Professional Documents
Culture Documents
Summary 2
Introduction 8
01
SUMMARY
02
State Of Web3 Security: A
2023 Perspective
03
4. Targeted Attacks on Established Protocols: Even high-
security protocols like Curve and Balancer faced attacks
despite undergoing extensive security code audits. This
highlights an alarming shift where even well-secured
systems are susceptible to breaches.
04
1. Incident Impact By Month
$500M 100
$450M 90
$400M 80
71 73 72
$350M 67 $325.22M 70
$304M
$300M 60
$256.34M
$250M 49 50
$216.72M
$200M 40
$164.70M
$167.70M
$150M 30
28
$100M 24
16
20
$106.56M 15 15
10 12
$50M $66.57M 10
$15.05M
$39.97M $32.41M 4.46M
$0M 0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Amount Lost
YEAR 2023 Hacks Recorded
2. Yearly Losses
2021 67 $2.25B
06
3. Chain-specific Security Breaches
No. of hacks
180 173
160
140
No. of Hacks
120
120
100
80
60
40
25
20 11 10 5 5 3 2 2
0
BNB Ethereum Arbitrum Polygon Solana Avalanche ZKSync Tron Algorand Optimism
C Chain
Chain
Avalanche
BNB Ethereum Arbitrum Polygon Solana C Chain ZKSync Tron Algorand Optimism
$0
$200M
Amount Lost
$250M
$300M
$400M
$450M
$500M
$550M
$600M
$650M
$641.36M
Amount Lost
07
Introduction
2022 hit the crypto world so hard—hacks, scams, collapses—it felt like
a relentless rollercoaster of losses. From Web3 breaches to FTX's
sudden downfall, the industry felt the tremors.
But 2023 brings a different vibe—a glimmer of hope amidst the chaos.
This year, losses dropped to $1.7 billion, almost half of the $3.32 billion
lost in 2022. Although it's a sigh of relief, the surge in hacks paints a
contrasting picture. Challenges persist, with 440 hacks in 2023,
surpassing the 376 recorded hacks in 2022.
With the total market cap of the Web3 industry skyrocketing from
$927 billion in 2022 to $1.7 trillion in 2023, the demand for robust
solutions intensifies more than ever.
08
Welcome to our Web3 Security Report 2023—a journey through the
year's biggest security breakouts, the tales and trends shaping the
web3 course, expert insights dissecting the nuances of smart contract
security, and a backstage pass to the ever-evolving security landscape
where you’ll find the mitigation strategies and recommendations to
combat the evolving threats.
09
Top Hacks Of The Month
$3.6M FCS
Token Project
$3.2M FUT Yield
$2.8M Robot
$2.6M $2.5M
Amount Lost
$2.4M
$2.1M
$2.0M
$1.6M
$1.2M
800k
January
400k
0
2023
FCS Token Project FUT Yield Robot
Protocol Name
$180M
$160M
$140M
$120M
Amount Lost
$120M
$100M
$80M
$60M
February $40M
$9.2M
$20M $9M
2023 0
BonqDAO My Algo Platypus DeFi
Protocol Name
11
Top Hacks Of The Month
$180M $200M
$160M
$140M
Amount Lost
$120M
$100M
$80M
$60M
$40M March
$20M
0
$8.9M $4M 2023
Euler Finance Safemoon Kokomo Finance
Protocol Name
$36M
$32M
$28M
Amount Lost
$24M $21.9M
$20M
$16M $14.3M
$12M $11.5M
April $8M
2023 $4M
0
Bitrue GDAC Yearn Finance
Protocol Name
12
Top Hacks Of The Month
$90M
$80M
$70M
Amount Lost
$60M
$50M $45M
$40M
$31.7M
$30M
$20M
$7.5M
May
$10M
0
2023
CoinDeal Fintoch Jimbos Protocol
Protocol Name
$180M
$160M
$140M $127M
Amount Lost
$120M
$100M
$80M
$60M
June $40M
$20M
$35M
2023 0
$1.3M
Blockchain for dog Atomic wallet Atlantis Loans
nose wrinkles
Protocol Name
13
Monitor Web3 Attacks in Real Time
14
Top Hacks Of The Month
$180M
$160M
$140M
$126.3M
Amount Lost
$120M
Alpha
$100M
Po
$80M
$60M
$60M $60M
$40M
July
$20M
0
2023
Multichain Anubis DAO AlphaPo
Protocol Name
$36M
$32M
$28M
Amount Lost
$24M
$20M
$16M
$21.9M
$12M
$7.3M
August
$8M
$6.4M
$4M
2023 0
Pepe Coin Exactly Protocol Magnate Finance
Protocol Name
15
Top Hacks Of The Month
$180M $200M
$160M
$140M
Amount Lost
$120M
$100M
$80M
$60M $52M
$40M
$40M
$20M
September
0
Mixin Kernel CoinEx Stake
2023
Protocol Name
$9M
$8M
$7M
$7M
$6M
Amount Lost
$6M
$5M $4.4M
$4M
$3M
October
$2M
$1M
2023 0
