The decentralized finance (DeFi) landscape faced severe turbulence in Q3 2023, with a significant loss of $758,983,260. This figure, when combined with the losses from the previous quarters, brings the total funds lost in 2023 to an astounding $1.3 billion.
Recovered funds for the year to date stand at a modest $14m, which is a mere 1.04% of the total lost funds, underscoring the challenges in recovering stolen or misplaced assets in the crypto world.
When compared with Q2 2023, which saw losses of $204,308,280, the Q3 figures represent an alarming increase of 271.49%. Recovery efforts also intensified, with a 78.09% increase in recovered amounts compared to the previous quarter.
Meanwhile, if we look at the same period last year, While Q3 2022 saw significant losses totaling $564.7 million, Q3 2023 surpassed this with losses amassing to $758.9 million, marking a 34.40% increase year-over-year.
In Q3 2023, the DeFi landscape witnessed a staggering 116 cases of scams, exploits, or unintended losses, showing the persistent risks in the sector – this is 6 more than last quarter.
Among the vast number of cases, three particular instances drew significant attention due to the sheer magnitude of their losses. Multichain experienced a loss of $231.1 million, Mixin network faced a setback of $200 million, and CoinEx reported a loss of $52.8 million. Together, these three incidents accounted for a loss of around $484 million.
Diving deeper into the types of issues, Access Control once again emerged as a critical vulnerability with losses amounting to $319 million.
Ethereum, being the dominant platform in the space, reported the highest losses, totaling a staggering $369.6 million across 72 cases. While Ethereum’s losses dwarfed other chains, the “Other” category also reported significant losses amounting to $323.4 million driven by the large loss from Mixin.
Other platforms such as Binance’s BNB Chain experienced losses of $13.5 million, and Centralized platforms reported $37 million in losses.
Emerging chains and Layer 2 solutions, like Optimism and Arbitrum, also faced exploits, albeit with relatively lower losses. The data underscores the vulnerabilities inherent across the DeFi landscape, regardless of the platform’s prominence or maturity.
The most frequent exploit was the “Rugpull“, with 78 cases resulting in losses of nearly $49.8 million. However, in terms of monetary impact, Access control issues were the most damaging, with only 6 cases accounting for a colossal loss of $319 million. Other significant exploits included Reentrancy attacks causing $65.8 million in losses across 8 cases, and general Exploits resulting in $82.2 million lost in 12 incidents. Less frequent but still impactful threats included Flash Loan Attacks, Phishing, Honeypot, and Oracle Issues, each contributing to the challenges in the crypto space.
Regarding attack vectors in Q3 2023, Tokens continued to be the primary target, with a staggering 80 cases. Exchanges, specifically DEXes, followed suit with 8 incidents, while Borrowing and Lending platforms saw 4 cases. The emerging Gaming/Metaverse sector was not immune, experiencing a significant loss in a single case.
In Q3, recovery of funds remains an area for improvement. The recovered amount of $8 million is dwarfed by the total losses, indicating the need for stronger measures to trace and recover stolen funds.
On that note, let’s take a brief look at the top cases this quarter.
1. Multichain — $231m Lost
Multichain, a pivotal player in the realm of crosschain bridges, became the focal point of one of 2023’s most significant exploits, leading to a substantial loss of $231 million. The intricacies of the breach are alarming; nearly $130 million was siphoned off from multiple token bridges. Notably, the assets that were securely locked in the Multichain MPC address were abnormally transferred to an EOA address. This unauthorized movement of funds resulted in the complete depletion of Multichain’s Fantom Bridge, which lost its entire holdings of prominent tokens such as wBTC, USDC, USDT, and a selection of altcoins, amounting to over $130 million. Other affected areas included Multichain’s Moonriver and Dogecoin bridge contracts.
Block Data Reference
Suspicious Addresses:
https://etherscan.io/address/0x418ed2554c010a0c63024d1da3a93b4dc26e5bb7
https://etherscan.io/address/0x027f1571aca57354223276722dc7b572a5b05cd8
Transactions:
https://etherscan.io/tx/0xda80a8c8d5a8fdf0208a6fd01c39af018e400763b1d08f3543f52353345fe62e
https://etherscan.io/tx/0xbd29fe07555c28527fb0207aa0ac2b67d4afef0426793c35b76d005613477fc4
2. Mixin — $200m Lost
Mixin Network, an decentralized wallet service, faced a breach on September 23, reporting a monumental loss of $200 million. The attack was not random; it specifically targeted Mixin Network’s cloud service provider database, revealing vulnerabilities that many within the crypto community might have overlooked.
The ramifications were immediate and far-reaching, with Mixin suspending both deposit and withdrawal services to contain the situation. Beyond the direct financial impact, the breach sent ripples across the market. Mixin’s native token, $XIN, experienced an 8% decline, settling at $195.
Mixin Network’s founder, Feng Xiaodong, took an immediate and transparent approach, announcing a live stream to discuss the exploit’s details. While the situation remains fluid, with investigations ongoing, the incident emphasizes the need for enhanced security even within established crypto entities.
