Executive Summary

• In November 2024, the Web3 industry experienced 21 security incidents, resulting in losses of approximately $76.86 million, a decrease compared to the previous month.
• This month’s security incidents primarily involved contract vulnerabilities, account hacks, and other attack methods.
• Contract vulnerabilities remain the main threat, accounting for 39% of total losses.
• Most losses occurred on Ethereum and Polygon.
• Major incidents this month include the Thala contract vulnerability ($25.5 million loss), DEXX private key leak ($21 million loss), and Polter Finance flash loan attack ($12 million loss).

Security Incident Overview

According to Slowmist data, November 2024 recorded 21 hacking incidents with losses totaling $76.86 million. The attacks primarily involved contract vulnerabilities, account hacks, and other methods. Both the number of incidents and total losses decreased significantly from October, suggesting improvements in industry security measures and awareness. Contract vulnerabilities remained the leading cause of attacks, with seven incidents causing over $30 million in losses—39% of the total. Official X accounts and websites of crypto projects continued to be prime targets for hackers. [1]

According to Scam Sniffer data, the distribution of public chain security incidents this month indicates that losses were mainly concentrated on several mature and popular public chains, particularly Ethereum and Polygon, which saw security incidents causing losses exceeding $6.91 million and $1.05 million, respectively. This highlights that while the underlying security of public chains remains robust, vulnerabilities in the application layer and in smart contracts still pose significant risks to user funds. [2]

Several blockchain projects experienced significant security incidents this month, resulting in substantial financial losses. Notable incidents include the Thala contract vulnerability causing a $25.5 million theft, the DEXX private key leak leading to a $21 million loss, and the Polter Finance flash loan attack resulting in a $12 million loss.

Major Security Incidents in November

Based on official disclosures, the following projects suffered losses exceeding $1 million in November. These incidents underscore that contract vulnerabilities remain a significant threat.

• Thala experienced a contract vulnerability attack targeting its liquidity pool, resulting in a loss of $25.5 million. Although all user funds were eventually recovered, the incident highlighted critical risks in contract design.
• DEXX faced severe consequences from its practice of directly distributing private keys via its server, which led to the theft of $21 million in user funds. This operational method requires immediate and thorough improvement.
• Polter Finance’s SpookySwap suffered a flash loan attack, losing $12 million. Insufficient security testing following the launch of new markets may have been the root cause. This incident emphasizes the need for comprehensive security audits before deploying new features.
• Delta Prime was attacked due to contract vulnerabilities across multiple chains, incurring losses of approximately $4.75 million. This shows that even on mature chains, projects cannot fully eliminate security risks. Similarly, MetaWin was subjected to an unidentified attack, losing $4 million. The incident spanned multiple chains, reflecting the growing diversity and complexity of attack methods.
• CoinPoker’s hot wallet was compromised, leading to a loss of about $2 million. This attack involved multiple networks, with the stolen funds being laundered through privacy protocols. Additionally, XT Exchange fell victim to an unknown hack, losing $1.7 million. The attackers swiftly converted the funds into ETH and transferred them to specific addresses.

Thala

Project Overview: Thala is a decentralized stablecoin protocol built on Aptos, aiming to provide yield-generating stablecoins and a liquidity supply layer. The protocol supports various forms of collateral, including liquid staking derivatives, liquidity pool tokens, deposit receipt tokens, and assets tied to real-world assets (RWAs). This diversified collateral design ensures decentralization and censorship resistance while also enhancing capital efficiency.

Incident Overview:
On November 15, 2024, the Aptos-based DeFi project Thala experienced a security breach, resulting in a loss of $25.5 million. The attacker exploited a vulnerability in the smart contract. Following the incident, the team promptly suspended the affected contracts and froze some token assets. [3]
Upon investigation, the team successfully froze approximately $11.5 million of the stolen assets. Subsequently, they collaborated with law enforcement and multiple blockchain security teams to address the incident. Through negotiations, the team managed to recover the stolen funds, with the attacker receiving a $300,000 bounty as part of the agreement.

