SlowMist Monthly Security Report | Total Losses for August Approximate $316 Million

SlowMist
Sep 2, 2024

Overview

In August 2024, the total losses from Web3 security incidents were estimated to be around $316 million. According to the SlowMist Hacked Archives (https://hacked.slowmist.io), 28 hacking incidents were recorded, resulting in approximately $253 million in losses, with $13.58 million being recovered. The incidents were caused by various factors, including contract vulnerabilities, account compromises, and frontend attacks. Additionally, data from the Web3 anti-fraud platform Scam Sniffer indicates that there were 9,145 phishing victims this month, with total losses amounting to $62.93 million.

https://dune.com/scam-sniffer/august-scam-sniffer-2024-phishing-report

Major Incidents

Convergence Finance

On August 1, 2024, Convergence Finance was attacked, with the attacker minting and selling 58 million CVG tokens, worth approximately $210,000 (equivalent to the entire token allocation designated for staking rewards). An additional $2,000 in unclaimed rewards from Convex was also stolen. According to the incident analysis report released by Convergence Finance, the root cause of the attack was the `claimMultipleStaking` function in the reward distribution contract, which lacked proper validation of user inputs.

https://medium.com/@cvg_wireshark/post-mortem-08-01-2024-e80a49d108a0

Ronin

On August 6, 2024, the gaming blockchain Ronin was attacked, with abnormal withdrawals of cross-chain assets occurring on the Ronin Bridge project. The SlowMist Security Team’s analysis revealed that the attack was due to a change in the weight settings, allowing funds to be extracted without passing any multisignature threshold checks. The attacker extracted approximately 4,000 ETH and 2 million USDC, valued at around $12 million. By August 7, a white hat hacker returned $12 million worth of assets and received a $500,000 bounty for identifying the vulnerability.

https://x.com/slowmist_team/status/1820783952145355247?s=46&t=DLwbX9Nw4QECiyZQ0av-fg
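The failure class described for Ronin, a weight setting that lets a withdrawal pass without meeting any multisignature threshold, can be modelled as a fail-open check beside a hardened one. This is an added example, not code from SlowMist or Ronin; the `Bridge` model, operator names, 70% threshold and the zero cached total are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

class ThresholdError(Exception):
    """Raised when the weight configuration cannot be trusted."""

@dataclass
class Bridge:
    # Constructed model: operator name -> voting weight.
    weights: dict = field(default_factory=dict)
    total_weight: int = 0   # cached sum, must be refreshed on every weight change
    num: int = 7            # assumed threshold of 70% of total weight
    denom: int = 10

    def required_weight(self) -> int:
        # Ceiling of total_weight * num / denom.
        return (self.total_weight * self.num + self.denom - 1) // self.denom

    def signed_weight(self, signers) -> int:
        # Count each operator once; unknown signers contribute nothing.
        return sum(self.weights.get(s, 0) for s in set(signers))

    def authorise_fail_open(self, signers) -> bool:
        # Weak form: a zero cached total makes required_weight() zero,
        # so even an empty signer list satisfies 0 >= 0.
        return self.signed_weight(signers) >= self.required_weight()

    def authorise_hardened(self, signers) -> bool:
        # Hardened form: refuse to run on a missing or stale configuration.
        if self.total_weight <= 0 or self.total_weight != sum(self.weights.values()):
            raise ThresholdError("weight configuration uninitialised or stale")
        need = self.required_weight()
        if need <= 0:
            raise ThresholdError("threshold must be positive")
        return self.signed_weight(signers) >= need

def configured() -> Bridge:
    w = {"op1": 100, "op2": 100, "op3": 100, "op4": 100}
    return Bridge(weights=w, total_weight=sum(w.values()))

def misconfigured() -> Bridge:
    # Weights exist, but the cached total was left at zero after a change.
    b = configured()
    b.total_weight = 0
    return b

if __name__ == "__main__":
    print("fail-open, no signatures:", misconfigured().authorise_fail_open([]))
    print("hardened, 3 of 4 signers:", configured().authorise_hardened(["op1", "op2", "op3"]))
```

The hardened check treats a zero or stale total as a configuration error and stops, which is the invariant worth asserting in upgrade and migration tests for any weighted-threshold contract.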

Nexera

On August 7, 2024, an external attacker gained access to the credentials managing the smart contracts on the Nexera Fundrs platform. Using these credentials, the attacker transferred NXRA tokens from the Fundrs staking contract on Ethereum, resulting in a loss of approximately $1.83 million. Out of the 47.24 million NXRA tokens stolen, the attacker sold only 14.75 million tokens (about $449,000). Nexera successfully removed the remaining 32.5 million NXRA tokens from the attacker’s wallet, preventing further losses.

Vow

On August 13, 2024, Vow suffered an attack due to a contract vulnerability, resulting in losses of about $1.2 million. According to VOW, the team was testing the USD exchange rate setting function of the v$ contract to mint v$ for a new lending pool and oracle function. The attacker exploited a brief time window and exchange rate fluctuations to purchase and send a large number of VOW tokens to the contract, generating nearly 2 billion v$ tokens and selling them back to the Uniswap pool for profit.

https://x.com/Vowcurrency/status/1823407231658025300

Unknown Transfer

On August 19, 2024, blockchain detective ZachXBT reported a suspicious transfer involving 4,064 BTC (approximately $238 million) potentially linked to a victim. The funds were quickly moved to ThorChain, eXch, Kucoin, ChangeNow, Railgun, and Avalanche Bridge. As of August 27, $205,000 has been recovered.

https://x.com/zachxbt/status/1825499490956231021

User Error

On August 21, 2024, according to Scam Sniffer, a victim lost $55.43 million worth of DAI after signing a phishing transaction targeting their DeFi Saver Proxy. MistTrack analysis revealed that the funds were sent to multiple addresses and subsequently converted into ETH.

https://x.com/MistTrack_io/status/1826273448626356697

Aave

On August 28, 2024, a peripheral contract of the DeFi lending platform Aave was attacked, with the attacker exploiting an arbitrary call error, resulting in a loss of approximately $56,000. The affected peripheral contract, ParaSwapRepayAdapter, is not part of Aave’s core protocol. It is designed to allow users to repay loans using existing collateral through asset swaps on the decentralized exchange ParaSwap. Although the contract itself is not designed to hold user funds, some residual tokens accumulate over time due to positive slippage during transactions. Aave representatives emphasized that this attack posed no threat to user funds and did not impact the security of the core Aave protocol.

https://x.com/bgdlabs/status/1828736554262470792

Summary

This month, account security issues became a significant risk area, with account compromise incidents accounting for 64.3% of all hacking incidents. Notably, hackers targeted not only well-known blockchain projects and members but also celebrities and traditional industry brands such as football star Kylian Mbappe and McDonald’s. After compromising high-profile accounts, hackers often post phishing links or promote specific tokens. The SlowMist Security Team advises users to beware of phishing attacks, verify the authenticity of messages, and exercise caution when investing. Most account compromises this month occurred on Discord. Previously, we discussed the Discord Token mechanism in the SlowMist article: “Revealing How Malicious Browser Bookmarks Steal Your Discord Token.”

Lastly, the incidents included in this article are the major security events of the month. More blockchain security incidents can be found in the SlowMist Hacked Archives.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offer a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall), Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.


Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.