Cybersecurity firm CertiK wants you to know that your crypto is not safe. The company’s newest report delves into the seedy underbelly of the digital asset world in 2022, and that underbelly has more reach than crypto evangelists care to admit. Over $2.9 billion has been stolen by crypto criminals in the first three quarters of the year alone. Moreover, CertiK says these criminals are only becoming more sophisticated in their approaches.
At the end of June, CertiK’s mid-year report projected that crypto criminals were on track to steal almost $1 billion in assets every quarter. That projection is holding as the company releases its third-quarter report today. But beyond the headline numbers on the cover, there is a lot to dissect within the report. The company counts 171 exploits in the last three months, ranging from rug-pull scams and decentralized finance (DeFi) flash loan attacks to more complex methods of infiltration that rob projects from within. The report also shows that while rare, multi-chain exploits have been by far the most painful for investors. Only six Q3 exploits spanned multiple chains, but those six account for over $440 million of the $504 million stolen in the quarter.
One thing especially worth noting within this report is the increase in rug-pull or “exit” scams in Q3. In its Q2 report, the company counted 89 such scams taking $37 million; in Q3, 98 of them stole a total of $57 million, a 54% increase. As CertiK Director of Security Operations Hugh Brooks tells InvestorPlace, these scams persist through a market downturn simply because they are easy to execute. “A project being unaudited should raise a major red flag,” Brooks reminds investors. “A project could offer an exciting new way to solve a problem or fill a niche in the market, but if it’s at risk of losing all your money then it probably isn’t a very wise investment.”
Audits Aren’t a Cure-All, as Report Case Studies Prove
An exit scam is one challenge, but as CertiK points out, such scams account for a small share of 2022’s losses. Audits give projects a stamp of legitimacy and some assurance that the smart contracts in scope are free of known classes of bugs. But an audit is a point-in-time review of specific code, not a guarantee that the project as a whole (its key management, its infrastructure, its off-chain tooling) is secure, and it is not a foolproof way to protect user funds.
CertiK’s report details three of the quarter’s largest exploits: the Slope wallet, the Wintermute market maker and the Nomad bridge. Slope’s $8 million in losses came from a vulnerability in which users’ seed phrases were improperly stored; anyone who obtained those phrases could derive the corresponding private keys and drain the wallets one by one. Wintermute’s exploit stems from the developers’ choice to run its market-making operation from a “vanity” wallet address chosen to minimize gas fees: an address with a long run of leading zero bytes is cheaper to pass as transaction data, so transactions involving it cost less gas. The weakness, however, was not the zeros themselves but the vanity-address generator used to produce them, which derived its private keys from a far smaller amount of randomness than a properly generated key. That let an attacker enumerate the generator’s possible outputs and recover the private key behind the address. Nomad’s losses came after attackers exploited a flaw in how the bridge verified messages when transferring assets from one chain to another, allowing withdrawals that were never backed by a deposit.
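The Wintermute case above turns on a point worth seeing concretely: searching for a vanity address does not weaken a key, but generating candidate keys from a small seed does, because an attacker who knows the generator can run the very same search. The following is an added model written for this article, not CertiK’s, Wintermute’s or any real tool’s code. It stands in SHA-256 for Ethereum’s keccak-based address derivation so it runs offline without an ECC library (the argument does not depend on the hash), and it uses a 16-bit seed space so the demonstration finishes quickly; the generator involved in the real case drew its keys from a 32-bit seed, which is still trivially enumerable. All function names are the example’s own.

```python
"""Why a vanity address from a weak-seeded generator is recoverable.

Model only: toy_address() uses SHA-256 of the private key in place of
keccak256(pubkey)[12:], and SEED_BITS is kept small for runtime.
"""
import hashlib
import os
import random
from typing import Optional

SEED_BITS = 16  # assumption for demo speed; the real flawed tool used 32 bits


def toy_address(priv: bytes) -> str:
    """Stand-in address derivation: first 20 bytes of SHA-256(priv), as hex."""
    return hashlib.sha256(priv).hexdigest()[:40]


def weak_keygen(seed: int) -> bytes:
    """Flawed-generator model: the 256-bit key is fully determined by a small seed."""
    rng = random.Random(seed)  # deterministic PRNG: same seed -> same key
    return rng.getrandbits(256).to_bytes(32, "big")


def vanity_search_weak(prefix: str, seed_bits: int = SEED_BITS) -> tuple:
    """What the wallet owner runs: step through seeds until the address matches."""
    for seed in range(1 << seed_bits):
        priv = weak_keygen(seed)
        addr = toy_address(priv)
        if addr.startswith(prefix):
            return priv, addr
    raise RuntimeError("no address with that prefix in the seed space")


def recover_weak_key(target_addr: str, seed_bits: int = SEED_BITS) -> Optional[bytes]:
    """What the attacker runs: the identical enumeration, matching the full address.

    The attacker's work is bounded by 2**seed_bits, not 2**256, so the key
    falls out in the same time the owner spent generating it.
    """
    for seed in range(1 << seed_bits):
        priv = weak_keygen(seed)
        if toy_address(priv) == target_addr:
            return priv
    return None


def vanity_search_strong(prefix: str) -> tuple:
    """Correct approach: a fresh 256-bit key from OS randomness per candidate.

    The vanity prefix costs the owner the same number of tries, but an attacker
    gains nothing: there is no small seed space to enumerate.
    """
    while True:
        priv = os.urandom(32)
        addr = toy_address(priv)
        if addr.startswith(prefix):
            return priv, addr


if __name__ == "__main__":
    weak_priv, weak_addr = vanity_search_weak("00")
    print("weak vanity address :", weak_addr)
    print("key recovered       :", recover_weak_key(weak_addr) == weak_priv)

    strong_priv, strong_addr = vanity_search_strong("00")
    print("strong vanity address:", strong_addr)
    print("key recovered        :", recover_weak_key(strong_addr) is not None)
```

The lesson is the one CertiK’s case study points at: the gas-saving address was a reasonable engineering choice, and the contracts that used it could pass an audit cleanly, because the defect lived in the off-chain key-generation tooling that no contract audit inspects.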
“[The projects’] losses were not due to errors in the audited smart contract code,” says Brooks. Indeed, both Wintermute and Nomad have had their smart contracts audited and patched up. And yet, they were victims of two of the biggest hacks of the year.
Next Steps for Projects to Secure Web 3.0
As these three examples show, audits alone are not enough to take on a problem that keeps growing month by month. “Auditing is an essential first step,” says Brooks. “But, a meaningful commitment to security also involves post-deployment monitoring and ongoing testing and hardening practices.”
Exit scams are a real problem, and they continue to rob investors of their money. But they are not a problem on the scale of the more lucrative code exploits, as Brooks points out. “The broader market downturn has lowered asset valuations and slowed the flow of newer investors who are disproportionately likely to fall victim to an exit scam.”
Hackers are becoming more sophisticated, while rug-pullers rely on the same old tricks. Rug-pullers depend on a stream of less knowledgeable investors to come to them. Hackers, on the other hand, are going after big projects with lots of wallets and lots of liquidity, making them a bigger threat to the greater crypto ecosystem.
As such, Brooks says that projects have more to do than simply getting a smart contract audit. “The industry is progressing at breakneck speed. But, for this pace to continue, we need to raise the level of security across the entire Web3 world to protect users and foster the innovation that makes this space so special.” And as CertiK points out in its report, it is assembling a collection of tools and resources for projects that go beyond auditing into real-time monitoring and bug hunting.
On the date of publication, Brenden Rearick did not have (either directly or indirectly) any positions in the securities mentioned in this article. The opinions expressed in this article are those of the writer, subject to the InvestorPlace.com Publishing Guidelines.