2022 Global Web3 Industry Security Research Report(part 1)

10 min readJan 10


0x01 Report Summary

1, 2022, the global Web3 industry cryptocurrency total market value of up to 2.4 trillion U.S. dollars, affected by the industry bursts of lightning events, compared to last year’s highest total market value of 2.97 trillion U.S. dollars, this year has declined, but the overall size of the number of assets is expanding.
2. According to Lunaray Technology data, there were 306 security incidents in 2022, with a cumulative loss of US$10.1 billion. Compared with 2021, there were 64 new Web3 security incidents this year, an increase of 26% year-on-year.
3, Web3 six major tracks: public chain, cross-chain bridge, wallet, exchange, NFT, DeFi a total of 136 security incidents, resulting in losses of over $4.021 billion. In addition, emerging areas such as GameFi and DAO became the object of frequent hacker disturbance, with constant fraud and runaway incidents and serious losses.
4, 2022 losses of more than $100 million in typical security incidents a total loss of $2.845 billion, accounting for 28% of the total amount of losses in 2022. Among the typical representatives are: Poly Network, a cross-chain interoperability protocol, with a loss of $625 million; FTX, an exchange, with a loss of $600 million; and Solona eco-wallet, with a loss of $580 million.
5, 2022, the global Web3 security incident attack types are diverse, from the number of security incidents, typical attack types Top5 are: hacking, asset theft, security vulnerabilities, private key theft, phishing attacks. In terms of loss amount, the typical attack types Top5 are: asset theft, hacking, private key theft, price manipulation, and lightning loan attack.
6. The most representative regulatory case of the year is: the Office of Foreign Assets Control (OFAC) under the U.S. Treasury Department imposed sanctions on the Tornado Cash agreement, prohibiting U.S. entities or individuals from using the Tornado Cash service. According to the U.S. Treasury Department disclosure, Tornado Cash has helped launder over $7 billion since its inception in 2019.

1.1.1 Overview of Web3 Industry Ecology

Web3 refers to a new generation of networks based on encryption technology, which integrates various technologies and ideas such as blockchain technology, tokenomics, decentralized organizations, and game theory. It was proposed by Gavin Wood, the co-founder of Ethereum, in 2014. Web3 is built on the basis of blockchain. Since 2008, blockchain technology has been developed for more than 14 years. The outbreak of the Web3 industry in 2022 is inseparable from the accumulation of years of development of the blockchain industry.

Looking at the Web3 ecosystem from the perspective of users, it can be divided into basic layer, application layer and third-party services. The base layer is mainly based on chains such as public chains, cross-chain bridges, and Consortium Blockchain, providing network infrastructure for Web3; the application layer is mainly based on APP (centralized application programs) and DAPP (decentralized application programs), users commonly use Applications to interact with, including trading platforms, wallets, DeFi, NFT, GameFi, DAO, storage and social software, etc. The basic layer and application layer promote the prosperity of the Web3 ecosystem, but also bring huge security risks to Web3. The service ecology is a third party in the Web3 industry, in which media, education incubation and investment institutions provide assistance to the industry, and security service organizations such as Zero Time Technology are an indispensable part of escorting Web3 security.

1.1.2 Global Web3 Security Situation in 2022

As of December 2022, according to coinmarketcap statistics, the total market value of cryptocurrencies in the global Web3 industry reached 2.4 trillion U.S. dollars at its peak, which has declined this year compared to last year’s highest total market value of 2.97 trillion U.S. dollars. Although the total market capitalization fluctuates, the overall asset size is constantly expanding. Due to the fast pace of industry innovation, weak security awareness of users, unimproved supervision, and prominent security issues, Web3 is becoming a “cash machine” for hackers.

Among the six main tracks of the global Web3 ecology in 2022: 10 security incidents occurred on the public chain, with a total loss of about 157 million U.S. dollars; 14 security incidents occurred on cross-chain bridges, with a total loss of 1.338 billion U.S. dollars; The loss was 1.192 billion US dollars; there were 25 security incidents in the wallet, with a total loss of 693 million US dollars; 25 security incidents in DeFi, with a total loss of 593 million US dollars; 44 security incidents in NFT, with a loss of over 42.56 million US dollars.

