SlowMist Monthly Security Report | Total Losses for January ~$160 Million

SlowMist
Feb 1, 2024

Overview

Based on data from the SlowMist Hacked Archive, there were a total of 56 security incidents in January 2024, with total losses amounting to approximately $160 million. The causes included contract vulnerabilities, DDoS attacks, flash loan attacks, price manipulation, theft, and other malicious activities.

Key Events

Radiant Capital

On January 3, 2024, the multi-chain lending protocol Radiant Capital was attacked, resulting in a loss of 1,900 ETH (approximately $4.5 million). Analysis indicates that the hacker exploited a timing window when a new market was activated in the lending market (derived from Compound / Aave). The attack also relied on a known rounding issue in the current Compound / Aave codebase.

On January 4, Radiant Capital announced that this attack caused the protocol to incur bad debt in the WETH market, amounting to approximately 1.3% of the protocol’s Total Value Locked (TVL). On January 5, Radiant Capital initiated Proposal RFP-27, aimed at reaching a consensus on the strategic plan and timeline for capital restructuring in the Arbitrum lending market and the repayment of excessive debt in the WETH market through Radiant DAO.

(https://twitter.com/RDNTCapital/status/1742638364933714112)

Gamma

On January 4, 2024, the liquidity management protocol Gamma was attacked, resulting in a loss of approximately $6.18 million. Gamma stated that its vaults had four main deposit protections against flash loans, one of which was “setting a price movement threshold that would not allow deposits when the price movement exceeds a certain amount.” The main issue was that the setting for this price change threshold was too high, resulting in a price movement range for some LST and stablecoin vaults of -50% / +100%. This allowed attackers to manipulate prices up to the threshold and mint a large amount of LP tokens.

(https://medium.com/gamma-strategies/post-mortem-remediation-plan-9a62f10d90f3)
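To see why the width of that band matters, the sketch below is an added example (not Gamma's code) that checks a spot price against a reference price and computes the worst-case over-mint a given band permits. The vault model (shares proportional to deposit value at spot price), the names `Band`, `shares_for_deposit` and `worst_case_overmint`, and the pool balances are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Band:
    """Allowed spot-price move relative to a reference price (e.g. a TWAP)."""
    max_down: float  # 0.50 -> spot may be up to 50% below the reference
    max_up: float    # 1.00 -> spot may be up to 100% above the reference

    def allows(self, spot: float, reference: float) -> bool:
        change = spot / reference - 1.0
        return -self.max_down <= change <= self.max_up


def shares_for_deposit(d0, d1, a0, a1, supply, price):
    """Simplified vault (assumption): shares are proportional to the
    deposit's value over the vault's value, both priced at `price`
    (token1 per token0)."""
    return supply * (d0 * price + d1) / (a0 * price + a1)


def worst_case_overmint(band, d0, d1, a0, a1, supply, reference):
    """Largest ratio of shares minted at a band-permitted price to shares
    minted at the reference price. The share formula is monotone in price,
    so the maximum sits at one of the two band edges."""
    fair = shares_for_deposit(d0, d1, a0, a1, supply, reference)
    edges = (reference * (1 - band.max_down), reference * (1 + band.max_up))
    return max(shares_for_deposit(d0, d1, a0, a1, supply, p) for p in edges) / fair


# Constructed sample state: a balanced stablecoin-style vault.
A0, A1, SUPPLY, REF = 1000.0, 1000.0, 2000.0, 1.0
LOOSE = Band(max_down=0.50, max_up=1.00)   # the -50% / +100% range from the text
TIGHT = Band(max_down=0.01, max_up=0.01)   # hypothetical band for a pegged pair

if __name__ == "__main__":
    for name, band in (("loose", LOOSE), ("tight", TIGHT)):
        ok = band.allows(1.9, REF)  # spot pushed 90% above the reference
        ratio = worst_case_overmint(band, 100.0, 0.0, A0, A1, SUPPLY, REF)
        print(f"{name}: deposit at +90% allowed={ok}, worst over-mint x{ratio:.4f}")
```

Sizing the band from the worst-case ratio, rather than picking a round number, ties the threshold to the dilution existing LP holders can actually suffer.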

Narwhal

On January 5, 2024, the liquidity mining project Narwhal’s protocol was attacked, resulting in a loss of approximately $1.5 million. All NRW tokens were exchanged for USDT and bridged to ETH via Stargate. The majority of the stolen funds have been transferred to Tornado Cash.

(https://twitter.com/Narwhal_fyi/status/1744042646954488145)

Coinspaid

On January 6, 2024, the cryptocurrency payment service provider Coinspaid experienced multiple unauthorized transactions. Hackers stole approximately $7.5 million worth of cryptocurrencies, including 4.8 million USDT, 500 ETH, 97 million CPD, 106,000 USDC, 24,000 BSC-USD, and 268.5 BNB.

Socket

On January 16, 2024, the interoperability protocol Socket reported a security incident on Twitter. The attackers exploited a vulnerability in a newly added module within the Socket aggregator system, which was responsible for token swaps on behalf of users. The vulnerability in this module allowed attackers to steal funds from users who had given unlimited approval to the Socket Gateway contract. The attack was carried out through two malicious transactions on Ethereum, with a total theft amounting to approximately $3.3 million. On January 23, with the assistance of the SlowMist security team and other partners, Socket successfully recovered 1,032 ETH, valued at approximately $2.2 million. Additionally, the Socket team expressed their gratitude to the SlowMist security team.

(https://twitter.com/SocketDotTech/status/1749734794320363802)

Manta Pacific

On January 18, 2024, according to a tweet from Manta Network, the Manta Pacific chain experienced an RPC (Remote Procedure Call) attack around 9 AM UTC. Kenny Li (@superanonymousk), co-founder of Manta Network, posted an update on Twitter about the attack. He mentioned that at 9:30 AM UTC, coinciding with the start of their TGE (Token Generation Event), Manta Network was subjected to a well-orchestrated DDoS (Distributed Denial of Service) attack. The RPC nodes faced over 135 million requests, indicating that this was a highly intense and planned attack.

(https://twitter.com/superanonymousk/status/1747968680686993800)

HTX

On January 19, 2024, HTX alerted its users on social media that its application was currently experiencing a disruption, and the technical team was working diligently to resolve the issue. Tron’s founder, Justin Sun, tweeted that Htx.com and HTX_DAO had been subjected to a DDoS attack.

(https://twitter.com/justinsuntron/status/1748319971837710471)

Concentric Finance

On January 22, 2024, the DeFi protocol Concentric Finance, built on the Camelot V3 protocol, was attacked, resulting in a loss of approximately $1.7 million. Concentric Finance announced on social media that a team member holding the contract deployer wallet was targeted in a social engineering attack. The attackers exploited a vulnerability to upgrade the vault, mint new LP tokens, and then drain the platform’s assets.

(https://mirror.xyz/concentrictreasury.eth/duXXwBErblGw4CjbsA2JPoRAJqVNsDtiUsK4R6_vhD0)

GMEE

On January 23, 2024, the blockchain gaming platform GMEE tweeted that a few hours earlier, the GMEE token contract on Polygon had been accessed without authorization through GitLab, leading to the theft of 600 million GMEE tokens, amounting to a loss of approximately $7 million. The attacker then exchanged the tokens for Ethereum and MATIC. Over the next few hours, the attacker swapped the stolen tokens through various DEXs, affecting the GMEE token price across exchanges.

(https://twitter.com/GAMEEToken/status/1749652962849464727)

Nebula Revelation

On January 25, 2024, the staking contract of the space-themed open-world Web3 game Nebula Revelation was subjected to a reentrancy attack. On January 28, Nebula Revelation announced a compensation plan, promising full compensation to users based on the pre-theft coin price to ensure fairness.

(https://twitter.com/NBLGAME/status/1751580737768456594)

Somesing

On January 27, 2024, the South Korean Web3 social music service Somesing announced that the platform had been hit by a vulnerability attack the previous Saturday, resulting in the loss of 730 million native tokens SSX, equivalent to approximately $11.58 million. Somesing stated, “It has been confirmed that this hacking incident has no relation to any members of the Somesing team and, considering the method of the attack, it was likely carried out by hackers specializing in digital asset attacks.” The platform has reported the hacking incident to the National Police Agency for investigation and announced that it would notify Interpol.

Goledo Finance

On January 28, 2024, the Conflux ecosystem lending protocol Goledo Finance was attacked, resulting in a loss of 7.9 million CFX, equivalent to approximately $1.7 million. The Goledo team completed a preliminary investigation of a large loan in the lending pool and confirmed that the attack was related to a flash loan.

(https://twitter.com/GoledoFinance/status/1751442740200517984)

Abracadabra Money

On January 31, 2024, the DeFi protocol Abracadabra Money (MIM_Spell) was attacked, resulting in a loss of approximately $6.5 million. Following the attack, Abracadabra Money posted an update on Twitter stating that its technical team had identified the cause of the vulnerability, which targeted specific Cauldrons V3 and V4, allowing unauthorized MIM borrowing. The borrowing limits for these cauldrons have been set to zero to mitigate the issue. The team also stated that the DAO’s treasury would fully collateralize the affected $6.5 million to ensure secure operations.

(https://twitter.com/MIM_Spell/status/1752723973891059807)

Ripple

On January 31, 2024, chain analyst ZachXBT revealed that Ripple had been hacked, with 213 million XRP stolen, equivalent to approximately $112.5 million. Ripple’s co-founder, Chris Larsen, tweeted, “Yesterday, some of my personal XRP accounts (not @Ripple) were compromised — we quickly identified the issue and notified exchanges to freeze the affected addresses. Law enforcement has been involved.”

(https://twitter.com/chrislarsensf/status/1752702297971532258?s=20)

Summary

This month, there were 5 DDoS attack incidents. Projects should deploy network monitoring tools, regularly analyze traffic, and identify abnormal traffic and potential attacks in a timely manner. There were 17 Rug Pull incidents, accounting for about 30% of this month’s security events, causing approximately $5.26 million in losses. Users should fully understand the background and team of a project before participating, and choose investment projects cautiously. There were also 3 flash loan related attacks, resulting in approximately $6.35 million in losses. The SlowMist security team advises teams to remain vigilant and conduct routine security audits to track and resolve new security threats and vulnerabilities, maximizing the protection of projects and assets. Finally, this article covers the primary security events of the month, excluding most individual scams or attacks. For additional information, please visit the SlowMist Hacked Archive.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. They offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall), Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.


SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.