上周，我们发布了《 2023 区块链安全与反洗钱年度报告》，接下来我们将把报告分为四篇文章来解读，剖析报告中的关键内容，帮助读者更全面深入地理解当前区块链生态系统中的关键安全挑战和机遇。

本篇主要聚焦区块链生态安全态势。

区块链安全态势

伴随着全球经济在宏观和地缘政治局势紧张的影响及残留的 2022 年各种暴雷事件影响的痕迹，区块链行业也遭受着令人难以置信的动荡。近一年以来，多家对加密货币友好的银行相继倒闭，再加上由朝鲜黑客 Lazarus Group 以及多个钓鱼团伙 Wallet Draines 引发的一系列安全攻击事件，进一步凸显了用户安全意识不足以及监管政策不完善的问题。

根据慢雾区块链被黑事件档案库(SlowMist Hacked) 统计，2023 年安全事件共 464 件，损失高达 24.86 亿美元。对比 2022 年，安全事件共 303 件，损失约 37.77 亿美元，2023 年的损失同比下降 34.2%，安全事件数量同比上升了约 53.13%。尽管损失有所降低，但安全事件的数量却呈上升趋势。

接下来，我们将分别从项目赛道、生态、事件原因三方面来解读 2023 年的区块链安全态势。

项目赛道

从项目赛道来看，DeFi 是发生安全事件最多，损失最大的领域。DeFi 的发展，不仅带来了新的创新和机会，也导致出现了更多的潜在风险和攻击面，而且由于 DeFi 项目存在一定的资金规模和用户基础，也容易成为黑客潜在的攻击目标。

2023 年 DeFi 安全事件共 282 件，占事件总数的 60.77%，损失高达 7.73 亿美元，对比 2022 年（共 183 件，损失约 20.75 亿美元），2023 年 DeFi 安全事件的损失虽然降低了 62.73%，但是事件数量却上升了 54.64%， 凸显 DeFi 领域在防范和处理安全问题上仍然面临严峻挑战。

 （2023 各赛道安全事件分布及损失）

（2022 和 2023 DeFi 安全事件分布及损失对比图）

生态

从生态方面来看，由于 Ethereum 是众多智能合约和去中心化应用的首选平台，因此成为黑客攻击的主要目标，损失最大，达 4.87 亿美元。其次是 Polygon，作为在以太坊上扩展的 Layer 2 解决方案，也面临相当规模的安全威胁，该生态上的 6 起安全事件造成的损失就达 1.23 亿美元，其中非托管借贷平台 BonqDAO 和加密基础设施平台 AllianceBlock 因 BonqDAO 的智能合约漏洞而被黑客攻击，导致损失约 1.2 亿美元。

（2023 各生态安全事件分布及损失）

事件原因

（2023 安全事件手法图）

• 2023 年由于项目方跑路导致的安全事件共 117 起，导致损失约 8300 万美元。其中，Base 生态的损失最高，达 3250 万美元。其次是 BSC 生态，达 2305 万美元。

（2023 各生态跑路事件分布及损失）

投资者在项目方跑路后通常难以追回损失，跑路是项目方主动作恶的一种方式，比如项目方启动初始流动性，推高价格后撤回流动性；比如项目方在项目中留下了后门代码等。

（2023 致损前十跑路事件及损失）

• 2023 年因存在合约漏洞而被攻击的事件有 57 起，导致损失约为 7582 万美元，然而合约漏洞利用往往伴随着闪电贷攻击、价格操纵等手法。2023 年黑客发起的闪电贷攻击就有 34 起，造成约 2.25 亿美元的损失；价格操纵攻击有 14 起，造成的损失约为 1.4 亿美元。

  
  

