Top Ten "Awesome" Security Incidents in 2023
Feb 5 2024

Those who cannot remember the past are condemned to repeat it.

In 2023, we've seen many security incidents that have caused serious losses to the community. They were tragedies for those affected. However, these incidents provide lessons to warn the community that security should be a priority.

Among the incidents, BlockSec handpicked ten exceptional cases, each with a unique reason. Some were rife with high drama; some featured "innovative" attack strategies, some led to significant financial losses, and some exploited previously unknown attack surfaces.

In this blog, we will illustrate the top ten security incidents that are worth mentioning in 2023 and their reasons. For each security incident, we will also present the root cause and the attack steps in separate blog posts.

#1 Harvesting MEV Bots by Exploiting Vulnerabilities in Flashbots Relay

Summary

On April 3, 2023, an attacker leveraged a vulnerability existing in the Flashbots relay to attack multiple MEV Bots, profiting around $20 million. The root cause of this attack is that a private transaction could be leaked to the public pool under certain conditions, and the attacker could back-run the leaked transaction to get profits.

Reason for Selection

The attacker used sophisticated methods to harvest MEV Bots by exploiting a Flashbots zero-day vulnerability, creating honeypot transactions to lure victims, and implementing tactics to evade detection. This is, so far, the most sophisticated attack, which combines the vulnerability in underlying blockchain infrastructure with a leveraged attack strategy that has had a significant financial impact.

#2: Euler Finance Incident: The Largest Hack of 2023

Summary

On March 13, 2023, Euler Finance suffered a flash loan attack on its lending pool, leading to losses of nearly $200 million. The attack stemmed from the donateToReserves() function lacking insolvency checks. This omission allowed attackers to contribute assets from a heavily leveraged position, reducing the position's health below 100% and incurring bad debt.

Euler's design incorporates a dynamic close factor for soft liquidations, meaning the lower the health of a position, the more collateral is eligible for liquidation—up to 75% in the event of bad debt, based on this incident's data. The liquidation of substantially discounted collateral, therefore, permitted the attacker to settle the flash loan and secure a profit.

Reason for Selection

A record-breaking $197 million in funds was stolen by a 20-year-old Argentinian named Federico Jaime, who presented the media with “a winding, sometimes confusing, and even contradictory narrative.” Nonetheless, “all of the recoverable funds” were later returned to Euler Finance's treasury address. However, a small portion of them (around $200K) was “unwittingly” sent to the Lazarus Group—an alleged state-sponsored North Korean crime syndicate sanctioned by the US Treasury.

#3: KyberSwap Incident: Masterful Exploitation of Rounding Errors with Exceedingly Subtle Calculations

Summary

On November 23, 2023, there were a series of attacks targeting KyberSwap. These attacks resulted in a total loss of over $48 million. The fundamental issue originated from incorrect rounding direction during KyberSwap's reinvestment process. This subsequently led to improper tick calculations and, ultimately, to double counting of liquidity.

Reason for Selection

This 2023 attack stands out for its complexity, featuring exceptionally nuanced calculations and serving as a prime example of the many precision-related security incidents that have significantly tested the community. Moreover, after extensive negotiations with authorities, the attacker issued a provocatively toned message to the public, asserting a demand for total control over the protocol.

#4: Curve Incident: Compiler Error Produces Faulty Bytecode from Innocent Source Code

Summary

On July 30, 2023, a series of exploits targeted multiple Curve pools, resulting in losses of millions of dollars. It was a typical reentrancy attack with a non-typical root cause, stemming from a compiler bug that led to the absence of reentrancy protection. Specifically, there was a mistake in which the reentrant locks for different functions within a smart contract were assigned different storage slots. As a result, smart contracts compiled using Vyper versions 0.2.15, 0.2.16, and 0.3.0 were vulnerable.

Reason for Selection

The vulnerability originated from the compiler, not the source code. It's the first time a compiler bug has led to a huge financial loss.