Fantom Foundation Coins.ph Last Pass
Protocol Name
16
Top Hacks Of The Month
$180M
$160M
$140M
Amount Lost
$120M
$100M $87M
$80M
$60M
$60M
$47M
$40M
$20M
November
0
HECO Bridge Poloniex Exchange KyberSwap
2023
Protocol Name
$1.8M
$1.6M
$1.4M
Amount Lost
$1.2M $1.1M
$1M
CKD
Token
$800k $769k
$600k $539K
December $400k
$200k
2023 0
StoicDAO BEARN DAO CKD Token
Protocol Name
17
Top 10 Security Incident Highlights
1 Attack Type:
Mixin Kernel
$200M
Cloud Service Database Compromise
Hack Analysis
The Mixin Network faced a staggering $200M loss due to a sophisticated
attack. It appears the breach occurred through the compromise of Mixin’s
cloud service provider's database. Hackers likely gained access to users'
private keys stored on the cloud, allowing them to conduct seemingly
straightforward transfers of assets, including ETH, USDT (later converted to
DAI), and BTC. There are suspicions that even Mixin’s hot wallets might
have been targeted.
18
Top 10 Security Incident Highlights
2 Attack Type:
Euler Finance
$196M
Flash loan Exploit
Hack Analysis
The $196M attack on Euler Finance, a renowned DeFi lending protocol,
involved an exploit linked to the donateToReserves function introduced via
EIP14. This function lacked a check on user position health, allowing
manipulation.
19
Top 10 Security Incident Highlights
3 Attack Type:
Blockchain for dog
nose wrinkles
$127M
Ponzi Scheme
Hack Analysis
A South Korean company's "Dog Nose Wrinkles" scam lured investors with
promises of extraordinary returns through a blockchain app supposedly
identifying dogs via their nasal folds.Promising up to 150% returns in 100
days, it amassed over $100M in investments.
However, the app was a complete scam, causing massive financial losses
for investors. This fraudulent scheme preyed on people's interest in
blockchain technology and their willingness to invest in novel concepts.
20
Top 10 Security Incident Highlights
4
Multichain
$126.3M
Attack Type:
Multichain bridge exploit
Hack Analysis
In this instance, the assets locked in the Multichain MPC address were
illicitly transferred to an unknown destination, triggering the alarm. The
root cause remains elusive, prompting concerns about potential insider
actions or vulnerabilities exploited by an external attacker.
21
Top 10 Security Incident Highlights
5 Attack Type:
BonqDAO
$120M
Oracle Manipulation
Hack Analysis
The attacker managed to exploit vulnerabilities in the Tellor price feed,
manipulating the value of (wrapped) WALBT collateral and resulting in
losses of up to $120M. By staking a small amount of TRB tokens worth
around $175, they inflated the WALBT price drastically. This manipulation
allowed them to mint 100M BEUR stablecoins against meagre collateral.
22
Top 10 Security Incident Highlights
6 Attack Type:
HECO Bridge
$87M
Private Key Compromise
Hack Analysis
HECO Chain’s Ethereum bridge suffered a loss of $86.6M, primarily
comprising assets like USDT, ETH, HBTC, SHIB, UNI, USDC, LINK, and TUSD.
This breach occurred via a compromised operator account, which illicitly
withdrew funds and transferred the majority to an accumulation wallet.
Simultaneously, HTX lost $12.5M from its hot wallets, involving assets like
ETH, USDT, USDC, and LINK. The breach involved direct transfers from
compromised hot wallet addresses to separate attacker addresses.
It's likely that vulnerabilities exploited in prior hacks, such as the Poloniex
exchange, were reused, given the interconnections between the affected
entities.
23
Top 10 Security Incident Highlights
7 Attack Type:
Poloniex Exchange
$60M
Hot Wallet Compromise
Hack Analysis
The Poloniex exchange faced a staggering loss of $60M from its hot
wallets. The incident began when 4900 ETH (approximately $10M) was
siphoned from one of the Poloniex addresses on Etherscan.
