Foreword
This research report is initiated by the Blockchain Security Alliance. Co-created by alliance members Beosin and Footprint Analytics, it aims to comprehensively explore the development of global blockchain security trends in 2024. Through analysis and assessment of the current status of global blockchain security, the report will reveal current security challenges and threats and provide solutions and best practices.
Through this report, readers will be able to more comprehensively understand the dynamic evolution of the Web3 blockchain security situation. This will help readers assess and address security challenges facing the blockchain space. In addition, readers can also obtain useful suggestions on security measures and industry development directions from the report to help them make informed decisions and actions in this emerging field. Blockchain security and supervision are key issues for the development of the Web3 era. Through in-depth research and discussion, we can better understand and respond to these challenges and promote the security and sustainable development of blockchain technology.
1. Overview of Web3 blockchain security situation in 2024
According to monitoring by the Alert platform of the security audit company Beosin, the total losses caused by hacker attacks, phishing scams and project-side Rug Pulls in the Web3 field in 2024 reached US$2.513 billion. Among them, there were 131 major attack incidents, with a total loss of approximately US$1.792 billion; 68 Rug Pull incidents by project parties, with a total loss of approximately US$148 million; and phishing scams, with a total loss of approximately US$574 million.
In 2024, losses from hacker attacks and phishing fraud increased significantly compared with 2023; phishing scam losses alone rose 140.66%. Losses from project-side Rug Pull incidents dropped significantly, by approximately 61.94%.
The types of projects attacked in 2024 include DeFi, CEX, DEX, public chains, cross-chain bridges, wallets, payment platforms, gambling platforms, crypto brokers, infrastructure, password managers, development tools, MEV bots, TG bots and many more. DeFi was the most frequently attacked project type: 75 attacks on DeFi caused a total loss of approximately US$390 million. CEX was the project type with the highest total loss: 10 attacks against CEXs caused a total loss of approximately US$724 million.
More types of public chains were attacked in 2024, and many security incidents involved theft across multiple chains. Ethereum remained the public chain with the highest losses: 66 attacks on Ethereum caused losses of approximately US$844 million, accounting for 33.57% of the total losses for the year.
From the perspective of attack techniques, 35 private key leak incidents caused a total loss of approximately US$1.306 billion, accounting for 51.96% of the total loss, making private key leakage the attack method that caused the most losses.
Contract vulnerability exploitation is the most frequent attack method. Among the 131 attacks, 76 came from contract vulnerability exploitation, accounting for 58.02%.
About US$531 million of stolen funds were recovered throughout the year, accounting for approximately 21.13%. Approximately US$109 million of stolen funds were transferred to coin mixers throughout the year, accounting for approximately 4.34% of the total stolen funds, a decrease of approximately 66.97% compared to 2023.
2. Top ten security incidents in the Web3 ecosystem in 2024
In 2024, there were 5 attacks with losses exceeding US$100 million: DMM Bitcoin (US$304 million), PlayDapp (US$290 million), WazirX (US$235 million), Gala Games (US$216 million) and the theft from Chris Larsen (US$112 million). The total loss from the top 10 security incidents is approximately US$1.417 billion, accounting for approximately 79.07% of the total annual attack incident losses.
No.1 DMM Bitcoin
Loss amount: US$304 million
Attack method: private key leakage
On May 31, 2024, the Japanese cryptocurrency exchange DMM Bitcoin was attacked and more than $300 million worth of bitcoin was stolen. The hackers dispersed the stolen funds to more than 10 addresses in an attempt to launder them.
No.2 PlayDapp
Loss amount: US$290 million
Attack method: private key leakage
On February 9, 2024, the blockchain gaming platform PlayDapp was attacked, and hackers minted 2 billion PLA tokens worth US$36.5 million. After negotiations with PlayDapp failed, on February 12, hackers minted an additional 15.9 billion PLA tokens worth $253.9 million and sent some of the funds to the Gate exchange. The PlayDapp project team subsequently suspended the PLA contract and migrated PLA tokens to PDA tokens.
No.3 WazirX
Loss amount: US$235 million
Attack method: cyber attack and phishing
On July 18, 2024, more than $230 million was stolen from a multi-signature wallet of the Indian cryptocurrency exchange WazirX. The wallet was a Safe smart contract multi-signature wallet. The attacker induced the multi-signature signers to sign a contract upgrade transaction, then transferred the wallet's assets directly through the upgraded contract, eventually moving out all assets, approximately US$230 million.
No.4 Gala Games
Loss amount: US$216 million
Attack method: access control vulnerability
On May 20, 2024, a privileged address in Gala Games was taken over. The attacker used the address to call the token's mint function, directly minting 5 billion GALA tokens worth approximately US$216 million, and converted the newly minted tokens into ETH in batches. The Gala Games team subsequently used the blacklist function to stop the hacker and recover the losses.
No.5 Chris Larsen (Ripple co-founder)
Loss amount: US$112 million
Attack method: private key leak
On January 31, 2024, Ripple co-founder Chris Larsen said four of his wallets had been compromised, resulting in a total loss of approximately $112 million. The Binance team successfully froze $4.2 million worth of the stolen XRP tokens.
No.6 Munchables
Loss amount: US$62.5 million
Attack method: social engineering attack
On March 26, 2024, the Blast-based Web3 game platform Munchables suffered an attack, causing a loss of approximately US$62.5 million. The project was attacked because North Korean hackers were hired as developers. All stolen funds were eventually returned by the hackers.
No.7 BTCTurk
Loss amount: US$55 million
Attack method: private key leakage
On June 22, 2024, the Turkish cryptocurrency exchange BTCTurk was attacked, resulting in a loss of approximately US$55 million. Binance helped freeze over $5.3 million in stolen funds.
No.8 Radiant Capital
Loss amount: US$53 million
Attack method: private key leak
On October 17, 2024, the multi-chain lending protocol Radiant Capital was attacked. The attacker illegally obtained the signing permissions (private keys) of three owners of the Radiant Capital multi-signature wallet. Because the wallet used a 3/11 signature threshold, the attacker used these three private keys to produce off-chain signatures and then submitted an on-chain transaction transferring ownership of the Radiant Capital contract to a malicious contract under the attacker's control, causing more than $53 million in losses.
No.9 Hedgey Finance
Loss amount: US$44.7 million
Attack method: contract vulnerability
On April 19, 2024, Hedgey Finance was attacked multiple times. The attackers exploited a token approval flaw to steal a large number of tokens from the ClaimCampaigns contract. The tokens stolen on the Ethereum chain were worth more than $2.1 million, and the tokens stolen on the Arbitrum chain were worth about US$42.6 million.
No.10 BingX
Loss amount: US$44.7 million
Attack method: private key leak
On September 19, 2024, the BingX exchange hot wallet was attacked by hackers. Although BingX launched an emergency plan, including emergency transfer of assets and suspension of withdrawals, according to Beosin statistics the total abnormal outflow from the hot wallet was as high as US$44.7 million. The stolen assets spanned Ethereum, BNB Chain, Tron, Polygon, Avalanche, Base and other blockchains.
3. Types of attacked projects
In addition to common types such as DeFi, CEX, DEX, public chains, cross-chain bridges and wallets, attacks in 2024 also hit project types such as payment platforms, gambling platforms, crypto brokers, infrastructure, password managers, development tools, MEV bots and TG bots.
DeFi projects were attacked 75 times in 2024, making DeFi the most frequently attacked project type (about 50.70% of incidents). The total loss from DeFi attacks was approximately US$390 million, about 15.50% of all losses, the third largest loss amount among project types.
By loss amount, CEX (centralized exchanges) ranked No.1: 10 attacks caused a total loss of approximately US$724 million, the largest of any project type. Overall, exchanges experienced frequent security incidents in 2024, and exchange security remains the biggest challenge for the Web3 ecosystem.
The second largest loss was from personal wallets, with a total loss of approximately US$445 million. Twelve attacks against crypto whales and a large number of phishing and social engineering attacks against ordinary users drove personal wallet losses up 464.72% compared to 2023, making personal wallets the second largest challenge after exchange security.
4. Loss amount of each chain
Compared with 2023, attacks in 2024 spanned a wider range of public chains. The top five by loss amount are Ethereum, Bitcoin, Arbitrum, Ripple and Blast:
The top six by number of attack incidents are Ethereum, BNB Chain, Arbitrum, Others, Base and Solana:
Same as in 2023, Ethereum is still the public chain with the highest amount of losses. 66 attacks on Ethereum caused approximately $844 million in losses, accounting for 33.59% of the total losses for the year.
Note: the total loss data does not include on-chain phishing losses and some CEX hot wallet losses.
Bitcoin network losses ranked second, with losses from a single security incident reaching US$238 million. In third place was Arbitrum, with total losses of about $114 million.
5. Analysis of attack techniques
Attack methods in 2024 were very diverse. In addition to common contract vulnerability attacks, there were many other attack methods, including supply chain attacks, third-party service provider attacks, man-in-the-middle attacks, DNS attacks, front-end attacks, etc.
In 2024, 35 private key leak incidents caused a total loss of US$1.306 billion, accounting for 51.96% of the total losses, making it the attack method that caused the most losses. Private key leaks that caused large losses include DMM Bitcoin ($304 million), PlayDapp ($290 million), Ripple co-founder Chris Larsen ($112 million), BTCTurk ($55 million), Radiant Capital ($53 million), BingX ($44.7 million) and DEXX ($21 million).
Contract vulnerability exploitation is the most frequent attack method. Among the 131 attacks, 76 came from contract vulnerability exploitation, accounting for 58.02%. The total loss caused by contract loopholes was approximately US$321 million, ranking third in terms of loss amount.
Broken down by vulnerability type, business logic vulnerabilities occurred most frequently and caused the most losses: about 53.95% of the losses in contract vulnerability incidents came from business logic vulnerabilities, a total loss of approximately US$158 million.
6. Analysis of typical anti-money laundering incidents
6.1 PolterFinance security incident summary
On November 17, 2024, Beosin Alert monitoring detected that Polter Finance, a lending protocol on the Fantom (FTM) chain, had been attacked; the attacker used flash loans to manipulate a token price in the project contract and profited from it.
Vulnerability and Funding Analysis
The LendingPool contract attacked in this incident (0xd47ae558623638f676c1e38dad71b53054f54273) uses 0x6808b5ce79d44e89883c5393b487c4296abb69fe as its oracle, which in turn uses a recently deployed price feed contract (0x80663edff11e99e8e0b34cb9c3e1ff32e82a80fe). This price feed contract calculates the price from the token reserves of the uniswapV2_pair contract (0xEc71), and those reserves can be skewed within a single transaction by an attacker using flash loans, so the contract is vulnerable to price manipulation.
The attacker used flash loans to artificially inflate the value of $BOO tokens and borrow other crypto assets against it. The attacker then converted the stolen funds into FTM tokens and bridged them to the ETH chain, where all funds were parked. The following is a schematic diagram of the fund flow on the ARB chain and ETH chain:
On November 20, the attacker went on to transfer more than 2,625 ETH to Tornado Cash, as shown in the figure below:
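As an added illustration of the price-feed weakness described in 6.1 (example code, not PolterFinance's, Beosin's or Uniswap's), the following Python model shows why a price read straight from pair reserves can be moved within one transaction, how that inflates the borrowing power a lending pool grants, and how a deviation check against a slower reference price rejects such a read. The 0.3% fee, 5% deviation limit and 75% loan-to-value ratio are assumptions.

```python
"""Reserve-based AMM spot price vs. a deviation check (added example)."""
from dataclasses import dataclass

FEE_BPS = 30  # swap fee in basis points (0.3%); modelling assumption


@dataclass
class Pair:
    """Constant-product (Uniswap-V2-style) pair, simplified for illustration."""
    reserve_base: float   # collateral token (BOO in the report)
    reserve_quote: float  # asset it is priced in

    def spot_price(self) -> float:
        """Price of 1 base token in quote tokens, read straight from reserves."""
        return self.reserve_quote / self.reserve_base

    def swap_quote_for_base(self, quote_in: float) -> float:
        """Sell quote_in of the quote asset for base tokens (x * y = k)."""
        fee_adjusted = quote_in * (10_000 - FEE_BPS) / 10_000
        base_out = self.reserve_base * fee_adjusted / (self.reserve_quote + fee_adjusted)
        self.reserve_quote += quote_in
        self.reserve_base -= base_out
        return base_out


def price_after_swap(pair: Pair, quote_in: float) -> float:
    """Spot price a reserve-reading feed would report right after one swap."""
    p = Pair(pair.reserve_base, pair.reserve_quote)  # copy; leave the input untouched
    p.swap_quote_for_base(quote_in)
    return p.spot_price()


def max_borrow(collateral_base: float, oracle_price: float, ltv: float = 0.75) -> float:
    """Borrowing power a lending pool grants for the collateral at oracle_price."""
    return collateral_base * oracle_price * ltv


def price_is_sane(spot: float, reference: float, max_dev_bps: int = 500) -> bool:
    """Accept the spot read only if it is within max_dev_bps of a slower reference
    (a TWAP or an independent oracle). Refusing the read keeps a one-block skew
    out of collateral valuation."""
    deviation_bps = abs(spot - reference) / reference * 10_000
    return deviation_bps <= max_dev_bps


if __name__ == "__main__":
    pool = Pair(reserve_base=1_000_000, reserve_quote=1_000_000)   # 1 BOO = 1 quote
    skewed = price_after_swap(pool, quote_in=9_000_000)            # flash-loan-sized swap
    print(f"spot before: {pool.spot_price():.2f}, after swap: {skewed:.2f}")
    print("borrow at fair price:  ", max_borrow(100_000, pool.spot_price()))
    print("borrow at skewed price:", max_borrow(100_000, skewed))
    print("skewed read accepted:", price_is_sane(skewed, reference=pool.spot_price()))
```

The same swap that moves the reserve ratio almost a hundredfold leaves a time-weighted reference essentially unchanged, which is why the check fires.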
6.2 BitForex Security Incident Summary
On February 23, 2024, the well-known on-chain investigator ZachXBT disclosed through his analysis tools that BitForex's hot wallet had seen an outflow of approximately US$56.5 million, and the platform suspended withdrawal services during the outflow.
Fund Analysis
The Beosin security team conducted in-depth tracking and analysis of the BitForex incident using Trace:
Ethereum
Starting at 6:11 on February 24, 2024 (UTC+8), the Bitforex exchange gradually transferred 40,771 USDT, 258,700 USDC, 148.01 ETH and 471,405 TRB to the Ethereum escape address (0xdcacd7eb6692b816b6957f8898c1c4b63d1fc01f).
Subsequently, on August 9 (Beijing time), the escape address transferred all tokens except TRB (147.9 ETH, 40,771 USDT and 258,700 USDC) back to a Bitforex exchange account (0xcce7300829f49b8f2e4aee6123b12da64662a8b8).
Then, from November 9 to November 10 (Beijing time), the escape address transferred 355,000 TRB in 7 transactions to four different OKX exchange user addresses:
0x274c481bf400c2abfd2b5e648a0056ef34970b0a
0x45798ca76a589647acc21040c50562dcc33cf6bf
0x712d2fd67fe65510c5fad49d5a9181514d94183d
0xe8ec263ad9ee6947bf773837a2c86dff3a737bba
The remaining 116,414.93 TRB was then moved to an intermediate address (0xbb217bd37c6bf76c6d9a50fefc21caa8e2f2e82e), from which all of it was transferred in two transactions to two different Binance exchange user addresses:
0x431c916ef45e660dae7cd7184e3226a72fa50c0c
0xe7b1fb77baaa3bba9326af2af3cd5857256519df
BNB Chain
On February 24, the Bitforex exchange withdrew 166 ETH, 46,905 USDT and 57,810 USDC to the BNB Chain address 0xdcacd7eb6692b816b6957f8898c1c4b63d1fc01f, where the funds have remained untouched to date.
Polygon
On February 24 (Beijing time), the Bitforex exchange withdrew 99,000 MATIC, 20,300 USDT and 1,700 USDC to the Polygon (POL) chain address 0xdcacd7eb6692b816b6957f8898c1c4b63d1fc01f.
Of these, the 99,000 MATIC was transferred to the address 0xcce7300829f49b8f2e4aee6123b12da64662a8b8 on August 9 and has remained there since; the remaining USDT and USDC have remained untouched at the original address.
TRON
On February 24, the Bitforex exchange withdrew 44,000 TRX and 657,698 USDT to the TRON chain address TQcnqaU4NDTR86eA4FZneeKfJMiQi7i76o. On August 9, all of the above tokens were transferred back to the Bitforex exchange user address TGiTEXjqx1C2Y2ywp7gTR8aYGv8rztn9uo.
Bitcoin
Starting on February 24, 16 Bitforex addresses transferred a total of 5.7 BTC to the BTC chain address 3DbbF7yxCR7ni94ANrRkfV12rJoxrmo1o2. On August 9, this address transferred all 5.7 BTC back to the Bitforex exchange address 11dxPFQ8K9pJefffHE4HUwb2aprzLUqxz.
To sum up: on February 24, the Bitforex exchange transferred 40,771 USDT, 258,700 USDC, 148.01 ETH and 471,405 TRB to the ETH chain; 44,000 TRX and 657,698 USDT to the TRON chain; 5.7 BTC to the BTC chain; 166 ETH, 46,905 USDT and 57,810 USDC to the BNB Chain; and 99,000 MATIC, 20,300 USDT and 1,700 USDC to the Polygon chain. On August 9, all tokens on the BTC chain and the TRON chain, and all ETH chain tokens except TRB, were transferred back to the Bitforex exchange; all 471,405 TRB were transferred to 4 OKX accounts and 2 Binance accounts on November 9 and 10. To date, all tokens on the ETH, TRON and BTC chains have been moved on; 166 ETH, 46,905 USDT and 57,810 USDC remain on BSC, and 99,000 MATIC, 20,300 USDT and 1,700 USDC remain on POL.
Attached deposit TRB exchange address:
7. Fund flow analysis of stolen assets
Of the funds stolen throughout 2024, about US$1.312 billion remained in hacker addresses (including cases of cross-chain transfers and dispersion to multiple addresses), accounting for 52.20% of the total stolen funds. Compared with last year, hackers this year were more likely to launder funds through multiple cross-chain hops and spread them across many addresses rather than sending them directly to coin mixers. The growing number of addresses and the complexity of laundering paths will undoubtedly make investigations more difficult for project parties and regulators.
About US$531 million of stolen funds was recovered, accounting for approximately 21.13%; in 2023, approximately US$295 million was recovered.
About $109 million of stolen funds were transferred to coin mixers throughout the year, accounting for approximately 4.34% of the total stolen funds. Since U.S. OFAC sanctioned Tornado Cash in August 2022, the amount of stolen funds transferred into Tornado Cash has dropped significantly.
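As an added example of the hop-by-hop attribution that sections 6.2 and 7 describe (not Beosin Trace or any code from this report), the following Python traces funds outward from a seed address over a constructed transfer list with placeholder addresses and labels, and reports where the funds came to rest, including amounts still parked at unlabelled intermediate hops.

```python
"""Multi-hop fund-flow attribution over a transfer list (added example)."""
from collections import defaultdict, deque
from typing import NamedTuple


class Transfer(NamedTuple):
    """One on-chain token transfer."""
    chain: str
    src: str
    dst: str
    token: str
    amount: float


# Constructed sample flow with placeholder addresses, not the incident's real data.
SAMPLE_TRANSFERS = [
    Transfer("eth", "0xSEED", "0xHOP1", "TRB", 300_000),
    Transfer("eth", "0xHOP1", "0xCEX_A", "TRB", 200_000),
    Transfer("eth", "0xHOP1", "0xCEX_B", "TRB", 100_000),
    Transfer("eth", "0xSEED", "0xHOP2", "TRB", 171_405),
    Transfer("eth", "0xHOP2", "0xCEX_C", "TRB", 116_414.93),
    Transfer("eth", "0xSEED", "0xMIX", "ETH", 10.0),
    Transfer("eth", "0xOTHER", "0xHOP1", "TRB", 5),  # unrelated inflow; must not be counted
]
# Constructed counterparty labels (in practice: exchange deposit / mixer attribution).
SAMPLE_LABELS = {"0xCEX_A": "exchange:A", "0xCEX_B": "exchange:A",
                 "0xCEX_C": "exchange:B", "0xMIX": "mixer"}


def trace(transfers, seed, labels, max_hops=6):
    """Follow funds outward from seed by breadth-first search.

    Returns (resting, hops): resting[label][token] is the amount that reached
    addresses carrying that label and was not moved on; intermediaries with no
    label are reported as 'unlabelled' (funds still parked at hop addresses).
    Only edges leaving already-reached addresses are counted, so inflows from
    unrelated wallets into a hop do not inflate the traced total.
    """
    out_edges = defaultdict(list)
    for t in transfers:
        out_edges[t.src].append(t)
    net = defaultdict(float)   # (token, address) -> inflow minus outflow on traced edges
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for t in out_edges[addr]:
            net[(t.token, t.dst)] += t.amount
            net[(t.token, t.src)] -= t.amount
            if t.dst not in hops:          # first time this address is reached
                hops[t.dst] = hops[addr] + 1
                queue.append(t.dst)
    resting = defaultdict(lambda: defaultdict(float))
    for (token, addr), amount in net.items():
        if addr == seed or amount <= 1e-9:   # the seed's own balance is unknown here
            continue
        resting[labels.get(addr, "unlabelled")][token] += amount
    return {k: dict(v) for k, v in resting.items()}, hops


if __name__ == "__main__":
    by_label, hop_depth = trace(SAMPLE_TRANSFERS, "0xSEED", SAMPLE_LABELS)
    for label, tokens in sorted(by_label.items()):
        print(f"{label:12s} {tokens}")
    print("deepest hop reached:", max(hop_depth.values()))
```

Lowering max_hops shows how much stays "unlabelled" when the analysis stops early, which is the effect the report attributes to multi-hop dispersion.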
8. Project audit situation analysis
Of the 131 attack incidents, the project parties in 42 had not been audited, those in 78 had been audited, and the audit status of the project parties in 11 incidents could not be confirmed.
Among the 42 unaudited projects, contract vulnerability incidents accounted for 30 cases (approximately 71.43%), suggesting that projects without audits are more exposed to security risks. By comparison, contract vulnerability incidents accounted for 49 of the 78 audited projects (approximately 62.82%), which shows that auditing improves project security to a certain extent.
However, because the Web3 market lacks complete regulatory standards, audit quality is uneven and the final results often fall far short of expectations. To effectively protect assets, projects are advised to have a professional security company conduct an audit before going live.
9. Rug Pull analysis
In 2024, the Beosin Alert platform monitored a total of 68 major Rug Pull incidents in the Web3 ecosystem, involving approximately US$148 million in total, a significant decrease from US$388 million in 2023.
By amount, 9 of the 68 Rug Pull incidents involved more than US$1 million each: Essence Finance (US$20 million), Shido Global (US$2.4 million), ETHTrustFund (US$2.2 million), Nexera (US$1.8 million), Grand Base (US$1.7 million), SAGA Token (US$1.6 million), OrdiZK (US$1.4 million), MangoFarmSOL (US$1.29 million) and RiskOnBlast (US$1.25 million). Their combined loss was US$33.64 million, 22.73% of the losses from all Rug Pull events.
Rug Pulls on Ethereum and BNB Chain accounted for 82.35% of the total, with 24 and 32 cases respectively. One Rug Pull of more than US$20 million occurred on Scroll. A small number of Rug Pull events occurred on other public chains, including Polygon, BASE and Solana.
10. Summary of the 2024 Web3 blockchain security situation
In 2024, the number of on-chain hacking incidents and project Rug Pulls dropped significantly compared with 2023, but the amount of losses kept rising and phishing attacks became more rampant. The most costly attack method is still the leakage of private keys. The main reasons for this change include:
After last year's rampant hacker activity, the entire Web3 ecosystem, from project parties to security companies, paid more attention to security this year. Efforts were made in areas such as real-time on-chain monitoring, greater emphasis on security audits, and actively learning from past contract vulnerability exploitation incidents, making it harder for hackers to steal funds through contract vulnerabilities than last year. However, project parties still need to strengthen security awareness around private key storage and operational security.
As the crypto market integrates with traditional markets, hackers are no longer limited to attacking DeFi, cross-chain bridges, exchanges and the like, but are turning to payment platforms, gambling platforms, crypto brokers, infrastructure, password managers, development tools, MEV bots, TG bots and many other targets.
In 2024-2025 the crypto market is entering a bull market, and active on-chain funds will to some extent attract more hacker attacks. In addition, regulation of crypto assets in various regions is gradually improving to combat criminal activity that uses crypto assets. Under this trend, hacker attack activity is expected to remain at a high level in 2025, and global law enforcement and regulatory authorities will still face severe challenges.