Author of this chapter: Eaton from Beosin research team
According to Beosin Alert monitoring and early warning, the total losses caused by hacker attacks, phishing scams and project party Rug Pull in the Web3 field in Q3 2024 reached 730 million US dollars. Among them, there were 23 major attack incidents with a total loss of about 430 million US dollars; there were 3 project party Rug Pull incidents with a total loss of about 4.24 million US dollars; the total loss of phishing scams was about 295 million US dollars.
The losses caused by phishing in Q3 2024 increased significantly, and the attacks and Rug Pull continued to decline compared with the first half of the year.
From the perspective of the types of projects attacked, the project type with the highest loss is CEX. The three attacks on CEX caused a total loss of about US$297 million, accounting for about 40.6% of all attack losses.
From the perspective of the amount of losses on each chain, Ethereum is still the chain with the highest amount of losses and the most attacks. 21 attacks and phishing incidents on Ethereum caused a loss of US$348 million, accounting for about 47.6% of the total losses.
From the perspective of attack methods, there were 5 private key leaks in Q3, causing losses of US$305 million, accounting for about 41.7% of the total attack losses, which is the highest proportion of attack types.
From the perspective of capital flow, only about US$16.9 million of stolen funds were frozen or recovered. The vast majority (about 78.9%) of the stolen funds are still stored in the attacker's on-chain address. From the audit situation, the proportion of audited projects has increased among the attacked projects. 2. Types of attacked projects CEX is the type of project with the highest loss In Q3 2024, the type of project with the highest loss was CEX. Three attacks on CEX caused a total loss of approximately US$297 million, accounting for 40.6% of all attack losses. Although there are not many CEX security incidents, the amount of money stolen each time is huge, highlighting that the security situation of the current exchange ecosystem is not optimistic. The second type of victim with the highest loss is the user wallet. Eight phishing and social engineering attacks on user wallets caused losses of approximately US$295 million to ordinary users, accounting for approximately 40.3%. Compared with the first half of 2024, the attacks on ordinary users and the losses caused in Q3 have increased significantly.
Of the 23 hacker attacks, a total of 12 incidents occurred in the DeFi field, accounting for approximately 52.1%, which is the project type with the most attacks. These 12 DeFi attacks caused a total loss of more than US$45.6 million, ranking fourth among all project types.
Other types of projects attacked include: infrastructure, tokens, etc. Among them, the amount of losses caused by attacks on public chains and cross-chain bridges reached US$85 million, ranking third among all project types.
Ethereum is the chain with the highest loss amount and the most attack incidentsSimilar to the first half of 2024, in Q3, Ethereum is still the public chain with the highest loss amount. 21 attacks and phishing incidents on Ethereum caused a loss of 348 million US dollars, accounting for 47.6% of the total loss.
The second public chain in terms of loss amount is BTC, with a total loss of 238 million US dollars, accounting for about 32.5% of the total loss. The BTC loss amount came from a social engineering attack against a whale address.
The third largest public chain in terms of loss is Luna (US$65 million). The attacker exploited the reentrancy vulnerability in the ibc-hooks timeout callback to attack Luna.
Ranked by the number of security incidents, the top two are Ethereum (21 times) and BNB Chain (4 times). The number of security incidents in each chain ecosystem has decreased compared with the first half of the year.
About 41.7% of the loss amount came from private key leakage incidents
In Q3 2024, a total of 5 private key leakage incidents occurred, causing losses of US$305 million, accounting for about 41.7% of the total attack losses. As in the first half of the year, the losses caused by private key leakage incidents are still the first among all attack types. The private key leakage incidents that caused large losses are: WazirX (US$230 million), BingX (US$45 million), and Indodax (US$22 million).
The second most common attack method in terms of loss is social engineering attack, with one social engineering attack causing a loss of $238 million.
Of the 23 attacks, 18 were from contract vulnerability exploits, accounting for about 78%. The total loss from contract vulnerability exploits reached $128 million, ranking third.
By breaking down the vulnerabilities, the top three vulnerabilities causing losses are: reentrancy vulnerability (93.46 million USD), business logic vulnerability (about $2.09 million USD), and verification vulnerability (10.01 million USD). The vulnerability with the highest number of occurrences is the business logic vulnerability, with 7 of the 18 contract vulnerability attacks being business logic vulnerabilities.
On July 16, Beosin Alert monitoring and early warning found that the cross-chain protocol LI.FI was attacked. The attacker used the call injection vulnerability in the project contract to steal the assets of users authorized to the contract.
The LI.FI project contract has a depositToGasZipERC20 function that can convert the specified token into platform currency and deposit it into the GasZip contract. However, the code in the exchange logic does not restrict the data of the call call, which allows the attacker to use this function to perform a call injection attack and extract the assets of the contract-authorized user.
In addition to the call injection contract vulnerability, there is another point worth noting in this incident, that is, the configuration problem of the Facet contract in Diamond mode. Further analysis found that the GasZipFacet contract was deployed 5 days before the attack, and was registered in the LI.FI main contract by the project's multi-signature administrator more than ten hours before the attack.
Therefore, through this incident, it can be found that for upgradeable models such as Diamond, the security of new functional contracts also needs to be highly valued.
Beosin Trace tracked the stolen funds and found that the loss amount included 6.3359 million USDT, 3.1919 million USDC, and 169,500 DAI, about 10 million US dollars.
Beosin Trace: Flow of stolen funds
On July 18, according to Beosin Alert monitoring and early warning, it was discovered that the Indian exchange WazirX was attacked. The attacker obtained the signature data of the exchange's multi-signature wallet administrator, modified the wallet's logical contract, and made the wallet execute incorrect logic to steal assets, involving more than $230 million.
