Web3 Hacker Analysis of Common Attack Techniques in the First Half of 2022

In the first half of 2022, the security situation in the Web3 field was severe. Data shows that there were a total of 42 major attack incidents caused by smart contract vulnerabilities, resulting in total losses of up to $644 million. Among these attacks, the exploitation of contract vulnerabilities accounted for more than half, reaching 53%.

Common Attack Techniques

Analysis shows that the most commonly exploited vulnerabilities by hackers include:

1. Improper design of logical OR function
2. Verification Issues
3. Reentrancy Vulnerability

Major Loss Cases

Wormhole event

On February 3, 2022, the Solana cross-chain bridge project Wormhole was attacked, resulting in a loss of approximately $326 million. The Hacker exploited a signature verification vulnerability in the contract to successfully forge accounts to mint wETH.

Fei Protocol event

On April 30, 2022, the Rari Fuse Pool under Fei Protocol suffered a flash loan combined with a reentrancy attack, resulting in a loss of $80.34 million. This incident ultimately led to the project's announcement of closure on August 20.

The attacker implements the attack through the following steps:

1. Obtain flash loans from Balancer
2. Exploiting the reentrancy vulnerability in the cEther contract of Rari Capital
3. Extract all tokens affected in the pool through the callback function
4. Repay the flash loan and transfer the profits

Common Vulnerabilities in Audits

The most common types of vulnerabilities in the smart contract auditing process include:

1. ERC721/ERC1155 Reentrancy Attack
2. Logic flaws ( insufficient consideration of special scenarios, imperfect function design )
3. Missing Authentication
4. Price Manipulation

Vulnerability Prevention

Most of the vulnerabilities that are actually exploited can be discovered during the audit phase. Contract developers should focus on:

• Strictly follow the check-effect-interactive mode
• Improve special scenario handling
• Strengthen permission management
• Use a reliable price oracle

Through a professional smart contract formal verification platform and manual review by security experts, potential risks can be effectively identified, and timely remediation measures can be taken to enhance contract security.