The amount of money lost to hacks and scams reached $685 million in Q3 of 2023, bringing losses so far this year to $1.4 billion.
The quarterly report compiled by Web3 bug bounty platform Immunefi shows that few areas of crypto are immune from attacks and — while personal wallet safety is one thing — it’s at the platform level where most attacks happen.
Most of Q3’s sum was lost by two specific projects: Mixin Network, a transactional network for digital assets, and Multichain, a cross-chain router protocol.
These two incidents lost $200 million and $126 million respectively, accounting for 47.5% of all the losses incurred during the third quarter.
The Q3 losses represent a 59.9% increase on the $428.7 million lost in Q2.
And the number of reported incidents has also increased to 76 from 30 over Q3 last year, representing a 153% increase year-over-year.
Immunefi also noted that state-backed actors played a crucial role as they were allegedly behind several cases this quarter. Their particular focus on CeFi led to a sharp surge in losses within this sector.
Throughout the quarter, Lazarus Group, funded by the North Korean state, has allegedly orchestrated high-profile attacks on several platforms, including CoinEx, where they made away with $70 million, and Alphapo, where $60 million was stolen.
The group also allegedly attacked Stake for $41.3 million and CoinsPaid for $37.3 million. In total, the group is accused of $208.6 million, or 30% of the Q3 losses.
The Impact of Crypto Hacks on Web3 Adoption
Despite the growing number of crypto hacks and scams, Web3 and crypto are innately very useful technologies aimed at giving users control over their assets as well as access to limitless and secure transactions.
This vision is positive and has attracted many users and investors. However, the rate at which the public is adopting Web3 is limited and greatly affected by the reports and well-founded fears of crypto hacks.
Some of these vulnerabilities include errors in smart contract code, compromised decentralized storage systems, and targeted attacks on individual users and people with privileged access through phishing and social engineering, among others.
In most cases, the security of a user’s assets is addressed from the owner’s point of view and what they ought to do to secure their assets. However, most attacks happen at the platform handling funds for many users and occur less frequently at the individual level.
As such, security must be prioritized and addressed from the start at the platform level before an owner makes additional efforts to safeguard the assets.
What Can Crypto Projects Do Better?
Platforms can take several steps towards providing more security for their users’ assets. This will, in turn, win the users’ and investors’ trust and encourage increased adoption of crypto and Web3.
The basis of audits is usually the smart contract or any code that builds the platform’s infrastructure. This code is prone to errors and loopholes that can be exploited to access users’ funds.
Crypto projects and platforms ought to ensure their code is free of errors and vulnerabilities from the start. This can be assured through audits that examine every line of code, what it does, and the possible ways its checks can be bypassed, thus identifying vulnerabilities.
Once an in-depth audit has been done, it is important for the results to be made public transparently so that users, the community, and investors can assess them. These results should also include any vulnerabilities found as well as what has been done to fix them. This increases the trust between the industry and its users.
However, as demonstrated by the several DeFi platforms that have been audited and then compromised, a single security audit is insufficient. Therefore, new audits should be carried out each time the code is modified.
This will help ensure that fresh problems don’t emerge. As teams create and implement smart contracts, taking a more security-centric approach is crucial because even a minor change to the code can have unanticipated consequences.
Bug Bounty Programs
Bug bounty programs and responsible disclosure are crucial in securing the Web3 space, with ethical hackers encouraged to find vulnerabilities so that developers can proactively fix them.
However, in past scenarios, crypto platforms have turned down chances to pay bug bounties and have later suffered losses from the exploitation of vulnerabilities that ethical hackers had identified.
Working with white hat hackers through bug bounty programs is a strategic move that reveals any vulnerabilities and shows the project’s dedication to securing its users’ assets at all costs.
Even with frequent and regular audits, projects need to maintain continuous security and operational awareness to note any suspicious activity in good time. Such activity could include a sudden spike in usage of a certain account, system interaction with blacklisted addresses, as well as governance proposals submitted using flash loans.
By keeping an eye on privileged accounts and the relationship between the platform’s systems and the blockchain, the project will be able to identify the first signs of an attack, including unusually large transactions or many transactions towards a certain address.
The project will also be able to mitigate the losses that could be suffered by saving the remaining assets in the event of an attack.
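The monitoring heuristics listed above (account activity spikes, interaction with blacklisted addresses, governance proposals created in the same transaction as a flash loan, unusually large transfers, and many transactions towards a single address) can be run as simple rules over the platform's own transaction feed. The following Python is an added example and is not code from Immunefi or from any project named in the report; the transaction records, the blacklisted address and the threshold values are all constructed for illustration, and a real deployment would read the records from the platform's indexer and tune the thresholds to its own traffic.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Tx:
    """One observed on-chain interaction (constructed shape, not a real chain schema)."""
    tx_hash: str
    sender: str
    receiver: str
    amount: float          # value moved, in the platform's native unit
    block: int
    events: tuple = ()     # names of events emitted by the transaction


# Hypothetical denylisted address; a real list would come from a sanctions/threat feed.
BLACKLIST = {"0xbad0"}

# Constructed sample feed: normal traffic in blocks 1-14, then a burst from 0xa1,
# one oversized transfer, a blacklist hit and a flash-loan-backed proposal.
SAMPLE = [
    Tx("tx1", "0xa1", "0xdex", 5.0, 1),
    Tx("tx2", "0xa2", "0xdex", 7.0, 3),
    Tx("tx3", "0xa1", "0xb1", 4.0, 12),
    Tx("tx4", "0xa2", "0xdex", 6.0, 14),
    Tx("tx5", "0xa1", "0xcollector", 5.0, 21),
    Tx("tx6", "0xa1", "0xcollector", 5.0, 22),
    Tx("tx7", "0xa1", "0xcollector", 900.0, 23),
    Tx("tx8", "0xa2", "0xcollector", 5.0, 24),
    Tx("tx9", "0xa4", "0xbad0", 3.0, 25),
    Tx("tx10", "0xa5", "0xgov", 0.0, 26, ("FlashLoan", "ProposalCreated")),
]


def blacklist_hits(txs, blacklist=BLACKLIST):
    """Transactions that touch a denylisted address on either side."""
    return [t.tx_hash for t in txs if t.sender in blacklist or t.receiver in blacklist]


def large_transfers(txs, factor=10.0):
    """Transfers larger than `factor` times the median amount in the feed."""
    amounts = [t.amount for t in txs]
    if not amounts:
        return []
    cutoff = factor * median(amounts)
    return [t.tx_hash for t in txs if t.amount > cutoff]


def activity_spikes(txs, window=10, factor=3.0):
    """Senders whose count in the latest block window is >= factor x their
    average count over all earlier windows (floored at 1 to avoid flagging
    any first-time sender)."""
    per_window = defaultdict(Counter)          # window index -> sender -> count
    for t in txs:
        per_window[t.block // window][t.sender] += 1
    if len(per_window) < 2:
        return []
    last = max(per_window)
    earlier = [w for w in per_window if w != last]
    flagged = []
    for sender, n in per_window[last].items():
        baseline = sum(per_window[w][sender] for w in earlier) / len(earlier)
        if n >= factor * max(baseline, 1.0):
            flagged.append(sender)
    return sorted(flagged)


def fan_in(txs, min_txs=4):
    """Receivers that collect at least `min_txs` transactions (funds being swept)."""
    counts = Counter(t.receiver for t in txs)
    return sorted(addr for addr, n in counts.items() if n >= min_txs)


def flash_loan_proposals(txs):
    """Governance proposals created inside a transaction that also took a flash loan."""
    return [t.tx_hash for t in txs
            if "FlashLoan" in t.events and "ProposalCreated" in t.events]


def run_monitor(txs):
    """Apply every rule and return only the rules that fired."""
    results = {
        "blacklist": blacklist_hits(txs),
        "large_transfer": large_transfers(txs),
        "activity_spike": activity_spikes(txs),
        "fan_in": fan_in(txs),
        "flash_loan_governance": flash_loan_proposals(txs),
    }
    return {rule: hits for rule, hits in results.items() if hits}


if __name__ == "__main__":
    for rule, hits in run_monitor(SAMPLE).items():
        print(f"{rule}: {hits}")
```

Each rule is deliberately independent so that a single alert can be routed to a pause or withdrawal-limit action on its own; the fan-in and spike rules are the ones that benefit most from per-platform tuning, since a popular router contract will legitimately receive many transactions per window.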
Part of increasing the confidence that the crypto community and investors have in crypto platforms and their ability to keep their assets safe is assuring them that the persons with privileged access to their funds know how to secure their assets.
This necessitates that the individuals be educated on how to identify potential scam techniques such as phishing and social engineering to ensure they do not fall prey to such traps. Crypto platforms also need to ensure their employees are up to date with the latest hack techniques to ensure they also increase their vigilance.
If we want mainstream adoption of Web3 and to see cryptocurrency used in retail or held as a store of value, funds must be guaranteed safe.
Advocates for crypto regularly point out crypto’s advantages over, for instance, brick-and-mortar banks, and it’s a compelling narrative with plenty of truth in it.
But until wallets, exchanges, and DeFi platforms carry the same level of safety and trust as we might expect from a bank account, we can’t expect people on the street to rush to these new forms of money. The compelling argument for adoption will come when these quarterly reports of hacks start reducing in significance.
Until then, hacks will keep making headlines.