Top 10 Security Incidents in Web3: Losses Reaching $2.491 Billion in 2024


Review and Reflection on the Top 10 Web3 Security Incidents of 2024

In 2024, while the blockchain industry experienced technological innovation and ecosystem expansion, it also faced increasingly severe security challenges. According to security monitoring data, the total loss in the Web3 field this year due to hacker attacks, phishing scams, and project teams absconding amounts to as much as $2.491 billion.

These incidents not only expose technical flaws such as private key management and smart contract vulnerabilities, but also highlight the potential risks of social engineering and internal management. This article will review the top ten security incidents in Web3 of 2024, aiming to learn lessons from them and provide references for the future security protection of the industry.

Review of the Top Ten Most Influential Attack Events in Web3 for 2024

1. DMM Bitcoin: Private Key Leak Causes $304 Million Loss

On May 31, 2024, DMM Bitcoin, a well-known cryptocurrency exchange in Japan, suffered a major attack. Hackers used leaked private keys to directly transfer over $300 million worth of Bitcoin and quickly dispersed the stolen funds to multiple addresses. This incident exposed serious deficiencies in the exchange's private key management and multi-layer security measures.

Although the exchange tried to track the attacker through on-chain monitoring and to freeze funds, the stolen bitcoins were quickly dispersed and laundered through mixing tools, significantly increasing the difficulty of recovery. Notably, Japanese police confirmed on December 24 that the incident was perpetrated by the North Korean hacker group Lazarus Group.

2. PlayDapp: $290 million loss due to private key leak

On February 9, 2024, PlayDapp suffered a severe blow. Hackers minted 2 billion PLA tokens by stealing private keys, initially valued at 36.5 million USD. After negotiations with the project team failed, the hackers further minted 15.9 billion PLA tokens, valued at 253.9 million USD. After some of the stolen tokens flowed into exchanges, PlayDapp was forced to suspend the PLA contract and migrate to a new PDA token contract. This incident highlights the shortcomings of blockchain projects in private key protection and emergency response.

3. An Indian Cryptocurrency Exchange: Network Attacks and Phishing Result in $235 Million Loss

On July 18, 2024, the Safe Wallet multi-signature wallet of India’s largest cryptocurrency exchange was subjected to a targeted attack. The attackers used social engineering techniques to induce the multi-signature signers to approve a contract upgrade transaction, and then used the upgraded contract permissions to transfer all assets from the wallet. This case highlights the potential risks of multi-signature wallets in terms of permission management and operational transparency, and has sparked in-depth reflection within the industry on internal risk control and security mechanisms.

4. Gala Games: Access Control Vulnerability Leads to $216 Million Loss

On May 20, 2024, a privileged address of Gala Games was hacked. The attacker minted 5 billion GALA tokens all at once by calling the mint function in the token contract. Subsequently, the hacker exchanged these tokens for ETH in batches, resulting in a direct loss of $216 million. After the incident, the Gala Games team urgently activated the blacklist function to block some hacker accounts and recovered part of the losses through legal means.
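The PlayDapp and Gala Games incidents both came down to a compromised privileged key calling mint, so a monitor on mint events is a useful compensating control. The sketch below is an added example, not code from either project: it flags mints whose rolling-window total exceeds a fraction of the prior supply. The addresses, timestamps, starting supply and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

ZERO = "0x" + "0" * 40  # ERC-20 mints are emitted as Transfer events from the zero address

@dataclass
class Transfer:
    time: int        # block timestamp, unix seconds
    sender: str
    recipient: str
    amount: int      # whole tokens, for readability

def flag_mints(events, supply_before, window_s=3600, max_fraction=0.01):
    """Alert when tokens minted inside a rolling window exceed max_fraction
    of the supply that existed when the window opened. Summing over the window
    catches a single huge mint and a burst of smaller ones alike."""
    alerts, window, supply = [], [], supply_before
    for ev in sorted(events, key=lambda e: e.time):
        if ev.sender != ZERO:
            continue  # ordinary transfer, not a mint
        window = [w for w in window if ev.time - w.time < window_s]
        prior = sum(w.amount for w in window)
        baseline = supply - prior          # supply at the start of the window
        minted = prior + ev.amount
        if minted > max_fraction * baseline:
            alerts.append((ev.time, ev.recipient, minted, round(minted / baseline, 4)))
        window.append(ev)
        supply += ev.amount
    return alerts

# Constructed sample data: addresses, timestamps and the starting supply are made up.
SUPPLY = 30_000_000_000
EVENTS = [
    Transfer(1_000, "0xaaa", "0xbbb", 5_000),                 # normal transfer
    Transfer(2_000, ZERO, "0xtreasury", 1_000_000),           # routine small mint
    Transfer(90_000, ZERO, "0xsuspect1", 5_000_000_000),      # one 5-billion mint
    Transfer(200_000, ZERO, "0xsuspect2", 150_000_000),       # burst of smaller mints
    Transfer(200_600, ZERO, "0xsuspect2", 150_000_000),
    Transfer(201_200, ZERO, "0xsuspect2", 150_000_000),
]

if __name__ == "__main__":
    for alert in flag_mints(EVENTS, SUPPLY):
        print(alert)
```

An alert like this is only useful if it is wired to a response the team can execute quickly, such as the contract suspension or blacklist actions described in these two incidents.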

5. Ripple Co-founder Personal Wallet Attacked: $112 Million XRP Stolen

On January 31, 2024, four personal wallets of Ripple co-founder Chris Larsen were hacked, resulting in the theft of $112 million worth of XRP. These wallets may have become targets of the attack due to the lack of dual protection from hardware devices. After the incident, a certain exchange successfully froze $4.2 million worth of XRP and assisted Larsen in tracking the stolen assets, but most of the funds had already been laundered through decentralized exchanges and mixing services.


6. Munchables: Social engineering attacks caused a loss of $62.5 million

On March 26, 2024, the Blast-based Web3 gaming platform Munchables experienced a rare internal infiltration attack. The attacker was a hacker disguised as a blockchain developer who obtained the core code and sensitive keys through long-term lurking. Despite the attack resulting in huge losses, under pressure from the community and the team, the hacker ultimately returned all stolen funds. This incident highlights the importance of supply chain security, especially for blockchain projects that rely on third-party development.

7. A Turkish Cryptocurrency Exchange: Private Key Leak Causes $55 Million Loss

On June 22, 2024, Turkey's largest cryptocurrency exchange suffered a private key leak attack, resulting in a loss of over $55 million in cryptocurrency assets. With the assistance of a certain exchange team, $5.3 million of the stolen funds were successfully frozen, but other assets have not yet been recovered. This incident has deepened market concerns about the private key management of centralized exchanges.

8. Radiant Capital: Multi-signature Wallet Vulnerability Leads to $53 Million Loss

On October 17, 2024, the multi-signature wallet of Radiant Capital was hacked. Due to the use of a low-threshold 3/11 signature verification model, the hacker initiated an off-chain signature by gaining control of the private keys of 3 signers, transferring the ownership of the wallet contract to a malicious address, ultimately resulting in the theft of $53 million. This attack has sparked industry-wide reflection on the design and governance mechanisms of multi-signature wallets.

It is worth noting that, before this attack, Radiant Capital had already lost $4.5 million to a contract vulnerability, with over 1,900 ETH stolen. This once again emphasizes the room for improvement in the security awareness of Web3 project teams.


9. Hedgey Finance: Contract Vulnerability Causes $44.7 Million Loss

On April 19, 2024, Hedgey Finance suffered an attack targeting multiple on-chain contracts. The hacker exploited a vulnerability in its ClaimCampaigns contract, successfully extracting tokens from both the Ethereum and Arbitrum chains, resulting in a total loss of $44.7 million. This incident highlights the importance of code auditing, particularly the rigorous validation of token approval logic.

10. A cryptocurrency exchange: Hot wallet hacked, resulting in a loss of $44.7 million

On September 19, 2024, the hot wallet of a certain cryptocurrency exchange was hacked, involving multiple public chains such as Ethereum, BNB Chain, and Tron. Although the exchange quickly activated asset transfer and withdrawal freeze mechanisms, the hackers successfully extracted assets worth $44.7 million. This attack reflects the high risks associated with the management of hot wallets by centralized exchanges and further drives the industry to explore safer asset storage solutions.


Conclusion

The frequent security incidents of 2024 remind us once again that the blockchain industry cannot develop without sound security. From private key leaks to contract vulnerabilities, from internal management oversights to increasingly sophisticated external attack methods, each incident has brought profound lessons. To cope with increasingly complex threats, all parties in the industry need to keep strengthening their investment in technological research and development, management standards, and risk prevention. In the future, we hope to jointly establish a safer blockchain ecosystem through industry collaboration and technological innovation, providing more reliable protection for users and investors.


Comment
SocialAnxietyStakervip
· 21h ago
Pros' Private Keys can be stolen.
pvt_key_collectorvip
· 21h ago
Not even a hair has fallen, just pretending to be very safe.
token_therapistvip
· 21h ago
When will the suckers be able to stand up?