NFT has the most security incidents, inseparable from becominga popular track sought after by the industry in 2022. On the other hand, due to the increase in the number of people entering the Web3 industry, wallets and DeFi have become the hardest-hit areas for security incidents. In terms of the number of losses, the cross-chain bridge ranked first and suffered the most losses.

In 2022, from the perspective of the number of security incidents occurring on the global Web3, the top 5 typical attack types are: hacker attacks, accounting for 37%; asset theft, accounting for 19%; security breaches, accounting for 13%; private key theft, accounting for 9%; phishing attacks, accounting for 7%.

In terms of the loss amount, the top 5 typical attack types of global Web3 security incidents are: asset theft, a loss amount is 5.581 billion US dollars; hacker attack, loss amount is 3.029 billion US dollars; private key theft, loss amount is 1.25 billion US dollars; price manipulation, loss amount The amount is 232 million US dollars; flash loan attack, the loss amount is 137 million US dollars.

It is worth noting that many security incidents that occurred in 2022 were not only attacked by one kind of attack; some incidents may have stolen assets, private key theft, hacking, private key leakage and security breaches at the same time.

1.2 Overview of Global Web3 Regulatory Policies and Standards

From the perspective of the overall regulatory policy on Web3, investor protection and anti-money laundering (AML) are the global consensus, and the acceptance and supervision of cryptocurrency exchanges vary greatly from country to country. Members of the U.S. Congress proposed “to ensure that Web3 takes place in the United States”, which is accelerating regulatory innovation; the policies of EU countries are relatively clear and positive; Japan, Singapore, and South Korea are affected by the 2022 thunderstorm incident, and their supervision has become stricter; mainland China still encourages the application of blockchain technology , strictly prohibit financial institutions and payment organizations from participating in cryptocurrency transactions and illegal fundraising, and increase the crackdown on cryptocurrency crimes. Hong Kong, China fully supports the development of virtual assets and implements a licensing system; the United Arab Emirates is the most active in the world, embracing encrypted currency assets. The world is in a state of regulatory exploration for NFT, stable currency, DeFi, asset agreement and DAO fields.

1.3 Research Methods and Tools

The tools used in this report are mainly.
1) Intelligence database based on artificial intelligence and big data analysis technology
Lunaray Security collects data sources in real time including: dark web platforms, honeypot networks, and all contents of global blockchain ecological links, and extracts accurate data from huge big data sets through mining, analysis and integration of massive data, combined with artificial intelligence technology.

2)Automatic identification of KYC&KYT tag library
Zero2IPO’s tag library automatically identifies entities behind digital currencies and associated intelligence through massive threat intelligence correlation analysis, builds rich KYC & KYT data portraits according to the situation, and performs risk warning on transactions to enhance analysis efficiency.

3)Blockchain Traceability System
Zero2IPO blockchain traceability system automatically identifies risky transactions and risky funds and conducts early warning through automated on-chain traceability and real-time monitoring, combined with learning algorithms, and rapid analysis of suspicious addresses and suspicious transactions, together with threat intelligence system and marked address database. It can accurately identify risky transactions and risky funds, and lock the responding address entity to which the funds flow, and generate credible traceability reports.

4)Blockchain Security Threat Intelligence Center
This intelligence center automatically classifies the acquired blockchain security-related information through data collection and analysis combined with its own security event analysis model, identifies data change trends, high-frequency words, geographical distribution and other dimensions and visualizes them. The system exists in various forms, such as platform, applet and API interface, and can be subscribed and custom developed for users and partners to meet the long-term monitoring needs of specific fields, specific topics and key information customization.

0x02 Status of each ecological security of Web3 in 2022

Web3 is a relatively special industry, the most prominent feature of which is that it involves the management of a large number of digital crypto assets, which are often in the tens of millions of millions of assets on the chain, and the rights are confirmed through a unique private key, and whoever holds this private key is the owner of the assets. If a certain application or protocol in the ecology is hacked, it may cause huge losses. With the rapid development of the ecology, various new attack techniques and fraudulent means are emerging, and the whole industry is playing forward at the edge of security. Lunaray security team has observed and counted the types of attacks that exist on Web3. Currently, there are mainly the following types of attacks that pose threats to Web3 security: APT attacks, social worker phishing, supply chain attacks, lightning loan attacks, smart contract attacks, web-side vulnerability attacks, zero-day (0day) vulnerabilities, and network frauds.

