According to the latest Web3 industry security report from Gate Research, a total of 27 security incidents occurred in December, resulting in losses of approximately $4.11 million. The types of incidents were diverse, with contract vulnerabilities remaining the primary threat, accounting for 72% of the total losses. The report also provides a detailed analysis of key security events, including the FEG vulnerability, Clober contract vulnerability, Clipper DEX contract vulnerability, and the HarryPotterObamaSonic10Inu flash loan attack. Contract vulnerabilities and account hacks were identified as the major security risks for the month, highlighting the ongoing need for the industry to strengthen its security measures.

Key Takeaways

• In December 2024, the Web3 industry experienced 27 security incidents, resulting in losses of approximately $4.11 million, a significant decrease compared to the previous month.
• The security incidents this month primarily involved contract vulnerabilities and account hacks.
• Contract vulnerabilities remain a major threat, accounting for 72% of the total losses in the cryptocurrency industry’s security incidents.
• Most of the losses occurred across major blockchains, including BSC, Ethereum, Cardano, and Base.
• Key incidents this month included the FEG security vulnerability (loss of $1 million), Clober contract vulnerability (loss of $500,000), Vestra DAO contract vulnerability (loss of $500,000), Moonhacker account hack (loss of $320,000), and the HarryPotterObamaSonic10Inu flash loan attack (loss of $243,000).

Overview of Security Incidents

According to data from Slowmist, December 2024 saw a total of 27 hacking incidents, resulting in losses of $4.11 million. The attacks primarily involved contract vulnerabilities, account hacks, and other methods. Compared to November, both the number of incidents and the total losses saw a significant decline, indicating that industry security measures and awareness have improved. Contract vulnerabilities remain the leading cause of attacks, with nine incidents accounting for over $2.98 million in losses, or 72% of the total. Official X accounts and cryptocurrency project websites continue to be hackers’ primary targets [1].

This month’s distribution of security incidents across public blockchains reveals that most losses were concentrated on several mature and popular blockchains, particularly Ethereum and Base, with losses of $2.01 million and $950,000, respectively. This highlights that, despite the strong foundational security of public blockchains, vulnerabilities in the application layer and smart contracts still pose significant risks to user funds.

Several blockchain projects experienced major security incidents this month, resulting in significant financial losses. Notable incidents include the FEG security vulnerability, which caused a loss of $1 million; the Clober contract vulnerability, which led to a loss of $500,000; the Vestra DAO contract vulnerability, resulting in $500,000 in losses; and the Clipper DEX contract vulnerability, which caused a loss of $457,000.

Major Security Incidents in December

According to official disclosures, the following projects suffered losses exceeding $3.22 million in December. These incidents underscore that contract vulnerabilities continue to pose a significant threat.

• Attackers exploited a vulnerability in the smart contract used by Clipper, manipulating the single-asset deposit/withdrawal function. This operation impacted liquidity pools on the Optimism and Base networks, causing an imbalance in the pool assets and allowing attackers to withdraw more than their deposited amount. The attack resulted in a loss of approximately $457,878.
• Vestra DAO tweeted that a hacker exploited a vulnerability in the locked staking contract, manipulating the reward mechanism to acquire excessive rewards beyond what was due. The incident led to the theft of 73,720,000 VSTR tokens. The stolen tokens were gradually sold on Uniswap, causing a liquidity loss of around $500,000 in ETH. To protect the VSTR tokenomics and the stability of the project, the remaining 755,631,188 VSTR tokens were permanently removed from circulation.
• The liquidity vault on Clober DEX, built on the Base Network, was attacked, resulting in a loss of 133.7 ETH (approximately $501,000). The team also offered 20% of the stolen funds as a bounty for identifying the vulnerability, hoping to recover the remaining assets. However, negotiations did not reach a consensus.
• HarryPotterObamaSonic10Inu was targeted in a flash loan attack on Ethereum, involving a series of exploitative trades targeting the liquidity pool of the HarryPotterObamaSonic10Inu 2.0 token. The attacker profited approximately $243,000 and deposited the funds into Tornado Cash.
• The FEG project suffered a security vulnerability attack, resulting in a loss of around $1 million. Analysis suggests that the root cause was a composability issue when integrating with the underlying Wormhole cross-chain bridge, which is used for cross-chain messaging and token transfers. The team has suspended all FEG transactions on centralized exchanges, and the SmartDeFi protocol has also been paused.

Clipper DEX

Project Overview: Clipper is a decentralized exchange (DEX) designed to provide the best rates for small cryptocurrency traders (less than $10,000). It achieves this by limiting liquidity and reducing impermanent loss.

