Preface

This research report is initiated by the Blockchain Security Alliance and jointly created by its members Beosin and Footprint Analytics. It aims to provide a comprehensive exploration of the global blockchain security landscape in 2024. Through an analysis and evaluation of the current state of blockchain security worldwide, the report will unveil the security challenges and threats faced today, while offering solutions and best practices. With this report, readers will gain a more complete understanding of the dynamic evolution of Web3 blockchain security. This will help readers assess and address the security challenges faced in the blockchain space. Additionally, the report provides valuable insights on security measures and industry development trends, assisting readers in making informed decisions and actions within this emerging field. Blockchain security and regulation are key issues in the development of the Web3 era. Through in-depth research and discussion, we can better understand and tackle these challenges, advancing the security and sustainable development of blockchain technology.

1. 2024 Web3 Blockchain Security Landscape Overview

According to monitoring by the Alert platform under the security audit company Beosin, the total losses in the Web3 space in 2024 due to hacker attacks, phishing scams, and rug pulls by project teams reached $2.513 billion. Among these, there were 131 major attack incidents, causing losses of approximately $1.792 billion; 68 rug pull incidents by project teams, with losses totaling about $148 million; and phishing scams caused a total loss of approximately $574 million.

In 2024, both hacker attacks and phishing scams saw a significant increase compared to 2023, with phishing scams rising by 140.66%. The losses from rug pull incidents by project teams notably decreased, dropping by about 61.94%.

In 2024, the types of projects affected by attacks included DeFi, CEX, DEX, public chains, cross-chain bridges, wallets, payment platforms, gambling platforms, crypto brokers, infrastructure, password managers, development tools, MEV bots, TG bots, and others. DeFi was the most frequently attacked project type, with 75 attacks on DeFi causing total losses of about $390 million. CEX had the highest total loss amount, with 10 attacks on CEX leading to losses of approximately $724 million.

In 2024, attacks occurred across more public chain types, with multiple security incidents involving theft across different chains. Ethereum remained the public chain with the highest loss amount, with 66 attacks on Ethereum resulting in losses of around $844 million, accounting for 33.57% of the total losses for the year.

From the perspective of attack methods, 35 private key leakage incidents caused losses of approximately $1.306 billion, accounting for 51.96% of the total losses, making it the most damaging attack method.

Exploitation of contract vulnerabilities was the most frequent attack method, with 76 of the 131 attacks originating from contract vulnerabilities, making up 58.02% of the total incidents.

Approximately $531 million in stolen funds were recovered, accounting for about 21.13%. Around $109 million of stolen funds were transferred to mixers, accounting for about 4.34% of the total stolen funds, a decrease of about 66.97% compared to 2023.

2. Top 10 Web3 Security Incidents in 2024

In 2024, there were 5 major attack incidents with losses exceeding $100 million: DMM Bitcoin ($304 million), PlayDapp ($290 million), WazirX ($235 million), Gala Games ($216 million), and Chris Larsen’s theft ($112 million). The total losses from the top 10 security incidents amounted to approximately $1.417 billion, accounting for about 79.07% of the total annual attack losses.

No.1 DMM Bitcoin

Loss: $304 million

Attack Method: Private Key Leakage

On May 31, 2024, the Japanese cryptocurrency exchange DMM Bitcoin was attacked, and over $304 million worth of Bitcoin was stolen. The hackers dispersed the stolen funds across more than 10 addresses in an attempt to launder them.

No.2 PlayDapp

Loss: $290 million

Attack Method: Private Key Leakage

On February 9, 2024, the blockchain gaming platform PlayDapp was attacked, with hackers minting 2 billion PLA tokens worth $36.5 million. After failed negotiations with PlayDapp, on February 12, the hackers minted another 15.9 billion PLA tokens worth $253.9 million and sent part of the funds to the Gate exchange. PlayDapp then paused the PLA contract and migrated the PLA tokens to PDA tokens.

