Foreword
This research report was initiated by the Blockchain Security Alliance and co-authored by alliance members Beosin and Footprint Analytics. It aims to comprehensively explore the development of global blockchain security in 2024. Through the analysis and evaluation of the current status of global blockchain security, the report will reveal the current security challenges and threats, and provide solutions and best practices.
Through this report, readers will be able to have a more comprehensive understanding of the dynamic evolution of Web3 blockchain security. This will help readers evaluate and respond to the security challenges faced by the blockchain field. In addition, readers can also obtain useful suggestions on security measures and industry development directions from the report to help them make wise decisions and actions in this emerging field. Blockchain security and regulation are key issues in the development of the Web3 era. Through in-depth research and discussion, we can better understand and respond to these challenges and promote the security and sustainable development of blockchain technology.
1. Overview of Web3 blockchain security situation in 2024
According to the Alert platform of security audit company Beosin, the total loss of Web3 in 2024 due to hacker attacks, phishing scams and project party Rug Pull reached US$2.513 billion. Among them, there were 131 major attack incidents with a total loss of approximately US$1.792 billion; there were 68 Rug Pull incidents with a total loss of approximately US$148 million; the total loss of phishing scams was approximately US$574 million.
In 2024, the amount of hacker attacks and phishing scams increased significantly compared with 2023, among which phishing scams surged by 140.66% compared with 2023. The amount of loss in the Rug Pull incident of the project party decreased significantly, down by about 61.94%.
In 2024, the types of projects attacked include DeFi, CEX, DEX, public chains, cross-chain bridges, wallets, payment platforms, gambling platforms, crypto brokers, infrastructure, password managers, development tools, MEV robots, TG robots and other types. DeFi is the most frequently attacked project type, with 75 attacks on DeFi causing a total loss of approximately US$390 million. CEX is the project type with the highest total loss amount, with 10 attacks on CEX causing a total loss of approximately US$724 million.
In 2024, more public chains were attacked, and there were multiple security incidents of theft on multiple chains. Ethereum is still the public chain with the highest amount of losses. 66 attacks on Ethereum caused a loss of about $844 million, accounting for 33.57% of the total losses for the year.
From the perspective of attack methods, 35 private key leaks caused a total loss of about $1.306 billion, accounting for 51.96% of the total losses, which is the attack method that caused the most losses.
Contract vulnerability exploitation is the most frequent attack method. Among the 131 attacks, 76 were from contract vulnerability exploitation, accounting for 58.02%.
About $531 million of stolen funds were recovered throughout the year, accounting for about 21.13%. About $109 million of stolen funds were transferred to the mixer throughout the year, accounting for about 4.34% of the total stolen funds, a decrease of about 66.97% compared with 2023.
2. Top Ten Security Events in Web3 Ecosystem in 2024
In 2024, there were 5 attacks with losses of over 100 million: DMM Bitcoin ($304 million), PlayDapp ($290 million), WazirX ($235 million), Gala Games ($216 million) and Chris Larsen was stolen ($112 million). The total loss amount of the top 10 security incidents is about 1.417 billion US dollars, accounting for about 79.07% of the total amount of annual attack incidents.
No.1 DMM Bitcoin
Loss amount: 304 million US dollars
Attack method: private key leakage
On May 31, 2024, the Japanese cryptocurrency exchange DMM Bitcoin was attacked and more than 300 million US dollars worth of Bitcoin was stolen. The hacker dispersed the stolen funds to more than 10 addresses in an attempt to launder them.
No.2 PlayDapp
Loss: $290 million
Attack method: Private key leakage
On February 9, 2024, the blockchain gaming platform PlayDapp was attacked, and hackers minted 2 billion PLA tokens worth $36.5 million. After negotiations with PlayDapp failed, on February 12, hackers minted another 15.9 billion PLA tokens worth $253.9 million and sent part of the funds to the Gate exchange. The PlayDapp project team subsequently suspended the PLA contract and migrated the PLA tokens to PDA tokens.
No.3 WazirX
Loss: $235 million
Attack method: Cyber attack and phishing
On July 18, 2024, more than $230 million was stolen from a multi-signature wallet of the Indian cryptocurrency exchange WazirX. The multi-signature wallet was a Safe wallet smart contract wallet. The attacker induced the multi-signature signer to sign a contract upgrade transaction. The attacker directly transferred the assets in the wallet through the upgraded contract, and eventually transferred out all the assets of more than $230 million.
No.4 Gala Games
Loss: $216 million
Attack method: Access control vulnerability
On May 20, 2024, a privileged address of Gala Games was controlled. The attacker used the mint function of the token through the address to directly mint 5 billion GALA tokens, worth about $216 million, and exchanged the additional tokens for ETH in batches. Subsequently, the Gala Games team used the blacklist function to block the hacker and recovered the loss.
