
Overview of "Hack3d: 2023 Annual Web3.0 Security Report"
TechFlow Selected TechFlow Selected

Overview of "Hack3d: 2023 Annual Web3.0 Security Report"
The report provides a comprehensive revelation of the latest trends in Web3.0 security through statistical analysis of security incidents in the Web3.0 sector over the past year.
Written by: CertiK
Full report available here: Hack3d: 2023 Annual Web3.0 Security Report
At the start of the new year, CertiK delivers its annual flagship publication — the release of Hack3d: 2023 Annual Web3.0 Security Report. This highly anticipated industry report offers a comprehensive analysis of security incidents across the Web3.0 landscape over the past year, revealing the latest trends in Web3.0 security.
As the most detailed and authoritative security report in the industry, Hack3d: 2023 Annual Web3.0 Security Report provides complete statistics and analysis of hacks, frauds, and vulnerability exploits that occurred throughout the Web3.0 ecosystem in 2023. It serves as an essential guide for developers, practitioners, regulators, users, and enthusiasts seeking to understand the current state, challenges, and opportunities in Web3.0 security.
Before diving into the full report, let’s quickly review the overall security landscape of the Web3.0 industry in 2023:
Annual Overview – Total Losses from Security Incidents Drop by Over Half
In 2023, there were 751 reported security incidents resulting in $1.84 billion in asset losses—down 51% from $3.7 billion in 2022. According to CertiK's statistical analysis, this decline can be attributed to multiple factors, including the evolution of smart contract protocols, changes in user behavior, improved and more effective security measures—all closely linked to the reduction in total losses. In addition, macro-level industry trends have also influenced both the number of incidents and their financial impact.
Data Insights
By categorizing security incidents based on timing, type, and ecosystem, CertiK uncovered several noteworthy insights:
1. The third quarter saw the highest losses, with November being the single costliest month. Q3 2023 experienced the greatest losses of any quarter, recording 183 security incidents and $686 million in damages. In November alone, 45 incidents caused $364 million in losses.

Monthly count of security incidents and associated losses (in USD) in 2023
2. Private key leaks caused the largest financial damage. Though these incidents accounted for only 6.3% of total cases, they resulted in $881 million in losses—nearly half of the annual total.

Count and financial impact (in USD) of different types of security incidents in 2023
3. Ethereum suffered the highest total losses. In 2023, Ethereum was impacted by 224 security incidents totaling $686 million in losses—an average of approximately $3 million per incident. While not the ecosystem with the most incidents, Ethereum incurred the highest cumulative loss among all platforms.
4. Cross-chain security incidents led to severe losses. Just 35 cross-chain incidents in 2023 caused $799 million in losses, highlighting interoperability vulnerabilities as an ongoing pain point for industry security.
Industry Trends
Additionally, through comparative analysis of major security events, CertiK identified several emerging and widely observed industry trends:
1. Increased "retroactive bug bounties," but “patching after breach” cannot replace “prevention before attack”
In 2023, 34 security incidents recovered $219 million via “retroactive bug bounty” negotiations with attackers—about 12% of the $1.8 billion in total losses. This represents a 54% increase compared to previous years. While such strategies can help projects recover some losses, CertiK emphasizes that Web3.0 projects cannot rely on negotiating with hackers to protect assets. Therefore, establishing robust bug bounty platforms that proactively incentivize white-hat security researchers to report vulnerabilities before attacks occur is crucial.
For deeper insights into how different projects approached retroactive bounty negotiations, refer to the report’s detailed analyses of post-incident solutions in the Euler Finance and KyberSwap cases.
2. Web2.0 risks spilling over into Web3.0 — a persistent and long-term challenge
On December 14, Ledger, a leading Web3.0 hardware wallet provider, faced a significant security crisis. A former employee fell victim to a phishing attack. Attackers gained control of their NPMJS account via GitHub, uploaded malicious code to Ledger’s NPMJS repository, and thereby compromised access to Ledger Connect Kit, redirecting wallet users to malicious websites. Ledger rapidly deployed an update within 40 minutes of detecting the issue, preventing further threats. The attack caused approximately $610,000 in direct losses—not massive in scale, but significantly damaging to Ledger’s reputation.
This Ledger incident, along with CertiK’s joint resolution with WalletConnect on an XSS vulnerability, reminds us that despite the decentralized ethos of Web3.0 and blockchain ecosystems, current Web3.0 applications still heavily rely on Web2.0 components such as account systems, QR codes, and code repositories. As a result, they inherit centralized risks from the Web2.0 era. If just one employee’s account is compromised via phishing, it could lead to substantial losses for countless Web3.0 users. Thus, Web3.0 security practitioners like CertiK must strike a balance between decentralization ideals and the practical realities of software development and maintenance—a long-term and ongoing challenge.
3. Industry regulation continues maturing
In 2023, CertiK welcomed the continued maturation of Web3.0 regulations, as more institutions actively explore integrating blockchain technology with traditional business operations. Initiatives such as Swift’s work on interoperability, global banks experimenting with asset tokenization, and internet finance giants like PayPal exploring stablecoins reflect growing institutional consensus around blockchain and the Web3.0 ecosystem.
On the regulatory front, regions including Hong Kong China, Singapore, Japan, the United States, the European Union, and the UK have introduced stablecoin regulatory frameworks or guidelines. Recently, the CertiK team served as a consulting expert in helping the Monetary Authority of Singapore (MAS) develop its stablecoin framework—a contribution that was officially recognized. CertiK has recently launched stablecoin security audit and compliance advisory services and will continue participating in regulatory consultations globally to support secure development in the stablecoin space and broader adoption of Web3.0.
CertiK in 2023
Thanks to collective efforts across the industry, Web3.0 security made significant progress in 2023. CertiK is honored to continue contributing to this field and advancing the future of Web3.0. Let’s look back at CertiK’s highlights from 2023:
-
April 2023: Launched Skynet for Community, providing users with an all-in-one information platform.
-
July 2023: Became the first Web3.0 security auditing firm to achieve SOC 2 Type I certification.
-
August 2023: Identified a security vulnerability in the Worldcoin system.
-
September 2023: Launched SkyInsights, a Web3.0 compliance and risk management product.
-
November 2023: Provided validation for TON network’s transactions per second (TPS) records.
-
November 2023: Discovered multiple critical security vulnerabilities in Web3.0 mobile applications.
-
December 2023: Published the Cosmos Ecosystem Security Guide.
-
December 2023: Discovered an XSS vulnerability in WalletConnect’s Verify API.
-
December 2023: Discovered vulnerabilities in Wormhole and OKX mobile apps.
These represent only a small fraction of CertiK’s efforts in securing the Web3.0 industry throughout 2023. Looking back at every line of code audited, every overnight investigation following an incident, and every research analysis published—they all reflect CertiK’s commitment and vision for the future of Web3.0.
We thank all Web3.0 practitioners, security experts, and users who have journeyed with us. We believe the lessons and achievements of 2023 will become invaluable assets in building a safer Web3.0 world.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News











