Crypto Security: The Battle Between Web2 and Web3
A recent report from blockchain security platform Immunefi has opened our eyes to a shocking truth: the vulnerabilities we thought were relegated to the sphere of Web3 actually have their roots in the good ol’ Web2. According to this report, nearly half of all crypto losses attributed to exploits in 2022 stemmed from such Web2 security issues. That’s right, while Web3 might be the shiny new toy, it turns out that the old reliable might be the culprit behind many mishaps.
Exploring the Report Breakdown
Released on November 15, the Immunefi report took a retrospective glance at the major crypto exploits of 2022, highlighting that a staggering 46.48% of lost crypto was due to “infrastructure weaknesses.” These weaknesses are essentially related to the computer systems and networks associated with the developing firms, rather than any flaws found in the smart contracts themselves.
Web2’s Involvement in Crypto Chaos
When you think about it, it makes complete sense. Most of these issues can be traced back to simple mistakes: leaked private keys, weak passwords, or someone deciding to send a private key over an unsecured channel. However, when counting incidents instead of value lost, the share attributable to Web2 vulnerabilities drops to 26.56%. It seems even bad news has to be measured by its weight!
Categorizing the Exploits
Immunefi didn’t just wave their wand and throw numbers around; they meticulously categorized the different types of vulnerabilities. They boiled these down into three main categories:
- Design Flaws: For example, the infamous BNB Chain bridge hack which highlighted the dangers of inadequate design.
- Flawed Implementation: A notable instance being the Qbit hack, where an otherwise sound design was ruined by coding errors.
- Infrastructure Weaknesses: As evidenced by the Ronin bridge hack, vulnerabilities can arise when attackers gain control over key stakeholder signatures.
Infrastructure Woes: The Real Thieves?
When diving deeper into infrastructure weaknesses, the report identified several causes of these vulnerabilities, such as:
- Leaked private keys
- Weak passphrases
- Flaws in two-factor authentication
- DNS and BGP hijacking
- And, of course, that oh-so-special flavor of disaster—a hot wallet compromise.
These vulnerabilities accounted for the greatest loss, clearly indicating that sometimes, the easiest lock to pick might just be the one right at the front door.
Other Culprits in Crypto Losses
While we are busy labeling Web2 as the villain, the report highlighted cryptographic issues as the second-largest culprit, resulting in 20.58% of total losses. Think of everything from Merkle tree errors to blunders in generating random numbers. When you leave the cryptography to the amateurs, you might just get what you pay for.
Finally, while weak input validation and access control accounted for just 4.62% of losses by value, they represented about 30.47% of all incidents. So, while they may be tiny in terms of monetary value, it would be a mistake to underestimate the chaos they can sow!