The weekly financial losses from exploits that occurred between November 12 and November 18, estimated by Web3 cybersecurity firm SlowMist, reached $35,291,069. While this figure is substantial and surpasses the total losses reported last month, it is significantly smaller than the damage caused by exploits between November 5 and November 11. During that period, the massive attack on the Poloniex crypto exchange alone led to losses of nearly $130 million.
Read also: Weekly Losses from Web3 Exploits Exceeded $138 Million
According to the statistics provided by SlowMist, the most significant damage occurred when cryptocurrency investment company Kronos Research faced unauthorized access to its API keys last weekend, resulting in estimated losses of $26 million. The Kronos Research team assures that these potential losses are not a substantial portion of their equity and pledges to "resume trading as soon as possible."
Another significant incident involved the price manipulation of dYdX, a DeFi protocol for advanced trading, resulting in a loss of $9 million.
"Last night about $9 million from the dYdX v3 insurance fund was used to fill gaps on liquidations processed in the YFI market. The v3 insurance fund remains well funded with $13.5 million in funds remaining," the dYdX team reported on November 18 claiming that "no user funds were affected."
dYdX is willing to reward "those most helpful in aiding the investigation" with bounties, emphasizing that the protocol’s team "will not pay bounties to, or negotiate with the attacker."
Read also: October Web3 Exploits Lead to Over $32 Million Losses
SlowMist's report also highlighted four rug pulls, with investors losing $89,296 and $81,400 to the Builders NFT and BABYFIDO projects, respectively. The PIPI exit scam incurred even greater losses, surpassing $121,000. Another rug pull affected the Lendora protocol’s investors, but the exact losses remain unknown.
Blockchain detective ZachXBT warned investors on November 14 to withdraw their assets from Lendora due to a high probability of an impending exit scam. ZachXBT noted that the group behind the project had been involved in other scams, totaling over $16.2 million in theft, including scams such as Magnate, Solfire, Hash DAO, Kokomo, Snowflake, and more. By November 15, the Lendora website had been offline, and contracts had been paused.
While SlowMist included two Web3 projects, the decentralized lending exchange Trader Joe XYZ and trader-focused DEX SpookySwap, in its weekly report, it emphasized that the losses experienced by these platforms had not been disclosed.
On November 18, Trader Joe XYZ reported that there was "a potential exploit in a 3rd party analytics plugin hacked JavaScript code used by our frontend."
"We have taken immediate action on this finding and the code has been removed, and our host remains secure with no other integrations at all," the team claims on X, adding that "the frontend has now been restored and it is marked safe to use for all activities such as trading, liquidity, staking, lending and more."
SpookySwap posted about investigating a frontend vulnerability on the platform's domain on the same day, advising users not to execute any transactions on the DEX. Unlike Trader Joe, which has already addressed the issue, SpookySwap has not updated its users about any progress.
SlowMist emphasized that the events listed in its post were officially reported, stating that "there could have been others that were not reported.