Top 10 Security Incidents in Web3 2024: Losses Nearly $2.5 Billion, with Private Key and Contract Vulnerabilities as Major Causes

Top 10 Security Incidents in the Web3 Field of 2024

In 2024, the blockchain industry thrived while also facing increasingly severe security challenges. According to statistics, by the end of 2024 total losses in the Web3 sector from hacker attacks, fraud, and project exit scams had reached $2.491 billion. These incidents not only expose technical weaknesses, such as private key management and smart contract security issues, but also highlight the threat of social engineering attacks and internal management risks. This article reviews the ten most impactful Web3 security events of 2024 as a reference and warning for the industry.

Top 10 Most Influential Attacks in Web3 for 2024

1. DMM Bitcoin: Private key leakage leads to a loss of $304 million

On May 31, 2024, DMM Bitcoin, a well-known cryptocurrency exchange in Japan, suffered a major security incident. Attackers used leaked private keys to directly transfer over $300 million worth of Bitcoin and quickly dispersed the funds to multiple addresses. This incident exposed serious flaws in the exchange's private key management and multi-layer security measures. Although the exchange took measures such as on-chain monitoring and freezing of funds, the recovery efforts faced significant challenges due to the hackers using mixing tools. By the end of the year, Japanese police confirmed that the attack was carried out by an international hacking organization.

2. PlayDapp: $290 Million Loss Due to Private Key Leak

On February 9, 2024, the PlayDapp project suffered a severe blow. Hackers illegally minted a large number of PLA tokens by stealing private keys, initially causing a loss of $36.5 million. Due to failed negotiations with the hackers, the attackers further minted tokens worth $253.9 million. This incident forced PlayDapp to suspend its original contract and migrate to a new token contract, highlighting the deficiencies in private key protection and emergency response in blockchain projects.

3. An Indian trading platform: Cyberattacks and phishing result in $235 million loss

On July 18, 2024, India’s largest cryptocurrency exchange was subjected to a targeted attack. Hackers used social engineering techniques to persuade the signers of a multi-signature wallet to approve a contract upgrade transaction, and then exploited the upgraded contract's permissions to transfer assets from the wallet. This incident revealed the potential risks of multi-signature wallets in terms of permission management and operational transparency, sparking in-depth discussions within the industry about the internal risk control mechanisms of projects.

4. Gala Games: Access Control Vulnerability Leads to $216 Million Loss

On May 20, 2024, a privileged address of Gala Games was breached by hackers. The attackers exploited the mint function in the token contract to mint 5 billion GALA tokens in one go, and exchanged them for ETH in batches, resulting in a direct loss of $216 million. Although the project team urgently activated the blacklist feature and recovered part of the losses through legal means, this incident still exposed significant vulnerabilities in contract design and permission management.

5. Founder of a well-known cryptocurrency: personal wallet attacked, resulting in a loss of $112 million

On January 31, 2024, a personal wallet of a co-founder of a well-known cryptocurrency project was hacked, resulting in the theft of $112 million worth of cryptocurrency. The wallet may have become a target because it lacked the additional protection of hardware devices. Although a major trading platform successfully froze some of the stolen funds and assisted in tracking, most of the funds had already been laundered through decentralized exchanges and mixing services.

6. Munchables: Internal infiltration attack causes a loss of $62.5 million

On March 26, 2024, the Web3 gaming platform Munchables, built on Blast, experienced a rare internal infiltration attack. The attacker posed as a blockchain developer and gained access to core code and sensitive keys through long-term infiltration. Although all stolen funds were eventually returned under pressure from the community and the team, this incident highlighted the importance of supply chain security, especially for blockchain projects that rely on third-party development.

7. A Turkish trading platform: Private key leak leads to a loss of $55 million

On June 22, 2024, Turkey's largest cryptocurrency exchange experienced a private key leak, resulting in a loss of over $55 million in crypto assets. Although some of the stolen funds were successfully frozen with the assistance of other exchanges, most of the assets remain unrecovered. This incident has further deepened concerns in the market about the private key management capabilities of centralized exchanges.

8. Radiant Capital: Multi-signature wallet breached, resulting in a loss of $53 million

On October 17, 2024, the multi-signature wallet of Radiant Capital was hacked. Because the wallet used a low-threshold 3-of-11 signature verification model, the hacker, having obtained the private keys of 3 signers, was able to produce off-chain signatures and transfer ownership of the wallet contract to a malicious address, ultimately resulting in a theft of $53 million. This attack has sparked industry reflection on the design and governance mechanisms of multi-signature wallets. It is worth noting that Radiant Capital had previously lost $4.5 million due to a contract vulnerability, highlighting the project's insufficient emphasis on security.

9. Hedgey Finance: Contract vulnerabilities lead to a loss of $44.7 million

On April 19, 2024, Hedgey Finance suffered an attack targeting multiple on-chain contracts. The hacker exploited a vulnerability in the token approval logic of the ClaimCampaigns contract, extracting tokens on both the Ethereum and Arbitrum chains for a total loss of $44.7 million. This incident once again highlights the importance of code audits, particularly the strict verification of token approval logic.

10. A Cryptocurrency Exchange: Hot Wallet Hacked, Losing $44.7 Million

On September 19, 2024, the hot wallet of a well-known cryptocurrency exchange was hacked, involving multiple public chains such as Ethereum, BNB Chain, and Tron. Although the exchange quickly initiated asset transfer and withdrawal freeze mechanisms, the hackers still successfully extracted assets worth $44.7 million. This attack once again reflects the high risks associated with the management of hot wallets in centralized exchanges, prompting the industry to explore safer asset storage solutions.

The frequent security incidents in 2024 remind us once again that the healthy development of the blockchain industry relies on strong security guarantees. From private key management to contract design, from internal controls to external defenses, each incident has sounded the alarm for the industry. In the face of increasingly complex attack methods, all parties in the industry need to continuously invest in technology research and development, management standards, and risk prevention and control. In the future, we look forward to collaboratively building a more secure and reliable blockchain ecosystem through industry cooperation and technological innovation, providing stronger guarantees for users and investors.
