The total of lost funds in 2023 has reached $1.3b, with $758m lost in Q3.
Recovered funds YTD stand at $14m, suggesting a recovery rate of just 1.04%.
Three of the largest cases of lost funds this quarter were Multichain, which experienced a loss of $231.1 million; Mixin Network, which faced a setback of $200 million; and CoinEx, which reported a loss of $52.8 million.
The decentralized finance (DeFi) landscape faced severe turbulence in Q3 2023, with a significant loss of $758,983,260. This figure, when combined with the losses from the previous quarters, brings the total funds lost in 2023 to an astounding $1.3 billion.
Recovered funds for the year to date stand at a modest $14m, which is a mere 1.04% of the total lost funds, underscoring the challenges in recovering stolen or misplaced assets in the crypto world.
When compared with Q2 2023, which saw losses of $204,308,280, the Q3 figures represent an alarming increase of 271.49%. Recovery efforts also intensified, with a 78.09% increase in recovered amounts compared to the previous quarter.
Meanwhile, looking at the same period last year, Q3 2022 saw significant losses totaling $564.7 million; Q3 2023 surpassed this with losses amounting to $758.9 million, marking a 34.40% increase year-over-year.
DeFi Exploit Trends
In Q3 2023, the DeFi landscape witnessed a staggering 116 cases of scams, exploits, or unintended losses, showing the persistent risks in the sector – this is 6 more than last quarter.
Among the vast number of cases, three particular instances drew significant attention due to the sheer magnitude of their losses. Multichain experienced a loss of $231.1 million, Mixin Network faced a setback of $200 million, and CoinEx reported a loss of $52.8 million. Together, these three incidents accounted for a loss of around $484 million.
Diving deeper into the types of issues, Access Control once again emerged as a critical vulnerability with losses amounting to $319 million.
Ethereum, being the dominant platform in the space, reported the highest losses, totaling a staggering $369.6 million across 72 cases. While Ethereum’s losses dwarfed other chains, the “Other” category also reported significant losses amounting to $323.4 million driven by the large loss from Mixin.
Other platforms such as Binance’s BNB Chain experienced losses of $13.5 million, and Centralized platforms reported $37 million in losses.
Emerging chains and Layer 2 solutions, like Optimism and Arbitrum, also faced exploits, albeit with relatively lower losses. The data underscores the vulnerabilities inherent across the DeFi landscape, regardless of the platform’s prominence or maturity.
Types of Exploit
The most frequent exploit was the “Rugpull”, with 78 cases resulting in losses of nearly $49.8 million. However, in terms of monetary impact, Access Control issues were the most damaging, with only 6 cases accounting for a colossal loss of $319 million. Other significant exploits included Reentrancy attacks causing $65.8 million in losses across 8 cases, and general Exploits resulting in $82.2 million lost in 12 incidents. Less frequent but still impactful threats included Flash Loan Attacks, Phishing, Honeypot, and Oracle Issues, each contributing to the challenges in the crypto space.
Attack Vectors
Regarding attack vectors in Q3 2023, Tokens continued to be the primary target, with a staggering 80 cases. Exchanges, specifically DEXes, followed suit with 8 incidents, while Borrowing and Lending platforms saw 4 cases. The emerging Gaming/Metaverse sector was not immune, experiencing a significant loss in a single case.
In Q3, recovery of funds remains an area for improvement. The recovered amount of $8 million is dwarfed by the total losses, indicating the need for stronger measures to trace and recover stolen funds.
Top Cases This Quarter
On that note, let’s take a brief look at the top cases this quarter.
1. Multichain — $231m Lost
Multichain, a pivotal player in the realm of crosschain bridges, became the focal point of one of 2023’s most significant exploits, leading to a substantial loss of $231 million. The intricacies of the breach are alarming; nearly $130 million was siphoned off from multiple token bridges. Notably, the assets that were securely locked in the Multichain MPC address were abnormally transferred to an EOA address. This unauthorized movement of funds resulted in the complete depletion of Multichain’s Fantom Bridge, which lost its entire holdings of prominent tokens such as wBTC, USDC, USDT, and a selection of altcoins, amounting to over $130 million. Other affected areas included Multichain’s Moonriver and Dogecoin bridge contracts.
Mixin Network, a decentralized wallet service, faced a breach on September 23, reporting a monumental loss of $200 million. The attack was not random; it specifically targeted Mixin Network’s cloud service provider database, revealing vulnerabilities that many within the crypto community might have overlooked.
The ramifications were immediate and far-reaching, with Mixin suspending both deposit and withdrawal services to contain the situation. Beyond the direct financial impact, the breach sent ripples across the market. Mixin’s native token, $XIN, experienced an 8% decline, settling at $195.
Mixin Network’s founder, Feng Xiaodong, took an immediate and transparent approach, announcing a live stream to discuss the exploit’s details. While the situation remains fluid, with investigations ongoing, the incident emphasizes the need for enhanced security even within established crypto entities.
CoinEx, a crypto trading platform, fell victim to a sophisticated exploit on September 12, 2023.
The attackers demonstrated a deep understanding of the platform’s security infrastructure, compromising the private keys of CoinEx’s hot wallets.
This breach wasn’t restricted to a single chain; the exploiters were able to steal funds across 9 distinct chains, deftly transferring them to their addresses. The total monetary loss was pegged at a significant $52.8 million.
The aftermath of the exploit saw the stolen funds remaining, at least for a time, in the attacker’s addresses, raising questions about potential recovery efforts and the future security protocols of the platform.
The Vyper Compiler is a vital tool for writing smart contracts. A vulnerability in certain versions of the compiler facilitated an exploit, impacting several projects and resulting in losses of over $50 million. Notably, some of these funds, approximately $6.8 million, were eventually returned.
Stake.com, a renowned crypto gambling protocol, reported a significant breach early in September 2023. This exploit wasn’t confined to a single vulnerability but spanned across multiple blockchain networks, including Ethereum, Polygon, and Binance Smart Chain. Specifically, attackers exhibited expertise by compromising the private keys of Stake.com’s hot wallets.
This enabled them to drain a diverse range of tokens, with the cumulative losses reaching an alarming sum of $41.4 million.
Currently, the exploiter addresses still hold a significant sum of over $13 million across the three chains.
To conclude, Q3 showcased considerable financial setbacks, underscoring the ever-present and evolving risks within the crypto sector. Despite the growth and advancements in DeFi, the quarter was a testament to the intricate challenges that lie ahead in terms of security. As the landscape continues to expand, it becomes imperative for stakeholders to bolster their security infrastructure and prioritize rapid responses to emerging threats.
The substantial losses witnessed this quarter serve as a stark reminder of the inherent vulnerabilities in DeFi engagements. Investors are urged to be vigilant, taking the time to understand the nuances of the platforms they engage with and to implement robust safeguards for their assets. At De.Fi, we understand the complexities of the current DeFi environment. In line with this, we remain steadfast in our mission to equip our users with the necessary insights and tools to navigate this dynamic industry with confidence and foresight.
About De.Fi
De.Fi is an all-in-one Web3 Super App featuring an Asset Management Dashboard, Opportunity Explorer, and home of the world’s first Crypto Antivirus powered by the largest compilation of hacks and exploits, the Rekt Database. Trusted by 850K users globally, De.Fi aims to drive DeFi adoption by making the self-custody transition as simple and secure as possible. Backed by Okx, Huobi, former Coinbase M&A, and used by large companies worldwide, including University College London and Coingecko.