The third quarter saw the smallest losses from hacks that the industry has seen in the last three years, according to a report by cybersecurity company Hacken. About $460 million was stolen across 28 incidents. Still, the recovery rate was the lowest in recent years at only 5%. Hacken breaks down this data along with the broader state of Web3 security in Q3. It also discusses major types of attacks, the most affected project categories and strategies for mitigation.
Access control attacks remain the most detrimental
Exploits of access control mechanisms accounted for $316 million, or almost 70% of the total funds stolen in crypto hacks in Q3. In these attacks the perpetrators obtain the private keys (or, as in the WazirX case below, enough multisig signatures) that administer a smart contract. With that authority they either withdraw funds from the contract to their own wallets directly or upgrade the proxy's implementation to one that lets them do so. This is a key-management failure rather than a bug in the contract code, so a clean audit of the code does not protect against it.
Losses across various attack types in 2024. Source: Hacken
Smart contract vulnerabilities were second in Q3 losses. A common one is reentrancy: the withdrawal function makes an external call (sending funds to the caller) before it has updated the contract's own accounting, so the recipient can call back into withdraw while the balance check still passes. This is especially damaging for protocols with liquidity pools, which can be drained by a chain of recursive calls within a single transaction. Minterest was hit by one of the three reentrancy attacks in Q3 and lost $1.46 million; the report describes the execution of that hack in detail.
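As an added illustration, not code from the report or from Minterest, the following Python model reproduces the control-flow problem described above: a withdraw function that makes its external call before zeroing the caller's credit, a recipient whose receive hook re-enters withdraw until the pool is empty, and the checks-effects-interactions ordering plus a reentrancy lock that stops it. The pool, the deposit amounts and the receive hook are constructed stand-ins for a Solidity contract and its `.call`.

```python
"""Reentrancy in miniature: a withdraw() that calls out before updating state,
an attacker that re-enters it, and the checks-effects-interactions fix.
Added example, not the report's or any protocol's code. Amounts are arbitrary
units; the 'external call' is a Python method call on the recipient."""


class ReentrancyError(Exception):
    """Raised when a guarded function is entered while already executing."""


class InsufficientFunds(Exception):
    """Raised when a caller has no credit to withdraw."""


class VulnerablePool:
    """Pool whose withdraw() runs check -> interaction -> effect: the external call
    happens before the caller's credit is zeroed, so the caller can re-enter."""

    def __init__(self, deposits):
        self.balances = dict(deposits)           # credit per depositor
        self.reserve = sum(deposits.values())    # tokens the pool actually holds

    def withdraw(self, caller):
        amount = self.balances.get(caller.address, 0)
        if amount == 0:                          # check
            raise InsufficientFunds(caller.address)
        self.reserve -= amount
        caller.receive(self, amount)             # interaction: untrusted callback
        self.balances[caller.address] = 0        # effect, applied too late


class SafePool(VulnerablePool):
    """Same pool with checks-effects-interactions plus a nonReentrant-style lock."""

    def __init__(self, deposits):
        super().__init__(deposits)
        self._entered = False

    def withdraw(self, caller):
        if self._entered:                        # reentrancy guard
            raise ReentrancyError(caller.address)
        amount = self.balances.get(caller.address, 0)
        if amount == 0:                          # check
            raise InsufficientFunds(caller.address)
        self._entered = True
        try:
            self.balances[caller.address] = 0    # effect first
            self.reserve -= amount
            caller.receive(self, amount)         # interaction last
        finally:
            self._entered = False


class Attacker:
    """Depositor whose receive hook re-enters withdraw() while the pool has funds."""

    def __init__(self, address):
        self.address = address
        self.loot = 0

    def receive(self, pool, amount):
        self.loot += amount
        if pool.reserve >= amount:               # keep going while there is more to take
            pool.withdraw(self)                  # recursive call, same 'transaction'


def run_drain(pool_cls, deposits=None):
    """Run the attack against pool_cls; return (attacker loot, reserve left in pool)."""
    deposits = deposits or {"lp_a": 50, "lp_b": 30, "attacker": 10}   # constructed sample
    pool = pool_cls(deposits)
    attacker = Attacker("attacker")
    try:
        pool.withdraw(attacker)
    except (ReentrancyError, InsufficientFunds):
        # On the EVM the revert would undo the whole transaction; this model only
        # stops the nested call, so the attacker keeps its own legitimate 10 units.
        pass
    return attacker.loot, pool.reserve


if __name__ == "__main__":
    print("vulnerable:", run_drain(VulnerablePool))   # (90, 0): whole pool drained
    print("hardened:  ", run_drain(SafePool))         # (10, 80): only own credit
```

Against `VulnerablePool` the attacker's 10-unit deposit is paid out nine times, because each nested `withdraw` sees a credit that has not yet been zeroed; against `SafePool` the credit is zeroed before the call and the lock rejects the nested entry, so the second call fails. Either fix alone is enough; real code uses both because the lock also covers cross-function reentrancy that the ordering rule does not.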
Centralized exchanges endured the biggest losses
Centralized exchanges were the most-exploited project type by amount of funds. The largest incident was the July 18 hack of India's WazirX, whose Ethereum multisig wallet was compromised. The attacker obtained three signatures from exchange employees and one from Liminal, a digital asset custody provider; with four of the six signatures required by the wallet's threshold, the actor was able to drain over $230 million. The stolen funds have yet to be recovered. The exchange and Liminal each ran independent audits and found no security breach on their side, which has fuelled debate about a possible inside job.
Largely because of the size of the WazirX hack, centralized exchanges recorded the highest losses in Q3. Yield aggregators and cross-chain bridges come next in the statistics, although bridges were compromised on only three occasions. One victim was Ronin Bridge, but luckily for its users a white hat MEV bot front-ran the malicious transaction and returned the funds shortly afterward.
Losses to crypto hacks across different project types. Source: Hacken
Lending and borrowing protocols lost $19.6 million in Q3. Even industry leader Aave fell victim to an exploit of a periphery contract, which resulted in a loss of $56,000. That attack was executed in a single transaction, so there was no window in which it could have been spotted or stopped. Most decentralized finance (DeFi) exploits, by contrast, span several transactions, such as a malicious proxy upgrade followed by the withdrawal it enables, or a series of consecutive withdrawals from a pool. The gap between the first malicious transaction and the actual theft is where continuous monitoring of contract state, combined with an immediate pre-planned response, can limit the damage.
The Automated Incident Response Strategy system developed by Hacken can be customized to provide such protection. It can be triggered to pause a smart contract when predefined conditions are met, or to freeze funds withdrawn in a suspicious transaction. According to Hacken, about 28.7% of the losses from DeFi hacks in Q3 could have been prevented if the target projects had used monitoring and automated incident response systems.
The Nexera exploit — a case study
An attacker exploited the DeFi protocol Nexera and drained 47.2 million NXRA, the platform's native token. The attacker managed to swap 15 million NXRA before the team was able to pause the contract. The attack resulted in a loss of $1.5 million.
With Hacken's Automated Incident Response Strategy, the pause function could have been programmed to fire the moment the proxy was upgraded, which is the earliest on-chain signal of this kind of attack. Once the contract is paused, no tokens can be transferred, so the drained NXRA could not have been swapped. This only helps if the pause is enforced by a contract or key the attacker has not already taken over. Five other cases in which the Automated Incident Response Strategy would have worked are discussed in the report, including a reentrancy attack on Penpie that caused $27 million in losses and a Ronin Bridge exploit in which $12 million was siphoned from the protocol (and, as noted above, later returned).
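The pause-on-upgrade rule described here, and the key and proxy takeover pattern from the access control section above, as an added example that is not Hacken's system or any protocol's code: a small Python guardian that reads decoded logs, matches the EIP-1967 `Upgraded(address)` event and OpenZeppelin's `OwnershipTransferred(address,address)` event, and records a pause decision whenever the new implementation or owner is not on a list approved in advance. The event topic hashes are the well-known keccak256 values of those signatures; the addresses, transaction hashes and log stream are constructed, and the `pause()` hook stands in for a guardian key submitting the contract's own pause transaction.

```python
"""Offline model of an automated incident response rule: pause a proxy when it is
upgraded to an unapproved implementation or its ownership moves to an untrusted
address. Added example, not Hacken's product. Logs are dicts shaped like
eth_getLogs results (address, topics, transactionHash, blockNumber); the sample
logs below are constructed. pause() only records the decision here."""

from dataclasses import dataclass, field

# keccak256("Upgraded(address)"): EIP-1967 event emitted on implementation change
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
# keccak256("OwnershipTransferred(address,address)"): OpenZeppelin Ownable
OWNERSHIP_TRANSFERRED_TOPIC = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"


def topic_to_address(topic: str) -> str:
    """An indexed address is ABI-encoded as a 32-byte word; the address is the low 20 bytes."""
    return ("0x" + topic[-40:]).lower()


def address_to_topic(address: str) -> str:
    """Inverse of topic_to_address; used only to build the constructed sample logs."""
    return "0x" + address[2:].lower().rjust(64, "0")


@dataclass
class Alert:
    rule: str
    contract: str
    tx_hash: str
    detail: str


@dataclass
class ProxyGuardian:
    approved_impls: dict        # proxy address -> implementations cleared by the release process
    trusted_owners: set         # admin addresses the team actually controls (e.g. its multisig)
    alerts: list = field(default_factory=list)
    paused: set = field(default_factory=set)

    def pause(self, contract: str) -> None:
        # Stand-in for a guardian key submitting pause(); transfers stop once it lands.
        self.paused.add(contract)

    def handle_log(self, log: dict):
        """Evaluate one log; return the Alert raised (and pause), or None."""
        contract = log["address"].lower()
        if contract not in self.approved_impls:
            return None                          # not a watched contract
        topics = log["topics"]
        alert = None
        if topics[0] == UPGRADED_TOPIC:
            impl = topic_to_address(topics[1])
            if impl not in self.approved_impls[contract]:
                alert = Alert("unapproved-upgrade", contract, log["transactionHash"],
                              f"implementation set to {impl}")
        elif topics[0] == OWNERSHIP_TRANSFERRED_TOPIC:
            new_owner = topic_to_address(topics[2])
            if new_owner not in self.trusted_owners:
                alert = Alert("untrusted-owner", contract, log["transactionHash"],
                              f"ownership moved to {new_owner}")
        if alert is not None:
            self.alerts.append(alert)
            self.pause(contract)
        return alert


# Constructed addresses (hypothetical, not real deployments).
PROXY = "0x" + "a1" * 20
APPROVED_IMPL = "0x" + "b2" * 20
ROGUE_IMPL = "0x" + "c3" * 20
TEAM_MULTISIG = "0x" + "d4" * 20
ROGUE_EOA = "0x" + "e5" * 20
OTHER_CONTRACT = "0x" + "f6" * 20


def sample_logs():
    """Constructed stream: planned upgrade, unrelated contract, hostile upgrade, owner grab."""
    return [
        {"address": PROXY, "transactionHash": "0x01", "blockNumber": 100,
         "topics": [UPGRADED_TOPIC, address_to_topic(APPROVED_IMPL)]},
        {"address": OTHER_CONTRACT, "transactionHash": "0x02", "blockNumber": 101,
         "topics": [UPGRADED_TOPIC, address_to_topic(ROGUE_IMPL)]},
        {"address": PROXY, "transactionHash": "0x03", "blockNumber": 102,
         "topics": [UPGRADED_TOPIC, address_to_topic(ROGUE_IMPL)]},
        {"address": PROXY, "transactionHash": "0x04", "blockNumber": 103,
         "topics": [OWNERSHIP_TRANSFERRED_TOPIC,
                    address_to_topic(TEAM_MULTISIG), address_to_topic(ROGUE_EOA)]},
    ]


def run_monitor(logs=None) -> ProxyGuardian:
    """Feed the log stream to a guardian configured for PROXY; return it for inspection."""
    guardian = ProxyGuardian(approved_impls={PROXY: {APPROVED_IMPL}},
                             trusted_owners={TEAM_MULTISIG})
    for log in (logs if logs is not None else sample_logs()):
        guardian.handle_log(log)
    return guardian


if __name__ == "__main__":
    for alert in run_monitor().alerts:
        print(alert.rule, alert.contract, alert.tx_hash, alert.detail)
```

The planned upgrade in the first log passes because the release process registered the new implementation beforehand; the second upgrade and the ownership transfer each trigger a pause. Two design points matter in practice: the rule must act on the upgrade or ownership event itself, not on the withdrawal that follows it, and the pause authority must live with a key or contract the attacker cannot reach with the credentials they have just taken.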
Hacks that could have been averted with the Automated Incident Response Strategy. Source: Hacken
The opinions expressed in this article are for general informational purposes only. They are not intended to provide specific advice or recommendations for any individual or on any particular security or investment product.