According to statistics from the Slowmist Blockchain Hacked Archive (https://hacked.slowmist.io), in February 2024, a total of 28 security incidents occurred, with a total loss of approximately US$404 million. The reasons involved contract vulnerabilities, DDoS attacks, Flash loan attacks, private key leaks, account theft, etc.
Phantom
On February 2, 2024, the crypto wallet Phantom stated that it was subject to a DDoS attack. Someone tried to overload its system. Some services may be temporarily interrupted, and user assets are safe. Later, Phantom tweeted that all services had returned to normal and were running smoothly again.
(https://twitter.com/phantom/status/1753100432145318116)
Starlay Finance
On February 8, 2024, Starlay Finance, the lending protocol of the Polkadot ecosystem, was attacked, resulting in a loss of approximately US$2.1 million. On February 9, Starlay Finance tweeted that preliminary analysis showed that the attack was due to an error in the calculation of the liquidity index being exploited, resulting in unauthorized withdrawals.
(https://twitter.com/starlay_fi/status/1755856271184654360)
PlayDapp
On February 10, 2024, the blockchain gaming platform PlayDapp was attacked, and the hacker’s address was added as a minter to mint 200 million PLA tokens (approximately $36.5 million). Shortly after the incident, PlayDapp sent a message to the hacker through an on-chain transaction, demanding the return of the stolen funds and a $1 million white hat reward, but the negotiations ultimately failed. On February 12, PlayDapp suffered a second attack, and hackers minted an additional 1.59 billion PLA tokens (approximately $253.9 million) and began transferring them through cryptocurrency trading platforms. According to statistics, hacking attacks resulted in losses of approximately $290 million.
(https://twitter.com/playdapp_io/status/1756060784692736038)
Duelbits
On February 14, 2024, the hot wallet of the encrypted gambling platform Duelbits was attacked, resulting in a loss of approximately US$4.6 million. The reason for the theft was suspected to be the leakage of private keys.
(https://twitter.com/Duelbits/status/1758159495807541459)
FixedFloat
On February 17, 2024, the cryptocurrency trading platform FixedFloat was attacked, losing approximately $26.1 million in Bitcoin and Ethereum, according to on-chain data. FixedFloat clarified in response to this attack: This hacking attack was an external attack caused by a loophole in the security structure, and was not carried out by employees. User funds were not affected by an "external attack." On February 18, FixedFloat said on Twitter: “Confirming that a hack and funds were stolen, we are not yet ready to comment publicly on this matter as we work to eliminate all potential vulnerabilities, improve security, and investigate. .FixedFloat's service will be restored soon and details about this incident will be provided at a later date."
(https://twitter.com/FixedFloat/status/1759216185185288653?s=20)
Blueberry Protocol
On February 22, 2024, the DeFi lending protocol Blueberry Protocol was attacked, resulting in a loss of approximately 457.7 ETH (approximately $1.35 million). The attack was intercepted by a white hat hacker c0ffeebabe.eth, and 366 ETH was returned to Blueberry Protocol. According to Blueberry Protocol’s incident analysis report, the attack was caused by an oracle deployment error.
(https://medium.com/@blueberryprotocol/2-22-24-exploit-post-mortem-6f6be7c1dcc3)
BitForex
On February 23, 2024, Hong Kong-based BitForex cryptocurrency trading platform shut down access to the platform after suspicious outflows of approximately $56.5 million across multiple blockchains. On-chain sleuth ZachXBT, who first noticed the withdrawal changes at the exchange, noted that the trading platform had stopped processing withdrawals and was not responding to customers. The company faced regulatory scrutiny in Japan in mid-2023 for operating without a license and was accused of inflating trading volumes. Its chief executive resigned in January, promising a new team would take over.
(https://twitter.com/zachxbt/status/1762028433574650347)
Device
On February 23, 2024, Axie Infinity co-founder Jihoz tweeted: Two personal addresses have been leaked. The scope of this attack is only his personal account and has nothing to do with the verification or operation of the Ronin chain. Furthermore, the leaked keys have nothing to do with the operations of Sky Mavis. He wanted to assure everyone that strict safety measures are in place for all chain-related activities. According to statistics, the attack resulted in approximately $10 million in losses.
(https://twitter.com/Jihoz_Axie/status/1760845078757511562)
Seneca
On February 28, 2024, the full-chain CDP protocol Seneca was attacked by hackers due to contract vulnerabilities. The hacker uses the constructed calldata parameter to call transferfrom to transfer the tokens authorized to the project contract to his own address, and finally exchange them for ETH. Seneca was hacked and more than 1,900 ETH were stolen, worth about $6.5 million. On February 29, Seneca hackers returned 1,537 ETH (approximately $5.3 million) to the Seneca deployer address.
(https://twitter.com/SlowMist_Team/status/1762865505042645010)
Shido Network
On February 29, 2024, Shido Network, the decentralized cross-chain protocol on the Ethereum chain, was suspected of running away. The owner of the SHIDO token staking contract first upgraded the staking contract, then withdrew a large amount of SHIDO, and finally sold a large amount of SHIDO at a price of 692 ETH (approximately $2.1 million).
Among the 28 major security incidents this month, 2 projects (Blueberry Protocol and Seneca) recovered a total of approximately US$6.38 million in stolen funds; the losses from the 3 private key leak incidents this month amounted to approximately 304 million, accounting for approximately 304 million US dollars in total. 75% of the total losses from monthly security incidents. The SlowMist security team recommends that users and project parties strengthen the protection measures for private keys, such as using hardware wallets, offline storage, etc. to improve the security of private keys; 4 contract vulnerabilities were exploited this month The incident resulted in a loss of approximately US$7.25 million. The SlowMist security team recommends that project parties always remain vigilant and conduct regular security audits to track and resolve new security threats and vulnerabilities to protect project and asset security to the greatest extent. Finally, the incidents included in this article are the main security incidents of this month, and the incidents of personal user theft are not included in the statistics. More blockchain security incidents can be viewed in the Slowmist Blockchain Hacked Archives (https://hacked.slowmist.io/). Click to read the original text to jump directly.