#5: Platypus Finance Incidents: Surviving Three Attacks with a Stroke of Luck

Summary

Platypus Finance is a legendary DeFi protocol that miraculously endured three successive attacks, as follows:

  • On February 17, 2023, it experienced a hack due to an incorrect solvency check, resulting in a total loss of about $9.05M. Of this, $2.4M was rescued with BlockSec's help. Approximately 380K tokens were stuck in the Aave contract and were then returned.
  • On July 12, 2023, it was hacked, with around $50K lost due to ignoring the price gap between stablecoins.
  • On October 12, 2023, it suffered from price manipulation attacks, with around $2.2M lost. After negotiating with the exploiter, 90% of the stolen funds were returned.

It is said, “A person's destiny, of course, depends on one's own efforts, but one must also consider the course of history.” Obviously, the project is lucky to survive all those attacks. Our analysis of these three exploits shows that the logical flaws could be avoidable -- if with careful audit or more active security measures.

Reason for Selection

  • Surviving once is tough, but doing so thrice must be considered legendary.
  • The project was hit by three distinct attacks, each targeting a different vulnerability.
  • The proactive actions by BlockSec helped the project to rescue $2.4M.

#6: Hundred Finance Incident: Catalyzing the Wave of Precision-Related Exploits in Vulnerable Forked Protocols Throughout 2023

Summary

On April 16th, 2023, Hundred Finance, a Compound v2 fork, was attacked, leading to a loss of about $6.8 million. The attack involved two primary root causes:

  • An incorrect rounding issue;
  • Empty markets that allowed the attacker to manipulate the exchange rate.

Specifically, the precision issue is exploited to affect the redemption and withdrawal of collateral. Markets or pools that are not properly initialized may face a liquidity shortage, which can lead to manipulation and a resulting liquidity imbalance between the underlying asset and the corresponding share token (e.g., Compound's cToken). Consequently, the share token's price may inflate, allowing it to be used as collateral—with only a minimal amount, or slightly more, of the original asset—to borrow other valuable underlying assets. Ultimately, the attackers were able to redeem and withdraw the original underlying asset due to a loss of precision.

This incident on Hundred Finance, and a subsequent one targeting HopeLend, an Aave v2 fork, unveiled a new paradigm of exploitations that could potentially target these two prominent protocols and their forks by manipulating the LP token rates. Subsequently, a series of similar attacks was observed.

Reason for Selection

Hundred Finance, the first Compound V2 fork to suffer a hack due to precision loss, set the stage for a series of similar DeFi security breaches. Moreover, this incident may have catalyzed the subsequent wave of attacks on Aave V2-forked protocols.

#7: ParaSpace Incident: A Race Against Time to Thwart the Industry's Most Critical Attack Yet

Summary

On March 17, 2023, due to a vulnerability in the price oracle, ParaSpace became the target of a hacker attack. After the hacker's three failed attempts, the BlockSec Phalcon Block system intervened in a timely manner, saving over 5 million dollars worth of ETH through a rescue operation.

Reason for Selection

Industry's Most Important Block: over $5M rescued by BlockSec Phalcon Block System

#8: SushiSwap Incident: An Attempt Rescue Leads to a Series of Copycat Attacks

Summary

On April 9, 2023, SushiSwap fell victim to an exploit caused by an Unverified External Parameter. The protocol itself was unscathed, but users who had granted permissions to the RouteProcessor2 contract were the primary targets. The nature of the attack, which focused on users with active authorization to the contract and its ease of replication, led to substantial user losses.

BlockSec successfully rescued 100 Ether and returned to the victim. A whitehat with the username @trust__90 made the first attempt to rescue funds, but this effort unfortunately failed. The method used by the whitehat was easily replicable and only aimed at saving a small portion of the total funds at risk. This opened the door for attackers to execute multiple copycat transactions, effectively draining most of the funds.

Reason for Selection

  • SushiSwap, which was under attack, is a leading protocol on Ethereum with a large user base. The attack had a wide-ranging impact.
  • The whitehat rescue unfortunately failed, leading to several copycat attacks. This raises questions about how to perform a whitehat rescue and how to manage it correctly.

