DefiYield, the DeFi investing and yield farming platform, tracks exploited projects across the DeFi ecosystem through its REKT database. Since January 2022, it has tracked over $60 billion in lost or stolen funds across 1,195 events, including Terra Luna, Ronin, Nomad, and the Wormhole bridge.
Roughly $2.4 billion has been recovered over the same period, just under 5% of the total loss. Until August, the majority of exploits occurred outside of the Ethereum ecosystem. However, as shown in the chart below, over 90% of the funds lost since the start of August were on the Ethereum network.
A staggering $212,927,092 was lost in August, with the Nomad bridge exploit accounting for $190 million. Other exploits included the Solana Slope wallet incident, ZBExchange, Reaper Farm, and Acala Swap. The most prominent exit scam in August totaled $3.5 million from Dragoma. Several high-value rug pulls also came from two NFT platforms, HeroCat and SudoRare.
September saw an 18% decrease in stolen or lost funds, yet $170 million was still ripped from the DeFi ecosystem through exploits and hacks. The Wintermute hack made up most of the lost funds at $160 million. A further $977,550 was lost through the same Profanity vanity address exploit, which DefiYield has categorized as an “access control” issue.
Unlike other exploits, such as the Boy X Highspeed exploit, which took advantage of issues with the project’s smart contract, the Wintermute/Profanity exploit resulted from poor account management.
Wintermute generated its vanity Ethereum address with a flawed tool, which left the address with reduced cryptographic security; the choice prioritized gas fee optimization over security. The Boy X Highspeed exploit was the second largest in September at $2,584,890.
Three flash loan attacks were present in the top 10 exploits of September. New Free DAO, DAO Officials, and Cauldron all suffered flash loan attacks for $2,001,622.
Many exploits saw funds transferred to Tornado Cash, potentially tainting the stolen funds by interacting with the sanctioned platform. However, several of the more significant hacks, including Wintermute, saw funds remain under the control of the hacker’s wallet.
So far in October, an average of $5.9 million per day has been lost in less than a week. Should the trend continue, October would break the downtrend.
The largest exploit in October was the Transit Swap smart contract hack, which came to $29 million. However, $18.9 million has already been recovered, bringing DeFi’s net loss for October to just $10.1 million.
The chart below tracks the downtrend in DeFi losses throughout 2022. While both August and September saw nine-figure losses, these months mark two of the lowest on record for the year.