Web 3 security firm Beosin recently released its 2022 Q2 Web 3 Security Report, analyzing the latest hacks and exploits to impact the blockchain sphere. It found that over $718 Million were lost to related schemes during that time – most of which occurred in the defi space.
Break down the numbers
The report – produced in conjunction with Footprint Analytics – cites 48 major “attacks” as responsible for the losses. These attacks were far from equal: three alone (Beanstalk Farms, Elrond, and Harmony) each accounted for more than $100 million in losses, with 28 representing between $1 million and $10 million in losses.
Last quarter’s losses are technically a 40% drop from the near $1.2 million lost in Q1, 2022, but is still a 2.42 times increase from the $296.56 million lost in Q1 2021. Furthermore, losses in Q1 2022 were likely dominated by the infamous Ronin Bridge hack, which netted over $600 million for the attacker.
Data shows April was the busiest month for hacking, with “19 major security incidents” and over $374 million lost. Losses narrowed significantly in May alongside the price of Bitcoin, but saw an interesting spike in June despite the market continuing to decline.
“All chains and attacked projects saw a significant decrease in TVL values in May,” reads the report. “Most projects experienced a decrease in TVL immediately after they were attacked.”
The most common attacks
Decentralized finance (defi) was the overwhelming target of web 3 hackers. Defi allows crypto users to access financial services such as borrowing and lending in a decentralized way using smart contract programs auto -executables.
About 79.2% of attacks occurred in this space last quarter, accounting for 63.3% of losses. The most common attack method was to exploit vulnerabilities in smart contract code, netting hackers $138 million in total. These comprised 45.8% of attacks, compared to 50% of attacks in Q1.
The second most common method of attack involved the use of flash loans – challenge loans that do not require collateral but must be repaid quickly. Hackers often use flash loans to gain broad control over a given protocol’s governance token, allowing them to transmit malicious protocol changes. These attacks brought in $233 million in the second quarter, more than any other hacking method.
Another $131.15 million were lost to compromised private keys, around which security “continues to be a concern.”
52% of the attacked projects would have been audited. Audited projects still accounted for the vast majority (76.2%) of stolen funds.
BNB Chain: King of Hacks
As the longtime king of defi, Ethereum was home to $381.35 million in losses last quarter – more than any other chain. According to Defi Llama, nearly $48 billion is still locked in defi protocols on Ethereum, out of $77.11 billion across the entire ecosystem.
The network saw a significant recovery in defi’s market share after the collapse of Terra – the former number 2 defi network. The new runner-up is Binance Smart Chain (BSC; aka BNB Chain), which only holds 6, $21 billion blocked.
However, when broken down by the volume of major attacks, BNB chain accounted for 26 – more than half of them. The chain joins Ethereum, Fantom, and Cronos as having suffered major attacks for two quarters in a row. By contrast, Solana was walloped with $374 million in losses across two exploits in Q1 but suffered no major attacks in Q2.
Unsurprisingly, more than half of the funds stolen in the second quarter ($418.89 million) were transferred to Tornado Cash, a cryptocurrency mixing service that helps thieves cover their tracks on the blockchain. Of these funds, $131 million in assets were recovered.
