Immunefi Crypto Losses Q1 2024 Report

The team at Immunefi, the leading bug bounty and security services platform for crypto, has assessed the volume of crypto funds lost by the community due to hacks and scams in Q1 2024.

Overview

There is nearly $100 billion in capital locked across web3 protocols as of March 2024. That capital represents an unparalleled and attractive opportunity for blackhat hackers.

We have reviewed all instances where blackhat hackers have exploited various crypto protocols, as well as cases of protocols that have allegedly performed a rug pull in Q1 2024. We have located 61 such instances, including both successful and semi-successful hacking attempts, as well as alleged fraud.

In total, we have seen a loss of $336,311,217 across the web3 ecosystem in Q1 2024. $321,645,400 was lost to hacks across 46 specific incidents and $14,665,817 was lost to fraud across 15 specific incidents. Most of that sum was lost by two specific projects: Orbit Bridge, the bridging service of the cross-chain protocol Orbit Chain, suffered an attack that resulted in $81,680,000 lost, and Munchables, a Web3 project on the Blast blockchain, incurred a loss of $62,800,000.

This number represents a 23.1% decrease compared to Q1 2023, when hackers and fraudsters stole $437,483,543.

Key Takeaways in Q1 2024

  • The 2 major exploits of the quarter totaled $144,480,000 alone, accounting for 43% of all losses in Q1 2024.
  • In Q1 2024, hacks continued to be the predominant cause of losses at 95.6%, in comparison to fraud, which accounted for only 4.4% of the total losses.
  • DeFi remained the primary target of successful exploits in Q1 2024, comprising 100% of cases, while CeFi experienced no incidents.
  • The two most targeted chains in Q1 2024 were Ethereum and BNB Chain. Ethereum suffered the most individual attacks with 33 incidents, followed by BNB Chain with 14 incidents, and Arbitrum with 6 incidents.
  • In total, $73,885,000 has been recovered from stolen funds in 7 specific situations. This number makes up 22% of the total losses in Q1 2024.

Key Insights in Q1 2024

  • Q1 2024 is marked by a considerable decrease in total losses, down by 23.12% compared to Q1 2023, when losses amounted to $437,483,543.
  • Overall, January witnessed the highest loss in Q1 2024.
  • The number of attacks decreased by 17.57% from 74 in Q1 2023 to 61 in Q1 2024.
  • In Q1 2024, Ethereum once again surpassed BNB Chain and became the most targeted chain compared to the previous period.
  • In Q1 2024, funds recovery has proven less effective than in the previous period. To date, 22% of stolen funds have been recovered, compared to the 40.5% recovered in Q1 2023.

Top 10 Losses in Q1 2024

  • Orbit Bridge — $81,680,000
  • Munchables — $62,800,000
  • PlayDapp — $32,350,000
  • FixedFloat — $26,100,000
  • GMEE — $15,000,000
  • WOOFi — $8,750,000
  • Coinspaid — $7,500,000
  • Abracadabra Money — $6,500,000
  • Seneca — $6,500,000
  • Gamma Strategies — $6,200,000

Major Exploits in Q1 Analysis

Most of that sum was lost by two specific projects: Orbit Bridge and Munchables, totaling $144,480,000. Together, these two projects represent 43% of Q1 losses alone.

Orbit Bridge, $81 Million

  • On January 1, 2024, Orbit Bridge, the bridging service of the cross-chain protocol Orbit Chain, suffered an $81 million exploit. The attack likely stemmed from compromised private keys, which the exploiter then leveraged to run unauthorized transactions.

Munchables, $62 Million

  • On March 26, 2024, Munchables, an NFT game on the Ethereum layer 2 Blast, suffered an exploit resulting in over $62 million in losses.

Hacks vs. Fraud Analysis

In Q1 2024, hacks continue to be the predominant cause of losses as compared to fraud. An analysis of the losses shows that fraud accounts for only 4.4% of the total losses in Q1 2024, while hacks account for 95.6%.

Overview

  • Hacks — In total, we have seen a loss of $321,645,400 to hacks in Q1 2024 across 46 specific incidents. These numbers represent a 23.1% decrease compared to Q1 2023, when losses caused by hacks totaled $418,589,089.
  • Fraud — In total, we have seen a loss of $14,665,817 to fraud in Q1 2024 across 15 specific incidents. These numbers represent a 22.4% decrease compared to Q1 2023, when losses caused by frauds, scams, and rug pulls totaled $18,894,454.

