CertiK Crypto Report Counts $2.9B in Assets Stolen in 2022

Cryptocurrency security company CertiK wants you to be aware that it is not secure. The most recent analysis from the organization explores the murky underbelly of the world of digital assets in 2022.

Sadly, the dark underbelly of the industry is more powerful than crypto enthusiasts would want to accept. In only the first three quarters of the year, cyber thieves have seized over $2.9 billion. Additionally, CertiK claims that the methods used by these crooks are only improving.

According to CertiK's mid-year study released at the end of June, cryptocurrency thieves were on pace to siphon off about $1 billion in assets per quarter. As of today, when they released their third-quarter report, it is proving to be true. But the study contains a wealth of information beyond the startling figures on the front. In the previous three months, the firm has recorded 171 escapades. Decentralized finance (DeFi) flash loan assaults and rug-pull scams are only two examples of the vulnerabilities that may be used to steal from projects from inside. The analysis also finds that while being rare, multi-chain attacks have easily caused investors the greatest harm. Only six vulnerabilities were used in Q3 across different chains, yet they are responsible for more than $440 million of the $504 million in theft.

The rise in rug-pull or "exit" frauds in Q3 is one particular finding in this study that merits special attention. 89 scams were reported to have stolen $37 million in the company's Q2 report; in the Q3 report, 98 of these scams took a total of $57 million, a 54% increase. Hugh Brooks, Director of Security Operations at CertiK, explains to InvestorPlace that despite being simple to carry out, these frauds are not going out of style in the middle of a market slump. As Brooks warns investors, "A project being unaudited should raise a significant red alert." "A project could provide a novel approach to a problem or fill a market need, but if it puts your money at risk, it usually isn't a very smart investment."

As report case studies demonstrate, audits are not a panacea.

An exit fraud is one difficulty, but as CertiK notes, they only make up a small portion of 2022's losses.

Projects get a seal of approval from audits, which also provide confirmation that the smart contracts for the project are not in jeopardy. They are not, however, a failsafe method of project security.

The Slope wallet, Wintermute market maker, and Nomad bridge's respective adventures are three of the biggest ones from the quarter, according to CertiK's research. The $8 million in damages suffered by Slope were caused by a flaw in the way the seed words for users' wallets were kept. Once these words were discovered, hackers were able to steal money from victims' wallets one at a time. The creators of Wintermute made the decision to build its market maker on a wallet address that reduces transaction gas costs, which led to the game's vulnerability. Transactions required less CPU resources to settle when addresses had a lot of zeros in them. However, this choice of address allowed a hacker to quickly open the wallet. The losses suffered by Nomad are the result of hackers taking advantage of a weakness in the process of moving assets from one chain to another.

According to Brooks, "[The projects'] losses were not brought on by flaws in the audited smart contract code." In fact, the smart contracts for Wintermute and Nomad have both been reviewed and fixed. They yet fell prey to two of the greatest hacks of the year.

Projects to Secure Web 3.0: Next Steps

These three instances show that audits are insufficient to address an issue that is just becoming worse as time passes. Auditing is a crucial first step, according to Brooks. But a genuine commitment to security also calls for continuing testing, hardening, and monitoring techniques after implementation.

The issue of exit frauds is real. They keep stealing money from investors. However, as Brooks notes, they don't pose the same threat as the more profitable code attacks. The overall market slump has decreased asset prices and reduced the influx of novice investors, who are more prone than average to become victims of an exit scam.

While rug-pullers continue to use the same old techniques, hackers are growing more sophisticated. Rug-pullers rely on a steady supply of less experienced investors to approach them. On the other side, hackers are targeting large projects with many wallets and high liquidity, which makes them a larger danger to the whole crypto ecosystem.

As a result, according to Brooks, initiatives must do more than just get a smart contract audit. "The sector is developing at an incredible rate. To safeguard users and encourage the creativity that makes this sector so unique, we must enhance the degree of security across the whole Web3 ecosystem if we want this pace to continue. Additionally, CertiK notes in its report that it is striving to compile a group of tools and resources for projects that go beyond the straightforward tasks of auditing and into the world of real-time monitoring and bug hunting.