Analysis of the SlowMist 2023 Blockchain Security & AML Report

SlowMist
6 min readJan 10, 2024

Last week, we published the ‘SlowMist Blockchain Security and Anti-Money Laundering Annual Report’ for 2023. In the following article , we will divide the report into four articles for interpretation, dissecting the key contents of the report to help readers understand more comprehensively and deeply the key security challenges and opportunities in the current blockchain ecosystem.

This article mainly focuses on the current security landscape of the blockchain ecosystem.

Current Security Landscape

Amidst the global economic unrest influenced by macroeconomic and geopolitical tensions, along with the remnants of various catastrophic events from 2022, the blockchain industry has also suffered incredible turmoil. In the past year, several crypto-friendly banks have collapsed, compounded by a series of security attacks initiated by North Korean hacker group Lazarus Group and various phishing collectives like Wallet Drainers. These incidents have further highlighted the lack of user security awareness and the inadequacy of regulatory policies.

According to statistics from SlowMist’s blockchain hacking incident archive (SlowMist Hacked), there were a total of 464 security incidents in 2023, with losses amounting to $2.486 billion. In comparison, there were 303 incidents in 2022, with losses around $3.777 billion. Although there was a 34.2% decrease in losses year-over-year, the number of security incidents increased by approximately 53.13%. Despite the reduction in losses, the number of security incidents is on the rise.

Next, we will interpret the 2023 blockchain security situation from three aspects: project hacks, blockchains, and cause of incidents.

Project Hacks

In terms of project hacks, DeFi (Decentralized Finance) is the sector with the most security incidents and the greatest losses. The development of DeFi has brought new innovations and opportunities, but it has also led to more potential risks and attack surfaces. Additionally, DeFi projects, due to their significant capital scale and user base, have become attractive targets for hackers.

In 2023, there were a total of 282 DeFi security incidents, accounting for 60.77% of all incidents, with losses amounting to $773 million. Compared to 2022, which saw 183 incidents with losses around $2.075 billion, the losses from DeFi security incidents in 2023, although reduced by 62.73%, saw an increase in incident numbers by 54.64%. This highlights that the DeFi sector still faces severe challenges in preventing and handling security issues.

Losses by Blockchain

From a blockchain perspective, Ethereum, being the preferred platform for numerous smart contracts and decentralized applications, has always been the primary target for hackers. This resulted in the greatest losses of approximately $487 million. Following Ethereum is Polygon, a Layer 2 scaling solution built on Ethereum, which also faces significant security threats. There were six security incidents in the Polygon ecosystem, leading to losses of $123 million. Notably, the non-custodial lending platform BonqDAO and the crypto infrastructure platform AllianceBlock were compromised due to vulnerabilities in BonqDAO’s smart contracts, leading to a loss of around $120 million.

Cause for Incidents

In 2023, there were 117 security incidents caused by project operators absconding, resulting in losses of about $83 million. Among these, the Base ecosystem suffered the highest losses, reaching $32.5 million, followed by the BSC ecosystem with losses of $23.05 million.

Investors often find it difficult to recover losses after project operators abscond. Absconding is a form of active malfeasance by project operators, such as initiating initial liquidity, pumping the price, and then withdrawing liquidity, or leaving backdoor codes in the project.

Cause of Incidents

In 2023, there were 117 security incidents caused by project operators absconding, resulting in losses of about $83 million. Among these, the Base ecosystem suffered the highest losses, reaching $32.5 million, followed by the BSC ecosystem with losses of $23.05 million.

Investors often find it difficult to recover losses after project operators abscond. Absconding is a form of active malfeasance by project operators, such as initiating initial liquidity, pumping the price, and then withdrawing liquidity, or leaving backdoor codes in the project.

There were 57 incidents in 2023 due to contract vulnerabilities, resulting in losses of about $75.82 million. However, the exploitation of contract vulnerabilities often involves tactics like flash loan attacks and price manipulation. In 2023, there were 34 flash loan attacks initiated by hackers, causing losses of about $225 million; price manipulation attacks numbered 14, causing losses of about $140 million.

Contract vulnerabilities usually occur due to insufficient review of the contract code. Continuous auditing of contracts is essential. Furthermore, development teams should adopt the best security practices. Our Security Team has made it publicly available the Smart Contract Security Audit Skill Tree on GitHub, Web3 Project Security Practice Requirements, and Solana Smart Contract Security Best Practices for those interested in reading more.

In 2023, there were 70 incidents of various entity accounts being hacked. With the rapid development of Web3, attacks against users and project operators have become increasingly frequent, especially those targeting media platforms like Discord and Twitter.

Hackers often impersonate administrators after gaining access and post phishing links to induce users to authorize and transfer assets. It’s recommended that project operators use two-factor authentication, set strong passwords, and stay alert to traditional network attacks and social engineering attacks.

According to the SlowMist blockchain hacked incident archive, there were 11 major scams in the blockchain industry in 2023. Among them was the JPEX incident in Hong Kong, which lured investors with the promise of “low risk, high return”. As of December 18, 2023, the Hong Kong police had arrested 66 people and received reports from 2,623 victims, involving about HK$1.6 billion. It is alleged that the JPEX collapse could become the largest financial fraud case in Hong Kong’s history.

Recommendations to Stay Secure

For project:

- Continuously audit smart contracts to ensure the security and stability of the code, preventing contract vulnerabilities.

- Introduce multi-level defense measures in contracts, including permission controls, safety checks, and insurance mechanisms, to minimize the risk of attacks.

- Establish an emergency response mechanism to promptly address attacks and control the extent of losses.

- Adopt security practices such as two-factor authentication and strong passwords to reduce the risk of account breaches.

For individual users, following these safety rules and principles can avoid most risks:

Two Key Safety Rules:

1. Zero Trust: Maintain skepticism at all times.

2. Continuous Verification: Trust needs to be backed by the ability to verify your doubts and turn this into a habit.

Safety Principles:

- Verify online information using at least two sources, cross-checking and maintaining skepticism.

- Diversify your assets — don’t put all your eggs in one basket.

- For wallets holding significant assets, avoid unnecessary updates. If it works, it’s sufficient.

- What you see is what you sign: Ensure that what you’re signing is exactly what you expect, to avoid regret later.

- Pay attention to system security updates and act immediately when they are available.

- Avoid downloading untrustworthy programs.

Recommended readings: Blockchain Dark Forest Self-Guard Handbook.

To download the complete report:

https://www.slowmist.com/report/2023-Blockchain-Security-and-AML-Annual-Report(EN).pdf

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.