Incident Overview: According to an analysis report released by Clipper, on December 1, 2024, attackers exploited a vulnerability in the smart contract used by Clipper, manipulating the single-asset deposit/withdrawal function. This operation affected the liquidity pools on the Optimism and Base networks, causing an imbalance in the pool assets and allowing the attackers to withdraw more assets than they had deposited. The attack resulted in a loss of approximately $457,878.

Within a few hours, AdmiralDAO launched an emergency response plan, quickly taking measures to protect the remaining funds in the protocol and halt the attack. After the response, no additional funds were affected[2].

Post-Incident Recommendations:

• Expand Invariant Checks: Implement on-chain verification to ensure that invariants of the pool remain consistent during single-asset withdrawals, similar to the checks Clipper applied in the latest version of their contract for the exchange.
• Expand Oracle Price Verification: Integrate on-chain price oracles into the asset value validation for deposits and withdrawals, just as Clipper has executed in the latest version of their contract for the exchange.
• Consider Short-Term Locking of Deposits: If new deposits are subject to a lock-in period that exceeds the validity of the deposit signature (for example, a few minutes), this attack would not have been possible.

Vestra DAO

Project Overview: VSTR is a token developed by the NFT community “CMLE” (Crypto Monster Limited Edition) that offers semi-decentralized, Web2+Web3 hybrid services. It operates as a decentralized autonomous organization (DAO) project, providing DeFi solutions.

Incident Overview: On December 4, 2024, Vestra DAO tweeted that a hacker exploited a vulnerability in the locked staking contract, manipulating the reward mechanism to acquire excessive rewards beyond what was due. The incident led to the theft of a total of 73,720,000 VSTR tokens. The stolen tokens were gradually sold on Uniswap, resulting in a loss of around $500,000 in ETH liquidity.

The team quickly identified the issue and took immediate action by blacklisting the locked staking contract, thereby disabling further interactions with these contracts. As a result, 755,631,188 VSTR tokens in the staking pool were removed from circulation, and the funds in these contracts could no longer be withdrawn. On December 6, the team announced that to protect the VSTR tokenomics and the stability of the project, the remaining 755,631,188 VSTR tokens would be permanently removed from circulation[3].

Post-Incident Recommendations:

• Conduct Comprehensive Contract Security Audits and Optimization
  Hire a reputable third-party security audit firm to thoroughly review all smart contracts, especially the staking and locked contracts. The focus should be on permission management, boundary condition handling, and code logic security. After the audit, the contract code should be optimized based on the recommendations, and the audit report should be made publicly available to enhance transparency and user trust.

• Deploy Multi-layered Protection Mechanisms and Real-Time Monitoring

• Implement Timelock Functionality: Introduce time delays for key operations to ensure that there is sufficient time to pause operations or intervene in the event of an anomaly.
• Introduce Real-Time Monitoring and Alert Systems: Use on-chain data analysis to detect abnormal trading behaviors or contract interactions in real time, and implement alert systems to notify of suspicious activity, minimizing the potential losses caused by vulnerabilities.

Clober DEX

Project Overview: Clober is a fully on-chain order book DEX that allows on-chain order matching and settlement on decentralized smart contract platforms. With Clober, market participants can place limit and market orders fully decentralized and trustless at manageable costs.

Incident Overview:
On December 10, 2024, the liquidity vault of Clober DEX on the Base Network was attacked, resulting in a loss of 133.7 ETH (approximately $501,000). The root cause of the attack was a reentrancy vulnerability in the _burn() function within the Rebalancer contract.

The team offered 20% of the stolen funds as a bounty for identifying the security vulnerability, provided that the remaining assets could be returned. Additionally, the team assured that no legal action would be taken if the attacker cooperated. On December 31, 2024, the team stated that the negotiations had not reached a consensus, and the attacker had moved the stolen assets to Tornado Cash. The team cooperates with law enforcement agencies to trace the attacker’s origins[4].

Post-Incident Recommendations:

• Enhanced Smart Contract Security: The project team must strengthen the security review of smart contracts. All code should undergo rigorous audits before deployment, with regular vulnerability scans to reduce attack risks.
• Robust Fund Management Strategies: Implement multi-signature wallets and layered fund storage systems to prevent excessive concentration of assets in a single contract, thereby reducing potential losses in case of an attack.
• Collaboration with Security Organizations: Rapid collaboration with blockchain security teams and law enforcement agencies can effectively control damage and expedite asset recovery after an incident.

HarryPotterObamaSonic10Inu

Project Overview: HarryPotterObamaSonic10Inu is the ultimate form of crypto assets. Inspired by BITCOIN, the project encourages the creation of novel and fun meme content. With ownership relinquished and liquidity locked, the ever-growing community has taken the lead. Drawing inspiration from the legendary Bitcoin meme, the project is developing a unique website, exclusive merchandise, and an e-commerce platform. The goal is to create an ecosystem where active community members can interact and collaborate.