The attack expanded across Ethereum, TRON, and BTC chains, resulting in
substantial losses across these platforms. The attacker utilized various
addresses to disperse stolen tokens, converting some to ETH and
dispersing others to new addresses.
24
Top 10 Security Incident Highlights
8 Attack Type:
Anubis DAO
$60M
DeFi Rug Pull
Hack Analysis
AnubisDAO promoted as a derivative of OlympusDAO, lured investors by
leveraging canine-themed imagery akin to successful meme coins like
Dogecoin. Despite lacking a website, the project attracted $60M in ETH
during its token sale.
25
Top 10 Security Incident Highlights
9 Alpha
Po
Attack Type:
AlphaPo
$60M
Smart Contract Vulnerability
Hack Analysis
The AlphaPo hack resulted in a loss of $60M across Ethereum (ETH), TRON,
and Bitcoin (BTC). The breach began by draining AlphaPo’s hot wallet, with
2464 ETH ($4.6M) and various other coins, including over 6M USDT,
siphoned off to the attacker's address. The stolen funds on TRON were
redirected to centralized exchanges.
26
Top 10 Security Incident Highlights
10
Attack Type:
CoinEx
$52M
Other Vulnerabilities
Hack Analysis
The CoinEx platform encountered a substantial breach, resulting in the
loss of $52M across various cryptocurrencies. The attack began with a
transfer of 4950 ETH, worth approximately $8M. Subsequently, multiple
wallets were systematically drained of ETH, TRON, MATIC, XRP, BTC, SOL,
XDAG, KDA, ARB, XLM, BCH, MATIC, and OP coins.
27
Mark Your Spot!
28
The Most Impactful Attack Types
137 $352.27M
Exit scams
103 $204.55M
Smart contract vulnerabilities
35 $222.42
Flash Loans
25 $15.3M
Price/Oracle manipulation
14 $174.5M
Private key compromise
29
Exit scams saw the highest frequency and most significant
financial losses, leading to $352.27M lost across 137 incidents
in 2023.
Rug Pulls
$200M 100
$180M 90
$160M 80
$140M 70
$129.5M
$120M 60
$100M 50
$80M $86.4M 40
$78.4M
$60M 27 27 30
21
$40M 15 20
13 13
7 $21.7M
$20M 6 1 1 10
$9.3M $8.5M $7.1M 1 5
$7.3M $0.17M $1.1M $1.7M $1.1M
$0M 0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Amount Lost
YEAR 2023 Hacks Recorded
30
Throughout 2023, rug pull incidents stood out with notable
characteristics:
31
Chain-specific loss
A total of 12 public chains experienced
security breaches in 2023. The most
No. of hacks targeted chains, in terms of the
180
number of hacks, were BNB Chain,
173
Ethereum, and Arbitrum. Meanwhile,
160
Ethereum, Polygon, and Tron suffered
140
the most significant losses in value
due to these breaches.
No. of Hacks
120
120
100
80
60
40
25 Ethereum faced over 120 attacks,
20
11
3
resulting in losses totaling $641.36
0
million. This accounts for nearly 38% of
Ethereum Polygon Tron BNB Arbitrum the total losses incurred throughout
the year.
Chain
$50M
BNB Chain encountered 173 attacks,
leading to losses ranging from a few
$93.04M $79.68M
$100M
$200M
Amount Lost
$250M
$300M
$400M
32
Get Rugpull Diligence with QuillCheck
Check
33
Audit Corner: Auditors’ Talk On Smart
Contract Security & Threat Prevention
To establish safety, developers need to code smart and check for security
issues to avoid hacks and cyber problems. It’s also crucial to ensure projects
can handle large volumes of transactions and users as well. That means
smooth coding, clever caching, and a scalable setup.
constant A I
M X MUM_ T A A TI
R NS C I IT 5000
ON_L M = ;
35
Clarity of ‘Require’ statements: Require statements should
always include an explanatory message. Instead of
36
Real-time data integration: Use a suitable off-chain
computation mechanism, such as an oracle or external API,
to provide real-time data to the smart contract.
C. Upgradeability
37
D. Function Composition
E. Inheritance
38
F. Events:
39
Avoid concentrating authority, especially the ability to
modify critical contract parameters. Instead, use governance
mechanisms, timelock contracts, or multi-signature
contracts to manage authority.
