Top Ten Web3 Security Incidents of 2024: A Beosin Review

2024/12/26 02:04

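In 2024, while innovating on technology and expanding its ecosystem, the blockchain industry faced increasingly severe security challenges.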

Despite the rapid technological advancements and expanding ecosystem in the blockchain industry, 2024 has witnessed a surge in severe security challenges. According to the Alert platform of security audit company Beosin, Web3-related losses due to hacker attacks, phishing scams, and project party "Rug Pulls" have reached an alarming total of US$2.491 billion by press time.

These incidents not only highlighted technical vulnerabilities such as private key mismanagement and smart contract flaws but also brought to light the potential risks posed by social engineering and internal management. In this article, we will delve into the top ten Web3 security incidents of 2024 to help the industry learn from past experiences and better prepare for future threats.

No.1 DMM Bitcoin

Amount of Loss: $304 million

Attack Method: Private key leakage

On May 31, 2024, a long-established cryptocurrency exchange in Japan, DMM Bitcoin, fell victim to a massive attack. The attacker, having obtained the leaked private key, directly transferred Bitcoin valued at over $300 million and swiftly dispersed the stolen funds across 10 different addresses.

This attack exposed DMM Bitcoin's critical deficiencies in private key management and multi-layer security protection. Despite the exchange's attempt to track the stolen Bitcoin on-chain and freeze the funds, the attacker's use of mixing tools to disperse and clean the funds posed a significant challenge.

On December 24, Japanese police concluded that the DMM Bitcoin theft was perpetrated by the North Korean hacker organization Lazarus Group.

No.2 PlayDapp

Amount of Loss: $290 million

Attack Method: Private key leakage

A devastating blow was dealt to PlayDapp on February 9, 2024, when hackers stole the project's private keys and minted 2 billion PLA tokens, initially valued at $36.5 million. Following failed negotiations between the project and the hackers, the attackers minted an additional 15.9 billion PLA tokens, valued at $253.9 million, in a short span of time.

After some of these tokens entered the Gate exchange, PlayDapp was compelled to suspend the PLA contract and migrate to the PDA token contract. This incident underscored the shortcomings in private key protection and incident emergency response among blockchain projects.

No.3 WazirX

Amount of Loss: $235 million

Attack Methods: Cyberattack, phishing

On July 18, 2024, the Safe Wallet multi-signature wallet of WazirX, India's largest cryptocurrency exchange, was precisely targeted by hackers. The attacker employed social engineering tactics to manipulate a multi-signature signer into approving a contract upgrade transaction, which was then exploited to siphon off all the assets in the wallet.

This case highlighted the potential risks associated with multi-signature wallets in terms of management authority configuration and operational transparency. It also sparked industry-wide introspection on the internal risk control and security mechanisms of the project.

For an in-depth analysis of the incident and fund tracking, please refer to "Beosin | Analysis of the $235 million theft from Indian exchange WazirX".

No.4 Gala Games

Amount of Loss: $216 million

Attack Method: Access control vulnerability

A privileged address of Gala Games was compromised on May 20, 2024. The attacker exploited a vulnerability in the token contract's mint function to generate 5 billion GALA tokens at once. Subsequently, the attacker exchanged the additional tokens for ETH in batches, directly leading to a loss of 216 million US dollars.

In the aftermath of the incident, the Gala Games team promptly activated the blacklist function to block several hacker accounts and recovered the losses through legal channels.

No.5 Chris Larsen (Ripple's co-founder)

Amount of Loss: $112 million

Attack Method: Private key leakage

Four personal wallets belonging to Chris Larsen, co-founder of Ripple, were hacked on January 31, 2024, resulting in the theft of $112 million in XRP. These wallets are suspected to have become targets of attack due to the lack of dual protection for hardware devices.

Binance successfully froze XRP valued at $4.2 million and assisted Larsen in tracking the stolen assets, but the majority of the funds had already been laundered through decentralized exchanges and currency mixing services.

No.6 Munchables

Amount of Loss: $62.5 million

Attack Method: Social engineering attack

On March 26, 2024, Munchables, a Web3 game platform built on Blast, encountered a rare internal penetration attack. The attacker, a North Korean hacker, posed as a blockchain developer and managed to obtain the core code and sensitive keys through a prolonged period of lurking.

Despite the attack causing substantial

News source: www.panewslab.com
