So far in 2022, ~ $3.4 billion has been lost to various scams and exploits in the Web3 world and a total of 573 attacks recorded this year. November has seen a slight decrease from last month with 36 major attacks recorded. Although the number of attacks decreased, the loss per attack increased significantly with an average of $16,551,316 loss per attack versus $7,266,586 in October. Exit scams have also skyrocketed this month, with a 375.5% increase from October with a total of ~$29,876,968 losses and 35 incidents recorded in November versus $7,199,798 for 26 incidents in the month of October. The number of flash loan attacks decreased by half compared to last month with a total of 8 incidents recorded. However, losses increased: $5M was lost this month versus $1M in October. Discord and NFT scams have continued to decrease every month with 12 incidents recorded this month versus 97 in August and 57 in September. Out of the 62 exploits recorded this month, 35 were deemed exit scams, 8 were analyzed as flashloan attacks, and 19 fell into other incident categories.
The month of November saw a total of 36 major attacks. This is equivalent to the number of attacks we had in June. An average of $16,551,316 was lost per attack, which is a significant increase from the average of $7,266,586 per attack in the month of October.
The first major exploit was the FTX hack which saw a $477M loss. Moments after FTX filed for bankruptcy on November 11th, 2022 Ryne Miller, General Counsel at FTX tweeted that they were” investigating abnormalities”. On November 12th, 2022 a tweet from Ryne Miller said the company “initiated precautionary steps” and moved all its digital assets to cold storage, meaning the crypto wallet is no longer connected to the internet. There are numerous theories on how the hack had happened but most reports suggest it was an inside job. FTX ranks as the 2nd largest attack this year, behind the Ronin Bridge ($624M) in March. FTX is still an ongoing investigation and will be for quite some time.
The second largest exploit, which took place on November 2nd, 2022, was Derbit Exchange’s hot wallet exploit. A private key leak may have led to the loss of ~$28m in USDC, ETH and BTC across the Ethereum and Bitcoin chains. This is the third largest private key compromise of 2022. Derbit Exchange stated that the loss will be covered by company reserves. The Derbit Exchange claims to keep “99% of user funds in cold storage to limit the impact of these types of events”. They also stated that operations were not impacted by the event and that it is now impossible for any hacker to initiate withdrawals because it will now require additional human confirmation. They believe going forward that this will never happen again on their platform.
The third most significant loss, reported on November 13, 2022, was a recorded exit scam of $18.5M on Flare Token. This token is not related to Flare Networks. This Flare token did not have any social media accounts. As of right now the deployer who exit scammed is currently washing money via Tornado cash.
November saw losses of $29,876,968 which is a 375.5% increase from October. These losses came from 35 confirmed incidents which represents a 40% increase in the number of exit scams from last month. The $29.8M in losses is unusual for the year with 6 out of 11 months this year seeing exit scams losses between ~$6m - ~$8m. There was one major outlier in the exit scam statistics this month. The largest exit scam was the $FLARE token. The FLARE project rug pulled for a total of ~$18.5 million on November 13th, 2022. This event makes up the majority of funds lost in exit scams for the month of November.
Similar to previous months, we witnessed numerous instances of tokens washing money that have not been counted in our monthly statistics. These daily occurrences are qualified as potential money laundering. The majority of incidents were discovered on the BNB Smart Chain.
For the month of November there were fewer attacks compared to the month of October but the total number of losses was greater than. The number of total attacks at 8, was a significant decrease compared to October which had a total of 16 attacks. Though the number of attacks is fewer, the total number of losses for November was approximately $6 million, a staggering $5 million more than the previous month of October which totaled at $1M. An average of $637,378 was lost per attack, which is a significant increase from the average of $97,748 per attack in the month of October.
The most significant flashloan attack occurred on DFX Finance. At 8 PM UTC on Nov 10, 2022, DFX Finance's swapping contracts were attacked, leading to a loss of approximately $5M. The attacker took advantage of the vulnerable flashloan mechanism in the swapping contracts which bypassed the check of repaying the flash loan by depositing tokens to the contracts and then withdrew tokens from contracts after finishing the flash loan. The vulnerability lies in a design issue where the contract does not take into consideration that the flash loaned tokens can be used for deposit and finally “repay” flash loan.
Discord compromises have continued to fall for the 5th consecutive month, with just 12 recorded, for the month of November. The number of NFTs taken has remained high due to an incident on 27 November in which 253 NFTs were stolen. Those NFTs had a combined value of 44.95 ETH (~$52.5k). NFT hype appears to be at its lowest this year which is likely a contributing factor. The phishing exploit known as ‘Monkey Drainer’ is still active and is attributed to the aforementioned incident.
Overall, November saw the second largest amount of funds lost to hacks, exploits and scams this year. This figure is particularly high due to the hack on the FTX Exchange which amounted to $477m lost. This incident alone made up 79% of the total funds lost, and without it November would’ve been the third lowest month of the year regarding funds lost at $119.5m. Every month this year that has seen extremely high amounts lost has usually been because of the amount lost in one or two outlier incidents.