No.3 WazirX

Amount of loss: $235 million

Attack Method: Network Attack and Phishing

On July 18, 2024, the multi-signature wallet of the Indian cryptocurrency exchange WazirX was stolen, resulting in a loss of over $235 million. The multi-signature wallet was a Safe wallet smart contract. The attacker tricked the multi-signature signers into signing an upgrade transaction, and through the upgraded contract, transferred the assets directly from the wallet.

No.4 Gala Games

Amount of loss: $216 million

Attack Method: Access Control Vulnerability

On May 20, 2024, a privileged address of Gala Games was compromised. The attacker used this address to call the mint function and directly minted 5 billion GALA tokens worth approximately $216 million, converting the minted tokens into ETH in batches. The Gala Games team then used the blacklist function to block the hacker and recover the losses.

No.5 Chris Larsen (Ripple’s co-founder)

Amount of loss: $112 million

Attack Method: Private Key Leakage

On January 31, 2024, Ripple’s co-founder Chris Larsen reported that four of his wallets were breached, resulting in a total loss of approximately $112 million. Binance’s team successfully froze $4.2 million worth of stolen XRP tokens.

No.6 Munchables

Amount of loss: $62.5 million

Attack Method: Social Engineering Attack

On March 26, 2024, the Web3 gaming platform Munchables, based on Blast, was attacked, resulting in a loss of about $62.5 million. The project was attacked because it employed North Korean hackers as developers. All the stolen funds were eventually returned by the hackers.

No.7 BTCTurk

Amount of loss: $55 million

Attack Method: Private Key Leakage

On June 22, 2024, the Turkish cryptocurrency exchange BTCTurk was attacked, resulting in a loss of about $55 million. Binance assisted in freezing over $5.3 million of the stolen funds.

No.8 Radiant Capital

Amount of loss: $53 million

Attack Method: Private Key Leakage

On October 17, 2024, the multi-chain lending protocol Radiant Capital was attacked. The attacker illegally gained the permissions of 3 owners of Radiant Capital’s multi-signature wallet. The multi-signature wallet used a 3/11 signature validation model, and the attacker used the 3 private keys for offline signing. The attacker then initiated an on-chain transaction to transfer the ownership of the Radiant Capital contract to a malicious contract under the attacker’s control, causing a loss of over $53 million.

No.9 Hedgey Finance

Amount of loss: $44.7 million

Attack Method: Contract Vulnerability

On April 19, 2024, Hedgey Finance was attacked multiple times by an attacker. The attacker exploited a token approval vulnerability to steal a large number of tokens from the ClaimCampaigns contract, including tokens worth over $2.1 million stolen from the Ethereum chain and tokens worth about $42.6 million stolen from the Arbitrum chain.

No.10 BingX

Amount of loss: $44.7 million

Attack Method: Private Key Leakage

On September 19, 2024, the hot wallet of the BingX exchange was attacked. Although BingX activated emergency measures, including asset transfer and withdrawal suspension, Beosin statistics show that the total loss from the abnormal outflow of assets from the hot wallet amounted to $44.7 million. The stolen assets involved multiple blockchains, including Ethereum, BNB Chain, Tron, Polygon, Avalanche, and Base.

3. Types of Attacked Projects

In 2024, the types of attacked projects not only included common types such as DeFi, CEX, DEX, public chains, and cross-chain bridges, but also extended to payment platforms, gambling platforms, crypto brokers, infrastructure, password managers, development tools, MEV bots, TG bots, and various other project types.

In 2024, DeFi project attacks occurred 75 times, making it the most frequently attacked project type (about 50.70%). The total loss from DeFi attacks was approximately $390 million, accounting for about 15.50% of all losses, making it the fourth-largest project type in terms of loss amount.

The project type with the highest loss was CEX (centralized exchanges). Ten attacks on CEX led to losses of around $724 million, making it the project type with the highest loss amount. Overall, exchanges were the most frequently attacked project type in 2024, and exchange security remains the biggest challenge in the Web3 ecosystem.