#9: MEV Bot 0xd61492: From Predator to Prey in Flash Loan Exploit

Summary

On August 3, 2023, an MEV Bot on Arbitrum was attacked, resulting in a loss of $800K. The root cause of this attack was Insufficient User Input Verification. The attacker deceived the "Arbitrage MEV Bot" (0x8db0ef) into borrowing from the "Vault MEV Bot" (0xd61492), thereby activating the flash loan mechanism. Simultaneously, the attacker, posing as a flash loan provider, appropriated all assets loaned to the "Arbitrage MEV Bot" and seized the approval from the "Vault MEV Bot".

Considering the intricate interactions between MEV Bots and their lack of open-source verification, it's perplexing how the attacker pinpointed and navigated this elaborate exploit path.

Reason for Selection

Arbitrage MEV Bots are often regarded as a mysterious predator due to their non-open-source nature. Understanding the exact logic behind these MEV Bots can be challenging. However, most of them utilize flash loans to maximize the utilization rate of funds, which creates opportunities for attackers. The MEV Bot 0xd61492 hack is a real case for exploiting the interaction between the Bot and the flash loan provider.

The interesting parts of this incident include:

  • First, the vulnerability hidden within the complex callback functions of the MEV Bot modules.
  • Second, bypassing restrictions in the multi-contract MEV Bot system.

#10: ThirdWeb Incident: Incompatibility Between Trusted Modules Exposes Vulnerability

Summary

On December 5, 2023, ThirdWeb's smart contracts were reported to be vulnerable. The issue is an incompatibility problem involving the ERC-2771 and Multicall standards. ERC-2771 defines an interface for receiving meta-transactions through a trusted forwarder, while Multicall allows for batching multiple function calls within a single transaction. The vulnerability occurs when a call, forwarded by a trusted forwarder, retrieves the actual caller address from the calldata, which can be manipulated by an attacker. Although each standard operates correctly on its own, their combined usage can break certain assumptions and lead to unexpected security issues.

Reason for Selection

Both ERC-2771 and Multicall standards are implemented in popular development libraries such as OpenZeppelin and ThirdWeb. Developers often place their trust in these well-established codebases and might overlook them during code audits. This oversight can introduce new security vulnerabilities, even if the individual modules are not inherently flawed. Third-party libraries play a crucial role in software security, a fact that is often overlooked.

Conclusion

In this blog post, we have outlined ten significant security incidents from 2023. As the often-quoted saying goes, *"What we learn from history is that we do not learn from history." This remains painfully relevant, especially in the context of security incidents. We hope that this blog, along with subsequent entries, will enable the community to learn more effectively from past incidents and prevent similar mistakes in the coming year.

As a full-stack security service provider, BlockSec always aims to assist the community. BlockSec's approach to DeFi protocol security is comprehensive. We employ state-of-the-art auditing techniques, automated attack defense tools, and security incident management. This positions us as a vital partner for protocols aiming to strengthen their security posture and safeguard user assets against the evolving threats in the DeFi landscape of 2024.

Stay tuned for more blogs in this series.

Sign up for the latest updates
#10: ThirdWeb Incident: Incompatibility Between Trusted Modules Exposes Vulnerability
Security Insights

#10: ThirdWeb Incident: Incompatibility Between Trusted Modules Exposes Vulnerability

This blog shows the vulnerability and attack caused by Incompatibility of commonly used modules.

#9: MEV Bot 0xd61492: From Predator to Prey in an Ingenious Exploit
Security Insights

#9: MEV Bot 0xd61492: From Predator to Prey in an Ingenious Exploit

On August 3, 2023, an MEV Bot on Arbitrum was attacked, resulting in $800K in loss. The root cause of this attack was **Insufficient User Input Verification**.

#8: SushiSwap Incident: A Clumsy Rescue Attempt Leads to a Series of Copycat Attacks
Case Studies

#8: SushiSwap Incident: A Clumsy Rescue Attempt Leads to a Series of Copycat Attacks

On April 9, 2023, SushiSwap became the target of an exploit due to an Unverified External Parameter. The total loss is about $3.3 million.

BlockSec uses cookies and other identifiers to analyze our traffic in accordance. We also share information about your use of our site with our analytics partners. By remaining on this website, you consent to our use of cookies and the Privacy Policy.