Block Data Reference
Affected Addresses:
0x52E86988bd07447C596e9B0C7765F8500113104c 0x3B5fb9d9da3546e9CE6E5AA3CCEca14C8D20041e 0xB5d631A74AD9c9efcF96d6e9e2fAbcB75C67Eafa bc1qq7uefmz6nng5c4dzs9mwrxxyh9sxg5cjg85hes
3. Coinex — $52.8m Lost
CoinEx, a crypto trading platform, fell victim to a sophisticated exploit on September 12, 2023.
The attackers demonstrated a deep understanding of the platform’s security infrastructure, compromising the private keys of CoinEx’s hot wallets.
This breach wasn’t restricted to a single chain; the exploiters were able to steal funds across 9 distinct chains, deftly transferring them to their addresses. The total monetary loss was pegged at a significant $52.8 million.
The aftermath of the exploit saw the stolen funds remaining, at least for a time, in the attacker’s addresses, raising questions about potential recovery efforts and the future security protocols of the platform.
Block Data Reference
Attackers:
https://etherscan.io/address/0xCC1AE485b617c59a7c577C02cd07078a2bcCE454
https://etherscan.io/address/0x8bf8cd7F001D0584F98F53a3d82eD0bA498cC3dE
https://etherscan.io/address/0x483D88278Cbc0C9105c4807d558E06782AEFf584
Funds Holders as of Sep 13, 2023:
https://etherscan.io/address/0x2118e4432d668aCFa347ddBA0efCcc6BB04DB297
https://etherscan.io/address/0x40cBe7580168d52b7FEC884120B31115c3F7E37E
https://etherscan.io/address/0x1A61Df134d766f1e240FBFAEe79bBeCC04195f62
Funds Draining Transactions:
https://etherscan.io/tx/0x741b707155327440baec494cfbc50b52a6709fb8cf3bf9149fe7b47dc7fd5af5
https://etherscan.io/tx/0x9e8d4d98d815a1725031f7f5f92de42f999045bef70eedc64baf6c15ca230eaa
https://etherscan.io/tx/0x8d19b10330961d7742eba9ef4debd35d5deacfe77ba44a1f76d33595b5abddb0
4. Vyper — $50.5m Lost
The Vyper Compiler is a vital tool for writing smart contracts. A vulnerability in certain versions of the compiler facilitated an exploit, impacting several projects and resulting in losses of over $50 million. Notably, some of these funds, approximately $6.8 million, were eventually returned.
Block Data Reference
Curve Pools:
Exploiters:
https://etherscan.io/address/0xb752def3a1fded45d6c4b9f4a8f18e645b41b324
https://etherscan.io/address/0xc0ffeebabe5d496b2dde509f9fa189c25cf29671
Malicious Transactions:
https://etherscan.io/tx/0xcd99fadd7e28a42a063e07d9d86f67c88e10a7afe5921bd28cd1124924ae2052
https://etherscan.io/tx/0x2e7dc8b2fb7e25fd00ed9565dcc0ad4546363171d5e00f196d48103983ae477c
JPEG’d:
Exploiter:
https://etherscan.io/address/0x6ec21d1868743a44318c3c259a6d4953f9978538
Malicious Transaction:
https://etherscan.io/tx/0xa84aa065ce61dbb1eb50ab6ae67fc31a9da50dd2c74eefd561661bfce2f1620c
Alchemix:
Exploiter:
https://etherscan.io/address/0xdce5d6b41c32f578f875efffc0d422c57a75d7d8
Malicious Transaction:
https://etherscan.io/tx/0xb676d789bb8b66a08105c844a49c2bcffb400e5c1cfabd4bc30cca4bff3c9801
MetronomeDAO:
Exploiter:
https://etherscan.io/address/0xc0ffeebabe5d496b2dde509f9fa189c25cf29671
Malicious Transaction:
https://etherscan.io/tx/0xc93eb238ff42632525e990119d3edc7775299a70b56e54d83ec4f53736400964
Funds Returning Transaction:
https://etherscan.io/tx/0x650a73bfff233815ec6c4de22f105ddff8d5194d10b7375b3cdcd23ec6469f9a
5. Stake — $41.4m Lost
Stake.com, a renowned crypto gambling protocol, reported a significant breach early in September 2023. This exploit wasn’t confined to a single vulnerability but spanned across multiple blockchain networks, including Ethereum, Polygon, and Binance Smart Chain. Specifically, attackers exhibited expertise by compromising the private keys of Stake.com’s hot wallets.
This enabled them to drain a diverse range of tokens, with the cumulative losses reaching an alarming sum of $41.4 million.
Currently, the exploiter addresses still held a significant sum of over $13 million across the three chains.
