CEXs Are Under Threat? Q2 2024 De.Fi Hacks a Report Analysis

During Q2 of 2024, we noticed a significant increase in crypto losses caused by hacks and scams – the total was $430,118,000, which is much higher than what we observed during this period last year (a loss of $204,308,280). In today’s instalment of the De.Fi Rekt Reports, we look at trends seen over the quarter significant events that occurred throughout this time frame. Comparisons to what was observed last year are also highlighted before we go into the top 10 largest losses.

Analysis of Loss Trends

Year-on-Year Comparison

When we look at Q2 2024 and compare it to Q2 2023, we see that the amount of funds lost has increased significantly – more than doubling from last year. This shows an upward trend in how often and how severe attacks are becoming. There has been a small improvement in trying to claw back these funds as well: $22,300,000 was recovered during Q2 2024 compared with $4,500,189 during Q2 2023. However even though this marks an increase in recovering stolen funds, the fraction of assets returned stays quite small, which highlights how hard it can be to get stolen crypto-assets back.

Monthly Breakdown

– April 2024: $27,796,000 lost, $0 recovered

– May 2024: $353,893,000 lost, $22,300,000 recovered

– June 2024: $48,729,000 lost, $0 recovered

In the month of April 2024, we observed a much lower loss when compared to the outlier amount lost in May – the reason for this big spike in May was mainly because of a few major incidents like the DMM Bitcoin exploit, among others, for June there was a comparatively moderate level of losses at $48,729,000, but no recoveries recorded yet.

Analysis by Blockchain

As in previous quarters, Ethereum is still the blockchain that gets targeted most. There have been 13 incidents on this chain, which have resulted in losses of $5,384,500. This large number of attacks shows how important Ethereum is as a central part of the DeFi ecosystem – it’s attractive for hackers because many people use it frequently and widely, and it is by far and away the chain with the highest total value locked. Likewise, Binance Smart Chain comes next with 11 incidents, causing a loss worth $3,310,000. The attractiveness of BSC stems from its lower fees per transaction and faster transaction speeds when compared to Ethereum

Moving to the non-EVM side of the house: Solana, despite having fewer incidents, saw three attacks resulting in $1,423,000 lost. Solana’s high throughput and low fees make it an attractive platform for developers, but these same features also draw attackers looking to exploit its vulnerabilities – the Base network experienced two incidents with a total loss of $2,050,000, highlighting the risks associated with newer or emerging blockchain networks as they continue to develop and expand their user bases; finally, Arbitrum, a layer-2 solution for Ethereum, reported one incident with $300,000 lost – this incident indicates that even solutions designed to enhance scalability and efficiency are not immune to security breaches. 

Overall, the distribution of incidents across these blockchains demonstrates that the most popular and widely used platforms remain prime targets for malicious actors due to their extensive use and large user bases.

Types of Exploits

Exploits in Q2 took many different forms; for starters, Rug pulls, and other unclassified exploit types were particularly prevalent in Q2 2024 – there were a total of 6 incidents resulting in $3,158,000 lost to rug pulls alone. Rug pulls involve developers or insiders withdrawing a project’s liquidity, effectively stealing investors’ funds and leaving them with worthless tokens – this type of exploit not only results in direct financial losses but also severely undermines trust in DeFi apps. Unclassified types of exploits accounted for $3,859,500 across seven incidents, indicating a wider range of vulnerabilities that attackers are seeking to exploit, moving beyond methods that have been previously well-documented.

Access control breaches led to $3,100,000 lost in 2 incidents – the fact that we still have access control issues leading to financial losses today highlights the importance of end-to-end security, whether it be at the Web3 layer, or the Web2 front end – these breaches happen when unauthorized individuals are able to get their hands on access credentials like passwords or private keys, gaining access to investor assets. 

Third on the list would be flash loan attacks – these account for $2,350,000 lost across two incidents. Such attacks involve the manipulation of DeFi lending protocol features, which allow users to take out a large loan, use that loan to manipulate the prices of a token, profit from the trade, and then repay the loan within a single block – these attacks exploit a long-standing feature of DeFi protocols like Aave and Compound for uncollateralised, single-transaction loans, demonstrating that features can prove to have unintended consequences.

Top 10 Exploits in Q2 2024

Losses in Q2 2024 were concentrated among a few large incidents – the top 10 exploits made up around 95% of all losses this quarter. With that being said, let’s have a look at some of these incidents.

