
De.Fi REKT Report: November 2024 — Over $69 Million Lost in Crypto Exploits


Despite the current bull run and Bitcoin getting past the $100k mark, November 2024 was a quiet month for losses in both DeFi and the wider crypto ecosystem compared to the same period last year. Against the $400,743,638 lost to thefts in November 2023, November 2024 came in at a comparatively modest $69,770,000 across 11 incidents. Recoveries improved markedly: about $25,000,000 of stolen funds were recovered, compared to only $264,000 in November 2023. November's losses were driven by a mix of oracle manipulation, access control failures, rug pulls, and flash loan exploitation, again confirming that protocol-level vulnerabilities remain a leading vector for draining a protocol's treasury.

Month-on-Month Comparison

Total losses in November 2024 stand at $69,770,000, a significant drop from the $94,417,000 recorded in October and a 26% month-on-month decrease. That does not necessarily mean the ecosystem is any safer. The nature of the exploits and the projects targeted point to a tactical shift by attackers: from high-profile, large-scale breaches in October to a mix of opportunistic attacks and targeted exploits in November.

October's losses were driven by major access control breaches and cross-chain exploits against high-profile protocols with large user bases and deep liquidity. Radiant Capital lost $58,000,000 and Essence Finance lost $20,000,000, illustrating the scale of those incidents. These attacks were sophisticated and targeted weaknesses in widely used protocols.

In contrast, November's losses were more dispersed, with incidents targeting smaller protocols and platforms. The largest loss, $25,000,000, came from an exploit of Thala Labs on the Aptos blockchain, followed by $13,000,000 lost at DEXX and a $10,000,000 rug pull by Gifto on Binance Smart Chain. While these incidents were large, the attacks themselves were less complex: they exploited weaknesses in oracle systems, access controls, and flash loan mechanisms. This fragmentation of losses across chains and platforms suggests that attackers are diversifying targets away from larger, high-profile protocols toward newer, less hardened environments.

Analysis of Exploit Trends in November 2024

November 2024 saw a total of $69.77 million lost across 11 incidents, a significant decrease from the $400.74 million lost in November 2023. The reduction reflects a shift in the types of exploits and the platforms targeted. While $25 million of the stolen funds were recovered this month, the losses point to persistent vulnerabilities, particularly in lending protocols, token projects, and decentralized exchanges (DEXs).

Oracle manipulation was responsible for $8.7 million, primarily due to the Polter Finance exploit, making it a major contributor this month. 

Other significant losses stemmed from rug pulls ($10 million) and access control issues, which accounted for $7.7 million across three incidents. Exploits categorized as “other” caused the largest losses, totaling $42.95 million, driven by high-profile cases like the Thala Labs breach ($25 million) and the DEXX exploit ($13 million). 

Flash loan attacks contributed $420,000, and centralized exchanges (CEXs) faced losses of $1.7 million, marking their continued vulnerability despite increased scrutiny.

Incidents this month were heavily concentrated in DEXs and gaming platforms. DEX exploits, led by Thala Labs and DEXX, accounted for $38 million, making this category the most affected. Gaming platforms like Metawin and Coin Poker contributed $16 million, underscoring the ongoing risk in entertainment-focused blockchain applications. Lending protocols were also significant targets, with Polter Finance and Delta Prime collectively losing $9.15 million, or roughly 13% of the total.

Breakdown of Funds Lost by Chain

  • Aptos: 1 incident, $25,000,000
  • Ethereum/Solana: 2 incidents, $17,000,000
  • Fantom: 1 incident, $8,700,000
  • Binance Smart Chain (BSC): 3 incidents, $12,420,000
  • Arbitrum/Avalanche: 1 incident, $4,500,000
  • Ethereum: 1 incident, $450,000
  • Centralized Exchanges (CEXs): 1 incident, $1,700,000

The Aptos blockchain saw the largest individual loss due to the single Thala Labs exploit, while Ethereum/Solana collectively accounted for substantial losses stemming from the DEXX and Metawin breaches. Binance Smart Chain experienced the highest number of incidents (three), including the Gifto rug pull and two flash loan attacks, collectively contributing over $12.4 million.

Top Incidents in November 2024

1. Thala Labs Exploit — $25,000,000 Lost

On November 16, 2024, Thala Labs, a major DeFi platform on the Aptos blockchain, fell victim to a critical vulnerability in one of its v1 farming contracts, resulting in $25.5 million in losses. The exploit stemmed from the protocol's failure to validate withdrawal requests for staked assets: the contract did not check whether a user's unstaking request exceeded their remaining staked balance, leaving an obvious loophole for attackers.

The attacker began by depositing liquidity into a vulnerable pool and receiving THALA-LP tokens in return. They then staked and unstaked these tokens, leaving the contract recognizing them as a staker while no longer tracking an accurate staked balance. Leveraging this discrepancy, the attacker submitted unstaking requests for far more THALA-LP tokens than they had ever staked, swapped the proceeds into lzUSDC, and drained $25.5 million.
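To make the missing check concrete, here is an added example written for this report (not Thala Labs' Move code): a small Python model of a farming ledger with the unbounded unstake request described above, beside the bounded version. The `Farm` class, its method names, the victim's 1,000 LP tokens and the attacker's single LP token are all assumptions for illustration.

```python
"""Added example, not Thala Labs' Move code: a farming ledger with the
unbounded unstake request the write-up describes, beside the bounded version.

`Farm`, its method names, the victim's 1,000 LP tokens and the attacker's
single LP token are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Farm:
    check_balance: bool                           # False reproduces the bug
    pool_lp: int = 0                              # LP tokens the farm holds in total
    wallet: dict = field(default_factory=dict)    # liquid LP per address
    staked: dict = field(default_factory=dict)    # LP locked in the farm per address
    is_staker: dict = field(default_factory=dict)

    def deposit_liquidity(self, who: str, amount: int) -> None:
        """Adding liquidity mints LP tokens to `who` (pool mechanics elided)."""
        self.wallet[who] = self.wallet.get(who, 0) + amount

    def stake(self, who: str, amount: int) -> None:
        if self.wallet.get(who, 0) < amount:
            raise ValueError("not enough LP to stake")
        self.wallet[who] -= amount
        self.staked[who] = self.staked.get(who, 0) + amount
        self.pool_lp += amount
        self.is_staker[who] = True                # the flag is never cleared

    def request_unstake(self, who: str, amount: int) -> None:
        if not self.is_staker.get(who):
            raise PermissionError("not a staker")
        if self.check_balance and amount > self.staked.get(who, 0):
            raise ValueError("unstake request exceeds staked balance")
        # Bug path: only the staker flag was consulted, so `amount` is unbounded
        # and the farm pays the request out of every other user's stake.
        self.staked[who] = self.staked.get(who, 0) - amount
        self.pool_lp -= amount
        self.wallet[who] = self.wallet.get(who, 0) + amount

    def invariant_holds(self) -> bool:
        """No negative stake, and the farm holds exactly the sum of all stakes."""
        return (all(v >= 0 for v in self.staked.values())
                and sum(self.staked.values()) == self.pool_lp)


def run_attack(check_balance: bool) -> tuple:
    """Replay the sequence from the write-up; returns (attacker LP, farm LP, invariant)."""
    farm = Farm(check_balance=check_balance)
    farm.deposit_liquidity("victim", 1_000)
    farm.stake("victim", 1_000)
    farm.deposit_liquidity("attacker", 1)
    farm.stake("attacker", 1)
    farm.request_unstake("attacker", 1)          # legitimate; attacker stays flagged
    try:
        farm.request_unstake("attacker", farm.pool_lp)   # claim everyone else's LP
    except ValueError:
        pass                                       # bounded version rejects it
    return farm.wallet["attacker"], farm.pool_lp, farm.invariant_holds()
```

`run_attack(False)` ends with the attacker holding 1,001 LP tokens, the farm empty and the invariant broken; `run_attack(True)` shows the oversized request rejected with the victim's stake intact. The `invariant_holds` check is the kind of assertion a test suite, or an on-chain sanity check, should enforce after every state transition, since the bug here is precisely a state transition that nothing bounded.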

Thala Labs acted quickly, freezing roughly half of the stolen funds, which the team attributed to properties of the Move programming language that allowed swift intervention. Subsequent negotiations led the attacker to return the remaining assets in exchange for a $300,000 white-hat bounty. Although the funds were recovered, the incident highlights the importance of comprehensive audits before shipping new code. Additionally, the ease with which Move-based contracts can be decompiled raises concerns about how readily vulnerabilities in Move-based protocols can be found and exploited.

2. DEXX Exploit — $13,000,000 Lost

On November 16, 2024, DEXX, a memecoin trading platform operating on the Ethereum and Solana blockchains, suffered a $13 million breach caused by a private key leak. The keys securing user wallets were exposed, granting the attacker access to thousands of Solana-based addresses and enabling them to siphon off millions in user funds.

The attack was first detected when users began reporting unauthorized withdrawals from their wallets. Blockchain analysis revealed that the incident affected over 8,600 Solana addresses and at least 900 users. While most victims lost smaller amounts, one individual reported a loss of $1 million. The attacker systematically transferred assets to external wallets, taking advantage of volatile meme token prices to maximize their gains.

In response, DEXX issued a public statement acknowledging the breach and its severity. Unlike Thala Labs, however, which negotiated the return of stolen assets, DEXX has yet to make significant progress in recovering the funds. Efforts to freeze the assets were unsuccessful, and the attacker has continued to move the funds through mixers such as Tornado Cash.

The incident has exacerbated concerns surrounding Solana wallet security, particularly in light of similar breaches earlier this year. 

3. Gifto Rug Pull — $10,000,000 Lost

On November 26, 2024, the team behind Gifto, a token on Binance Smart Chain (BSC), executed a rug pull that led to losses of $10 million. The incident coincided with Binance's announcement that it would delist the GFT/USDT trading pair by December 10, 2024, triggering panic among investors. While the delisting news alone caused a 25% price drop, the situation escalated when the Gifto team minted 1.2 billion new GFT tokens over an eight-hour period and dumped them on the market.

The mass token minting and subsequent sell-off resulted in a 40% crash in GFT’s market value, wiping out investor holdings. Web3 analytics firm Lookonchain tracked the minting activity and confirmed that the Gifto team deposited the tokens directly into major exchanges, including Binance. This deliberate action led many to accuse the team of using the delisting as an exit strategy, with investors bearing the brunt of the losses.

Critics pointed to the centralized nature of Gifto’s token management as a root cause, highlighting the risks of project teams retaining unchecked control over token supply. Binance’s regular review process for delisting underperforming tokens was aimed at maintaining market integrity, but it also exposed the fragility of smaller projects reliant on centralized exchanges for liquidity. The Gifto incident has prompted renewed calls for decentralized alternatives and greater transparency in token governance.

For GFT holders, the future remains bleak as the combination of Binance’s delisting and the team’s actions have shattered market confidence. Retail investors, often slow to react, were left holding the bag as the token’s price collapsed.

4. Polter Finance Oracle Exploit — $8,700,000 Lost

On November 16, 2024, Polter Finance, a DeFi lending platform on the Fantom network, fell victim to an exploit that cost it approximately $8.7 million. The attack targeted the protocol's price feeds: its AaveOracle contract sourced prices through a ChainlinkUniV2Adapter that read spot prices straight from a Uniswap V2-style pair's reserves without sufficient validation. Using flash loans drawn from SpookySwap's liquidity pools, the attacker manipulated the BOO token's price, artificially inflating its value.

This manipulation caused a single BOO token, normally worth a few dollars, to be valued at a staggering $1.37 trillion, enabling the attacker to post it as collateral and drain the lending pool. The attacker exploited multiple deficiencies in the contract logic, notably in functions such as _fetchPrice and getRoundData, which lacked safeguards against extreme price movements. Over several transactions they borrowed large amounts of wFTM, ultimately draining 9,134,844 wFTM from Polter's pools. Recovery attempts included public messages to the attacker and police reports. The incident exposed critical gaps in Polter Finance's price validation and its reliance on a manipulable oracle, raising concerns about the security of similar platforms.
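The mechanics of a spot-price oracle read from live reserves, and why a flash loan breaks it, are easier to see in numbers. The following is an added example written for this report, not Polter Finance's or SpookySwap's code: a constant-product pair feeding a lending pool's oracle, the in-transaction reserve manipulation, and a guarded oracle with the deviation bound and liquidity floor the adapter lacked. The `Pair`, `GuardedOracle` and `max_borrow` names, the reserves, the 80% loan-to-value ratio, the 10% deviation limit, the liquidity floor and the 9,000,000 wFTM pool size are all assumptions.

```python
"""Added example, not Polter Finance's or SpookySwap's code: a constant-product
pair whose live reserves feed a lending oracle, the flash-loan manipulation the
write-up describes, and a guarded oracle that refuses the manipulated read.

The reserves, the 80% loan-to-value ratio, the 10% deviation limit, the
liquidity floor and the 9,000,000 wFTM pool size are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Pair:
    """Uniswap V2-style pool; reserve_base * reserve_quote stays constant on swaps."""
    reserve_base: float     # BOO
    reserve_quote: float    # wFTM

    def spot_price(self) -> float:
        """wFTM per BOO read straight from live reserves, which is what a
        spot-reading adapter like the one described above returns."""
        return self.reserve_quote / self.reserve_base

    def flash_borrow(self, amount_base: float) -> None:
        """Flash-loan BOO out of the pool; until it is repaid later in the same
        transaction the pool simply holds less BOO."""
        if amount_base >= self.reserve_base:
            raise ValueError("cannot borrow the entire reserve")
        self.reserve_base -= amount_base

    def flash_repay(self, amount_base: float) -> None:
        self.reserve_base += amount_base


@dataclass
class GuardedOracle:
    """The two checks the spot adapter lacked: a bound on deviation from an
    independent reference (a Chainlink feed or a TWAP) and a liquidity floor."""
    reference_price: float
    max_deviation: float = 0.10
    min_reserve_base: float = 100_000.0

    def price(self, pair: Pair) -> float:
        if pair.reserve_base < self.min_reserve_base:
            raise RuntimeError("reserve too thin for a trustworthy spot price")
        spot = pair.spot_price()
        deviation = abs(spot - self.reference_price) / self.reference_price
        if deviation > self.max_deviation:
            raise RuntimeError(f"spot {spot:.2f} deviates {deviation:.0%} from reference")
        return spot


def max_borrow(collateral_base: float, price: float, ltv: float = 0.8) -> float:
    """wFTM a lending pool would lend against `collateral_base` BOO at `price`."""
    return collateral_base * price * ltv


def run_attack(use_guard: bool) -> float:
    """Return the wFTM an attacker holding 10 BOO of collateral can borrow in one
    transaction, pricing the collateral with or without the guard."""
    pair = Pair(reserve_base=1_000_000.0, reserve_quote=2_000_000.0)  # 2 wFTM per BOO
    oracle = GuardedOracle(reference_price=pair.spot_price())
    lending_pool_wftm = 9_000_000.0
    collateral_boo = 10.0            # honest borrowing power: 10 * 2 * 0.8 = 16 wFTM

    pair.flash_borrow(999_999.0)     # leaves 1 BOO in the pair: spot = 2,000,000 wFTM
    try:
        price = oracle.price(pair) if use_guard else pair.spot_price()
        borrowed = min(max_borrow(collateral_boo, price), lending_pool_wftm)
    except RuntimeError:
        borrowed = 0.0
    pair.flash_repay(999_999.0)      # repay the flash loan; the borrowed wFTM is kept
    return borrowed
```

In the unguarded run a 10 BOO deposit, worth about 16 wFTM of borrowing power at the true price, empties the whole 9,000,000 wFTM pool; the guarded oracle refuses to price the pair at all once its BOO reserve has been drained. A time-weighted average price (TWAP) read from the pair's cumulative price accumulators is the other standard defence, since a manipulation that exists only within one transaction has no duration to contribute to the average.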

5. Delta Prime Breach — $4,500,000 Lost

On November 11, 2024, Delta Prime, a DeFi protocol operating on both Arbitrum and Avalanche, suffered an exploit that led to a loss of approximately $4.5 million. The breach stemmed from weaknesses in two functions: swapDebtParaSwap and claimReward. In the first, the attacker used 59.9 ETH as collateral to borrow 1.18 WBTC and bypassed repayment checks through improper validation of the _repayAmount parameter.

They used a malicious contract to move the borrowed assets to external addresses without triggering the platform's repayment accounting. In the second, the attacker passed a malicious contract to claimReward as the external reward contract. This let them extract unearned rewards by abusing the platform's wrapNative function to convert ETH collateral into WETH, inflating their balance and enabling repeated fraudulent reward claims. Rather than cashing out immediately, the attacker reinvested the stolen assets across Avalanche and Arbitrum, spreading funds across DeFi platforms such as Stargate and various liquidity pools. Delta Prime acknowledged the incident on social media and has since worked with security experts to analyze the exploit, but the attacker's reinvestment strategy has complicated recovery efforts.
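Both Delta Prime issues share a root cause: trusting caller-supplied input, an amount and a contract address, in place of state the protocol can observe for itself. The following is an added example (an editor's model, not DeltaPrime's Solidity) of a simplified account that credits a repayment only by the lender's measured balance change, reverting otherwise, and that accepts reward sources only from a fixed allowlist. `Ledger`, `PrimeAccount`, the rewarder classes, the `attacker_eoa` address and the reuse of the 1.18 WBTC figure from the text are assumptions for illustration.

```python
"""Added example, not DeltaPrime's Solidity: a simplified account showing the
two weaknesses described above, a repay amount taken on trust and a reward
contract chosen by the caller, beside the checks that close them.

`Ledger`, `PrimeAccount`, the rewarder classes, the `attacker_eoa` address
and the reuse of the 1.18 WBTC figure are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable


class Ledger:
    """Token balances per (token, address), standing in for ERC-20 contracts."""

    def __init__(self) -> None:
        self.bal: dict = {}

    def balance(self, token: str, who: str) -> float:
        return self.bal.get((token, who), 0.0)

    def transfer(self, token: str, src: str, dst: str, amount: float) -> None:
        if self.balance(token, src) < amount:
            raise ValueError("insufficient balance")
        self.bal[(token, src)] = self.balance(token, src) - amount
        self.bal[(token, dst)] = self.balance(token, dst) + amount


class HonestRewarder:
    """The protocol's own reward contract: pays what was actually earned."""

    def claim(self, account: str) -> float:
        return 1.0


class MaliciousRewarder:
    """Attacker-deployed contract that reports whatever reward it likes."""

    def claim(self, account: str) -> float:
        return 1_000.0


@dataclass
class PrimeAccount:
    ledger: Ledger
    owner: str                 # address holding the account's tokens
    lender: str                # pool the account owes WBTC to
    debt_wbtc: float
    hardened: bool = True
    allowed_rewarders: tuple = (HonestRewarder,)

    def swap_debt(self, repay_amount: float, route: Callable[["PrimeAccount"], None]) -> float:
        """Repay WBTC debt through a caller-chosen swap route. The route is
        supposed to deliver WBTC to `lender`; the vulnerable path credits
        `repay_amount` without checking that it did."""
        snapshot = dict(self.ledger.bal)
        before = self.ledger.balance("WBTC", self.lender)
        route(self)
        delivered = self.ledger.balance("WBTC", self.lender) - before
        if self.hardened and delivered < repay_amount:
            self.ledger.bal = snapshot            # revert, as an EVM transaction would
            raise ValueError(f"claimed {repay_amount} repaid, lender received {delivered}")
        self.debt_wbtc -= repay_amount
        return self.debt_wbtc

    def claim_reward(self, rewarder) -> float:
        """Hardened path only calls contracts the protocol itself registered."""
        if self.hardened and type(rewarder) not in self.allowed_rewarders:
            raise PermissionError("reward contract not allowlisted")
        return rewarder.claim(self.owner)


def run_attack(hardened: bool) -> tuple:
    """Returns (debt left, WBTC at the attacker's address, reward paid)."""
    ledger = Ledger()
    ledger.bal[("WBTC", "account")] = 1.18        # the borrowed WBTC sits in the account
    acct = PrimeAccount(ledger, "account", "lender", debt_wbtc=1.18, hardened=hardened)

    def malicious_route(a: PrimeAccount) -> None:
        # A "swap" that ships the WBTC to the attacker instead of the lender.
        a.ledger.transfer("WBTC", a.owner, "attacker_eoa", 1.18)

    try:
        debt_left = acct.swap_debt(1.18, malicious_route)
    except ValueError:
        debt_left = acct.debt_wbtc
    try:
        reward = acct.claim_reward(MaliciousRewarder())
    except PermissionError:
        reward = 0.0
    return debt_left, ledger.balance("WBTC", "attacker_eoa"), reward
```

The vulnerable run clears the 1.18 WBTC debt while the tokens land at the attacker's address, and the attacker-supplied rewarder pays out 1,000 units; the hardened run reverts the swap, leaves the debt in place and rejects the reward contract. Measuring balance deltas instead of trusting parameters, and pinning external calls to contracts the protocol registered, are the two checks that fail closed here.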

6. Metawin Access Control Exploit — $4,000,000 Lost

On November 3, 2024, MetaWin, an online crypto casino operating on Ethereum and Solana, suffered a breach that cost approximately $4 million. The attack targeted MetaWin's instant withdrawal mechanism, a feature designed for rapid transactions whose security checks were inadequate, giving the attacker direct access to MetaWin's Ethereum and Solana hot wallets.

By leveraging over 115 different addresses, the attacker systematically drained funds while bypassing traditional monitoring systems. MetaWin’s response involved disabling withdrawals and freezing operations, but the damage had already been done. The stolen funds were traced to centralized exchanges, including KuCoin and HitBTC, where they were likely mixed to obscure their origin. MetaWin collaborated with blockchain investigator ZachXBT to track the movement of assets, though recovery remains uncertain. This breach underscores the inherent risks of hot wallet systems in platforms requiring high transaction throughput, highlighting the trade-off between user convenience and security.

Closing Words

The total losses for November 2024 amount to $69,770,000, a 26% decrease from the previous month and moderate compared to earlier months of the year. This month's exploits were concentrated in decentralized exchanges, gaming platforms, lending protocols, and token projects. With December 2024 yet to unfold, the crypto investor community must remain vigilant as malicious actors continue to adapt their strategies, exploiting weaknesses wherever they arise. The closing months of the year will be a crucial test for platforms seeking to restore trust and fortify their defenses.


© De.Fi. All rights reserved.