When it comes to web3, we often focus on the security of the smart contracts and the blockchain layer. It has become an industry standard to get your smart contracts and code audited.

The reality is that the Web2 layer within the Web3 ecosystem is also riddled with vulnerabilities, often overlooked during security assessments. While smart contract audits primarily focus on the on-chain components, the off-chain infrastructure — including APIs, frontends, backend servers, and third-party integrations — frequently remains under-audited, exposing the entire system to significant risks.

The following table lists some of the big hacks in which web2 components were compromised to carry out the attack. It excludes the many phishing and private-key compromise incidents. This shows the importance of web2 security.

| Project | Type of Attack | Loss | Reference |
| --- | --- | --- | --- |
| Bybit | Supply-Chain | $1.4 Billion | https://rekt.news/bybit-rekt |
| Vulcan Forged | SQL (Potentially) | $140M | https://x.com/samwcyo/status/1470511220436447232 |
| MyEtherWallet | DNS Hijacking | $150,000 | https://escape.tech/blog/top-5-web3-security-breaches/ |
| BadgerDAO | Cloudflare Hijacking / Script Injection | $120 million | https://rekt.news/badger-rekt |
| KyberSwap | Script Injection | $265,000 | https://blog.kyberswap.com/notice-of-exploit-of-kyberswap-frontend-all-funds-will-be-reimbursed/ |
| Curve Finance | DNS Hijacking | $575,000 | https://rekt.news/curve-finance-rekt |
| Mixin Network | Cloud Database Compromise | $200M | https://rekt.news/mixin-rekt |
| Slope Wallet | Keys Compromise via Sentry | $4.1M | https://ackee.xyz/blog/2022-solana-hacks-explained-slope-wallet/ |
| PreMint NFT | Frontend Compromise via S3 Bucket | $375k | https://www.certik.com/resources/blog/77oaazrsx1mewnraJePYQI-premint-nft-incident-analysis |

In this post, we will look at some of the overlooked web2 vulnerabilities in the web3 realm, and I have prepared a lab for demonstration purposes.

Cache Attacks:

What is Cache?

Caches play an important role in optimising web performance. They allow certain resources to be stored temporarily in order to limit redundant calls to the backend system and to speed up response and delivery times.

There are two types of caches:

1. Private: Generally stored in the browser, it contains elements specific to the user’s session or profile. This type of cache should never be shared, as it may contain sensitive information.

2. Shared: Used to store content common to several users, such as static files and images. It is managed at different levels of the infrastructure, via proxies or at CDNs (Content Distribution Networks).

It's important to note that caches are mainly used for static content.

Before diving into the attacks, let's understand the common Cache-Control directives used in requests and responses.

Common Cache-Control directives used in Requests:

| Directive | Purpose |
| --- | --- |
| no-cache | Force cache revalidation with the origin server before using a cached copy. |
| no-store | Do not store any part of the request or response in the cache (extremely strict). |
| max-age=0 | Request only a fresh version (0 seconds allowed age); forces revalidation. |
| only-if-cached | Only serve from cache; don’t make a network request if not cached. |
| min-fresh=x | Client wants a response that is still fresh for at least x seconds. |
| max-stale=x | Client is willing to accept a stale response, but only if it is no more than x seconds stale. |

The client can use these directives to control the behaviour of its own cache and of intermediate caches. In the following example request, Cache-Control: no-cache tells caches not to use a stored response without first revalidating it with the origin server, ensuring the client gets a fresh or verified copy.

GET /dashboard HTTP/1.1
Host: example.com
Cache-Control: no-cache
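To make the directives in the table above concrete, here is an added example (my own code, not part of the original post or any product mentioned in it) that parses a Cache-Control header and applies the request directives to a stored copy, deciding whether a cache may serve it, must revalidate, or must go to the origin. It also covers the private/shared distinction from the previous section: a shared cache such as a CDN or proxy must not store a response marked `private` or `no-store`. The cached entry, timestamps and header values are constructed sample data, and the model is deliberately simplified (it ignores the Age header, Vary, heuristic freshness and validators) to show only the semantics the table describes.

```python
"""Minimal model of HTTP request Cache-Control semantics (RFC 9111).

Added example, not from the original post. All entries and timestamps
used with it are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_cache_control(header: str) -> Dict[str, Optional[int]]:
    """Parse 'No-Cache, max-stale=30' into {'no-cache': None, 'max-stale': 30}.

    Directive names are case-insensitive. A directive without an argument
    maps to None; a malformed (non-numeric) argument drops the directive
    instead of being trusted.
    """
    directives: Dict[str, Optional[int]] = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if value == "":
            directives[name] = None
        elif value.isdigit():
            directives[name] = int(value)
    return directives


@dataclass
class CachedResponse:
    stored_at: int  # epoch seconds when the copy was stored (constructed)
    max_age: int    # freshness lifetime granted by the response, in seconds


def decide(request_cc: str, entry: Optional[CachedResponse], now: int) -> str:
    """Return 'serve-cached', 'revalidate', 'fetch' or 'gateway-timeout'."""
    req = parse_cache_control(request_cc)

    if entry is None:
        # only-if-cached forbids a network round trip: answer 504 instead.
        return "gateway-timeout" if "only-if-cached" in req else "fetch"

    age = now - entry.stored_at
    remaining = entry.max_age - age       # > 0 means still fresh
    stale_by = max(0, -remaining)         # seconds past its freshness lifetime

    # no-store: nothing about this exchange may be kept; go to the origin.
    if "no-store" in req:
        return "fetch"

    # no-cache and max-age=0: a stored copy is usable only after revalidation.
    if "no-cache" in req or req.get("max-age") == 0:
        return "revalidate"

    # max-age=N on a request: the client rejects copies older than N seconds.
    if req.get("max-age") is not None and age > req["max-age"]:
        return "revalidate"

    # min-fresh=x: the copy must remain fresh for at least x more seconds.
    if req.get("min-fresh") is not None and remaining < req["min-fresh"]:
        return "revalidate"

    if remaining > 0:
        return "serve-cached"

    # Stale copy: serve it only if the client opted in with max-stale.
    if "max-stale" in req:
        limit = req["max-stale"]
        if limit is None or stale_by <= limit:   # bare max-stale = any staleness
            return "serve-cached"
    return "gateway-timeout" if "only-if-cached" in req else "revalidate"


def shared_cache_may_store(response_cc: str) -> bool:
    """A shared cache (proxy/CDN) must not store 'private' or 'no-store' responses."""
    resp = parse_cache_control(response_cc)
    return "private" not in resp and "no-store" not in resp


if __name__ == "__main__":
    copy = CachedResponse(stored_at=1000, max_age=60)   # constructed entry
    for cc, now in [("", 1010), ("no-cache", 1010), ("min-fresh=55", 1010),
                    ("", 1100), ("max-stale=60", 1100), ("only-if-cached", 1100)]:
        print(f"{cc or '<none>':>16} at t={now}: {decide(cc, copy, now)}")
    print("shared cache stores 'private, max-age=60'?",
          shared_cache_may_store("private, max-age=60"))
```

The last check is the one that matters for the private/shared split: a response meant for one user that is not marked `private` (or `no-store`) is eligible for a shared cache, which is exactly how user-specific content ends up served to other users.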