Web3 and DeFi hacks on the rise
There was a rise in the number of reported cyber security hacks on Web3 and DeFi in Q1 2023 compared to the same period in 2022 and 2021, with 19 reported hacks.
This is up from 16 reported hacks in Q1 2022 and 10 reported hacks in Q1 2021, according to new analysis from Naoris Protocol.
Between 1 January 2023 and 14 April 2023 there were 22 reported cyber security hacks, totalling over $265-million in losses. The biggest single hack in Q1 2023 stole $197-million from Euler Finance.
The most common type of hack so far in 2023 is one that targets a weakness in protocol logic. There were 11 of these types of hacks reported in the first quarter of this year, totalling $230-million in losses, which is less than half the amount lost in the same period in 2022.
However, the number of these reported hacks in Q1 2023 was almost double that of Q1 2022, which saw six protocol logic attacks, but which totalled $471,8-million in losses.
There were also four attacks in Q1 2023 which targeted a weakness in the interaction between multiple protocols, classified as Ecosystem (there have been a further three reported attacks of this type since 1 April); two infrastructure attacks and two rug-pulls.
Types of attack year to date
| Classification of cyber security attack (1st Jan 23 – 14th Apr 23) | Total amount lost (US$) | Number of reported cyber security hacks |
| Protocol logic | 230.3 million | 11 |
| Ecosystem | 23.9 million | 7 |
| Infrastructure | 9.3 million | 2 |
| Rugpull | 1.9 million | 2 |
Targeting a weakness in protocol logic was also the most common type of attack in Q1 2022, with six in total valuing $471,8-million. During 2021, the attack type was one that targeted a weakness in the interaction between multiple protocols – classified as Ecosystem – with four recorded in the first quarter, totalling $52,8-million lost.
| Sum of amount lost (US$) | Number of reported cyber security hacks | Most common attack type | |
| Q1 2023 | 252,466,000 | 19 | Protocol logic (11) |
| Q1 2022 | 1,176,850,000
[226,850,000 when discounting Ronin and Wormhole] |
16 | Protocol logic (6) |
| Q1 2021 | 136,000,000 | 10 | Ecosystem (4) |
| Q1 2020 | 1,000,000 | 2 | Protocol logic (2) |
Targeting a weakness in protocol logic was also the most common type of attack in Q1 2022, with six in total valuing $471,8-million. During 2021, the attack type was one that targeted a weakness in the interaction between multiple protocols – classified as Ecosystem – with four recorded in the first quarter, totalling $52,8-million lost.
When discounting the two huge cyber-attacks in Q1 2022 – Ronin at $624 000 000 and Wormhole at 326 000 000 – the overall amount stolen in Q1 2023 has increased by 11% on Q1 2022. The average amount stolen per cyber-attack in Q1 2023 was $13 287 684 compared to a slightly larger $16 203 571 in Q1 2022, showing in general hackers are increasing the number of attacks but stealing slightly less each time, compared to last year.
Monica Oravcova, co-founder and chief operating officer at Naoris Protocol, comments: “Our analysis shows an alarming increase in the number of hacks. This is a disturbing trend, it’s . It’s important to use a new set of tools and technology, specifically, Distributed CyberSecurity Mesh Architecture, to protect the decentralised ecosystem. This could pre-emptively stop these attacks before they become costly breaches.”
Changing techniques used by Web3 and DeFi hackers
The new analysis reveals that hackers targeting Web3 and DeFi are using a variety of techniques, with five new techniques already being reported in 2023:
* Collateral offboarding mistake;
* Cloudflare key compromised;
* Social engineering;
* Redeem function exploit; and
* Flashloan donate function logic exploit.
| Top 5 hacking techniques reported in Q1 2023 (by USD value) | Top 5 hacking techniques reported in Q1 2022 (by USD value) | Top 5 hacking techniques reported in Q1 2021 (by USD value) | |
| 1 | Flashloan donate function logic exploit ($197 million) | Private key compromised – social engineering ($624 million) | Flashloan pool shares exploit ($37.5 million) |
| 2 | Access control exploit ($9.6 million) | Signature exploit ($326 million) | Drained contracts ($34.5 million) |
| 3 | Cloudflare key compromised ($9.2 million) | Transfer Logic Exploit ($80 million) | Infinite Mint and Dump ($27 million) |
| 4 | Flashloan reentrancy attack ($9.1 million) | Private key compromised – unknown method ($51.6 million) | Flashloan price oracle attack ($15 million) |
| 5 | Reentrancy ($6 million) | Collateral Validations Exploit ($48 million) | Delegatecall exploit ($14 million) |
Blockchains
Ethereum blockchain reported the highest amount lost in Q1 2023 – $204,2-million which is 81% of the overall amount lost in the first quarter.
The Ethereum blockchain reported the highest number of hacks in 2022 (23 in total), six of which took place in the first quarter, amounting to $685-million – more than half (58%) of the total amount stolen in Q1.
