

In July 2023, the cryptocurrency market experienced its largest losses of the year, with a total of $486.35m.

The largest exploit this month, on the Multichain cross-chain bridge, resulted in $231.1m in losses.

Most of the losses happened on the Ethereum chain and only $7,630,757 was recovered in July 2023.

As we move into the second half of the year, July 2023 proved to be a notable period filled with significant cyber-incident-related losses. The tally for the month reached an alarming $486.35 million in funds lost, eclipsing the figure for the same period in 2022, which stood at $80.08 million. 

Despite these alarming figures, the recovery rate for the month was dismally low, standing at a mere $7,630,757. In this article, we delve into the details of the month’s losses, highlighting the top ten incidents and examining the context behind these disturbing figures.

While the July 2023 losses significantly exceeded the same month the previous year, they serve as a stark reminder of the continuous challenges the DeFi industry grapples with to ensure robust platform security. Actions taken to fortify security protocols and heighten awareness about potential frauds and scams are progressively crucial in this high-stakes landscape.

Regrettably, the recovery efforts in July 2023 were woefully inadequate, with only $7,630,757 recouped from the vast $486.35 million lost. The ability to recover stolen or lost funds is a pivotal element in alleviating the impact of these unfortunate incidents and crucially, in reinstating faith in the DeFi ecosystem. This highlights the continued challenges that the emerging financial sector faces, even during a period of greater development and interest.

DeFi Exploit Trends: July 2023 Overview

The DeFi landscape in July 2023 witnessed an alarming surge in the total funds lost, a whopping $486,355,481. Ethereum stood as the most targeted platform, with a total loss of $447,331,170 across 36 cases. Binance, another frequently targeted chain, reported a loss of $10,882,471 across 18 cases.

Among the top 10 cases, Multichain experienced the most severe loss of $231m due to an access control exploit. The AlphaPo exploit on the Ethereum platform resulted in a loss of $100m, also due to an access control issue. Over $70m was lost to the Vyper exploit, caused by a reentrancy attack.

Other notable cases included GMETA on Binance suffering a loss of $3.7m from a rugpull, Era Lend on zkSync with losses of $3.4m and Conic Finance on Ethereum losing $3.3m to a reentrancy attack, among others.

Types of Exploit

Various types of exploits were employed by crypto criminals in July 2023. Access control issues took the lead, accounting for three major cases but resulting in a staggering loss of $364,182,449.

Rugpulls, despite being the most common with 38 reported cases, resulted in significantly lower losses totaling $35,997,134. Reentrancy attacks, although less frequent with six cases, still led to substantial losses amounting to $77,617,898.

Other exploit types, such as oracle issues and flash loan attacks, were less frequent but contributed to the total loss. However, this period saw no reports of exit scams.

Funds Recovered

Unfortunately, the recovery of exploited funds in July 2023 was drastically low, with only $7,630,757 recouped from the vast total lost. 

This continues the unfortunate trend of low recovery rates in recent months, highlighting the urgent need for enhanced security measures and investor vigilance in the DeFi landscape.

Attack Vectors

Among the different categories of targets, Tokens were the most frequently attacked, with 39 cases reported leading to losses totaling $35.9m.

Borrowing and Lending protocols were targeted once, with a loss of $3,400,000. Decentralized Exchanges (DEX) reported losses of $2,010,934 from three incidents.

Notably, the Bridge category was hit hardest, reporting a loss of $241,330,645 from two incidents. Other categories, including CeFi, Yield Aggregators, Stablecoins, and NFTs, were targeted less frequently but still contributed to the total losses.

Top Exploits in July 2023

Let’s take a look at the top 5 cases this month:

1. Multichain — $231.1m Lost (Access Control)

On July 10, 2023, the Multichain project, a cross-chain bridge, fell victim to a major exploit. An unauthorized entity successfully gained access to the system, leading to an immense loss of funds across various blockchain networks. The transferred assets were funneled into a single externally owned account (EOA) spread across nine different chains.

The casual pace at which the assets were moved suggested that the perpetrator maintained full control over the funds and was not pressed for time to shift them elsewhere. This behavior fueled speculation that the incident could potentially be an inside job.

The fact that this took place on a cross-chain bridge that many smaller chains depended on meant that many ecosystems were severely destabilized.

Here’s an overview of the losses, broken down by blockchain network:

– On the Arbitrum chain, $14,371,766 USD in assets, including USDC, WETH, and WBTC, were lost.

– Fantom reported a loss of $48,560,731 USD in assets, including USDC, WETH, DAI, WBTC, and over 60 million non-liquid fUSDT tokens.

– On the Optimism network, assets lost totaled $11,080,749 USD, consisting of USDC, DAI, and WBTC.

– Cronos reported a loss of $10,911,004 USD in assets, including USDC, WETH, and DAI.

– The Polygon network experienced a loss of $10,990,882 USD in assets, comprising USDC, WETH, and WBTC.

– Avalanche saw losses of $3,190,649 USD, specifically in DAI and WBTC.

– Binance Smart Chain reported a loss of $1,770,304 USD in USDC and BTCB assets.

– The Moonbeam network lost $237,657 in USDC.

– Finally, on the Ethereum network, there was a loss of $15,291 USD in DAI.

In total, the theft of liquid assets amounted to approximately $101,129,033 USD, leading to an estimated total loss for Multichain of $231,000,000 USD.

Delving into the details of the exploit, it was discovered that around $130 million was extracted from various token bridges. The assets held in the Multichain multi-party computation (MPC) address were unusually moved to an EOA address. 

The unexpected withdrawals resulted in the depletion of the entire holdings of Multichain’s Fantom Bridge, which included wBTC, USDC, USDT, and a selection of altcoins, amounting to over $130 million in total. Similar withdrawals were witnessed from the Multichain’s Moonriver and Dogecoin bridge contracts. 

The transferred assets from the Fantom bridge of Multichain comprised DAI, LINK, USDT, wBTC, wETH, and USDC. Following the incident, the Multichain team announced their uncertainty regarding the cause of the exploit. Although a compromised wallet was speculated to be the most likely cause, the possibility of an insider hack has not been ruled out.

Block Data Reference

Suspicious Addresses:

https://etherscan.io/address/0x418ed2554c010a0c63024d1da3a93b4dc26e5bb7

https://etherscan.io/address/0x027f1571aca57354223276722dc7b572a5b05cd8

Fund Movement Transactions:

https://etherscan.io/tx/0xda80a8c8d5a8fdf0208a6fd01c39af018e400763b1d08f3543f52353345fe62e

https://etherscan.io/tx/0xbd29fe07555c28527fb0207aa0ac2b67d4afef0426793c35b76d005613477fc4

2. AlphaPo — $100m Lost (CeFi, Access Control)

In July 2023, the crypto payment platform AlphaPo suffered a significant security breach. This resulted in a substantial loss of approximately $100 million across Bitcoin, Tron, and Ethereum blockchains. AlphaPo, which processes payments for multiple gambling services, experienced an exploit that targeted their hot wallets on the Bitcoin, Tron, and Ethereum chains. The breach was primarily attributed to a compromised private key.

As part of the exploit, the stolen assets were initially converted into 5,742 ETH. These funds were then routed to the Avalanche blockchain via several addresses. Upon reaching Avalanche, the assets were exchanged once again for BTC and subsequently bridged to the Bitcoin chain.

Simultaneously, on the Tron chain, the looted funds were swapped for 118,482,405 TRX and then distributed through multiple addresses.

The confirmed loss of $22,851,804 USD spanned across the Ethereum and Tron blockchains as follows:

On the Ethereum chain, approximately $10,716,942 USD worth of assets were stolen.

Simultaneously, the Tron chain saw losses amounting to $12,134,862 USD.

Although the confirmed loss is currently estimated at around $23 million, it is worth noting that this figure could potentially reach up to $100 million. This is due to the fact that the exact extent of the losses incurred on the Bitcoin chain has not yet been revealed.

Block Data Reference

Attacker Addresses:

https://etherscan.io/address/0x040a96659fd7118259ebcd547771f6ecb9580d17

https://etherscan.io/address/0x6d2e8a20b8afa88d92406d315b67822c01e53c38

https://etherscan.io/address/0x8dc4f02e620fb24d07208c09950b9cba343805e8

https://tronscan.org/#/address/TKSitnfTLVMRbJsF1i2UH5hNUeHLDrXDiY

https://tronscan.org/#/address/TDoNAZHa7WxarUAFbQUhiijTGtd7EpbzRh

3. Poly Network — $10.2m Lost (Access Control)

On 1 July 2023, Poly Network, a cross-chain bridge, fell victim to a security exploit. This led to the loss of 5,196.95 ETH, which amounted to approximately $10,201,612 USD. 

The incident at Poly Network was triggered by a security lapse in access control. The attacker managed to generate signatures, likely using the project’s wallets, which led to a significant drain of diverse assets across multiple chains. These chains included Ethereum, Binance Smart Chain, Avalanche, and Metis.

Following the initial attack, the exploiter executed a large-scale swap of SHIB and other liquid assets for ETH. They also managed to drain USDC and USDT in two subsequent attacks, which were then exchanged for ETH. Cumulatively, the exploit resulted in the theft of 5,196.95 ETH, equivalent to approximately $10,201,612 USD.

It is noteworthy that the stolen assets were not limited to ETH but also incorporated non-liquid ERC20 tokens. Consequently, the total value of the pilfered assets across various chains significantly surpassed the actual funds lost. However, due to low liquidity, the attacker was unable to cash out these assets. Nevertheless, assets worth approximately $18,444,696 USD were distributed amongst 17 EOA addresses, each alongside 1 ETH, suggesting a potential future cash out.

Block Data Reference

Attacker Addresses:

https://etherscan.io/address/0xe0Afadad1d93704761c8550F21A53DE3468Ba599

https://etherscan.io/address/0x8E0001966e6997db3e45c5F75D4C89a610255b2E

https://etherscan.io/address/0xdddE20a5F569DFB11F5c405751367E939ebC5886

Malicious Transaction Examples:

https://etherscan.io/tx/0xe280153aa5d9c6cc3aa2ae6713ad8f91889fa6007485eb54318bd957b74776da

https://etherscan.io/tx/0x0a751caedcf4a53f13d7343989a3380da48ff09412afcb144ce4c249fc99263d

https://etherscan.io/tx/0x3a6e5d7e1b9386940b1db81d4e514cbaf5986963f3124dd7eb2a06989890f993

4. GMETA — $3.7m Lost (Rugpull)

On 18 July 2023, GMETA, a BEP20 token, experienced a severe setback due to a rugpull by the token’s deployer and associated addresses, leading to an approximate loss of $3,675,612 USD.

Details of the exploit reveal a carefully orchestrated plan. On February 4, 2023, the deployer of GMETA token initiated the scam by transferring a considerable amount of GMETA tokens to an externally owned account (EOA). Subsequently, a fraction of these tokens was moved to a different EOA, which proceeded to sell the tokens, successfully draining over $2.3 million USDT from the PancakePool.

However, the exploit did not end here. The remaining tokens were distributed among various EOA addresses, one of which proceeded to drain the pool for an additional $1.3 million USDT. Interestingly, $1 million USDT out of this amount was transferred to an unverified contract. 

Block Data Reference

Deployer Address:

https://bscscan.com/address/0x9f02c29ad35fd20a51cd48250512a7b7feeb8ed1

Scammer Addresses:

https://bscscan.com/address/0xd33D347d8f54EC3229A771F2092A6c6b6750D695

https://bscscan.com/address/0x97Ed15d9f86465f6079ef01779F6A546e19bd7DE

Funds Holder Contract:

https://bscscan.com/address/0xc95615e6711a356671f7deb408f689d6cc2bec20

Liquidity Removal Transactions:

https://bscscan.com/tx/0xb8c4220db882d3633347bcb723921499b2f2420557ba5ed34aa06c829afbf62f

https://bscscan.com/tx/0x444d119ae43d45d86234e2f9e5e35e8db74feeda600fd8bc0f6aad09148af4dc

5. Phishing — $3.6m Lost (Exploit)

On 21 July 2023, the Twitter account of prominent crypto figure Hayden Adams fell victim to a hacking attack. The hackers, linked to a series of phishing attacks, managed to steal approximately $3,600,000 USD.

The elaborate exploit involved malicious actors who had been active since April 2023. Over several months, these cyber criminals proved their relentless persistence by creating more than 23 phishing sites. Through these deceptive platforms, they managed to extract approximately $3,600,000 USD from approximately 358 unsuspecting victims.

The highest recorded loss from a single victim amounted to a staggering $2,280,000 USD. This theft was carried out through an ERC20 Permit phishing technique. The phishing scam enticed users into disclosing sensitive information under false pretenses, leading to the substantial loss of funds. 
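
An ERC20 Permit (EIP-2612) approval is granted by an off-chain EIP-712 signature, so it can be screened at the moment a site asks the wallet to sign. The following check is an added example, not part of the original article; the allowlist, thresholds, addresses and sample request are constructed assumptions.

```javascript
// Added example: screen an EIP-712 signing request for an ERC-2612 Permit.
// Allowlist, thresholds and the sample request are constructed for illustration.
const MAX_UINT256 = (1n << 256n) - 1n;
const ONE_DAY = 24n * 60n * 60n;

// Hypothetical allowlist of spender contracts the user intends to interact with.
const TRUSTED_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111", // placeholder address
]);

function screenPermitRequest(typedData, nowSeconds) {
  if (!typedData || typedData.primaryType !== "Permit") {
    return { isPermit: false, block: false, findings: [] };
  }
  const msg = typedData.message || {};
  let value, deadline;
  try {
    value = BigInt(msg.value);
    deadline = BigInt(msg.deadline);
  } catch (err) {
    // Missing or non-numeric fields (non-standard Permit shapes): fail closed.
    return { isPermit: true, block: true, findings: ["malformed permit fields"] };
  }
  const findings = [];
  const spender = String(msg.spender || "").toLowerCase();
  if (!TRUSTED_SPENDERS.has(spender)) findings.push("spender not on allowlist");
  if (value === MAX_UINT256) findings.push("unlimited allowance");
  if (deadline - BigInt(nowSeconds) > ONE_DAY) findings.push("deadline over 24h away");
  // An unknown spender blocks the signature; the other findings are warnings.
  return { isPermit: true, block: findings.includes("spender not on allowlist"), findings };
}

// Constructed sample: a Permit request with an unknown spender and no limits.
const sampleRequest = {
  primaryType: "Permit",
  domain: { name: "ExampleToken", version: "1", chainId: 1,
            verifyingContract: "0x2222222222222222222222222222222222222222" },
  message: {
    owner: "0x3333333333333333333333333333333333333333",
    spender: "0x4444444444444444444444444444444444444444",
    value: MAX_UINT256.toString(),
    nonce: "0",
    deadline: "1893456000",
  },
};

console.log(screenPermitRequest(sampleRequest, 1690000000));
```

The sample request is blocked with three findings, because a Permit signature moves no funds by itself but lets the named spender pull the approved tokens later.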

Block Data Reference

Attacker Addresses:

https://etherscan.io/address/0xca4ddffe50720292c9f0530b6f98ca5e40c046b5

https://etherscan.io/address/0xdd6CF6483FE5d948E0aEee94D94b8C98f055d1b0

Malicious Transactions:

https://etherscan.io/tx/0x9c02340896e238fc667c1d84fec78af99b1642c986fe3a81602903af498eb938

https://etherscan.io/tx/0x30e51b3ad654dba036b29a766d85098952704465a2f63e5d7d8a37138a2d0dc0

Conclusion

The substantial financial losses recorded in July 2023 underscore the critical need for enhanced risk management and vigilance when interacting with the Decentralized Finance (DeFi) landscape. It is incumbent upon investors to acquaint themselves with potential vulnerabilities and to strategize effectively to secure their investments. At De.Fi, we understand the pivotal role that guidance and support play in traversing the complex and evolving DeFi ecosystem. As such, we remain devoted to equipping our users with useful resources and data to empower informed investment decisions in the field.




All Cryptos Insider © 2024. All rights reserved.