DeFi vs. CeFi Analysis

In Q1 2024, DeFi continues to be the main target for exploits, compared to CeFi. DeFi represented 100% of the total losses, while CeFi has not witnessed a single attack.

Overview

  • DeFi — DeFi has suffered $336,311,217 in total losses in Q1 2024 across 61 incidents. These numbers represent a 22.8% decrease compared to Q1 2023, when DeFi losses totaled $435,675,543.
  • CeFi — CeFi has not suffered from an attack in Q1 2024, compared to Q1 2023, when CeFi losses totaled $1,808,000.

Losses by Chain

The two most targeted chains in Q1 2024 were Ethereum and BNB Chain. Ethereum suffered the most individual attacks with 33 incidents, representing 51% of the total losses across targeted chains. BNB Chain witnessed 14 incidents, representing 22%.

Overview

  • In Q1 2024, Ethereum and BNB Chain accounted for over half of the chain losses, totaling 73%.
  • Arbitrum followed with 6 incidents, comprising 9.2%. Solana, Optimism, Bitcoin, and Blast had 2 incidents each, with each chain representing 3.1%. Other chains, including Polygon, Conflux Network, and Base, experienced 1 incident each, with each chain making up 1.5%.

Insights

  • In Q1 2024, Ethereum once again surpassed BNB Chain and became the most targeted chain compared to the previous period.

Funds Recovery

Overview

In total, $73,885,000 has been recovered from stolen funds in 7 specific situations. This number makes up 22% of the total losses in Q1 2024.

  • Munchables — Stolen: $62,800,000 — Recovered: $62,800,000
  • Seneca — Stolen: $6,500,000 — Recovered: $5,300,000
  • Blueberry Protocol — Stolen: $1,350,000 — Recovered: $1,080,000
  • Socket Bungee Bridge — Stolen: $3,300,000 — Recovered: $2,300,000
  • Mozaic — Stolen: $2,400,000 — Recovered: $2,160,000
  • Unizen — Stolen: $2,100,000 — Recovered: $185,000
  • Saga DAO — Stolen: $60,000 — Recovered: $60,000

In Focus: Crypto Losses YTD

Monthly Overview

In total, the ecosystem has witnessed $336,311,217 in losses year-to-date (YTD) across 61 specific incidents. Overall, the losses are primarily driven by over $133 million lost in January.

  • January — $133,412,617
  • February — $79,203,400
  • March — $121,295,200

Total Losses YTD: Hacks vs. Fraud

January

  • Hacks — $129,339,800
  • Fraud — $4,072,817

February

  • Hacks — $77,551,400
  • Fraud — $1,652,000

March

  • Hacks — $114,754,200
  • Fraud — $6,541,000

In Focus: Q1 2023 vs. Q1 2024

Hacks vs. Frauds

  • Hacks — Losses are down 23.1% when compared to the previous period.
  • Fraud — Losses are down 22.4% when compared to the previous period.

DeFi vs. CeFi

  • DeFi — Losses are down 22.8% when compared to the previous period.
  • CeFi — Losses are down 100% when compared to the previous period.

Crypto Losses Q1 2024 — Summary

Total Losses in Q1: $336,311,217

Hacks vs. Fraud

  • Hacks — $321,645,400
  • Fraud — $14,665,817

DeFi vs. CeFi

  • DeFi — $336,311,217
  • CeFi — $0

Major Losses

  • Orbit Bridge — $81.68M
  • Munchables — $62.80M
  • PlayDapp — $32.35M
  • FixedFloat — $26.10M
  • GMEE — $15.00M
  • WOOFi — $8.75M
  • Coinspaid — $7.50M

Top Losses by Chain

  • Ethereum — 33
  • BNB Chain — 14
  • Arbitrum — 6

For questions about this study or Immunefi itself, reach out at press@immunefi.com

About Immunefi

Immunefi is the leading security platform for crypto, protecting more than $180 billion in user funds, and securing protocols across the full development lifecycle, from pre-deployment through production.