In our previous blogs posts we discussed the changing trends of attack techniques. We argued, for example, that attackers have recently started using verified contracts to legitimize their actions. In this post, we present another phenomenon related to the evolving security landscape - a more sophisticated use of attack contracts.
Traditionally, an attack is composed of the following three steps:
Step 1: Fund a new wallet with a mixer
Step 2: Deploy an attack contract
Step 3: Execute the attack
Standard practice, if you can call it that, of an attack usually involve multiple stages - making it more straightforward for current security solutions to detect and alert protocols before financial losses can get worse.
These alerts usually occur after step 2 (as shown above), however, as we learned empirically, even having the attack broken into stages does not guarantee the ability to prevent it; at most, it allows retrospective reporting after it’s already too late to prevent most (if not all) of the damage.
A Growing Trend: Executing Hacks in a Single Transaction
Recently, attackers started to wander off the traditional attack route:
First, since using a mixer is now known to be suspicious, they use easily obtainable stolen wallets.
Second, which is our main focus in this post - attackers combine the attack transaction along with the contract deployment stage. Meaning, the attack contract is deployed in the same transaction as the attack occurs. Consequently, those attacks cannot be early detected at the suspicious contract deployment stage and the attackers are able to execute the hack to complete the hack. Additionally, the fact that this combined transaction is not sent to the mempool most of the time, prevents any ability to alert the attack before it is finalized.
Some examples of a single-step attack:
A well-known example of this method appeared as early as 2022 in the Beanstalk stablecoin hack (in which $180M was lost). In this attack, the attacker ensured to deploy the attack contract in the same transaction where the funds were drawn. Back then, this method was relatively rare.
In contrast, over the past year, this phenomenon has significantly increased, which does not appear to be coincidental. Here are a few examples from 2024:
The first instance of this phenomenon in 2024 occurred on January 4, when Gamma protocol liquidity management was hacked, and incurred damage of $4M. The attacker deployed the attack contract within the attacking transaction, making it unidentifiable beforehand.
Only a few days later, on January 16, 2024, Socket’s Bungee bridge was hacked, resulting in a damage of $3.3M. Here as well, the attack contract was included within the attack private transaction, a combination which makes it unidentifiable and unstoppable for existing security solutions, and more specifically for monitoring solutions.
The phenomenon also repeated on January 30 when abracadabra was attacked and incurred damage of $6.5M.
Subsequently, in March 2024, Unizen protocol was attacked in a similar way for $2M.
Two months later, in May 2024, Woofi was also attacked using the same method, resulting in $8.5M in damages.
A recent example is the UwU Land exploited twice by this method (!) in June 2024. This incident resulted in a damage of $23M...
These examples are just a selection out of a more comprehensive list of protocols hacked using a single step. The increasing number of cases in 2024 illustrates that this is not an isolated or rare occurrence. This demonstrate the changing landscape of hackers and the ability to bypass existing security solutions easily.
What Can Be Done?
How can we mitigate sophisticated attacks?
This trend underscores the importance of robust security practices in Web3 development. Here are some steps forward:
- Extensive Testing: Rigorous internal testing before deployment can help uncover potential issues.
- Thorough Audits: Audits by reputable security firms are crucial in identifying and patching vulnerabilities.
- Community Involvement: Encouraging white-hat hackers and security researchers to participate in bug bounty programs strengthens the protocol's defenses.
- Real-time on chain security: Look for real-time protection tools that can revoke malicious transactions before they cause damage, and by that prevent the attack. Remember, in cases where the attacker executes the hack in a single transaction - which includes the deployment of the malicious contract - post-incident alerts will be useless and will not not be able to prevent the attack.
Conclusions and take aways
In conclusion, web3 hacks executed through a single step (contract deployment included) represent a sophisticated and alarming growing trend in the blockchain ecosystem. These attacks exploit the inherent transparency and immutability of decentralized networks, often leaving significant financial and reputational damage in their wake. As the frequency and complexity of these hacks continue to evolve, it is imperative for developers, security experts, and users to stay vigilant and adopt robust security practices.
Conclusion
Education and awareness are critical in combating these threats. Understanding the mechanics of single-transaction hacks and implementing comprehensive security audits can help mitigate risks. Additionally, leveraging real-time exploit prevention solutions that are not affected by the evasion methods like we mentioned, such as those offered by spherex technologies. By fostering a culture of security and collaboration within the web3 community, we can collectively work towards a safer and more resilient decentralized future.
About the author
Maor has many years of experience in software development, QA, cyber security and more. Before joining SphereX as an analyst, Maor served 10 years in the Israeli intelligence doing software development, QA, research and leading teams, and 4 years in Kayhut as R&D group leader and product management.