So far in 2022, ~ $1.8bn has been lost to various scams and exploits in the Web3 world, however May 2022 saw the lowest amount lost this year at $98,597,311. May was the first month in 2022 whereby the total amount of assets lost was under $100 million. This is primarily due to the absence of major exploits (>$100M). Nevertheless, there were a total of 56 confirmed rugpulls, exit scams, and flashloan attacks just this month. Out of these 56 exploits, 38 were deemed as major incidents since they averaged over a $100,000 USD loss. Flashloan attacks have decreased significantly compared to April with a 97.9% drop in these sorts of attacks whereas rugpulls and exit scams have increased by 29% since last month.
Throughout the month of May, the total losses due to flashloan related attacks reached approximately $6,172,026 million USD with 10 registered attacks. The average USD lost per attack for the month is ~$617,203 USD. CertiK was the lead source and alerting entity on 8 of these cases.
Compared to last year, 2022 has seen an overall increase in flashloan attacks. However, May saw a 97.9% decrease in attacks compared to April. This is mainly due to April’s numbers being skewed due to the Beanstalk Farms flashloan exploit accounting for ~59% of all total lost $USD from flashloan attacks this year or ~$182,284,430.
FEG token is the main exploit of the month which was hacked twice in different attacks on 15&16 May. The DeFi project’s FEGexPRO contract was exploited on both Ethereum and BNB Chain for approximately 3,280 BNB and 145 Ethereum or ~$1.3 million USD via a flashloan attack. The next day, FEG was attacked again totaling a loss of approximately $1.9 million dollars.
Only flashloan attacks that have reached a threshold of being profitable attacks, over $100k or against a highly visible or popular protocol, have been included in this report. Many attacks resulted in small losses, and many losses or attacks are lost in the noise of simple arbitrage farming by bots. Sources shown in the graph have only accounted for attacks that resulted in over $100,000. Examples such as the SpaceDumplingToken that resulted in a $2,000 loss or Annulus attack with a $895 loss were left out. This report defines “attacks'' as manipulating a protocol in a manner with a flashloan that was unintended, opposed to simple arbitrage.
In the month of May, there were a total of 35 confirmed scams which resulted in $29.3 million USD stolen which is an increase from $22.7 million in April. CertiK was the lead source on initially reporting 33 exit scams. Of the 35 confirmed rugpulls in May, 24 classed as a major incident with profits over $100k which accounted for $28.8 M.
Rugpull and exit scams were the highest of the year with an average of $29.3 million USD loss or a ~29% increase compared to April’s attacks. BreedTech was one of the biggest exploit throughout the month with ~$9.4 million USD being rugged. The project owner minted 32 million CN which was transferred through a number of wallets before being sold. CertiK was the first one to warn about this exploit on social media.
With an average of 30 confirmed rugpulls over the last 3 months, there is a realistic possibility that if the trajectory continues, ~190 further exit scams will occur throughout the remainder of 2022. However, as the crypto market enters a more bearish stance, there is a realistic possibility that fewer exit scams profiting >$100k will take place during a bear market.
CertiK’s team is working hard to limit exit scams through a number of methods beyond contract auditing, including KYC, CDD, security score monitoring, and more, and continues fighting the fight with new methods to make it harder for threat actors and to expose them. Furthermore, one exit scam was accurately predicted by CertiK by analyzing associated wallets in a previous rugpull. We are looking to expand this capability throughout 2022 to detect and predict rugpulls before the event occurs.
There were 38 attacks which totaled $98,597,311 throughout the month of May. This is an average of $2,594,666 per attack, which is a 78.6% decrease from the $12,152,799 / attack from the month of April. The total amount of money lost in May compared to April’s exploits also dropped by 73.8% in overall recorded attacks. May’s largest recorded attack was Venus Protocol which suffered a $11.2 million loss. In April, the most recorded attacks were reported on the weekends occurring Thursdays through Friday. For the month of May, the most recorded attacks were occurring Tuesday through Thursday. There was not a single attack on any Friday of this month so, TGIF!
In the month of May, the top 10 major incidents totaled a loss of approximately $80,926,285 USD. Of those incidents, 7 were considered exploits and 3 were considered rugpulls. Three of these major incidents stood out as they showed the most significant reported losses. The largest exploit, which took place on May 16th and was entitled Scream, recorded a total loss of $35M. Scream suffered a $35 million loss due to failing to adjust the prices of both Fantom USD (fUSD) and DEI.The DeFi protocol had hardcoded the value of these two affected stablecoins, Fantom USD (fUSD) and DEI, to $1, meaning their decline did not reflect on its platform. As for Whales, they took advantage of this to drain the protocol. Post mortem, Scream would later announce a change in their policy. They would now be using Chainlink Oracles to get prices in real-time versus hardcoding them. The second most significant loss, Venus Protocol, occurred a few days prior on May 12th and reported a loss of $11.2M. Chainlink’s oracle suspension of LUNA’s price feed during the Terra-Luna incident had allowed some bad actors to take advantage of the price difference and profit illegitimately. This caused Venus to pause its protocol for 48 hours with no liquidations allowed. They would later use their Risk Fund to cover the shortfall. The third largest loss, Breedtech, which rugpulled $9,403,779 is a very interesting one because no social media were discovered after the rug. This attack occurred at the end of the month on May 28th. There is still some mystery surrounding this exploit.
Overall, May has seen a significant drop in terms of flashloans and major incidents compared to April. Although rugpulls and exit scams have increased slightly since last month, a new type of exploit is coming into play with phishing attacks and hacks that seem to be even more popular amongst threat actors on social media platforms like Telegram and Discord used by many crypto and NFT buyers. CertiK alerted using our Twitter @CertiKAlert about numerous Discord hacks and Phishing attempts and will be doing a more in-depth analysis soon.
The battle to secure the web3 space is greater now more than ever, and smart security auditing and KYC are services provided by CertiK help not only secure protocols, but also guide the average ‘hodler’ to safer projects.
Evaluating exact losses due to flashloan attacks is very difficult. While all of the data is “on-chain” the prices at the time of the attack, the manipulation of prices, as well as the loss to protocol, vs loss to gas and fees, and/or profit to the attacker makes specific numbers very hard. We’ve gone with the total loss to the protocol here, which differs from the profit the attacker actually walked away with.