2024 Web3 Security Incident Review: Top Ten Attacks Caused $2.5 Billion in Losses
While the blockchain industry developed rapidly in 2024, it also faced increasingly severe security challenges. According to data from a certain security monitoring platform, total losses in the Web3 field from hacking attacks, phishing scams, and project teams absconding have so far reached $2.491 billion.
These incidents not only expose technical flaws in areas such as private key management and smart contracts but also highlight the potential risks of social engineering and internal management. This article will review the top ten security events in Web3 in 2024, hoping that the industry can learn from them and better cope with future security threats.
1. A Japanese exchange suffers a major attack
Loss Amount: $304 million
Attack Method: Private Key Leakage
On May 31, 2024, a well-known Japanese cryptocurrency exchange suffered a historic attack. The attackers used leaked private keys to directly transfer over $300 million worth of Bitcoin and quickly dispersed the stolen funds to more than 10 different addresses. This incident exposed serious shortcomings in the exchange's private key management and multi-layer security measures. Although the exchange attempted to track the hackers through on-chain monitoring and freezing of funds, the stolen Bitcoin had already been dispersed and laundered using mixing tools, posing a significant challenge to the tracking efforts.
On December 24th, Japanese police confirmed that the incident was caused by an international hacker organization.
2. PlayDapp Encounters Token Over-Minting Attack
Loss Amount: $290 million
Attack Method: Private Key Leakage
On February 9, 2024, PlayDapp suffered a severe blow when hackers used stolen private keys to mint 2 billion PLA tokens, initially valued at $36.5 million. After negotiations between the project team and the hackers failed, the hackers minted an additional 15.9 billion PLA tokens, worth $253.9 million. After some of the tokens flowed into a certain exchange, PlayDapp was forced to suspend the PLA contract and migrate to a new token contract. This incident highlights the deficiencies of blockchain projects in private key protection and emergency response.
3. India’s largest crypto exchange multisig wallet attacked
Loss Amount: $235 million
Attack Methods: Network Attacks and Phishing
On July 18, 2024, the Safe Wallet multi-signature wallet of India's largest cryptocurrency exchange was hit by a targeted attack. The attacker used social engineering tactics to induce the multi-signature signers to approve a contract upgrade transaction, and then exploited the upgraded contract's permissions to drain the assets in the wallet. This incident exposed the risks of multi-signature wallets in terms of permission configuration and operational transparency, and prompted the industry to reflect on projects' internal risk control and security mechanisms.
4. Gala Games Privileged Address Breached
Loss Amount: $216 million
Attack Method: Access Control Vulnerability
On May 20, 2024, a privileged address of Gala Games was hacked. The attacker minted 5 billion GALA tokens at once by calling the mint function in the token contract. Subsequently, the hacker exchanged these newly minted tokens for ETH in batches, resulting in a direct loss of $216 million. After the incident, the Gala Games team urgently activated the blacklist feature to block some hacker accounts and recovered part of the losses through legal means.
5. The personal wallet of the founder of a well-known cryptocurrency project was hacked
Loss Amount: $112 million
Attack Method: Private Key Leakage
On January 31, 2024, four personal wallets belonging to a co-founder of a well-known digital currency project were hacked, resulting in the theft of $112 million in digital assets. The wallets are suspected to have been targeted because they lacked an additional layer of protection from hardware devices. After the incident, a major exchange successfully froze assets worth $4.2 million and assisted in tracking the stolen funds, but most of the funds had already been laundered through decentralized exchanges and mixing services.
6. Munchables Hit by Insider Infiltration
Loss Amount: $62.5 million
Attack Method: Social Engineering Attack
On March 26, 2024, the Blast-based Web3 gaming platform Munchables experienced a rare insider infiltration attack. The attacker posed as a blockchain developer and gained access to core code and sensitive keys through long-term infiltration. Although the losses were substantial, the hacker ultimately returned all the stolen funds under pressure from the community and the team. This incident highlights the importance of supply chain security, especially for blockchain projects that rely on third-party development.
7. A Turkish Exchange Experiences Private Key Leak
Loss Amount: $55 million
Attack Method: Private Key Leak
On June 22, 2024, a major cryptocurrency exchange in Turkey suffered a private key leak attack, resulting in a loss of over $55 million in crypto assets. With the assistance of a large exchange, $5.3 million of the stolen funds were successfully frozen, but other assets have yet to be recovered. This incident has heightened market concerns about the private key management capabilities of centralized exchanges.
8. Radiant Capital Multi-Signature Wallet Breached
Loss Amount: $53 million
Attack Method: Private Key Leak
On October 17, 2024, the multi-signature wallet of Radiant Capital was hacked. Because the wallet used a low 3-of-11 signature threshold, the hacker only had to gain control of the private keys of 3 signers to sign off-chain and transfer ownership of the wallet contract to a malicious address, ultimately resulting in the theft of $53 million. This attack has sparked industry reflection on the design and governance mechanisms of multi-signature wallets.
It is worth noting that Radiant Capital had already lost $4.5 million due to a contract vulnerability before this attack, with over 1,900 ETH stolen. This serves as a reminder for Web3 project teams to pay more attention to security issues.
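Incidents 3 and 8 both ended with multisig signers approving a contract upgrade or an ownership transfer. The following Python check is an added example, not code from the article or from any project it names; it screens a proposal's calldata before anyone signs. The selectors are the standard 4-byte ids of the listed Solidity signatures, while the addresses, the approved-target list and the function names are constructed for illustration.

```python
# Added example: pre-signing screen for multisig proposals.
# Standard 4-byte selectors of common Solidity admin functions.
SENSITIVE_SELECTORS = {
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
}

def encode_call(selector_hex, address):
    """Build calldata: selector + address left-padded to a 32-byte word."""
    return "0x" + selector_hex + "00" * 12 + address[2:].lower()

def decode_address_arg(raw):
    """Return the first ABI argument as an address, rejecting malformed words."""
    word = raw[4:36]
    if len(word) != 32 or any(word[:12]):
        raise ValueError("first argument is not a well-formed address")
    return "0x" + word[12:].hex()

def screen_proposal(calldata_hex, approved_targets):
    """Return (verdict, reason) for a proposed transaction's calldata."""
    hex_body = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    raw = bytes.fromhex(hex_body)
    name = SENSITIVE_SELECTORS.get(raw[:4].hex()) if len(raw) >= 4 else None
    if name is None:
        return ("unflagged", "no ownership or upgrade call detected")
    try:
        target = decode_address_arg(raw)
    except ValueError as exc:
        return ("block", f"{name}: {exc}")
    approved = {a.lower() for a in approved_targets}
    if target in approved:
        return ("review", f"{name} -> approved target {target}")
    return ("block", f"{name} -> unapproved target {target}")

# Constructed sample values (hypothetical addresses, not from any incident).
APPROVED_IMPL = "0x" + "11" * 20
UNKNOWN_ADDR = "0x" + "ee" * 20

if __name__ == "__main__":
    for label, data in [
        ("upgrade to approved", encode_call("3659cfe6", APPROVED_IMPL)),
        ("upgrade to unknown", encode_call("3659cfe6", UNKNOWN_ADDR)),
        ("ownership to unknown", encode_call("f2fde38b", UNKNOWN_ADDR)),
        ("truncated call", "0xf2fde38b"),
    ]:
        print(label, screen_proposal(data, {APPROVED_IMPL}))
```

An "unflagged" verdict only means this screen found no ownership or upgrade call; it says nothing about whether the transaction is otherwise safe to sign.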
9. Hedgey Finance Multi-chain Contract Attacked
Loss Amount: $44.7 million
Attack Method: Contract Vulnerability
On April 19, 2024, Hedgey Finance suffered an attack targeting its contracts on multiple chains. Hackers exploited an authorization vulnerability in its ClaimCampaigns contract, successfully extracting tokens from both the Ethereum and Arbitrum chains, with total losses reaching $44.7 million. This incident highlights the importance of code audits, particularly the rigorous verification of token authorization logic.
10. A well-known exchange's hot wallet was hacked
Loss Amount: $44.7 million
Attack Method: Private Key Leakage
On September 19, 2024, the hot wallet of a well-known exchange was hacked, involving multiple public chains such as Ethereum, BNB Chain, and Tron. Although the exchange quickly activated asset transfer and withdrawal freezing mechanisms, the hackers successfully extracted assets worth $44.7 million. This attack once again exposed the high risks associated with the management of hot wallets by centralized exchanges, prompting the industry to explore safer asset storage solutions.
The frequent security incidents in 2024 remind us once again that the development of the blockchain industry cannot be separated from security guarantees. From private key leaks to contract vulnerabilities, from internal management oversights to the upgrading of external attack methods, each incident has brought profound lessons. To cope with increasingly complex attack threats, all parties in the industry need to continuously strengthen investment in technological R&D, management standards, and risk prevention. In the future, we look forward to collaboratively building a safer blockchain ecosystem through industry cooperation and technological innovation, providing more reliable protection for users and investors.