40
Use standardized formats like ABI or JSON to ensure
compatibility and interoperability with dependencies.
H. Gas optimization
41
Pack function arguments for gas-sensitive functions: If
you need to represent two 128-bit numbers, consider
combining them into a single 256-bit number and splitting
them into two numbers within the contract. This technique
can save gas. However, it may reduce code readability and
should only be used for gas-sensitive functions.
42
Avoid initializing storage variables to default values:
Storage variables are initialized to their default values (zero,
false, etc.) automatically, so explicitly initializing them wastes
gas.
43
I. Testing and Verification
Write comprehensive unit tests for each function in the
contract.
44
Click Here to Check QuillAI
45
Security Secret: Pro Tips By Experts For
Builders In Web3
46
4. Actively utilize audit firms
47
Therefore, it is recommended to implement DevSecOps
fundamentals across all development stages, which involve
rigorous security measures such as smart contract audits pre-
release, vigilant post-release monitoring for potential threats,
and a well-prepared incident response strategy for optimal
protection.
48
Automated Threat Response Techniques: Secondly,
leveraging techniques that can automatically respond to
threats is crucial. Manual responses are often ineffective, as
the attack can rapidly drain all the assets in a few
transactions. Deploy systems like Falcon Block that can
automatically block hacks for this purpose.
49
Recent Developments in Web3
Security
51
Monumental adoption of layer2 scaling solutions
52
Zero-Knowledge proofs also made their space in layer2
blockchain.
beginners.
53
Strengthening defenses against rising threats
54
Predictions of Web3 Security
Landscape In The Coming Years
56
5. Surge in Web3 Security Demand: With more builders and
projects entering the Web3 space, the demand for security
measures is set to soar. Similar to the e-commerce boom in
the 1990s, significant investments are expected in
cybersecurity to mitigate potential threats and instil trust in
Web3 technologies.
57
9. Enhanced Data Security and Lineage: With the increasing
reliance on AI and machine learning models for critical
decision-making, ensuring the lineage of these models
becomes crucial. Blockchain's core technology, rooted in
immutability and cryptographic security, is expected to
integrate with enterprise AI systems.
58
“Web3's potential is immense, but so are the
risks. Security should be embedded in the DNA
of every project, from the code to the
governance model.”
~ Kathryn Haun, General Partner at Andreessen Horowitz
Re-entrancy Errors
Reentrancy exploits a contract's logic by allowing reentry
into a transaction during execution, typically triggered by an
external call. This can lead to unexpected and manipulative
behavior, making it a critical vulnerability to address in smart
contract coding.
Types of Reentrancies
60
This function does not follow the Checks Effects Interaction
pattern. It first retrieves the balance amount from the balances
mapping on the first line, then sends the amount to msg.sender
using the call function on the second line, and finally sets the
balances mapping for that msg.sender to 0.
Mitigation Steps
61
In the above example, the attacker can re-enter the system using
the fallback function
Mitigation Steps
62
Contract B has a `claim()` function that allows claiming B tokens
equivalent to A tokens held in contract A.
Mitigation Steps
63
Denial Of Service
DoS in smart contracts refers to disrupting the flow of the
contract, rendering it unworkable or consuming excessive
gas, which freezes the contract execution. This attack can
temporarily or permanently incapacitate the contract.
Mitigation Steps
64
Handle External Calls: Unforeseen behavior in external calls can
disrupt contract execution. Implement robust mechanisms to
handle unexpected outcomes from external calls to prevent
contract failures.
Voting/Governance Attacks
65
Here, because it allows voting at endTimeOfVoting, that is on the
last block.timestamp, a user can vote at the last timestamp and
then withdraw the deposited amount 'n' from the contract. As
shown in the withdraw function’s code, it allows withdrawals
when proposal.endTimeOfVoting is less than or equal to
block.timestamp.
In this way, the user utilized 'n' number of tokens to vote 'n*2'
times.
Mitigation Strategies:
66
Improper Function Modifiers: Function modifiers control access to
functions in a smart contract. If modifiers are implemented
incorrectly or omitted, unauthorized users may execute sensitive
functions.
Mitigation Steps
67
Centralization in Smart Contracts
Despite the decentralized promise, certain dApps grant
excessive control to a few entities, risking fund theft or
censorship. Centralization stems from contract owner
privileges, poor private key management, and founders'
malicious tactics.
