SlowMist September Security Report: Estimated Total Loss of ~$170 Million
Q3 Overview
According to the SlowMist Security Hacked Archives, Q3 of 2024 witnessed a continued surge in Web3 security incidents, with the threat landscape remaining severe:
- A total of 93 hacking incidents were recorded this quarter, with over 33,000 phishing victims.
- The cumulative loss from these security incidents amounted to approximately $784 million, of which $27.54 million was reported recovered.
- July’s losses reached around $300 million, followed by an increase in August, with losses climbing to $316 million, largely due to a single scam involving $243 million.
- In September, the losses decreased compared to the previous two months, though the security landscape remained tense. Three major security incidents in September resulted in losses exceeding $100 million, while the number of hacking incidents remained the same as in August. Phishing activity and associated losses also remained elevated.
September Overview
In September 2024, Web3 security incidents led to a total loss of approximately $170 million. Based on statistics from SlowMist’s Hacked Archives, there were 28 recorded hacking incidents in September, resulting in a loss of $124 million, with $4.9 million successfully recovered. The causes of these incidents included contract vulnerabilities, account breaches, and private key leaks. Additionally, according to Web3 anti-phishing platform Scam Sniffer, there were 10,525 phishing victims in September, with a total loss of $46.43 million.
Most Impactful Events in September 2024
Major Security Incidents in September
- BingX
On September 20, 2024, Singapore-based cryptocurrency exchange BingX suffered a hot wallet attack, resulting in losses of approximately $45 million. The SlowMist security team assisted in investigating the incident, helping freeze $1 million of the stolen funds. A dedicated monitoring group was also established to track the movement of the remaining funds.
2. Penpie
On September 4, 2024, decentralized liquidity project Penpie was attacked, leading to a loss of nearly $30 million. SlowMist’s analysis revealed that the vulnerability stemmed from Penpie’s incorrect assumption that all markets created by Pendle Finance were legitimate. The attacker exploited this by creating a malicious market contract, adding liquidity via a flash loan, and artificially inflating reward amounts. Detailed analysis: “SlowMist Incident Analysis — Penpie Attack”
3. Indodax
On September 11, 2024, Indonesian cryptocurrency exchange Indodax was attacked, resulting in the theft of $22 million in tokens from its hot wallet. SlowMist’s investigation suggested that the breach was more likely due to a vulnerability in the withdrawal system rather than the hot wallet itself.
4. DeltaPrime
On September 16, 2024, DeFi protocol DeltaPrime suffered a loss of $6 million due to a private key leak. The attacker minted an enormous quantity of DPUSDC tokens, which could be redeemed 1:1 for USDC stablecoins, and subsequently cashed out a portion of the forged assets.
5. Truflation
On September 26, 2024, Truflation was hacked, resulting in a loss of approximately $5 million. According to blockchain investigator ZachXBT, the attacker exploited malware to steal funds from both treasury multisig wallets and individual wallets.
Key Findings and Security Recommendations
This month, there were 9 incidents caused by contract vulnerabilities, accounting for $41 million, or 33.06% of the total $124 million in hacking losses. The number of account compromise incidents dropped to 8 from 18 in the previous month, with most of these cases involving platforms such as X (formerly Twitter) and Discord.
The SlowMist Security Team advises projects to remain vigilant and conduct regular security audits to detect and mitigate emerging threats. It is essential to have a comprehensive incident response plan to minimize losses and increase the chances of fund recovery in the event of an attack. Users should also remain cautious of phishing attempts, regularly review account permissions, verify information through multiple channels, avoid clicking on unknown links, and never input private keys or seed phrases. Installing antivirus software (e.g., Kaspersky, AVG) and phishing protection plugins (e.g., Scam Sniffer) can enhance device security.
For more information on this month’s major security incidents, visit SlowMist’s Hacked Archive.
About SlowMist
At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.
We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.