Block Data Reference
Ethereum
Attacker Address:
https://etherscan.io/address/0x3130662aece32f05753d00a7b95c0444150bcd3c
Funds Holders as of Sep 07, 2023:
https://etherscan.io/address/0x94f1b9b64e2932f6a2db338f616844400cd58e8a
https://etherscan.io/address/0xbda83686c90314cfbaaeb18db46723d83fdf0c83
https://etherscan.io/address/0xba36735021a9ccd7582ebc7f70164794154ff30e
https://etherscan.io/address/0x7d84d78bb9b6044a45fa08b7fe109f2c8648ab4e
Transactions:
https://etherscan.io/tx/0x98610e0a20b5ebb08c40e78b4d2271ae1fbd4fc3b8783b1bb7a5687918fad54e
https://etherscan.io/tx/0x4629b7622c1beba84fdbbac78432fe06707894c8ed40811b1b70815e8a7efe7a
Binance Smart Chain
Attacker Address:
https://bscscan.com/address/0x4464E91002c63a623A8A218bD5Dd1f041B61ec04
Funds Holders as of Sep 07, 2023:
https://bscscan.com/address/0xff29a52a538f1591235656f71135c24019bf82e5
https://bscscan.com/address/0x0004A76E39d33EDfeAc7FC3c8d3994f54428a0be
https://bscscan.com/address/0x95b6656838a1d852dd1313c659581f36b2afb237
https://bscscan.com/address/0xbcedc4f3855148df3ea5423ce758bda9f51630aa
https://bscscan.com/address/0xe03a1ae400fa54283d5a1c4f8b89d3ca74afbd62
Transactions:
https://bscscan.com/tx/0xcc696992ac198e8fadd91dbacb8292e9ac23584e111e1e6fafa965de6ece97f0
https://bscscan.com/tx/0x232267ed159684b84e0355ea16c4cc92667371f3bc8cbc01b023620b20f0f37b
https://bscscan.com/tx/0x65ba9579dce9948a6ba7e15211c8dd002811982d9b23838dc0942239ff238e52
Polygon
Attacker Address:
https://polygonscan.com/address/0xfe3F568d58919B14aFf72BD3F14e6f55Bec6C4E0
Funds Holders as of Sep 07, 2023:
https://polygonscan.com/address/0xa26213638f79f2ed98d474cbcb87551da909685e
https://polygonscan.com/address/0xf835cc6c36e2ae500b33193a3fabaa2ba8a2d3dc
https://polygonscan.com/address/0xa2e898180d0bc3713025d8590615a832397a8032
https://polygonscan.com/address/0x32860a05c8c5d0580de0d7eab0d4b6456c397ce2
Transactions:
https://polygonscan.com/tx/0x30dab44e09593c6aae593fe8b8384d07c51a23b5c9307444f1c293eb7c5f4858
https://polygonscan.com/tx/0x630466d8ac04e0278839e4cac76886d97fa750a71e43d60fe8100eb51ca4178a
Conclusion
To conclude, Q3 showcased considerable financial setbacks, underscoring the ever-present and evolving risks within the crypto sector. Despite the growth and advancements in DeFi, the quarter was a testament to the intricate challenges that lie ahead in terms of security. As the landscape continues to expand, it becomes imperative for stakeholders to bolster their security infrastructure and prioritize rapid responses to emerging threats.
The substantial losses witnessed this quarter serve as a stark reminder of the inherent vulnerabilities in DeFi engagements. Investors are urged to be vigilant, taking the time to understand the nuances of the platforms they engage with and to implement robust safeguards for their assets. At De.Fi, we understand the complexities of the current DeFi environment. In line with this, we remain steadfast in our mission to equip our users with the necessary insights and tools to navigate this dynamic industry with confidence and foresight.
About De.Fi
De.Fi is an all-in-one Web3 Super App featuring an Asset Management Dashboard, Opportunity Explorer, and home of the world’s first Crypto Antivirus powered by the largest compilation of hacks and exploits, the Rekt Database. Trusted by 850K users globally, De.Fi aims to drive DeFi adoption by making the self-custody transition as simple and secure as possible. Backed by Okx, Huobi, former Coinbase M&A, and used by large companies worldwide, including University College London and Coingecko.
Website | Twitter | De.Fi Security | Rekt Database
October 3 • 11 minutes
In this blog, we'll walk through what Gnosis token approvals are and how you can audit + revoke them using the free De.Fi Shield tool.
April 19 • 7 minutes
During Q1 2024 ... total losses amounting to $414,875,820 across a range of exploits and security incidents.
April 1 • 10 minutes
Among the many options available, Phantom Wallet has emerged as a popular choice for those in the Solana ecosystem, sparking questions about its safety, legitimacy, and features.
March 22 • 17 minutes
A total of $148,690,165 was lost across various platforms and chains due to diverse exploits.
March 2 • 11 minutes
Celo token approvals can go by many names including token permissions, smart contract permissions, token allowances, etc.
February 23 • 7 minutes
The top three largest governance hacks resulted in $414M in losses over the years
February 12 • 5 minutes
© De.Fi. All rights reserved.
