Hacks targeting the Web3 sector have decreased significantly over the past years, reaching their lowest level in three years.
According to a new report by Hacken, a blockchain security auditor, in collaboration with crypto compliance security and monitoring platform Extractor, only 28 incidents targeting Web3 projects were recorded in Q3 2023, marking a notable decline from 41 the prior quarter. The total value of stolen assets has also been falling steadily, declining 10% quarter-over-quarter (QoQ) to US$464 million in Q3 2024.
Released on October 04, the report provides an analysis of the current security landscape in Web3, highlighting improved Web3 security and the growing resilience of Web3 protocols. This positive trend is attributed to the adoption of stronger security solutions and best practices across the industry.
Smart contract vulnerabilities, access control attacks and reentrancy attacks dominate
Despite these advancements, certain threats continue to pose significant risks, requiring ongoing vigilance and proactive measures. The most prevalent attack types during the period included vulnerabilities in smart contracts, access control breaches, and reentrancy attacks.
Smart contract vulnerabilities are weaknesses or flaws in the code of blockchain-based contracts that are exploited by attackers. These flaws may arise from mistakes in the code, poor design, or insufficient testing of smart contracts. In Q3 2024, there were nine incidents involving smart contract vulnerabilities, leading to approximately US$42.3 million in losses.
Reentrancy attacks, meanwhile, involve a flaw in a smart contract where attackers can repeatedly call a function before the contract has finished executing. This allows the attackers to exploit the contract’s logic and drain funds. Though only three reentrancy attacks were recorded in Q3 2024, they resulted in over US$33 million in losses.
Notable attacks involving smart contract vulnerabilities that took place in Q3 2024 include the Terra Luna hack, which exploited a vulnerability first disclosed in April that resurfaced during a June upgrade, resulting in a US$6.5 million loss, and the Minterest hack, which exploited a reentrancy vulnerability on the Mantle Network, causing a US$1.4 million loss.
Access control attacks were another prominent threat to the Web3 industry in Q3 2024. These attacks occur when a malicious actor gains control over a wallet's seed or a contract's privileged functions, enabling them to arbitrarily withdraw funds from wallets or smart contracts.
Q3 2024 recorded eight such incidents, resulting in US$316 million worth of stolen funds. The amount represents nearly 70% of all stolen assets during the period.
One notable attack in this category was the WazirX exchange hack in July, which led to the loss of approximately US$230 million in investor funds. The hack targeted a multi-signature wallet belonging to WazirX and managed using the services of a digital asset custody company called Liminal.
Worst quarter for recovered funds
Another concerning trend observed in Q3 2024 was the minimal recovery of stolen funds. Only 5% of all losses, or US$23.5 million, were recovered or frozen during the quarter, marking the worst quarter in recent times. In comparison, Q2 2024 saw US$347 million being recovered or frozen (68%), while Q1 2024 had US$440 million (53%).
Looking at regional trends, the study found that most of the losses in Q3 2024 occurred in Asia. Though the region recorded just three incidents, these attacks netted a staggering US$264 million, representing 57% of total losses.
Centralized exchanges were the most lucrative target in Q3 2024, with criminals siphoning off US$295 million, or 64% of the total, through just three attacks.
Yield aggregators were the second-largest target, generating a total of US$35.4 million (8%) in stolen funds in Q3 2024. Yield aggregators are platforms that automate the process of staking and collecting the generated rewards on behalf of users.
Bridges were also a popular target in Q3 2024, with hacks on PolyNetwork, Li.Fi and the Ronin Bridge collectively netting US$28.7 million, or 6.2% of total losses.
Hacking activities have witnessed a resurgence this year in both the Web3 sector and the broader crypto industry. According to Chainalysis’ 2024 Crypto Crime Mid-year Update, cumulative value stolen through hacks this year through the end of July crested US$1.58 billion. That’s around 84.4% greater than the value stolen over the same period last year.
Additionally, the average amount of value compromised per event increased by a remarkable 79.46%, rising from US$5.9 million per event from H1 2023 to US$10.6 million per event in H1 2024, based on the value of the assets at the time of theft.
Featured image credit: edited from freepik