- Infrastructure weaknesses like leaked private keys were the leading cause of crypto lost from exploits in 2022, accounting for 46.48% of losses.
- Cryptographic issues caused the second greatest amount of crypto losses in 2022 at 20.58%, though weak access control and input validation caused the most incidents.
- Despite the rise of Web3, neglecting traditional Web2 security practices like infrastructure and cryptography can still enable costly exploits even with well-designed smart contracts.
A new report from blockchain security platform Immunefi suggests that nearly half of all crypto lost from Web3 exploits is due to traditional Web2 security issues. The report provides insight into the different categories of vulnerabilities behind crypto exploits.
Immunefi’s Categorization of Web3 Vulnerabilities
Immunefi broke down crypto exploits into three broad categories:
- Smart Contract Design Flaws
- Smart Contract Implementation Bugs
Even well-designed smart contracts can contain bugs in the implementation code that lead to exploits. Immunefi cited the Qbit hack as an example.
- Infrastructure Weaknesses
This refers to issues with the IT infrastructure like private keys, virtual machines, etc. that smart contracts run on. The Ronin bridge hack that involved compromised validator nodes was an example.
Infrastructure Weaknesses: The Leading Cause
Infrastructure weaknesses accounted for 46.48% of crypto lost from exploits in 2022, making it the leading cause. These can stem from leaked private keys, weak encryption, DNS hijacking, hot wallet compromises, and more.
Other Key Vulnerability Types
While infrastructure weaknesses were the top cause of losses, cryptographic issues caused the second greatest amount of losses at 20.58% in 2022. Weak or missing access control and input validation was the top vulnerability type by number of incidents.
The report highlights that despite the growth of Web3, traditional Web2 security practices remain highly relevant. Neglecting these can lead to costly exploits even if smart contracts are well-designed. As the space matures, shoring up infrastructure and cryptographic weaknesses will be key.