In the rapidly evolving realm of Web3 blockchain technology, security and regulation have consistently remained focal points of concern. Given this context, gaining a comprehensive understanding of the Web3 blockchain security landscape and regulatory frameworks within the cryptocurrency industry has become imperative for ensuring the security and stability of blockchain applications. This research report is a collaborative effort between the Blockchain Security Alliance, jointly initiated by Beosin and SUSS NiFT. Its aim is to provide a thorough exploration of the global blockchain security landscape, prominent Web3 events, and critical regulatory policies in the cryptocurrency industry during Q3 2023.
Within this report, we will delve deep into an extensive analysis of the global blockchain security landscape, encompassing security vulnerabilities, attack incidents, and noteworthy Web3 events from Q3 2023. Simultaneously, we will meticulously review and summarize crucial regulatory policies in the cryptocurrency industry. This endeavor is designed to facilitate readers' comprehension of legislative and regulatory dynamics, both at the governmental and regulatory body levels, across the global blockchain arena, as well as to elucidate their impacts on industry advancement.
Through the dissemination of this report, our aspiration is to provide readers with valuable references and insights, empowering them to gain a better understanding of the dynamic evolution of the Web3 blockchain security landscape and the salient aspects of regulatory policies within the cryptocurrency industry.
I. Q3 2023 Global Web3 Security Statistics & AML Analysis
Authors: Beosin research team - Mario & Donny
Data Source (As of Sept 25): Footprint Analytics: Crypto Analysis Dashboards
1 Q3 2023 Web3 Security Overview
According to statistics from Beosin EagleEye, the total losses from hacks, phishing scams, and rug pulls in Web3 reached $889.26 million in Q3 2023. Among them, 43 major attacks resulted in a total loss of approximately $540.16 million. Phishing scams accounted for a total loss of approximately $66.15 million, and there were 81 rug pulls with a total loss of approximately $282.96 million.
The losses in Q3 2023 exceeded the total for the first half of 2023. The losses were about $330 million in Q1 2023 and $333 million in Q2 2023, while reaching $889.26 million in Q3.
In terms of project types, DeFi remains the most frequently attacked type. There were 29 attacks in the DeFi field, accounting for 67.4% of the total number of incidents. Public chains suffered the highest amount of losses among project types.
In terms of blockchain types, Ethereum accounted for the most losses overall, totaling $227 million. Ethereum also saw the highest number of attacks, reaching 16 times.
In terms of attack types, there were 9 private key compromise incidents this quarter, resulting in losses reaching $223 million, the most among attack types.
In terms of stolen fund flows, $360 million (67%) still remained in hacker addresses. Only 10% of stolen funds were recovered this quarter.
In terms of audit status, the proportion of audited and non-audited projects was roughly equal, at 48.8% and 46.5% respectively.
2 Overview of Hacks
$540.16 million Lost in 43 Major Attacks
In Q3 2023, Beosin EagleEye monitored a total of 43 major attacks in Web3, with total losses reaching $540.16 million. Among them, there was 1 security incident with losses exceeding $100 million, 7 incidents with losses between $10 million to $100 million, and 9 incidents with losses between $1 million to $10 million.
Attacks with losses over $10 million (in order of amount):
● Mixin Network - $200 million
On September 25, Mixin officially tweeted that a database of Mixin Network's cloud service provider was hacked, resulting in partial mainnet asset loss of about $200 million.
● Curve/ Vyper - $73 million
On July 30, due to a reentrancy vulnerability in an old version of the Vyper compiler, multiple Curve pools were attacked with losses reaching $73 million, of which around $52.3 million was returned by the hacker afterwards.
● CoinEx - $70 million
On September 12, due to a private key compromise, the hot wallet of crypto exchange CoinEx was stolen across 211 chains, with total losses reaching $70 million. This attack was caused by North Korean's Lazarus group.
● Alphapo - $60 million
On July 23, the hot wallet of crypto payment service provider Alphapo was stolen with total losses of $60 million. This attack was caused by North Korean's Lazarus group.
● Stake - $41.3 million
On September 4, the hot wallet of crypto casino platform Stake was hacked with losses of $41.3 million. This attack was caused by North Korean's Lazarus group.
● CoinsPaid - $37.3 million
On July 22, crypto payment platform CoinsPaid was hacked with $37.3 million assets stolen. The hacker spent six months tracking and studying CoinsPaid's systems, trying various forms of attacks including social engineering, DDoS, brute force, phishing, etc. This attack was caused by North Korean's Lazarus group.
● Fortress IO - $15 million
On August 29, blockchain infrastructure provider Fortress IO lost $15 million due to a hack on their third-party cloud vendor.
● Polynetwork - $10.1 million
On July 2, cross-chain bridge PolyNetwork was attacked due to a private key compromise, with the hacker profiting $10.1 million.
3 Attacked Project Types
Public blockchain suffered the highest losses among project types
This quarter, public blockchain accounted for the highest losses among project types, stemming from the $200 million Mixin Network hack event. This single security incident took up 37% of the total losses for the quarter.
Out of the 43 attacks, 29 occurred in the DeFi field, accounting for about 67.4%. These 29 DeFi attacks led to total losses of $98.23 million, ranking second among all project types.
The third highest losses came from payment platforms. Two security incidents at payment platforms caused combined losses of $97.3 million (Alphapo $60 million, CoinsPaid $37.3 million).
Other attacked project types also included: exchanges, casino, infrastructure, cross-chain bridges, unverified contracts. From the types, hackers targeted platforms with high funds such as public chains, payment platforms, and casino.
4 Loss By Chain
The highest losses and the most incidents are both from Ethereum
This quarter, Ethereum accounted for total losses of $227 million, ranking first among all chain platforms. Ethereum also saw the highest number of security incidents, reaching 16 times.
Ranking second in losses was Mixin Network, with a single event causing $200 million in losses, ranking it second among blockchains.
Ethereum and Mixin combined accounted for 79% of total losses.