The second-largest loss was from personal wallets, with a total loss of about $445 million. Twelve attacks targeting crypto whales, along with numerous phishing and social engineering attacks on regular users, led to a 464.72% surge in the total loss from personal wallets compared to 2023, making personal wallet security the second-biggest challenge after exchange security.

4. Loss Amount by Chain

Compared to 2023, the types of public chains attacked in 2024 were more diverse. The top five chains by loss amount were Ethereum, Bitcoin, Arbitrum, Ripple, and Blast.

The top six chains by the number of attack events were:

Ethereum, BNB Chain, Arbitrum, Others, Base, and Solana.

As in 2023, Ethereum remained the chain with the highest loss amount. Sixty-six attacks on Ethereum caused approximately $844 million in losses, accounting for 33.59% of the total annual loss.

Note: The total loss data does not include on-chain phishing losses and some CEX hot wallet losses. Bitcoin network losses ranked second, with a single security incident causing a loss of $238 million. Arbitrum ranked third, with a total loss of approximately $114 million.

5. Attack Method Analysis

The attack methods in 2024 were highly diversified. In addition to the common contract vulnerability attacks, several other methods were used, including supply chain attacks, third-party service provider attacks, man-in-the-middle attacks, DNS attacks, and front-end attacks.

In 2024, 35 private key leak incidents caused a total loss of $1.306 billion, accounting for 51.96% of the total loss, making it the most damaging attack method. Notable private key leak incidents included: DMM Bitcoin ($304 million), PlayDapp ($290 million), Ripple co-founder Chris Larsen ($112 million), BTCTurk ($55 million), Radiant Capital ($53 million), BingX ($44.7 million), and DEXX ($21 million).

Contract vulnerability exploitation was the most frequent attack method. Out of 131 attack incidents, 76 were due to contract vulnerabilities, making up 58.02% of the total. The total loss from contract vulnerabilities was approximately $321 million, ranking third in loss amount.

In terms of specific vulnerabilities, the most frequent and highest-loss incidents were due to business logic vulnerabilities. About 53.95% of the losses from contract vulnerabilities were caused by business logic flaws, resulting in a loss of approximately $158 million.

6. Anti-Money Laundering Typical Event Analysis

6.1 Polter Finance Security Incident

Event Overview

On November 17, 2024, Beosin Alert monitoring detected an attack on Polter Finance, a lending protocol on the FTM chain. The attacker manipulated the token price in the project contract for profit using a flash loan.

Vulnerability and Fund Analysis

The attacked LendingPool contract (0xd47ae558623638f676c1e38dad71b53054f54273) used 0x6808b5ce79d44e89883c5393b487c4296abb69fe as an oracle. This oracle utilized a recently deployed price-feed contract (0x80663edff11e99e8e0b34cb9c3e1ff32e82a80fe), which calculates prices based on token reserves in the uniswapV2_pair (0xEc71) contract, a contract vulnerable to flash loan attacks.

The attacker used a flash loan to artificially inflate the $BOO token price and borrowed other crypto assets. The stolen funds were then converted into FTM tokens and cross-chained to the ETH chain, where all funds were stored. Below is a flow diagram illustrating the fund movement on the ARB and ETH chains:

On November 20, the attacker continued to transfer over 2,625 ETH to Tornado Cash, as shown in the diagram below:

6.2 BitForex Security Incident

Event Overview

On February 23, 2024, well-known blockchain investigator ZachXBT disclosed via his analysis tool that BitForex’s hot wallet experienced a $56.5 million outflow, and the platform suspended withdrawal services during this process.

Fund Analysis

Beosin’s security team conducted an in-depth tracking and analysis of the BitForex incident using Trace:

Ethereum

On February 24, 2024, at 6:11 AM (UTC+8), BitForex began transferring 40,771 USDT, 258,700 USDC, 148.01 ETH, and 471,405 TRB to an Ethereum exit address (0xdcacd7eb6692b816b6957f8898c1c4b63d1fc01f).

