In April 2023, CertiK published an analysis of Web3 projects that had been hacked or exploited between October 2020 and April 2023 which saw some some or all funds returned after trying to negotiate with their attackers. This report serves as an update on those findings, covering the period between 4 April and 18 September. Between 2020 and September 2023 the number of negotiated returns have increased year over year, with a 54.5% increase occurring in 2023 thus far. During the initial period covered in our previous report, there was no clear trend in terms of the amounts lost and the amounts returned. However, under current bear market conditions and decreasing overall funds invested in Web3 ecosystems we have seen a trend emerge. In incidents where returns occur, less money is being stolen and even less is being returned by attackers despite the number of incidents increasing.
In April, 2023 CertiK assessed a growing trend in the Web3 industry where projects targeted by malicious actors were able to negotiate a full or partial return of funds from their attackers. Since CertiK began recording these types of returns in 2020, we have seen an increasing number of negotiated settlements year-over-year. Our previous report on this topic examined 25 protocols from 2020 to April 2023 and their efforts to get funds returned following an incident.
To provide additional context, CertiK began recording incident data in February 2020. The first instance we noted of a negotiated return occurred on 25 October, 2020. Since we began collecting this data we have logged nearly $10.75 billion in total losses. The amount of funds lost in incidents where returns were negotiated between October 2020 and April 2023, which are covered in our previous report, are totaled below:
Approximately $1.35 billion in funds were stolen
Approximately $992 million in funds were returned (73%)
Approximately $314.5 million was kept by attackers (23.1%)
The remaining 3.9% of funds were either lost or frozen during the process
Funds were returned under a variety of circumstances, including:
At the behest of attackers who claimed they were trying to point out flaws in protocol design
After increasing pressure was put on attackers by projects and projects writing off the incidents as “white hat” bounties
After significant pressure from communities, including threats to dox an attacker following the incident
Given nearly 75% of stolen funds were eventually returned, we concluded that it’s in the best interest of projects and communities to attempt to negotiate with their attackers.
But does this trend hold true through the rest of the 2023? It has been nearly six months since we released our first report, and in that time the Web3 community crossed a significant annual milestone with over $1 billion lost to hacks, exploits, and scams. You can read our deep dive on this here. In this time we saw the number of incidents increase dramatically, though the amount lost compared to previous years dropped. Have we seen increasing numbers of projects having stolen funds returned? Is this trend continuing at the exponential pace it seems to have set thus far? This report seeks to further examine these trends looking at incidents from 5 April, 2023 to the present.
There has been a dramatic increase in the number of projects that have negotiated and subsequently had some or all of their funds returned. According to our data, the number of negotiated returns increased six-fold between 2020 and 2021, while nearly doubling again between 2021 and 2022, and increasing 54.5% in 2023 so far. There was only one notable fund return event that occurred in 2020 following an attack against Harvest Finance where $2.5 million was returned of the approximately $24 million stolen. While this was more of an arbitrage event than an exploit or hack, it signaled a shift in how the industry would attempt to handle these issues.
The growth of this trend is highlighted below, including the number of negotiated returns from between April 2023 - September:
When we look at the data collected for our previous report there is no apparent trend with regard to the amount of funds that were stolen. The amount stolen per incident varied greatly incident to incident.
Aside from a few outliers, the majority of incidents saw less than $30 million in losses. Many experienced only several million in losses and others less than one million. One significant incident that targeted Poly Network for $610,000,000 makes the scale of this difficult to visualize. To better demonstrate the differences in scale here we have included one bar chart that includes the Poly Network incident, which is dated 8 August, 2021, and one without:
Similarly, we can’t pinpoint any trends in funds being returned as they appear to be highly context dependent. To try and make better sense of this, we will delve further into what transpired between projects and attackers later as different negotiation strategies likely influenced the amounts that were ultimately returned.
Since CertiK started documenting instances of funds being returned in 2020, the trend has been on an upward trajectory, with an increasing number of negotiated settlements each year. However, when we include data from April 2023 to present and examine in the context of all our data collected from 2020, we see a noticeable downtrend in both the amount of funds lost and funds returned. This is partly influenced by several outlier incidents including the incident targeting unshETH (31 May, 2023) where negotiations are ongoing, Atomic Wallet (4 June, 2023) where a fraction of funds were retrieved with the help of ZachXBT and others, and Hashflow (14 June, 2023) where all funds were returned as the hacker involved was a legitimate whitehat. This is also very likely influenced by the overall state of the crypto markets and the low levels of liquidity.
Funds lost and returned from all incidents for this time period and highlighted below:
When we aggregate our data for all incidents where negotiations or fund returns took place from 25 October, 2020 to present we see that our total figures have only increased slightly relative to our original findings published in April.
Approximately $1.53 billion in total funds have been stolen across all incidents covered in this time period
Approximately $997 million in total funds have been returned across all incidents covered in this time period (65%)
Approximately $478 million in total funds have been kept by attackers across all incidents covered in this time period (31.2%)
While it’s important to to recognize that these figures are comparing almost two and a half years' worth of data to just five months of new data the comparisons provide some additional clarity on what the continuation of this trend looks like. More incidents are occurring, less is being stolen per incident, and attackers are returning less even if offered bounties or after engaging in negotiations. Again, these trends are most likely a consequence of overall bear market conditions in the crypto industry and the overall absence of liquidity in the markets. While we can’t predict the future, it's highly probable that we see these trends shift again when the market turns around.