Post-Incident Recommendations:

• Enhanced Smart Contract Security: Project teams must strengthen the security review of smart contracts. All code should undergo rigorous audits before deployment, with regular vulnerability scans to minimize attack risks.
• Robust Fund Management Strategies: Implement multi-signature wallets and layered fund storage systems to prevent excessive asset concentration in single contracts, minimizing potential losses from attacks.
• Collaboration with Security Organizations: Prompt collaboration with blockchain security teams and law enforcement after an incident can effectively control damages and expedite asset recovery.

DEXX

Project Overview: DEXX is an on-chain token trading terminal designed specifically for memecoin trading, offering comprehensive functionality. The platform integrates precise data analysis tools, advanced trading strategies such as mobile stop-loss and take-profit, as well as smart wallet monitoring and real-time notifications to help users optimize their trading experience and efficiently manage assets.

Incident Overview:
On November 16, DEXX experienced a significant security breach due to mismanagement of the official private key, resulting in a private key leak. This led to the theft of user assets totaling over $21 million, affecting more than 500 victims. Impacted tokens included BAN, Banana, and LUCE, with BAN incurring the highest losses. [4]

The following is a timeline of the DEXX hacking incident:

• November 19: DEXX officially announced legal action in response to the security breach and stated that a compensation plan would depend on the recovered funds. SlowMist assisted law enforcement in investigating approximately 2,000 suspicious addresses.
• November 25: Over 1,000 victims submitted information via the SlowMist form. Collaborative efforts to analyze the affected data continued, with emphasis on avoiding false reports.
• November 26: The attacker began exchanging Solana-based tokens for SOL in bulk but had not yet moved them out.
• November 28: SlowMist disclosed 8,612 Solana addresses associated with the attacker and continued consolidating data from EVM chains.
• November 29: The attacker further converted tokens from Solana addresses into SOL and tested token swaps for ETH on EVM chains.
• November 30: The attacker converted tokens into ETH and BNB on EVM chains (ETH/BSC/BASE), but the assets remained unmoved.
• December 5: The attacker used Wormhole to bridge stolen funds from Solana to Ethereum. As of now, the attacker’s Ethereum address holds 4,400.74 ETH, valued at approximately $17.25 million, while their Solana address retains a balance of about $1.5 million. The investigation is ongoing.

Post-Incident Recommendations:

1. Ensure Private Key Security: Users should prioritize private key safety, regularly monitor wallet and account activities, and promptly identify unusual transactions or asset transfers. Utilizing real-time notification tools and smart wallet monitoring can aid in timely responses.
2. Responding to Theft: In the event of stolen assets, victims should take appropriate actions to protect their rights and stay updated on related developments to recover losses effectively.

Polter Finance

Project Overview: Polter Finance is a decentralized, non-custodial lending platform on the Fantom (FTM) blockchain, designed to provide proportional interest income to depositors.

Incident Overview:

The following is a timeline of the Polter Finance hacking incident:

• November 17: Polter Finance suffered an attack exploiting an “empty market” issue, resulting in losses of approximately $12 million. [5]
• November 18: The platform reported that crypto assets on the Fantom chain had been compromised, with losses exceeding $7 million. The attacker initially used Tornado Cash on Ethereum to source funds, bridged them to Fantom, and exploited the vulnerability. Operations were paused to control the breach, and wallets involved were traced to Binance-related addresses. Polter Finance publicly offered to waive legal action if the attacker returned the funds.
• November 19: The attacker transferred 120 ETH to Tornado Cash, equating to a loss of approximately $870,000. Additionally, 11.5 million FTM (around $8 million) was moved in batches to Arbitrum and Ethereum, later deposited into Tornado Cash. At this point, the attacker deposited 220 ETH (approximately $689,000) into an Ethereum address.
• November 20: The hacker continued to funnel funds through Tornado Cash, successfully transferring 2,625.7 ETH.
• November 21: Another 2,600 ETH was moved by the hacker to Tornado Cash.