No.5 Chris Larsen (Ripple's co-founder)
Amount of loss: $112 million
Attack method: Private key leakage
On January 31, 2024, Chris Larsen, co-founder of Ripple, said that his four wallets were hacked, resulting in a total loss of approximately $112 million. The Binance team successfully froze $4.2 million worth of stolen XRP tokens.
No.6 Munchables
Loss: $62.5 million
Attack method: social engineering attack
On March 26, 2024, the Web3 game platform Munchables based on Blast was attacked and lost about $62.5 million. The project was attacked because it hired North Korean hackers as developers. All stolen funds were eventually returned by the hackers.
No.7 BTCTurk
Amount of loss: 55 million US dollars
Attack method: private key leakage
On June 22, 2024, the Turkish cryptocurrency exchange BTCTurk was attacked and lost about 55 million US dollars. Binance assisted in freezing more than 5.3 million US dollars in stolen funds.
No.8 Radiant Capital
Loss: $53 million
Attack method: Private key leakage
On October 17, 2024, the multi-chain lending protocol Radiant Capital was attacked, and the attacker illegally obtained the permissions of three owners in the Radiant Capital multi-signature wallet. Since the multi-signature wallet uses the 3/11 signature verification mode, the attacker used these three private keys to sign off-chain, and then initiated an on-chain transaction to transfer the ownership of the Radiant Capital contract to a malicious contract controlled by the attacker, causing a loss of more than $53 million.
No.9 Hedgey Finance
Amount of loss: 44.7 million U.S. dollars
Attack method: Contract vulnerability
On April 19, 2024, Hedgey Finance was attacked multiple times by attackers. The attackers exploited the token approval vulnerability and stole a large number of tokens from the ClaimCampaigns contract, of which the Ethereum chain stole tokens worth more than 2.1 million U.S. dollars and the Arbitrum chain stole tokens worth about 42.6 million U.S. dollars.
No.10 BingX
Loss: $44.7 million
Attack method: Private key leakage
On September 19, 2024, the hot wallet of BingX exchange was hacked. Although BingX launched an emergency plan, including emergency transfer of assets and suspension of withdrawals, according to Beosin statistics, the total loss of abnormal outflow of assets from the hot wallet was as high as $44.7 million, and the stolen assets involved multiple blockchains such as Ethereum, BNB Chain, Tron, Polygon, Avalanche, and Base.
3. Types of attacked projects
In addition to common types such as DeFi, CEX, DEX, public chains, cross-chain bridges, wallets, etc., the types of projects attacked in 2024 also appeared in payment platforms, gambling platforms, crypto brokers, infrastructure, password managers, development tools, MEV robots, TG robots and other project types.
In 2024, there were 75 attacks on DeFi projects, which was the type of project with the most attacks (about 50.70%). The total loss amount of DeFi attacks is about 390 million US dollars, accounting for about 15.50% of all losses, which is the fourth largest project type in terms of loss amount.
The first place in terms of loss amount is CEX (centralized exchange), with 10 attacks causing a total loss of about 724 million US dollars, which is the project type with the largest loss amount. In general, exchange types have frequent security incidents in 2024, and exchange security is still the biggest challenge for the Web3 ecosystem.
The second largest loss amount is personal wallets, with a total loss of about 445 million US dollars. 12 attacks on crypto whales and a large number of phishing attacks and social engineering attacks on ordinary users have caused the total loss of personal wallets to surge by 464.72% compared to 2023, becoming the second biggest challenge after exchange security.
4. Amount of losses on each chain
Compared with 2023, the types of public chains attacked in 2024 are also more extensive. The top five in terms of loss amount are Ethereum, Bitcoin, Arbitrum, Ripple, and Blast:
The top six in terms of the number of attacks are
Ethereum, BNB Chain, Arbitrum, Others, Base, and Solana:
As in 2023, Ethereum is still the public chain with the highest loss amount. 66 attacks on Ethereum caused a loss of approximately US$844 million, accounting for 33.59% of the total losses for the year.
Note: The total loss data does not include on-chain phishing losses and some CEX hot wallet losses
Bitcoin network losses ranked second, with a single security incident loss of $238 million. Arbitrum ranked third with a total loss of approximately $114 million.
5. Analysis of attack methods
The attack methods in 2024 are very diverse. In addition to the common contract vulnerability attacks, there are many other attack methods, including: supply chain attacks, third-party service provider attacks, man-in-the-middle attacks, DNS attacks, front-end attacks, etc..