Incident Overview:
On December 18, 2024, a series of exploitative transactions targeted the liquidity pool of the HarryPotterObamaSonic10Inu 2.0 token on the Ethereum network. The attacker profited approximately $243,000 and transferred the funds into Tornado Cash.

Over the next four days, the token’s price saw a significant decline of around -33.42%, with its market cap dropping from $245 million to $168 million[5]. \

Post-Incident Recommendations:

• Enhance Smart Contract Security Audits and Optimization
  Engage a third-party professional organization to conduct a comprehensive security audit of the existing smart contracts, focusing on liquidity pool logic and access control. Vulnerabilities should be fixed, and the contract code should be optimized. Mechanisms like time-locks and rate-limiting should be added to prevent malicious operations in a short timeframe.

• Integrate On-Chain Price Oracles
  Integrate reliable on-chain oracles to verify asset prices during deposit and withdrawal transactions, ensuring that operations align with actual market values and preventing funds from being manipulated through price manipulation.

• Increase Community Transparency and Confidence
  Publish the results of the incident investigation and the remediation plan, ensuring transparency of information and building trust within the user community.

FEG

The FEG token is a deflationary governance token within the FEG ecosystem, which includes a decentralized exchange and passive income incentive mechanisms. Its goal is to reshape the operational model of decentralized trading networks. The token is available on both the Ethereum and Binance Smart Chain networks.

Incident Overview:
On December 29, 2024, the FEG project was targeted by a security vulnerability attack, resulting in a loss of approximately $1 million. The incident’s root cause appears to be a composability issue related to the integration of the underlying Wormhole cross-chain bridge, which facilitates cross-chain messaging and token transfers. The Wormhole Foundation later clarified that no issues were found within the Wormhole protocol, and the attack was unrelated to Wormhole.

Following the incident, the team suspended all FEG transactions on centralized exchanges and initiated a comprehensive investigation. While the SmartDeFi contract code was not directly affected, the SmartDeFi protocol was also paused as a precaution. However, all projects on the protocol have remained secure so far[6].

Post-Incident Recommendations:

• Conduct a Comprehensive Security Audit: Engage a third-party professional organization to perform a thorough security audit of the smart contracts and platform code, focusing on access control, logic flaws, and code vulnerabilities. Based on the audit results, promptly address and fix any identified issues, and make the audit report public to enhance user trust.
• Establish a Vulnerability Disclosure and Reward Program: Launch a continuous bug bounty program to encourage security researchers and ethical hackers to identify and report potential vulnerabilities. This will help in addressing vulnerabilities quickly to reduce future security risks.
• Enhance Asset Protection and User Compensation Mechanisms: Develop multi-layered asset protection systems, such as real-time monitoring of abnormal transactions, implementing time-lock functionalities, and using multi-signature wallets. For affected users, establish a fair and transparent compensation plan to restore user confidence and minimize financial losses.

Conclusion

In December 2024, multiple DeFi projects were targeted by security vulnerabilities, resulting in the loss of millions of dollars in assets. These incidents included the Clober DEX liquidity vault attack, a cross-chain exploit caused by the integration of FEG with Wormhole, the staking vulnerability in Vestra DAO, the manipulation of Clipper DEX’s single-asset withdrawal feature, and a flash loan attack on HarryPotterObamaSonic10Inu. These events highlighted critical risks in smart contract security, cross-chain protocol composability, and liquidity pool management. The industry urgently needs to strengthen smart contract audits, implement real-time monitoring, and adopt multi-layered protection mechanisms to improve platform security and user trust. Gate.io reminds users to stay updated on security developments, choose reliable platforms, and enhance personal asset protection.


Reference:

1. Slowmist,https://hacked.slowmist.io/zh/statistics
2. Clipper,https://blog.clipper.exchange/clipper-dec-24-exploit-post-mortem/
3. X,https://x.com/Vestra_DAO/status/1864677381459390781
4. X,https://x.com/CloberDEX/status/1874039225001377816
5. Gate.io,https://www.gate.io/zh-tw/post/status/8242569
6. X,https://x.com/FEGtoken/status/1873265905867866294

Gate Research
Gate Research is a comprehensive blockchain and crypto research platform, providing readers with in-depth content, including technical analysis, hot insights, market reviews, industry research, trend forecasts, and macroeconomic policy analysis.

Click the Link to learn more

Disclaimer
Investing in the cryptocurrency market involves high risk, and it is recommended that users conduct independent research and fully understand the nature of the assets and products they purchase before making any investment decisions. Gate.io is not responsible for any losses or damages caused by such investment decisions.