Mitigation Strategies:
68
Web3 Development Resource Hub
Name: Solodit
Project Description:
List of all disclosed bugs at one place
70
Name: Audit Wizard
Project Description:
Online ide with inegrated tools essential for auditing
Link:
https://www.auditwizard.io/
Project Description:
List of all tool for on chain investigation
Link:
https://github.com/OffcierCia/On-Chain-
Investigations-Tools-List
Name: HackedWalletRecovery
Project Description:
Free service that specializes in recovering funds from
wallets that have fallen into the hands of hackers.
Link:
https://hackedwalletrecovery.com/
71
Our Partners
RareSkills Blocksec c4
Moledao
72
Our Collaborators
c4lvin Brian
Web3 Research Product Marketing
Analyst at Chainlight Manager
73
Explore Our QuillAcademy
Powered by QuillAudits
Explore
QuillCTF
Practice your Auditing
Skills
QuillCon
CodeQuest
76
Technical Risk vs Economic Risks
77
DeFi Loss Distribution by Risk
While technical factors are often the root cause of most DeFi attacks,
it's noteworthy that a larger amount of money has been lost due to
economic risks.
Economic:
51.3%
Tech+ Econ:
46.3% $2.7B
$2.4B
Technical: 46.3%
78
Why is Economic Security
Important?
While technical security is a fundamental requirement,
economic security gains significance when supported by
robust technical measures. Economic security focuses on
the economic design of DeFi protocols, requiring the
development of models for market equilibria and resilient
incentive structures, rigorously tested against potential
exploits. This comprehensive process enables developers to
gain a deeper understanding of how decisions related to
security, governance, and consensus mechanisms impact
network activity and asset value.
Case Studies:
KyberSwap Exploit
79
Attack Steps:
Flash Loan Acquisition: The attacker borrowed a large sum of
wstETH using a flash loan.
fi Ex x z B
Pro t traction and Ma imi ation: y capitalizing on the
artificially inflated liquidity, the attacker was able to withdraw
more wstETH than initially deposited, generating substantial
profit.
80
Case Studies:
Chain: Arbitrum
Attack Steps:
81
Economic Risk Mitigation
Strategies?
Economic security is a critical aspect of DeFi, ensuring
protocols are financially resilient against exploits and user
losses. Unlike traditional security threats, economic attacks
are often non-atomic, meaning they unfold over time,
making them harder to detect and mitigate.
82
And 1000 more
83
QuillAudits Security Solutions
QuillAI
85
For Auditors: QuillAI complements auditors’ skills by
providing advanced analytical capabilities. It accelerates
the identification of potential vulnerabilities, offering
comprehensive insights that optimize the auditing
process and enhance the thoroughness and accuracy of
audits.
For Non-technical stakeholders: By providing clear
explanations and highlighting potential risks, QuillAI
makes complex smart contracts more accessible and
understandable to non-technical users.
QuillCheck
86
The decentralized finance (DeFi) space faces rising
vulnerability to scams like rugpulls and honeypot schemes,
impacting investors financially. These scams have surged
from 5,000 rugpull incidents in 2020 to over 117,629 by 2022,
adversely affecting nearly two million investors. The financial
losses incurred have severely impacted investor confidence
in the DeFi market.
87
QuillAudits
88
Our expertise in meticulous code auditing ensures the
projects are well-guarded against any potential hacking
attempts or vulnerabilities. From Ethereum to BSC, Polygon
to dApp, QuillAudits employs a dedicated team that
scrutinizes and secures smart contracts, ensuring they are
resilient, safe and sound. Our services span across a
multitude of blockchains, such as:
89
QuillRedTeam (QRT)
90
How does QRT solve the challenge of poor
audit standards?
91
Get tailor-made audits suitable for your project’s
complexity and budget allocations through our QRT
Services!
QuillMonitor
Data scarcity, user awareness, trust, and the necessity to
learn from past mistakes pose significant challenges in
safeguarding digital assets from hacks and vulnerabilities.
Check QuillMonitor
93
Academic Nexus
QuillAcademy
QuillAcademy is a learning initiative established by
QuillAudits to help Web 3.0 developers acquire skills in smart
contract auditing and other Web 3.0 cybersecurity practices
through fun and engaging activities.
QuillCTF
94
Hashing Bits
It is one of the highest-rated Web 3.0 security newsletters,
sharing weekly insights into different hacks and the latest
information about events, research, and tools. We help the
community stay up-to-date with all the latest cybersecurity
techniques and the best tips for avoiding exploitation.
https://quillaudits.substack.com/
95