In 2024, 35 private key leaks caused a total loss of US$1.306 billion, accounting for 51.96% of the total losses, which is the attack method that caused the most losses. The private key leaks that caused the biggest losses include: DMM Bitcoin ($304 million), PlayDapp ($290 million), Ripple co-founder Chris Larsen ($112 million), BTCTurk ($55 million), Radiant Capital ($53 million), BingX ($44.7 million), and DEXX ($21 million).
Contract vulnerability exploitation is the most common attack method. Among the 131 attacks, 76 were from contract vulnerability exploitation, accounting for 58.02%. The total loss caused by contract vulnerabilities was about $321 million, ranking third in terms of loss amount.
According to the vulnerability breakdown, business logic vulnerabilities are the most common and cause the most losses. About 53.95% of the losses in contract vulnerability incidents came from business logic vulnerabilities, causing a total loss of about $158 million.
6. Analysis of typical anti-money laundering events
6.1 Polter Finance security incident
Event Summary
On November 17, 2024, according to Beosin Alert monitoring and early warning, the FTM chain lending agreement Polter Finance was attacked. The attacker manipulated the token price in the project contract through flash loans to make a profit.
Vulnerability and Fund Analysis
The LendingPool contract (0xd47ae558623638f676c1e38dad71b53054f54273) attacked in this incident uses 0x6808b5ce79d44e89883c5393b487c4296abb69fe as the oracle, which uses the recently deployed feed contract (0x80663edff11e99e8e0b34cb9c3e1ff32e82a80fe). This feed contract uses the token reserves in the uniswapV2_pair (0xEc71) contract, which can be used by attackers for flash loans, to calculate the price, so the contract has a price manipulation attack vulnerability.
The attacker used flash loans to falsely push up the value of $BOO tokens and lend other crypto assets. Subsequently, the stolen funds were converted into FTM tokens by the attacker and then cross-chained to the ETH chain, storing all funds on the ETH chain. The following is a schematic diagram of the flow of funds on the ARB chain and the ETH chain:
On November 20, the attacker continued to transfer more than 2,625 ETH to Tornado Cash, as shown in the figure below:
6.2 BitForex Security Incident
Event Summary
Fund Analysis
The Beosin security team conducted an in-depth tracking and analysis of the BitForex incident through Trace:
Ethereum
At 6:11 (UTC+8) on February 24, 2024, the Bitforex exchange began to transfer 40,771 USDT, 258,700 USDC, 148.01 ETH and 471,405 TRB to the Ethereum runaway address (0xdcacd7eb6692b816b6957f8898c1c4b63d1fc01f).
Then on August 9th, Beijing time, the absconded address transferred all tokens except TRB (including 147.9 ETH, 40,771 USDT and 258,700 USDC) back to the Bitforex exchange account (0xcce7300829f49b8f2e4aee6123b12da64662a8b8).
Then from November 9 to November 10, Beijing time, the runaway address transferred 355,000 TRB to four different OKX exchange user addresses through 7 transactions:
0x274c481bf400c2abfd2b5e648a0056ef34970b0a
0x45798ca76a589647acc21040c50562dcc33cf6bf
0x712d2fd67fe65510c5fad49d5a9181514d94183d
Polygon
On February 24th, Beijing time, Bitforex exchange withdrew 99,000 MATIC, 20,300 USDT and 1,700 USDC to the POL chain address: 0xdcacd7eb6692b816b6957f8898c1c4b63d1fc01f.
Among them, 99,000 MATIC were transferred to the address 0xcce7300829f49b8f2e4aee6123b12da64662a8b8 on August 9 and have been deposited to date, and the remaining USDT and USDC tokens have been deposited to date.
TRON
On February 24, Bitforex exchange withdrew 44,000 TRX and 657,698 USDT to the TRON chain address TQcnqaU4NDTR86eA4FZneeKfJMiQi7i76o. On August 9, all the above tokens were transferred back to the Bitforex exchange user address: TGiTEXjqx1C2Y2ywp7gTR8aYGv8rztn9uo.
Bitcoin
Starting from February 24, 16 Bitforex addresses transferred a total of 5.7BTC to the BTC chain address 3DbbF7yxCR7ni94ANrRkfV12rJoxrmo1o2. This address transferred all 5.7BTC back to the Bitforex exchange address on August 9: 11dxPFQ8K9pJefffHE4HUwb2aprzLUqxz.
