In Q3 2023, a new report published by the Beosin EagleEye platform revealed that funds lost in web3 due to scams, rug pulls, and exploits amounted to $889.26 million. During this period, there were 43 major attacks, 81 rug pulls, and numerous phishing scams, resulting in losses of approximately $540.16 million, $282.96 million, and $66.15 million, respectively.
In comparison to Q1 and Q2, the losses in Q3 were higher. Q1 saw total losses of about $330 million, while Q2 2023 had losses of $333 million. Notably, these losses mostly occurred in DeFi projects and public chains.
According to the report, the DeFi sector experienced 29 attacks, constituting 67.4% of the total number of attacks. By project type, blockchains topped the list of attack targets, and among chain platforms Ethereum was attacked the most.
During Q3, there were 9 cases of private key compromises resulting in losses of up to $223 million. Additionally, there were cloud-based attacks, such as the one targeting Mixin Network, and exploits related to contract vulnerabilities. Further, 8 networks suffered attacks with losses of more than $10 million each, with Mixin Network suffering the largest loss at $200 million.
Of all the stolen funds, only 10% were recovered, and most of the funds remain in hacker addresses. Significantly, the asset recovery rate dropped compared to Q1. Beosin stated that “the main reason was frequent activity by North Korea’s Lazarus group this quarter, stealing a total of $208 million.” Beosin further explained that the Lazarus group “is adept at utilizing various complex money laundering techniques to launder the stolen funds, with barely any returns.”
The report concludes with the Beosin EagleEye platform's analysis of typical attacks and its recommended security tips.
Exactly Protocol Attack: This attack occurred on August 18, 2023, resulting in a loss of $7 million. Manipulation of the market address parameter in the vulnerable contract allowed an attacker to bypass checks, steal USDC collateral, and liquidate user assets.
According to Beosin, protocols should implement a whitelist function for contract addresses used as LP tokens to prevent malicious manipulation.
Vyper/Curve Attack: This attack occurred on July 31; $73 million was lost and $52.3 million was returned. Broken reentrancy locks in Vyper versions 0.2.15, 0.2.16, and 0.3.0 allowed an attacker to exploit the add_liquidity and remove_liquidity functions, causing incorrect price calculations.
Beosin recommends that projects using Vyper versions 0.2.15, 0.2.16, and 0.3.0 conduct self-checks and stay vigilant about vulnerability disclosures in third-party components.
Eralend Attack: This attack occurred on July 25, 2023, resulting in a loss of $3.4 million. Read-only reentrancy in the price oracle caused inconsistent loan and liquidation value calculations, enabling the attacker to make off with the funds as profit.
Beosin recommended that protocols consider read-only reentrancy scenarios when using real-time reserves for price calculations, to prevent such inconsistencies.
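To make the read-only reentrancy recommendation above concrete, here is an added illustration (not code from the report or from either affected protocol) of an LP-token price oracle that trusts real-time reserves, beside a hardened form that first probes the pool's reentrancy lock. The pool interface, the `sync()` entry point, the assumption that `sync()` is guarded by the pool's lock, and the 1:1 asset pricing are all hypothetical simplifications.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal interface for a two-asset liquidity pool.
interface ILiquidityPool {
    function getReserves() external view returns (uint256 r0, uint256 r1);
    function totalSupply() external view returns (uint256);
    // Assumed: a state-changing function protected by the pool's reentrancy
    // lock, so it reverts while the pool is mid-execution (e.g. inside a
    // remove_liquidity call that has already sent assets out).
    function sync() external;
}

// Vulnerable form: reads reserves and LP supply directly. If called from a
// callback while the pool has paid out assets but not yet burned LP supply,
// reserves are low and totalSupply is still high, so the LP price is
// understated; a lender using it would mis-value collateral.
contract LpPriceOracleVulnerable {
    ILiquidityPool public immutable pool;
    constructor(ILiquidityPool p) { pool = p; }

    // LP token price in units of asset0, 1e18 fixed-point; assumes both
    // pool assets are valued 1:1 for simplicity.
    function lpPrice() external view returns (uint256) {
        (uint256 r0, uint256 r1) = pool.getReserves();
        return ((r0 + r1) * 1e18) / pool.totalSupply();
    }
}

// Hardened form: poke a lock-guarded pool function before reading state.
// The call reverts if the pool is mid-execution, which closes the window in
// which reserves and supply are inconsistent. Note this makes the price
// function non-view, which callers must accommodate.
contract LpPriceOracleHardened {
    ILiquidityPool public immutable pool;
    constructor(ILiquidityPool p) { pool = p; }

    function lpPrice() external returns (uint256) {
        pool.sync(); // reverts while the pool's reentrancy lock is held
        (uint256 r0, uint256 r1) = pool.getReserves();
        return ((r0 + r1) * 1e18) / pool.totalSupply();
    }
}
```

This check only helps when the pool's own reentrancy lock actually works; it would not have protected integrators of pools compiled with the affected Vyper versions described above, where the lock itself was broken, which is why the report also stresses tracking third-party component disclosures.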