September 30, 2022

Web3 Security Recap: $164.32 million lost in attacks in September

According to Beosin EagleEye, the number of security incidents and the amount of money involved in September 2022 decreased compared to August. 14 typical security incidents occurred in September, of which the total amount lost in attacks was about $164.32 million.

The $160 million stolen from Wintermute in September was the largest loss in Web3 in recent memory. This month also saw a number of security incidents of fraud with the use of trendings, such as Elizabeth tokens and Ethereum Mergers.

DeFi 『10』 Typical Security Incidents

№1 On September 2, the exchange Kyber Network suffered a front-end attack and lost about $265,000.

№2 On September 2, ShadowFi suffered an attack that caused SDF tokens to plummet, and the attackers made a profit of about $300,000.

№3 On September 5, DAO Officials project on BNBChain suffered a lightning loan attack, and the attackers made a profit of about $580,000.

№4 On September 7, Nereus Finance, a project on the Avalanche chain, was attacked by a lightning lending attack, and the attackers made a profit of about USD 380,000.

№5 On September 8, New Free Dao project was attacked by flash loan, and the attackers made $1.25 million.

№6 On September 10, the DPC token contract on BNBChain was hacked and lost about $103,755.

№7 On September 18, Gnosis Omni Bridge cross-chain bridge project was attacked due to a contract-level replay vulnerability after the Ether merger and fork of ETHW, resulting in an attacker profit of about $6,000.

№8 On September 20, crypto market maker Wintermute lost $160 million due to a private key breach caused by the use of the Profanity tool to generate pretty addresses.

№9 On Sep. 27, a MEV bot was attacked and lost about $1.4 million.

№10 On Sep. 28, BXH’s contracts updated after the last attack were attacked again by Lightning Lending, with a loss of about $40,000.

Fraud / Crypto Scam『3』 Typical Security Incidents

№1 On September 9, Elizabeth token took advantage of the Queen Elizabeth event fever to make a coin offering and set up a backdoor in the contract, with the risk of fraud.

№2 On September 15, as the Ethereum Merge approached, more fake fraudulent live streams appeared on YouTube. Fraudsters are faking historical videos of crypto celebrities as official live streams with fraudulent links.

№3 Lazarus Group North Korea hackers offer fake job postings through cryptocurrency exchanges to attract macOS users.

Others『1』 Typical Security Incidents

№1 The SDK of dydx exchange used a malicious third-party component that could lead to the leakage of user credentials.


The losses caused by private key leaks this month were huge. Project need to improve security awareness, do risk assessment and security audit of wallets, off-chain system services, smart contracts and other related modules, and use third-party tool components or services with caution. In addition, 50% of the attacks this month still originated from contract vulnerability exploitation, so it is recommended that project parties look for a professional security company to conduct contract audits before the project goes online.


If you have need any blockchain security services, please contact us:

Website Email Official Twitter Alert Telegram LinkedIn

Related Project

Related Project Secure Score

Guess you like
Learn More
  • Beosin, SUSS NiFT, NUS AIDF and Other Partners Launched the “Blockchain Security Alliance” in Singap

    September 29, 2022

  • BNB Chain’s $850 Million Hack — Using Beosin Trace to Investigate the Stolen Funds

    October 09, 2022

  • How Did the BNB Chain Exploiter Pass IAVL Proof Verification? — An In-depth Analysis by Beosin

    October 09, 2022

  • Blockchain Security Alliance Held Its First Meeting to Secure the Web3 Ecosystem

    October 11, 2022

Join the community to discuss.