Skip to main content

Web3 projects have lost more than $2 billion to hacks this year

Web3 projects have lost more than $2 billion to hacks this year


A new report from CertiK flags major losses and a growing threat from flash loan attacks

Share this story

Illustration by Alex Castro / The Verge

In the first six months of 2022, Web3 projects have lost more than $2 billion to hacks and exploits — more than all of 2021 combined.

That’s according to research from blockchain auditing and security company CertiK, which on Thursday released its quarterly Web3 security report covering Q2 of this year. The report paints a sobering picture of a cryptocurrency space still plagued by hacks, scams, and phishing schemes while also facing relatively new threats like flash loan attacks.

CertiK puts particular focus on this last category of threat, which has been created by the invention of flash loans: a decentralized finance mechanism that lets borrowers access extremely large amounts of cryptocurrency for very short periods of time. If used maliciously, flash loans can be used to manipulate the value of a certain token on exchanges or buy up all of the governance tokens in a project and vote to withdraw all of the funds, as happened to Beanstalk in April.

In total, CertiK’s report claims that a total of $308 million was lost across 27 flash loan attacks in Q2 2022 — an enormous increase compared to just $14 million lost to flash loans in Q1.

Phishing attacks also increased in frequency between Q1 and Q2 of this year, with CertiK recording 290 in the most recent quarter compared with 106 in the first three months of the year. Discord was the vector for the vast majority of phishing attempts, a signal of its continuing popularity as the social network of choice for the cryptocurrency and NFT scene, despite ongoing security concerns.

In slightly more positive news, so-called “rug pulls” — where the founders of a project halt development and abscond with the funds — are becoming less common, though tens of millions of dollars were still lost in this way. CertiK found that a total of $37.46 million was lost to rug pulls in Q2 of this year, down 16.5 percent from the previous quarter, though the report attributes much of this decrease to the current crypto winter, which may be driving away the less experienced investors who are likely to be fooled by scam projects.