On April 13, Beosin, a blockchain security firm, released the Q1 2023 Global Web3 Security Report and Crypto Regulatory Landscape, illustrating recent trends in the Web3 space. The statistics in the report draw partly on events monitored by the Beosin EagleEye security risk monitoring platform.
According to the report, attackers were significantly less active in early 2023 than in the last quarter of 2022, when total damage from crypto exploits reached a staggering $1.3 billion. Crypto users and Web3 companies lost $295.2 million between January and March 2023, which is almost five times less than the total loss in the last quarter of 2022.
Still, the amount of stolen funds is impressive. Interestingly, most of the exploits took place in March. "March was a month with a high frequency of attack incidents, with total losses reaching $235 million, accounting for 79.7% of the total losses in the first quarter," the report states.
The most massive attack of Q1 2023 involved Ethereum-based protocol Euler Finance, which lost $196.9 million in various cryptocurrencies on March 13. In this exceptional case, Euler Labs, the protocol's development company, managed to return most of the funds with $29.9 million in DAI and 84,951 ETH worth $147.8 million at the time of the event.
Some other significant exploits affected myAlgo wallet, SafeMoon Web3 company, mortgage broker Platypus Finance, and Lendhub, a fintech company that specializes in small and medium-sized cash loans. Fortunately, none of these victims suffered losses as large as Euler Finance. For most of them, the stolen funds amounted to no more than $17 million. Beosin EagleEye tracked 61 major attacks between January and March.
DeFi projects were hit the hardest by the attacks. The report states, "In the first quarter of 2023, DeFi projects experienced 42 security incidents, representing 68.9% of all events. Total DeFi losses reached $248 million, accounting for 84% of total losses."
The second largest losses were related to NFTs and amounted to $18.52. Just like individual user losses, which came in third, losses related to NFTs were mainly the result of phishing incidents.
Surprisingly, there was a significant decrease in security incidents related to cross-chain bridges in early 2023. While such projects were the most affected by hacks in 2022, causing a total loss of nearly $1.89 billion, there was only a single exploit of this type in the first quarter of 2023, resulting in a loss of $130,000.
The report also mentions Ethereum as the network that was affected by the majority of attacks that took place in the first quarter of 2023. "There were 17 major attacks on Ethereum, resulting in total losses of approximately $238 million. Ethereum saw the highest loss of any blockchain, accounting for 80.8% of the total loss," the report said.
BNB Chain ranked second among the most affected blockchains with a loss of $19.48 million, followed by Algorand, Avalanche, HECO, Optimism, Polygon, and Arbitrum.
Beosin also provided key statistics on the types of vulnerabilities causing losses. The data shows that nearly 63% of security incidents in Q1 2023 resulted from improper function design in business logic. Permission issues were responsible for nearly 15% of attacks, while validation issues and reentrancy vulnerabilities, the latter of which allowed an unknown hacker to steal at least $7 million from Hundred Finance last Saturday, each caused 7.4% of attacks. Other popular vulnerabilities exploited by hackers in Q1 2023 were call injection and overflow.
Perhaps more importantly, Beosin pointed to the percentage of audited projects among those hacked in Q1 2023. "There were a total of 27 contract vulnerability exploits this quarter, with 15 audited projects (with losses of $31.19 million) and 12 unaudited projects (with losses of $7.86 million)," the report states, adding that the quality of audits of Web3 projects is insufficient.
"It is recommended that projects carefully compare auditors before choosing one, as selecting a professional auditor can effectively ensure the project's security," Beosin warned companies involved in the Web3 sector.