So far in 2022, ~ $2,338,910,183 billion has been lost to various scams and exploits in the Web3 world and a total of ~377 attacks recorded this year. Just like in July, August has seen the same number of major incidents with 31 major attacks recorded. On the other hand, exit scams, flashloans, Discord and NFT scams have all decreased compared to last month’s. Out of the 44 exploits recorded this month, 33 were deemed exit scams, 7 were analyzed as flashloan attacks, and 4 fell into other incident categories.
Flashloan attacks have significantly decreased compared to July with a drop of 95% for these sorts of attacks cumulating to a $745,244 USD loss, the second lowest number logged this year after the month of February. Additionally, this month’s rug pulls and exit scams also have decreased from last month’s recorded incidents with a 25.9% drop, totalling a loss of $10,040,624. Finally, Discord hacks and NFT scams have also dropped compared to last month’s statistics with 86 incidents reported in August, a ~30% decrease from July’s numbers.
In August, there were 33 exit scams resulting in a total loss of $10,040,624, a 25.9% decrease from July. Nineteen were considered as a major exploit with profits over $100k which is a 5% increase from last month.
The largest exit scam was the Day of Rights $AMO token. Wallets associated with the project sold off large portions of the token which was sent to a wallet where the funds were aggregated. In total, ~$2m was taken from investors.
There was one outlier in the rug pull statistics in July that skewed the figures. Raccoon Network pulled off an IDO/fund raising exit scam which cost investors $32.7m, making it the most profitable exit scam this year as well as the 3rd highest attack over the past 12 months. If we subtract that from last month's figures we get the figure of $13,533,928 which is $3,493,304 difference between July and August. By discounting the Raccoon Network and Freedom Protocol exit scam, we see no significant divergence in trends between July and August.
We have seen many examples of tokens washing funds this month which we have not included in our monthly stats. This is because we associate these examples with likely money laundering activities that occur multiple times a day. Most of examples have all been found on the BNB Smart Chain and it’s currently unclear whether this increase is related to the sanctioning of Tornado Cash by OFAC.
The month of August presents a hopeful outlook for flashloan security. August boasts the lowest total amount lost since February this year and did not even break $1 million in loss. Over the course of 7 attacks, we recorded $745,244 in damages, an immense 95% decrease compared to the previous month of July. The average loss per attack this month was $106,463 the lowest amount we at CertiK have ever recorded for flashloans.
The most significant flashloan attack occurred on XStable where the attacker utilized price manipulation to secure approximately $366,975 in total. The protocol has since been self-destructed. Overall, flashloans remain a threat and this month may just be a statistical outlier but at the very least it shows progress in a positive direction.
Our current projection for the amount of loss strictly from flashloan attacks in 2022 based on current data is: $511,601,181. Down over $80,000 since our last prediction.
In the month of August there have been a total of 31 major attacks. This is equivalent to the number of attacks in July. An average of $7,013,378 was lost per attack, which is a significant increase from the average of $2,120,816 per attack in the month of July. The total amount of money lost in August compared to June’s exploits also increased in overall recorded attacks. The largest exploit this month was the Nomad Bridge exploit. In August, most attacks were reported between the 8th-13th, with a total of 12 attacks. Of those incidents, 6 were considered exploits, 4 were exit scams and 0 were flash loan attacks. Three of these major incidents stood out as they showed the most significant reported losses.
The first major exploit was the Nomad Bridge Exploit which saw a $190M loss. White hat hackers have returned $37.2 million of that exploit to date. The Nomad Bridge exploit, which occurred on August 1st, ranks as the 3rd largest attack this year, behind the Ronin Bridge ($624M) in March and Wormhole Bridge ($326M) in February. The vulnerability was in the initialization process where the “committedRoot” is set as ZERO. Therefore, the attackers were able to bypass the message verification process and drain the tokens from the bridge contract.
The second largest exploit, which took place consecutively on August 2nd, was Solana Wallets (Slope Finance). This attack recorded a total loss of ~$8M. Solana Wallets’ provider Slope Finance was identified as the source of the hack. After investigation by their devs, it appeared the affected addresses were at one point created, imported, or once used by Slopes’ mobile wallet app. The app, which had included a new third-party library, had sent secret phrases in cleartext and stored them on a server that was later compromised. Over 8,000 unique wallets were affected.
The third most significant loss, reported on the following day of August 3rd, was a recorded exploit of $4.8M on ZBExchange. A hot wallet private key compromise led to the loss. There does not seem to be a smart contract exploit, rather a compromised private key on the exchange's hot wallet. ZBExchange notified their community on August 2, 2022 that they are suspending deposit and withdrawal activities due to a “sudden failure of core applications”. The attack in fact took place on August 1st, but was almost certainly overshadowed by the Nomad Exploit that occurred that same day.
With the summer holidays in full swing we have seen a slight decrease in the number of Discord compromises as well as phishing attacks in general this month. July saw the highest number of Discord compromises this year with 123, this has dropped to 86 in August. Of the 97 Discord compromises, we investigated 26 wallets that were connected to phishing sites posted in the servers. 112 NFTs were taken with an average of just 4 per incident, the 4th month in a row the average per incident has declined, indicating that the NFT community is becoming more aware of these scams. In contrast Non-Discord related phishing scams (Twitter, Website, other Social Media) are having a much higher impact, in just 7 phishing incidents that we investigated 80 NFTs were taken at an average of 11 per incident.
The largest phishing incident recorded this month was a fake Twitter account imitating NFT project We All Survived Death taking 155 NFTs. The NFTs have a total floor price value at the time of incident of around 11.7 ETH. This is a fraction of the highest value incident on 16 August when 4x BAYC and an Otherdeed were taken, with a floor price value of 289.7 ETH ~$455k. As the summer holidays come to an end we expect to see an increase in the number of phishing scams so it’s important to remain vigilant and take a second before letting FOMO take over.