Web3 Losses Cut By 23% in Q1 2024, Hackers May Be Eyeing $100 Billion in Locked Funds – Immunefi
The first quarter of this year has seen $336 million lost to Web3 hackers and fraud, with nearly half of the capital stolen in January alone. Nonetheless, the number represents a 23% decrease compared to the first quarter of 2023, according to the latest report by bug bounty and security services platform Immunefi.
Notably, said the team, almost $100 billion in capital has been locked across Web3 protocols as of March 2024, adding:
“That capital represents an unparalleled and attractive opportunity for blackhat hackers.”
It is also worth noting that $73,885,000 has been recovered from stolen Web3 capital in 7 specific situations.
More specifically, $62 million was from the Munchables exploit and $5.3 million from the Seneca exploit.
This makes up 22% of the total losses in the first quarter, the report remarked.
$336.3 Million Lost in 61 Web3 Incidents
The report looked at the volume of crypto funds the community has lost due to hacks and scams in the first three months of this year.
More precisely, the Immunefi team reviewed all instances in Web3 where:
- blackhat Web3 hackers exploited crypto protocols;
- protocols allegedly performed a rug pull.
They found 61 such incidents. This includes successful and semi-successful hacks and alleged fraud.
In total, the team discovered that $336,311,217 was lost in Q1 2024.
Out of this number, hacks were responsible for $321,645,400 across 46 specific incidents.
Fraud was behind another $14,665,817 stolen across 15 specific incidents.
The total number represents a 23.1% decrease compared to Q1 2023, when hackers and fraudsters stole $437,483,543, the report noted.
Also, most of this loss occurred in January alone, when more than $133 million was stolen.
Mitchell Amador, Founder and CEO at Immunefi, commented that “while it’s positive that overall losses have decreased, it’s essential to note that DeFi faced significant challenges, accounting for 100% of total losses in Q1 2024.”
“Particularly,” he said, “the ecosystem witnessed a considerable volume of losses due to private key compromises, emphasizing the critical need to secure both code and protocol infrastructure.”
DeFi and Ethereum Are Main Targets
Speaking of decentralized finance (DeFi), it comes as no surprise that the sector remains the main target for exploits.
“DeFi represented 100% of the total losses, while CeFi has not witnessed a single attack,” the report said.
To put it in context, that $336.3 million in total losses in Q1 across 61 incidents mentioned above – it was all lost in DeFi.
That said, it’s still a 22.8% decrease compared to Q1 2023. DeFi losses at the time totaled $435,675,543.
Meanwhile, in Q1 last year, centralized finance (CeFi) lost $1,808,000.
Back to the first quarter of this year: Ethereum “once again surpassed” BNB Chain as the most targeted chain.
Ethereum witnessed the most individual attacks: 33 incidents, or 51% of the total losses across targeted chains.
In the second place, BNB Chain suffered 14 incidents, or 22% of total losses.
Together, these two chains accounted for over half of the chain losses in Q1 2024, totaling 73%.
Other affected chains include Arbitrum, Solana, Optimism, Bitcoin, Blast, Polygon, Conflux Network, and Base, respectively.
Meanwhile, most of the $336 million was lost by two projects.
In January, Orbit Bridge, the bridging service of the cross-chain protocol Orbit Chain, suffered a whopping $81.7 million exploit.
In March, Munchables, a non-fungible token (NFT) game on the Ethereum layer 2 Blast, suffered an exploit resulting in $62.8 million in losses.
These two projects lost $144,480,000 in total, representing 43% of Q1 losses, the report said.
Web3 Hackers Lead the Way
Compared to fraud, hacks are still the leading cause of fund loss in the scamming world.
Hacks accounted for 95.6% of losses in Q1 2024, while fraud accounted for only 4.4%.
In total, hackers stole $321,645,400 in Q1 2024 across 46 specific incidents. This is a 23.1% decrease compared to Q1 2023, when losses caused by hacks totaled $418,589,089.
On the other hand, $14,665,817 was lost to fraud in Q1 2024 across 15 incidents. It’s a 22.4% decrease compared to Q3 2022, when losses caused by frauds, scams, and rug pulls totaled $18,894,454, Immunefi said.
Meanwhile, Immunefi, which protects over $60 billion in Web3 user capital, offers over $155 million in available bounty rewards.
It has paid out over $95 million in total bounties, saving over $25 billion in user funds, the team said.