De.Fi REKT Report: October 2024 — Over $94 Million Lost to DeFi Exploits

While the wider crypto community has rallied around the renewed bull market, the month of October 2024 proved to be a challenging period for the decentralized finance (DeFi) and broader crypto ecosystem, with a total of $94,417,000 lost to various hacks and exploits. This marked a stark increase compared to the $21,765,015 lost in October 2023. Unlike last year, when $2,677,077 of lost funds were successfully recovered, there were no recoveries in October 2024, illustrating the increasing sophistication of attacks and the ongoing difficulty of asset recovery efforts. The significant year-on-year rise in losses underscores the evolving nature of threats in the crypto landscape and the need for enhanced security measures.

Comparing October 2024 to Previous Months

October 2024’s losses were relatively muted, both by amount and frequency. While they were the lowest since August but were still significant. In September 2024, for example, losses totaled $114,130,000, and August 2024 saw the year’s highest monthly loss at $306,859,000. The relative decrease in October however does not indicate a reduction in threat levels, as the attacks became more targeted and high impact, focusing on access control breaches and complex cross-chain exploits where rewards to exploiters are the highest.

Analysis of Exploit Trends in October 2024

The most common type of exploit this month was access control breaches, accounting for $71.7 million in total losses across two incidents. These breaches often involve gaining unauthorized access to key accounts or system functionalities, as seen in the Radiant Capital and M2 incidents. Cross-chain exploits, such as the Essence Finance breach, also featured prominently, highlighting the risks associated with bridging assets across different networks.

Phishing accounted for a significant incident as well, with a single case leading to a $2.47 million loss. Oracle manipulation was responsible for one incident, causing $130,000 in losses. The diverse range of attack vectors underscores the complexity of security challenges facing DeFi protocols and centralized platforms alike.

Breakdown of Funds Lost by Chain

In October, Arbitrum experienced the highest losses, as well as the most frequent, with three incidents totaling $58,223,000. Ethereum was impacted twice this month – the chain saw two incidents with a total loss of $2,494,000. Scroll was affected by one incident, resulting in an unenviable $20 million loss. Finally, centralized exchanges faced a single major incident, accounting for $13.7 million.The concentration of incidents on Arbitrum and Ethereum reflects their prominence in the DeFi space and the high value of assets they secure, making them attractive targets for attackers. Meanwhile, we also note that losses this month have been concentrated among a few high profile names, showing how attacks are becoming more targeted than ever. With that being said, let’s have a look at the Top Exploits of October 2024.

Top Incidents in October 2024

1. Radiant Capital Breach — $58,000,000 Lost
On October 16, 2024, the DeFi lending protocol Radiant Capital-operating on the Binance Smart Chain and Arbitrum-suffered a significant access control exploit through which it lost $58 million. The attackers had access to three of Radiant’s eleven private keys, thereby giving them control over the protocol’s smart contracts. They capitalized on that to drain liquidity pools holding popular tokens such as USDC, WBTC, WETH, and BNB. The funds siphoned across both chains saw the BSC network lose $18 million. This breach, which has prompted Radiant to freeze the markets on Ethereum and Base, is also working with firms like SEAL911 and Chainalysis for investigations.

2. Essence Finance Exploit — $20,000,000 Lost
The CHI token, the Scroll ecosystem’s stablecoin offered by Essence Finance, collapsed 98% of its value on 24 October 2024. Coming at a loss pegged at $20 million, this incident occurred just hours after swift large-scale withdrawals of its collateral were made – something many have described as a possible rug pull. The centralized nature of Essence’s multisig-controlled collateral contracts allowed key project members to drain collateral into USDC and DAI pairs, restricting redemptions and causing a liquidity crisis. Months of silence from the project since September fueled suspicions, making massive investor backlash likely after CHI market activity continued despite the crash.

3. M2 Centralized Exchange Breach — $13,700,000 Lost
On October 31, 2024, Abu Dhabi-based centralized exchange M2 was hacked, amounting to $13.7 million of losses from hot wallets. The assets compromised in this steal include Bitcoin, Ether, and Solana. According to blockchain investigator ZachXBT, this attack occurred in the wake of a weakness in the wallet infrastructure of this exchange. M2 reacted by freezing the wallets affected, returning the user money, and working with cybersecurity investigators and law enforcement to find the culprit behind the breach. Shortly after, the exchange opened its operations and limited further damage.

4. Phishing Attack — $2,470,000 Lost
On October 10, 2024, approximately $2.47 million of Aave Ethereum sDAI was stolen through phishing. The user signed a malicious “permit” transaction, which enabled the attacker to take ownership of the user’s sDAI tokens. Fake addresses had already been computed through the function CREATE2; these were the addresses which the scammer utilized to deceive the user into giving up and making the transfer. This case of phishing underlines the fact that such an attack is very focused and often successfully compromises users’ assets with relatively innocuous-looking interactions.

5. Lending Platform Exploit — $130,000 Lost (Oracle Manipulation)
On October 3, 2024, some unknown lending platform on Arbitrum was hacked to a loss of $130,000 due to an oracle manipulation exploit involving the WETH-USDC liquidity pool. In its detail, an attacker faked a price feed in UniswapV3Pool and sent the value of LP tokens higher. Later, the attacker deposited LP tokens and manipulated their prices to borrow some more LP tokens and sucked all the assets in the pool.

6. Ramses DEX Exploit — $93,000 Lost
On October 24, 2024, the Arbitrum-based decentralized exchange – Ramses DEX – recorded a loss of $93,000 due to its flawed reward distribution function. The attacker exploited the Ramses FeeDistributor contract by repeatedly claiming rewards with a set of token IDs such that the total supply of rewards would not be reduced. With this, the attacker used the _getReward() function to drain excessive rewards based on the manipulation of the reward period without affecting the liquidity provider fund or funds related to user assets.

7. Fire Token Incident — $24,000 Lost
Fire Token was exploited 24 seconds into its release for a sum of $24,000 on 1st October 2024. This bug was related to the token’s burn mechanism, reducing the reserves of liquidity pools with every transfer. By this very mechanism, an attacker could make sure to create an imbalance in price on Uniswap to manipulate the constant product formula and make ETH more valuable against the token. This bug enabled the attacker to drain the pool of liquidity and profit from this fake price movement.

Closing Words

The overall losses this month amount to $94,417,000, showing how much the threats are changing in the crypto space as hackers find more polished ways to exploit both decentralized and centralized platforms. A lack of recoveries this month shows the difficulty with which this can be reclaimed and the rising task of containing the financial loss. Going into the final months of 2024 and a new crypto bull market, there is a great deal for the crypto industry to pay attention to and to place at the forefront in terms of security measures with the purpose of avoiding further great losses.