Ongoing Fight Against DeFi Hacks

Intro

Smart contract auditing has evolved alongside the technology itself, with the first practical applications emerging on Ethereum around 2013. As the popularity of smart contracts grew, the frequency of hacks targeting them also increased.

This, in turn, highlighted the need for auditing contracts to identify vulnerabilities that could lead to fund theft.

Turning Point

In June 2016, one of the first major thefts in the history of smart contracts occurred. A hacker identified a weakness in The DAO's code, allowing them to steal $60 million through a reentrancy attack.

This incident highlighted the critical need for thorough smart contract audits.

Source: https://www.coindesk.com/consensus-magazine/2023/05/09/coindesk-turns-10-how-the-dao-hack-changed-ethereum-and-crypto/

The Rise of Exploits

Since then, the number of hacks has been steadily growing, posing a serious financial threat and resulting in multi-billion dollar losses.

2022 was a record year for stolen funds, with $3.7 billion lost. Interestingly, 2023 saw a decline in stolen funds. The amount dropped by 54.3%, reaching $1.7 billion compared to the previous year. This positive trend can be attributed to a combination of factors, such as increased security measures and decreased activity in the DeFi sector.

Source: https://www.chainalysis.com/

However, an analysis of the chart shows that hacks of centralized services account for a significant share of all attacks and have been rising steadily since 2021. There have been several major attacks, including CoinEx ($54 million), Poloniex Exchange ($126 million), and HTX ($8 million).

Source: https://www.chainalysis.com/

Despite an overall decrease in hacks in 2023, there is a worrying trend of increasing incidents involving DeFi protocols. These attacks often exploit smart contracts that were either not audited or underwent poor quality checks.

Among the most significant hacking incidents are Euler Finance ($197 million), Multichain ($126 million), and Curve ($69 million).

Evolving Attack Vectors

Massive losses from hacks are driven by a combination of on-chain and off-chain vulnerabilities.

In 2023, price manipulation remained the most common type of attack, as seen in the case of the Zunami Protocol. However, a sharp increase in attacks involving private key compromise is a new and concerning trend. The Mixin Network hack serves as a stark example.

Source: https://www.chainalysis.com/

The rise in hacks involving private key leaks underscores the need for DeFi operators to not only enhance smart contract security but also pay close attention to off-blockchain aspects.

Fight Against Vulnerabilities

Despite the high level of malicious activity, the Web3 community is actively working to improve and secure this decentralized space.

Security companies and competitive audit platforms play a crucial role in this process. They not only identify and fix vulnerabilities in DeFi protocols but also train other auditors, thereby raising the overall level of security.

One of the leaders in this field is the Code4rena platform. By 2023, it had provided over 8,000 reports, helping developers and other specialists understand different types of vulnerabilities and improve the security of their projects.

Source: https://solodit.xyz/

Smart contract auditing saw slow development from 2016 to 2019. The number of audited protocols and vulnerabilities found was low, reflecting limited market activity.

The first significant jump occurred in 2020. From that point on, the number of audited smart contracts increased sharply, coinciding with the boom in DeFi projects. By 2023, the growth in the number of vulnerabilities found was 476%, indicating a steady increase in smart contract complexity.

Over the entire period from 2016 to 2023, the number of issues found increased by 19,642%.

Source: https://solodit.xyz/

The audit process covers various types of protocols, which can be divided into categories. It's worth noting that auditors find the most vulnerabilities in DEXes. CDP (Collateralized Debt Position) takes second place in terms of the number of issues found.

This is not surprising, as DEXes remain one of the most attractive targets for hackers. Examples of such hacks in 2023 include the high-profile cases of OKX ($2.7 million) and Merlin ($1.8 million).

Source: https://solodit.xyz/

The discovered issues are classified into the categories shown in the graph. The results show that over 42% of vulnerabilities are classified as low severity (LOW). However, about 16.76% of vulnerabilities are high severity (HIGH), which emphasizes the need for proactive security measures.

Source: https://solodit.xyz/

To ensure comprehensive security, a protocol undergoes multiple stages of verification. The first stage is a classic audit conducted by a specialized company. The second stage involves participation in competitive audits, where rewards are offered for finding vulnerabilities.

Multi-stage verification allows for the detection of a wide range of problems. It is thanks to this that the Astaria fixed-rate lending protocol ranked first in terms of the number of issues found, having passed competitive audits on the Sherlock and Code4rena platforms, as well as an audit by Spearbit.

Source: https://solodit.xyz/

Astaria is constantly evolving and has an active community. This indicates that the developers are improving the protocol and working to eliminate weaknesses in the code.

Language Matters?

The choice of programming language for a smart contract plays an important role. The inherent flaws of a particular language can make the code prone to certain vulnerabilities, which require careful analysis and additional attention.

Solidity, the native smart contract language for Ethereum, maintains its dominant position in the market. Backed by a strong and active community, Solidity smart contracts have a total value locked of a staggering $84.142 billion by the end of 2023. While Vyper initially held promise, Rust has seen a significant surge in popularity, securing the number two spot with a TVL of around $2.28 billion by year's end. This impressive rise can likely be attributed to Rust's unique ability to balance power and flexibility.

Source: https://defillama.com/languages

The year 2024 has further solidified this trend with a notable increase in audits focused on Rust-based protocols. This growing interest from security firms suggests a rising user base for Rust and potentially positions it as a strong competitor to Solidity's dominance in the coming years.

Summary

In this article, we analyzed the annual statistics on hacks and vulnerabilities found during smart contract audits. The data analysis demonstrates the urgent need for the community to make significant efforts to ensure maximum security in the decentralized space.
