Web3 projects lose over $2 billion to hacks and exploits in 2022


Web3 projects lost over $2 billion in the first half of the year, meaning 2022 has already lost more to hacks and exploits than the entirety of 2021, making it the most expensive year for Web3 by far.

Over the last three months, projects including blockchain-based initiatives and cryptocurrency schemes lost $870,802,424 to hacks, scams, and exploits. This is according to the quarterly Web3 security report from blockchain auditing and security company CertiK, published earlier this week.

Examples of Web3 projects include Beanstalk, a decentralized stablecoin protocol built on the Ethereum blockchain, Inverse Finance, an open source protocol for lending and borrowing assets, and bDollar, an algorithmic multi-peg stablecoin running on the Binance Smart Chain.

Over the full course of 2022, the thousands of Web3 projects in development are forecast to see a 223% surge in funds lost to cyber attacks, compared to 2021.

Despite the projections, the amount lost to attacks is down 42% from the previous quarter. The report, however, admitted the data is skewed by the catastrophic attack against the Ronin Network for $624 million in late March.

In the second quarter of the year, $308,579,156 was lost to 27 flash loan attacks, the highest amount ever recorded for this type of attack. A flash loan attack is a type of decentralised finance attack in which someone takes out a flash loan, a form of lending, for a very short period of time and uses the borrowed funds to manipulate the value of specific tokens on exchanges, moving the market in their favour.
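The reason a short-lived loan can move a token's value is that many on-chain exchanges quote a price directly from their pool reserves, so a single large trade shifts that quote for as long as the trade stands. The following Python simulation is an added example, not code from the article or from CertiK: it models a constructed constant-product pool (the x*y=k design used by many decentralised exchanges) and compares a protocol that reads the instantaneous spot price with one that reads a time-weighted average recorded at block boundaries. Reserve sizes, the loan amount and the 1,000-token collateral position are all made-up values; the point it makes is the defensive one, namely that the spot reading is what a flash loan can distort, while a price that is only sampled once per block is unchanged when the trade is unwound in the same transaction.

```python
"""Spot price vs. block-level time-weighted average price (TWAP) under a
single-transaction trade round trip on a constant-product pool.

Added example; the pool, reserves and amounts are constructed, not any real
exchange's figures."""
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class ConstantProductPool:
    """Minimal x*y=k pool with no trading fee (constructed for illustration)."""
    reserve_x: Fraction  # asset being priced
    reserve_y: Fraction  # quote asset, e.g. a stablecoin

    def spot_price(self) -> Fraction:
        """Instantaneous price of X in units of Y, read straight from reserves."""
        return self.reserve_y / self.reserve_x

    def swap_y_for_x(self, amount_y: Fraction) -> Fraction:
        """Deposit Y and receive X such that reserve_x * reserve_y stays constant."""
        k = self.reserve_x * self.reserve_y
        self.reserve_y += amount_y
        new_x = k / self.reserve_y
        out_x = self.reserve_x - new_x
        self.reserve_x = new_x
        return out_x

    def swap_x_for_y(self, amount_x: Fraction) -> Fraction:
        """Deposit X and receive Y, again keeping k constant."""
        k = self.reserve_x * self.reserve_y
        self.reserve_x += amount_x
        new_y = k / self.reserve_x
        out_y = self.reserve_y - new_y
        self.reserve_y = new_y
        return out_y


@dataclass
class BlockTwapOracle:
    """Samples the pool price once per block; intra-block state is never observed."""
    observations: list = field(default_factory=list)

    def on_block_end(self, pool: ConstantProductPool) -> None:
        self.observations.append(pool.spot_price())

    def twap(self, window: int) -> Fraction:
        recent = self.observations[-window:]
        return sum(recent, Fraction(0)) / len(recent)


def simulate_round_trip(pool: ConstantProductPool, loan_y: Fraction):
    """One transaction: borrowed Y buys X, the spot price is read, X is sold
    back and the loan can be repaid. Returns (before, mid_transaction, after)."""
    before = pool.spot_price()
    bought_x = pool.swap_y_for_x(loan_y)
    mid = pool.spot_price()
    pool.swap_x_for_y(bought_x)
    after = pool.spot_price()
    return before, mid, after


def collateral_value(amount_x: Fraction, price: Fraction) -> Fraction:
    """What a lending protocol would believe a position is worth at `price`."""
    return amount_x * price


def demo() -> dict:
    pool = ConstantProductPool(Fraction(1_000_000), Fraction(1_000_000))
    oracle = BlockTwapOracle()
    for _ in range(10):            # ten quiet blocks, price stays at 1 Y per X
        oracle.on_block_end(pool)
    before, mid, after = simulate_round_trip(pool, Fraction(10_000_000))
    oracle.on_block_end(pool)      # the block containing the round trip closes at the restored price
    position = Fraction(1_000)     # constructed collateral position of 1,000 X
    return {
        "spot_before": before,
        "spot_mid_tx": mid,
        "spot_after": after,
        "twap": oracle.twap(10),
        "collateral_at_spot": collateral_value(position, mid),
        "collateral_at_twap": collateral_value(position, oracle.twap(10)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script, the spot quote jumps from 1 to 121 inside the transaction and returns to 1 once the trade is unwound, so a protocol valuing the 1,000-token position from the spot quote at that moment would see 121,000 instead of 1,000, whereas the block-level TWAP still reports 1. The exact `Fraction` arithmetic is deliberate: it shows the reserves restore precisely, so a pool snapshot taken at block end carries no trace of what happened mid-block.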

This represents an increase of 2,000% in funds lost between Q1 and Q2. These recent figures, though, are skewed by the most profitable flash loan attack on record, in which a hacker stole $182 million after targeting Beanstalk Farms. This accounted for 59% of the total loss in the last quarter alone.

The $79 million flash loan attack against the Fei protocol also accounted for a significant portion of this. For comparison, the biggest flash loan attack in Q1 was the $3 million attack against Deus Finance. Even without these two outliers, Q2 has still been a far more devastating quarter than Q1 for attacks of this nature, said CertiK.

Web3 phishing attacks on the rise

Additionally, phishing attacks have increased by 170% since the last quarter, with CertiK underlining that social media platforms are a major pain point for Web3 projects. There were 290 attacks in Q2 versus 106 in the previous quarter. The vast majority of these attacks targeted projects’ Discord servers. CertiK pointed out that unlike Twitter, which supports account verification, Discord and Telegram don’t. This allows hackers to clone accounts and lay bait in the form of giveaways and token offers.

“What’s frustrating about these hacks from a Web3 security perspective, is that the hackers are deploying the tried and tested tricks of Web2 that exploit centralisation and human error as a starting point, and are using this to make lateral moves to exploit Web3 in turn,” said CertiK in its report.

“In this way, the prevalence of phishing attacks shows Web3’s ongoing and fraught relationship with the outmoded and vulnerable infrastructures of Web2. Indeed much of Web3’s negative reputation as a digital ‘wild west’ arises from the points where it relies on Web2 technologies and the vulnerabilities it entails.”

Carving out an exit strategy

Rugpulls and exit scams were also among the most popular forms of attack, with $37,462,472 lost across 90 attacks. This is where a project’s founders stop its development and disappear with its funds. This is a 16.7% decrease from Q1, and Q2 continues the sharp decline in losses to rugpulls and exit scams seen since the previous year. For example, Q2 of 2021 saw $2,650,234,662 lost to rugpulls and exit scams.

“Whilst this decline is of course welcome, it is likely a consequence of the persistent bear market,” said CertiK. “As the flow of new money entering the Web3 economy dries up, so do the kinds of uneducated investors who are likely to fall prey to the wild promises of bad faith projects.

“By contrast, the average Web3 investor weathering the so-called crypto-winter is both harder to dupe, and a lot less willing to part with their hard earned funds. Add to this the devastating events that occurred in Q2 such as the collapse of Terra, Three Arrows Capital and insolvency issues with Celsius, and it is no wonder that we have not seen a rush of new investors entering the space.”

Lastly, over $520 million was lost in Q2 to exploits across 39 attacks. This is a 57% decline versus $1.2 billion lost in Q1 across 33 attacks, although the Ronin Network attack, again, skewed these figures.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.