On August 9, the exit address transferred all tokens, except TRB, back to BitForex’s account (0xcce7300829f49b8f2e4aee6123b12da64662a8b8).

From November 9 to November 10, the exit address transferred 355,000 TRB to four different OKX user addresses through seven transactions:

0x274c481bf400c2abfd2b5e648a0056ef34970b0a

0x45798ca76a589647acc21040c50562dcc33cf6bf

0x712d2fd67fe65510c5fad49d5a9181514d94183d

0xe8ec263ad9ee6947bf773837a2c86dff3a737bba

Subsequently, the exit address transferred the remaining 116,414.93 TRB to an intermediate address (0xbb217bd37c6bf76c6d9a50fefc21caa8e2f2e82e), which was then split into two transactions and sent to two different Binance user addresses:

0x431c916ef45e660dae7cd7184e3226a72fa50c0c

0xe7b1fb77baaa3bba9326af2af3cd5857256519df

BNB Chain

On February 24, BitForex withdrew 166 ETH, 46,905 USDT, and 57,810 USDC to a BNB Chain address (0xdcacd7eb6692b816b6957f8898c1c4b63d1fc01f), where it remains.

Polygon

On February 24, BitForex withdrew 99,000 MATIC, 20,300 USDT, and 1,700 USDC to a Polygon chain address (0xdcacd7eb6692b816b6957f8898c1c4b63d1fc01f).

Of the 99,000 MATIC, 8,000 were transferred to the address 0xcce7300829f49b8f2e4aee6123b12da64662a8b8 on August 9, where they remain, and the rest of the USDT and USDC tokens also remain.

TRON

On February 24, BitForex withdrew 44,000 TRX and 657,698 USDT to a TRON chain address (TQcnqaU4NDTR86eA4FZneeKfJMiQi7i76o).

On August 9, these tokens were all transferred back to BitForex’s user address (TGiTEXjqx1C2Y2ywp7gTR8aYGv8rztn9uo).

Bitcoin

Starting on February 24, 16 BitForex addresses began transferring a total of 5.7 BTC to a BTC chain address (3DbbF7yxCR7ni94ANrRkfV12rJoxrmo1o2).

On August 9, the 5.7 BTC was fully transferred back to BitForex’s address (11dxPFQ8K9pJefffHE4HUwb2aprzLUqxz).

To sum up, on February 24, BitForex transferred 40,771 USDT, 258,700 USDC, 148.01 ETH, and 471,405 TRB to the Ethereum chain; 44,000 TRX and 657,698 USDT to the TRON chain; 5.7 BTC to the BTC chain; 166 ETH, 46,905 USDT, and 57,810 USDC to the BNB Chain; and 99,000 MATIC, 20,300 USDT, and 1,700 USDC to the Polygon chain.

On August 9, all tokens on the BTC chain, TRON chain, and Ethereum chain (except TRB) were transferred back to BitForex. On November 9 and 10, the full 471,405 TRB was transferred to four OKX accounts and two Binance accounts.

Thus, all tokens on the ETH, TRON, and BTC chains have been transferred, and on BSC, 166 ETH, 46,905 USDT, and 57,810 USDC remain, while on POL, 99,000 MATIC, 20,300 USDT, and 1,700 USDC remain.

Attached TRB Deposit Exchange Address:

7. Analysis of the Flow of Stolen Funds

In 2024, approximately $1.312 billion of the stolen funds remained in hacker addresses (including funds transferred across chains and dispersed to multiple addresses), accounting for 52.20% of the total stolen funds. Compared to last year, hackers this year have been more inclined to launder funds through multiple cross-chain transactions and spread the stolen assets across many addresses, rather than directly using mixers. The increase in addresses and complexity of laundering paths undoubtedly adds to the difficulty for project teams and regulatory authorities in investigating these activities.

