1. A Quick Summary 2
2. Introduction 3
3. Q1 & Q2 Key Statistics 4
A Quick Summary
Introduction:
Welcome to the QuillAudits Quarterly Report for 2023, a
deep dive into the Web3 security landscape across the first
two quarters. With the number of hacks in 2023 (351)
significantly surpassing the previous two years combined,
our mission to fortify digital assets against rising threats has
never been more critical.
01 Q1 & Q2 Key Statistics
Q1 & Q2 Key Statistics:
[Chart: number of hacks and amount lost per month, Jan to Jun 2023. Series: No. of Hacks (visible data labels 73, 72, 67, 49, 20) and Amount loss (visible data labels $216.72M, $164.70M, $106.56M, $66.57M, $39.27M, $14.40M); month order of the labels not preserved.]
Exploits by Type
[Chart: number of hacks and amount lost by exploit type: Smart Contract Vulnerability, Rug Pull, Flash Loan Attack, Logic Error, Private Key Compromise. Series: No. of Hacks (visible data labels 39, 36, 6, 4, 4) and Amount loss (visible data labels $225M, $110M, $43M, $31M, $10M); category order of the labels not preserved.]
First Two Quarters of 2023 as compared to 2022 & 2021
[Chart: number of hacks and amount lost in the first two quarters of 2021, 2022 and 2023. Series: No. of Hacks (visible data labels 53, 38, 351) and Amount loss (visible data labels $1.7B, $658M, $605M); year order of the labels not preserved.]
https://quillaudits.substack.com/
02 The $100M Club
$200M Exploit: Understanding the Euler Finance Attack
[Figure: Liquidation event emitted during the Euler attack. Source: Ethereum blockchain data]
The platform operates with two types of tokens - eTokens (assets) and
dTokens (debts). When users deposit crypto, they receive eTokens
equivalent to the deposited coins. As these eTokens accumulate
interest, they become more valuable than the original deposited
asset.
Users have a “health score” based on the ratio of their eToken value to their dToken value. A user needs more eTokens than dTokens to keep the health score above 1. Falling below 1 initiates a “soft liquidation”, in which the system transfers some eTokens and dTokens to the liquidator until the borrower’s health score returns to 1.25.
The exploit involved draining various tokens from the Euler protocol.
The attacker initiated a series of attacks using three different
Ethereum addresses. The first attack drained about $8.9 million worth
of Dai from the deposit pool, and this was repeated for other deposit
pools, leading to an aggregate loss of $197 million.
1. The attacker borrowed a large sum of DAI from Aave using a smart contract.
2. They deposited a portion of this loan into Euler and received eDAI tokens in return.
3. The attacker then minted a substantial amount of eDAI, which led to the generation of an equivalent amount of dDAI.
4. They paid off part of their debt by depositing more DAI into Euler, reducing their dDAI debt.
5. This enabled the attacker to mint more eDAI, thereby increasing their total eDAI minted.
6. After maximizing eDAI minting, the attacker destroyed a portion of eDAI, which plummeted their health score, triggering the liquidation process.
7. The liquidation process transferred debt from the attacker to the liquidator account.
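The health-score invariant behind the steps above, as an added model that is not Euler's code and not from the report: a hypothetical pool in which deposit, mint and repay are guarded by a health check, while the collateral-destroying operation of step 6 is guarded only when `check_burn` is set. With the check disabled the account ends below health 1 and becomes liquidatable; with it enabled the operation is reverted. All amounts are constructed.

```python
from dataclasses import dataclass

MIN_HEALTH = 1.0  # eToken value / dToken value must stay above 1 (per the report)

class UnhealthyAccount(Exception):
    """Raised when an operation would leave an account below MIN_HEALTH."""

@dataclass
class Account:
    e_tokens: float = 0.0  # collateral value (eDAI in the report's walkthrough)
    d_tokens: float = 0.0  # debt value (dDAI)

    def health(self) -> float:
        return float("inf") if self.d_tokens == 0 else self.e_tokens / self.d_tokens

class Pool:
    """Hypothetical pool model, not Euler's code. With check_burn=False the burn skips the check."""
    def __init__(self, check_burn: bool):
        self.check_burn = check_burn

    def _apply(self, acct: Account, d_e: float, d_d: float, checked: bool) -> None:
        acct.e_tokens += d_e
        acct.d_tokens += d_d
        health = acct.health()
        if checked and health < MIN_HEALTH:
            acct.e_tokens -= d_e  # revert the change, as a failed transaction would
            acct.d_tokens -= d_d
            raise UnhealthyAccount(f"health would drop to {health:.2f}")

    def deposit(self, acct: Account, amount: float) -> None:
        self._apply(acct, amount, 0.0, True)        # eTokens issued 1:1 for the deposit
    def mint(self, acct: Account, amount: float) -> None:
        self._apply(acct, amount, amount, True)     # equal eTokens and dTokens (step 3)
    def repay(self, acct: Account, amount: float) -> None:
        self._apply(acct, 0.0, -min(amount, acct.d_tokens), True)
    def burn(self, acct: Account, amount: float) -> None:
        self._apply(acct, -amount, 0.0, self.check_burn)  # destroys collateral only (step 6)

def run_sequence(check_burn: bool) -> tuple[bool, float]:
    """Replays steps 2-6 with constructed amounts; returns (burn_rejected, final_health)."""
    pool, acct = Pool(check_burn), Account()
    pool.deposit(acct, 30.0)    # e=30,  d=0
    pool.mint(acct, 200.0)      # e=230, d=200 -> health 1.15
    pool.repay(acct, 10.0)      # e=230, d=190 -> health 1.21
    pool.mint(acct, 20.0)       # e=250, d=210 -> health 1.19
    try:
        pool.burn(acct, 100.0)  # unchecked: e=150, d=210 -> health 0.71, now liquidatable
    except UnhealthyAccount:
        return True, acct.health()
    return False, acct.health()
```

The defensive point is that the post-condition check belongs on every state-changing entry point, not only on mint and borrow.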
Mitigating Future Attacks
In Conclusion
While the Euler Finance exploit was a significant setback for the DeFi
community, it provided valuable lessons. The attacker's decision to
return the funds mitigated the immediate losses. However, the event
underscores the need for continued diligence and better risk
management practices to safeguard the rapidly expanding DeFi
ecosystem.
$127M Ponzi scheme: The Canine Cryptocurrency Scam
In an unconventional twist to the burgeoning cryptocurrency world, a
South Korean company introduced an innovative blockchain
application, claiming to identify dogs by their unique nose wrinkles.
The project was paired with a proprietary cryptocurrency and
promised high investment returns.
Beware of "Too Good to be True" Offers: Promises of high returns
in a short span should raise red flags. A legitimate business will
never guarantee short-term, high profits.
BonqDAO's $120M Oracle Hack
BonqDAO, a decentralized autonomous organization (DAO), recently
fell victim to a sizable smart contract exploit, leading to an estimated
loss of $120 million. The exploit was orchestrated via an oracle hack,
which allowed the perpetrator to manipulate the price of the
AllianceBlock (ALBT) token within the Bonq protocol.
The root cause of the hack was a crucial flaw in the oracle
updatePrice function of one of BonqDAO's smart contracts. This
loophole permitted the hacker to manipulate the price of the wALBT
token drastically, leading to the subsequent exploitation of wALBT and
BEUR. The exploiter was able to:
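The report does not say what the flaw in `updatePrice` was. As an added example that is not BonqDAO's code, here is a hypothetical price-feed model showing the checks a defender would expect a price-update function to enforce: an authorised-updater list, a positive price, and a per-update deviation cap of 10% (an assumed policy). Setting `checked=False` models an unguarded update for comparison.

```python
from dataclasses import dataclass, field

MAX_DEVIATION = 0.10  # assumed policy: one update may move the price by at most 10%

class OracleRejected(Exception):
    """Raised when a price update fails validation."""

@dataclass
class PriceFeed:
    """Hypothetical feed for a token such as wALBT; not Bonq's contract."""
    price: float
    updaters: set[str] = field(default_factory=set)  # addresses allowed to push prices
    checked: bool = True                               # False models an unguarded update

    def update_price(self, caller: str, new_price: float) -> float:
        if self.checked:
            if caller not in self.updaters:
                raise OracleRejected(f"{caller} is not an authorised updater")
            if new_price <= 0:
                raise OracleRejected("price must be positive")
            deviation = abs(new_price - self.price) / self.price
            if deviation > MAX_DEVIATION:
                raise OracleRejected(f"move of {deviation:.0%} exceeds {MAX_DEVIATION:.0%} cap")
        self.price = new_price
        return self.price

def update_rejected(feed: PriceFeed, caller: str, new_price: float) -> bool:
    """True if the feed refuses the update (the feed's price is then unchanged)."""
    try:
        feed.update_price(caller, new_price)
        return False
    except OracleRejected:
        return True
```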
Precautionary Measures for other Web3 projects
$100M Atomic Wallet Hack
Atomic Wallet is a well-known cryptocurrency platform that offers a desktop and mobile crypto wallet for multiple operating systems. It stores a wide range of digital currencies and supports Windows, Android, iOS, macOS, and Linux users.
Regrettably, the scale of this breach has escalated. Recent analysis
indicates that losses have now surpassed $100 million. It is believed
that over 5,000 crypto wallets were compromised in the attack. At
least ten crypto addresses suffered losses exceeding $1 million, while
at least 164 faced losses over $100,000. The average loss for each
compromised wallet is estimated at $2,800.
While the Atomic Wallet team works on mitigating the damage and
further investigating the hack, there are several important lessons for
other Web3 projects:
Proactive Threat Hunting: Instead of waiting for an issue to arise,
we actively seek out and rectify potential vulnerabilities.
03 DAO Hacks: Causes, Implications, and Lessons
Decentralized autonomous organizations (DAOs) can revolutionize
how entities operate by providing a transparent and autonomous
management framework. However, with these innovations come new
threats.
The past few months have seen several DAOs fall victim to
cyberattacks, resulting in significant losses. Here's a deeper dive into
six such incidents, highlighting their causes, consequences, and the
necessary precautions to prevent such attacks.
"NFDAO's Rug Pull exploit illustrates the necessity for secure liquidity
protocols to protect community interests."
Lessons and Reminders
04 Navigating the Future: Web3 Security Trends and Projections
Web3 Security Trends and Projections
Trend Analysis
Comparative Analysis
Comparing the first two quarters of 2023 with the corresponding
periods in 2022 and 2021 reveals a substantial increase in hacks.
However, despite the larger number of hacks in 2023, total losses are lower than in 2022. This suggests that while attacks are becoming more frequent, security measures may be more effective at limiting financial damage.
5. Continued Need for Proactive Security Measures: Considering
these trends, the need for proactive security measures like regular
audits, stringent access controls, and continuous monitoring is likely
to increase by at least 50%.
05 Securing your Investments with QuillCheck: Your Web3 Due Diligence Partner
In an increasingly decentralized world where Rug Pulls have become
a significant threat to digital investments, there's a crucial need for
reliable safety measures. QuillCheck is a 'Web3 Due Diligence tool
with Rug Pull Detection', ensuring you can navigate the choppy
waters of crypto investments with confidence.
Meet QuillCheck
Why QuillCheck?
QuillCheck stands out with its advanced rug pull detection feature. It
uses interactive charts and risk indicators to provide a comprehensive
evaluation of token security, including market and code checks. Key
features include:
User-Friendly Interface: Enjoy an intuitive, easy-to-use platform that
makes due diligence a breeze.
06 Quill Red Team: Reinventing Web3 Security
Addressing the rising tide of cyber threats, QuillAudits proudly
presents its latest initiative: the Quill Red Team (QRT). This
specialized team brings a dynamic, innovative approach to detect
and counteract overlooked vulnerabilities, taking Web3 security to a
new level.
Trust the Proven Track Record of QRT
07 QuillAudits: Securing Your Web3 Journey
As a global leader in Web3 security, QuillAudits presents its
comprehensive suite of services and tools, backed by innovative
programs designed to meet and overcome the challenges of the
rapidly evolving digital landscape.
Auditing Services
Web3 Security Suite
Our security suite features tools aimed at maintaining and enhancing
the security of your Web3 initiatives:
A Deep Dive into QuillAudits' Product Suite
QuillAudits Programs
We also run various programs to foster a secure and inclusive Web3
community:
Spotlight on Excellence (For Q1 and Q2)
Top Audited Projects & Voices of Trust
Our Voices of Trust
quillaudits.com | 2022 - 2023