Crypto hacks are ongoing and have expanded in Q2, 2024, as the bull market returns. On average, even a small hack may affect a project deeply.
ImmuneFi, one of the widely used platforms for bug bounties, counted $509M in hacks and hacks during Q2 of 2024. Hacks vary wildly, from hundreds of millions of dollars in value for the largest bridge exploits to rug pulls that have an effect on a personal level.
After analyzing hacks from the 2021-2023 period, ImmuneFi noted that the repercussions may be very serious for some projects and networks. The period coincides with some of the biggest exploits, including those against bridges on Ronin, BNB Chain, and Wormhole.
During the 2022 bear market, there were only 134 hacks counted by ImmuneFi, of which a handful were the most high-profile cases in crypto history. In 2023, as the markets showed signs of recovery, a total of 247 exploits happened.
The exact count of crypto hacks is uncertain, as some researchers also count DeFi rug pulls and personal wallet attacks, while ImmuneFi mostly focuses on attacks against protocols. In its recent research, only about 100 hand-picked exploits were used to derive the trend patterns.
Hacks affect native crypto tokens for the long term
On average, a hacked protocol loses more than $16M. If there is a native token, its market price is slashed by up to 52% and stays depressed for up to six months. Some L2 platforms may lose credibility, and DeFi products may disappear, causing them to be unable to recover from the theft. The pattern of losses for the highest-profile hacks is similar to that of the token price chart.
Within the first days of a hack, a protocol token often survives with limited losses. Some token prices even rise, while others limit the loss to 10%. However, within six months, on average, all hacked projects continue to reel, never recovering to pre-hack levels. The full loss of 52% often arrives at the end of the six-month period.
The tokens most affected belong to small-scale protocols, where in the case of Impermax Finance the loss expanded to 99.6% immediately after the hack. Projects like Skyward Finance also erased all value, despite the relatively smaller hack of $3.2M.
Smaller protocols are often destroyed by exploits
Smaller protocols, especially in DeFi, are often vulnerable enough to be completely destroyed. At the same time, big platform tokens like BNB, and even ETH and SOL are largely unaffected by the hacks and exploits on their respective networks. In the case of SOL, even daily token rug pulls are seen as beneficial to the overall network value, and are not considered a threat.
Due to the exploration period by ImmuneFi, some of the price loss effects may be exacerbated by the bear market. Other factors may also put downward pressure on a token. ImmuneFi’s model suggests a rather predictable price slide after each attack.
ImmuneFi notes that the repercussions of a hacker attack are often much deeper compared to the actual sums stolen. Rare hacks compromise all assets on a platform, as in the case of the Wormhole or Ronin bridges. Exploits of financial operations are the costliest as they spread contagion across DeFi. ImmuneFi also noted that BNB Chain has lost some of its reputation due to repeated exploits.
According to ImmuneFi, 35% of all hacks are on Ethereum, though the influence and size of the platform help to avoid reputational damage. BNB Chain, despite its smaller traffic, was the venue for 23% of all exploits due to hosting riskier projects. The biggest hack so far belongs to the Ronin chain, where losses exceeded $600M.
Hacks are especially damaging to crypto startups with small teams, often coming with accusations of an inside job and reputational damage. Developers may also spend time discovering the hack, slowing down product roadmaps by three to four months. Additionally, hacked addresses are public and often the initial event regains visibility as the hacker launders or mixes the funds.
Auditing the protocols is also a mixed bag of success. Out of 211 recorded exploits in the past few years, 85 lacked any type of audit. The rest had some type of security on their smart contracts yet still missed a vulnerability. Additionally, research by ZachXBT shows malicious code may be added after the fact, especially by teams that inadvertently hire a hacker.
Cryptopolitan reporting by Hristina Vasileva