Approximately $531 million of stolen funds were recovered, accounting for about 21.13%. In 2023, the amount of recovered funds was about $295 million.

Throughout the year, about $109 million of stolen funds were transferred into mixers, accounting for approximately 4.34% of the total stolen funds. Since the U.S. OFAC sanctioned Tornado Cash in August 2022, the amount of stolen funds transferred into Tornado Cash has significantly decreased.

8. Analysis of Project Audit Situation

Among the 131 attack incidents, 42 incidents involved projects that had not undergone an audit, 78 incidents involved projects that had been audited, and 11 incidents had an unclear audit status.

Among the 42 projects that had not been audited, 30 incidents (approximately 71.43%) were related to contract vulnerabilities. This indicates that projects without audits are more likely to have potential security risks. In contrast, among the 78 audited projects, 49 incidents (approximately 62.82%) were related to contract vulnerabilities. This suggests that audits can improve project security to some extent.

However, due to the lack of comprehensive standards in the Web3 market, the quality of audits is uneven, and the results often fall short of expectations. To effectively protect asset security, it is recommended that projects seek professional security companies for auditing before going live.

9. Rug Pull Analysis

In 2024, the Beosin Alert platform monitored a total of 68 major Rug Pull incidents in the Web3 ecosystem, with a total value of approximately $148 million. This represents a significant decrease compared to $388 million in 2023.

In terms of value, among the 68 Rug Pull incidents, 9 projects had losses exceeding $1 million. These were: Essence Finance ($20 million), Shido Global ($2.4 million), ETHTrustFund ($2.2 million), Nexera ($1.8 million), Grand Base ($1.7 million), SAGA Token ($1.6 million), OrdiZK ($1.4 million), MangoFarmSOL ($1.29 million), and RiskOnBlast ($1.25 million). The total loss for these 9 incidents was $33.64 million, accounting for 22.73% of the total loss from all Rug Pull incidents.

Rug Pull projects on Ethereum and BNB Chain accounted for 82.35% of the total, with 24 incidents on Ethereum and 32 on BNB Chain. Additionally, one incident exceeding $20 million occurred on Scroll. Other public blockchains, including Polygon, BASE, and Solana, also experienced a small number of Rug Pull events.

10. 2024 Web3 Blockchain Security Situation Summary

In 2024, on-chain hacking activities and Rug Pull incidents in the Web3 ecosystem significantly decreased compared to 2023. However, the amount of losses continued to rise, and phishing attacks became more rampant. The highest loss-causing attack method remained private key leaks. The main reasons for this shift include:

After the rampant hacker activities last year, the entire Web3 ecosystem focused more on security in 2024. Efforts from project teams to security companies have been made in various aspects, such as real-time on-chain monitoring, increased attention to security audits, and actively learning from past contract vulnerability exploits. This has made it harder for hackers to steal funds through contract vulnerabilities compared to last year. However, project teams still need to strengthen awareness of private key management and operational security.

With the integration of the crypto market and traditional markets, hackers are no longer limited to attacking DeFi, cross-chain bridges, exchanges, etc., but have shifted towards targeting payment platforms, gambling platforms, crypto brokers, infrastructure, password managers, development tools, MEV bots, TG bots, and other diverse targets.

In 2024-2025, as the crypto market enters a bull market and on-chain funds become more active, this will attract more hacker attacks. Additionally, regional regulations on crypto assets are gradually improving to combat crimes involving crypto assets. Under this trend, hacker activities are expected to remain high in 2025, and global law enforcement agencies and regulatory bodies will still face severe challenges.

Disclaimer:

1. This article is reproduced from [Footprint Blockchain Analysis]. The copyright belongs to the original author [Beosin, Footprint Analytics], if you have any objection to the reprint, please contact Gate Learn Team, and the team will handle it as soon as possible according to relevant procedures.
2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute investment advice.
3. The Gate Learn team translated the article into other languages. Copying, distributing, or plagiarizing the translated articles is prohibited unless mentioned.