In summary, on February 24, Bitforex exchange transferred 40,771 USDT, 258,700 USDC, 148.01 ETH and 471,405 TRB to the ETH chain; 44,000 TRX and 657,698 USDT to the TRON chain; 5.7 BTC to the BTC chain; 166 ETH, 46,905 USDT and 57,810 USDC to the BNB Chain; and 99,000 MATIC, 20,300 USDT and 1,700 USDC to the Polygon chain. On August 9, all BTC chain tokens, all TRON chain tokens, and ETH chain tokens except TRB were transferred back to Bitforex Exchange, and all 471,405 TRB were transferred to 4 OKX accounts and 2 Binance accounts on November 9 and 10. So far, all tokens of ETH chain, TRON chain and BTC chain have been transferred, 166 ETH, 46,905 USDT and 57,810 USDC are deposited on BSC, and 99,000 MATIC, 20,300 USDT and 1,700 USDC are deposited on POL.
Attached is the exchange address for depositing TRB:
7. Analysis of the flow of funds of stolen assets
Of the funds stolen in 2024, about $1.312 billion remained in the hacker's address (including transfers through cross-chain and dispersion to multiple addresses), accounting for 52.20% of the total stolen funds. Compared with last year, hackers this year are more inclined to use multiple cross-chain to launder money and disperse the stolen funds to many addresses, rather than directly using mixers. The increase in addresses and the complexity of money laundering paths have undoubtedly increased the difficulty of investigation for project parties and regulators.
About $531 million of stolen funds were recovered, accounting for about 21.13%. In 2023, the recovered funds were about $295 million.
About $109 million of stolen funds were transferred to the mixer throughout the year, accounting for about 4.34% of the total stolen funds. Since the US OFAC sanctioned Tornado Cash in August 2022, the amount of stolen funds transferred to Tornado Cash has dropped significantly.
8. Project Audit Analysis
Among the 131 attack incidents, 42 of the project parties were not audited, 78 of the project parties were audited, and the audit status of the project parties in 11 incidents could not be confirmed.
Of the 42 unaudited projects, contract vulnerability incidents accounted for 30 (about 71.43%). This shows that unaudited projects are more likely to have potential security risks. In contrast, out of the 78 audited projects, 49 (about 62.82%) had contract vulnerabilities. This shows that auditing can improve the security of projects to a certain extent.
However, due to the lack of complete regulatory standards in the Web3 market, the quality of audits varies, and the final results are far from expectations. In order to effectively ensure the security of assets, it is recommended that projects must find a professional security company to conduct an audit before going online.
9. Rug Pull Analysis
In 2024, the Beosin Alert platform monitored 68 major Rug Pull events in the Web3 ecosystem, with a total amount involved of approximately US$148 million, a significant decrease from US$388 million in 2023.
In terms of the amount, among the 68 Rug Pull incidents, a total of 9 projects involved amounts of more than one million US dollars, namely Essence Finance (US$20 million), Shido Global (US$2.4 million), ETHTrustFund (US$2.2 million), Nexera (US$1.8 million), Grand Base (US$1.7 million), SAGA Token (US$1.6 million), OrdiZK (US$1.4 million), MangoFarmSOL (US$1.29 million) and RiskOnBlast (US$1.25 million), with a total loss of US$33.64 million, accounting for 22.73% of the loss amount of all Rug Pull incidents.
Rug Pull projects on Ethereum and BNB Chain accounted for 82.35% of the total number, with 24 and 32 respectively. Scroll had one Rug Pull of more than 20 million US dollars. A small number of Rug Pull incidents occurred on other public chains, including Polygon, BASE, Solana, etc.
10. Summary of Web3 blockchain security situation in 2024
In 2024, the number of on-chain hacker attacks and project Rug Pull incidents has decreased significantly compared with 2023, but the amount of losses is still increasing, and phishing attacks are more rampant. The attack method with the highest loss is still private key leakage. The main reasons for this change include:
After the rampant hacker activities last year, the entire Web3 ecosystem has paid more attention to security this year. From project parties to security companies, efforts have been made in various aspects, such as real-time on-chain monitoring, more emphasis on security audits, and active experience from past contract vulnerability exploitation incidents, making it more difficult for hackers to steal funds through contract vulnerabilities than last year. However, project parties still need to strengthen security awareness in terms of private key custody and project operation security.
With the integration of the crypto market and the traditional market, hackers are no longer limited to attacking DeFi, cross-chain bridges, exchanges and other types, but turn to attacking payment platforms, gambling platforms, crypto brokers, infrastructure, password managers, development tools, MEV robots, TG robots and other targets.
In 2024-2025, the crypto market will enter a bull market, and on-chain funds will be active, which will attract more hacker attacks to a certain extent. In addition, the regulatory policies for crypto assets in various regions are gradually being improved to combat various criminal activities using crypto assets. Under this trend, hacker attacks are expected to remain high in 2025, and global law enforcement agencies and regulators will still face severe challenges.