Web3 Security Reports for Informed Decision-Making and Risk Mitigation
Stay ahead of the curve with expertly crafted Web3 security reports that offer actionable insights and unparalleled analysis.
Web3 Security Outlook 2022
-> $4B were lost in 300+ security exploits in 2022
-> The report outlines all major hacks and security breaches that occurred in 2022.
-> The report also explores new technologies, such as Layer 2 and zero-knowledge proofs, the role of AI in securing the Web3 ecosystem, and offers essential technical measures for smart contract developers to mitigate vulnerabilities.
Protecting your Web3 assets and users from security threats is crucial but can be overwhelming.
That's why we have curated a series of expertly crafted reports that provide real-world examples and practical advice. Our engaging and informative reports are the ultimate resource for businesses and organisations operating in the Web3 space. Join us on the journey to a safer Web3 world.
Here We Are!
Welcome to the Web3 Security Report for 2023. Security is of utmost importance in the world of cryptocurrencies and digital assets. Unfortunately, despite the efforts of many in the industry, the number of successful attacks against crypto assets has not declined in recent years.

In 2022, the crypto industry experienced a major blow as it lost approximately $4 billion worth of digital assets to various forms of theft and fraud.

As the world of Web3 and decentralized finance continues to grow, it is becoming increasingly important to find new and effective ways to secure digital assets and prevent these types of losses from occurring. This report will delve into the state of Web3 security in 2022 and examine the various measures that can be taken to minimize the risks of future attacks.

Our goal is to provide developers, investors, and stakeholders in the Web3 ecosystem with the knowledge and insights needed to build and use secure decentralized applications.

The report provides practical recommendations for developers to follow to mitigate security risks and highlights the areas where further research and development are needed.

This report is based on extensive research and analysis of the latest security incidents, trends, and best practices in the Web3 ecosystem. We hope this report will provide valuable insights into the current state of Web3 security and help drive further improvements in the ecosystem's security.
TABLE OF CONTENTS
1. State of Web3 Security in 2022
2. Notable Security Breaches in 2022
3. Where to Focus on Web3 Security in 2023?
4. Mitigating Vulnerabilities in Web3: Smart Contract Auditors' Insights
5. Exploring the Influence of New Technologies on Web3 Security: Role of Layer 2 and Zero-Knowledge Proofs
6. Role of AI in Securing the Web3 Ecosystem
7. ChatGPT for Bug Bounty and Penetration Testing in Web3
8. Mitigating Web3 Vulnerabilities: Essential Technical Measures for Smart Contract Developers & Audit Reports
9. Mitigating NFT Hacks: Essential Technical Measures
10. NFT Security Red Flags
11. The Discord Trap: Spotting Red Flags for Web3 Projects
12. Top Security Measures to Combat Discord Traps
13. Staying Safe in Web3: A Survival Guide for the Digital Wild West
From a technical standpoint, the Web3 security landscape in 2022 was characterized by the following:

Increasing complexity of Web3 protocols and smart contracts: As Web3 protocols and decentralized applications become more complex, the attack surface for hackers also increases. This makes it more challenging to secure Web3 projects, as developers need to consider a wider range of potential vulnerabilities.

Emergence of new security threats: As the Web3 ecosystem evolved, new types of security threats emerged. For example, the rise of non-fungible tokens (NFTs) brought with it new risks related to NFT ownership and the transfer of assets.

Growth of decentralized finance (DeFi): The growth of DeFi platforms also contributed to the security landscape, as these platforms require highly secure smart contracts to manage large sums of assets.

Lack of security best practices: Despite the increasing importance of Web3 security, many developers were still lacking the necessary skills and experience to build secure decentralized applications. This led to a number of security incidents caused by simple programming errors and a lack of proper testing.

Importance of third-party auditing: To mitigate the risks associated with Web3 security, more emphasis was placed on third-party security audits. These audits provide a comprehensive assessment of the security of Web3 protocols and applications, helping developers to identify and address potential vulnerabilities.
In conclusion, the state of Web3 security in 2022 was a reminder of the importance of security best practices and the ongoing need for investment in security research and development. The growth of the Web3 ecosystem will continue to bring new security challenges, but with the right focus and investment, these challenges can be overcome.
The decentralized finance (DeFi) ecosystem was the most attacked sector in the blockchain industry in 2022.

This report analyses several attacks across various blockchain sectors, with 47% of the attacks targeted at DeFi protocols, resulting in a total loss of over $3 billion.

The report also highlights the importance of prioritising security measures in the DeFi sector and suggests that increased regulation and improved security standards may be necessary to prevent such attacks in the future.
[Chart: 2022 Loss by Quarter, Q1 - 2022 to Q4 - 2022; bar labels $1.19B, $0.405B, $1.29B, $0.7183B]
Top Hacks in 2022: January
Total loss: $149.5M
Qubit Finance. Loss: $80M. Cause: a bug allowed hackers to call the "deposit" function without actually depositing any funds.
Crypto.com. Loss: $34M. Cause: 2FA compromise.
Lympo. Loss: $18.7M. Cause: hot wallet attack.
ArbixFinance. Loss: $10M. Cause: rug pull.
LCX. Loss: $6.8M. Cause: hot wallet attack.
Top Hacks in 2022: February
Wormhole bridge. Loss: $320M. Cause: attackers used an earlier txn to create a 'signatureset', a type of credential. With this, they created a VAA, or validator action approval, essentially a certificate needed for approving transactions. Once they had created the 'signatureset', they used it to generate a valid VAA and trigger an unauthorized mint to their account.
Superfluid hack. Loss: $8.7M. Cause: smart contract vulnerability.
Dego Finance. Loss: $10M. Cause: private key leaked.
Meter Passport. Loss: ~$4.2M. Cause: smart contract vulnerability.
Top Hacks in 2022: March
Total loss: $708M
Axie Infinity's Ronin Network hack. Loss: $625M. Cause: private key leaked.
Cashio. Loss: $50M. Cause: contract exploit.
Bored Bunny. Loss: $21M. Cause: rug pull.
Hundred Finance and Agave Finance. Loss: $12M. Cause: flash loan.
Top Hacks in 2022: April
Beanstalk Farms. Loss: $182M. Cause: a flash-loan attack due to a flaw in its newly introduced Curve LP Silos that compromised the protocol's governance mechanism, ultimately permitting the attacker to conduct an emergency execution of a malicious proposal siphoning project funds.
Elephant Money. Loss: $11M. Cause: flash loan attack.
Fei Protocol and Rari. Loss: $80M. Cause: re-entrancy vulnerability.
Inverse Finance. Loss: $15.6M. Cause: price manipulation.
Top Hacks in 2022: May
Mirror Protocol. Loss: $88M. Cause: the bug in question relates to the Mirror lock contract. Under normal circumstances, users lock their collateral, and after a 14-day holding period they can use an unlock function to release the collateral. Until the UST implosion, the code which governed the unlock function did not have a duplicate check, meaning an attacker could repeatedly release funds after the 14-day lock-in period.
Fortress Protocol. Loss: $3M. Cause: oracle manipulation attack.
PokeMoney. Loss: $3.5M. Cause: rug pull.
Top Hacks in 2022: June
Maiar. Loss: $113M. Cause: hackers exploited a vulnerability in VM functionality on the decentralized exchange Maiar to steal around 1.65 million Elrond eGold (EGLD), the native token of the Elrond blockchain. Researchers said the attacker deployed a smart contract and used three wallets to steal an estimated $113 million worth of EGLD from the exchange.
Animoon. Loss: $6.3M. Cause: rug pull.
Horizon Bridge. Loss: $100M. Cause: private key leaked.
Inverse Finance. Loss: $1.2M. Cause: flash loan attack.
Top Hacks in 2022: July
Total loss: $38.3M
Raccoon Network and Freedom Protocol. Loss: $20M. Cause: rug pull.
Uniswap. Loss: $8.17M. Cause: phishing attack.
Teddy Doge project. Loss: $4.5M. Cause: phishing attack.
Nirvana Finance. Loss: $3.5M. Cause: flash loan attack.
Bifrost. Loss: $2.2M. Cause: private key leaked.
Top Hacks in 2022: August
Nomad bridge. Loss: $190M. Cause: the primary reason for the attack was that Nomad's smart contract didn't correctly validate the transaction's input. This hack is interesting due to the fact that Nomad's account was looted by thousands of addresses. They may have been able to add their addresses to the attacker's original call data by copying and pasting it.
Bribe Protocol. Loss: $5.5M. Cause: rug pull.
Slope wallet attack. Loss: $6M. Cause: unknown.
ZB Exchange. Loss: $3.6M. Cause: hot wallet compromised.
Top Hacks in 2022: September
Wintermute. Loss: $160M. Cause: Wintermute, a market maker, used a vanity address (an identifiable name or number) as an admin account for their crypto assets vault. A recent security disclosure report from 1inch stated that vanity addresses generated through Profanity were not secure, as the private keys could be extracted through brute-force calculations.
ShadowFi. Loss: $298.2k. Cause: smart contract vulnerabilities.
Attacks on Avalanche blockchain. Loss: ~$370k USDC. Cause: flash loan attack.
GMX exchange. Loss: $40k. Cause: price manipulation.
Top Hacks in 2022: October
Binance Smart Chain. Loss: $570M. Cause: there was an exploit affecting the native cross-chain bridge between BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC), known as "BSC Token Hub." A total of 2 million BNB was withdrawn. The exploit was through a sophisticated forging of the low-level proof into one common library.
Freeway. Loss: $100M. Cause: rug pull.
Mango Markets. Loss: $116M. Cause: flash loan attack.
Team Finance. Loss: $14.5M. Cause: smart contract vulnerability.
Top Hacks in 2022: November
Total loss: $707M
FTX. Loss: $600M. Cause: Telegram was hacked.
Bo Shen. Loss: $42M. Cause: wallet was compromised.
Deribit. Loss: $28M. Cause: hot wallet stolen.
Pando. Loss: $20M. Cause: oracle manipulation attack.
Flare token. Loss: $17M. Cause: rug pull.
Top Hacks in 2022: December
Total loss: $50.3M
Helio. Loss: $15M. Cause: attackers were able to take advantage of an exploit on the Ankr protocol to obtain around 183,000 aBNBc tokens for only 10 BNB (~$2,900).
3Commas. Loss: $14.8M. Cause: API key compromise.
BitKeep. Loss: $8M. Cause: wallet hack.
Lodestar Finance. Loss: $7M. Cause: price manipulation.
Raydium. Loss: $5.5M. Cause: private key compromised.
[Chart: Rug Pulls by Month, rug pulls in the year 2022, Jan to Dec; monthly bar labels $2.75M, $26.29M, $53.81M, $105.25M, $91.64M, $17.18M, $55.76M, $15.74M, $3.7M, $3.16M, $45.04M, $4.76M]
We would advise Web3 companies to focus on the following areas to ensure the security of their product:

Threat modeling: Developing a comprehensive understanding of the threats facing Web3 systems, and taking proactive measures to mitigate those risks.

Cryptographic security: Implementing strong cryptography to protect sensitive information and ensure users' privacy.

Smart contract security: Conducting thorough security audits of smart contracts and regularly reviewing and updating them to ensure they are secure.

Network security: Ensuring that the underlying network infrastructure of Web3 systems is secure and resilient and that communication between nodes is protected.

Access control: Implementing effective access control mechanisms to prevent unauthorized access to sensitive information and resources.

Incident response: Having a well-defined incident response plan in place to quickly and effectively respond to security incidents, minimize damage, and prevent a recurrence.

By focusing on these areas, Web3 companies can provide a secure and trustworthy product for their users, while maintaining the integrity and security of the Web3 ecosystem.
This section focuses on the insights and recommendations of smart contract auditors for mitigating vulnerabilities in Web3 projects. We'll explore the best practices that Web3 projects can follow to ensure the security of their smart contracts and minimize the risk of security breaches.

Code review:
- Check for hardcoded values and make sure that the contract can handle changes in values by using safe math libraries, such as the OpenZeppelin SafeMath library, or by manually implementing overflow/underflow protection.
- Manually review the code for security-critical sections and implement defensive programming techniques, such as using the checks-effects-interactions pattern and avoiding common anti-patterns, such as the delegatecall anti-pattern.
- Ensure that the contract implements proper access control and authorization mechanisms, such as using the OpenZeppelin AccessControl library or similar, to prevent unauthorized access to sensitive information and resources.

Formal verification:
- Verify the code using automated tools, such as Mythril, Oyente, and Securify, to identify common security vulnerabilities such as reentrancy, overflow, and underflow issues.
- Use formal verification tools, such as Z3 and Coq, to prove the correctness of the contract's behavior under all possible conditions.
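The checks-effects-interactions point above, shown in code as an added example that is not from the report: a hypothetical vault's withdraw function first in its reentrancy-prone form (external call before the balance update, return value ignored), then reordered, with the call's success flag checked and a mutex added as defence in depth.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; VaultUnsafe and VaultSafe are hypothetical contracts,
// not code from the report.

// VULNERABLE: the external call (interaction) runs before the balance update
// (effect), so a malicious receiver's fallback can re-enter withdraw() while
// its balance is still credited, and the low-level call's result is ignored.
contract VaultUnsafe {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        msg.sender.call{value: amount}("");   // interaction first, result unchecked
        balances[msg.sender] -= amount;       // effect happens too late
    }
}

// HARDENED: checks, then effects, then interactions; the call's success flag
// is verified; a simple mutex rejects nested entry (OpenZeppelin's
// ReentrancyGuard provides the same mutex).
contract VaultSafe {
    mapping(address => uint256) public balances;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external nonReentrant {
        // checks
        require(amount > 0, "zero amount");
        require(balances[msg.sender] >= amount, "insufficient balance");
        // effects: state is updated before any external call
        balances[msg.sender] -= amount;
        // interactions: external call last, with its return value checked
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A malicious receiver re-entering VaultSafe.withdraw sees its balance already reduced and is additionally stopped by the mutex, so the second call reverts instead of draining the vault.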
Security testing:
- Verify that the contract implements proper error handling and exception handling mechanisms to prevent the contract from entering an unexpected state, by using assert statements and revert statements.
- Conduct unit testing on individual components of the contract to ensure that they behave as expected.
- Perform integration testing to verify the interactions between components of the contract and with external systems.
- Conduct functional testing to verify the overall functionality of the contract and ensure that it meets its specified requirements.
- Perform security testing to identify potential vulnerabilities, such as reentrancy, overflow, and underflow issues, by using automated tools and manual testing.
- Use ethical hacking and penetration testing to simulate real-world attack scenarios and identify potential security weaknesses in the contract.
- Use specification languages, such as Solidity's specification comments or an external tool like Mythril's annotations, to specify the intended behavior of the contract, and use formal verification tools to prove that the contract meets these specifications.
Contract interoperability:
- Verify that the contract is compatible with other contracts and external systems by using interface-based programming and testing the contract's interactions with other systems.
- Ensure that data exchanged between the contract and other systems is secure and cannot be tampered with, by using secure encoding and decoding mechanisms, such as JSON-RPC.
- Verify that the contract has robust error-handling mechanisms to handle unexpected errors and exceptions by using try-catch blocks or exceptions in the contract's interface.

Access control:
- Implement role-based access control mechanisms to restrict access to sensitive information and resources by using contract inheritance and contract composition.
- Implement mechanisms for authorization and authentication to verify the identity of users and authorize access to resources by using contract events and the Ethereum events API.
- Ensure that secure key management practices are in place to protect private keys and other sensitive information by using hardware wallets and secure key storage mechanisms.
Gas optimization:
- Properly handle gas costs in the contract to prevent gas exhaustion and denial-of-service attacks by using the Solidity Gas Ethereum Network contract library or similar.
- Avoid infinite loops in the contract that can consume excessive gas and cause gas exhaustion by using proper loop conditions and limiting the maximum number of iterations.
- Minimize the use of expensive operations in the contract to reduce the risk of gas exhaustion by using low-level operations, such as bitwise shifting, instead of expensive operations, such as division and multiplication, whenever possible.
- Optimize the contract's storage usage to reduce the risk of running out of storage and causing contract failure by using memory-efficient data structures and minimizing the use of dynamic arrays.
- Use the Solidity ABIEncoderV2 contract library or similar to minimize the size of function calls and reduce the risk of exceeding the block gas limit.
By focusing on these technical areas, smart contract developers can ensure that their contracts are secure and able to handle real-world scenarios. Additionally, regular security audits and code reviews can help to identify and fix any potential security vulnerabilities before they can be exploited by malicious actors.
As a smart contract developer or researcher, it is important to be aware of the impact of new technologies on the security of Web3 systems. This section will provide a technical analysis of the impact of two such technologies: layer 2 solutions and zero-knowledge proofs.

Layer 2 solutions, such as state channels and plasma chains, aim to increase the scalability of Web3 systems by moving some of the computation and storage off-chain while still maintaining the security guarantees of the underlying blockchain. This enables Web3 systems to process a larger number of transactions per second, making them more usable for real-world applications.

In terms of security, layer 2 solutions can provide enhanced security for smart contracts by reducing the amount of data that needs to be stored on-chain, and by isolating smart contracts from the underlying blockchain layer. This makes it more difficult for attackers to compromise the security of smart contracts, as they would need to exploit vulnerabilities in the layer 2 solution itself, rather than in the underlying blockchain.

Zero-knowledge proofs, on the other hand, are cryptographic techniques that enable users to prove a statement's validity without revealing any underlying information. This can be useful for ensuring the privacy of transactions in Web3 systems and providing additional security guarantees for smart contracts.

For example, zero-knowledge proofs can be used to verify the authenticity of data in smart contracts without revealing the underlying data to other parties. This can be useful for ensuring the privacy of sensitive information, such as personal data or business secrets, in Web3 systems.
Additionally, zero-knowledge proofs can be used to provide strong cryptographic guarantees for the correctness of smart contracts, helping to ensure that the smart contract will behave as intended, even in the presence of attackers.

However, it is important to note that these technologies are still relatively new, and more research is needed to fully understand their security implications and to ensure their widespread adoption in the Web3 ecosystem.

In conclusion, the integration of layer 2 solutions and zero-knowledge proofs into Web3 systems has the potential to significantly improve the security of smart contracts.
The increasing number of threats and vulnerabilities the blockchain industry faces has led to a growing demand for advanced cybersecurity solutions.

By 2028, the AI cybersecurity market is projected to reach $46 billion, growing at a compound annual growth rate of over 23 percent.

As a result, the integration of AI into cybersecurity solutions is expected to enhance the detection and prevention of sophisticated cyber threats.

The increasing adoption of AI-based platforms such as OpenAI's ChatGPT, Google's Bard, and Microsoft's AI build-out of Bing indicates the potential for these technologies to boost the development of heuristics-based cybersecurity.
Vulnerability Detection: AI algorithms can identify potential vulnerabilities in smart contracts. This helps organizations quickly fix security issues. AI can identify various types of vulnerabilities, like buffer overflows and contract logic flaws.

Automated Exploitation Testing: AI automates exploitation testing for smart contracts. This simulates attacks to evaluate the impact of security breaches. This helps prioritize remediation efforts and simulates various types of attacks.
Anomaly Detection: AI can detect anomalies in smart contract behaviour. This helps identify potential security issues and respond quickly. AI can identify various types of anomalies, like abnormal transaction patterns.

Security Risk Assessment: AI analyzes smart contract code and data for security risk assessments. This provides a comprehensive view of smart contract security. This helps prioritize remediation efforts and allocate resources accordingly.
It's important to note that while AI can be a powerful tool for securing the Web3 ecosystem, it is not a silver bullet. AI algorithms must be properly validated, trained, and maintained to ensure their accuracy and reliability. Additionally, organizations should complement AI with manual auditing and expert review to provide additional oversight and ensure that AI results are properly validated.

The critical role of AI in building a more secure and trustworthy Web3 ecosystem cannot be overstated.
Using ChatGPT for bug bounty and penetration testing in Web3 can greatly improve the efficiency and accuracy of security testing. It can generate test cases, simulate attacks, generate documentation and custom code snippets, and perform security risk assessments.

Test Case Generation:
Suppose we have a smart contract function that transfers tokens from one account to another, and we want to generate test cases for this function. We can input the function signature and a range of input values into ChatGPT, and it can generate a large number of test cases based on the input range.

For example, if our input range is 0 to 100 for the amount of tokens to transfer, ChatGPT could generate test cases such as:
- Transfer 0 tokens from account A to account B
- Transfer 10 tokens from account A to account B
- Transfer 50 tokens from account A to account B
- Transfer 100 tokens from account A to account B
- Attempt to transfer 200 tokens from account A to account B (edge case testing)
- Attempt to transfer -10 tokens from account A to account B (edge case testing)
- Transfer 1 token from account A to account B, then attempt to transfer -1 token from account B to account A (security testing)

These test cases can then be used to validate the functionality and security of the smart contract function and can help identify any potential vulnerabilities or edge cases that need to be addressed.
Attack Simulation:
Using attack simulation with ChatGPT, a security researcher could train the model to recognize and simulate various attack patterns that could potentially exploit vulnerabilities in the transfer function.

For example, they could train the model to recognize the following attack patterns:
- A reentrancy attack where an attacker repeatedly calls the transfer function to drain the contract's balance
- An integer overflow attack where an attacker transfers more tokens than they have in their balance, causing an integer overflow in the balanceOf[msg.sender] variable
- A denial-of-service attack where an attacker floods the transfer function with a large number of transactions to exhaust the contract's gas

The ChatGPT model could then simulate each of these attacks on the smart contract and identify any potential security vulnerabilities that could be exploited. The security researcher could then prioritize remediation efforts based on the severity of each vulnerability.
Documentation Generation:
Suppose a smart contract has been developed to handle transactions for an online marketplace. Using ChatGPT, developers can input the smart contract code and generate detailed documentation that includes information on:
- The functions and parameters of the smart contract
- How the smart contract interacts with other contracts and networks
- Any potential security vulnerabilities in the smart contract code
- Recommended best practices for implementing and deploying the smart contract

The generated documentation can then be used by security researchers and penetration testers to gain a comprehensive understanding of the smart contract's behaviour and identify potential security vulnerabilities. It can also be used by developers to ensure that the smart contract is properly implemented and that all relevant functions and parameters are accounted for.
Custom Code Generation:
ChatGPT can allow developers to quickly prototype a smart contract and evaluate its security. This can be particularly useful for:
- Generating smart contract code for new decentralized applications (dApps)
- Creating custom utility functions to aid in the development and testing of smart contracts
- Building out example contracts that demonstrate best practices for specific use cases
- Creating custom code for multi-signature wallets, escrow contracts, and other types of decentralized finance (DeFi) applications
- Generating code for smart contract upgrades or migrations

These are just a few examples of the many ways ChatGPT can be used for custom code generation in Web3 development and security.

It's important to note that while ChatGPT can be a valuable tool for bug bounty and penetration testing in the Web3 ecosystem, it should not be relied upon as the sole method of testing and validation. It should be used in conjunction with manual code review, expert review, and other security tools and techniques to ensure the accuracy of results and the overall security of smart contracts.
This section of the report highlights the essential technical measures that smart contract developers should take to minimize the risk of vulnerabilities in their Web3 projects.

Input validation: Ensure that the inputs to smart contracts are validated properly before processing. For example, in Solidity, you can define custom data types and use require statements to enforce input constraints.

Avoid using self-destruct: The self-destruct functionality in Solidity can be used to delete a contract, but if not implemented properly it can lead to loss of funds. Developers should avoid using it unless necessary and should always implement proper security checks before calling the selfdestruct function.
Use libraries instead of inline code: Reusing existing code can help prevent bugs and save time. Developers should use libraries instead of writing inline code whenever possible.

Proper access control: Smart contracts should implement proper access control mechanisms to ensure that only authorized entities can access and modify the state. For example, you can use the modifier keyword in Solidity to define access control functions.

Use recent compiler versions: Make sure to use the latest compiler versions to benefit from bug fixes and security improvements.
Unit testing: Write unit tests to validate the functionality of smart contracts and ensure that the expected results are obtained.

External security audits: Finally, have the smart contracts reviewed by experienced security auditors to identify and fix potential vulnerabilities.
Proper use of smart contract patterns: Use well-established and battle-tested smart contract patterns, such as the Pull Over Push pattern, to reduce the risk of funds being stolen. This pattern involves the user sending a transaction to the contract with the desired actions, instead of the contract calling external addresses.

Secure key management: Securely manage private keys and seed phrases to prevent unauthorized access to funds. Consider using hardware wallets, or using multi-sig wallets to reduce the risk of funds being stolen due to a single point of failure.
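The Pull Over Push pattern in code, as an added example and not the report's own: a hypothetical royalty distributor for an NFT collection that pushes ether to every payee in one loop, beside the pull version in which the contract only records what is owed and each payee claims their own share.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; DistributorPush and DistributorPull are hypothetical
// contracts, not code from the report.

// PUSH (fragile): one transaction sends to every payee. A single payee that
// reverts (a contract with no payable receive function, or one that reverts
// on purpose) blocks payment to everyone else, and the loop's gas cost grows
// with the payee list, so a long list can exceed the block gas limit.
contract DistributorPush {
    address[] public payees;

    constructor(address[] memory _payees) {
        require(_payees.length > 0, "no payees");
        payees = _payees;
    }

    function distribute() external payable {
        uint256 share = msg.value / payees.length;
        for (uint256 i = 0; i < payees.length; i++) {
            (bool ok, ) = payees[i].call{value: share}("");
            require(ok, "payee rejected payment");   // one failure reverts all
        }
    }
}

// PULL (robust): distribute() only updates accounting; each payee withdraws
// in a separate transaction, so a failing recipient affects nobody else and
// the single external call is isolated and ordered after the state change.
contract DistributorPull {
    address[] public payees;
    mapping(address => uint256) public owed;

    constructor(address[] memory _payees) {
        require(_payees.length > 0, "no payees");
        payees = _payees;
    }

    function distribute() external payable {
        uint256 share = msg.value / payees.length;
        for (uint256 i = 0; i < payees.length; i++) {
            owed[payees[i]] += share;   // effect only, no external call
        }
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;                         // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```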
Proper use of access controls: Implement proper access controls, such as role-based access control or access control lists, to restrict the actions that can be performed by specific actors within the contract. This can help prevent unauthorized modifications to the contract logic or data.

Use of verified libraries: Use verified and well-established libraries, such as OpenZeppelin, to avoid introducing security vulnerabilities into the contract. These libraries have been audited by the community and have proven track records of being secure.
Regular code audits: Regularly conduct code audits, including third-party security audits, to ensure that the contract code is free from vulnerabilities. Fix any issues that are identified during the audit process.
Unchecked return values: Unchecked return values from external calls or delegatecalls can lead to reentrancy attacks or other security issues. Developers should always validate return values from external calls and delegatecalls.

Unprotected sensitive information: NFT projects often store sensitive information such as private keys or seed phrases in the smart contract. Developers should implement proper access controls and encryption mechanisms to protect this information.

Lack of proper event handling: Proper event handling is crucial in NFT projects to track transfers, approvals, and other important actions. If events are not properly handled, attackers can exploit this to steal NFTs or manipulate the state of the contract.

Unrestricted contract transfers: Allowing unrestricted contract transfers can lead to contract hijacking attacks, where an attacker can transfer ownership of the contract to themselves and gain control over its functionality and data. Developers should restrict contract transfers to trusted actors only.
Use of vulnerable libraries: Developers should always use secure libraries, and avoid using vulnerable libraries that have known security issues. This can be accomplished by using verified libraries or libraries that have undergone a thorough security audit.

Here is a code example to demonstrate one of the red flags mentioned above, in this case, unrestricted contract transfers:
In the above code, the transfer Ownership function allows
the owner of the contract to transfer ownership to a new
address.
However, this opens the contract up to potential contract
hijacking attacks, as any address can call the function and
transfer ownership to themselves. To mitigate this risk,
developers can add additional checks to ensure that only
trusted actors can transfer ownership.
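The pattern described above, as an added example that is not the report's own code (the report's snippet is not reproduced on this page): an ownership transfer with no access control, followed by a restricted two-step version that also emits the events the event-handling item above calls for. Contract names, error strings and the two-step design are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not the report's own code: the ownership-transfer red
// flag described above, with a restricted two-step version beside it.

// VULNERABLE: transferOwnership has no access control, so any address can
// call it and hijack the contract.
contract UnrestrictedOwnable {
    address public owner;
    constructor() { owner = msg.sender; }

    function transferOwnership(address newOwner) external {
        owner = newOwner; // no check on msg.sender
    }
}

// HARDENED: only the current owner may start a transfer, the nominee must
// accept it, the zero address is rejected, and every change emits an event
// so off-chain monitoring can follow ownership changes.
contract RestrictedOwnable {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor() { owner = msg.sender; }

    // Step 1: the current owner nominates a trusted successor.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "new owner is the zero address");
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    // Step 2: the nominee accepts, so a mistyped address cannot lock everyone
    // out; ownership moves only once the new owner proves control of the key.
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "caller is not the pending owner");
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }
}
```

A monitoring rule that alerts on every OwnershipTransferred event from a project's contracts gives reviewers a concrete signal to watch for, which the unrestricted version never produces.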
The Discord Trap: Spotting Red Flags for Web3 Projects
Lack of Moderation: A Discord server that lacks moderation
or has poor moderation practices can be a breeding ground
for spam, phishing scams, and other malicious activities.
Insufficient Security Measures: Discord servers that do not
have two-factor authentication, IP address restrictions, or
other security measures in place can be more vulnerable to
hacking attacks.
Suspicious Activity: If you notice any suspicious activity on
the Discord server, such as excessive spamming, phishing
scams, or the presence of bots, it's important to report it to
the moderators.
Inactive or Dormant Accounts: If a large number of
accounts on the Discord server are inactive or dormant, it
could indicate that the server is being used for malicious
purposes.
Lack of Transparency: If the Discord server does not provide
clear information about the project, its development, and its
security measures, it could indicate that the project is not
legitimate or trustworthy.
By monitoring these red flags and taking action when
necessary, you can help ensure the security and reliability of
your Web3 project and avoid any potential threats and risks.
Top Security Measures to Combat Discord Traps
Verify the authenticity of the Discord server: Before joining
a Discord server, make sure it is an official server created and
run by the project team. Scammers may create fake servers
and impersonate the official team to scam users.
Monitor the communication: Keep an eye on the
communication happening in the server, look for any
suspicious activity and report it immediately to the official
team.
Check the information: Before making any investment
decisions, make sure to double-check the information
shared on the server. Do not blindly trust any information
shared in the server, especially if it is not supported by
official sources.
Be cautious with private messages: Be cautious of private
messages from unknown individuals and do not share any
sensitive information. Scammers may try to get access to
your personal information or trick you into sending them
money.
Monitor the community: Keep an eye on the community
and observe how they interact with each other and the
project team. If you notice any unhealthy behavior or
discussions, report it to the official team.
Keep updated with security alerts: Stay updated with the
latest security alerts and follow the recommended actions
shared by the project team to keep your account and
information secure.
It is always advisable to be vigilant and exercise caution
when using any Discord server related to Web3 projects. The
above measures will help you stay safe and secure while
participating in a Discord server.
Staying Safe in Web3: A Survival Guide for the Digital Wild West
Congratulations! You made it to the end of our report on
Web3 security. But before you go, we have one final piece of
advice for you: how to navigate Web3 safely.
As you explore the world of Web3, keep in mind that the
decentralized nature of this new ecosystem means that the
responsibility for security falls largely on you. Here are a few
tips to help you stay safe:
Educate yourself: Learn about the potential risks and best
practices for Web3 security. Stay up-to-date on the latest
developments and emerging threats in the space.
Use trusted services: Only use services that have been
thoroughly vetted and have a proven track record of security.
Be wary of new, untested platforms and services.
Secure your private keys: Your private keys are the keys to
your digital assets. Make sure to store them in a secure
location, and never share them with anyone.
Use two-factor authentication: Set up two-factor
authentication for all of your Web3 accounts. This provides
an extra layer of protection against unauthorized access.
Be wary of phishing: Phishing attacks are a common tactic
used by cybercriminals to steal sensitive information. Always
double-check the URL and ensure that you are on a
legitimate site before entering any information.
By following these tips and staying vigilant, you can navigate
Web3 safely and with confidence. Happy exploring!
Disclaimer
This report is provided for informational purposes only and
does not constitute financial, legal, or investment advice. The
contents of this report are based on current information
available at the time of writing and may change without
notice.
The report does not make any guarantees or promises about
the accuracy, completeness, or reliability of the information
presented. Readers should perform their own research and
consult with qualified professionals before making any
financial or investment decisions. The authors and
publishers of this report are not responsible for any losses or
damages that may result from the use or misuse of the
information presented in this report.
We’re All Gonna Secure It!
#WAGSI