New Delhi: The total amount of money lost to hacks and breaches of web3 platforms has crossed $2 billion in the first half of 2022, exceeding the total volume of breaches seen globally in 2021. According to US-based cyber security firm CertiK, this could see crypto and blockchain hacks grow 3.23x year-on-year (YoY) this year, with little sign of letting up.
According to the Web3 Quarterly Security Report for Q2 2022 by CertiK, the second quarter of the year saw over $870 million lost to web3 hacks and breaches. Interestingly, flash loan breaches saw a massive uptick during this quarter — while Q1 saw $14.2 million lost in flash loan attacks, the period between April and June saw over $308 million lost in similar attacks.
Flash loans are instantaneous, uncollateralized crypto loans offered by blockchain networks, which use smart contracts to set out a number of conditions that a borrower needs to fulfill. If the borrower fails to meet them, the smart contract fails and the loan is nullified.
Breaches such as the $182 million attack on stablecoin project Beanstalk Farms, and the $79 million hack of fellow stablecoin project Fei Protocol, are among the biggest contributors to the sharp uptick in flash loan exploits.
The hacks represent an increasing number of breaches of flash loan services offered by decentralised finance (DeFi) platforms, which cyber security experts around the world have said is a growing concern arising out of coding flaws within these platforms.
Speaking to Mint, Akshat Jain, co-founder and chief technology officer (CTO) of cyber security firm Cyware, said that one key reason such breaches have steadily grown is the lack of emphasis on security in DeFi platforms, blockchain networks and crypto wallets.
“Over the past two years, a number of web3 platforms grew at breakneck speed, during which they largely focused on onboarding more users and adding features to their platforms. However, this also meant that apart from a select few, most of them did not put in any effort in the security department. Some, till date, do not even have an information security officer,” Jain said.
This, he added, led to zero-day attacks being left for attackers to exploit at will.
Jain also added that while a select number of users have invested heavily, the amount invested by users in web3 — particularly in India — is largely small. “This often leads to users falling prey to social engineering attacks and phishing scams, where attackers promise ‘too good to be true’ returns to steal crypto wallet keys,” he said.
Such attacks are reflected in CertiK’s report as well, which said that rug-pulls, which see attackers gain a user’s trust before disappearing with their investments, amounted to $37.5 million in losses in Q2 this year.