Next, we will analyze the current security situation of each Web3 ecology in 2022, interpret the attacks, and give corresponding security measures suggestions for each ecology from the perspective of infrastructure public chains and cross-chain bridges, representatives of application-side APP and DAPP: trading platforms, wallets, DeFi, NFT, regulatory-heavy anti-money laundering, and web3 security education.

2.1 Public Chain Security

Public chain is the infrastructure of the Web3 industry, bearing the protocol, application and asset bookkeeping of the whole industry. With the industry’s strong demand for public chain performance, interoperability, compatibility and expansion, the development of multiple chains bursts into strong momentum, and the security issue, can’t be delayed.

According to the incomplete statistics of Lunaray Security, as of December 2022, there are 152 public chains at present. In terms of the number of public chain ecological applications, according to root data, Ethereum, with 1275 applications, Polygon, with 767 applications, and BNB Chian, with 704 applications, are firmly in the top three, with new public chains such as Avalanche, Solana, and Arbitrum following closely behind showing a rapid growth trend.

2.1.5 Public Chain Security Risks and Measures Suggestions

Lunaray security team analyzes that public chain security risks mainly come from the following three points.
1) Technical complexity: there are many technical fields involved and many security risk points.
2) Developer uncertainty: The code is written by developers, and the process is inevitably flawed.
3) Open source vulnerability transparency: public chain code is open source, and it is more convenient for hackers to discover vulnerabilities.

Lunaray security team recommends the following three points for public chain security.
1) Before the main web goes online, for each risk point of public chain, rich security mechanisms need to be set up.
In terms of P2P and RPC, attention needs to be paid to hijacking attacks, denial of service attacks, misconfiguration of permissions, etc.
In consensus algorithm and encryption, attention needs to be paid to 51% attack, length extension attack, etc.
In terms of transaction security, attention should be paid to fake top-up attacks, transaction replay attacks, malicious backdoors, etc.
In terms of wallet security, attention should be paid to the security management of private keys, security monitoring of assets, security risk control of transactions, etc.
In terms of staff related to public chain projects, they need to have good security awareness, office security, development security and other common sense.
2) Conduct source code and smart contract audits to ensure that the principle and obvious loopholes are closed.
Source code audit can be full amount of code or partial modules. Zero2IPO security team has a complete set of security testing standards for public chain, using manual + tool strategy for security testing of target code, using open source or commercial code scanners to check code quality, combined with manual security audit, and security vulnerability verification. All popular languages are supported, e.g. C/C++/C#/Golang/Rust/Java/Nodejs/Python.
3) Real-time security detection and early warning of system risks after the main web goes online.
4) After a hacking incident, timely identify the problem through traceability analysis to reduce the possibility of future attacks; rapidly source tracking to monitor the flow of losses and retrieve assets as much as possible.

2.2 Cross-chain bridge — a new cash machine for hackers

Cross-chain bridges, also known as blockchain bridges, connect two blockchains and allow users to send cryptocurrency from one chain to the other. Cross-chain bridges operate across chains by enabling token transfers, smart contracts and data exchanges, and other feedback and instructions between two separate platforms for funding.

As of December 2022, the total locked-in value (TVL) of major cross-chain bridges in Ethereum is approximately $5.56 billion, according to Dune Analytics data. The current highest TVL is Polygon Bridges at $2.949 billion, followed by Aritrum Bridges at $1.206 billion and Optimism Bridges in third place at $834 million.

In 2022, the top 5 cross-chain bridges with security incident losses are: Ronin, Wormhole, Nomad, Harmony (Horizon), and QBridge, with losses of US$615 million, US$320 million, US$190 million, US$100 million and US$80 million respectively Dollar.

Top 5 cross-bridge hack incidents

Stay tuned for the part 2




Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.