MetaEra partners with CertiK to release the December 2024 Security Report, conveying critical security information to the industry.
Author: 0x9999in1, MetaEra
In December 2024, the Web 3.0 industry faced a series of security challenges, including flash loan attacks, vulnerability exploits, and exit scams. Cumulative losses fell sharply compared with the previous month but still reached $28.64 million, the lowest monthly total of the year.
The two largest incidents in December were GemPad and FEG, both vulnerability exploits, with losses of $2.14 million and $1.07 million respectively. The report also analyzes the top ten security incidents of the month, representative cases from each of the three major incident categories, and the monthly loss figures for those categories, with the aim of strengthening user security awareness, supporting user education, and preventing attacks. The specific data and analysis follow.

Top 5 Flash Loan Attack Security Incidents in December
CloberDex
On December 10, 2024, the CloberDex liquidity insurance pool was attacked, resulting in a loss of 133 ETH (about $500,000). The attacker has since bridged the stolen funds from Base to Ethereum. The root cause was a reentrancy vulnerability: the CloberDex contract performed no reentrancy check in the code path that burns LP tokens, and it updated its state variables only after making an external call, so the attacker could re-enter during that call and drain the project's WETH.
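The bug class behind the CloberDex incident, a burn path that makes an external call before it updates state, is easy to recognise once seen side by side with the fix. The following is an added illustration written for this report, not CloberDex's code: a hypothetical WETH pool (contract names, the `onBurn` callback, the 1:1 LP minting and the `Reenter` attacker are all assumptions made for the example) whose `burnAll()` pays out first and records the burn afterwards, next to a version that follows checks-effects-interactions and adds a mutex.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only (not the CloberDex contract): an LP burn that pays out
// before updating state, beside the checks-effects-interactions fix.

interface IWETH {
    function balanceOf(address) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical callback a contract burner can implement; this is the re-entry point.
interface IBurnCallback {
    function onBurn(uint256 wethOut) external;
}

abstract contract PoolBase {
    IWETH public immutable weth;
    mapping(address => uint256) public lpBalance;
    uint256 public totalLp;

    constructor(IWETH _weth) { weth = _weth; }

    // 1:1 LP minting keeps the arithmetic simple; it is not the point of the example.
    function deposit(uint256 amount) external {
        weth.transferFrom(msg.sender, address(this), amount);
        lpBalance[msg.sender] += amount;
        totalLp += amount;
    }

    // Pro-rata WETH owed for `lp` shares at the current reserve.
    function _owed(uint256 lp) internal view returns (uint256) {
        return lp * weth.balanceOf(address(this)) / totalLp;
    }

    // The interaction: transfer, then hand control to the burner if it is a contract.
    function _pay(uint256 out) internal {
        weth.transfer(msg.sender, out);
        if (msg.sender.code.length > 0) IBurnCallback(msg.sender).onBurn(out);
    }
}

contract VulnerablePool is PoolBase {
    constructor(IWETH w) PoolBase(w) {}

    function burnAll() external {
        uint256 lp = lpBalance[msg.sender];
        require(lp > 0, "no LP");
        uint256 out = _owed(lp);
        // BUG: interaction before effects. During onBurn() lpBalance and totalLp
        // still hold pre-burn values, so a nested burnAll() passes the check and
        // is paid again; every nested frame then runs the same two writes below.
        _pay(out);
        lpBalance[msg.sender] = 0;
        totalLp -= lp;
    }
}

contract HardenedPool is PoolBase {
    uint256 private _lock = 1;

    // Mutex as defence in depth; the ordering below is the real fix.
    modifier nonReentrant() {
        require(_lock == 1, "reentrant");
        _lock = 2;
        _;
        _lock = 1;
    }

    constructor(IWETH w) PoolBase(w) {}

    function burnAll() external nonReentrant {
        uint256 lp = lpBalance[msg.sender];
        require(lp > 0, "no LP");
        uint256 out = _owed(lp);
        lpBalance[msg.sender] = 0; // effects first: a re-entrant call now sees 0 and reverts
        totalLp -= lp;
        _pay(out);                 // interactions last
    }
}

// Attacker: re-enters burnAll() maxDepth times from the callback. Against
// VulnerablePool each nested call is paid lp * reserve / totalLp again.
contract Reenter is IBurnCallback {
    VulnerablePool public immutable pool;
    uint256 public immutable maxDepth;
    uint256 public depth;

    constructor(VulnerablePool p, uint256 d) { pool = p; maxDepth = d; }

    // WETH must already have been sent to this contract.
    function attack(uint256 amount) external {
        pool.weth().approve(address(pool), amount);
        pool.deposit(amount);
        pool.burnAll();
    }

    function onBurn(uint256) external override {
        if (msg.sender == address(pool) && depth < maxDepth) {
            depth++;
            pool.burnAll();
        }
    }
}
```

Two details matter when reviewing code like this. First, the drain works under Solidity 0.8 checked arithmetic because the final write is an assignment (`lpBalance[msg.sender] = 0`), which is idempotent across the unwinding frames; `totalLp -= lp` still runs once per frame, so the attacker bounds `maxDepth` so that `(maxDepth + 1) * lp` does not exceed `totalLp`. Second, the mutex alone would have stopped this attack, but moving the state writes ahead of `_pay()` is what removes the bug; a guard only protects the functions it is applied to, and a reordered burn path stays safe even if a new entry point is added later without the modifier.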
Clipper DEX
On December 1, 2024, an attacker exploited a vulnerability in Clipper's smart contract by manipulating its single-asset deposit and withdrawal function. The attack affected liquidity pools on the Optimism and Base networks, unbalancing the pool assets so that the attacker could withdraw more than had been deposited. Losses were approximately $450,812.
Moonwell DeFi
On December 25, 2024, Moonwell DeFi, a decentralized lending protocol on the Optimism network, was hit by a flash loan attack, losing $320,000. The attacker used a malicious contract disguised as an "mToken" to attack the protocol's USDC lending contract, obtaining token approvals it was not entitled to and using them to drain funds from Moonwell users.
BYC
On December 3, 2024, RunWay (BYC) was allegedly attacked on BSC, resulting in a loss of approximately $100,000.
ZeroLend
The lending platform ZeroLend was hit by a flash loan attack, losing approximately $77,000.
Top 5 Vulnerability Exploitation Security Incidents in December
GemPad
On December 17, 2024, GemPad was exploited through a platform vulnerability and the attacker stole about $2.1 million. According to the analysis, the attacker drained funds from GemPad's token lock, swapped them into ETH and BNB, and consolidated the proceeds. GemPad stated that only a few projects were affected and that the platform has since been secured and relaunched.
FEG
On December 29, 2024, the FEG project was attacked, with losses of approximately $1.07 million. According to the analysis, the root cause appears to be a composability issue in FEG's integration with the underlying Wormhole cross-chain bridge, which it uses for cross-chain message and token transfers.
Vestra DAO
On December 4, 2024, Vestra DAO tweeted that a hacker had exploited a vulnerability in its lock-up staking contract, manipulating the reward mechanism to claim far more rewards than they were entitled to. A total of 73,720,000 VSTR tokens were stolen; the attacker gradually sold them on Uniswap, draining approximately $400,000 in ETH liquidity.
Spectral
On December 1, 2024, Spectral tweeted that it had received an alert about a vulnerability in its bonding curve contract on Syntax, which was exploited to remove approximately $250,000 in liquidity.
HarryPotterObamaSonic10Inu 2.0
On December 18, 2024, a series of exploit transactions targeting the HarryPotterObamaSonic10Inu 2.0 token's liquidity pool appeared on Ethereum. The attacker profited by approximately $243,000 and deposited the funds into Tornado Cash.
About CertiK
CertiK continuously tracks security trends in the Web 3.0 domain, having conducted over 70 white-hat operations, reported more than 4,000 security incidents, discovered over 115,000 code vulnerabilities, and protected over $360 billion in digital assets from potential losses. Through its annual and quarterly security reports, CertiK conveys critical security information to the industry.
About MetaEra
MetaEra is a leading information platform and brand and growth expert in the Web 3.0 industry. Drawing on resources across global regions, MetaEra provides creative solutions and customized services for brand management and business growth.