1. DMM Bitcoin ($300,000,000) – Access Control – BTC

In May 2024 DMM Bitcoin, a centralized cryptocurrency exchange, faced a security breach resulting in a loss of $300 million – this incident marks the largest blockchain hack since December 2022. It was initially identified through a massive transfer of 4502.9 BTC. Stolen Bitcoin was quickly dispersed across multiple addresses, confirming the theft. DMM Bitcoin has since been working to secure its deposits and investigate the breach. Potential causes include exposed private keys, compromised signing processes, or address poisoning. Despite the significant loss the exact method of the hack remains undetermined.

2. Gala Games ($22,300,000) – Access Control – ETH

On May 20, Gala Games suffered a security incident. A hacker was able to exploit an access control vulnerability in the GALA token contract – the attacker gained control of an admin address allowing them to mint 5 billion GALA tokens. This incurred a loss of $22.3 million – following this the hacker sold a portion of the tokens on decentralized exchanges, causing the token’s price to drop by 20%. Gala Games responded by activating their blocklist function to freeze the rogue wallet and prevent further damage.

3. Lykke CEX ($22,000,000) – Other – CEX

Lykke, a centralized cryptocurrency exchange based in Switzerland, halted withdrawals following a security breach on June 4, 2024, which resulted in the loss of over $22 million in crypto assets – the Lykke team acknowledged the incident publicly on June 10, assuring users that their funds were safe and would be recovered. 

4. Sonne Lending ($20,000,000) – Other – Optimism

Sonne Finance on Optimism was exploited on May 14, 2024 resulting in a $20 million loss – the attacker leveraged a known vulnerability in Compound v2 forks to execute multiple transactions, exploiting the protocol. Despite previous precautions the recent proposal to add VELO markets introduced a new vulnerability – the attacker added a collateral factor to the markets and used a rounding error to drain the soUSDC and soWETH markets. 

5. Holograph ($14,400,000) – Other – ETH

In June 2024, the NFT protocol Holograph suffered a $14.4 million hack when a former developer exploited a vulnerability in the smart contract to mint 1 billion HLG tokens – the attacker bypassed access controls and bridged tokens to the Ethereum mainnet. Then they proceeded in dumping them and causing an 80% drop in the token’s value. Exchanges froze a significant portion of the minted tokens, but not before losses were incurred.

6. Rain Exchange ($14,000,000) – Other – CEX

On April 29, 2024, Rain Exchange experienced a significant exploit, resulting in the loss of $14 million – the stolen funds, including BTC, ETH, SOL and XRP, were quickly transferred to instant exchanges and swapped for BTC and ETH.

7. Velocore ($6,800,000) – Other – zkSync

On June 2, 2024, Velocore, a DEX on zkSync, was targeted in an exploit, ending in a $6.8 million loss – the breach was due to vulnerabilities in the Balancer-style CPMM pool contract, including faulty logic in the velocore__execute() function – the attacker exploited these vulnerabilities, before proceeding and bridging the stolen funds through Across Bridge and redepositing them into Tornado Cash. 

8. ALEXLabBTC ($4,300,000) – Access Control – BSC

ALEXLabBTC on Binance Smart Chain was exploited on May 14, 2024, resulting in a $4.3 million loss – the attacker executed upgrades on a proxy contract linked to ALEXLabBTC and withdrew funds via compromised private keys obtained through phishing. The XLink team paused smart contracts and the bridge and most of the stolen funds were later recovered with the help of a whitehat hacker. 

9. Sportsbet.io ($3,500,000) – Access Control – TRON

On June 21, 2024, Sportsbet.io, an online crypto sports betting platform, was hacked, resulting in a $3.5 million loss in USDT and TRX tokens. Crypto investigator zachxbt linked the theft to the same attacker responsible for a recent $55 million heist from BtcTurk exchange – this incident highlights the persistent risks to centralized platforms and the necessity for robust security measures to protect digital assets.

10. CoinStats ($2,000,000) – Phishing – Other

On June 22, 2024, cryptocurrency portfolio manager CoinStats was hacked, with these events resulting in the theft of over $2 million from 1,590 wallets – the attack involved phishing messages directing users to a malicious phishing website. CoinStats shut down its application to mitigate the attack and advised users with affected wallets move their funds immediately – the incident, linked to the North Korean Lazarus Group, drives home the point that phishing attacks remain abound and the importance of user education and robust security practices in the crypto space cannot be understated.

Closing Thoughts

The increasing losses seen from Q2 2023 to Q2 2024, combined with the variety of attack vectors, highlight how threats in the crypto world are becoming more and more sophisticated. Even though recovery attempts have gotten better, it is still important for DeFi community to concentrate on security actions like audits and teaching users about risks. To protect the Web3 system from harmful people who can cause damage, it’s crucial that we are more watchful and take active steps like using Web3 antivirus platforms such as De.Fi.