July Web3 Security Incident Review: Total Loss Approximately $279 Million
Author: SlowMist Security Team
Overview
According to the SlowMist Blockchain Hacked Archive (https://hacked.slowmist.io), there were 37 security incidents in July 2024, with total losses of approximately $279 million, of which $8.76 million was recovered. The causes of security incidents this month involved contract vulnerabilities, account hacks, exit scams, and domain hijacking.
Major Incidents
Bittensor
On July 2, 2024, the decentralized AI project Bittensor was attacked: a number of Bittensor wallet users were compromised, resulting in the theft of approximately 32,000 TAO, valued at about $8 million. On-chain detective ZachXBT believed the attack may have been due to private key leakage, but Bittensor later stated that the affected users were in fact compromised by a malicious Bittensor package uploaded to Python's PyPI package index.
Authy
On July 5, 2024, SlowMist's Chief Information Security Officer 23pds tweeted that the 2FA service Authy was attacked, resulting in the theft of phone numbers of 33 million users. The official developer Twilio has confirmed the vulnerability, and a large number of Web3 users utilize this 2FA software, so please pay attention to asset security.
(https://x.com/im23pds/status/1809047195750183257)
Doja Cat
On July 8, 2024, rapper Doja Cat's X account was hacked, and the attacker used her account to post tweets promoting a memecoin. Doja Cat later posted on her Instagram stating that her X account had been hacked.
Compound
On July 11, 2024, Compound DAO security advisor Michael Lewellen tweeted that the Compound Finance official website had been attacked and was, at that time, hosting a phishing site.
(https://x.com/LewellenMichael/status/1811303839888261530)
LI.FI
On July 16, 2024, the SlowMist security team detected suspicious transactions involving the cross-chain bridge aggregation protocol LI.FI, with user losses exceeding $10 million. On July 18, LI.FI released a security incident report stating that the vulnerability originated from issues in transaction verification, related to how the protocol interacted with the shared LibSwap codebase used by multiple decentralized exchanges and other DeFi protocols, and was caused by human error in deployment oversight. An estimated 153 wallets were affected, with losses valued at approximately $11.6 million in USDC, USDT, and DAI stablecoins.
(https://x.com/SlowMist_Team/status/1813195343057866972)
WazirX
On July 18, 2024, Indian cryptocurrency exchange WazirX released on X the preliminary investigation results of a cyber attack, stating that a security vulnerability in one of its multi-signature wallets led to losses exceeding $230 million (approximately 45% of customer funds).
(https://x.com/WazirXIndia/status/1813843289940058446)
Rho Markets
On July 19, 2024, the lending protocol Rho Markets was exploited by an MEV bot due to oracle configuration errors, yielding the bot a profit of 2203 ETH, approximately $7.6 million. On the same day, on-chain detective ZachXBT observed that the owner of the MEV bot communicated on-chain with the Rho Markets team, stating that the incident was the result of their MEV bot profiting from the misconfiguration of the Rho Markets price oracle, and expressed willingness to return the full amount.
(https://scrollscan.com/tx/0xd9c2e4f0364b13ada759f2dd56b65f5025e70cce4373e7c57ac31bf5226023e0)
Casper Network
On July 26, 2024, Casper Network was attacked, and Casper Network tweeted that to minimize the impact of this security vulnerability, they had collaborated with validators to suspend the network until the vulnerability was patched. According to a preliminary security incident report released by Casper Network on July 31, 13 wallets were affected, with total illegal transactions amounting to approximately $6.7 million. Casper Network discovered that the attackers exploited a vulnerability that allowed contract installers to bypass access checks for uref, enabling them to grant contracts access to uref-based resources.
(https://x.com/Casper_Network/status/1817145818631098388)
Terra
On July 31, 2024, the Terra chain was attacked, with attackers exploiting a known vulnerability related to the third-party module IBC hooks to mint several tokens on the Terra chain, resulting in losses of up to $5.28 million. The Terra team has taken emergency measures to prevent further losses and coordinated with validators to apply patches to fix the vulnerability. According to Zaki Manian, co-founder of Sommelier Finance, although the vulnerability was fixed in the Cosmos ecosystem in April, Terra did not include this patch in its June upgrade, leading to the vulnerability being exposed and exploited again.
(https://x.com/terra_money/status/1818498438759411964)
On the same day, the decentralized trading protocol Astroport released a security incident update on X: the attacker's ASTRO on Neutron has been seized in the Astroport Treasury; the attacker's Terra address has been blacklisted and cannot conduct any transactions; the IBC Hook vulnerability has been fixed; and the official team will continue to work closely with the Terra team to seek solutions.
Summary
Data security issues have returned to our attention this month. On July 1, Protos reported that the crypto-friendly bank Evolve Bank & Trust recently admitted that approximately 33 TB of user data was stolen a month ago. Such security incidents can lead to identity theft, account hacks, and financial losses. The SlowMist security team reminds users to be cautious of phishing attacks, regularly update passwords, and avoid using the same password across multiple platforms.
With the surge of memecoins, incidents of project teams' and celebrities' accounts being hacked have become frequent. Attackers exploit the influence of project teams and celebrities, taking over X accounts to post tweets containing phishing links or promoting certain tokens. Users are advised to be vigilant and invest cautiously. We have explained how to strengthen X account security in our guide, SlowMist: X Account Security Inspection and Reinforcement Guide.
Recently, there have been multiple incidents of domain hijacking. Project teams can take the following measures to prevent domain hijacking and protect their websites and users:
- Choose reliable domain registrars to reduce the risk of domain hijacking;
- Regularly check and monitor the status of domains, DNS settings, and other related configurations;
- Ensure that relevant personnel understand the risks of domain hijacking and preventive measures, and have the ability to recognize common phishing tactics and social engineering attacks to prevent the leakage of sensitive information;
- Develop an emergency response plan to quickly react and control the impact in case of domain hijacking.
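The second measure above, regularly checking domain and DNS configuration, is easiest to operate as a drift check against a pinned baseline. The following is an added example (not SlowMist tooling) in which the baseline and the observed snapshot are constructed inline; in practice the snapshot would be filled from registrar (RDAP/WHOIS) and DNS lookups, which are outside this example.

```python
"""Domain/DNS drift check against a pinned baseline (added example, not SlowMist code)."""
from datetime import date

# Constructed baseline: what the project expects its domain to look like.
# Nameservers, A and MX records, registrar locks and expiry are the fields
# that typically change first in a hijack or a lapsed renewal.
BASELINE = {
    "ns": {"ns1.example-dns.net", "ns2.example-dns.net"},
    "a": {"203.0.113.10"},
    "mx": {"mail.example.org"},
    "locks": {"clientTransferProhibited", "clientUpdateProhibited"},
    "expires": date(2025, 3, 1),
}

def check_domain(observed, baseline=BASELINE, today=date(2024, 8, 1), expiry_warn_days=60):
    """Compare an observed snapshot with the baseline; return a list of findings.

    An empty list means no drift. Each finding is a human-readable string
    suitable for an alert. Missing keys in `observed` are treated as empty.
    """
    findings = []
    for rr in ("ns", "a", "mx"):
        seen = observed.get(rr, set())
        added, removed = seen - baseline[rr], baseline[rr] - seen
        if added or removed:
            findings.append(f"{rr.upper()} records changed: +{sorted(added)} -{sorted(removed)}")
    # A removed transfer/update lock is a common precursor to a registrar-level takeover.
    missing_locks = baseline["locks"] - observed.get("locks", set())
    if missing_locks:
        findings.append(f"registrar locks removed: {sorted(missing_locks)}")
    expires = observed.get("expires", baseline["expires"])
    if expires != baseline["expires"]:
        findings.append(f"expiry date changed: {baseline['expires']} -> {expires}")
    days_left = (expires - today).days
    if days_left < expiry_warn_days:
        findings.append(f"domain expires in {days_left} days")
    return findings

# Constructed snapshots: one identical to the baseline, one showing the
# nameservers redirected and the transfer lock dropped.
OBSERVED_CLEAN = dict(BASELINE)
OBSERVED_DRIFT = dict(BASELINE, ns={"ns1.unknown-host.example", "ns2.unknown-host.example"},
                      locks={"clientUpdateProhibited"})

if __name__ == "__main__":
    for name, snap in (("clean", OBSERVED_CLEAN), ("drift", OBSERVED_DRIFT)):
        print(name, check_domain(snap) or "no drift")
```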