Hackers and scammers have managed to steal more than $2 billion from Web3 projects in the first half of 2022, already more than the sum lost for the whole of 2021.
A report from CertiK found that while virus (opens in new tab) attacks, hacks, scams, phishing, identity theft (opens in new tab), and other social engineering attacks, are all quite popular among threat actors, there’s a new rising threat that’s grown into quite the monster – flash loan attacks.
A flash loan is just as it sounds – a loan that people can take, and need to return, in a flash. But given the fact that people can get enormous amounts of money in flash loans, these can be abused to attack certain protocols and drain the funds.
Millions lost
Something similar happened to the Beanstalk protocol in April 2022. Entities with large amounts of the BEAN token get voting rights, allowing them to vote on important events, like fund withdrawals. With the help of a flash loan, an attacker managed to obtain large amounts of BEAN, and then use their newfound voting power to vote in favor of withdrawing almost $200 million from the protocol.
According to CertiK, the second quarter of 2022 saw 27 flash loan attacks, resulting in losses of $308 million – but just a few months earlier, “only” $14 million had been lost that way.
The analysts are also saying that phishing attacks rose between the two quarters, from 106 in Q1, to 290, in Q2.
Most of the time, the attackers would try and compromise endpoints (opens in new tab) via Discord, as that’s one of the most popular social networking platforms for crypto and Web3 developers and enthusiasts.
“Rug pulls”, a practice in which the “developers” would pull the rug on investors and disappear with their money, seem to be losing popularity. One of the reasons why rug pulls are no longer that popular is the deep bear market that’s currently being manifested.
Despite the good news, there were still more than $37 million lost that way in Q2 this year (down 16% quarter-on-quarter).