Top Ten Web3 Security Incidents of 2024: A Beosin Review

2024/12/26 02:04

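In 2024, the blockchain industry faced increasingly severe security challenges even as it innovated technologically and expanded its ecosystem.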


Despite the rapid technological advancements and expanding ecosystem in the blockchain industry, 2024 has witnessed a surge in severe security challenges. According to the Alert platform of security audit company Beosin, Web3-related losses from hacker attacks, phishing scams, and "rug pulls" by project teams had reached an alarming total of US$2.491 billion by press time.


These incidents not only highlighted technical vulnerabilities such as private key mismanagement and smart contract flaws but also brought to light the potential risks posed by social engineering and internal management. In this article, we will delve into the top ten Web3 security incidents of 2024 to help the industry learn from past experiences and better prepare for future threats.

No.1 DMM Bitcoin


Amount of Loss: $304 million


Attack Method: Private key leakage


On May 31, 2024, a long-established cryptocurrency exchange in Japan, DMM Bitcoin, fell victim to a massive attack. The attacker, having obtained the leaked private key, directly transferred Bitcoin valued at over $300 million and swiftly dispersed the stolen funds across 10 different addresses.


This attack exposed DMM Bitcoin's critical deficiencies in private key management and multi-layer security protection. Despite the exchange's attempt to track the stolen Bitcoin on-chain and freeze the funds, the attacker's use of mixing tools to disperse and clean the funds posed a significant challenge.


On December 24, Japanese police concluded that the DMM Bitcoin theft was perpetrated by the North Korean hacker organization Lazarus Group.


No.2 PlayDapp

Amount of Loss: $290 million


Attack Method: Private key leakage


A devastating blow was dealt to PlayDapp on February 9, 2024, when hackers stole the project's private keys and minted 2 billion PLA tokens, initially valued at $36.5 million. Following failed negotiations between the project and the hackers, the attackers minted an additional 15.9 billion PLA tokens, valued at $253.9 million, in a short span of time.


After some of these tokens entered the Gate exchange, PlayDapp was compelled to suspend the PLA contract and migrate to the PDA token contract. This incident underscored the shortcomings in private key protection and incident emergency response among blockchain projects.


No.3 WazirX


Amount of Loss: $235 million


Attack Methods: Cyberattack, phishing


On July 18, 2024, the Safe Wallet multi-signature wallet of WazirX, India's largest cryptocurrency exchange, was precisely targeted by hackers. The attacker employed social engineering tactics to manipulate a multi-signature signer into approving a contract upgrade transaction, which was then exploited to siphon off all the assets in the wallet.


This case highlighted the potential risks associated with multi-signature wallets in terms of management authority configuration and operational transparency. It also sparked industry-wide introspection on the internal risk control and security mechanisms of the project.


For an in-depth analysis of the incident and fund tracking, please refer to "Beosin | Analysis of the $235 million theft from Indian exchange WazirX".


No.4 Gala Games


Amount of Loss: $216 million


Attack Method: Access control vulnerability


A privileged address of Gala Games was compromised on May 20, 2024. The attacker exploited a vulnerability in the token contract's mint function to generate 5 billion GALA tokens at once. Subsequently, the attacker exchanged the additional tokens for ETH in batches, directly leading to a loss of 216 million US dollars.


In the aftermath of the incident, the Gala Games team promptly activated the blacklist function to block several hacker accounts and recovered the losses through legal channels.


No.5 Chris Larsen (Ripple's co-founder)


Amount of Loss: $112 million


Attack Method: Private key leakage


Four personal wallets belonging to Chris Larsen, co-founder of Ripple, were hacked on January 31, 2024, resulting in the theft of $112 million in XRP. These wallets are suspected to have become targets of attack due to the lack of dual protection for hardware devices.


Binance successfully froze XRP valued at $4.2 million and assisted Larsen in tracking the stolen assets, but the majority of the funds had already been laundered through decentralized exchanges and currency mixing services.


No.6 Munchables


Amount of Loss: $62.5 million


Attack Method: Social engineering attack


On March 26, 2024, Munchables, a Web3 game platform built on Blast, encountered a rare internal penetration attack. The attacker, a North Korean hacker, posed as a blockchain developer and managed to obtain the core code and sensitive keys through a prolonged period of lurking.


Despite the attack causing substantial


News source: www.panewslab.com
