
Unlocking Web3 Security: How BlockSec Combats DeFi Hacks

Phalcon
September 5, 2023

In the ever-evolving world of Web3, the significance of security cannot be overstated. Despite bear market conditions, the alarming surge in DeFi hacks and scams has raised concerns. Countless victims have sought assistance after losing their hard-earned money, underscoring the gravity of the issue and the critical need for preventive measures.

The Introduction of BlockSec

Our blockchain platform was established in 2021 with support from prominent investors and customers. It offers various products, including Phalcon Explorer, which is widely used by security researchers to analyze transactions. Additionally, the platform provides MetaDock and MetaSleuth, which are available free of charge to the community.

Why Security Matters in Web3

The importance of security in Web3 is evident: even in bear market conditions, the rise in DeFi hacks and scams is concerning. The increasing number of victims reaching out for help after losing their money demonstrates the seriousness of the issue and the need for assistance to prevent bankruptcy caused by such attacks.

Why DeFi Hacks are Very Common

DeFi hacks are common today for several reasons.

  • Firstly, attackers have economic incentives to perform these hacks, as they can gain substantial profits from such actions.
  • Secondly, the lack of enough qualified developers contributes to the vulnerabilities in the protocols. Many developers focus on functionalities rather than security and lack adequate training in blockchain security.
  • Additionally, universities have limited courses on blockchain security, leading to a shortage of qualified experts in the community.
  • Lastly, some hacks are initiated by organized hacking groups or state-level organizations. These groups are highly covert and persistent, specifically targeting financial institutions, military organizations, and cryptocurrency exchanges to seek huge profits. Their advanced attack methods and abundant resources pose an even greater threat to DeFi projects.

Security of DeFi Protocol

When discussing protocol security, many people think of code audits as the primary solution for DeFi protocols. However, code audits alone are not sufficient due to their high cost and time-consuming nature. Qualified auditing services are expensive, and the process can take several months, making it impractical for some protocols with time constraints.

Moreover, there is a scarcity of qualified auditors in the space, leading to a lack of available expertise. Consequently, some protocols are forced to go live without comprehensive security measures, which may result in unaddressed vulnerabilities and potential threats.

Why the Proactive Approach is Important in Web3

In order to ensure the security of DeFi protocols, a proactive approach is crucial. This means that protocols cannot simply be deployed and left unattended. They need to actively monitor the ongoing activities within the protocol and be prepared to respond automatically to any potential attacks.

The importance of this proactive approach is heightened in Web3 compared to Web2, for the following reasons.

  • First, Web3 introduces more attack vectors and the openness of blockchain makes it easier for both good and bad users to access and analyze the source code of smart contracts.
  • Second, exploiting vulnerabilities becomes lucrative for attackers, especially due to the anonymous nature of blockchain transactions, which makes tracking their activities challenging.
  • Third, the availability of flash loans allows attackers to amplify their financial capabilities, unlike in Web2 where launching attacks required significant capital.
  • Last but not least, certain private transaction services can be abused to conceal malicious transactions.

Consequently, the unique properties of Web3 make it easier for harmful attacks on protocols and users to happen, while simultaneously making it harder to trace and identify the attackers.

How Our System Works

We have developed a prototype system for the blockchain industry called BlockSec Phalcon. Since February 2022, we have been actively exploring ways to overcome certain challenges associated with DeFi hacks, going beyond code audits.

BlockSec Phalcon lets us closely monitor transactions on the blockchain and respond to them automatically. When an attack transaction is detected, we reconstruct its underlying logic by replaying the attack transaction and replicating the essential logic of the attack contract.

This process allows us to synthesize a new rescue smart contract. We can then send rescue transactions to ensure that our transactions are faster and placed on the blockchain ahead of the attack transactions. By leveraging this approach, we have the potential to completely block the attack transactions by acting faster and gaining a leading position within the blockchain.

How the “Attack” Contract Construction Works

The key aspect of this system is how it automatically reconstructs attack transactions and "attack" contracts. The fundamental idea is to consider what is most important in attack transactions and attack smart contracts: the attack logic within the smart contract.

Though the basic idea is simple, it is not as straightforward in practice. We face a series of technical challenges. The most significant point is how to handle the reuse of basic blocks within smart contracts. Compilers often utilize block reuse to generate smaller code, which is a common practice in code size reduction. Throughout this process, we were inspired by the concept of binary code rewriting, a technique that has been used and developed for over two centuries, if not longer. Therefore, we leverage this idea and apply it to the technique of bytecode rewriting.
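
To make the block-reuse problem concrete, the following added example (not BlockSec's code and not from the original post) splits EVM bytecode into basic blocks and reports blocks that are entered from more than one jump site. The sample bytecode is constructed for illustration, and detecting static jumps as a PUSH immediately followed by JUMP/JUMPI is a simplifying assumption.

```python
# Added illustration; SAMPLE is constructed bytecode, not from any real contract.
JUMP, JUMPI, JUMPDEST = 0x56, 0x57, 0x5B
TERMINATORS = {0x00, 0x56, 0xF3, 0xFD, 0xFE, 0xFF}  # STOP JUMP RETURN REVERT INVALID SELFDESTRUCT

def disassemble(code: bytes):
    """Return [(pc, opcode, push_immediate_or_None)]. PUSH data is skipped so a
    0x5b byte inside an immediate is never mistaken for a JUMPDEST."""
    ins, pc = [], 0
    while pc < len(code):
        op = code[pc]
        n = op - 0x5F if 0x60 <= op <= 0x7F else 0  # PUSH1..PUSH32 carry n bytes
        imm = int.from_bytes(code[pc + 1:pc + 1 + n], "big") if n else None
        ins.append((pc, op, imm))
        pc += 1 + n
    return ins

def block_leaders(code: bytes):
    """Basic-block start offsets: pc 0, each JUMPDEST, and whatever follows a
    terminator or a JUMPI."""
    ins, leaders = disassemble(code), {0}
    for i, (pc, op, _) in enumerate(ins):
        if op == JUMPDEST:
            leaders.add(pc)
        if (op in TERMINATORS or op == JUMPI) and i + 1 < len(ins):
            leaders.add(ins[i + 1][0])
    return sorted(leaders)

def reused_blocks(code: bytes):
    """Map block offset -> jump sites, for blocks entered from more than one
    static jump (heuristic: PUSHn <dest> directly followed by JUMP/JUMPI)."""
    ins = disassemble(code)
    dests = {pc for pc, op, _ in ins if op == JUMPDEST}
    sites = {}
    for (_, _, imm), (npc, nop, _) in zip(ins, ins[1:]):
        if imm is not None and nop in (JUMP, JUMPI) and imm in dests:
            sites.setdefault(imm, []).append(npc)
    return {d: s for d, s in sites.items() if len(s) > 1}

def dynamic_jumps(code: bytes):
    """JUMP/JUMPI sites whose target is not a preceding PUSH immediate, i.e. the
    destination comes from the stack at run time."""
    ins = disassemble(code)
    return [pc for (_, _, imm), (pc, op, _) in zip(ins, ins[1:])
            if op in (JUMP, JUMPI) and imm is None]

# Two call sites push their own return address, then jump to one shared block
# at offset 13, which returns through a stack-supplied JUMP at offset 17.
SAMPLE = bytes.fromhex("6005600d565b600b600d565b005b605b5056")

if __name__ == "__main__":
    print(block_leaders(SAMPLE), reused_blocks(SAMPLE), dynamic_jumps(SAMPLE))
```

In the sample, the block at offset 13 is shared by two call sites and exits through a jump whose target is only known at run time, so any tool that copies or relocates that block has to keep every entry and return path consistent.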

What Remarkable Milestones We Have Achieved

By leveraging our system, we have successfully prevented multiple protocol attack transactions and recovered substantial liquidity losses. For instance, we managed to recoup $5 million in losses for ParaSpace this year and we recovered $3.8 million for Saddle Finance last year. In the following discussion, we will highlight representative cases to illustrate how we prevented these transactions.

Let's consider ParaSpace as an example. It encountered an attack in March this year, but the attackers made critical errors. They failed to allocate sufficient gas, resulting in the transaction being reverted. We monitored and identified this transaction on the blockchain. We then automatically synthesized a similar rescue contract. After executing our rescue contract on the blockchain, BlockSec successfully recovered the $5 million loss for ParaSpace.

Another case is Platypus, which faced an attack in February this year. Exploiting a vulnerability in the smart contract, the attackers found an entry point to exploit the Platypus DeFi protocol. However, they overlooked setting up the logic to withdraw funds from the compromised contract. Consequently, the hackers encountered a challenge: how to extract the remaining $2.4 million from the compromised contract?

In this scenario, BlockSec possesses an internal system that automatically disassembles the attack contract. Through heuristic methods, we conducted a comprehensive analysis of the attack smart contract, uncovering intriguing features.

First, we found that the flash loan callback in this contract was exposed. Second, the Platypus pool contract had been granted approval for USDC. The pool contract can be upgraded to utilize the approval from the attacked contract to withdraw the remaining USDC. By sharing this idea and PoC with the protocol, we helped them successfully retrieve $2.4 million from the attack contract.

Another case involves Transit Swap, which was targeted by an MEV bot. We discovered that the MEV bot's address was generated by a flawed tool called Profanity. Exploiting the vulnerability in this tool, we calculated the private key of the MEV bot and retrieved the funds to reimburse the protocol.

How to Improve the Efficiency of this System

We think that improving the efficiency of this system requires careful thought and strategic actions.

  • Firstly, a rapid and proactive response is essential. It is crucial to gather information and take immediate steps when situations arise.
  • Secondly, maintaining accuracy is crucial. We must avoid generating excessive false alerts. As we discussed previously, if your monitoring tool generates too many alerts, it significantly impacts the usability of the product. Therefore, we should strive for a systematic approach rather than focusing on tracking attackers.

BlockSec possesses a range of tools for contract analysis and disassembly, employing heuristic methods to conduct meticulous bytecode analysis. All these measures are aimed at constructing a comprehensive system and delivering an effective product.

In the dynamic realm of Web3, security is of utmost importance. With the rise of DeFi hacks, it is imperative to adopt a proactive approach and leverage innovative systems like BlockSec Phalcon to protect protocols and users. By continually pushing the boundaries of security measures, we strive to enhance the safety and integrity of Web3, paving the way for a secure and prosperous decentralized future.