Beosin Trace tracks the stolen funds, and the flow chart of the stolen funds shows that the hacker has transferred part of the funds to Changenow and Binance exchanges, of which 0xf92949ab576ac2f8dc9e4650e73db083f1f9cd9f is the hacker's deposit address on Binance.
Beosin Trace: Flow chart of stolen funds
On the other hand, the hacker transferred 801 billion SHIBs to the address 0x35fe...745CA, worth up to 14.02 million US dollars, and sold them in batches.
According to the analysis of Beosin KYT anti-money laundering platform, only $16.9 million of the stolen funds in Q3 2024 were frozen or recovered. This proportion has dropped significantly compared with the first half of the year.
About $577 million (about 78.9%) of the stolen funds are still retained in the hacker's address. As global regulators increase their anti-money laundering efforts, it has become more difficult for hackers to launder stolen funds, so a considerable number of hackers choose to temporarily keep the stolen funds in the on-chain address.
About $102 million of stolen funds were transferred to various exchanges, accounting for about 13.9%, which is higher than the first half of 2024.
A total of $34.713 million (5.4%) were transferred to the mixer. Compared with the first half of the year, the stolen funds cleaned by the mixer in Q3 2024 have decreased again significantly.
The proportion of audited projects has increased
In Q3 2024, among the 23 attack incidents, 4 of the project parties were not audited, and 16 of the project parties were audited. The proportion of audited projects is higher than in the first half of the year, which shows that the entire Web3 industry project parties have increased their attention to security.
Of the 4 unaudited projects, contract vulnerability incidents accounted for 3 (75%). Of the 16 audited projects, contract vulnerability incidents accounted for 11 (68.75%). The overall proportion of the two is roughly the same. Compared with the first half of the year, the overall security audit quality in 2024 has declined.
Compared with the same period in 2023, the total losses caused by hacker attacks, phishing scams, and project party Rug Pull in Q3 2024 decreased slightly to US$730 million (the figure was US$889 million in Q3 2023). Factors such as the decline in coin prices in Q3 2024 have a certain impact on the reduction in the total amount, but overall, the situation in the field of Web3 security is still not optimistic.
As in the first half of the year, the most harmful attack type in Q3 2024 is still private key leakage. About 41.7% of the loss amount comes from private key leakage incidents. From the perspective of project type, private key leakage incidents are spread across all areas of Web3: game platforms, token contracts, personal wallets, infrastructure, exchanges, etc. All Web3 project parties/individual users need to be vigilant, store private keys offline, use multi-signatures, use third-party services with caution, and conduct regular security training for privileged employees.
Only 5.4% of the stolen assets were transferred to various mixers in Q3, and another 78.9% of the assets were still retained in the hacker's address, which further illustrates the increasing difficulty for hackers to launder stolen funds.
In Q3, 13.9% of the stolen funds were still transferred to various exchanges, which requires exchanges to identify hacker behavior in a timely manner and actively cooperate with law enforcement agencies and project parties to freeze funds and conduct evidence collection. At present, the cooperation between exchanges and law enforcement agencies, project parties, and security teams has achieved relatively obvious results. I believe that more stolen funds will be recovered in the future.
Of the 23 attacks in Q3, 18 were still from contract vulnerability exploits. It is recommended that project parties seek audits from professional security companies before going online.
In a bid to rally support from crypto enthusiasts, Trump has criticized President Biden, insinuating a lack of comprehension and backing for the industry.
CatherineThe U.S. House passed a resolution supporting digital asset innovation, but Biden's intent to veto it has sparked anger in the crypto community, highlighting ongoing regulatory uncertainties. Meanwhile, Trump's sudden pro-crypto stance amid legal battles has polarized opinions, leading to a surge in meme coin values associated with him and Biden.
WeatherlyBesides raising red flags on the stability of the stablecoin market, Deutsche Bank's research analysts expressed particular concern about Tether's prominent position in the stablecoin market, highlighting issues such as speculation and a perceived lack of transparency.
KikyoToncoin (TON) has surged in value due to the upcoming launch of Notcoin (NOT) on 16 May, supported by major exchanges like OKX, Bybit, and Binance, signaling significant excitement in the crypto community. With institutional investment, partnerships, and integration with popular platforms like Telegram, Toncoin's potential for further growth in the Web3 space is promising.
JoyBloomberg reveals that concerns over inflation and uncertainty have led to decreased trading volumes on cryptocurrency exchanges, causing Bitcoin, ETH, SOL, XRP, and SHIB prices to plummet.
AlexA dormant Bitcoin whale awakened after 10 years, releasing 500 Bitcoins, causing the price to fluctuate sharply, dropping below $61,000.
MiyukiBounceBit introduces airdrop checking, warns against phishing, and enhances Bitcoin value through CeFi and DeFi frameworks, providing secure, diversified yield opportunities for BTC holders.
WeiliangIn his first interview since entering prison, America’s most famous prisoner, SBF lamented on his diet of rice and beans, while maintaining his innocence and playing the blame game.
CatherineTrump's shift to support cryptocurrencies is reshaping political dynamics, potentially influencing the upcoming election and boosting the value of pro-Trump memecoins. Robert F. Kennedy Jr.'s pro-crypto stance offers an alternative vision, emphasising regulatory clarity and innovation in the industry's future.
AnaisRobert Kiyosaki warns of US dollar hyperinflation and advises investing in gold, silver, and Bitcoin as BRICS nations consider launching a gold-backed cryptocurrency.
Alex