February Web3 Security Incident Review: Total Losses Amount to 404 Million USD
Written by: SlowMist Security Team
Overview
According to the SlowMist Blockchain Hacked Archive (https://hacked.slowmist.io), there were 28 security incidents in February 2024, with total losses of approximately $404 million, caused by contract vulnerabilities, DDoS attacks, flash loan attacks, private key leaks, and account thefts.
Major Incidents
Phantom
On February 2, 2024, the crypto wallet Phantom reported a DDoS attack, with attempts to overload its system, causing some services to be temporarily interrupted, but user assets remained secure. Subsequently, Phantom tweeted that all services had resumed normal operations.
(https://twitter.com/phantom/status/1753100432145318116)
Starlay Finance
On February 8, 2024, the lending protocol Starlay Finance in the Polkadot ecosystem was attacked, resulting in losses of approximately $2.1 million. On February 9, Starlay Finance tweeted that preliminary analysis indicated the attack was due to a liquidity index calculation error that was exploited, leading to unauthorized withdrawals.
(https://twitter.com/starlay_fi/status/1755856271184654360)
PlayDapp
On February 10, 2024, the blockchain gaming platform PlayDapp was attacked, with the hacker's address added as a minter, minting 200 million PLA tokens (approximately $36.5 million). Shortly after the incident, PlayDapp sent a message to the hacker via on-chain transactions, requesting the return of the stolen funds and offering a $1 million white hat reward, but negotiations ultimately failed. On February 12, PlayDapp was attacked again, with the hacker minting an additional 1.59 billion PLA tokens (approximately $253.9 million) and starting to transfer them through cryptocurrency exchanges. The total losses from the hacker's attacks were approximately $290 million.
(https://twitter.com/playdapp_io/status/1756060784692736038)
Duelbits
On February 14, 2024, the hot wallet of the crypto gambling platform Duelbits was attacked, resulting in losses of approximately $4.6 million, suspected to be due to a private key leak.
(https://twitter.com/Duelbits/status/1758159495807541459)
FixedFloat
On February 17, 2024, according to on-chain data, the cryptocurrency exchange FixedFloat was attacked, resulting in losses of approximately $26.1 million in Bitcoin and Ethereum. FixedFloat stated that the incident was an external attack that exploited vulnerabilities in its security structure, that it was not perpetrated by employees, and that user funds were not affected. On February 18, FixedFloat tweeted: "We confirm that there was indeed a hacker attack and funds were stolen. We are not yet ready to make a public comment on this matter as we are working to eliminate all potential vulnerabilities, enhance security, and conduct an investigation. FixedFloat's services will be restored soon, and further details about this incident will be provided later."
(https://twitter.com/FixedFloat/status/1759216185185288653?s=20)
Blueberry Protocol
On February 22, 2024, the DeFi lending protocol Blueberry Protocol was attacked, resulting in losses of approximately 457.7 ETH (about $1.35 million). The attack was intercepted by the white hat hacker c0ffeebabe.eth, who returned 366 ETH to Blueberry Protocol. According to Blueberry Protocol's incident analysis report, the attack was due to an oracle deployment error.
(https://medium.com/@blueberryprotocol/2-22-24-exploit-post-mortem-6f6be7c1dcc3)
BitForex
On February 23, 2024, the Hong Kong-based cryptocurrency exchange BitForex was suspected of an exit scam after approximately $56.5 million in suspicious fund outflows across multiple blockchains, followed by the shutdown of access to the platform. On-chain detective ZachXBT first noticed the withdrawal anomalies at the exchange, pointing out that the trading platform had stopped processing withdrawals and had not responded to customers. The company faced regulatory scrutiny in Japan in mid-2023 for operating without a license and was accused of inflating trading volumes. Its CEO resigned in January, promising that a new team would take over.
(https://twitter.com/zachxbt/status/1762028433574650347)
Jihoz
On February 23, 2024, Axie Infinity co-founder Jihoz tweeted that two of his personal addresses had been leaked. The scope of the attack was limited to his personal accounts and was unrelated to the verification or operation of the Ronin chain. Additionally, the leaked keys were not related to Sky Mavis's operations. He wanted to assure everyone that strict security measures had been taken for all chain-related activities. The attack resulted in losses of approximately $10 million.
(https://twitter.com/Jihoz_Axie/status/1760845078757511562)
Seneca
On February 28, 2024, the full-chain CDP protocol Seneca was attacked due to a contract vulnerability. The hacker supplied crafted calldata parameters that made the project contract call transferFrom, moving tokens that users had approved to the project contract to the hacker's own address; the tokens were then exchanged for ETH. Seneca lost over 1,900 ETH, valued at approximately $6.5 million. On February 29, the Seneca hacker returned 1,537 ETH (about $5.3 million) to the Seneca deployer's address.
(https://twitter.com/SlowMist_Team/status/1762865505042645010)
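The calldata pattern described in the Seneca entry can be screened before a contract or relayer forwards a user-supplied call. The following is an added example, not code from Seneca or SlowMist: it decodes ERC-20 transferFrom calldata and rejects calls whose token owner is not the caller. The function names, sample addresses and the policy itself are assumptions made for illustration.

```python
# Added example (constructed data): screening calldata that a contract is asked
# to forward, for the transferFrom pattern described in the Seneca incident.
TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)

def _address(word: bytes) -> str:
    """Decode a 32-byte ABI word holding a left-padded 20-byte address."""
    if len(word) != 32 or word[:12] != bytes(12):
        raise ValueError("malformed address word")
    return "0x" + word[12:].hex()

def decode_transfer_from(calldata: bytes):
    """Return (owner, recipient, amount), or None if not a transferFrom call."""
    if calldata[:4] != TRANSFER_FROM:
        return None
    args = calldata[4:]
    if len(args) < 96:
        raise ValueError("truncated transferFrom arguments")
    return (_address(args[:32]), _address(args[32:64]),
            int.from_bytes(args[64:96], "big"))

def screen_forwarded_call(caller: str, calldata: bytes):
    """Return (allowed, reason) for calldata supplied by `caller`.

    Narrow check for this one pattern; a production guard would also
    allowlist call targets and selectors (assumption, not from the report).
    """
    try:
        decoded = decode_transfer_from(calldata)
    except ValueError as exc:
        return False, f"malformed calldata: {exc}"
    if decoded is None:
        return True, "not a transferFrom call"
    owner, recipient, amount = decoded
    if owner.lower() != caller.lower():
        return False, f"moves {amount} from third party {owner} to {recipient}"
    return True, "caller moves own tokens"

def encode_transfer_from(owner: str, recipient: str, amount: int) -> bytes:
    """Build transferFrom calldata for the constructed samples below."""
    pad = lambda a: bytes(12) + bytes.fromhex(a[2:])
    return TRANSFER_FROM + pad(owner) + pad(recipient) + amount.to_bytes(32, "big")

# Constructed sample addresses, not taken from the incident.
USER_A = "0x" + "11" * 20   # approved the forwarding contract as spender
USER_B = "0x" + "22" * 20   # submits the calldata
if __name__ == "__main__":
    print(screen_forwarded_call(USER_B, encode_transfer_from(USER_A, USER_B, 10**18)))
    print(screen_forwarded_call(USER_B, encode_transfer_from(USER_B, USER_A, 5)))
```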
Shido Network
On February 29, 2024, the decentralized cross-chain protocol Shido Network on the Ethereum chain was suspected of an exit scam. The owner of the SHIDO token staking contract first upgraded the staking contract, then withdrew a large amount of SHIDO, and finally sold a large amount of SHIDO for 692 ETH (approximately $2.1 million).
Conclusion
Among the 28 major security incidents this month, two projects (Blueberry Protocol and Seneca) recovered approximately $6.38 million of the stolen funds. The three private key leak incidents this month resulted in losses of approximately $304 million, accounting for about 75% of the total losses from security incidents this month. The SlowMist Security Team recommends that users and project parties strengthen the protection of private keys, for example by using hardware wallets and offline storage. The four contract vulnerability exploitation incidents this month resulted in losses of approximately $7.25 million. The SlowMist Security Team advises project parties to remain vigilant, conduct regular security audits, and track and address new security threats and vulnerabilities to maximize the protection of project and asset security. Finally, the incidents recorded in this article are the major security incidents of the month, and personal user theft incidents are not included in the statistics.