Post-Incident Recommendations:
Users are advised to exercise caution when using decentralized platforms, particularly those involving cross-chain operations and DeFi projects. Be vigilant about the platform’s security measures, especially during periods of significant market volatility. Project teams must prioritize regular vulnerability assessments and robust risk management practices to ensure the safety of smart contracts and cross-chain bridges.

DeltaPrime

Project Overview: DeltaPrime is a decentralized lending and investment platform designed to unlock restricted liquidity by enhancing capital efficiency. Users can easily deposit and borrow on the platform to amplify their DeFi investment capabilities. The platform offers a minimum collateralization rate of 20%.

Incident Overview:
DeltaPrime experienced multiple hacking incidents in September and November, as shown in the following timeline: \

• September 16: DeltaPrime was attacked on the ARB chain, possibly due to the compromise of an admin private key. This led to the theft of approximately $4.5 million in crypto assets. The attacker converted USDC to ETH and continued transferring the funds. Affected liquidity pools included DPUSDC, DPARB, and DPBTCb. [6]
• September 17: The hacker transferred about 1,200 ETH (valued at approximately $2.8 million) to a new address, bridged the stolen funds to the Ethereum network, and deposited them into Tornado Cash.
• November 11: DeltaPrime was attacked again on the ARB and AVAX chains, resulting in losses of approximately $4.8 million. The attacker exploited USDC farms through LFJ and Stargate, causing around $1.3 million in damages.

Post-Incident Recommendations:
DeFi projects and asset-related platforms must bolster security measures, particularly around critical functionalities like reward claiming. Implementing strict input validation and routine audits can help prevent similar attacks in the future.

MetaWin

Project Overview: MetaWin is a blockchain-based on-chain prediction gaming platform offering a variety of mini-games with prizes of up to $1 million.

Incident Overview:
On November 5, 2024, MetaWin’s crypto gambling platform suffered a hacking attack, resulting in over $4 million in asset losses. The attacker stole funds from hot wallets on Ethereum, Base, and Solana and partially transferred the stolen assets to KuCoin, HitBTC, Binance, and ChangeNow. The attacker distributed 331 ETH (approximately $800,000) across multiple wallets, with each transfer comprising 13, 19, and 21 ETH. Additionally, 115 theft-related addresses linked to the attacker were identified, and the stolen funds are still being transferred. [7]

Post-Incident Recommendations:
The MetaWin attack serves as a reminder to stay vigilant when using crypto platforms, particularly with hot wallets and cross-chain transfers. Users must verify that platforms have robust security measures in place. Regular checks of security announcements, avoiding suspicious addresses, and strengthening account security through multi-factor authentication can help minimize risks. Meanwhile, platforms need to strengthen user fund protection and implement systems for swift detection and response to potential security threats.

Summary

In November 2024, multiple DeFi platforms were hacked, resulting in millions of dollars in stolen assets. These incidents underscore the ongoing security risks in the DeFi sector, emphasizing the industry’s need to prioritize security measures and address vulnerabilities. Platform security and fund flow control remain critical areas of focus. As the industry continues to innovate, ensuring user asset safety and platform stability must be paramount. Gate.io reminds users to exercise caution in the market and safeguard their funds.


References:

1. Slowmist, https://hacked.slowmist.io/zh/statistics
2. Dune, https://dune.com/scam-sniffer
3. X, https://x.com/ThalaLabs/status/1857703541089120541
4. X, https://x.com/OneKeyCN/status/1857594520470425875
5. X,https://x.com/evilcos/status/1858011161062674739
6. X,https://x.com/peckshield/status/1855900790063607929
7. Tele, https://t.me/investigations/176

Gate Research
Gate Research is a comprehensive blockchain and cryptocurrency research platform that delivers in-depth content. This includes technical analysis, hot topic insights, market reviews, industry research, trend forecasts, and macroeconomic policy analysis.

Click here to visit now

Disclaimer
Investing in the cryptocurrency market involves high risk, and it is recommended that users conduct independent research and fully understand the nature of the assets and products they are purchasing before making any investment decisions. Gate.io is not responsible for any losses or damages caused by such investment decisions.