Top 10 Web3 Security Incidents of 2024: A Review by Beosin

Dec 26, 2024 at 02:04 am

In 2024, the blockchain industry is facing increasingly severe security challenges while innovating technology and expanding its ecosystem.

Despite the rapid technological advancements and expanding ecosystem in the blockchain industry, 2024 has witnessed a surge in severe security challenges. According to the Alert platform of security audit company Beosin, Web3-related losses due to hacker attacks, phishing scams, and project-team "rug pulls" have reached an alarming total of US$2.491 billion by press time.

These incidents not only highlighted technical vulnerabilities such as private key mismanagement and smart contract flaws but also brought to light the potential risks posed by social engineering and internal management. In this article, we will delve into the top ten Web3 security incidents of 2024 to help the industry learn from past experiences and better prepare for future threats.

No.1 DMM Bitcoin

Amount of Loss: $304 million

Attack Method: Private key leakage

On May 31, 2024, a long-established cryptocurrency exchange in Japan, DMM Bitcoin, fell victim to a massive attack. The attacker, having obtained the leaked private key, directly transferred Bitcoin valued at over $300 million and swiftly dispersed the stolen funds across 10 different addresses.

This attack exposed DMM Bitcoin's critical deficiencies in private key management and multi-layer security protection. Despite the exchange's attempt to track the stolen Bitcoin on-chain and freeze the funds, the attacker's use of mixing tools to disperse and clean the funds posed a significant challenge.

On December 24, Japanese police concluded that the DMM Bitcoin theft was perpetrated by the North Korean hacker organization Lazarus Group.

No.2 PlayDapp

Amount of Loss: $290 million

Attack Method: Private key leakage

A devastating blow was dealt to PlayDapp on February 9, 2024, when hackers stole the project's private keys and minted 2 billion PLA tokens, initially valued at $36.5 million. Following failed negotiations between the project and the hackers, the attackers minted an additional 15.9 billion PLA tokens, valued at $253.9 million, in a short span of time.

After some of these tokens entered the Gate exchange, PlayDapp was compelled to suspend the PLA contract and migrate to the PDA token contract. This incident underscored the shortcomings in private key protection and incident emergency response among blockchain projects.

No.3 WazirX

Amount of Loss: $235 million

Attack Methods: Cyberattack, phishing

On July 18, 2024, the Safe Wallet multi-signature wallet of WazirX, India's largest cryptocurrency exchange, was precisely targeted by hackers. The attacker employed social engineering tactics to manipulate a multi-signature signer into approving a contract upgrade transaction, which was then exploited to siphon off all the assets in the wallet.

This case highlighted the potential risks associated with multi-signature wallets in terms of management authority configuration and operational transparency. It also sparked industry-wide introspection on the internal risk control and security mechanisms of the project.

For an in-depth analysis of the incident and fund tracking, please refer to "Beosin | Analysis of the $235 million theft from Indian exchange WazirX".

No.4 Gala Games

Amount of Loss: $216 million

Attack Method: Access control vulnerability

A privileged address of Gala Games was compromised on May 20, 2024. The attacker exploited a vulnerability in the token contract's mint function to generate 5 billion GALA tokens at once. Subsequently, the attacker exchanged the additional tokens for ETH in batches, directly leading to a loss of 216 million US dollars.

In the aftermath of the incident, the Gala Games team promptly activated the blacklist function to block several hacker accounts and recovered the losses through legal channels.

No.5 Chris Larsen (Ripple's co-founder)

Amount of Loss: $112 million

Attack Method: Private key leakage

Four personal wallets belonging to Chris Larsen, co-founder of Ripple, were hacked on January 31, 2024, resulting in the theft of $112 million in XRP. These wallets are suspected to have become targets of attack due to the lack of dual protection for hardware devices.

Binance successfully froze XRP valued at $4.2 million and assisted Larsen in tracking the stolen assets, but the majority of the funds had already been laundered through decentralized exchanges and currency mixing services.

No.6 Munchables

Amount of Loss: $62.5 million

Attack Method: Social engineering attack

On March 26, 2024, Munchables, a Web3 game platform built on Blast, encountered a rare internal penetration attack. The attacker, a North Korean hacker, posed as a blockchain developer and managed to obtain the core code and sensitive keys through a prolonged period of lurking.

Despite the attack causing substantial

News source: www.panewslab.com
