Web3 Security Alert: Top 10 Attack Incidents of 2024 Resulting in Nearly $2.5 Billion in Losses


Top 10 Security Incidents in the Web3 Field of 2024

In 2024, the blockchain industry is facing increasingly severe security challenges even as it achieves technological innovation and ecosystem expansion. According to data from security monitoring platforms, as of now, total losses in the Web3 space from hacker attacks, phishing scams, and project teams absconding with funds have reached $2.491 billion.

These incidents not only expose technical flaws such as private key management and smart contract vulnerabilities but also highlight the potential risks of social engineering and internal management. This article will review the top ten security events in Web3 for 2024, with the hope that the industry can learn from them and better respond to future security threats.

Review of the Top Ten Most Influential Web3 Attack Events of 2024

1. DMM Bitcoin: Private Key Leak Caused $304 Million Loss

On May 31, 2024, DMM Bitcoin, a well-known cryptocurrency exchange in Japan, suffered a major security incident. Attackers exploited leaked private keys to directly transfer over $300 million worth of Bitcoin, quickly dispersing the stolen funds across multiple addresses. This attack revealed serious vulnerabilities in the exchange's private key management and multi-layer security defenses. Although the exchange attempted to track the hackers through on-chain monitoring and freezing funds, the dispersed transfer and mixing operations of the stolen Bitcoin posed significant challenges to the recovery efforts.

It is worth noting that on December 24th, the Japanese police confirmed that the attack was carried out by an international hacker organization.


2. PlayDapp: Private Key Leak Caused $290 Million Loss

On February 9, 2024, PlayDapp experienced a serious security incident. Using stolen private keys, hackers illegally minted 2 billion PLA tokens, initially valued at 36.5 million USD. After negotiations between the project team and the hackers failed, the hackers minted a further 15.9 billion PLA tokens, valued at 253.9 million USD. After some of the stolen tokens flowed into exchanges, PlayDapp was forced to suspend the PLA contract and migrate to a new token contract. This incident highlights the shortcomings of blockchain projects in private key protection and emergency response.

3. An Indian Exchange: Network Attacks and Phishing Cause $235 Million Losses

On July 18, 2024, the multi-signature wallet of India's largest cryptocurrency exchange was the target of a precise attack. The attackers used social engineering techniques to induce the multi-signature signers to approve a contract upgrade transaction, and then exploited the upgraded contract permissions to transfer all assets from the wallet. This case reveals the potential risks of multi-signature wallets regarding permission configuration and operational transparency, and has sparked in-depth reflections within the industry on internal risk control and security mechanisms of projects.

4. Gala Games: Access Control Vulnerability Leads to $216 Million Loss

On May 20, 2024, a privileged address of Gala Games was hacked. The attacker minted 5 billion GALA tokens at once by calling the mint function in the token contract. Subsequently, these illegally minted tokens were exchanged for ETH in batches, resulting in a direct loss of $216 million. The Gala Games team quickly activated the blacklist feature to block some hacker accounts after the incident and recovered part of the losses through legal means.
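A monitoring check for the minting pattern seen in the PlayDapp and Gala Games incidents, as an added example that is not code from either project: it scans decoded ERC-20 `Transfer` events and alerts when mints within a time window exceed a share of the existing supply. The 1% limit, the one-hour window, the event field names and all sample values are assumptions made for illustration.

```python
ZERO = "0x" + "00" * 20   # ERC-20 mints are Transfer events from the zero address

def flag_mints(events, initial_supply, max_bps=100, window_s=3600):
    """Flag mints that add more than max_bps (1/100 of a percent) of supply per window.

    `events` are time-ordered decoded Transfer logs. Mints inside the sliding
    window are summed, so splitting one large mint into several calls is still caught.
    """
    supply, recent, alerts = initial_supply, [], []
    for ev in events:
        if ev["from"] == ZERO:
            recent.append((ev["ts"], ev["value"], supply))
            recent = [m for m in recent if ev["ts"] - m[0] <= window_s]
            minted = sum(m[1] for m in recent)
            base = max(recent[0][2], 1)         # supply before the window's first mint
            if minted * 10_000 > base * max_bps:
                alerts.append({"tx": ev["tx"], "recipient": ev["to"],
                               "minted": minted, "bps_of_supply": minted * 10_000 // base})
            supply += ev["value"]
        elif ev["to"] == ZERO:                  # burn
            supply -= ev["value"]
    return alerts

# Constructed sample (whole-token units; addresses, hashes and starting supply are made up).
SAMPLE = [
    {"ts": 0,      "tx": "0xaaa1", "from": "0x" + "11" * 20, "to": "0x" + "22" * 20, "value": 5_000},
    {"ts": 600,    "tx": "0xaaa2", "from": ZERO, "to": "0x" + "33" * 20, "value": 10_000_000},
    {"ts": 90_000, "tx": "0xaaa3", "from": ZERO, "to": "0x" + "44" * 20, "value": 5_000_000_000},
]

if __name__ == "__main__":
    for alert in flag_mints(SAMPLE, initial_supply=30_000_000_000):
        print(alert)
```

An alert like this is only useful when it feeds a response the team can execute quickly, such as the contract suspension and blacklist measures the two projects used after the fact.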


5. Co-founder of a Cryptocurrency Project: Private Key Leak Leads to $112 Million Loss

On January 31, 2024, four personal wallets of a co-founder of a well-known cryptocurrency project were hacked, resulting in the theft of $112 million in cryptocurrency. These wallets were targeted because they lacked the additional protection of hardware devices. After the incident, a major exchange successfully froze $4.2 million of the stolen assets and assisted in tracking, but most of the funds had already been laundered through decentralized exchanges and mixing services.

6. Munchables: Social Engineering Attack Leads to $62.5 Million Loss

On March 26, 2024, the Blast-based Web3 gaming platform Munchables experienced a rare internal infiltration attack. The attacker disguised themselves as a blockchain developer and gained access to core code and sensitive keys through long-term infiltration. Despite the attack causing significant losses, under pressure from the community and the team, the hacker ultimately returned all the stolen funds. This incident highlights the importance of supply chain security, especially for blockchain projects that rely on third-party development.

7. A Turkish Exchange: Private Key Leak Results in $55 Million Loss

On June 22, 2024, Turkey's largest cryptocurrency exchange suffered a private key leakage attack, resulting in a loss of over $55 million in crypto assets. With the assistance of a major exchange, $5.3 million of the stolen funds was successfully frozen, but other assets have yet to be recovered. This incident has further deepened market concerns about the private key management capabilities of centralized exchanges.


8. Radiant Capital: Private Key Leak Leads to $53 Million Loss

On October 17, 2024, the multi-signature wallet of Radiant Capital was hacked. Because the wallet used a low-threshold 3/11 signature verification model, the hacker needed control of the private keys of only 3 signers to initiate an off-chain signature and transfer the ownership of the wallet contract to a malicious address, ultimately resulting in the theft of $53 million. This attack has sparked industry reflection on the design and governance mechanisms of multi-signature wallets.

It is worth noting that Radiant Capital had already lost $4.5 million to a contract vulnerability before this attack, with over 1,900 ETH stolen. This once again highlights the need for Web3 projects to place greater emphasis on security.
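A pre-execution policy check for multi-signature wallets, added here as an illustration of the weakness described for the Indian exchange (signers approving a contract upgrade) and Radiant Capital (ownership transfer under a 3/11 threshold); it is not code from any of the affected projects. The policy values (majority quorum, allowlist, 24-hour timelock), the function names and the sample addresses are assumptions; the selectors are the standard ABI selectors for the named functions.

```python
# Well-known 4-byte selectors of privileged calls (standard Solidity ABI encoding).
PRIVILEGED = {
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
}

def classify(calldata):
    """Return (signature, address_argument) for a privileged call, else (None, None)."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    sig = PRIVILEGED.get(data[:8])
    if sig is None or len(data) < 8 + 64:
        return sig, None
    # The first ABI word is a 20-byte address left-padded to 32 bytes.
    return sig, "0x" + data[8 + 24:8 + 64]

def review(calldata, signers, owners, threshold, allowlist, delay_h, min_delay_h=24):
    """Return policy findings for a pending multisig transaction ([] = acceptable).

    Assumed policy: privileged calls need a majority of owners, an allowlisted
    address argument and a timelock, whatever the wallet's own threshold is.
    """
    findings = []
    valid = set(signers) & set(owners)      # ignore signatures from non-owners
    if len(valid) < threshold:
        findings.append("below wallet threshold")
    sig, target = classify(calldata)
    if sig:
        majority = len(owners) // 2 + 1
        if len(valid) < majority:
            findings.append(f"{sig}: {len(valid)}/{len(owners)} signers, policy needs {majority}")
        if target not in allowlist:
            findings.append(f"{sig}: address {target} is not allowlisted")
        if delay_h < min_delay_h:
            findings.append(f"{sig}: timelock {delay_h}h is shorter than {min_delay_h}h")
    return findings

# Constructed sample: an 11-owner wallet with threshold 3 and placeholder addresses.
OWNERS = [f"0x{i:040x}" for i in range(1, 12)]
NEW_OWNER = "0x" + "ab" * 20
OWNERSHIP_TX = "0xf2fde38b" + "00" * 12 + "ab" * 20
ROUTINE_TX = "0xa9059cbb" + "00" * 12 + "cd" * 20 + f"{10**18:064x}"

if __name__ == "__main__":
    for line in review(OWNERSHIP_TX, OWNERS[:3], OWNERS, 3, set(), delay_h=0):
        print("BLOCK:", line)
    print(review(ROUTINE_TX, OWNERS[:3], OWNERS, 3, set(), delay_h=0))
```

With three signatures the ownership transfer satisfies the wallet's own 3/11 threshold yet fails all three policy checks, while the routine token transfer passes.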

9. Hedgey Finance: Contract Vulnerabilities Lead to $44.7 Million Loss

On April 19, 2024, Hedgey Finance suffered an attack targeting multiple on-chain contracts. The hacker exploited a vulnerability in the approval logic of its ClaimCampaigns contract, successfully extracting tokens from both the Ethereum and Arbitrum chains, with a total loss amounting to $44.7 million. This incident highlights the importance of code auditing, especially the rigorous verification of token approval logic.

10. A Cryptocurrency Exchange: Private Key Leak Leads to $44.7 Million Loss

On September 19, 2024, a well-known cryptocurrency exchange's hot wallet was hacked, involving multiple public chains including Ethereum, BNB Chain, and Tron. Although the exchange quickly activated asset transfer and withdrawal freeze mechanisms, the hacker successfully extracted assets worth $44.7 million. This attack once again exposed the high risks associated with the management of hot wallets in centralized exchanges and further propelled the industry to explore more secure asset storage solutions.

The frequent security attack incidents in 2024 once again remind us that the development of the blockchain industry cannot be separated from security guarantees. From private key leaks to contract vulnerabilities, from internal management oversights to upgrades in external attack methods, each incident has brought profound lessons to the industry. To cope with increasingly complex attack threats, all parties in the industry need to continuously increase their investment in technological research and development, management standards, and risk prevention and control. In the future, we look forward to jointly building a more secure and reliable blockchain ecosystem through industry collaboration and technological innovation, providing stronger protection for users and investors.


MagicBeanvip
· 07-03 07:45
Paying off debts every day
NFTDreamervip
· 07-02 03:58
The biggest minefield in Web3
MetaverseVagabondvip
· 07-02 03:51
The crypto world really is a tower of suckers.
fren.ethvip
· 07-02 03:46
Another wave of suckers has been played.
AltcoinHuntervip
· 07-02 03:44
Play people for suckers.
TheMemefathervip
· 07-02 03:40
Big losses are just for earning next time.