Hack3d: The Web3 Security Quarterly Report - Q3 2023

Welcome to Hack3d: The Web3 Security Report for Q3 2023. Hack3d serves as an essential resource and record of statistics for understanding security challenges and vulnerabilities in the Web3 space. It equips stakeholders with the knowledge and insights needed to fortify their defenses and make informed decisions in an increasingly high-stakes environment.

With more than $699 million lost across 184 security incidents, Q3 has been 2023's most eventful quarter. For reference, Q1 saw a total of $320 million lost and Q2 $313 million, so Q3's losses exceed the combined $633 million lost across all of H1 2023.

One of the most dominant threat actors in Web3 is the North Korean state-affiliated Lazarus Group. Lazarus is responsible for at least $291 million in confirmed losses this year. The group's sophisticated tactics have evolved to target Web3 personnel specifically, leveraging social engineering methods to compromise multiple platforms’ security. We’ll take a close look at Lazarus in this report.

Private key compromises have been another significant source of losses, accounting for $204 million across 14 incidents. The Mixin and Multichain incidents together were responsible for a further $325 million in losses; both may have involved compromised keys, but they are more accurately described as failures of centralized control, where a small set of keys (or a single operator) was enough to take over the protocol outright. Centralized control of private keys has proven to be a critical vulnerability, and one that is particularly galling to users who had been promised (though not provably delivered) decentralization. To address this, we've worked with a key partner to develop a new verification mechanism that helps users confirm that projects have adopted enhanced private key management solutions.

The lack of universal standards for software development remains a major issue in the Web3 space. A large share of hacks and smart contract exploits can be traced back to this absence of standards. For example, the rampant deployment of copy-paste forks without proper due diligence (from both developers and users) causes recurring losses, since a fork inherits every vulnerability of the code it copies. Shared standards would provide a framework for applying consistent security measures, reducing vulnerabilities and increasing the resilience of the entire Web3 ecosystem.

On the bright side, major financial institutions are beginning to meaningfully integrate on-chain technologies, indicating a shift towards blockchain adoption. However, this transition also brings new types of risks that must be carefully managed. We give our predictions for what the meaningful maturation of the industry may look like over the next six, twelve, and eighteen months.

CertiK regularly publishes a variety of technical and educational resources, and we’ll cover a selection of Q3’s highlights at the end of this report.

Until then, read on to arm yourself with the insights you need to navigate the Web3 world in safety.