The cryptocurrency industry lost more than $2 billion in crypto asset exploits in the first half of 2022, with the lion’s share of the losses registered in Q1. This already exceeds 2021’s total tally, and bad actors are showing no sign of slowing down.
This is according to blockchain smart contract security platform Certik, who last month published its Hack3d: Web3 Security Quarterly Report for Q2 2022 after auditing well over 600 crypto firms. The report delivers a number of scary statistics for the fledgling Web3 sector.
Q2 vs Q1 Overview: Bad to Worse?
Despite slumping crypto prices, Q2 did not trail Q1 by much, incurring its own fair share of losses. At least 48 major attacks were recorded in Q2, with losses adding up to $718.4 million. This is about 40% lower than the $1.3 billion lost in the first quarter.
However, it is important to note that the decrease in losses from Q1 to Q2 is mainly due to the first quarter breach of Axie Infinity’s Ronin Network in which $625 million was siphoned off, one of the largest hacks in DeFi’s short history.
The reduction in losses from the first to the second quarter does not mean that the attacks are slowing down. In fact, there was a marked increase in phishing attacks and flash loan attacks, two most popular methods used by hackers in crypto. Indeed, Q2 2022 was the worst quarter ever for flash loan attacks, with over $308 million lost, while phishing attacks grew by 170% quarter-on-quarter.
On the bright side, the number and scale of rug pulls are lower when compared to 2021. While there were more rug pulls in Q2 than in Q1, the total losses were significantly lower. One reason for this could be the bear market, as rug pulls and exit scams tend to proliferate during bull runs when newer, inexperienced money easily and quickly flows into the market.
The report also found that social media, which serves as the mouthpiece of the nascent cryptocurrency industry, is becoming the “Achilles’ heel” of Web3.
Social Media Hampers Web3 Security
Some social media platforms are often used as attack vectors by bad actors. Almost all those who are active on Twitter, Telegram or Discord can attest to this. While some platforms, like Twitter, provide methods for account verification, many others do not. Just in Q2, there were 290 recorded attacks, marking a 170% increase from 106 attacks in Q1.
The majority of these attacks exploited the Discord servers of the targeted projects, highlighting two important factors:
- Projects are heavily relying on Discord - and other social media platforms - for marketing, engagement, and community building.
- These platforms pose a security threat.
There are various reasons why hackers target platforms such as Discord and Telegram. One reason might be that these platforms don’t require account verification, making it easy for hackers to clone accounts and bait crypto participants with giveaways, token offers, etc.
Many of Web3’s security vulnerabilities stem from its reliance on outdated Web2 technologies, with human errors as one of the main entry points for attackers. The increase in phishing attacks demonstrates how Web3 needs to move away from Web2 technologies and the vulnerabilities they bring to the table.
There are a few short-term fixes for this:
- Projects need to beef up their security surrounding community managers and anyone who has access to important accounts. They must standardize additional security measures such as 2FA authentication and multi-sig authentication, or even better, eliminate single point of failure security vulnerabilities.
- Projects need to provide sufficient education to their communities to stay vigilant and be aware of possible attacks.
Flashloan Attacks and Rugpulls
Flash loan attacks continue to be a growing pain for Web3 and DeFi projects as Q2 losses totaled more than $308 million across 27 attacks. By comparison, Q1 saw 14 attacks in which just over $14 million was lost.
Q2’s numbers are skewed by the size of the flash loan attacks on record. In April, an attacker drained $182 million from the Beanstalk stablecoin protocol, which on its own accounts for 59% of the funds lost in flash loan attacks in Q2. The second-largest attack resulted in Fei Protocol losing $79 million. For reference, the largest flash loan attack in Q1 resulted in Deus Finance losing $3 million, a figure that pales in comparison to the aforementioned Beanstalk attack.
Certik observed that flash loan attacks are increasing in frequency and profits in each quarter, and that this pattern will most likely remain the same throughout the year. Thankfully though, the losses due to rug pulls and exit scams are on the decline. Q2 witnessed 89 attacks in which investors lost $37.6 million, an improvement compared to Q2 2021 where losses topped $2.65 billion.
The decrease in losses can be attributed to a bear market where only experienced and hardened traders and investors remain in the game. These more experienced traders are harder to lure to these exit scams. Furthermore, the shocking collapse of Terra (LUNA) and the insolvency of Three Arrows Capital and Voyager have further shaken investor confidence, making even the toughest investors more cautious.
Effects of Attacks on DeFi industry
The DeFi sector continues to be the biggest target for criminals. Around 79% of the attacks are geared towards the DeFi domain.
Ethereum was the most frequently attacked chain of Q2, and in the process, lost $381.35 million, with Binance Smart Chain taking the second spot. A majority of the chains recorded a decrease in total value locked (TVL) after the attacks.
The Certik report’s facts are for the most part corroborated by other DeFi and Web3 Q2 reviews from CoinGecko and Beosin and paint an increasingly dark picture for the securing of crypto’s most innovative assets.
The report prods at the ill-deserved reputation of Web3 as a digital Wild West, caused by its reliance on Web2’s insecure and outdated technologies. Measures to mitigate risk include:
- Strengthening security and access to privileged accounts (e.g. that of community managers),
- Mandating verification tools like 2FA and multi-sig to ensure Web3 projects have no single points of failure when intersecting with Web2 systems like social media,
- User education to become more accountable and aware of possible attack vectors, such as clicking on phishing links, especially acting as organization representatives.