Security is becoming a concern once again, as DeFi protocols and Web3 projects have grown their liquidity. More complex decentralized systems open new possibilities for attacks and exploits.
Several high-profile protocols will fund research and events for Web3 security, which also affects DeFi protocols. Among them is MakerDAO, with a direct investment into SherlockDeFi, a firm specializing in the security of decentralized protocols.
In the case of Sherlock, the organization offers multiple targeted challenges for auditing DEXs and other apps. The MakerDAO challenge is the biggest so far, with a bounty 10X the size of the usual SherlockDeFi pool.
Sherlock has worked with established Web3 security experts, and has closed 167 audit events so far. Sherlock’s audits claim to have prevented 383 critical bugs, caught before mainnet launches for multiple projects.
It is shaping up to be a Web3 security summer.
– @CodeHawks is bringing a new competition every week in July
– @MakerDAO $1.35 million on @sherlockdefi
– @immunefi is hosting a million dollar attackathon
— funk-or-naut (@funkornaut) June 27, 2024
Exploits accelerate, leading to Web3 security summer
In June alone, the crypto world witnessed two high-profile exploits: UwU Lend, which lost $20M through a smart contract exploit, and Kraken's $3M "ethical hack" by CertiK. The Velocore exchange also lost $6.8M in attacks against its zkSync and Linea pools. Over the month, ImmuneFi recorded 12 incidents, which took away as much as $78M.
According to ImmuneFi, Q2 arrived with $509M in exploits, a 91% increase compared to the same period of 2023. Exploits and hacks slowed down during bear markets, but immediately grew as DeFi increased its holdings. In 2024, there were a smaller number of hacks, but more carefully targeted to specific protocols and their weaknesses.
DeFi has grown in complexity, spreading to several L2 chains. Bridges, smart contracts and wrapped assets open the door to exploits. The other big source of theft is MEV attacks, or sandwich attacks, which front-run DEX traders.
ZachXBT, a high-profile researcher of blockchain exploits, recently exposed a MEV attacker.
As an update I am pleased to share that Robert Robb aka @pokerbrat2019 just pleaded guilty on Friday for his MEV bot investment fraud scheme and now faces up to 20 years in prison.
In December 2023 I made a post detailing 11+ investors who were victimized and revealed his… https://t.co/1Sdj7B2pUJ pic.twitter.com/zHYc4jzPBa
— ZachXBT (@zachxbt) June 24, 2024
Solana and Jito DAO also aim to slow down MEV activity and let retail traders post orders that will not be front-run.
The other big class of attacks and exploits against Web3 users includes attempts to drain individual wallets. Funds can be taken from wallets by injecting fake addresses, through malicious smart contracts, or through fake NFT purchase links.
Competitions and bounties draw in Web3 developers
ImmuneFi is also offering both remote and in-person challenges for security experts. ImmuneFi made a call to developers for a live event in Brussels, held during a general DeFi security event. ImmuneFi has established itself as one of the go-to platforms for new paid opportunities and ethical hacking.
The launch of multiple new Web3 and DeFi protocols helped ImmuneFi draw in more ethical hackers. In June, the aggregator reached a milestone with $100M paid out to bug hunters.
ImmuneFi set up a bounty of up to $5,000, available during the July 8 challenge in Brussels. ImmuneFi is also constantly aggregating bounty and test opportunities for security experts. The platform brings bounties of all scales, covering both niche smart contracts and large protocols.
One of the biggest bounties in the DeFi space is that of Morpho, an aggregator of lending pools. Morpho aims to protect $1.85B in value locked, which recently reached an all-time high. For that reason, Morpho expanded its bug bounty vault to $2.5M. Morpho made a direct call to test the specific smart contracts that form the backbone of its activity.
The new maximum bounties for Morpho's smart contracts:
Morpho Blue: $2.5M
Morpho Blue periphery contracts: $1.5M
MetaMorpho: $1.5M
Morpho Optimizers: $555k
Learn more about the bounty on @immunefi 👇 https://t.co/YqWxwIzQea
— Morpho Labs 🦋 (@MorphoLabs) June 27, 2024
According to CertiK, almost all Web3 protocols still contain undiscovered risks. CertiK's standards rank the Wemix wallet and ecosystem as the safest possible in Web3.
Additionally, the summer of 2024 brought a near-constant wave of new tokens. Now, DEXs, wallets and other services are trying to build whitelists and quickly flag potentially risky tokens and rug-pulls.
The Code Hawks event will start with TempleDAO, from July 4. Each week in July, a new competition will open with a bounty for a different platform. The TempleDAO audit will have a prize pool of 25,000 USDC for successful bug hunters. Code Hawks aims to continue involving big protocols, while building a leaderboard of the best bug hunters.
Cryptopolitan reporting by Hristina Vasileva