Back to all stories
Incident Analysis
March 2023 Monthly Report
March 2023 Monthly Report


In the first quarter of 2023, CertiK identified $320,281,458 lost in a total of 202 attacks, scams, and exploits across the Web3 industry. March saw an aggregate loss of $240,467,801 in 76 attacks.bThis is a 464.5% increase from February, which saw aggregate losses of $51,766,125 in 71 attacks.

Exit scams accounted for approximately $8,963,929 in losses across 39 incidents and made up 3.7% of the overall funds lost in March. Major exploits (losses over $100,000) saw losses totaling $238,412,538 with 25 incidents recorded. The total number of major attacks is lower than February’s 29 recorded incidents. However, the amount lost in these attacks is 471.7% higher. March saw the lowest number of flash loan attacks with 14 attacks recorded, but saw a $206,278,492 loss which is the highest number seen since the beginning of the year . Discord hacks have decreased considerably with 31 compromised Discord servers recorded this month. This represents a 40% decrease in Discord hacks compared to last month.

Major Exploits

In March there were a total of 23 major attacks. This is the second fewest number of attacks recorded since February 2022, which saw 21 major attacks. An average of $10,149,676.00 was lost per attack, which is a significant increase from the average of $1,742,748.00 per attack in the month of February.

The largest exploit this month was the Euler Finance incident, which saw around $197 million lost. The Euler Finance exploit, which happened on the 13th of March, is the largest attack this year thus far. With assets borrowed from flash loan, the attacker first created a highly leveraged insolvent position through the unique mint() function of the Euler lending protocol as well as the vulnerable ‘donateToReserves()’ function within Euler’s pool contracts. The attacker then liquidated their position in the same transaction to gain a large amount of derivative eTokens before draining the pool through withdrawal. The attacker repeatedly called the attacks on 5 Euler Finance Pools to drain all them. Euler reached out to the attacker’s address via transaction input data. The exploiter, going by the name Jacob, has gradually been returning funds related to the hack, now totalling $177 million.

The second largest exploit was on 26th March. Kokomo Finance had conducted an exit scam on their KOKO token deployed on the Optimism blockchain, leading to a total loss of $4.5 million. Approximately 110 WBTC ($3 million) has been bridged to Arbitrum and BSC. According to the project’s Twitter, Kokomo Finance is an open source and non-custodial lending protocol. The deployer of KOKO Token, address 0x41BE, deployed attack contract cBTC. They then set the reward speed, paused the borrow and set the implementation contract into a malicious one. Address 0x5a2d approved the cBTC contract to spend the 7010 sonne WBTC. Since the implementation contract has been upgraded to the malicious cBTC contract, the attacker called 0x804edaad method to transfer sonne WBTC to address 0x5C8d. Finally, the address 0x5C8d swapped 7010 sonne WBTC to 141 WBTC (around $4.5m) for profit. Currently most of the project's socials have been deleted.

Exit Scams

February also saw a total of $8.8 million lost to exit scams from a total of 36 incidents. This represents a 24.9% decrease in the dollar value lost and a 24.1% increase in the number of incidents recorded since February. The largest exit scam recorded was from the Kokomo Finance exploit with $4.5 million taken in user funds. In total, this incident accounts for 49.2% of the confirmed losses from exit scams in February. Exit scams have remained relatively consistent with what was observed in February. The first quarter of 2023 has continued the trend seen in 2022. This month, losses to exit scams made up 3.7% of the total lost in February. February saw a higher number at 23.2% of the total losses attributed to exit scams. This can primarily be explained by the increase in profits loss due to Flash Loans.

Flash Loans

March 2023 saw a total of 14 flash loan attacks. The total number of losses for March were $206,278,492 with an average of $14,734,178 lost per incident. This is a 1,195% increase from February. March incidents were significantly lower than the 2022 average, which stands at $3.5 million lost per month. Overall, the amount lost due to malicious flash loan exploits was the second highest out of all months in 2022 and 2023 thus far.

The exploit on Euler Finance is by far the largest exploit of 2023 and accounts for approximately 70% of all funds lost this year. Furthermore, this is the largest flash loan exploit seen in over 14 months, with the only other incident that comes close being Beanstalk Finance who suffered an exploit in April 2022 amounting to a $182.2 million lost. It’s unusual to see such a large amount of funds lost to a flash loan during a bear market. The average loss per attack in 2022 was approximately $3 million and so far in 2023 is approximately $400,000.

Discord Hacks and Phishing

On 2 March the creator of a prolific toolkit known as Monkey Drainer announced they were closing shop and no longer supporting nor distributing the toolkit. The Monkey Drainer kit was provided to users free of charge but had a built-in method which gave the owner 20% of phishing activity. It is estimated Monkey Drainer generated $13 million for its owner. As a result we have recorded a 40% decrease in the number of Discords being compromised at 31 compared to February. Since the Monkey Drainer announcement rival wallet drainers have made an effort to take top spot with Inferno Drainer amongst the most popular. Whilst Discord compromises have decreased there has been a rise in the number of phishing sites that we have recorded via other means such as Twitter posts.

On 24 March and 30 March a scammer was able to phish two users for $4 million and $3.7million respectively after they inadvertently approved the scammer to spend their ERC20 tokens

Crypto phishing scammer Monkey Drainer shuts down services, according to CertiK.


Compared to February, there was an uptick in incidents targeting Web3 investors. In February, we recorded 71 total attacks, while in March we recorded 76 total attacks. Aggregate losses also significantly increased in March as funds lost totaled $240,467,801 compared to $51,766,125 previous month. This large increase in funds lost is mainly due to the Euler Finance exploit which represents 81.9% of all of the money lost this month due to exploits.