2024 Web3 Security Incident Review: Top 10 Cases Resulting in Nearly $2.5 Billion in Losses
Review of Major Security Incidents in the Web3 Field in 2024
In 2024, the blockchain industry saw technological innovation and ecosystem expansion, but it also faced increasingly severe security challenges. According to data from a security monitoring platform, total losses in the Web3 space from hacker attacks, phishing scams, and project teams absconding reached $2.491 billion by the end of the year.
These events not only expose technical flaws in areas such as private key management and smart contracts but also highlight the potential risks of social engineering and internal management. This article will review the top ten security incidents in Web3 for 2024, allowing the industry to learn lessons and better respond to future security threats.
1. A Major Attack on a Certain Japanese Exchange
Loss amount: $304 million
Attack method: Private key leakage
On May 31, 2024, a well-known Japanese cryptocurrency exchange suffered a historic attack. The attackers used leaked private keys to directly transfer over $300 million worth of Bitcoin and quickly dispersed the stolen funds to multiple different addresses. This incident exposed serious deficiencies in the exchange's private key management and multi-layer security protections. Although the exchange attempted to track the hackers through on-chain monitoring and freezing of funds, the stolen Bitcoin was dispersed and laundered using mixing tools, posing significant challenges for tracking.
At the end of the year, local police determined that the incident was caused by an international hacker organization.
2. PlayDapp Suffered Severe Losses
Loss amount: 290 million USD
Attack method: Private key leakage
On February 9, 2024, PlayDapp suffered a severe blow when hackers minted 2 billion PLA tokens by stealing private keys, initially valued at $36.5 million. Due to failed negotiations between the project team and the hackers, the hackers further minted 15.9 billion PLA tokens in a short period, valued at $253.9 million. After some of these tokens flowed into exchanges, PlayDapp was forced to suspend the PLA contract and migrate to the PDA token contract. This incident highlights the shortcomings of blockchain projects in private key protection and emergency incident handling.
3. India's Largest Cryptocurrency Exchange Attacked
Loss amount: $235 million
Attack methods: Network attacks and phishing
On July 18, 2024, the multi-signature wallet of India's largest cryptocurrency exchange was hit by a targeted attack. The attackers used social engineering to induce the multi-signature signers to sign a contract upgrade transaction, and then exploited the upgraded contract's permissions to transfer all assets out of the wallet. This incident highlights the risks that multi-signature wallets carry in permission configuration and operational transparency, and it has prompted the industry to reflect deeply on projects' internal risk controls and security mechanisms.
4. Gala Games Faces Token Inflation Attack
Loss amount: 216 million USD
Attack method: Access control vulnerability
On May 20, 2024, a privileged address of Gala Games was hacked, and the attacker called the mint function in the token contract to mint 5 billion GALA tokens in one go. Subsequently, the hacker exchanged the minted tokens for ETH in batches, resulting in a direct loss of $216 million. After the incident, the Gala Games team urgently activated the blacklist function to block some hacker accounts and recovered part of the losses through legal means.
5. Ripple Co-founder Personal Wallet Attacked
Loss amount: 112 million USD
Attack method: Private key leakage
On January 31, 2024, four personal wallets of Ripple co-founder Chris Larsen were hacked, resulting in the theft of $112 million worth of XRP. These wallets were targeted due to a lack of dual protection via hardware devices. Following the incident, a certain exchange successfully froze $4.2 million worth of XRP and assisted in tracking the stolen assets, but the vast majority of the funds have already been laundered through decentralized exchanges and mixing services.
6. Munchables Encounters Internal Penetration
Loss amount: 62.5 million USD
Attack method: Social engineering attack
On March 26, 2024, the Blast-based Web3 gaming platform Munchables experienced a rare internal infiltration attack. The attackers posed as blockchain developers and had lurked inside the project for a long time to obtain its core code and sensitive keys. Although the attack caused significant losses, the hackers ultimately returned all the stolen funds under pressure from the community and the team. This incident highlights the importance of supply chain security, especially for blockchain projects that rely on third-party development.
7. Major Turkish Exchange Faces Private Key Leak
Loss amount: 55 million USD
Attack method: Private key leakage
On June 22, 2024, Turkey's largest cryptocurrency exchange suffered a private key leak attack, resulting in losses of over 55 million USD in crypto assets. With the assistance of a certain exchange's team, 5.3 million USD of the stolen funds were successfully frozen, but other assets remain unrecovered. This incident has heightened market concerns about the private key management of centralized exchanges.
8. Radiant Capital Multi-Signature Wallet Breached
Loss amount: 53 million USD
Attack method: Private key leakage
On October 17, 2024, Radiant Capital's multi-signature wallet was compromised by hackers. Because the wallet used a low-threshold 3/11 signature verification model, the hackers needed only the private keys of 3 signers. With those keys they produced off-chain signatures and transferred ownership of the wallet contract to a malicious address, ultimately resulting in the theft of $53 million. This attack has sparked industry reflection on the design and governance mechanisms of multi-signature wallets.
It is worth noting that Radiant Capital had already lost 4.5 million dollars to a contract vulnerability before this attack, with over 1,900 ETH stolen. This again shows that Web3 project teams need to place greater emphasis on security.
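The incidents in sections 3 and 8 both ended with multisig signers approving a contract upgrade or an ownership transfer. The Python example below is added here and is not from the article or from any project it names; it shows a pre-signing check that decodes a proposal's calldata and flags such operations (and, going beyond those two cases, the mint call from section 4) unless the target address is on an approved list. The selectors are the standard 4-byte IDs for these function signatures; the Safe-style operation field, the allowlist, and the sample addresses are assumptions constructed for illustration.

```python
from __future__ import annotations

# Added example: pre-signing review of a multisig proposal (not from the article).
# That a given wallet or token exposes these exact signatures is an assumption.
HIGH_RISK_SELECTORS = {
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
    "f2fde38b": "transferOwnership(address)",
    "40c10f19": "mint(address,uint256)",
}

def first_address_arg(calldata: bytes) -> str | None:
    """Return the first ABI-encoded address argument, or None if malformed."""
    word = calldata[4:36]
    if len(word) != 32 or any(word[:12]):
        return None  # truncated, or the upper 12 bytes are not zero padding
    return "0x" + word[12:].hex()

def review_proposal(data_hex: str, operation: int, allowlist: set[str]) -> list[str]:
    """Return the reasons a signer should stop and verify out of band.

    allowlist holds lowercase 0x-prefixed addresses approved in advance.
    """
    findings = []
    calldata = bytes.fromhex(data_hex.removeprefix("0x"))
    if operation == 1:  # Safe-style convention: 0 = CALL, 1 = DELEGATECALL
        findings.append("delegatecall: target code runs with the wallet's storage")
    name = HIGH_RISK_SELECTORS.get(calldata[:4].hex())
    if name:
        target = first_address_arg(calldata)
        if target is None:
            findings.append(f"{name}: malformed address argument")
        elif target not in allowlist:
            findings.append(f"{name}: {target} is not an approved address")
    return findings

# Constructed sample proposals (all addresses are made up for illustration).
APPROVED = {"0x" + "11" * 20}
ROGUE = "f2fde38b" + "00" * 12 + "ab" * 20  # transferOwnership(unknown address)
ROUTINE = "a9059cbb" + "00" * 12 + "22" * 20 + "00" * 31 + "01"  # ERC-20 transfer

if __name__ == "__main__":
    for label, data in (("rogue", ROGUE), ("routine", ROUTINE)):
        print(label, review_proposal(data, 0, APPROVED) or "no findings")
```

A check like this only helps if each signer runs it on a device separate from the interface that presented the proposal, since a compromised front end can display one transaction while requesting a signature on another.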
9. Hedgey Finance Multi-Chain Contract Attacked
Loss amount: 44.7 million USD
Attack method: Contract vulnerability
On April 19, 2024, Hedgey Finance suffered an attack targeting multiple on-chain contracts. The hacker exploited a vulnerability in its ClaimCampaigns contract, successfully extracting tokens from both the Ethereum and Arbitrum chains, with total losses amounting to $44.7 million. This incident highlights the importance of code audits, particularly the rigorous verification of token approval logic.
10. A Certain Exchange's Hot Wallet Was Hacked
Loss amount: 44.7 million USD
Attack method: Private key leakage
On September 19, 2024, the hot wallet of a certain exchange was hacked, involving multiple public chains including Ethereum, BNB Chain, Tron, and others. Although the exchange quickly activated asset transfer and withdrawal freeze mechanisms, the hackers successfully extracted assets worth 44.7 million dollars. This attack reflects the high-risk nature of hot wallet management in centralized exchanges and further drives the industry to explore safer asset storage solutions.
Conclusion
Security incidents were frequent in 2024, a reminder that the development of the blockchain industry depends on sound security. From private key leaks to contract vulnerabilities, from internal management oversights to increasingly sophisticated external attack methods, each incident has brought profound lessons. To cope with increasingly complex threats, all parties in the industry need to keep strengthening their investment in technology research and development, management standards, and risk prevention. In the future, we look forward to building a more secure blockchain ecosystem through industry collaboration and technological innovation, providing more reliable protection for users and investors.