Over $718 Million Lost to Web 3 Hacks in Q2 2022: Report

Web 3 security firm Beosin recently released its 2022 Q2 Web 3 Security Report, analyzing the latest hacks and exploits to impact the blockchain sphere. It found that over $718 Million were lost to related schemes during that time – most of which occurred in the defi space.

Breaking Down the Numbers

The report – produced in collaboration with Footprint Analytics – cited 48 major “attacks” as responsible for those losses. These attacks were far from equal: three alone  (Beanstalk Farms, Elrond, and Harmony) each accounted for over $100 million in losses, with 28 making up between $1 million and $10 million lost.

Last quarter’s losses are technically a 40% drop from the near $1.2 million lost in Q1, 2022, but is still a 2.42 times increase from the $296.56 million lost in Q1 2021. Furthermore, losses in Q1 2022 were likely dominated by the infamous Ronin Bridge hack, which netted over $600 million for the attacker.

Data shows that April was the most active month for hacking, with “19 major security incidents” and over $374 million lost. Losses significantly decreased in May alongside Bitcoin’s price, but saw an interesting spike in June despite the market’s continued decline.

“All chains and attacked projects saw a significant decrease in TVL values in May,” reads the report. “Most projects experienced a decrease in TVL immediately after they were attacked.”

The Most Common Attacks

Decentralized finance (defi) was the overwhelming target among web 3 hackers. Defi allows crypto users to access financial services like borrowing and lending in a decentralized manner using self-executing smart-contract programs.

About 79.2% of attacks occurred in this space last quarter, accounting for 63.3% of losses. The most common attack method was to exploit vulnerabilities in smart contract code, netting hackers $138 million in total. These comprised 45.8% of attacks, compared to 50% of attacks in Q1.

The next most common attack method involved the use of flash loans – defi loans that don’t require collateral but must be paid back in short order. Hackers often use flash loans to amass vast control of a given protocol’s governance token, allowing them to pass malicious protocol changes. Such attacks netted $233 million in Q2 – more than any other hacking method.

Another $131.15 million were lost to compromised private keys, around which security “continues to be a concern.”

52% of attacked projects had reportedly been audited. Audited projects still accounted for the vast majority (76.2%) of stolen funds.

BNB Chain: King of Hacks

As the longtime king of defi, Ethereum was home to $381.35 million in losses last quarter – more than any other chain. According to Defi Llama, nearly $48 billion is still locked in defi protocols on Ethereum, out of $77.11 billion across the entire ecosystem.

The network saw a significant recovery in defi’s market share following Terra’s collapse – the former number 2 defi network. The new runner-up is Binance Smart Chain (BSC; aka BNB Chain), which holds just $6.21 billion locked.

However, when broken down by the volume of major attacks, BNB chain accounted for 26 – more than half of them. The chain joins Ethereum, Fantom, and Cronos as having suffered major attacks for two quarters in a row. By contrast, Solana was walloped with $374 million in losses across two exploits in Q1 but suffered no major attacks in Q2.

Unsurprisingly, over half of the stolen funds in Q2 ($418.89 million) were transferred to Tornado Cash – a cryptocurrency mixing service that helps thieves cover their tracks on the blockchain. Of those funds, $131 million in assets were recovered.