Web3 security incidents in November: 36 in total, with losses of $590 million

The number of major Web3 hacker attacks decreased slightly in November, but the average loss of the attacks increased significantly.

Written by: CertiK

Since the beginning of 2022, security incidents caused by fraud, scams and vulnerabilities in the Web3.0 field have caused losses of approximately US$3.4 billion, and a total of 573 attacks have been recorded this year.

In November 2022, CertiK recorded a total of 36 large-scale attack incidents. Although this was a slight decrease from the previous month, the loss per attack increased significantly. The average loss of large-scale attacks in November was approximately US$16.551 million, while the average loss in October was approximately US$7.267 million.

The number of exit scams also rose sharply this month, up 375.5% from October. A total of 35 events were recorded in November, with a total loss of approximately $29.877 million, compared to 26 events in October with a loss of approximately $7.2 million.

There were 8 flash loan attacks, half as many as last month, but the losses increased: $5 million was lost this month, compared to only $1 million in October.

We can also see that the number of Discord and related scam projects has decreased in recent months: 12 incidents were recorded this month, compared to 97 in August and 57 in September.

Of the 62 incidents recorded this month, 35 were exit scams, 8 were flash loan attacks, and 19 were classified as "other."

Large-scale attacks

There were 36 large-scale attacks in November, the same number as in June. The average loss per attack was about $16.551 million, a significant increase compared to the average loss of $7.267 million in October.

The largest attack this month was the FTX hack, which resulted in a total loss of $477 million. Shortly after FTX filed for bankruptcy on November 11, 2022, FTX's general counsel Ryne Miller tweeted that they were "investigating anomalies." The next day, Ryne Miller reported on Twitter that the company "initiated preventive measures" and moved all its project assets to cold storage wallets, which means that the project asset wallets are no longer connected to the Internet.

There are many theories about how the hack occurred, but most reports indicate it was an inside job. FTX was the second largest hack of the year, second only to the Ronin Bridge ($624 million) hack in March. The FTX incident is still under investigation and is expected to take quite some time to be resolved.

The second largest attack this month was the theft from the hot wallet of the Deribit exchange on November 2, 2022. A private key leak caused a loss of up to $28 million, making it the third largest private key leakage incident in 2022. The Deribit exchange stated that the loss will be paid from the company's reserves, so user funds will not be affected. The Deribit exchange claims to keep "99% of user funds in cold wallets to limit the impact of these incidents." They also stated that operations were not affected by the incident because additional manual confirmation is required and it is now impossible for any hacker to withdraw funds.

The third largest loss in November 2022 was caused by the Flare exit scam that took place on November 13, with a total loss of $18.5 million. The project does not have any social media accounts and has no connection with Flare Networks. As of now, the scam's operators are laundering funds in Tornado Cash.

Exit scam

In November 2022, losses due to exit scams amounted to $29.877 million, an increase of 375.5% from October. These losses came from 35 incidents confirmed by CertiK, which means that the number of exit scams increased by 40% from the previous month.

Looking back at the 11 months of this year, 6 of them have seen exit scam losses between $6 million and $8 million. That said, November's high exit scam losses are unusual. This is because FLARE's $18.5 million losses account for the majority of November's exit scam losses.

In addition, according to the data recorded by CertiK, as in previous months, there are still many cases of money laundering of project assets this month, but such incidents are not included in our monthly statistics.

Flash Loan Attack

Compared to October, there were fewer flash loan attacks this month, but the amount of losses was higher. There were 8 flash loan attacks totaling $6 million in losses, compared to 16 flash loan attacks in October, with a total loss of $1 million. In addition, the average loss per attack in November was $637,000, compared to an average loss of $98,000 per attack in October.

The largest flash loan attack this month was the DFX Finance attack.

At 4 a.m. on November 11, 2022, the DFX Finance swap contract was attacked, resulting in a loss of approximately US$5 million.

The attacker exploited a vulnerability in the swap contract's flash loan mechanism, bypassing the flash loan repayment check by depositing tokens into the contract, and then withdrawing tokens from the contract after the flash loan was completed. The vulnerability was caused by a contract design problem: the contract did not take into account that flash loan tokens could be used to deposit and eventually "repay" the flash loan.
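The design flaw described above can be shown with a simplified model. This is an added example, not code from CertiK or DFX Finance: the `Pool` class, the `simulate` function and all amounts are constructed for illustration. It compares a balance-only repayment check with a version that locks deposits while a loan is open.

```python
# Constructed model of a pool whose flash-loan repayment check only compares
# the pool's token balance before and after the borrower's callback.
class Pool:
    def __init__(self, guarded):
        self.balance = 1000              # tokens held by the pool
        self.shares = {"lp": 1000}       # liquidity owed to depositors
        self.guarded = guarded           # True: deposits are locked during a loan
        self.in_flash = False

    def deposit(self, who, amount):
        if self.guarded and self.in_flash:
            raise RuntimeError("deposit locked during flash loan")
        self.balance += amount
        self.shares[who] = self.shares.get(who, 0) + amount

    def withdraw(self, who, amount):
        if self.shares.get(who, 0) < amount:
            raise RuntimeError("insufficient shares")
        self.shares[who] -= amount
        self.balance -= amount

    def solvent(self):
        # Invariant: the pool holds at least what it owes depositors.
        return self.balance >= sum(self.shares.values())

    def flash(self, amount, callback):
        snapshot = (self.balance, dict(self.shares))
        before = self.balance
        self.balance -= amount           # tokens lent out
        self.in_flash = True
        try:
            callback(self, amount)
            if self.balance < before:    # balance-only repayment check
                raise RuntimeError("flash loan not repaid")
        except RuntimeError:
            self.balance, self.shares = snapshot   # model an on-chain revert
            raise
        finally:
            self.in_flash = False


def simulate(guarded):
    pool = Pool(guarded)
    try:
        # The borrowed tokens return as a deposit, which also credits shares.
        pool.flash(400, lambda p, amt: p.deposit("borrower", amt))
    except RuntimeError as err:
        return str(err), pool.balance, pool.solvent()
    return "loan accepted", pool.balance, pool.solvent()
```

In the unguarded run the balance check passes while the pool ends up owing depositors more than it holds, which is the condition a solvency invariant in tests or monitoring would flag.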

Discord and related scams

Discord attack incidents declined for the fifth consecutive month in November, with only 12 incidents recorded, but we still need to remain vigilant.

Final Thoughts

On a monthly basis, the amount of funds lost in November due to hacker attacks, vulnerabilities, and exit scams ranked second in the past 11 months of 2022.

The main reason for the high loss amount is the $477 million loss caused by the hack of the FTX exchange, which alone accounted for 79% of the total fund losses this month. Without this incident, the total loss amount in November was $119.5 million, ranking third from the bottom in the 11 months of this year.

In addition, every month in 2022 saw one or two extremely high-loss events occur, resulting in a relatively large total loss amount in a single month.

Overall, November was the second-highest month this year for the amount of money lost to large-scale attacks, a result that is inseparable from the "hard work and dedication" of extreme attacks.
