2024 Web3 Top Ten Security Incidents Review: Nearly $2.5 Billion in Losses Warns the Industry
Review of the Top 10 Security Incidents in Web3 of 2024
In 2024, the blockchain industry faced severe security challenges even as it developed rapidly. According to data platform monitoring, by the end of the year the total losses in the Web3 field caused by hacker attacks, scams, and project exits had reached $2.491 billion. These incidents not only exposed technical vulnerabilities but also highlighted risks in social engineering and internal management. Let us review the ten most impactful security incidents in the Web3 field in 2024, in hopes of drawing lessons from them to better address future security threats.
1. DMM Bitcoin: Loss of $304 million due to private key leakage
On May 31, 2024, Japan's well-known cryptocurrency exchange DMM Bitcoin suffered a severe blow. Attackers exploited leaked private keys to transfer over $300 million in Bitcoin and quickly dispersed the funds to multiple addresses. This incident exposed serious flaws in the exchange's private key management and multi-layer security protections. Although the exchange attempted to track the hackers through on-chain monitoring and freezing of funds, the stolen funds had already been dispersed and laundered through mixing tools, greatly increasing the difficulty of recovery.
At the end of the year, Japanese police confirmed that the attack was carried out by a certain hacker organization.
2. PlayDapp: $290 million loss due to private key leak
On February 9, 2024, PlayDapp experienced a serious security incident. Using stolen private keys, hackers minted a large number of PLA tokens with an initial value of $36.5 million. After negotiations with the hackers failed, the attackers minted more tokens, bringing the total value to $253.9 million. After some of these tokens flowed into exchanges, PlayDapp was forced to suspend the PLA contract and migrate to a new token contract. This incident highlights the shortcomings of blockchain projects in private key protection and emergency response.
3. An Indian Exchange: Cyber Attacks and Phishing Result in $235 Million Loss
On July 18, 2024, the Safe Wallet multi-signature wallet of India’s largest cryptocurrency exchange was subjected to a targeted attack. The attacker used social engineering techniques to induce multi-signature signers to authorize a contract upgrade transaction, and then leveraged the upgraded contract permissions to transfer assets from the wallet. This incident exposed potential risks in permission configuration and operational transparency of multi-signature wallets, sparking in-depth reflection within the industry on internal risk control and security mechanisms of projects.
4. Gala Games: Access Control Vulnerability Leads to $216 Million Loss
On May 20, 2024, a privileged address of Gala Games was hacked. The attacker minted 5 billion GALA tokens in one go by invoking the mint function of the token contract. Subsequently, these tokens were exchanged for ETH in batches, resulting in a loss of $216 million. The Gala Games team urgently activated the blacklisting feature to block some hacker accounts and recovered part of the loss through legal means.
5. Co-founder of a cryptocurrency: Private key leak caused a loss of $112 million
On January 31, 2024, four personal wallets of a co-founder of a well-known cryptocurrency project were hacked, resulting in the theft of $112 million worth of tokens. These wallets were targeted due to a lack of dual protection with hardware devices. Afterwards, a certain exchange successfully froze $4.2 million worth of tokens, but most of the funds had already been laundered through decentralized exchanges and mixing services.
6. Munchables: Social Engineering Attack Leads to $62.5 Million Loss
On March 26, 2024, the Web3 gaming platform Munchables, based on Blast, experienced a rare insider infiltration attack. The attacker posed as a blockchain developer and obtained core code and sensitive keys through long-term infiltration. Although the attack caused significant losses, the hacker ultimately returned all the stolen funds under pressure from the community and the team. This incident highlights the importance of supply chain security, especially for blockchain projects that rely on third-party development.
7. A Turkish Exchange: Private Key Leak Causes $55 Million Loss
On June 22, 2024, Turkey's largest cryptocurrency exchange suffered a private key leakage attack, resulting in losses exceeding $55 million in cryptocurrency assets. With the assistance of a certain exchange's team, $5.3 million of the stolen funds were successfully frozen, but other assets have yet to be recovered. This incident has heightened market concerns regarding the private key management of centralized exchanges.
8. Radiant Capital: Private Key Leak Leads to $53 Million Loss
On October 17, 2024, the multi-signature wallet of Radiant Capital was hacked. The wallet used a 3/11 signature verification model, so after obtaining the private keys of 3 signers the hacker was able to initiate an off-chain signature and transfer ownership of the wallet contract to a malicious address, ultimately resulting in the theft of 53 million dollars. This attack has sparked industry reflection on the design and governance mechanisms of multi-signature wallets.
It is worth noting that Radiant Capital previously lost 4.5 million dollars due to a contract vulnerability, with over 1900 ETH stolen, indicating that Web3 project teams still need to improve their focus on security.
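The two multi-signature incidents above (the contract-upgrade authorization at the Indian exchange and the ownership transfer at Radiant Capital) both ended with a transaction that handed control of the wallet to the attacker. The following Python pre-signing check is an added example, not code from any project named in this review: it decodes a pending transaction's calldata and flags upgrade or ownership-transfer calls that point to unapproved addresses. The allowlist, the sample transactions and the majority-confirmation policy are assumptions made for illustration.

```python
# Added example: pre-signing review of a multisig transaction (constructed data).
# Selectors are the first 4 bytes of keccak256 of the function signature.
HIGH_RISK_SELECTORS = {
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
}
CALL, DELEGATECALL = 0, 1  # operation values used by Safe transactions


def review_transaction(tx, approved):
    """Return findings a signer must resolve before approving tx.

    approved is a hypothetical allowlist of addresses reviewed out of band.
    """
    findings = []
    data = tx["data"].lower()
    if data.startswith("0x"):
        data = data[2:]
    if tx["operation"] == DELEGATECALL:
        findings.append("DELEGATECALL runs target code with the wallet's storage")
    name = HIGH_RISK_SELECTORS.get(data[:8])
    if name:
        word = data[8:72]  # first ABI argument: 32-byte word, address in low 20 bytes
        if len(word) < 64 or word[:24] != "0" * 24:
            findings.append(f"{name}: malformed address argument")
        elif "0x" + word[24:] not in approved:
            findings.append(f"{name}: 0x{word[24:]} is not an approved address")
    return findings


def required_confirmations(findings, threshold, owners):
    """Assumed policy: a flagged transaction needs a strict majority of owners."""
    return max(threshold, owners // 2 + 1) if findings else threshold


# Constructed sample transactions; all addresses are placeholders.
APPROVED = {"0x" + "aa" * 20}
PAD = "00" * 12
TX_UPGRADE = {"to": "0x" + "11" * 20, "operation": CALL,
              "data": "0x3659cfe6" + PAD + "ee" * 20}
TX_OWNER = {"to": "0x" + "22" * 20, "operation": DELEGATECALL,
            "data": "0xf2fde38b" + PAD + "bb" * 20}
TX_ROUTINE = {"to": "0x" + "33" * 20, "operation": CALL,
              "data": "0xa9059cbb" + PAD + "cc" * 20 + "00" * 31 + "01"}

if __name__ == "__main__":
    for label, tx in [("upgrade", TX_UPGRADE), ("owner", TX_OWNER), ("routine", TX_ROUTINE)]:
        found = review_transaction(tx, APPROVED)
        print(label, required_confirmations(found, 3, 11), found)
```

Under the assumed policy, a flagged transaction on a 3/11 wallet needs 6 confirmations instead of 3, so three compromised signers alone could not push through an ownership transfer.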
9. Hedgey Finance: Contract vulnerabilities cause a loss of $44.7 million
On April 19, 2024, Hedgey Finance suffered an attack targeting multiple on-chain contracts. The hacker exploited a vulnerability in the token approval logic of the ClaimCampaigns contract, successfully extracting tokens on both the Ethereum and Arbitrum chains, with total losses amounting to $44.7 million. This incident highlights the importance of code auditing, especially the rigorous verification of token approval logic.
10. A Cryptocurrency Exchange: Private Key Leak Leads to $44.7 Million Loss
On September 19, 2024, the hot wallet of a certain exchange was hacked, involving multiple public chains including Ethereum, BNB Chain, and Tron. Although the exchange quickly activated the asset transfer and withdrawal freeze mechanism, the hacker successfully extracted assets worth $44.7 million. This attack once again reflects the high risk of hot wallet management in centralized exchanges, prompting the industry to explore safer asset storage solutions.
The frequent security incidents in 2024 remind us once again that the development of the blockchain industry cannot be separated from security guarantees. From private key management to contract vulnerabilities, from internal management lapses to the upgrading of external attack methods, each incident has brought profound lessons. To cope with increasingly complex security threats, all parties in the industry need to continuously strengthen their investment in technological research and development, management norms, and risk prevention. In the future, we look forward to building a more secure blockchain ecosystem through industry collaboration and technological innovation, providing more reliable protection for users and investors.