SlowMist Monthly Security Report| Web3 Security Loss at Approximately $139 Million

SlowMist
6 min readApr 1, 2024

--

Overview

According to statistics from the SlowMist Hacked Archive, in March 2024, there were 33 security incidents within the Web3 ecosystem, resulting in total losses of approximately $139 million. The causes of these incidents spanned a range of vulnerabilities, including smart contract flaws, insider malfeasance, flash loan attacks, private key leaks, and account theft.

Main Incident

WOOFi Exploit

On March 5, 2024, the decentralized exchange (DEX) WOOFi, operating on the Arbitrum network, was exploited through its Smoothed Price Moving Mechanism (sPMM) algorithm that controls the pricing of WOOFi trades. This exploit was orchestrated using a series of flash loans, where the attacker manipulated the price of the WOO token due to low liquidity, and subsequently repaid the flash loans at a lower price. The attacker repeated this process three times in a very short span, ultimately stealing approximately $8.75 million after repaying the flash loans.

https://twitter.com/_WOOFi/status/1765150687166415129

Unizen

On March 9, 2024, the DeFi trading platform Unizen suffered a loss of approximately $2.1 million in USDT due to an attack that exploited a vulnerability in the platform’s smart contract’s external calls. By March 12, Unizen’s CTO, Martin Granström, announced via Twitter that $185,000 worth of stolen funds had been recovered from four hackers.

https://twitter.com/SlowMist_Team/status/1766311510362734824
https://twitter.com/MartinGranstrom/status/1767279080380973084

Mozaic

Mozaic, a DeFi project, was attacked on March 15, 2024, resulting in the theft of about $2 million. The project attributed the theft to a developer who managed to obtain private keys held by core team members. Mozaic also stated that about 90% of the stolen funds had been frozen on the MEXC exchange.

(https://twitter.com/Mozaic_Fi/status/1768754080271196178)

Remilia

On March 17, 2024, the hot wallet and multisig vault of Remilia, the parent company of Milady, were compromised, leading to the transfer and sale of multiple official Remilia wallet assets. Charlotte Fang, founder of Milady, reported being targeted by hackers. Despite the financial department’s use of multisig, the private keys stored in a password manager were compromised. The attackers stole approximately 490 Ethereum (about $1.8 million), $58,000 in USDC, over 130 Milady NFTs, 320 Remilio NFTs, and several hundred derivative tokens issued on the NFTX platform, valuing the assets at over $6 million at their lowest price.

https://twitter.com/CharlotteFang77/status/1769128702561198519

Dolomite

On March 20, 2024, Dolomite, a decentralized trading protocol within the Arbitrum ecosystem, experienced an attack on its old contracts on the Ethereum mainnet due to a vulnerability. This resulted in approximately 187 victims suffering asset losses, totaling around $1.8 million in 1,245,271 USDC, 94,423 DAI, and 165.9 WETH. By March 24, with assistance from the SlowMist security team and other partners, Dolomite had recovered 90% of the stolen funds and expressed gratitude towards the SlowMist team.

https://twitter.com/Dolomite_io/status/1773845966707454026

Super Sushi Samurai

The blockchain game Super Sushi Samurai, based on the Blast Layer 2 solution, was attacked on March 22, 2024, due to a vulnerability in its token contract, resulting in a loss of about $4.6 million. Shortly after the theft, the attacker contacted the project claiming to be a white hat hacker. Super Sushi Samurai confirmed that the funds had been returned, with 5% of the funds given as a bounty.

https://twitter.com/SSS_HQ/status/1771054306520867242

Curio Ecosystem

On March 24, 2024, the RWA infrastructure Curio Ecosystem suffered an attack resulting in a loss of about $16 million, involving its ecosystem’s MakerDAO-based smart contracts. The attack was suspected to be due to a permission access logic flaw, allowing the attacker to mint an additional 1 billion CGT tokens.

https://twitter.com/curio_invest/status/1771635979192774674

Munchables

The Blast ecosystem project Munchables was attacked on March 27, 2024, suffering a loss of approximately $62.5 million. On the same day, Pacman, founder of Blast, tweeted that Blast core contributors had secured $97 million in funds through multisignature. He thanked the former Munchables developer for choosing to return all funds without demanding any ransom.

https://twitter.com/PacmanBlur/status/1772871466935013701

Prisma Finance

The decentralized lending protocol Prisma Finance was attacked on March 28, 2024, with a total loss of about 3257.7 ETH (approximately $11.6 million). The attack was due to a lack of input validation in the MigrateTroveZap contract’s onFlashloan function, allowing the attacker to forge migration data and unauthorizedly transfer collateral, harming legitimate Prisma Finance users.

https://twitter.com/PrismaFi/status/1773316945430852058

On the same day, an address starting with 0x2d4, marked as one of the Prisma Finance attackers, messaged the project saying, “This action was a white hat rescue, who can I contact to refund?” However, subsequent communication between the two parties seemed to be challenging.

(https://etherscan.io/idm?addresses=0x2d413803a6ec3cb1ed1a93bf90608f63b157507a,0xd8531a94100f15af7521a7b6e724ac4959e0a025&type=1)

Solareum

The Solana ecosystem has recently been dealing with a series of wallet theft issues. While the exact cause has not yet been determined, some thefts are related to trading bots similar to Solareum. According to security researcher Plum, a vulnerability in the Solareum Telegram trading bot led to a loss of about $1 million in SOL.

https://twitter.com/Plumferno/status/1774549022813872164

Summary

In the 33 security incidents reported this month, four projects (Munchables, Super Sushi Samurai, Dolomite, and Unizen) successfully recovered approximately $68.46 million of stolen funds.

This month, three incidents of insider malfeasance resulted in losses of $65.4 million, accounting for 46.9% of the total funds stolen. The SlowMist security team stronly advises projects to thoroughly review their internal security measures and strengthen access controls for sensitive information and assets.

Additionally, eight incidents involving smart contract vulnerabilities led to losses of about $36.89 million. The SlowMist team recommends that project to remain vigilant, conduct routine security audits, and promptly address new security threats and vulnerabilities to limit potential losses.

Lastly, the incidents documented in this article represent the major security events of the month; incidents involving individual users are not included in this summary. For more information on blockchain security incidents, visit the SlowMist Hacked Archive.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.