Cyber-attacks targeting Web3 cost organizations $1.84bn in 2023 across 751 incidents, according to Certik’s Hack3d: The Web3 Security Report 2023.
The average cost per incident was $2.45m in 2023. However, there was a wide disparity between the losses suffered, with the 10 most costly attacks alone accounting for $1.11bn.
The highest costs occurred in Q3, where $686.5m was lost from 183 hacks.
The report, which examined hacks, scams, and exploits in the entire Web3 industry, found there was a 51% decline in losses from incidents in 2023 compared to 2022, when the total was $3.7bn.
However, a major factor for the reduction in losses is the fall in the value of decentralized finance (DeFi), with the time-weighted average value down by approximately 46% in 2023 compared to 2022.
How Do Attackers Target Web3?
Web3 is an internet service built using decentralized blockchains, designed to put control in the hands of the users.
However, this ecosystem comes with significant cyber-risks, with threat actors frequently stealing cryptocurrency from DeFi platforms.
The Certik report found that the attack vector that caused the highest losses was private key compromise, which accounted for $880.9m in costs across just 47 incidents.
Six of the 10 most costly Web3 security incidents were due to private key compromises.
The researchers said this highlighted the importance of secure private key management among Web3 users, advising practices such as:
- Use multi-signature wallets to distribute control across multiple parties
- Consider hardware wallets for high-grade key storage and cryptographic operations
- Keep backups of private keys in secure offline environments
- Define strict access control policies
- Regularly monitor and audit the use of private keys to detect any anomalies
Exit scams, in which the developers of a cryptocurrency withdraw their funds and abandon the project to profit at investors' expense, were the most common vector used to target Web3, at 308 incidents.
Code vulnerability and phishing also accounted for a large amount of losses across Web3, at $291m and $207m, respectively.
The report noted that wallet drainers continued to be a persistent threat in Web3 throughout the year. A drainer is a type of malicious software or script that allows attackers to “drain” assets from a victim’s wallet into their own.
Security breaches affecting multiple chains accounted for $799m of losses in just 35 incidents, which Certik said highlights cross-chain interoperability as a persistent pain point.
BNB Chain experienced the highest number of security incidents, at 387, which led to $134m in losses. This was followed by Ethereum, with 224 incidents and $686.9m in losses.
Rise of Retroactive Bug Bounties
Another significant trend identified in 2023 was “retroactive bug bounties,” which saw $219m of stolen funds returned across 36 events.
The report cited the case of Euler Finance, in which an exploit enabled an attacker to steal $197m in March 2023.
After the exploit, Euler offered a $1m bounty for information leading to the arrest of the attackers and demanded the return of the stolen funds.
The hacker ultimately returned approximately $147.8m and expressed remorse for the attack, leading to Euler withdrawing the $1m bounty.