2023 marked a pivotal moment in the security dynamics of Web3, highlighting advancements in resilience alongside enduring challenges.
Despite this, the Web3 sector continued to experience cyberattacks, resulting in losses surpassing $1.7 billion in 2023, encompassing around 453 reported incidents, according to a report from Salus shared with Finbold on January 2.
These incidents, despite being less than the figures recorded in 2022, revealed diverse threats, emphasizing the imperative for ongoing vigilance within the Web3 community.
Picks for you
Decline in losses, but bigger individual ones
Although 2023 saw significantly reduced overall losses, prominent exploits garnered attention. September witnessed the highest loss, with $360 million, followed by a $350 million loss in November and $303 million in July, highlighting ongoing threats against bridges and DeFi protocols.
A detailed analysis of monthly losses unveils an interesting pattern. While September, November, and July experienced the most substantial losses, October and December witnessed a noteworthy decline, suggesting a growing emphasis on security awareness and implementing robust safeguards.
Biggest hacks in 2023 in the Web3 industry
In 2023, the top 10 cyber incidents, accounting for nearly 70% of the year’s total losses of approximately $1.2 billion, exposed a common vulnerability: access control issues, particularly private key thefts. These incidents were prevalent in the latter half of the year, with the Lazarus Group playing a significant role in multiple breaches.
Mixin Network faced a substantial breach, resulting in a $200 million loss, highlighting concerns about cloud service providers’ security. Euler Finance suffered a $197 million loss due to a vulnerability in the donateToReserves function, emphasizing the importance of rigorous smart contract auditing in DeFi protocols.
Multichain witnessed an abnormal movement of lockup assets, raising questions about its security practices. Poloniex fell victim to a hack by the Lazarus Group, resulting in a $126 million loss and prompting enhanced security measures. BonqDAO, Atomic Wallet, and HECO Bridge also experienced significant losses due to attacks exploiting various vulnerabilities.
Curve faced a $69.3 million loss due to a 0-day compiler bug, highlighting risks associated with language-specific vulnerabilities. AlphaPo lost $60 million to a sophisticated phishing attack, while CoinEx suffered a $54.3 million loss due to a compromised hot wallet private key.
Types of attacks that brought the biggest losses
Furthermore, the report highlighted various threats, such as ‘exit scams,’ constituting 12.24% of attacks, resulting in a $208 million loss across 276 incidents. Notable cases involve projects promising high returns that abruptly disappeared with investors‘ funds.
Access control issues constituted 39.18% of attacks, resulting in a $666 million loss across 29 incidents. Noteworthy vulnerabilities were exploited in Multichain, Poloniex, and Atomic Wallet.
Phishing accounted for 3.98% of attacks, resulting in a $67.6 million loss across 13 incidents. The Lazarus Group’s attack on AlphaPo exemplified evolving phishing techniques.
Flash loan attacks constituted 16.12% of incidents, resulting in a $274 million loss across 37 cases. Precision flash loan attacks targeted Euler Finance, KyberSwap, and Yearn Finance.
Reentrancy vulnerabilities, contributing to 4.35% of attacks, led to a $74 million loss in 15 incidents, notably highlighted by the Vyper bug and the Exactly Protocol exploit.
Oracle issues constituted 7.88% of attacks, causing a $134 million loss in 7 incidents, exemplified by the BonqDAO attack manipulating token prices. Other vulnerabilities accounted for 16.47% of attacks, resulting in a $280 million loss across 76 incidents.
2024, a year of increased cybersecurity
As 2023 concluded, reduced overall losses highlight the need for improved security measures, especially with concentrated losses in the top 10 hacks. Safeguarding the Web3 ecosystem demands a comprehensive approach due to diverse vulnerabilities.
Given emerging infiltration methods like Lazarus Group attacks, rigorous auditing and heightened awareness of Web3 penetration testing are crucial. Users and stakeholders are urged to prioritize platforms and services that fulfill functional needs while adhering to the highest security standards for a secure Web3 future.