
This year, an estimated $1.27 billion was stolen from digital currency exchanges and decentralized finance (DeFi) protocols, and that number rises even higher when you account for the unreported breaches that took place.

[Figure: DeFiLlama graph of hacked value. Source: DeFiLlama]

These breaches not only highlighted systemic weaknesses in many DeFi protocols but also called into question the ability of many of the industry’s startups to secure users’ funds. Unfortunately, this shows that some corners of the industry have a long way to go when it comes to security and earning public trust.

Initially, I planned to discuss every DeFi hack that occurred in 2024. However, with data from DeFiLlama showing that 90 distinct hacks took place in 2024, it quickly became clear that covering each hack was impractical. So, instead, I’ve decided to focus on the five largest hacks of the year and the trends they reveal about the current state of security in the DeFi sector.

The 5 largest DeFi hacks of 2024

1. DMM BTC exchange hack: $305 million lost

On May 31, 2024, Japanese Bitcoin exchange DMM experienced a hack that resulted in the loss of 4,502.9 BTC, which was equivalent to $305 million at the time. The breach occurred when attackers compromised the private key of DMM’s Bitcoin wallet, allowing them to transfer funds from the exchange’s wallet to one the attacker owned.

Unfortunately, the hack had a significant impact on DMM and its operations. Customer withdrawals and spot-market purchases were restricted immediately after the hack. Eventually, the exchange announced it would transfer customer accounts and assets to another platform because DMM would be permanently shutting down operations.

2. WazirX phishing attack: $234.9 million stolen

India’s WazirX exchange was hacked on July 18, 2024, resulting in the theft of $234.9 million. The stolen assets spanned over 200 types of digital currencies, including 5.43 billion SHIB tokens, 15,200 Ethereum, and 20.5 million MATIC.

The attack was linked to a phishing scheme targeting the platform’s multi-sig wallet. Notably, $229 million of the stolen funds were funneled through Tornado Cash, a digital currency mixer typically used for laundering stolen funds, and only $6 million of the funds remain unmoved. Despite the massive loss, which represented nearly half of all WazirX reserves at the time, WazirX continues to operate.

3. Munchables storage slot exploit: $62.5 million drained

Web3 gaming platform Munchables fell victim to a storage slot exploit, a type of smart contract exploit, losing 17,400 ETH worth $62.5 million at the time. Investigations revealed that the attack was likely carried out by a developer who had been hired to create the platform’s smart contract.

Interestingly, nearly all the stolen funds were returned to the company within 24 hours, but regardless, this attack highlights the risks of outsourcing critical development work to third parties, especially in an industry as vulnerable as DeFi.

4. BTC Turk hot wallet hack: $54 million compromised

In June 2024, Turkish digital currency exchange BTC Turk experienced a $54 million loss after attackers compromised several of its hot wallets. Thankfully, the majority of the exchange’s assets were stored in cold wallets, limiting the damage.

Approximately 10% of the stolen funds were sent to Binance, most likely for laundering purposes. However, Binance’s security team quickly identified and froze $5.3 million.

5. Radiant Capital: $53 million stolen

Lastly, Radiant Capital suffered an attack in October 2024, which resulted in the loss of $53 million. The attacker manipulated the protocol’s signers into approving malicious transactions that granted access to Radiant’s lending pools.

Investigations revealed that a team member had been socially engineered by an individual posing as a trusted contractor. This allowed the hacker to infiltrate critical systems and drain the pools on both the BSC and ARB blockchains. Notably, this was the second time Radiant has been hacked this year.

Key trends in DeFi hacks

Beyond these five largest DeFi hacks of 2024, I looked at the top 20 hacks that took place in 2024 to see if there were any notable trends and patterns in regard to how the hacks took place, and two patterns stood out to me the most: (1) private keys getting compromised and (2) smart contracts getting exploited.

Private key compromises

Ironically, the digital asset community often emphasizes the importance of safeguarding private keys, yet many hacks occur because private keys get compromised.

To be fair to the victims of these hacks, it doesn’t look like private key compromise was as easy as finding someone who made their private key very easy to find. Rather, these were the results of social engineering: attackers tricking key holders into revealing their credentials or approving fraudulent transactions. To me, this highlights that there is a noticeable attack vector in regard to human error.

Smart contract exploits

Another trend I noticed was all of the smart contract exploits. Years ago, many DeFi platforms recycled code from existing protocols, which meant that if you knew how to hack one, you probably inadvertently knew how to hack several other protocols.

While coding practices in the industry have (hopefully) improved since then, many breaches can still be traced back to developers having access that they really shouldn’t have to wallets, lending pools, and other critical areas of a smart contract.

Lessons learned from 2024’s DeFi hacks

Unfortunately, more money was stolen in 2024 than in 2023, which is arguably a step backward in terms of the safety and security of DeFi protocols. These losses for the year were in the billions, a significant amount of money.

These attacks show that there is still a desperate need for better security in the blockchain and digital asset industry, especially on DeFi platforms, which often operate like fast-paced startups with limited resources.
