
Web3 hack trends in 2024

Although 2024 is not over yet, it has already underscored the crypto industry’s ongoing security challenges. More than $2.43 billion has been lost to hacks so far, exceeding the $2.1 billion lost in 2023 (sources: AMB Crypto, Cyvers). The frequency and scale of attacks continue to expose vulnerabilities and threaten the Web3 ecosystem's trust and growth.



2024 in numbers



In the first nine months of 2024, 131 hacks resulted in $2.114 billion in losses, according to BeInCrypto. That’s a sharp contrast to the 44 hacks and $1.23 billion lost during the same period in 2023. This 197% increase in incidents and 72% rise in stolen funds underscore both the escalating sophistication of attackers and the growing total value locked (TVL) in DeFi protocols.


Q3 2024: a costly quarter



According to CertiK’s October 2024 report, $753 million was stolen across 155 incidents in Q3 alone, making it the costliest quarter of 2024 so far.


  • The Ethereum network was hit hardest, with 86 hacks causing losses of over $387 million.


  • A single Bitcoin whale lost 4,064 BTC valued at $238 million in the largest attack of the quarter and second-largest attack of the year.


  • India-based exchange WazirX saw $235 million drained in another significant breach.


CeFi and DeFi: both at risk


Centralized Finance (CeFi) platforms experienced a 984% increase in attacks this year, making them the hardest-hit sector. The year’s largest loss also came from this sector: DMM Bitcoin lost $320 million in one of the most devastating CeFi breaches of all time. While CeFi offers user-friendly services, its centralized nature creates attractive targets for attackers.

Decentralized Finance also remains a major target; despite November seeing a 79% year-over-year drop in losses, 100% of the month’s hacks targeted DeFi protocols (Bitget). Exploits of smart contract flaws, private key thefts, and price manipulation attacks remain common tactics.


Other notable incidents of 2024


The Ronin bridge was attacked again; although this time it was a whitehat attack, the hack probably received the broadest media coverage. Ronin had already suffered heavy losses in 2022, with damage of about $615 million, and to date it remains #1 on the list of the largest cryptocurrency hacks. Naturally, the second Ronin attack reignited concerns about the fragility of bridges in cross-chain ecosystems.


Single points of failure


A large share of crypto exploits stems from inherent vulnerabilities in centralized components of Web3 infrastructure, often referred to as single points of failure (SPOFs).


  1. Bridges: cross-chain transfer tools are frequent targets due to their complexity and the significant assets they handle. The Ronin bridge remains the largest cryptocurrency exploit ever, with $615 million stolen in 2022.


  2. Oracles: flawed oracles are a leading cause of price manipulation attacks; for example, they accounted for 49% of such losses in 2023 (Halborn). The hardest hit was Beanstalk Finance, with $182 million lost in 2022, according to the list of oracle manipulation exploits/hacks by ImmuneBytes.


  3. Relayers: these entities facilitate cross-chain communications between blockchains, so they are both critical to interoperability and highly vulnerable when compromised. One of the largest relayer-associated exploits is the FixedFloat hack in February 2024, where attackers stole approximately $26 million in ETH and BTC.


These SPOFs undermine the very promise of decentralization, exposing both CeFi and DeFi platforms to immense risks.


The path forward: strengthening Web3 security


Addressing these vulnerabilities requires a paradigm shift in how the crypto industry approaches security:


  • Trustless systems: eliminating reliance on centralized intermediaries can reduce attack vectors.


  • ZK-based solutions: leveraging zero-knowledge proofs ensures integrity and privacy without exposing sensitive information.


  • Decentralized infrastructures: removing SPOFs enhances system resilience and scalability.


At Diffuse, we’re advancing the frontier of Web3 security with our zkServerless protocol. By eliminating the need for bridges, oracles, and relayers, we foster trustless, automated interactions, building the foundation for a safer, more resilient ecosystem. Learn more in the Diffuse Manifesto.


Join the conversation


Be part of the change to reshape Web3 security. Connect with us on:


Let’s create a Web3 where trustless, secure interactions are built into the fabric of the ecosystem. Together, we can make crypto hacks a thing of the past. 🚀

 
 
 



  • Telegram
  • X

© 2025 by Diffuse zkServerless.
All rights reserved.
