Security Research

Forta illuminates the Web3 Kill Chain

May 4, 2022

This blog post introduces the Web3 Kill Chain and explains how this framework is useful in securing Web3 from a monitoring and incident response perspective. We look at some of the recent hacks, review the alert signals Forta emitted, and show how those alerts could have been used to mitigate the attacks.


In the hacks that happened in 2021/2022, approximately $3 billion in funds have been stolen! To reverse this trend, protocols need to adopt a comprehensive security approach with library usage, audits, penetration testing, as well as bug bounties, monitoring, and incident response.

Forta is a real-time detection network for security & operational monitoring of blockchain activity. Existing security detection bots monitor a broad range of security-related activities with the ultimate goal of mitigating attacks and securing Web3. $45 billion in TVL is monitored by Forta today.

Anatomy of an Attack

Web3 attacks - despite the common belief - are not atomic, but rather are executed in a series of distinct stages:

- Funding: an attacker requires funds to pay gas, execute trades, or use as collateral for borrowing in order to execute the attack. With many centralized exchanges having instituted KYC, attackers often turn to privacy-oriented protocols, like Tornado Cash.

- Preparation: depending on the type of attack, the attacker may need to set up a few things prior to moving to the exploitation stage. For instance, when executing a reentrancy attack, the attacker needs to set up a contract; when executing an ice phishing attack, the attacker needs to trick users into token approvals.

- Exploitation: in this stage, the attacker actually drains the funds from smart contracts or users. The approaches in this stage are broad and can range from logic bugs to flash loans to reentrancy attacks.

- Money Laundering: once the funds have been obtained in the previous stage, an attacker proceeds to launder them so they can actually be used, again turning to privacy-oriented protocols.

As an attacker moves through these stages, confidence that a set of transactions constitutes an attack increases. For example, an account funded by Tornado Cash is in itself a pretty weak signal, but if we observe such funding, then a contract being created that will interact with the protocol, then a transaction that calls the protocol contract numerous times with unusually high gas, and finally large funds being funneled to Tornado Cash, confidence increases.

This increasing confidence opens the door to more automated remediation actions. In the early stages, alerts may simply raise awareness among the protocol and the community at large so they keep a more watchful eye. As the attack progresses through the stages, alerts may trigger manual or automated incident response processes. Finally, after funds have been drained in the exploitation phase and the attacker proceeds to launder their loot, a protocol could institute an overall shutdown to prevent further losses.
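The stage-by-stage escalation described above can be sketched as a small alert correlator. This is an added example, not Forta's code or SDK: the bot names come from the appendix, while the stage mapping, the thresholds, the window size, and the addresses and block numbers are assumptions constructed for illustration.

```python
from collections import defaultdict

# Appendix bot names mapped to kill-chain stages (mapping is an assumption).
BOT_STAGE = {
    "Funded through Tornado Cash": "funding",
    "Suspicious Contract Deployed": "preparation",
    "Ice Phishing Suspicious Token Approvals": "preparation",
    "Reentrancy": "exploitation",
    "High Gas Usage": "exploitation",
    "Money Laundering with Tornado Cash": "money_laundering",
}
WINDOW_BLOCKS = 50_000  # assumed correlation window

def correlate(alerts, now_block, window=WINDOW_BLOCKS):
    """Return {address: set of stages seen within the window}."""
    stages = defaultdict(set)
    for a in alerts:
        stage = BOT_STAGE.get(a["bot"])  # unknown bots are ignored
        if stage and now_block - a["block"] <= window:
            stages[a["address"]].add(stage)
    return dict(stages)

def response(stages):
    """Escalate as more stages are observed (thresholds are assumptions)."""
    if {"exploitation", "money_laundering"} <= stages:
        return "shutdown"
    if len(stages) >= 2:
        return "incident_response"
    return "awareness" if stages else "none"

def replay(alerts):
    """Replay alerts in block order; record each change of response."""
    timeline, last, seen = [], {}, []
    for a in sorted(alerts, key=lambda x: x["block"]):
        seen.append(a)
        r = response(correlate(seen, a["block"]).get(a["address"], set()))
        if last.get(a["address"]) != r:
            last[a["address"]] = r
            timeline.append((a["block"], a["address"], r))
    return timeline

# Constructed sample alerts (placeholder addresses and block numbers).
ALERTS = [
    {"bot": "Funded through Tornado Cash", "address": "0xaaa", "block": 100},
    {"bot": "Funded through Tornado Cash", "address": "0xbbb", "block": 120},
    {"bot": "Suspicious Contract Deployed", "address": "0xaaa", "block": 140},
    {"bot": "High Gas Usage", "address": "0xaaa", "block": 150},
    {"bot": "Money Laundering with Tornado Cash", "address": "0xaaa", "block": 160},
]

if __name__ == "__main__":
    for block, address, action in replay(ALERTS):
        print(block, address, action)
```

The address that is only funded through Tornado Cash stays at the awareness level, while the one that goes on to deploy a contract, use high gas and launder funds escalates at each step.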

The Illumination

Forta is designed to illuminate the entire Web3 Kill Chain through a series of community-created detection bots that identify a broad range of security-related events. These detection bots can be generic or protocol specific. Generic security-relevant bots are bundled and can simply be subscribed to (‘Monitor my contracts’ button) without further action. Protocol-specific bots are developed on an ad hoc basis (see Forta App for how some teams use Forta for monitoring their protocol).

Looking at some of the recent hacks illustrates how Forta illuminates the Web3 Kill Chain:

As the chart illustrates, Forta often illuminated the kill chain prior to funds being extracted from the protocol or users, giving Beanstalk, BadgerDAO and Revest Finance early signals that could have potentially mitigated loss of funds. In the case of the Ronin Bridge, the attack was quite atomic because the attacker obtained keys and could simply issue the withdrawal transactions. However, this attack illustrated that even detection in the latter stage of the attack can be valuable. The attack wasn’t discovered for 6 days, and remaining/newly deposited funds were at risk during this period.

As can be seen from the matrix above, Forta illuminates a significant portion of the Web3 Kill Chain, but further opportunities for illumination exist. Forta is community driven. If you are a developer, data scientist, or a security researcher, join the Forta community and develop detection bots to make Web3 more secure. If you are a protocol, add monitoring and incident response to your security repertoire to protect your users’ funds. Several generic detection bots exist that you can subscribe to today here.

Appendix: Detection Bot References

Suspicious Contract Deployed

Money Laundering with Tornado Cash

Reentrancy

High Value Transaction

High Gas Usage

New Contract Created

Funded through Tornado Cash

Flashbot Usage

Ice Phishing Suspicious Token Approvals

Ice Phishing Transfers 
