: codehash check in factory contracts does not account for non-empty addresses
The “Top 10” process
The process of selecting these top 10 hacking techniques is as follows: first, the community is invited to submit candidate hacking techniques or pieces of blockchain security research. Then, the community votes on the nominated entries, after which only 15 entries remain. Afterwards, a panel of top blockchain security experts chooses 10 out of these 15 entries. These 10 finalist hacking techniques are then published in a final blog post.
A detailed breakdown of the entire process and its timeline is given below:
Phase 1: Community Nominations
January 18 - February 5
The community submits their entries. These can consist of either the submitter's research or an article they have read somewhere. The main requirement is that the research should have been published in 2023.
Phase 2: Community Voting
February 6 - February 12
The community votes on the nominations, after which only 15 will remain. These 15 will then make it to the third phase. Voting will happen on this page via a form listing each of the submitted nominations.
Phase 3: Panel Voting
February 13 - February 26
A panel of blockchain security experts votes to narrow down the 15 community-selected results to the final 10.
Phase 4: Publishing
February 29
The Top 10 Blockchain Hacking Techniques are published along with their respective summaries.
To stay up-to-date with the whole process as it unfolds, be sure to follow OpenZeppelin on X.