When projects are lucky enough to have a portion of their losses returned, it usually takes one of three forms.
Community-driven efforts, which can involve on-chain specialists or whitehat hackers identifying and exploiting a weak contract, ultimately restoring the misappropriated assets to their legitimate owners.
Proactive measures by security entities or whitehat hackers who preemptively intercept a breach, effectively reacquiring the stolen assets. Subsequently, the victims are presented with a recovery contract or an offer to repatriate a significant portion of the stolen funds.
Negotiated settlements, potentially involving legal channels or law enforcement. Typically, a bounty is offered to the offender, aiming to recoup a large chunk of the assets upon mutual agreement of terms.
Certain projects have managed to reclaim assets from their attackers by means of offering a bounty, threatening legal proceedings, or rallying the community to pitch in, either through ethical hacking or by mobilizing crypto sleuths.
A few projects experienced success with this strategy in the past year. Euler Finance, for instance, announced a $1 million bounty against their exploiter and threatened to involve law enforcement if funds were not returned. This move prompted the hacker to return the "salvageable" assets accompanied by an apology. Consequently, Euler Finance retracted the bounty they had instituted. Sentinel Protocol, exploited on 4 April, 2023 proposed a $95,000 bounty to the hacker who exploited their protocol. By 6 April, 2023 around 90% of the stolen funds had been restored.
Not every project experiences this degree of success. Filda Finance encountered a $2 million breach on 12 April, 2023 and despite their efforts to negotiate only a fraction of their losses were recovered. They managed to reclaim $229,000 USD and 21,000 DAI via on-chain communication. Nevertheless, the hacker remained in possession of the balance, even when Filda proposed a bounty in exchange for the $1.6 million being returned. This outcome isn't rare; Exactly Protocol experienced a similar impasse. After a $7.6 million breach, the team's $700,000 bounty offer went unanswered. Though this method showed early promise, its effectiveness seemingly dwindled during the latter part of 2023.
The past year saw several occasions when the crypto community united to aid in fund recovery. For example. Palmswap was compromised for $900,000 on 24 July, 2023. A few days post-incident, the organization declared that 80% of the stolen amount was retrieved via a whitehat operation. Furthermore, an exploit of the Vyper Compiler versions 0.2.15 to 0.3.0, exploiting a glitch in the reentrancy lock slots within the add_liquidity and remove_liquidity functions, led to a staggering loss of $50 million. Yet, thanks to a whitehat hacker, $6.8 million was restored, limiting Vyper's total losses to about $43 million. In June 2023, on-chain professionals collaborated to salvage funds from Atomic Wallet's $115 million breach, culminating in the recovery of $1.2 million.
There were also instances where whitehat hackers preemptively identified and exploited vulnerabilities to highlight them. This tactic became evident when Hashflow was compromised for $600,000, but a whitehat presented a fund recovery contract. Similarly, EDE Finance was compromised by a whitehat in May, who exposed the project's oracle vulnerabilities after seizing assets worth $658,370 USD. The hacker subsequently conveyed their actions through an on-chain message:
"All trades that were executed were using prices signed/produced by the devs which allowed anyone to take advantage of these prices and easily empty out the entire ELP pool with just a few transactions. The malicious activity involved intentionally signing incorrect prices to manipulate users' positions and steal their funds while implementing backdoors that allowed them to force liquidate any position they desired. The whole pool was always at risk as there were additional vulnerabilities present too provided you agreed upon certain terms."
The attacker ended up returning $420,170, but ultimately kept the rest.
2023 has undeniably been a volatile year for the cryptocurrency industry, with CertiK documenting losses surpassing $1 billion as of early December. Despite this, there have been instances where the crypto community succeeded in recuperating some of these losses, albeit inconsistently across the year.
In the first quarter of the year, major exploits accounted for a total of $221.5 million. Impressively, approximately $188 million, which translates to 84.8% of these losses, were successfully returned.
However, the subsequent months saw a downturn in this recovery rate. From April onwards, nine significant exploits led to $175 million in losses, but just $11.5 million was recovered. This marks a sharp drop to a recovery rate of just 6% for this period.
The disparity in these figures underscores the dynamic and unpredictable nature of the crypto industry, emphasizing the importance of continuous vigilance and the need for robust security measures.
Our comprehensive analysis of the $1 billion in losses underscores the evolving dynamics of cyberattacks in this sector. A significant trend emerges from the data: while the frequency of incidents is on the rise, the amount stolen during each breach has witnessed a decline.
This pattern continues when it comes to negotiated returns. The incidents where negotiations led to successful returns have increased, but the monetary value of these returns has declined.
One can speculate on the reasons for these trends. Bear market conditions seem to be a major influence. With lower-value assets in circulation, attackers might be assessing potential exploits with a more discerning cost/benefit lens. In simpler terms: if there's less gold in the vault, the heist might not be worth the effort.
Yet the persistence of negotiated returns, despite its reduced financial impact, is worth noting. This suggests that the method has merit. As the Web3 landscape continues to attract fresh projects and investors, we can anticipate a more widespread adoption of this strategy. After all, in a rapidly evolving ecosystem, adaptability is key.