
Crypto Security Incidents September 2024

Updated: Dec 2, 2024

This month, we've observed two significant losses totaling almost $74 million from centralized exchanges (CEXs). These incidents highlight the ongoing risks associated with asset concentration in CEXs and the varying levels of security across platforms. With $636 million of the $1.19 billion stolen in 2024 stemming from centralized finance (CeFi) vulnerabilities, hackers are increasingly drawn to these exchanges, which often house large pools of assets but may have inconsistent security measures. This trend underscores the urgent need for stronger security protocols and tighter regulatory compliance to deter large-scale attacks.

Additionally, some blockchain projects seem to be manufacturing fake exploit incidents, where funds are allegedly lost but then mysteriously refunded, all to generate attention before launching new products. This "boy who cried wolf" tactic raises questions about whether it’s an innovative marketing strategy or simply misleading.

We've also seen a rise in individual losses, primarily due to "permit" phishing signatures—an attack where malicious actors trick users into granting unauthorized permissions to their crypto wallets. Unlike typical phishing, which aims to steal credentials, permit phishing leads users to approve harmful transactions, allowing attackers to empty wallets or perform other malicious actions.
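A wallet-side check for the permit signatures described above, as an added example that is not code from this report or from any wallet vendor. It assumes the signing request is EIP-712 typed data in the standard EIP-2612 `Permit` or Permit2 `PermitSingle` shape; the function names, the trusted-spender list, the one-hour window and the sample payload are constructed for illustration.

```python
import time

MAX_UINT256 = 2**256 - 1
MAX_UINT160 = 2**160 - 1   # Permit2 stores allowance amounts as uint160

def _num(v):
    """Typed-data integers arrive as ints, decimal strings or 0x-hex strings."""
    return int(v, 0) if isinstance(v, str) else int(v)

def review_signing_request(typed_data, trusted_spenders, now=None, max_window=3600):
    """Return warnings for an EIP-712 payload a wallet is about to sign."""
    msg = typed_data.get("message", {})
    primary = typed_data.get("primaryType")
    if primary == "Permit":            # EIP-2612: owner, spender, value, nonce, deadline
        amount, cap, deadline = _num(msg["value"]), MAX_UINT256, _num(msg["deadline"])
    elif primary == "PermitSingle":    # Permit2: details{token, amount, ...}, spender, sigDeadline
        amount, cap = _num(msg["details"]["amount"]), MAX_UINT160
        deadline = _num(msg["sigDeadline"])
    else:
        return []                      # not a token-approval signature
    now = int(time.time()) if now is None else now
    warnings = ["signature grants a token allowance without an on-chain transaction"]
    if msg["spender"].lower() not in {s.lower() for s in trusted_spenders}:
        warnings.append("spender is not on the trusted list")
    if amount >= cap:
        warnings.append("allowance is unlimited")
    if deadline - now > max_window:
        warnings.append("signature stays valid far longer than a normal session")
    return warnings

# Constructed sample: placeholder addresses, not taken from any incident.
DAPP_ROUTER = "0x" + "aa" * 20
UNKNOWN_SPENDER = "0x" + "bb" * 20
SAMPLE_PHISH = {
    "primaryType": "Permit",
    "domain": {"name": "ExampleToken", "chainId": 1, "verifyingContract": "0x" + "cc" * 20},
    "message": {"owner": "0x" + "dd" * 20, "spender": UNKNOWN_SPENDER,
                "value": str(MAX_UINT256), "nonce": "0", "deadline": "0xffffffffffff"},
}

if __name__ == "__main__":
    for w in review_signing_request(SAMPLE_PHISH, [DAPP_ROUTER], now=1_726_000_000):
        print("WARN:", w)
```

The point for users is the first warning: a permit is only a signature, so no transaction or gas prompt appears before the spender gains the allowance.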

Finally, money continues to be stolen from DeFi protocols through logic-based hacks, often due to developer incompetence, coding mistakes, misuse of third-party protocols, or errors in business logic. Since smart contracts are open source, hackers can easily copy and make minor alterations to exploit these vulnerabilities, which then propagate across numerous cloned projects if the original code is flawed.


Key Incidents Overview

Penpie - September 3, 2024

Type: Security Compromise

Description: Penpie, a decentralized app built on the Polygon (MATIC) blockchain, fell victim to a significant security breach. A reentrancy flaw in one function of the staking contract, _harvestBatchMarketRewards, enabled attackers to call the function repeatedly before critical stake changes were updated and took effect.

Inadequate reentrancy safeguards allowed attackers to artificially boost their reward balance, leading to a theft of 27 million dollars from the protocol. The stolen funds were eventually laundered through Tornado Cash and were not returned.

Impact: $27 million 
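The reentrancy pattern described for Penpie, as an added example: a simplified Python model of the bug class, not Penpie's contract code. `RewardPool`, `ReenteringStaker`, `drained` and all amounts are hypothetical; the model compares the vulnerable call ordering with two standard safeguards, updating state before the external call and a reentrancy lock.

```python
class ReentrantCall(Exception):
    """Raised by the lock; stands in for a Solidity revert."""

class RewardPool:
    REWARD = 10  # constructed value: reward owed to each staker per epoch
    def __init__(self, funds, effects_first=False, lock=False):
        self.funds, self.effects_first, self.lock = funds, effects_first, lock
        self.paid = {}       # staker -> amount already paid this epoch
        self._busy = False   # reentrancy lock flag

    def harvest(self, staker):
        if self.lock and self._busy:
            raise ReentrantCall("harvest() re-entered")
        self._busy = True
        try:
            owed = self.REWARD - self.paid.get(staker, 0)
            if owed <= 0:
                return 0
            if self.effects_first:               # checks-effects-interactions
                self._book(staker, owed)
                staker.receive(self, owed)
            else:                                # vulnerable ordering
                staker.receive(self, owed)       # external call sees stale state
                self._book(staker, owed)
            return owed
        finally:
            self._busy = False

    def _book(self, staker, owed):
        self.paid[staker] = self.paid.get(staker, 0) + owed
        self.funds -= owed

class ReenteringStaker:
    """Receiver whose payout callback calls harvest() again `depth` times."""
    def __init__(self, depth):
        self.depth = depth
    def receive(self, pool, amount):
        if self.depth > 0:
            self.depth -= 1
            pool.harvest(self)

def drained(depth, **pool_options):
    """Funds that leave a 100-unit pool after one harvest() by the staker."""
    pool = RewardPool(100, **pool_options)
    try:
        pool.harvest(ReenteringStaker(depth))
    except ReentrantCall:
        pass  # whole call aborted, as a reverted transaction would be
    return 100 - pool.funds
```

With three nested re-entries the vulnerable ordering pays the same 10-unit reward four times, while either safeguard limits the payout to what is owed or aborts the call.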

Caterpillar Coin ($CUT) - September 10, 2024

Type: Flash Loan attack

Description: Due to weaknesses in $CUT’s price protection system, attackers were able to manipulate reserves and rewards, causing a huge 99% slippage in the token’s value. The attacker took out a flash loan of 4.5 million USDT (the cryptocurrency Tether), swapped a portion for CUT tokens, and added liquidity. Concurrently, the attackers manipulated the token prices, creating a flaw in the reward system. Upon exchanging the CUT tokens back to USDT, the attackers received a significantly inflated value for their CUT tokens. Ultimately, they drained the entire reserve of the rewards pool and withdrew their profits, walking away with almost one and a half million dollars in profit.

Impact: $1.4 million

Indodax - September 10, 2024

Type: Security Compromise

Description: Indodax, an Indonesian crypto exchange platform, suffered a huge security incident when various tokens were stolen from hot wallets and transferred to suspicious addresses. The hacker successfully stole and exchanged various tokens, including ETH, POL, TRX and BTC.

Impact: $21 million

Omnipus - September 11, 2024

Type: Contract Vulnerability 

Description: During the pre-sale of the OPUS token, tens of thousands of dollars were drained from Omnipus contracts due to a contract vulnerability. The contract generally assists users in staking their tokens and earning rewards from fees related to cross-chain transactions. In a specific transaction, the attacker manipulated a function in the code and set their own fee, while also preventing a check which validates the fee, and then refunded profits of the pre-sale of the token to their own address. Since the check was bypassed, the contract did not ensure that the address was deserving of profits, and the attackers obtained $30,000 in ETH. 

Impact: $30,000

DeltaPrime - September 16, 2024

Type: Protocol Logic 

Description: DeltaPrime, the decentralized borrowing protocol and crypto broker, suffered a security breach on the Arbitrum version of its platform when a hacker gained control of the DeltaPrime admin proxy, upgraded it, and drained multiple liquidity pools. DeltaPrime had only just re-audited its codebase following a separate $1 million hack that took place in July 2024.

Impact: $5.98 million 

Rivus DAO - September 16, 2024

Type: Rugpull

Description: Rivus DAO, a liquid staking cryptocurrency protocol, contracted a developer to work on their migration contract. The developer added a ‘backdoor function’ to it, and the supply of funds reserved for migration was drained. Given that Rivus DAO had the developer’s ‘full dox’, the team was able to return and refund the stolen supply.

Impact: Uncertain - all stolen funds were refunded to relevant stakeholders.

Banana Gun - September 19, 2024

Type: Security Compromise 

Description: Banana Gun’s Ethereum Virtual Machine (EVM) and Solana bots, which allow you to buy and sell tokens via Telegram, were both affected by a hack in which 11 victims, who are said to be seasoned users, collectively lost assets worth $3 million. External and internal investigations suggested that the attack was most likely a result of a vulnerability in the Telegram message oracle used by Banana Gun.

Impact: $3 million

Shezmu - September 20, 2024

Type: Contract vulnerability

Description: Shezmu, a cryptocurrency yield platform, fell victim to a hack when an attacker took advantage of a vulnerability in a contract, allowing anyone to mint collateral and use it to borrow ShezUSD. Shezmu offered the hacker a 10% bounty for the return of the funds and to consider the hack a ‘white hat’ incident, and settled at 20%.

Impact: $4.9 million - partial funds recovered after direct negotiation with the hacker


Negotiation between hacker and Shezmu

BingX - September 20, 2024

Type: Security Compromise

Description: Suspicious activity was detected from one of the hot wallets of BingX, a centralized exchange, indicating a potential security breach. The breach impacted multiple blockchains, including Ethereum, Binance Smart Chain, Base, Polygon, and Arbitrum. The hacker’s actions, particularly the rapid asset swaps before consolidation, bear a striking resemblance to tactics used by the North Korea-backed hacking group Lazarus.

Impact: $44 million 

Bankroll Network - September 23, 2024

Type: Flash Loan attack

Description: Bankroll, a DeFi network, was the target of an attack in which a hacker transferred large amounts of Binance Coin from a Bankroll contract back to itself. Each transfer was worth approximately $9.6 million. Then, two other transfers moved funds from another pool to an account and back, totaling $9.4 million. The difference in transactions, approximately $240,000, is close to the reported loss, leading investigators to believe that the hacker exploited a security weakness to withdraw more than deposited, using flash loans.

Impact: $230,000


Truflation - September 25, 2024

Type: Security Compromise

Description: Truflation, a decentralized infrastructure platform for RWA metrics, suffered an attack targeting multiple chains, exploiting both the treasury multisignature and personal wallets on Ethereum. According to the CEO, malware was injected into a computer, likely at the global Token 2049 event in Singapore, which allowed assets to be stolen. Truflation used X (formerly Twitter) to call for the hackers to engage in negotiation, and offered rewards for white hats offering assistance.

Impact: $5 million 


OnyxDAO - September 26, 2024

Type: Protocol Logic

Description: OnyxDAO, a DeFi protocol, suffered a drain of $4 million when a common bug in the code base was exploited. It appears that Onyx was aware of a vulnerability and had not addressed it in their forked version, leaving it exposed to abuse. An additional vulnerability in the NFTLiquidation contract allows for user input and self-liquidation of a reward amount without validation checks, leaving it vulnerable to manipulation. The stolen assets included a variety of cryptocurrencies, including VUSD, XCN, DAI, WBTC and USDT.

Impact: $4 million


Bedrock_DeFi - September 26, 2024

Type: Protocol Logic

Description: The restaking pool of Bedrock_DeFi, a Bitcoin-based DeFi protocol, was drained of almost $2 million in tokenized wrapped uniBTC through a smart contract. The hacker was able to mint uniBTC without limits, and within three hours an additional hacker minted excess uniBTC. The hack took place after researchers announced on X (formerly Twitter) that they had identified potential vulnerabilities in the protocol.

Impact: $1.7 million

Screenshot of researcher exposing a potential vulnerability in Bedrock DeFi’s protocol

[Chart: Major Crypto Incidents - September 2024 - Types]

[Chart: Major Crypto Incidents - September 2024]

Individual use cases: 

In addition to the major breaches, on-chain data analysis from Dune revealed several smaller incidents, including additional phishing attacks, address poisoning, and unauthorized transfers, with a combined total loss of $34,730,431. 


Key takeaways: 

The frequency of September’s attacks, which has risen by 200% compared to August 2024, emphasizes the need for stronger security protocols, user education, and better monitoring of blockchain projects and platforms to protect against the ever-evolving cyber threats that continue to grow in sophistication.

As the cryptocurrency industry continues to evolve, it is crucial for stakeholders to prioritize robust security measures to mitigate these risks and protect against increasingly sophisticated attacks.


