So far in 2022, ~$2.8 billion has been lost to various scams and exploits in the Web3 world, with a total of ~508 attacks recorded this year. October saw a significant 42.8% increase over last month, with 40 major attacks recorded compared to 28 in September, and an average loss of $7,245,027 per attack. Although major attacks increased this month, exit scams slightly decreased, with a total of ~$6,282,700 lost across 25 incidents versus $7,063,197 across 26 incidents in September. Flash loan attacks also increased, with a total of 16 incidents recorded, which is the second highest count after April. Although the number of attacks increased, the amount lost to them is significantly lower than in other months, with $1,563,965 lost to flash loans. Discord and NFT scams have also significantly decreased over the past 2 months, with 35 incidents recorded this month versus 97 in August and 57 in September. Out of the 68 exploits recorded this month, 25 were deemed exit scams, 16 were analyzed as flash loan attacks, and 27 fell into other incident categories.
Major incidents in October amounted to $289,801,079, a 61% increase from September. This is the 6th month this year with major losses exceeding $250m, which means that this month is by no means unusual. As in previous months with losses exceeding $250m, the majority of the funds have come from one or two exploits.
The largest exploit in October came from Mango Markets, where an exploiter artificially manipulated the price of the Mango token, which was then sold for ~$116m. The hacker then leveraged their newly acquired MNGO tokens to submit a proposal allowing them to keep ~$40m worth of assets. Rather than being a vulnerability in a smart contract, this was more of a financial exploit.
The second largest exploit came from BSC Token Hub, which saw ~$110m lost. A hacker was able to take advantage of a critical vulnerability whereby the bridge didn't fully verify the Merkle proof against the root hash, which allowed the attacker to copy a legitimate proof and mint 1m BNB in two separate transactions. The hacker was able to bridge $110m to other chains including Ethereum and Fantom.
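The bug class described above, a proof that is checked for shape but never recomputed up to the trusted root, is easy to illustrate with a toy Merkle tree. The following is an added example written for this report, not code from BSC Token Hub or from CertiK; the tree layout, the SHA-256 hashing, the prefix bytes, the sample transfer payloads and the deliberately simplified `verify_proof_lax` are all constructed here to show the contrast, and do not reproduce the bridge's actual proof format.

```python
from __future__ import annotations
import hashlib


def _sha(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def leaf_hash(data: bytes) -> bytes:
    # Prefix bytes domain-separate leaves from internal nodes (constructed convention).
    return _sha(b"\x00" + data)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha(b"\x01" + left + right)


def build_levels(leaves: list[bytes]) -> list[list[bytes]]:
    """Return every level of the tree, leaves first and root last."""
    level = [leaf_hash(d) for d in leaves]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]  # duplicate the last node on odd-sized levels
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(leaves: list[bytes]) -> bytes:
    return build_levels(leaves)[-1][0]


def merkle_proof(leaves: list[bytes], index: int) -> list[tuple[bytes, bool]]:
    """Sibling path from leaf `index` to the root as (sibling_hash, sibling_is_left)."""
    levels = build_levels(leaves)
    proof = []
    for level in levels[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]  # same padding rule as build_levels
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_proof(leaf_data: bytes, proof: list[tuple[bytes, bool]], trusted_root: bytes) -> bool:
    """Strict check: fold the path from the leaf and require equality with the trusted root."""
    acc = leaf_hash(leaf_data)
    for sibling, sibling_is_left in proof:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc == trusted_root


def verify_proof_lax(leaf_data: bytes, proof: list[tuple[bytes, bool]],
                     trusted_root: bytes, expected_depth: int) -> bool:
    """Stand-in for the bug class: validates the proof's shape but never recomputes
    up to trusted_root, so a proof copied from any legitimate leaf is accepted."""
    return len(proof) == expected_depth and all(len(s) == 32 for s, _ in proof)


def demo() -> dict[str, bool]:
    # Constructed sample: four cross-chain transfer payloads committed under one root.
    leaves = [b"transfer:alice->bob:1", b"transfer:carol->dave:2",
              b"transfer:erin->frank:3", b"transfer:grace->heidi:4"]
    root = merkle_root(leaves)
    legit_proof = merkle_proof(leaves, 1)
    forged_leaf = b"transfer:attacker:1000000"  # payload never committed to the tree
    return {
        "legit_strict": verify_proof(leaves[1], legit_proof, root),   # True
        "forged_strict": verify_proof(forged_leaf, legit_proof, root),  # False
        "forged_lax": verify_proof_lax(forged_leaf, legit_proof, root, len(legit_proof)),  # True
    }


if __name__ == "__main__":
    print(demo())
```

The strict verifier rejects the forged payload because the recomputed root no longer matches, while the lax check passes it: the defender's check that matters is the final equality with a root the verifier already trusts, not the well-formedness of the path.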
October saw exit scam losses of $6,282,699, a 10.7% decrease from September. These losses came from 25 confirmed incidents, which is the same number of exit scams as last month. The $6.28m in losses is near average for the year, with 6 out of 10 months this year seeing exit scam losses between ~$6m and ~$8m. The largest exit scam was the JumpN $JST token. The JumpN project rug pulled for a total of ~$3.1 million, initially taking $1.1 million on 08 October and a further $2 million on 11 October. CertiK originally put out a warning tweet in May 2022 alerting that JumpN was a potential honeypot, with community members reporting extreme difficulty selling tokens.
Similar to previous months, we witnessed numerous instances of tokens being used to wash money that have not been counted in our monthly statistics. These daily occurrences are classified as potential money laundering. The majority of these incidents were discovered on the BNB Smart Chain.
The month of October has been turbulent on all fronts, and flash loan attacks are no different. This month has seen the largest number of attacks at 16, the next closest month being April with 12. However, the month is on the lower end of total US dollars lost to attacks, with a recorded $1,563,965. Looking briefly back to September, this is a 35.5% decrease in the amount lost to flash loan attacks. An overall healthier month, but the sheer number of flash loan attacks is disconcerting. To show how much of a statistical outlier this month is compared to the other months of the year, it is currently the only month this year with an average loss per attack below $100,000, sitting at $97,748. To conclude this overview of flash loans: in 2021 we recorded approximately 48 flash loan attacks in total. This year, with two months left to go, we have already recorded 82 flash loan attacks.
The most significant flash loan attack occurred on the EFLever vault. On October 14, 2022, the attacker deposited 0.1 ETH to the EFLever Vault contract and then took a flash loan from the Balancer Vault into EFLever. The attacker then tried to withdraw its tiny deposit, which drained the EFLever balance, including the 560 ETH flash loan. The total loss was around 268 ETH, approximately $348K USD at the time.
Stay vigilant: flash loan attacks remain at the forefront of attack losses in 2022 and can cost upwards of $182 million, as made evident by attacks such as the one on Beanstalk Farms. Trends continue to show a decrease in amounts lost but also a stark increase in the sheer number of attacks.
Our current projection for the amount of loss strictly from flash loan attacks in 2022, based on current data, is $412,263,460. This is down over $43,000, or ~9.5%, since our last prediction in September, continuing the trend of decelerating flash loan profits.
October has continued the downward trend in the number of Discords being compromised per month. In September we recorded 57 compromised Discord servers which was already a welcome decline on the 97 seen in August. That number is now just 35 in October.
Part of the decline will certainly be attributed to the arrest of 5 French scammers on 12 October. Two of the scammers, known as ‘Mathys’ and ‘Camille’, have been linked to millions of dollars worth of NFT thefts, including numerous Bored Ape NFTs.
We have also noticed a slight change in the method by which NFT transfers are approved during a phishing scam. Prior to a Metamask update, which now makes it clear what permissions you grant when approving a transaction, phishing sites would simply ask a user to approve a transaction that allowed scammers to transfer your NFTs. In this type of transaction the scammer’s wallet is clearly shown. In the last 2 months there has been a shift: phishing sites now ask you to approve a signature instead, as Metamask doesn’t provide any details on what a user is signing. This change has obscured the scammer’s wallet address, which has also made it more difficult to identify the wallets used in phishing.
Although there has been a decline in the overall number of Discord compromises, we continue to see high-profile phishing incidents. On October 25, a scammer known as ‘Monkey Drainer’ was able to steal over 700 ETH from victims who fell for phishing links that had been posted on Twitter.
Overall, October is the fifth highest month for major incidents this year, with a total loss of ~$289.8m, which accounts for 10.2% of all losses for 2022. Big scams like Mango Markets, BSC Token Hub, Transit Finance, JumpN and Moola Market, amongst other exploits, account for the majority of these losses. The battle to secure the web3 space is greater now than ever, and smart contract security auditing and KYC, services provided by CertiK, help not only to secure protocols but also to guide the average ‘hodler’ to safer projects.