October Web3 Exploits Lead to Over $32 Million Losses

With October's security incidents counted, the total damage this year has already surpassed $1.359 billion.

According to CertiK, the attack on the Fantom Foundation employee was the largest Web3 exploit in October.

The blockchain security firm CertiK has published its monthly statistics on the scams, exploits, and hacks that hit Web3 projects in October. According to CertiK, the overall financial damage for the month surpassed $32.294 million, bringing total losses in 2023 to over $1.359 billion.

Read also: Record $7 Billion in Crypto Laundered Through Decentralized Exchanges

Most of the damage came from exploits, which accounted for $22 million. The largest, according to CertiK, was the attack on a Fantom Foundation employee, which caused a loss of nearly $7 million, followed by the exploit of Coins.ph, which lost $6 million, and the attack on Burgel.eth, which lost $3 million. Next came Stars Arena, which lost slightly under $3 million ($2.883 million), and BigWhale, whose exploit caused $1.557 million in damage.

With these thefts, the total damage from exploits this year has reached about $947.522 million.

CertiK's October Report
Source: CertiK

Exit scams were the second-largest category by financial loss, with approximately $8 million of investors' money taken by scammers. The two biggest, Standard Cross Finance and Ivy, netted their operators $1.6 million and nearly $1.586 million respectively. The next three largest exit scams hit the users of Safereum, Lucky Star Currency, and the Moonlight Protocol.

CertiK also estimated the total damage caused by flash loan attacks in October at around $1.7 million in net losses. The greatest net loss was suffered by BH Token, which lost almost $1.276 million. In gross terms, however, the largest flash loan attack of the month hit Platypus DeFi, which initially lost almost $2.224 million; $1.980 million of that was subsequently returned, leaving a much smaller net loss.

Although flash loan attacks caused the least damage of the three categories last month, behind exploits and exit scams, on a yearly scale more money has so far been lost to flash loan attacks ($264,354,511) than to exit scams ($145,792,582).

Meanwhile, November has started with another flash loan attack affecting the Onyx protocol, a cross-token liquidity market supporting cryptocurrency and NFT trading.

"The Onyx protocol was exploited via a malicious flash loan resulting in nearly $2.1 million lost due to the exploit of a known rounding issue in CompoundV2 forks. The issue was outlined in Onyx’s audit and acknowledged by the Onyx team," CertiK reported on November 1.

Read also: Teenage Hacker Stole $5.2 Million In Bitcoin From Crypto Execs, Now He Has To Return The Money

Yesterday, CertiK's team also shared on X an analysis of Maestro and Unibot, two Telegram trading bot platforms that recently lost over $1 million to the exploitation of vulnerabilities which, according to CertiK, were quite similar to each other.

In Maestro's case, the exploit was possible because a function in one of the platform's smart contracts lacked security checks. It let an attacker control data the contract passed on in an external call, so that the resulting request appeared to come from the contract itself. Victims had previously granted that contract permission to spend their tokens, believing the approval was needed to use the Telegram bot, and the attacker used the contract's position to move those approved tokens. The practical lesson for users is that an ERC-20 approval is only as safe as every code path of the contract that receives it, and allowances no longer in use should be revoked.

As a result, the attacker was able to take tokens from 106 users and swap them for approximately 280 ETH. The same attack pattern was used against Unibot's contract, where the attacker swapped the stolen tokens for 355.5 ETH.
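To make the class of bug described above concrete, here is an added, illustrative example written for this article. It is not Maestro's or Unibot's code, and the contract and function names (VulnerableRouter, execute, Drainer, HardenedRouter) are assumptions. It shows a "router" that users approve as an ERC-20 spender and that forwards caller-supplied calldata to a caller-supplied target, which is the general shape of the flaw: because the token sees the router as msg.sender, anyone who can make the router issue a transferFrom can spend every allowance users granted to it. The hardened variant beside it removes the arbitrary call, fixes `from` to msg.sender, and restricts external calls to an allowlist.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// ILLUSTRATIVE ONLY, not the code of any real bot platform.
/// Users approve this router as an ERC-20 spender. The router then lets ANY
/// caller forward ARBITRARY calldata to ANY target. Inside `target`, msg.sender
/// is the router, so every allowance users gave the router is usable by whoever
/// calls execute(). That is the missing check the text describes.
contract VulnerableRouter {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

/// Attacker contract (illustrative): one call per victim encodes
/// token.transferFrom(victim, attacker, amount). The token contract sees the
/// router as msg.sender and honours the victim's allowance to the router.
contract Drainer {
    function drain(VulnerableRouter router, IERC20 token, address victim, uint256 amount) external {
        bytes memory payload = abi.encodeWithSelector(
            IERC20.transferFrom.selector, victim, address(this), amount
        );
        router.execute(address(token), payload);
        // Drained tokens now sit in this contract; swapping them for ETH would
        // be the attacker's next step and is omitted here.
    }
}

/// Hardened variant. Three changes close the hole:
///  1. no caller-supplied target or calldata; the router builds each external call itself
///  2. transferFrom always uses msg.sender as `from`, so a caller can only move their own tokens
///  3. external calls go only to an owner-managed allowlist of token contracts
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedToken;
    // user => token => balance held by the router on the user's behalf
    mapping(address => mapping(address => uint256)) public balanceOf;

    event Deposited(address indexed user, address indexed token, uint256 amount);
    event Withdrawn(address indexed user, address indexed token, uint256 amount);

    constructor() {
        owner = msg.sender;
    }

    function setAllowedToken(address token, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedToken[token] = allowed;
    }

    /// Pull `amount` of `token` from the caller only. A victim's allowance cannot
    /// be exercised by a third party because `from` is fixed to msg.sender.
    function deposit(IERC20 token, uint256 amount) external {
        require(allowedToken[address(token)], "token not allowed");
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        balanceOf[msg.sender][address(token)] += amount;
        emit Deposited(msg.sender, address(token), amount);
    }

    /// Return tokens to the caller from the caller's own recorded balance.
    function withdraw(IERC20 token, uint256 amount) external {
        uint256 bal = balanceOf[msg.sender][address(token)];
        require(bal >= amount, "insufficient balance");
        balanceOf[msg.sender][address(token)] = bal - amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
        emit Withdrawn(msg.sender, address(token), amount);
    }
}
```

The user-side check follows from the same observation: an allowance granted to a contract is exercised by that contract's code, not by the person who deployed it, so before approving a bot contract it is worth confirming that no function lets an outside caller choose the target or payload of its external calls, and `approve(spender, 0)` revokes an allowance that is no longer needed.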