- Malicious actors syphoned $313 million from DeFi in the second quarter of 2023, according to a report by CertiK.
- That marks a 58% drop from the $745 million stolen in the same period last year.
- The loss of money due to rug pulls significantly increased from April to June, whereas losses from flash loan and oracle manipulation exploits decreased during the same period.
Malicious actors drained $313 million from DeFi during the second quarter of 2023, according to a report released today by security firm CertiK.
While the latest figure closely aligns with losses incurred in the previous quarter, it reflects a 58% decline from the massive $745 million lost in the same period last year.
The CertiK report — Q2 2023 Web3 Security Report — also reveals a surge in exit scams, commonly called “rug pulls” in crypto, doubling the losses to investors, while other types of attacks such as flash loan and oracle manipulation exploits experienced a decline.
“As the crypto space matures and becomes more regulated, the ways attackers exploit it also evolve,” Hugh Brooks, director of security operations at CertiK, told DL News.
“If the measures against more complex exploits like flash loan attacks have been successful, attackers might resort to simpler methods like rug pulls.”
DeFi protocols have implemented stronger security measures, such as decentralised oracles and built-in protections, to mitigate flash loan and oracle exploits, potentially decreasing the success rate of these attacks.
As these attacks become harder to carry out, digital thugs turn to other strategies, such as rug pulls.
“Unlike flash loans or oracle attacks, rug pulls rely more on social engineering and manipulation than technical prowess, which can make them more accessible to less sophisticated attackers,” he said.
The report sheds light on 212 distinct security incidents identified by CertiK in the second quarter of 2023, with an average loss of about $1.5 million per incident.
In April, there were 75 incidents resulting in a total loss of approximately $103.8 million. May saw 63 incidents and losses of around $74.6 million, while June had 74 incidents with losses amounting to approximately $135.2 million.
BNB Chain suffered the most losses
Different blockchains experienced varying degrees of security incidents.
Arbitrum faced losses of around $14 million in 14 incidents, while Avalanche encountered only one incident resulting in a minimal loss of about $3,500.
The BNB Chain saw over 100 incidents with losses of approximately $71 million, Ethereum recorded around 55 incidents costing users about $66 million, and Polygon faced four incidents resulting in approximately $2.4 million being stolen.
And there were five incidents with losses of about $10 million across multiple chains. The multichain data — unrelated to crypto bridge Multichain — excludes data separately reported under other chains.
More crypto lost to rug pulls than the previous quarter
One particular trend brought to the fore by CertiK’s report is the surge in exit scams — rug pulls.
A staggering 98 exit scams were documented during the second quarter, leading to a loss of about $70 million for unsuspecting investors, a dramatic jump from the $31 million lost through rug pulls in the first quarter.
“Rug pulls often occur in projects that haven’t undergone thorough security audits or where project founders hold excessive power without sufficient checks and balances,” Brooks said, urging users to think twice about the risk before “aping into a new memecoin.”
In May, DL News reported developers behind Swaprum made off with $3 million of investor funds, despite the project on Arbitrum having been audited by CertiK.
Some of the rug pulls took place on recently-launched blockchains.
In April, investors in Merlin, a decentralised exchange on the buzzy zkSync blockchain, lost $1.82 million to a rug pull.
But flash loans and oracle exploits less costly
Security researchers noted a decline in flash loan and oracle manipulation exploits.
Flash loans, a DeFi strategy, enable borrowers to access a significant amount of funds without collateral, as long as the loan is repaid within the same transaction. This works because several actions can be bundled within one transaction on the blockchain.
Users typically use flash loans to take advantage of temporary market opportunities or execute complex financial strategies within a single transaction. But the absence of collateral in this type of loan is also highly attractive to malicious actors.
Oracles — pieces of software that feed blockchains with real-world data — are another common target for attackers. If you can manipulate the price of cryptocurrencies, then you can use it to your advantage.
CertiK’s report finds that attackers only managed to net about $24 million through 54 such attacks in the second quarter, a notable drop from the previous quarter’s 52 oracle manipulation attacks, which amounted to $222 million.
But the data may be slightly skewed.
The Euler Finance exploit, at almost $200 million, the majority of which was returned, alone accounted for 85% of the previous quarter’s total, indicating the potential for isolated high-impact incidents.
“As attacks become more sophisticated, we can expect the countermeasures to also evolve,” Brooks said.
While DeFi protocols implement measures against risks from flash loan and oracle exploits, Brooks said, DeFi users can also do their own due diligence, especially against potential rug pulls, such as reading audit reports and checking whether a project has undergone KYC.