We are happy to announce the Top 10 Blockchain Hacking Techniques of 2023! This year’s theme is different compared to last year’s. Notably, the smart contract exploits of 2023 often use creative ways to exploit rounding errors. Composability is another aspect when smart contracts are safe in isolation but vulnerabilities arise when they are put in a certain context. Finally, we see infrastructure-level bugs shift from nodes and precompiles to compilers and other critical infrastructures like mev-boost.
To compile the list of the top 10 vulnerabilities of 2023, the panel of security experts narrowed down the community-selected list of 15 entries. In order to ensure impartiality, the experts were not allowed to vote for any research they were affiliated with.
The panel consisted of:
Each expert brought a unique set of skills and experiences to the table, helping to ensure that the final selection was as comprehensive and accurate as possible.
We also encourage you to check out the list of community nominations as they are well worth reading too.
With that, let's start the countdown to the number 1 blockchain hacking technique of 2023!
The actual hack could have resulted in way more damage if not for the two preceding vulnerability disclosures that led to the outflow of most of the liquidity at risk. This is the first real loss from Balancer after two years in operation with 1 billion TVL. This article is a long read with a beautiful narrative around the whole story. It does not only cover the recent happenings and losses, but also tells a tale of innovation and dedication, with a note of thoughtfulness and reflection that is felt across the pages. The bug itself involves a few issues such as rounding errors and lack of minimum balance enforcement among others issues. However, the reflection of Balancer’s code evolution says it better. It is worth a read.
The msgSender spoofing attack in Thirdweb's library had one of the most far-reaching effects on the Ethereum ecosystem since it was used by pretty much all major projects from OpenSea to Coinbase. The responsible disclosure process saved us from the mass exploitation seen in the case of the Vyper compiler bug, but it still could not save some projects like Time. A reminder that even the most audited library code may contain unexpected bugs.
- Peter Kacherginsky
This attack was interesting due to its use of metamorphic contracts to blindside anyone voting on the malicious proposal. While the amount stolen was not significant compared to other exploits, this incident highlighted one of the ways governance systems could be compromised. As web3 becomes more mainstream, governance will become increasingly important as it will control larger and larger treasuries. This attack vector was novel enough to make it to the top 10, but more importantly, it's included to bring awareness to how a project's governance could be compromised.
- Ashiq Amien
Redeploy after selfdestruct won't be an issue anymore after the Dencun upgrade, but it is still important to be aware of how governance can be manipulated.
- Gerard Persoon
Research shows that by using basic website hacking techniques, it is possible to compromise the validator infrastructure to steal a billion dollars worth of staked tokens. Luckily, because the identified vulnerabilities were responsibly disclosed by dWallet Labs, the funds are safe. Hopefully, this research will give rise to a wave of security measures geared towards improving the validator infrastructure.
Great example of (in)security not caring for our nonsense web2 or 3 or 4 distinctions. We need more researchers hunting and mitigating these kinds of threats.
- Tincho
For the first time, someone uncovered the security risks of staking, though in a web2 fashion.
- PwningEth
One of the most sophisticated exploits I've seen.
- Tincho
A perfect example of how seemingly minor irregularities can break a core invariant.
- Nikesh Nazareth
A carefully crafted exploit to take advantage of the rounding error in Kyber's protocol.
- Peter Kacherginsky
100proof's excellent research highlighted an issue in KyberSwap and safeguarded over $100m at risk. The bug was a very subtle issue in concentrated liquidity market makers that allowed an attacker to add double the liquidity than provided. While this research was novel for CLMMs themselves, the depth of research is why I believe this disclosure deserves a spot in the top 10 hacking techniques of 2023. This research should set the standard for other researchers, and I believe that further in-depth research into nuanced mechanisms like CLMMs will uncover further subtle, but critical vulnerabilities.
- Ashiq Amien
It's an objectively cool bug.
- samczsun
Great explanation of a subtle bug.
- Nikesh Nazareth
Really outstanding and memorable effort from everyone involved to recover funds. Also, the writeups by the 0x unit team at Coinbase are top-quality.
- Tincho
The Euler exploit was one of the largest non-bridge-related exploits in history, with nearly $200m stolen. The novelty of this bug stems from two parts, the addition of a simple utility function, and the simplicity of the attack. The `donateToReserves` function was introduced as a utility for wrapper functions and potential gas-saving - a seemingly innocent addition that aided this massive exploit. While an exact replica of the attack might not apply directly to other protocols, the addition of seemingly simple functions highlights the fragility of smart contract security as a whole. Because of the simplicity and massive damage of the attack, this exploit deserves a spot high on this list.
- Ashiq Amien
The Flashbots mev-boost relay was attacked due to a vulnerability that leaked a block-builder's block contents if the block header was invalid. The attacker, a malicious proposer, was able to reconstruct their own block with the leaked contents and steal $20m from sandwich bots. This attack highlights one of the many layers in the web3 security stack that often goes overlooked. Due to its niche knowledge set for an attacker to exploit it, I believe this hacking technique deserves a spot on this list.
- Ashiq Amien
The hacker launched a sophisticated attack against the MEV bots, exploiting the weakness in MEV-Boost relayers, the hidden layer of Ethereum. Exploiting privileges as the block proposer is not a new risk, but they were the first ones to execute this attack.
- PwningEth
Confidentiality is a largely unexplored territory in blockchain and this shows the difficulty. And timing usually isn't an issue for the EVM but for other layers it is.
- Gerard Persoon
Another fascinating exploit at the core of the Ethereum ecosystem - Flashbots. A very well-crafted exploit challenged our assumptions about trust in intermediate relay nodes where the leaking of private transactions allowed mass exploitation of MEV bots using specially crafted blocks.
- Peter Kacherginsky
Curve pools being exploited due to the non-reentrancy bug in the Vyper compiler was a significant shift in the perceived scope of the web3 security landscape. While compiler bugs were not new at the time of the exploit, the exploit brought insight into the space where a large majority of researchers were strictly focused on smart contract security. Immediately, another layer of the security stack was unveiled as a target for blackhats.
- Ashiq Amien
A silently patched bug in an unpopular compiler went unnoticed for years and broke one of the most fundamental DeFi protocols, Curve, through the well-known reentrancy attack. It's an unbelievable attack in 2023.
- PwningEth
Normally the compiler is taken for granted, but there can be bugs as well.
- Gerard Persoon
Reentrancy keeps reentering our lives, this time due to a compiler flaw. Excellent post-mortem by the Vyper team.
- Tincho
Even the most audited projects rely on a safe execution environment involving nodes, compilers, and other blockchain infrastructure. A vulnerability in the compiler itself which effectively disabled a critical reentrancy control reminds us that we can never be 100% safe and need to build mitigating controls when our trust assumptions fail.
- Peter Kacherginsky
We also would like to give honorable mentions to the other 5 from the top 15 that was formed by the community vote, along with all the other community nominations on the page:
That is it for 2023! Once again, the top 10 list does not encompass all of the great research that was published so consider all the other community nominations.
If you notice a piece of security research this year, consider saving it to nominate it next year for the top 10 of 2024.
Finally, we would like to extend our gratitude to the community and the panel of experts for making this possible.
Until next year!