  Last week, we released the annual report on blockchain security and anti-money laundering. Next, we will divide the report into four articles to interpret and analyze the key contents of the report, so as to help readers understand the key security challenges and opportunities in the current blockchain ecosystem more comprehensively and deeply. This article mainly focuses on the blockchain ecological security situation, which is accompanied by the impact of the global economic tension in macro and geopolitical situations and the traces of the impact of various thunderstorm events in the past year. The blockchain industry is also suffering. Incredible turmoil In the past year, a number of cryptocurrency-friendly banks have closed down one after another, coupled with a series of security attacks triggered by North Korean hackers and a number of fishing gangs, which further highlights the problems of users' lack of security awareness and imperfect regulatory policies. According to the statistics of the slow fog blockchain hacked incident archive, the annual loss of security incidents is as high as $ billion, which is about $ billion lower than that of the previous year. The number of security incidents has increased by about $ billion. There has been a decrease, but the number of security incidents is on the rise. Next, we will interpret the blockchain security situation in 2008 from three aspects: the reasons for the ecological incidents of the project track. From the perspective of the project track, the development of the field with the most security incidents and the greatest losses not only brings new innovations and opportunities, but also leads to more potential risks and attacks. Moreover, due to the existence of a certain fund scale and user base of the project, it is easy to become a potential target for hackers. The loss of the total number of incidents is as high as $100 million, compared with the annual total loss of about $100 million. Although the annual loss of security incidents has decreased, the number of incidents has increased. The prominent areas are still facing severe challenges in preventing and dealing with security issues. The distribution and loss of security incidents in each track and the comparison of the distribution and loss of security incidents have become the main target of hacking attacks because it is the preferred platform for many smart contracts and decentralized applications. The largest loss is $100 million. The solution to expand on the Ethereum also faces considerable security threats. The losses caused by the ecological security incidents amount to hundreds of millions of dollars, of which the unmanaged lending platform and the encrypted infrastructure platform were hacked due to smart contract loopholes, resulting in losses of about hundreds of millions of dollars. The distribution of various ecological security incidents and the causes of the losses are illustrated. In 2000, the security incidents caused by the project party running away caused losses of about 10,000 dollars, of which the ecological loss was the highest of 10,000 dollars, followed by the ecological loss. The distribution and loss of eco-running events amounting to USD 10,000. It is usually difficult for investors to recover the loss after the project party runs away. Running away is a way for the project party to take the initiative to do evil. For example, the project party starts the initial liquidity and pushes up the price, and then withdraws the liquidity. For example, the project party left the back door code in the project, and the top ten running events and the events that were attacked due to the existence of contract loopholes caused losses of about USD 10,000. However, the exploitation of contract loopholes is often accompanied by lightning loan attacks, price manipulation and other methods. The lightning loan attacks launched by hackers caused losses of 比特币今日价格行情网_okx交易所app_永续合约_比特币怎么买卖交易_虚拟币交易所平台

  合约漏洞的发生通常与合约代码的审查不足有关，应对合约进行持续的审计。并且，开发团队应采用最佳的安全开发实践，慢雾安全团队在 Github 上开放了智能合约安全审计技能树(https://github.com/slowmist/SlowMist-Learning-Roadmap-for-Becoming-a-Smart-Contract-Auditor) ；Web3 项目安全实践要求(https://github.com/slowmist/Web3-Project-Security-Practice-Requirements) 和  Solana 智能合约安全最佳实践(https://github.com/slowmist/solana-smart-contract-security-best-practices)，欢迎感兴趣的朋友移步到 Github 上阅读。

• 2023 年，各类主体账号被黑的安全事件达到了 70 起，随着 Web3 的火热发展，针对用户和项目方的攻击层出不穷，尤其是针对 Discord、Twitter 等媒体平台的攻击。

  黑客通常会在获取到管理员或者账户权限后，伪装成管理员身份并发布钓鱼链接，然后诱导用户授权，从而转移资产。建议项目方采用双因素认证、设置强密码等安全操作来保护账号，并警惕各种传统网络攻击和社会工程学攻击。

• 根据慢雾区块链被黑事件档案库(SlowMist Hacked) 统计，2023 年区块链行业出现了 11 起骗局。其中，2023 年香港加密货币骗局 JPEX 事件，以“低风险高回报”招徕投资。截至 2023 年 12 月 18 日，香港警方累计拘捕 66 人，共接获 2623 名受害者报案，涉款约 16 亿港元。据相关说法，JPEX 的暴雷可能成为香港历史上最大的金融欺诈案。

• 

建议

对于项目方来说：

• 应该持续对智能合约进行审计，确保代码的安全性和稳定性，防范合约漏洞的发生；

• 在合约中引入多层次的防御措施，包括权限控制、安全检查和保险机制，以最大程度地降低别攻击的风险；

• 建立紧急响应机制，在攻击发生时能够及时应对，控制损失范围；

• 采用双因素认证、设置强密码等安全操作，降低账号被黑的风险。

对于个人用户来说，遵守以下安全法则及原则，可以避免大部分风险：

• 两大安全法则：

• 零信任。简单来说就是保持怀疑，而且是始终保持怀疑。

• 持续验证。你要相信，你就必须有能力去验证你怀疑的点，并把这种能力养成习惯。

• 安全原则：

• 网络上的知识，凡事都参考至少两个来源的信息，彼此佐证，始终保持怀疑；

• 做好隔离，也就是鸡蛋不要放在一个篮子里；

• 对于存有重要资产的钱包，不做轻易更新，够用就好；

• 所见即所签。即你看到的内容就是你预期要签名的内容，当你签名发出去后，结果就应该 是你预期的，绝不是事后拍断大腿的；

• 重视系统安全更新，有安全更新就立即行动；

• 不乱下程序。

• 推荐阅读并掌握 《区块链黑暗森林自救手册》(https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md)。

完整报告下载：

https://www.slowmist.com/report/2023-Blockchain-Security-and-AML-Annual-Report(CN).pdf