Hackers have stolen more than $2 billion from Web3 projects this year

In the first and second quarters of 2022, Web3 projects lost over $2 billion to hacks and exploits. That is far more than what was stolen over 2021: 214% more, to be exact. According to a quarterly report from blockchain security company CertiK, one of the key reasons for these astronomical figures is the recent uptick in flash loan attacks.


What are flash loan attacks?

A flash loan is a type of loan currently gaining popularity in decentralized finance that does not require collateral. Users can borrow large amounts of money for the purposes of completing a certain type of transaction, but the money must be paid back in full before the transaction ends. One common purpose of a flash loan is arbitrage, which is when traders buy and sell a particular type of cryptocurrency simultaneously in alternate markets where the value is different in order to make a profit. If the borrower does not pay back the loan within the blockchain transaction, the transaction is supposed to fail. 

Hackers are exploiting this new Web3 finance trend in several ways, including manipulating the value of exchange tokens and governance attacks. Governance attacks involve manipulating blockchain projects that use decentralized governance structures by gaining enough voting rights to change the rules and immediately send themselves all the funds on the blockchain. On The Verge, you can read about how this happened to decentralized finance project Beanstalk Farms, ultimately costing it over $182 million.
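The repay-or-revert rule and the governance exposure described above can be seen in a toy Python model. This is an added example, not code from the article, CertiK or any project named here: it shows that voting power read from live balances counts a flash-borrowed stake, while power read from a snapshot taken before the transaction does not. All names (`Chain`, `flash_loan`, `power_live`, `power_snapshot`, `run`) and amounts are constructed, and lending fees are omitted.

```python
# Toy model, constructed for illustration; names and amounts are hypothetical.
class Revert(Exception):
    """Aborts the whole transaction, like a revert on-chain."""

class Chain:
    def __init__(self, balances):
        self.balances = dict(balances)  # live token balances
        self.snapshot = dict(balances)  # balances recorded before the transaction

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def flash_loan(self, borrower, amount, callback):
        # No collateral: lend, run the borrower's code, require repayment.
        saved, before = dict(self.balances), self.balances["pool"]
        try:
            self.transfer("pool", borrower, amount)
            result = callback(self)
            if self.balances["pool"] < before:
                raise Revert("loan not repaid")
            return result
        except Revert:
            self.balances = saved  # undo every state change
            raise

    def power_live(self, voter):      # weak: counts tokens held right now
        return self.balances.get(voter, 0)

    def power_snapshot(self, voter):  # hardened: counts tokens held earlier
        return self.snapshot.get(voter, 0)

LOAN = 1_000_000

def run(power_fn, repay=True):
    # Returns (voting power seen inside the loan, final balances).
    chain = Chain({"pool": LOAN, "alice": 100, "borrower": 0})
    def inside_tx(c):
        power = power_fn(c, "borrower")
        if repay:
            c.transfer("borrower", "pool", LOAN)
        return power
    try:
        power = chain.flash_loan("borrower", LOAN, inside_tx)
    except Revert:
        power = None  # transaction failed, nothing persisted
    return power, chain.balances
```

With live balances the borrower briefly outweighs every real holder; with the snapshot its power is zero, and an unrepaid loan leaves the ledger exactly as it started.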

The impact of phishing and social media

While flash loans are a relatively new threat type, hackers also rely on more classic forms of cyber attack to steal money from Web3 projects. CertiK found that the current reliance on social media is Web3’s “Achilles heel”. The vast majority of phishing attacks occur on Discord servers, which is a popular social media option among NFT projects. One of the critical risks of Discord is that it doesn’t support account verification. So hackers frequently clone accounts and exploit users with fake giveaways and “too good to pass up” token offers.


As a technology and financial system still finding its feet, blockchain security will likely remain unstable for the foreseeable future. CertiK found that there has at least been a decline in the number of rug pull scams — when a cryptocurrency developer invites new investors to a project and pulls out before it’s complete — as compared to last year, so it’s not all bad news. Still, if you engage with Web3 projects, it’s essential to exercise caution and ensure all your transactions and dealings are as secure as can be.
