Factors Making Web3 More Vulnerable to Hacks and Our Mitigation Strategies
Aug 30 2023

In a world where blockchain hacks and capital exploitation seem to occur almost weekly, the question arises: Can we effectively prevent these security breaches?

BlockSec, the expert in the blockchain security field, offers valuable insights. We acknowledge the complexity of the issue while actively working to enhance security measures. Phalcon Block, one of our products, provides precise alerts before attack transactions are executed and takes automatic action to fight back against hackers.

Here's our BlockSec founder, Professor Yajin Zhou, sharing his perspectives on the proactive approach to blockchain security during a monitoring panel.

Considering the frequent occurrence of hacks and capital exploitation on the blockchain almost every week, is it realistic to prevent them effectively?

In the world of blockchain security, the answer is a bit complex. Our team is constantly working on ways to spot DeFi hacks. If you ask us whether we can catch all ongoing attacks, the answer is yes. However, here's the catch: if we label every transaction as suspicious or an attack, we can find all hacks, but this creates a problem. We need to carefully balance between false alarms and missing real threats.

When we create products for our customers and set up monitoring systems, we have to make sure our alerts make sense. If our system generates too many alerts, like 50, 100, or even 200 a day, most users will ignore them because most of them turn out to be false alarms. So, our challenge is to maintain that balance effectively.

At BlockSec, we're actively working on strategies to spot attacks while reducing false alarms. Looking ahead, with the help of the security community, we hope to identify a large portion of attacks. While we might not prevent them all, we can certainly improve our detection abilities significantly.

What specific factors in Web3 make it more vulnerable to security attacks than Web2?

In the world of Web3 security, a few things stand out that can make Web3 more vulnerable to attacks compared to Web2.

  • Firstly, Web3 is very open. Everything, like smart contracts and source code, is out in the open for everyone to see. This openness can make it easier for both regular folks and attackers to spot vulnerabilities. In contrast, Web2 systems, like those in traditional banks, keep their code hidden, making it much harder to find weaknesses.

  • Secondly, some parts of the blockchain, like flash loans, actually make it easier for attackers. In regular finance systems, attackers often need a lot of money, like a million dollars, to execute an attack. But in the blockchain world, they can use flash loans to borrow a large amount of cash, like ten million dollars, and use it for attacks.

  • Lastly, Web3 lacks good tools to find vulnerabilities. I'm a university professor, and I've seen students creating tools to find tricky problems in regular software for Web2. But when it comes to Web3 and smart contracts, there's still a lot of work to be done. Finding logical bugs related to business rules is especially tough. It involves things like changing inputs, understanding how different inputs relate, and using reliable information sources – challenges we haven't fully tackled yet.

So, all of these factors together make Web3 a tempting target for attackers but a tough place for protocols to stay secure.

How do you view the connection between monitoring in Web3 security? Can it empower attackers while also offering an opportunity to integrate optional monitoring solutions?

I have encountered challenges related to audio debases and privacy transactions within BlockSec. Similar to Flashbots, these services are susceptible to abuse by attackers. One proposed solution from a colleague suggests investing transactions within flashloans to prevent their misuse. However, I believe this solution may not be practical or accessible in a decentralized world.

Preventing the abuse of such services by attackers remains an open question. Nevertheless, there are a few actions we can take.

  • Firstly, if an attacker is identified, collaborating with authorities to share information can be beneficial in verifying the attackers' identities. This collaboration with authorities can be a step towards mitigating the issue.

  • Additionally, in the future, implementing community-based eventing systems within transactions could prove useful. By incorporating decentralized community-based mechanisms, we can delay transactions that appear malicious.

While these measures may not fully resolve the issue, they can help address the current challenges we face.

Could you please recommend any tools or resources specifically designed to detect security flaws in Web3 applications?

When it comes to recommendations, I believe exploring the DeFi Hack Labs is an excellent starting point for transitioning from Web2 to Web3 security.

This resource offers a wealth of past hack transactions that can be analyzed to gain insights into the motives and methods behind these attacks. By understanding the underlying causes and triggers of these hacks, one can develop tools to analyze and detect similar attacks in the Web3 ecosystem. Consider utilizing both static and dynamic analysis tools, which can be developed independently or by building upon existing solutions. Continuously improving and expanding your knowledge in this area will be crucial.

Could you explain the process of front-running malicious transactions? What would be the infrastructure setup?

In our experience with front-running attack transactions, the process involves setting up infrastructure to monitor the memory pool transactions.

A crucial aspect is developing an automated system that can swiftly synthesize front-running transactions. This involves replicating the attack behaviors from the malicious contracts within your own smart contracts. It becomes essential to replace critical variables, such as substituting the attack address with your own black hat addresses. Additionally, having a responsive infrastructure is crucial to ensure immediate execution as soon as your transaction is on the blockchain.

In conclusion, BlockSec's expertise in the realm of blockchain security reflects our commitment to addressing the evolving challenges of Web3. BlockSec's approach combines technological innovation with collaboration and community involvement, ensuring a safer blockchain ecosystem for all users.
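
The trade-off between false alarms and missed attacks described in the first answer can be made concrete with a small threshold sweep. This is an added example, not BlockSec's code or detection logic; the detector, its 0-100 risk scores, the transaction counts and the 25-alert daily budget are all assumptions constructed for illustration.

```python
# Constructed sample data: one day of transactions, scored 0-100 by a
# hypothetical detector. Counts and scores are invented for illustration.
BENIGN_HIST = {0: 90_000, 10: 8_000, 30: 1_500, 50: 400, 70: 80, 85: 15, 95: 5}
ATTACK_SCORES = [98, 90, 72, 40]  # four real attacks among 100,000 benign txs


def sweep(benign_hist, attack_scores, thresholds):
    """Return one row per threshold: alerts raised, recall, precision."""
    rows = []
    for t in thresholds:
        # Benign transactions at or above the threshold become false alarms.
        false_alarms = sum(n for score, n in benign_hist.items() if score >= t)
        caught = sum(1 for s in attack_scores if s >= t)
        alerts = false_alarms + caught
        rows.append({
            "threshold": t,
            "alerts": alerts,
            "recall": caught / len(attack_scores),
            "precision": caught / alerts if alerts else 0.0,
        })
    return rows


def pick_threshold(rows, daily_alert_budget):
    """Lowest threshold (highest recall) whose alert volume fits the budget."""
    fitting = [r for r in rows if r["alerts"] <= daily_alert_budget]
    return min(fitting, key=lambda r: r["threshold"]) if fitting else None


if __name__ == "__main__":
    rows = sweep(BENIGN_HIST, ATTACK_SCORES, [0, 30, 50, 70, 85, 95])
    for r in rows:
        print(f"t>={r['threshold']:>2}  alerts={r['alerts']:>6}  "
              f"recall={r['recall']:.2f}  precision={r['precision']:.4f}")
    # Threshold 0 flags everything: every attack is caught, but nobody can
    # read that many alerts. A realistic budget forces recall below 100%.
    print("chosen:", pick_threshold(rows, daily_alert_budget=25))
```

With this constructed data, flagging every transaction catches all four attacks, while the strictest setting that still fits the alert budget catches only half of them.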
