Companies working on platforms underpinning web3 – the notion that the future of the internet will be decentralised – have lost more than $2bn to hacks and scams since the start of 2022, according to a new report by web3 security firm CertiK. An analyst who spoke to Tech Monitor warned that these companies are under assault from criminal gangs and nation-state-backed groups from countries such as Russia and North Korea.
The report suggests the cryptocurrency space is particularly prone to traditional methods of exploitation including hacking, scams and phishing, alongside newer crypto-specific attacks, and the amount of money being obtained by criminals is increasing.
Though $2bn may seem a large sum, it is a drop in the ocean compared to the overall value of decentralised assets that underpin web3, says Jared Klee, an analyst from Futurum Research. “The market cap for crypto is about $3tn overall, so $2bn against that is a lot smaller than $2bn on its own,” he says. “That’s no consolation for those whose money was stolen but there is a lot of money in the space at the moment.”
He explains: “You have an industry that has grown up very quickly and that has had an enormous amount of money flow into it in a relatively short period of time. With that you get the smartest, best and brightest people, but alongside the ones working on new ideas, you also have the smartest, best and brightest with ulterior motives.”
On top of that, he said nation states are also targeting the web3 and crypto space in a way that was inconceivable during previous iterations of the internet. He gave the example of North Korea using a fake job application phishing scam to gain access to crypto startups, collecting information on the companies from the inside.
Web3 hacks and scams: millions lost to flash loan attacks
By far the most common type of attack to hit web3 projects this year was the flash loan attack. This is where a scammer borrows a large amount of cryptocurrency for a very short time and uses it to manipulate the value of a certain token, allowing them to buy up a controlling share of the governance tokens and vote to withdraw any money available to that project into their own wallet.
Beanstalk Farms became one of the largest victims of this type of attack in April this year. The decentralised finance project was hit by an attacker who mounted the hostile takeover by buying up enough tokens in the project to take control, then voting to transfer tokens worth $182m to themselves.
This type of governance attack is often funded using so-called flash loans. In the case of the Beanstalk attack it involved a $1bn cryptocurrency loan via Aave, giving the attacker enough to buy 67% of Beanstalk’s governance tokens, release the funds, return the loaned cryptocurrency and net the profit – all in 13 seconds.
CertiK’s report revealed $308m had been lost in 27 flash loan attacks in the second quarter of 2022, significantly higher than the $14m lost to the same category of attack in the first quarter of this year.
“There is nothing inherently wrong with a flash loan,” Klee says. “There is no credit risk, you are guaranteed to get that money back. It lets people amplify the size of what they are doing and can be useful in arbitrage in increasing leverage.”
The problem, he explained, is that not only can it be used in arbitrage, but the same process can be used to give a scammer leverage to take over control of a project. “The type we are talking about is known as a 51% attack. This is where I get 50 plus 1% of voting power and rewrite the rules of the network. There is nothing inherently illegal in the fact somebody buys up 51% of the vote, the problem lies in what they do with that share.”
He expects that, in future, web3 projects will take out insurance against these types of hostile takeovers, or rules will be written into projects to make it harder to achieve. “We have rules in the public market that don’t prevent you buying 50%, they just assure that if you are going to do that the other shareholders are aware of what you are doing and I can see something like that being used in the web3 space,” he adds.
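The takeover described above (borrow, vote, drain, repay within one block) and the “rules written into projects” Klee anticipates can both be seen in a small model of token-holder governance. The following is an added example written for this page, not CertiK’s, Aave’s or Beanstalk’s code: a toy governance contract in Python with two switchable defences, snapshot voting (votes count the balance held at a block before the proposal, as checkpointed vote tokens allow) and a timelock between the vote and execution. Addresses, balances and the 182-unit treasury are constructed values.

```python
"""Toy model of token-holder governance, constructed to illustrate the
flash-loan takeover described in the article and two standard defences:
(1) snapshot voting: votes count the balance held at a block *before* the
    proposal, so tokens borrowed and repaid inside one block carry no power;
(2) a timelock separating the vote from execution of the payout.
Example code written for this page; not CertiK's, Aave's or Beanstalk's."""
from dataclasses import dataclass, field


@dataclass
class Proposal:
    snapshot_block: int       # block whose balances determine voting power
    earliest_execution: int   # execute() refuses to run before this block
    votes_for: int = 0
    voters: set = field(default_factory=set)
    executed: bool = False


class Governance:
    """Minimal governance contract model; block advancement is explicit."""

    def __init__(self, balances, treasury, snapshot_voting, timelock_blocks):
        self.block = 1
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())  # loans move tokens, never mint
        self.treasury = treasury                    # funds a passed proposal pays out
        self.payouts = {}
        self.snapshot_voting = snapshot_voting
        self.timelock_blocks = timelock_blocks
        # per-address checkpoints [(block, balance)] so past balances can be read
        self.checkpoints = {a: [(0, b)] for a, b in balances.items()}
        self.proposals = []

    def next_block(self, n=1):
        self.block += n

    def _set_balance(self, addr, amount):
        self.balances[addr] = amount
        self.checkpoints.setdefault(addr, []).append((self.block, amount))

    def balance_at(self, addr, blk):
        """Balance as it stood at the end of block `blk` (0 if never held)."""
        bal = 0
        for b, amt in self.checkpoints.get(addr, []):
            if b <= blk:
                bal = amt
        return bal

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self._set_balance(src, self.balances[src] - amount)
        self._set_balance(dst, self.balances.get(dst, 0) + amount)

    def propose(self):
        p = Proposal(snapshot_block=self.block - 1,
                     earliest_execution=self.block + self.timelock_blocks)
        self.proposals.append(p)
        return len(self.proposals) - 1

    def vote(self, addr, pid):
        p = self.proposals[pid]
        if addr in p.voters:
            raise ValueError("already voted")
        p.voters.add(addr)
        if self.snapshot_voting:
            p.votes_for += self.balance_at(addr, p.snapshot_block)
        else:
            p.votes_for += self.balances.get(addr, 0)  # naive: live balance counts

    def execute(self, pid, beneficiary):
        """Pay out the treasury if the proposal holds >50% of supply and the
        timelock has elapsed. Returns True only when a payout happens."""
        p = self.proposals[pid]
        if p.executed or self.block < p.earliest_execution:
            return False
        if p.votes_for * 100 <= self.total_supply * 50:  # needs 50% + 1
            return False
        p.executed = True
        self.payouts[beneficiary] = self.payouts.get(beneficiary, 0) + self.treasury
        self.treasury = 0
        return True


def simulate_flash_loan_takeover(snapshot_voting, timelock_blocks):
    """Borrow 60% of supply, propose, vote and try to execute in one block,
    repay, then retry after the timelock. Reports what the attacker obtained."""
    gov = Governance({"alice": 20, "bob": 20, "lender": 60}, treasury=182,
                     snapshot_voting=snapshot_voting, timelock_blocks=timelock_blocks)
    gov.next_block()                         # proposal lands in block 2
    gov.transfer("lender", "attacker", 60)   # flash loan: repaid in the same block
    pid = gov.propose()
    gov.vote("attacker", pid)
    immediate = gov.execute(pid, "attacker")
    gov.transfer("attacker", "lender", 60)   # loan repaid
    gov.next_block(timelock_blocks)
    later = gov.execute(pid, "attacker")
    return {"executed_immediately": immediate, "executed_after_wait": later,
            "attacker_payout": gov.payouts.get("attacker", 0)}


def simulate_legitimate_vote(timelock_blocks=2):
    """Hardened settings must still let genuine holders pass a proposal."""
    gov = Governance({"alice": 20, "bob": 20, "lender": 60}, treasury=182,
                     snapshot_voting=True, timelock_blocks=timelock_blocks)
    gov.next_block()
    pid = gov.propose()
    for holder in ("alice", "lender"):       # 80% of supply, held before block 2
        gov.vote(holder, pid)
    gov.next_block(timelock_blocks)
    return gov.execute(pid, "treasury_multisig")


if __name__ == "__main__":
    for snap, lock in [(False, 0), (False, 2), (True, 0), (True, 2)]:
        print(f"snapshot={snap} timelock={lock}:", simulate_flash_loan_takeover(snap, lock))
    print("legitimate vote passes:", simulate_legitimate_vote())
```

Running the four combinations shows the point a reviewer of a governance design should check: with live-balance voting and no timelock the treasury is gone in one block; a timelock alone only delays the loss, because the borrowed votes were already recorded before the loan was repaid; snapshot voting at a past block is what removes the borrowed tokens’ voting power, while genuine holders can still pass proposals.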
Hedi Mesme, Commercial Manager and Partner at NOE Crypto Bank, told Tech Monitor that eradicating the issue of malicious attacks in the Web3 space involves a range of techniques. “We use institutional digital asset custody, settlement and issuance to ensure the security of crypto assets, transfers and custody under our entity. We utilize Fireblocks as our preferred software tool, and APIs to custody and manage all digital asset operations.”
Phishing attacks centred on Discord
The report also shows there was a spike in the number of phishing attacks between the first and second quarter of this year, almost trebling from 106 to 290. Most of these centred on the social networking and communications app Discord which is used widely within the crypto and NFT communities.
Klee said it wasn’t a surprise Discord was at the centre of the attacks, but that this didn't indicate a specific flaw with the platform. “It is just about where people hang out,” he says, explaining that it could just as easily have come from an email, tweet or Instagram post.
“I think Discord is making a real effort to try and help with this. Facebook has been around since 2004 and has been working against nation state actors for 15 years,” Klee says. “Discord has been around since 2015 and is growing at a rapid rate, so needs time to update its systems.”