Beosin: 2024 Web3 Blockchain Security Situation Annual Report


Preface

This research report is initiated by the Blockchain Security Alliance and co-authored by alliance members Beosin and Footprint Analytics. It aims to comprehensively explore the development of the global blockchain security situation in 2024. Through analysis and assessment of the current state of global blockchain security, the report will reveal the security challenges and threats faced today, and provide solutions and best practices.

Through this report, readers will gain a more comprehensive understanding of the dynamic evolution of Web3 blockchain security. This will help readers assess and respond to the security challenges in the blockchain field. Additionally, readers can obtain valuable advice on security measures and industry development directions from the report, assisting them in making informed decisions and actions in this emerging field. Blockchain security and regulation are key issues in the development of the Web3 era. Through in-depth research and discussion, we can better understand and address these challenges, promoting the security and sustainable development of blockchain technology.

1. Overview of the 2024 Web3 Blockchain Security Situation

According to monitoring by Beosin's Alert platform, the total losses in the Web3 sector due to hacker attacks, phishing scams, and project Rug Pulls reached $2.513 billion in 2024. Among these, there were 131 major attack incidents, with total losses of approximately $1.792 billion; 68 project Rug Pull incidents, with total losses of about $148 million; and total losses from phishing scams of approximately $574 million.

In 2024, the amounts lost due to hacker attacks and phishing scams significantly increased compared to 2023, with phishing scams surging by 140.66% compared to 2023. The losses from project Rug Pull incidents significantly decreased, dropping by about 61.94%.

In 2024, the types of projects attacked included DeFi, CEX, DEX, public chains, cross-chain bridges, wallets, payment platforms, gambling platforms, crypto brokers, infrastructure, password managers, development tools, MEV bots, TG bots, and more. DeFi was the most frequently attacked project type, with 75 attacks resulting in losses of approximately $390 million. CEX had the highest total loss amount among project types, with 10 attacks resulting in losses of about $724 million.

In 2024, there were more types of public chains involved in attack incidents, with multiple security incidents occurring across several chains. Ethereum remained the public chain with the highest loss amount, with 66 attack incidents on Ethereum causing losses of approximately $844 million, accounting for 33.57% of the total losses for the year.

In terms of attack methods, 35 private key leakage incidents caused losses of approximately $1.306 billion, accounting for 51.96% of the total losses, making it the most damaging attack method.

Exploitation of contract vulnerabilities was the most frequent attack method, with 76 out of 131 attack incidents stemming from contract vulnerabilities, accounting for 58.02%.

Approximately $531 million of the stolen funds were recovered throughout the year, accounting for about 21.13%. About $109 million of the stolen funds were transferred to mixers, accounting for approximately 4.34% of the total stolen funds, a decrease of about 66.97% compared to 2023.

2. Top Ten Security Incidents in the 2024 Web3 Ecosystem

In 2024, there were 5 attack incidents with losses exceeding $100 million: DMM Bitcoin ($304 million), PlayDapp ($290 million), WazirX ($235 million), Gala Games ($216 million), and the theft from Chris Larsen ($112 million). The total loss amount of the top 10 security incidents was approximately $1.417 billion, accounting for about 79.07% of the total loss amount from annual attack incidents.

No.1 DMM Bitcoin

Loss Amount: $304 million

Attack Method: Private Key Leakage

On May 31, 2024, the Japanese cryptocurrency exchange DMM Bitcoin was attacked, resulting in the theft of over $300 million worth of Bitcoin. The hackers dispersed the stolen funds across more than 10 addresses in an attempt to launder them.

No.2 PlayDapp

Loss Amount: $290 million

Attack Method: Private Key Leakage

On February 9, 2024, the blockchain gaming platform PlayDapp was attacked, with hackers minting 2 billion PLA tokens worth $36.5 million. After failed negotiations with PlayDapp, on February 12, the hackers minted an additional 15.9 billion PLA tokens worth $253.9 million and sent part of the funds to the Gate exchange. The PlayDapp project team subsequently paused the PLA contract and migrated the PLA tokens to PDA tokens.

No.3 WazirX

Loss Amount: $235 million

Attack Method: Network Attack and Phishing

On July 18, 2024, a multi-signature wallet of the Indian cryptocurrency exchange WazirX was hacked, resulting in the theft of over $230 million. The multi-signature wallet was a Safe wallet smart contract. The attackers induced multi-signature signers to approve a contract upgrade transaction, allowing them to directly transfer assets from the wallet through the upgraded contract, ultimately transferring all assets worth over $230 million.

No.4 Gala Games

Loss Amount: $216 million

Attack Method: Access Control Vulnerability

On May 20, 2024, a privileged address of Gala Games was compromised, allowing the attacker to call the mint function of the token and directly mint 5 billion GALA tokens worth approximately $216 million, which were then exchanged for ETH in batches. Subsequently, the Gala Games team used a blacklist feature to block the hacker and recover the losses.

No.5 Chris Larsen (Ripple's co-founder)

Loss Amount: $112 million

Attack Method: Private Key Leakage

On January 31, 2024, Chris Larsen, co-founder of Ripple, reported that four of his wallets were hacked, resulting in total losses of approximately $112 million. The Binance team successfully froze $4.2 million worth of stolen XRP tokens.

No.6 Munchables

Loss Amount: $62.5 million

Attack Method: Social Engineering Attack

On March 26, 2024, the Web3 gaming platform Munchables, based on Blast, was attacked, resulting in losses of approximately $62.5 million. The project was attacked because it had hired North Korean hackers as developers. All stolen funds were eventually returned by the hackers.

No.7 BTCTurk

Loss Amount: $55 million

Attack Method: Private Key Leakage

On June 22, 2024, the Turkish cryptocurrency exchange BTCTurk was attacked, resulting in losses of approximately $55 million. Binance assisted in freezing over $5.3 million of the stolen funds.

No.8 Radiant Capital

Loss Amount: $53 million

Attack Method: Private Key Leakage

On October 17, 2024, the multi-chain lending protocol Radiant Capital was attacked, with the attacker illegally obtaining the permissions of 3 owners of the Radiant Capital multi-signature wallet. Since the multi-signature wallet used a 3/11 signature verification model, the attacker utilized these 3 private keys for off-chain signing, then initiated on-chain transactions to transfer the ownership of the Radiant Capital contract to a malicious contract controlled by the attacker, resulting in losses exceeding $53 million.
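The WazirX (No.3) and Radiant Capital (No.8) incidents both turned on multisig owners approving, or having their keys used for, a transaction that handed control of the wallet or contract to the attacker. As an added example that is not code from the report or from either project, the Python policy check below reviews a Safe-style transaction before it is signed and flags weak signature thresholds such as 3/11; the SafeTx fields mirror Safe's execTransaction parameters, the addresses are constructed, and the selector table lists the standard 4-byte selectors of the named functions.

```python
from dataclasses import dataclass

OP_CALL, OP_DELEGATECALL = 0, 1

# Standard 4-byte selectors (first 4 bytes of keccak256(signature)), hex, no 0x.
RISKY_SELECTORS = {
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
    "f2fde38b": "transferOwnership(address)",
}

# Constructed addresses for the demo (not real contracts).
LENDING_POOL = "0x" + "11" * 20
TREASURY_TOKEN = "0x" + "22" * 20


@dataclass
class SafeTx:
    """Fields a signer sees in a Safe execTransaction request."""
    to: str
    value: int
    data: str        # 0x-prefixed hex calldata
    operation: int   # OP_CALL or OP_DELEGATECALL


def selector(data: str) -> str:
    body = data[2:] if data.lower().startswith("0x") else data
    return body[:8].lower()


def review_tx(tx: SafeTx, allowed_targets: set) -> list:
    """Return findings a signer should read before approving; empty means clean."""
    allowed = {a.lower() for a in allowed_targets}
    findings = []
    if tx.operation == OP_DELEGATECALL:
        findings.append("DELEGATECALL: target code would run inside the Safe's own storage")
    if tx.to.lower() not in allowed:
        findings.append(f"target {tx.to} is not on the allow-list")
    sel = selector(tx.data)
    if sel in RISKY_SELECTORS:
        findings.append(f"calls {RISKY_SELECTORS[sel]}: an upgrade or ownership change")
    if tx.value > 0 and len(tx.data) > 2:
        findings.append("sends native value together with calldata")
    return findings


def review_threshold(owner_count: int, threshold: int) -> list:
    """Flag configurations where a minority of owner keys can move the wallet."""
    findings = []
    if threshold < 2:
        findings.append("threshold below 2: a single key controls the wallet")
    elif threshold * 2 <= owner_count:
        findings.append(f"{threshold}/{owner_count}: compromising {threshold} keys is enough, "
                        "which is fewer than half of the owners")
    return findings


def demo() -> dict:
    # Constructed: a routine ERC20 transfer (selector a9059cbb) and an upgradeTo call.
    routine = SafeTx(TREASURY_TOKEN, 0, "0xa9059cbb" + "00" * 64, OP_CALL)
    upgrade = SafeTx(LENDING_POOL, 0, "0x3659cfe6" + "00" * 32, OP_CALL)
    allow = {LENDING_POOL, TREASURY_TOKEN}
    return {
        "routine": review_tx(routine, allow),
        "upgrade": review_tx(upgrade, allow),
        "three_of_eleven": review_threshold(11, 3),
        "six_of_eleven": review_threshold(11, 6),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["no findings"])
```

A signer tool built on this would refuse to produce a signature while any finding is present, so an upgrade or ownership transfer cannot be approved without explicit out-of-band confirmation.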

No.9 Hedgey Finance

Loss Amount: $44.7 million

Attack Method: Contract Vulnerability

On April 19, 2024, Hedgey Finance was attacked several times in succession. The attackers exploited a token approval vulnerability to steal a large number of tokens from the ClaimCampaigns contract, with tokens stolen on the Ethereum chain valued at over $2.1 million and tokens stolen on the Arbitrum chain valued at approximately $42.6 million.

No.10 BingX

Loss Amount: $44.7 million

Attack Method: Private Key Leakage

On September 19, 2024, the hot wallet of the BingX exchange was hacked. Although BingX initiated emergency measures, including urgent asset transfers and suspending withdrawals, Beosin reported that the total loss from the abnormal outflow of assets from the hot wallet reached $44.7 million, with stolen assets involving multiple blockchains including Ethereum, BNB Chain, Tron, Polygon, Avalanche, and Base.

3. Types of Attacked Projects

In 2024, the types of projects attacked included not only common types such as DeFi, CEX, DEX, public chains, and cross-chain bridges, but also various project types such as payment platforms, gambling platforms, crypto brokers, infrastructure, password managers, development tools, MEV bots, TG bots, and more.

In 2024, there were 75 attack incidents on DeFi projects, making it the most frequently attacked project type (approximately 50.70%). The total losses from DeFi attacks amounted to approximately $390 million, accounting for about 15.50% of all losses, making it the fourth highest in terms of loss amount.

The project type with the highest loss amount is CEX (Centralized Exchange), with 10 attacks causing approximately $724 million in losses, making it the project type with the most significant losses. Overall, exchange types experienced frequent security incidents in 2024, and exchange security remains the biggest challenge in the Web3 ecosystem.

The second highest loss amount was for personal wallets, with total losses of approximately $445 million. Twelve attacks targeting crypto whales, along with numerous phishing attacks and social engineering attacks against ordinary users, led to a staggering 464.72% increase in total losses for personal wallets compared to 2023, making it the second biggest challenge after exchange security.

4. Loss Amounts by Chain

Compared to 2023, the types of public chains attacked in 2024 were more diverse. The top five chains ranked by loss amount are Ethereum, Bitcoin, Arbitrum, Ripple, and Blast:


The top six chains ranked by the number of attack incidents are Ethereum, BNB Chain, Arbitrum, Others, Base, and Solana:


As in 2023, Ethereum remains the public chain with the highest loss amount. There were 66 attack incidents on Ethereum, resulting in approximately $844 million in losses, accounting for 33.59% of the total losses for the year.

Note: This total loss data does not include on-chain phishing losses and some CEX hot wallet losses.

The Bitcoin network ranked second in losses, with a single security incident loss reaching $238 million. Arbitrum ranked third, with total losses of approximately $114 million.

5. Analysis of Attack Methods

The attack methods in 2024 were very diverse. In addition to common contract vulnerability attacks, there were various attack methods, including: supply chain attacks, third-party service provider attacks, man-in-the-middle attacks, DNS attacks, front-end attacks, etc.


In 2024, 35 private key leakage incidents caused a total loss of $1.306 billion, accounting for 51.96% of the total losses, making it the most damaging attack method. Significant losses from private key leakage incidents include: DMM Bitcoin ($304 million), PlayDapp ($290 million), Ripple co-founder Chris Larsen ($112 million), BTCTurk ($55 million), Radiant Capital ($53 million), BingX ($44.7 million), and DEXX ($21 million).

Exploitation of contract vulnerabilities was the most frequent attack method, with 76 out of 131 attack incidents stemming from contract vulnerabilities, accounting for 58.02%. The total loss caused by contract vulnerabilities was approximately $321 million, ranking third in loss amount.

By breaking down the vulnerabilities, the most frequent and damaging were business logic vulnerabilities, with approximately 53.95% of the loss amount from contract vulnerability incidents coming from business logic vulnerabilities, causing a total loss of about $158 million.


6. Analysis of Typical Anti-Money Laundering Incidents

6.1 PolterFinance Security Incident

Incident Overview

On November 17, 2024, Beosin Alert monitoring detected that the lending protocol Polter Finance on the FTM chain was attacked, with the attacker manipulating the token price in the project contract for profit through flash loans.

Vulnerability and Fund Analysis

The attacked LendingPool contract (0xd47ae558623638f676c1e38dad71b53054f54273) used 0x6808b5ce79d44e89883c5393b487c4296abb69fe as its oracle, which in turn relied on a recently deployed price feed contract (0x80663edff11e99e8e0b34cb9c3e1ff32e82a80fe). This price feed calculated prices from the token reserves of the uniswapV2_pair contract (0xEc71). Because those reserves can be moved within a single transaction using a flash loan, the contract was exposed to price manipulation attacks.
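As an added illustration of the oracle flaw described above (not code from the report or from Polter Finance), the Python model below contrasts a reserve-based spot price with a time-weighted average and a deviation check; the pool sizes, trade size, window length and token labels are constructed, and the pair is a simplified Uniswap V2-style model with a price accumulator.

```python
from dataclasses import dataclass

# Constructed numbers: a constant-product pool holding 1,000,000 BOO (token0)
# and 100,000 FTM (token1), so the fair spot price is 0.1 FTM per BOO.
INIT_RESERVE0 = 1_000_000.0
INIT_RESERVE1 = 100_000.0
WINDOW = 3600   # seconds of history the TWAP reader looks back over


@dataclass
class Pair:
    """Minimal UniswapV2-style pair: reserve0 * reserve1 stays constant and a
    price accumulator is advanced before every reserve change (simplified model)."""
    reserve0: float
    reserve1: float
    cum_price0: float = 0.0   # sum of spot_price0 * elapsed seconds
    last_ts: int = 0

    def spot_price0(self) -> float:
        """Price of token0 read straight from reserves: the manipulable pattern."""
        return self.reserve1 / self.reserve0

    def sync(self, ts: int) -> None:
        """Credit the accumulator with the price that held since last_ts."""
        self.cum_price0 += self.spot_price0() * (ts - self.last_ts)
        self.last_ts = ts

    def swap_token1_for_token0(self, amount1_in: float, ts: int) -> float:
        """Sell token1 into the pool at time ts; returns token0 received."""
        self.sync(ts)
        new_r1 = self.reserve1 + amount1_in
        new_r0 = self.reserve0 * self.reserve1 / new_r1
        out = self.reserve0 - new_r0
        self.reserve0, self.reserve1 = new_r0, new_r1
        return out


def spot_oracle(pair: Pair) -> float:
    """What the reserve-based feed did: trust the current reserves."""
    return pair.spot_price0()


def twap_oracle(pair: Pair, cum_start: float, ts_start: int, now: int) -> float:
    """Time-weighted average over [ts_start, now]. A swap in the same block as
    the read contributes zero seconds, so it cannot move this value."""
    pair.sync(now)
    return (pair.cum_price0 - cum_start) / (now - ts_start)


def within_band(price: float, reference: float, max_bps: int) -> bool:
    """Circuit breaker: accept a price only if it is within max_bps basis points
    of the reference; lending logic should revert otherwise."""
    return abs(price - reference) * 10_000 <= reference * max_bps


def simulate() -> dict:
    pair = Pair(INIT_RESERVE0, INIT_RESERVE1)
    cum_start, ts_start = pair.cum_price0, pair.last_ts
    # Constructed scenario: 900,000 FTM (flash-loaned) is sold into the pool at
    # the end of the window, in the same block the lending contract reads prices.
    now = ts_start + WINDOW
    before = spot_oracle(pair)
    pair.swap_token1_for_token0(900_000.0, now)
    spot_after = spot_oracle(pair)
    twap = twap_oracle(pair, cum_start, ts_start, now)
    return {
        "spot_before": before,
        "spot_after": spot_after,
        "twap": twap,
        "spot_accepted": within_band(spot_after, twap, 500),  # 5% band
    }


if __name__ == "__main__":
    print(simulate())
```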

The attacker used flash loans to artificially inflate the value of the $BOO token and then borrowed other crypto assets against it. The stolen funds were subsequently converted into FTM tokens, then bridged to the ETH chain, where all of the funds were held. The report includes a diagram illustrating the flow of funds on the ARB chain and ETH chain:

(Figure: fund flow diagram for the ARB chain and ETH chain.)

On November 20, the attacker went on to transfer over 2,625 ETH to Tornado Cash, as shown in the following image:

(Figure: transfers from the attacker's address to Tornado Cash.)

6.2 BitForex Security Incident

Incident Overview

On February 23, 2024, well-known on-chain detective ZachXBT disclosed through his analysis tools that BitForex's hot wallet experienced a fund outflow of approximately $56.5 million, and during this process, the platform suspended withdrawal services.

Fund Analysis

The Beosin security team conducted an in-depth tracking analysis of the BitForex incident using Trace:

Ethereum

Bitforex began transferring 40,771 USDT, 258,700 USDC, 148.01 ETH, and 471,405 TRB to an Ethereum exit address (0xdcacd7eb6692b816b6957f8898c1c4b63d1fc01f) starting at 6:11 AM (UTC+8) on February 24, 2024.

Subsequently, on August 9, the exit address returned all tokens (including 147.9 ETH, 40,771 USDT, and 258,700 USDC) back to the Bitforex exchange account (0xcce7300829f49b8f2e4aee6123b12da64662a8b8), except for TRB.

Then, from November 9 to November 10, the exit address transferred 355,000 TRB to four different OKX exchange user addresses through seven transactions:

0x274c481bf400c2abfd2b5e648a0056ef34970b0a

0x45798ca76a589647acc21040c50562dcc33cf6bf

0x712d2fd67fe65510c5fad49d5a9181514d94183d

0xe8ec263ad9ee6947bf773837a2c86dff3a737bba

The exit address then transferred the remaining 116,414.93 TRB to a transit address (0xbb217bd37c6bf76c6d9a50fefc21caa8e2f2e82e), which subsequently transferred all TRB in two transactions to two different Binance exchange users:

0x431c916ef45e660dae7cd7184e3226a72fa50c0c

0xe7b1fb77baaa3bba9326af2af3cd5857256519df

BNB Chain

On February 24, Bitforex withdrew 166 ETH, 46,905 USDT, and 57,810 USDC to a BNB Chain address (0xdcacd7eb6692b816b6957f8898c1c4b63d1fc01f), which remains dormant to this day.

Polygon

On February 24, Beijing time, Bitforex transferred 99,000 MATIC, 20,300 USDT, and 1,700 USDC to the POL chain address 0xdcacd7eb6692b816b6957f8898c1c4b63d1fc01f.

Among them, 99,000 MATIC was transferred to address 0xcce7300829f49b8f2e4aee6123b12da64662a8b8 on August 9 and remains there, while the remaining USDT and USDC tokens are also still there.

TRON

On February 24, Bitforex transferred 44,000 TRX and 657,698 USDT to the TRON chain address TQcnqaU4NDTR86eA4FZneeKfJMiQi7i76o. On August 9, all the above tokens were transferred back to the Bitforex user address TGiTEXjqx1C2Y2ywp7gTR8aYGv8rztn9uo.

Bitcoin

Starting on February 24, 16 Bitforex addresses gradually transferred a total of 5.7 BTC to the BTC chain address 3DbbF7yxCR7ni94ANrRkfV12rJoxrmo1o2. On August 9, this address transferred all 5.7 BTC back to the Bitforex exchange address 11dxPFQ8K9pJefffHE4HUwb2aprzLUqxz.

In summary, on February 24, Bitforex transferred 40,771 USDT, 258,700 USDC, 148.01 ETH, and 471,405 TRB to the ETH chain; transferred 44,000 TRX and 657,698 USDT to the TRON chain; transferred 5.7 BTC to the BTC chain; transferred 166 ETH, 46,905 USDT, and 57,810 USDC to the BNB Chain; and transferred 99,000 MATIC, 20,300 USDT, and 1,700 USDC to the Polygon chain. On August 9, all tokens from the BTC chain, all tokens from the TRON chain, and all tokens from the ETH chain except for TRB were transferred back to Bitforex, and on November 9 and 10, all 471,405 TRB were transferred to four OKX accounts and two Binance accounts. At this point, all tokens from the ETH chain, TRON chain, and BTC chain have been fully transferred, with 166 ETH, 46,905 USDT, and 57,810 USDC remaining on BSC, and 99,000 MATIC, 20,300 USDT, and 1,700 USDC remaining on POL.

Attached is a figure of the exchange deposit addresses that received the TRB:

(Figure: TRB deposit addresses at OKX and Binance.)

7. Analysis of the Flow of Stolen Assets

In 2024, approximately $1.312 billion of the stolen funds remained in hacker addresses (including cases where funds were transferred across chains and dispersed to multiple addresses), accounting for 52.20% of the total stolen funds. Compared to last year, hackers this year were more inclined to launder money through multiple cross-chain transfers and disperse stolen funds to many addresses, rather than directly using mixers. The increase in addresses and the complexity of laundering paths undoubtedly increased the difficulty of investigation for project parties and regulatory agencies.

Approximately $531 million of the stolen funds were recovered, accounting for about 21.13%. In 2023, the recovered funds were approximately $295 million.

Throughout the year, about $109 million of the stolen funds were transferred to mixers, accounting for about 4.34% of the total stolen funds. Since the U.S. OFAC sanctioned Tornado Cash in August 2022, the amount of stolen funds transferred to Tornado Cash has significantly decreased.

8. Analysis of Project Audit Status

Among the 131 attack incidents, 42 incidents involved projects that had not undergone audits, 78 incidents involved projects that had been audited, and the audit status of 11 incidents could not be confirmed.

Among the 42 projects that had not been audited, contract vulnerability incidents accounted for 30 (approximately 71.43%). This indicates that projects without audits are more likely to have potential security risks. In contrast, among the 78 audited projects, contract vulnerability incidents accounted for 49 (approximately 62.82%). This shows that audits can improve project security to some extent.

However, due to the lack of comprehensive regulatory standards in the Web3 market, the quality of audits varies significantly, and the results presented are far from expected. To effectively ensure asset security, it is recommended that projects seek professional security companies for audits before going live.

9. Rug Pull Analysis

In 2024, the Beosin Alert platform monitored a total of 68 major Rug Pull incidents in the Web3 ecosystem, involving a total amount of approximately $148 million, a significant decrease from $388 million in 2023.

In terms of amount, among the 68 Rug Pull incidents, there were 9 projects involving amounts over one million dollars, namely Essence Finance ($20 million), Shido Global ($2.4 million), ETHTrustFund ($2.2 million), Nexera ($1.8 million), Grand Base ($1.7 million), SAGA Token ($1.6 million), OrdiZK ($1.4 million), MangoFarmSOL ($1.29 million), and RiskOnBlast ($1.25 million), with a total loss amount of $33.64 million, accounting for 22.73% of all Rug Pull incident losses.

Rug Pull projects on Ethereum and BNB Chain accounted for 82.35% of the total number, with 24 and 32 incidents respectively, and one Rug Pull exceeding $20 million occurred on Scroll. Other public chains experienced a small number of Rug Pull incidents, including Polygon, BASE, and Solana.

10. Summary of the 2024 Web3 Blockchain Security Situation

In 2024, the number of on-chain hacker attacks and project Rug Pull incidents significantly decreased compared to 2023, but the loss amounts are still increasing, and phishing attacks have become more rampant. The highest loss attack method remains private key leakage. The main reasons for this shift include:

After the rampant hacker activity of last year, the entire Web3 ecosystem placed greater emphasis on security this year. Project parties and security companies made efforts in several areas, such as real-time on-chain monitoring, increased focus on security audits, and actively learning from past contract vulnerability incidents, which made it harder for hackers to steal funds through contract vulnerabilities than last year. However, project parties still need to strengthen their security awareness regarding private key management and project operational security.

As the crypto market merges with traditional markets, hackers are no longer limited to attacking DeFi, cross-chain bridges, and exchanges, but are turning to attack payment platforms, gambling platforms, crypto brokers, infrastructure, password managers, development tools, MEV bots, TG bots, and various other targets.

In 2024-2025, the crypto market is entering a bull market, with active on-chain funds, which will attract more hacker attacks to some extent. Additionally, regulatory policies targeting crypto assets are gradually improving to combat various criminal activities using crypto assets. In this trend, it is expected that hacker attack activities will remain high in 2025, and global law enforcement agencies and regulatory bodies will continue to face severe challenges.

Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If any article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will verify it.
