2020 Exchange attacks pick up, but remain below 2018 levels

This past week one of the largest centralized exchanges, KuCoin, was attacked, resulting in the theft of between $150 and $200 million in digital assets. KuCoin’s bitcoin and several ERC-20 hot wallets were breached in the attack. In response, various other exchanges and companies froze assets to prevent the attacker from liquidating the stolen funds. With this most recent breach, 2020 has now seen an uptick in stolen assets, yet it remains below the high-water mark set in 2018, when nearly $1 billion in assets were stolen across exchanges.

In the figure below we diagram the number of attacks and the notional value (at the time of the attack) of assets stolen by year. While some decentralized exchanges (DEXs) have had smart contract breaches, the majority of large successful attacks are at centralized exchanges which custody users’ funds. Decentralized exchanges, in theory, do not custody users’ funds.

Figure 1: Exchange attacks and notional value stolen per year

Year     Funds Stolen      Attacks
2011     $8,800,000        2
2012     $865,000          4
2013     $3,290,000        3
2014     $475,574,000      9
2015     $7,180,000        3
2016     $80,870,000       4
2017     $6,300,000        2
2018     $863,500,000      6
2019     $279,000,000      10
2020     $155,000,000      4
Total    $1,880,379,000    47

The recent rise in DEXs could lower the number of thefts and attacks in the coming years as accessing users’ funds becomes considerably more difficult. One of the main reasons for the inception of DEXs is that they can significantly reduce centralized attack points. Additionally, because funds are not custodied by DEXs, users’ funds are not at risk of theft. Users’ individual wallets interact with DEX platforms without custodying on those exchanges. Our full report from 2018 details the extent of decentralization of DEXs. In recent months, DEX volumes have soared to such levels that they now rival the two largest centralized exchanges, Coinbase and Binance.

Figure 2: DEX volumes over time
