Top 10 Web3 Hacks Of 2022

Read Time: 6 minutes

Crypto assets stolen through hacks in 2022 are likely to exceed the $3.2 billion stolen in 2021, according to the crypto security firm Chainalysis.

Figure: Web3 hacks (Image Source: Chainalysis).

Security breaches and code exploits are the main avenues for attackers trying to steal cryptocurrency, and DeFi protocols have become irresistible targets.

In 2022 especially, cross-chain bridges set the stage for the newest hack trend, accounting for 64% of the funds stolen this year.
Let’s examine what went wrong behind the largest crypto hacks of 2022 and get a taste of how to approach web3 security.

Unfolding 2022’s Biggest Hacks

Axie Infinity Ronin Bridge

Stolen Funds: $624,000,000
Date: 23rd Mar ’22

The Ronin network ran on a Proof-of-Authority model with nine validator nodes, of which five had to approve a transaction for it to pass through the bridge. Four of the validator nodes were operated by Sky Mavis’s internal team, so only one more signature was needed to validate a transaction.

In the Ronin exploit, the attacker gained access to the fifth validator node by leveraging a gas-free RPC node that had been set up a year earlier to reduce costs for users during heavy network traffic.

Having compromised the nodes, the attacker made withdrawals in two transactions: 173,600 ETH was drained from the Ronin bridge contract in the first and 25.5M USDC in the second. The largest fund theft in crypto history was identified only six days after the hack occurred.

BNB Bridge

Stolen Funds: $586,000,000
Date: 6th Oct ’22

The BNB bridge connects the old Binance Beacon Chain and the Binance Smart Chain. The attacker exploited a vulnerability to mint two batches of 1M BNB each, a total of 2M BNB worth around $586M at the time of the hack.

Here’s how the attack unfolded.

The attacker submitted a forged proof of a deposit on the Binance Beacon Chain. The bridge relied on a vulnerable IAVL proof verification, which the attacker was able to forge proofs against and so proceed with the withdrawal.
The attacker then routed the funds to their wallet by depositing them on the Venus protocol, a BSC lending platform, as collateral instead of dumping BNB directly.

Wormhole

Stolen Funds: $326,000,000
Date: 2nd Feb ’22

Wormhole, the bridge between Ethereum and Solana, suffered a loss of 120,000 wrapped Ether, worth $321 million at the time, due to a code exploit.

The hack took place on Solana: the attacker manipulated the bridge into believing that 120k ETH had been deposited on the Ethereum chain, and as a result could mint the equivalent 120k wETH on Solana.

The attacker reused the ‘SignatureSet’ of a previous transaction to get past the verification mechanism of the Wormhole bridge, leveraging the ‘Verify-signatures’ function in the main bridge contract. The discrepancies between ‘solana_program::sysvar::instructions’ and ‘solana_program’ were exploited to verify an address that contained only 0.1 ETH.

Following this, and through a subsequent code exploit, the attacker fraudulently minted 120k whETH on Solana.

Nomad Bridge

Stolen Funds: $190,000,000
Date: 1st Aug ’22

The Nomad bridge suffered a fatal blow by becoming a target that anyone could join in exploiting.

During a routine upgrade of the bridge, the Replica contract was initialized with a coding flaw that severely impacted its assets: the zero value 0x00 was set as a trusted root, which meant all messages were treated as valid by default.

The hacker’s first exploit transaction failed. However, the transaction was copied by subsequent attackers, who called the process() function directly, since every message was marked as ‘proven.’

After the upgrade, the ‘messages’ value of 0 (invalid) was read as the trusted root 0x00 and hence passed validation as ‘proven.’ This meant any call to process() was treated as valid.

So the attackers were able to drain funds by copy/pasting the same process() call and replacing the previous exploiter’s address with their own.

This chaos led to a drain of $190M in liquidity from the bridge.
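To make the root-initialization flaw concrete, here is an added illustration written for this post (a simplified model, not Nomad’s Replica contract). The vulnerable version trusts whatever committed root it is initialized with, so an upgrade that passes 0x00 makes every unproven message look proven; the hardened version refuses the zero root, never accepts bytes32(0), and tracks an explicit per-message status that only a Merkle proof can advance. Contract, mapping and enum names (ReplicaVulnerable, confirmAt, Status) are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model (not Nomad's code) of a Replica-style inbox: a message is
// first proven against a Merkle root the contract trusts, then processed.
// Contract names, the Merkle shape and the status markers are illustrative.

contract ReplicaVulnerable {
    // root => timestamp from which it is trusted; 0 means "not trusted"
    mapping(bytes32 => uint256) public confirmAt;
    // message hash => root it was proven against; bytes32(0) until proven
    mapping(bytes32 => bytes32) public messages;

    // The upgrade described above passed bytes32(0) as the committed root.
    function initialize(bytes32 committedRoot) external {
        confirmAt[committedRoot] = 1;           // BUG: the zero root becomes trusted
    }

    function acceptableRoot(bytes32 root) public view returns (bool) {
        uint256 t = confirmAt[root];
        if (t == 0) return false;
        return block.timestamp >= t;
    }

    function process(bytes calldata message) external returns (bool) {
        bytes32 h = keccak256(message);
        // An unproven message has messages[h] == bytes32(0). After the flawed
        // initialize, acceptableRoot(bytes32(0)) is true, so anything passes.
        require(acceptableRoot(messages[h]), "!proven");
        messages[h] = bytes32(uint256(2));      // legacy "processed" marker
        // dispatch to the recipient contract would happen here
        return true;
    }
}

contract ReplicaHardened {
    enum Status { None, Proven, Processed }

    mapping(bytes32 => uint256) public confirmAt;
    mapping(bytes32 => Status) public messages;   // explicit status instead of a root

    function initialize(bytes32 committedRoot) external {
        require(committedRoot != bytes32(0), "zero root");   // FIX 1: refuse the empty root
        confirmAt[committedRoot] = 1;
    }

    function acceptableRoot(bytes32 root) public view returns (bool) {
        if (root == bytes32(0)) return false;                 // FIX 2: never trust bytes32(0)
        uint256 t = confirmAt[root];
        return t != 0 && block.timestamp >= t;
    }

    // Recompute the root from a leaf and its sibling path; bit i of index says
    // whether the node at level i is the right (1) or left (0) child.
    function branchRoot(bytes32 leaf, bytes32[] calldata proof, uint256 index)
        public pure returns (bytes32 node)
    {
        node = leaf;
        for (uint256 i = 0; i < proof.length; i++) {
            node = ((index >> i) & 1) == 1
                ? keccak256(abi.encodePacked(proof[i], node))
                : keccak256(abi.encodePacked(node, proof[i]));
        }
    }

    function prove(bytes32 leaf, bytes32[] calldata proof, uint256 index) external {
        require(messages[leaf] == Status.None, "already proven");
        require(acceptableRoot(branchRoot(leaf, proof, index)), "!root");
        messages[leaf] = Status.Proven;
    }

    function process(bytes calldata message) external returns (bool) {
        bytes32 h = keccak256(message);
        require(messages[h] == Status.Proven, "!proven");     // FIX 3: check status, not a root
        messages[h] = Status.Processed;
        return true;
    }
}
```

The point of the hardened version is that “not yet proven” and “proven against the zero root” can no longer be confused: the default storage value of messages[h] is Status.None, which process() rejects regardless of what the contract was initialized with.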

Beanstalk

Stolen Funds: $181,000,000
Date: 17th Apr ’22

It was a governance attack that let the attacker walk away with $181M.

The attacker was able to take a flash loan large enough to vote through a malicious proposal.

The attack flow is as follows.

The attacker acquired voting power through a flash loan and immediately executed a malicious emergency governance proposal. The absence of a delay between proposal approval and execution worked in the attacker’s favour.

The attacker made two proposals: the first transferred the funds in the contract to themselves, and the second transferred $250k worth of $BEAN to the Ukraine donation address.

The stolen funds were then used to repay the flash loan, and the remainder was sent to Tornado Cash.
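The three controls whose absence the attack above relies on (voting power read from a past block so a flash loan taken in the current block carries no weight, a voting period, and a timelock between approval and execution) can be seen in this added sketch of a governor contract. It is example code written for this post, not Beanstalk’s governance; the IVotesToken interface (modelled on the checkpointed-balance pattern of ERC20Votes-style tokens), the TimelockedGovernor name and the period, delay and quorum constants are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Voting-token interface with historical balances (ERC20Votes-style, assumed).
// getPastVotes(account, blockNumber) returns the voting power an account held
// at the end of that block; a flash loan taken now cannot change it.
interface IVotesToken {
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
    function getPastTotalSupply(uint256 blockNumber) external view returns (uint256);
}

contract TimelockedGovernor {
    struct Proposal {
        address target;
        bytes callData;
        uint256 snapshotBlock;   // voting power is read from this block
        uint256 votingEnds;      // last block in which votes are accepted
        uint256 eta;             // earliest timestamp at which execution is allowed
        uint256 forVotes;
        bool executed;
        mapping(address => bool) voted;
    }

    IVotesToken public immutable token;
    uint256 public constant VOTING_PERIOD = 40_320;   // roughly 7 days of blocks (assumed)
    uint256 public constant TIMELOCK_DELAY = 2 days;  // delay between passing and execution (assumed)
    uint256 public constant QUORUM_BPS = 5_000;       // 50% of past total supply (assumed)

    uint256 public proposalCount;
    mapping(uint256 => Proposal) internal proposals;

    constructor(IVotesToken _token) { token = _token; }

    function propose(address target, bytes calldata callData) external returns (uint256 id) {
        id = ++proposalCount;
        Proposal storage p = proposals[id];
        p.target = target;
        p.callData = callData;
        // Snapshot the previous block: nothing done in the proposal's own block,
        // including borrowing tokens with a flash loan, can affect vote weights.
        p.snapshotBlock = block.number - 1;
        p.votingEnds = block.number + VOTING_PERIOD;
    }

    function vote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.snapshotBlock != 0, "no proposal");
        require(block.number <= p.votingEnds, "voting closed");
        require(!p.voted[msg.sender], "already voted");
        p.voted[msg.sender] = true;
        p.forVotes += token.getPastVotes(msg.sender, p.snapshotBlock);
    }

    // Queue once voting has closed and quorum is met; this starts the timelock.
    function queue(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.snapshotBlock != 0, "no proposal");
        require(block.number > p.votingEnds, "voting open");
        require(p.eta == 0, "already queued");
        uint256 quorum = token.getPastTotalSupply(p.snapshotBlock) * QUORUM_BPS / 10_000;
        require(p.forVotes >= quorum, "no quorum");
        p.eta = block.timestamp + TIMELOCK_DELAY;
    }

    // Execution is only possible after the timelock has elapsed, which gives
    // token holders and the team time to react to a malicious proposal.
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.eta != 0 && block.timestamp >= p.eta, "timelock");
        require(!p.executed, "already executed");
        p.executed = true;
        (bool ok, ) = p.target.call(p.callData);
        require(ok, "call failed");
    }
}
```

There is deliberately no emergency path that skips queue() and the timelock; an emergency mechanism that executes in the same transaction as the vote is exactly the shortcut the attack above abused.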

Wintermute

Stolen Funds: $162,300,000
Date: 20th Sept ’22

The hot wallet compromise resulted in a $160M loss for Wintermute. 

The Profanity tool used for creating vanity addresses had a vulnerability. Both Wintermute’s hot wallet and its DeFi vault contract had vanity addresses. The weakness in Profanity led to the compromise of the hot wallet’s private key, followed by the theft of funds.

Mango Markets

Stolen Funds: $115,000,000
Date: 11th Oct ’22

Mango Markets fell to a price manipulation attack, losing a nine-figure sum in the process.

How did it happen?

The attacker deposited over $5M in Mango Markets and counter-traded from another account against their own position. This caused a massive spike in the price of MNGO tokens, from $0.03 to $0.91.

The attacker then used the inflated position as collateral and drained funds from the liquidity pools. In brief, manipulating and pumping the token price led to the collapse of the protocol.

Harmony Bridge

Stolen Funds: $100,000,000
Date: 23rd June ’22

The Harmony bridge fell victim to a private key compromise, followed by a $100M loss. Let’s follow the flow of the attack.

The Harmony bridge used a 2-of-5 multisig to pass transactions. The attacker gained control of two of the signing addresses by compromising their private keys and was then able to execute transactions that drained $100M.

Fei Rari

Stolen Funds: $80,000,000
Date: 1st May ’22

Rari uses a fork of Compound’s code that does not follow the checks-effects-interactions pattern. Failing to follow the pattern opens the door to reentrancy attacks.

In this reentrancy attack, the attacker abused the ‘call.value’ and ‘exitMarket’ functions. The attacker took a flash loan to borrow ETH, re-entered the contract through ‘call.value’ and called ‘exitMarket’ to withdraw the funds placed as collateral.

Thus the attacker kept the funds borrowed through the flash loan and also retained the collateral that had been placed for the borrow.
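As an added illustration (written for this post, not Rari’s or Compound’s code), here is a toy ETH lending pool written both ways. PoolVulnerable sends ETH to the borrower before recording the debt, so a re-entrant exitMarket() call sees zero debt and releases the collateral; PoolHardened performs the same operations in checks-effects-interactions order and adds a reentrancy guard. Contract names and the 50% loan-to-value rule are assumptions for this example; exitMarket mirrors the function named above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Toy ETH lending pool (example only): users post ETH collateral and may
// borrow up to half of it. Both versions expose borrow() and exitMarket().

contract PoolVulnerable {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    function deposit() external payable { collateral[msg.sender] += msg.value; }

    function borrow(uint256 amount) external {
        require(debt[msg.sender] + amount <= collateral[msg.sender] / 2, "undercollateralised");
        // INTERACTION BEFORE EFFECT: the borrower's receive()/fallback runs here
        // while debt[msg.sender] is still unchanged. A re-entrant exitMarket()
        // therefore passes its zero-debt check and pays the collateral out.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        debt[msg.sender] += amount;   // recorded only after the collateral is already gone
    }

    function exitMarket() external {
        require(debt[msg.sender] == 0, "outstanding debt");
        uint256 c = collateral[msg.sender];
        collateral[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: c}("");
        require(ok, "transfer failed");
    }
}

contract PoolHardened {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    uint256 private locked = 1;

    // Simple mutex: any nested call into a guarded function reverts.
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function deposit() external payable { collateral[msg.sender] += msg.value; }

    function borrow(uint256 amount) external nonReentrant {
        // checks
        require(debt[msg.sender] + amount <= collateral[msg.sender] / 2, "undercollateralised");
        // effects: state is final before any external call
        debt[msg.sender] += amount;
        // interactions
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function exitMarket() external nonReentrant {
        require(debt[msg.sender] == 0, "outstanding debt");
        uint256 c = collateral[msg.sender];
        collateral[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: c}("");
        require(ok, "transfer failed");
    }
}
```

Either fix alone would stop this particular sequence: with the debt recorded first, a re-entrant exitMarket() reverts on “outstanding debt”, and with the guard in place it reverts on “reentrant call”. Using both is the usual practice, since the ordering protects against the bug and the guard protects against the ordering being broken by a later edit.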

Qubit Finance

Stolen Funds: $80,000,000
Date: 28th Jan ’22

Qubit allows users to lock funds on Ethereum and borrow the equivalent on BSC. The contract’s ‘tokenAddress.safeTransferFrom()’ function was exploited in the Qubit hack.

It allowed the attacker to borrow 77,162 qXETH on BSC without making any ETH deposit on Ethereum. Then, using it as collateral to borrow WETH, BTC-B, USD stablecoins and more, the attacker made ~$80M in profit.


How To Play Smart With Web3 Security?

The TVL in DeFi hit its all-time high of $303M in 2021, but the ever-rising number of exploits in the DeFi space is causing a decline in TVL in 2022. This is a clear warning to take Web3 security seriously.

The largest thefts from DeFi protocols were due to faulty code. Fortunately, a more rigorous approach to testing code before deployment can curb these types of attacks to a great extent.
With many new projects being built in the web3 space, QuillAudits intends to ensure maximum security for each project and to work in the best interest of securing and strengthening web3 as a whole. In that way, we have successfully secured over 700 Web3 projects and continue to extend the scope of shielding the Web3 space through a broad range of service offerings.
