Crypto projects experienced a significant increase in financial losses during Q3 2023, amounting to $685.5 million, driven largely by major exploits on key cross-chain protocols.
The third quarter of 2023 saw a significant financial setback for the crypto industry, with reported losses amounting to $685.5 million. According to a study released today from web3 bug bounty platform Immunefi, these Q3 losses have surged by 59.9% compared to the $428.7 million recorded in Q2. Year-over-year, incidents rose by a staggering 153%.
Of the Q3 setbacks, notable exploits on cross-chain protocols – Mixin Network and Multichain – constituted almost half the total losses. These two incidents led to a loss of $326 million, with Mixin Network’s unfortunate $200 million exploit in September and Multichain’s loss of $126 million in July.
Mitchell Amador, Immunefi’s CEO, highlighted that this quarter marked the highest loss for the year, accentuating the influence of state-backed actors.
Furthermore, the North Korean-supported Lazarus Group, suspected of orchestrating attacks on platforms like CoinEx, Alphapo, Stake, and CoinsPaid, managed to abscond with a total of $208.6 million, which constitutes 30% of Q3 losses.
In terms of network vulnerability, Ethereum (ETH) bore the brunt, registering 42.7% of the losses across 35 incidents. BNB Chain and the Coinbase-incubated layer-2 network Base also saw significant losses, with the latter experiencing losses in projects like LeetSwap, SwirlLend, Magnate Finance, and RocketSwap since its launch on Aug. 9.
Decentralized finance (DeFi) platforms appear to be the primary targets, incurring $499.8 million (72.9% of Q3 losses), which is an 18.5% rise year-over-year. In stark contrast, centralized platforms reported losses amounting to $185.7 million, marking a concerning 3,400% increase from Q3 of the previous year.
Recovery has been minimal but noteworthy: $61.2 million has been reclaimed from six incidents, a mere 8.9% of Q3 losses. Among these, Curve Finance was successful in retrieving $5.3 million out of the $24 million taken. Mixin Network’s offer of a $20 million “bug bounty” for the return of its stolen funds is still pending.