Top 10 Web3 Security Incidents of 2024: Lessons Learned and Future Threats
Dec 25, 2024 at 09:18 pm
Source: Beosin
Top 10 Web3 Security Incidents in 2024: A Review and Analysis
In 2024, the blockchain industry faced severe security challenges as it advanced technologically and expanded its ecosystem. According to the Alert platform of security audit company Beosin, at the time of writing, total losses in the Web3 sector from hacker attacks, phishing scams, and rug pulls by project teams amounted to a staggering US$2.491 billion.
These incidents not only highlighted technical vulnerabilities such as private key mismanagement and smart contract exploits but also brought to light the potential risks associated with social engineering and internal management. In this article, we will delve into the top ten Web3 security incidents of 2024 to help the industry learn from these events and better prepare for future security threats.
1. DMM Bitcoin
Amount of loss: $304 million
Attack method: private key leakage
On May 31, 2024, DMM Bitcoin, a long-standing cryptocurrency exchange in Japan, suffered a historic attack. The attacker used the leaked private key to directly transfer more than $300 million worth of Bitcoin and quickly dispersed the stolen funds to over 10 different addresses. This attack exposed DMM Bitcoin's serious deficiencies in private key management and multi-layer security protection. Despite the exchange's efforts to track the hacker through on-chain monitoring and freezing funds, the stolen Bitcoin was dispersed, transferred, and cleaned using mixing tools, presenting significant challenges to tracking.
On December 24, Japanese police concluded that the DMM Bitcoin theft was perpetrated by the North Korean hacker organization Lazarus Group.
2. PlayDapp
Amount of loss: $290 million
Attack method: private key leakage
On February 9, 2024, PlayDapp suffered a devastating blow. Using stolen private keys, hackers minted 2 billion PLA tokens, initially valued at $36.5 million. After negotiations between the project and the hackers fell through, the hackers minted a further 15.9 billion PLA tokens, valued at $253.9 million, over a short period. After some of these tokens flowed into the Gate exchange, PlayDapp was forced to suspend the PLA contract and migrate to the PDA token contract. This incident underscores the shortcomings of blockchain projects in private key protection and incident response.
3. WazirX
Amount of loss: $235 million
Attack methods: Cyber attacks and phishing
On July 18, 2024, the Safe Wallet multi-signature wallet of WazirX, India's largest cryptocurrency exchange, was precisely targeted by hackers. The attacker employed social engineering to manipulate a multi-signature signer into approving a contract upgrade transaction, subsequently using the upgraded contract permissions to extract all the assets in the wallet. This case highlights the potential risks of multi-signature wallets in terms of management authority configuration and operational transparency and has also triggered in-depth reflection within the industry on the internal risk control and security mechanisms of the project.
For a detailed analysis of the incident and fund tracking, read "Beosin | Analysis of the $235 million theft from Indian exchange WazirX".
4. Gala Games
Amount of loss: $216 million
Attack method: Access control vulnerability
On May 20, 2024, a privileged address of Gala Games was compromised. The attacker minted 5 billion GALA tokens at once by calling the mint function in the token contract. Subsequently, the hacker exchanged the additional tokens for ETH in batches, directly causing a loss of 216 million US dollars. In the aftermath of the incident, the Gala Games team swiftly activated the blacklist function to block some hacker accounts and began recovering the losses through legal channels.
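The PlayDapp and Gala Games incidents both came down to very large mints issued with a compromised privileged key. The following is an added example, not code from Beosin or either project, of a monitor that flags abnormal mints in decoded ERC-20 Transfer events; the policy (a per-mint cap in basis points of current supply plus a recipient allowlist), all names, and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ZERO = "0x" + "0" * 40  # ERC-20 convention: a mint is a Transfer from the zero address

@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    recipient: str
    amount: int  # whole tokens, to keep the sample readable

def find_suspicious_mints(events, initial_supply, max_bps=100, allowed=()):
    """Return (block, recipient, amount, reasons) for each mint that breaks policy.

    Assumed policy: one mint may add at most max_bps basis points of the
    supply circulating at that moment, and only to an allowlisted recipient.
    """
    supply = initial_supply
    allowlist = {a.lower() for a in allowed}
    alerts = []
    for ev in sorted(events, key=lambda e: e.block):
        if ev.sender.lower() == ZERO:
            reasons = []
            if ev.amount * 10_000 > supply * max_bps:
                reasons.append("exceeds per-mint cap")
            if ev.recipient.lower() not in allowlist:
                reasons.append("recipient not allowlisted")
            if reasons:
                alerts.append((ev.block, ev.recipient, ev.amount, reasons))
            supply += ev.amount  # track supply so later ratios stay accurate
        elif ev.recipient.lower() == ZERO:
            supply -= ev.amount  # burn
    return alerts

# Constructed sample data; addresses and amounts are invented.
TREASURY = "0x" + "a1" * 20
USER = "0x" + "b2" * 20
UNKNOWN = "0x" + "c3" * 20
SAMPLE = [
    Transfer(100, ZERO, TREASURY, 5_000_000),     # routine emission, 0.5% of supply
    Transfer(101, TREASURY, USER, 1_000),         # ordinary transfer, ignored
    Transfer(102, USER, ZERO, 400),               # burn, lowers tracked supply
    Transfer(150, ZERO, UNKNOWN, 2_000_000_000),  # huge mint to a new address
    Transfer(151, ZERO, UNKNOWN, 1_000_000),      # small, but still off-allowlist
]

if __name__ == "__main__":
    for block, to, amount, reasons in find_suspicious_mints(
            SAMPLE, initial_supply=1_000_000_000, allowed=[TREASURY]):
        print(f"block {block}: mint of {amount:,} to {to}: {', '.join(reasons)}")
```

An alert like this only shortens response time; the incidents above still required pausing, blacklisting, or migrating the token contract after the fact.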
5. Chris Larsen (Ripple's co-founder)
Amount of loss: $112 million
Attack method: private key leakage
On January 31, 2024, four personal wallets of Chris Larsen, co-founder of Ripple, were compromised, leading to the theft of $112 million in XRP. These wallets are suspected to have become targets of attack due to the lack of dual protection of hardware devices. After the incident, Binance successfully froze $4.2 million worth of XRP and assisted Larsen in tracking the stolen assets, but most of the funds had been laundered through decentralized exchanges and currency mixing services.
6. Munchables
Amount of loss: $62.5 million
Attack method: social engineering attack
On March 26, 2024, Munchables, a Web3 game platform built on Blast, encountered a rare internal penetration attack. The attacker, a North Korean hacker, posed as a blockchain developer and obtained the core code and sensitive keys through prolonged lurking. Despite the substantial losses, the hacker eventually returned all the stolen funds under pressure from the community and the