The world of Web3 promises innovation, transparency, and decentralization. Yet, it also faces unique challenges, especially in the realm of protocol updates. This blog post explores a phenomenon that, while not new, is often overlooked: the surge in Web3 hacks following protocol updates. This issue deserves the attention of both users and protocol owners, as understanding its root causes can help in crafting more robust defenses against such exploits.
Let's delve into the reasons why updates can present opportunities for attackers:
- New Code, New Vulnerabilities: Updates often introduce fresh code, and within that code, potential vulnerabilities can lurk. Hackers scan these updates meticulously, looking for exploitable weaknesses before anyone else identifies them.
- Misconfiguration Mishap: Updates can sometimes lead to misconfigurations within the protocol itself. This misalignment can create unforeseen loopholes that attackers can leverage to their advantage.
- Opportune Environments: Certain updates, like the creation of a new market, might unintentionally offer attackers a new environment perfectly suited for an exploit.
- Spotlight Effect: Updates often bring protocols back into the public eye. This increased attention can attract malicious actors who see an opportunity to strike while the iron is hot.
Some examples of post-update hacks:
The following are just a few documented cases where hacks followed protocol updates:
- WildCredit: On May 27, 2021, the lending protocol WildCredit on the Ethereum chain was exploited for ~$650k, just 4 days after an update.
- Beanstalk: A permissionless fiat stablecoin protocol that was the victim of a whopping $181M hack on April 17, 2022. The attack on the Ethereum chain happened only 15 days after an update.
- Ulme: On October 25, 2022, the Ulme Token was attacked by a hacker just 6 days after a new contract was deployed. More than $50K was lost.
- Sheep Farm: An investment blockchain game that was hacked on November 15, 2022 for $72K. The attack happened 6 days after an update and was caused by an incorrect registration implementation.
- SushiSwap: A popular decentralized exchange that faced an exploit on April 9, 2023, in which $3.3M was lost. The attack on Ethereum happened only 4 days after a new routing contract was launched.
- Level Finance: On May 1, 2023, just two weeks after a significant update, Level Finance—a decentralized liquidity marketplace—suffered an attack. The update involved the deployment of the LevelReferralControllerV2 contract, which unfortunately contained a business logic flaw and incorrect calculations. These vulnerabilities were exploited, resulting in a loss of $1.1 million.
- Radiant: On January 2, 2024, the Radiant Protocol, deployed on Arbitrum, suffered the theft of approximately $4.5M. The attacker took advantage of a new market launch, striking only 15 seconds after it went live.
- Gamma: Gamma suffered a loss of over $6.3M on January 4, 2024 due to a price manipulation vulnerability. The attack occurred 23 days after a new Hypervisor contract of Gamma Strategies was added.
- Pike Finance: On April 30, 2024, Pike Finance was attacked due to an uninitialized proxy vulnerability. This flaw, introduced during an update that followed another hack just four days earlier, led to a total loss of over $1.4 million. The breach allowed the attacker to exploit the initialize function and add his address to the _isActive variable.
- Dough Finance: On July 12, 2024, Dough Finance was exploited for ~$1.8M. The root cause for the attack was due to unvalidated input in the ConnectorDeleverageParaswap contract, which was deployed less than one month prior to the attack.
- RES, DFX, GPU, Shido, Predy Finance and numerous other protocols also experienced an attack after going through an upgrade.
What Can Be Done?
This trend underscores the importance of robust security practices in Web3 development. Here are some steps forward:
- Extensive Testing: Rigorous internal testing before deployment can help uncover potential issues.
- Thorough Audits: Pre- and post-update audits by reputable security firms are crucial in identifying and patching vulnerabilities.
- Community Involvement: Encouraging white-hat hackers and security researchers to participate in bug bounty programs strengthens the protocol's defenses.
- Transparency is Key: Clear communication about updates, potential risks, and mitigation strategies builds user trust.
- Real-time on-chain security: Look for real-time protection tools that can revoke malicious transactions before they cause damage, thereby preventing the attack.
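To make two of the points above concrete (the uninitialized-proxy flaw in the Pike Finance item, and the "Extensive Testing" step), here is an added Solidity example. It is not code from the original post, from Pike Finance, or from SphereX. It contrasts a minimal implementation whose initialize function has no guard with a hardened version built on OpenZeppelin's upgradeable Initializable and OwnableUpgradeable (v5 API) and locked with _disableInitializers(), followed by a Foundry test that deploys the hardened contract behind an ERC1967Proxy and asserts that neither the raw implementation nor the proxy can be initialized a second time. The contract names, the operator list, and the _isActive mapping (borrowed as a name from the text above) are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not any protocol's production code. Dependencies assumed:
// OpenZeppelin contracts / contracts-upgradeable v5 and forge-std (Foundry).
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
import {Test} from "forge-std/Test.sol";

// --- Vulnerable shape (constructed example, do not deploy) ---
// The `initialize` name and `_isActive` mapping echo the wording in the post;
// the body is a minimal stand-in for a vault that gates withdrawals on it.
contract VaultVulnerable {
    address public owner;
    mapping(address => bool) internal _isActive;

    event Withdraw(address token, address to, uint256 amount);

    // No guard: if an upgrade path never ran this, or ran it without locking it,
    // any caller can invoke it and register themselves as an active operator.
    function initialize(address[] calldata operators) external {
        owner = msg.sender;
        for (uint256 i = 0; i < operators.length; i++) {
            _isActive[operators[i]] = true;
        }
    }

    function withdraw(address token, address to, uint256 amount) external {
        require(_isActive[msg.sender], "not active");
        emit Withdraw(token, to, amount); // transfer logic omitted for brevity
    }
}

// --- Hardened shape ---
contract VaultHardened is Initializable, OwnableUpgradeable {
    mapping(address => bool) internal _isActive;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation contract itself: it can never be initialized
        // directly, only a proxy delegating to it can.
        _disableInitializers();
    }

    // `initializer` allows exactly one successful call per proxy.
    function initialize(address initialOwner, address[] calldata operators) external initializer {
        __Ownable_init(initialOwner);
        for (uint256 i = 0; i < operators.length; i++) {
            _isActive[operators[i]] = true;
        }
    }

    // Later changes to the operator set go through an owner-only path, never init.
    function setActive(address operator, bool active) external onlyOwner {
        _isActive[operator] = active;
    }

    function isActive(address operator) external view returns (bool) {
        return _isActive[operator];
    }

    // A future upgrade that adds state uses a versioned re-initializer, so the
    // V2 setup can also run only once and only at the intended version.
    function initializeV2() external reinitializer(2) {
        // new-state setup for the upgraded version goes here
    }
}

// --- Pre-deployment test (Foundry) covering the "Extensive Testing" step ---
contract VaultInitTest is Test {
    function _ops() internal pure returns (address[] memory ops) {
        ops = new address[](1);
        ops[0] = address(0xBEEF); // constructed operator address
    }

    // The raw implementation must refuse initialization outright.
    function testImplementationCannotBeInitialized() public {
        VaultHardened impl = new VaultHardened();
        vm.expectRevert(Initializable.InvalidInitialization.selector);
        impl.initialize(address(this), _ops());
    }

    // Behind a proxy, initialize works once and then reverts for everyone.
    function testProxyInitializesOnlyOnce() public {
        VaultHardened impl = new VaultHardened();
        bytes memory data = abi.encodeCall(VaultHardened.initialize, (address(this), _ops()));
        VaultHardened vault = VaultHardened(address(new ERC1967Proxy(address(impl), data)));

        assertEq(vault.owner(), address(this));
        assertTrue(vault.isActive(address(0xBEEF)));

        vm.expectRevert(Initializable.InvalidInitialization.selector);
        vault.initialize(address(0xBAD), _ops());
    }
}
```

Run with `forge test` in a Foundry project that has the two OpenZeppelin packages installed. The two tests are the kind of regression check that belongs in the suite before every upgrade: they fail loudly if someone removes the constructor lock or the `initializer` modifier, which is exactly the class of change that turns a routine update into an uninitialized-proxy incident.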
Safe update process using spherexProtect
spherexProtect is an on-chain tool that can identify and stop malicious transactions before they are finalized, while maintaining the contract’s continuity. This is done by integrating the spherex solution into the protocol’s own code. This seamless integration then provides observability into the state of the protocol during each step of the transaction execution. The process is even easier for upgradable contracts, as the integration is done on the proxy contracts, leaving the implementation contracts untouched.
When a contract is updated (leading to a behavior change), spherexProtect can detect and inspect the behaviors the update enables during development, using existing tests or a short run on a testnet. These practices are standard during smart contract development. Due to the integrated nature of our solution, we allow the owner of the protocol to inspect any new behavior and approve it in advance, before deployment to production chains.
Conclusion
By acknowledging this trend and taking preventative measures, both users and protocol owners can work together to create a more secure Web3 ecosystem.
Remember:
Users: Be cautious when interacting with recently updated protocols. Do your research and understand the changes before committing your funds.
Protocol owners: Security is paramount. Invest in robust security practices and prioritize the safety of your users' assets.
Together, we can build a stronger future for Web3, one in which innovation thrives alongside robust security.
About the author
Chen has an M.Sc. in Software and Information Systems Engineering from Ben Gurion University. She worked for several years as a data scientist and researcher on projects in both the cyber and financial industries before joining spherex’s research team.