During the third quarter of 2022, crypto-currency losses as a result of hacks and theft amounted to $383 million (R6.9 billion).
This is according to a new report by crypto intelligence firm CipherTrace, which tracks the major losses encountered by digital currencies.
It says most of the hacks were witnessed on cross-bridges.
According to CoinWorld, crypto bridges were originally intended to make sending tokens between blockchains seamless and safe.
It explains that while bridges are essential for cross-chain communication, they have become a significant concern in Web3.
Blockchain research firm Chainalysis estimates crypto bridge hacks now account for about 70% of the total cyber attacks in the blockchain industry.
CipherTrace notes that in Q3, the most notable bridge exploit was Nomad, a crypto-currency bridge that lets users swap tokens between blockchains.
Decentralised finance crimes define crypto hacks in 2021
South Africans lose ‘billions’ in Africrypt crypto scam
Nomad was plundered of $190 million due to hundreds of users opportunistically taking advantage of a single typo in the code, says CipherTrace, a Mastercard company.
It explains the issue in Nomad’s armour was in the way the code prevented itself from accurately authenticating a message was accepted before the transaction was executed.
“Once the hack was pulled off, it was easy for users to replicate the original theft by copying the transaction call data and changing it to their own personal address,” says the firm.
In the case of Nomad, it notes, code exploits are a reminder that protocols are only as strong as the code underwriting them.
“While it is encouraging that there was only one major bridge exploit in Q3, bridges seem to have a way to go before they are accepted to be as safe as crypto-currency exchanges in the court of public opinion.”
The other notable loss was at Acala, a decentralised finance (DeFi) platform. It issues the aUSD stablecoin and operates by leveraging the functionality of the Polkadot blockchain.
Acala allows for DeFi operations on the Polkadot network, including borrowing, lending and stablecoin activities.
CipherTrace explains that an on-chain setup error allowed attackers to mint aUSD (amount of loss: $52 million).
It adds the vulnerability caused aUSD to lose its peg to the US dollar, initially falling to $0.60 and hovering around $0.90.
Acala suspended the protocol shortly after the attack on 14 August 2022 and disabled the transfer of the stolen aUSD.
Also hacked during the period was Crema Finance, a centralised liquidity DeFi application on the Solana chain, which announced an $8.8 million hacker flash loan attack.
According to CipherTrace, hackers bypassed contract checks by creating a fake price change data account (Tickaccount) and then used fake price data and flash loans to steal huge fees from the fund pool (3 July 2022).
Following a long negotiation, Crema Finance attackers agreed to collect 45 455 SOL ($1.7 million) as a white hat bounty (eventually the amount of loss) and returned 6 064 Ethereum and 23 967.9 SOL ($8.1 million).
Nirvana, a stablecoin project on the Solana chain, was also attacked by a flash loan.
The Mastercard firm says the attacker used a flash loan to borrow $10 250 000 USDC from Solend by deploying a malicious contract, and then called the Nirvana contract method to acquire a large amount of ANA tokens.
Eventually, the hacker sold the ANA tokens and passed all the dirty money through the cross-chain bridge transfer before it could be detected as a flash loan.
The community treasury of Audius, a Web3 music streaming service platform, was hacked, losing 18.5 million AUDIO Tokens (amount of loss: $1.1 million), due to contract vulnerabilities, says CipherTrace.
It points out the hackers exchanged the funds for about 705 ETH on Uniswap. Audius officially stated the problem has been found and is being repaired.