According to the Defiyield Rekt database, since March 2012, the Web 3.0 industry has lost $4.78 billion to hacks, exploits, and scams. A little over a billion (about 21 percent) of these funds were later returned to the victims. This means businesses and customers paid the high cost of $3.74 billion for lagging in cybersecurity.
This trend is accelerating: to date, Web 3.0 hacks have shown unprecedented growth in both the number of incidents and the volume of stolen funds.
In the piece below, we will revise facts and figures, explore the causes of this explosion — and reflect on their impact on the industry.
Web3 hacks of the past decade: statistics and tendencies
From 2012 to 2019 — the first seven years of the reviewed period — approximately $700 million was lost to hackers. Only $2 million was recovered. The low 0.2 percent recovery rate indicates that, during this period, cybersecurity experts were virtually powerless to return the stolen money. In 2020, we saw a promising increase in the effectiveness of returning stolen funds: $300 million was lost and $55 million returned, with the recovery rate reaching 18 percent. Yet the number and intensity of hacks also increased.
The end of 2020 was the first time the volume of the stolen funds passed the symbolic mark of $1 billion. Yet, in the following months, the damages exploded. During the past 18 months, the number and total volume of hacks, exploits, and cons have skyrocketed. Summer 2021 saw a significant uptick: from June to August, hackers and scammers stole another billion. In total, 2021 saw an immense loss of $2.3 billion. Still, $652 million of these funds were returned to the victims, which was the highest recovery rate to date.
And lastly, in 2022, Web 3.0 projects lost more funds to hacks, scams, and exploits than in the whole period between 2012 and 2019. As the data from Defiyield's Rekt database shows, the year-to-date (YTD) total of funds lost as of May 2022 is $1.5 billion: close to the GDP of countries such as the Solomon Islands or San Marino. Alarmingly, only $68 million (4.5 percent) was recovered. A far cry from the 28 percent of 2021, it indicates that hacks and scams have grown in complexity.
Now, let's review some of the most notable hacks of the past year to pinpoint the key vulnerabilities.
The figures above show that most hacks and scams were small (under $1 million in damage) to medium (under $10 million in damage): these comprise 83 percent of all attacks, with a total loss of $106.5 million. Therefore, the unprecedented increase in the total funds lost to hacks in the first five months of 2022 can be credited to four super attacks: on Ronin ($615 million), Wormhole ($326 million), Beanstalk ($181 million), and Qubit Finance ($80 million).
Our overview of the attacks shows that, on top of the direct losses, the market cap and price of the affected tokens tend to drop on the news of a breach. As a result of the Qubit Finance attack on January 27th, $QBT lost 75 percent of its value, dropping from $0.006 to $0.002 and then even lower: $0.00015 at the time of this writing. $DEUS dropped from $604 to $413 in three days. After suffering a $1.5 million flash loan attack, FEG lost a third of its market cap, falling from $48 million to $29 million.
It’s important to note that most of these attacks happened to projects that had undergone third-party audits. Such an alarming tendency once more emphasizes the importance of security testing for Web 3.0 projects. As far as our research shows, the general concern is that the market lacks proper tests, accountability, and transparency in cryptocurrency rankings — which has become an issue serious enough to damage the whole space.
Regular audits and ethical HaaS: a new must?
So, how reliable are the smart contract audits and the risk assessment methods in the Web3 space today? Not very, it turns out. First, not all projects understand the importance of thorough audits. Second, no existing Web3 cybersecurity company offers detailed, regular audits.
Returning to the cases described above, a full-scale audit of any of the bridges mentioned could likely have prevented the disaster. The problem is that market participants did not have enough data on the projects' vulnerabilities. In this way, Web3 projects and cybersecurity vendors are failing the cryptocurrency industry, as blind spots in market practices are affecting investor behavior.
However unfortunate this trend may be, it reflects the growth of Web 3.0, as retail and institutional investors continue pouring their money into blockchain, crypto, and DeFi. It has also revealed issues that could have led to far greater losses later: ones we can now fix by introducing new quality standards for performing audits, as well as adopting HaaS (ethical hacking-as-a-service) as an essential part of Web3 security.
HaaS can offer 24/7 protection against the majority of security risks and even act as the B2B solution focused on long-term expansion. Alongside new audit standards, it can help prevent new major hacks and contribute to the substantial growth of the recovery rate — boosting user and investor confidence and, in turn, the future growth of the whole Web3 sector.