Web2 Security Flaws Blamed for Web3 Hacks

  • Web2 security weaknesses are to blame for nearly half of hacks on web3 projects in 2022
  • A new report from Immunefi places infrastructure weaknesses, and not smart contract flaws, as the weak link in securing web3 projects
  • The report excluded incidents where crypto was lost due to manipulation by project developers or users

Blockchain security firm Immunefi has released a new report blaming weaknesses in the web2 world for crypto hacks happening in the web3 space. Immunefi estimates that nearly half (46%) of crypto exploits in 2022 were due to infrastructure weaknesses that saw crypto wallets’ private keys end up in the wrong hands. Excluding crypto lost due to known circumstances such as manipulation from project developers, it observed that only a few crypto hacks were due to genuinely faulty smart contracts.

Exploits Linked to Security Weaknesses

Focusing on exploits linked to security weaknesses, Immunefi noted that issues with computer systems used by web3 developers caused more harm than weaknesses in the projects themselves.

Immunefi found that security vulnerabilities were caused by flaws in smart contract design, code implementation or infrastructure. Of the three, weaknesses in “IT infrastructure” such as private keys and virtual machines caused much of the damage.

The firm said that infrastructure weaknesses have allowed for weak crypto wallet login/recovery, authentication and encryption details, as well as the leaking of private keys. Other factors that made it simple for hackers to infiltrate web3 projects include “cryptographic [and] access control issues.”

Binance Halts BNB Chain

The report cited the hack attempt on the BSC Token Hub bridge, which saw Binance halt its BNB Chain to avoid losses, as an example of a hack fueled by a smart contract design flaw. Immunefi also cited the Ronin network hack as an example of an exploit caused by an infrastructure weakness.

With web2 weaknesses filtering into the web3 world, it remains to be seen whether web3 developers can address weaknesses in the computer systems they use.