Real-World Examples of dApps, Lessons Learned & Strategies for Protecting Every Layer

dApps, like traditional Web2 applications, face numerous security threats. Understanding these threats helps identify potential attackers and mitigate risks. Web3 attacks share common vectors with Web2 despite differing objectives. The figure below illustrates the differences in protection between Web2 and Web3 applications.

In general, Web3 applications can be divided into three parts, each requiring distinct protection measures:

• Clients (frontend)
• API layers
• Blockchain nodes and bridges

Additionally, securely integrating and developing these components involves robust DevOps and cloud security policies.

Client-Layer Protections and Cases

Client-layer applications include web applications, mobile apps, extensions, and less common clients like chatbots and other services. Key security concerns include:

• Private Key Storage and Authentication: Secure storage and authentication of private keys are crucial. Automated phishing attacks often target server wallets. If private keys are stored insecurely, hackers can extract and misuse them. For example, the Atomic Wallet breach highlights the risks of insecure layers.
• Secure Mnemonic Phrase Recovery: The mnemonic phrase recovery process should be well-protected to prevent bot attacks. Using a significant number of words (24 or more) and avoiding clear-text storage are recommended practices.
• Mobile Device Protection: Ensure pinned certificates for secure communication and verify device privileges (e.g., detecting JailBreak on iOS or root mode on Android). Additionally, logs should not contain private keys or session tokens to prevent extraction during debug mode.

Check out this article: Manual for Static Analysis of Android Applications. 

Basic Protection for Web Applications and Extensions

Client developers must also guard against XSS, Clickjacking, and open redirect attacks. Control the storage of private keys and mnemonic phrases and validate security using resources like the OWASP Testing Guide.

For further reading, see:

• dApp Security: A Proactive Guide To Building Secure Decentralized Applications
• Wallet Security: Best Practices For Keeping Your Crypto Safe
• Hacken Research: How Safe is Your NFT Wallet?

API Layers Protections and Cases

In the context of Web3 architecture, the API layer is an interface that facilitates communication between the decentralized application and blockchain networks, enabling seamless interaction with smart contracts and external services.

API layers generally have more mature security measures, as outlined in the OWASP API Security Top 10. However, decentralized applications need continuous review. Key considerations include:

• Preventing Reentry Attacks: Block certain smart contract functions during processing to prevent reentry attacks.
• Proper API Logging: Ensure API logs are collected appropriately for audit purposes in case of attacks or failures.

Crypto Hacks Exploiting API Layer Vulnerabilities

Two significant cases highlight API vulnerabilities:

• Coinbase BOLA: On February 11, 2022, a Broken Object Level Authorization (BOLA) vulnerability was found in Coinbase’s API, allowing trades with an incompatible source account. The researcher received $250,000 through a bug bounty reward.
• Kronos Research – Broken Authentication: An attacker accessed APIs by discovering their secrets through open ports, leading to unauthorized trading. Kronos Research admitted to an attack involving unauthorized API key access, resulting in a $26M loss.

1/ Since 1:20 am (GMT+8), our team has been working round the clock to minimize the impact and resume trading operations, following a hacking incident that involved unauthorized access to our API Keys. https://t.co/t2cP9s69sZ

— Kronos Research 🟠 (@KronosResearch) November 19, 2023

Blockchain Nodes and Bridges Layers

Blockchain Architecture and Security Concerns

• The infrastructure layer relies on nodes to validate and broadcast transactions. These nodes are critical to maintaining the network’s consensus and can be targeted through various attacks, such as denial-of-service (DoS) and information leakage. Ensuring robust security measures, like strong encryption and distributed nodes, is essential to protect this foundational layer.
• The protocol layer, which includes consensus mechanisms, is prone to attacks like long-range, race, and liveness denial attacks. These can compromise the blockchain’s integrity and disrupt its operations.
• The network layer, responsible for peer-to-peer communication, faces threats like Sybil, eclipse, and eavesdropping attacks. Implementing effective verification mechanisms, increasing node connections, and employing Trusted Execution Environments (TEE) are vital to safeguard these layers.

For detailed information, see:

• Blockchain Security: Common Vulnerabilities and How to Protect Against Them
• Blockchain Architecture Layers: A Comprehensive Guide

Security Risks of Cross-Chain Bridges

Cross-chain bridges, which enable asset transfers between different blockchains, are particularly vulnerable and have been a significant target for hackers. They account for over 50% of the total value lost in DeFi hacks. Common attacks include false deposit events, fake deposits, and validator takeovers. 

Ensuring the security of cross-chain bridges requires thorough code reviews, continuous monitoring, and adopting best practices like penetration testing and bug bounty programs.

For a deep dive into cross-chain operability, see Cross-Chain Bridge Security

Conclusions

The security landscape of dApps is more complex than traditional Web2 applications, with potential issues arising at more levels, from client and API layers to blockchain nodes. Past hacks highlight the need for robust measures at every layer. By learning from these breaches and implementing best practices, the Web3 community can build more secure and resilient dApps, fostering greater trust and adoption.

Follow @hackenclub on 𝕏 (Twitter)