Hack3d: The Web3 Security Report 2024
CMC Research

5 hours ago

Uncover Web3’s 2024 security landscape: $2.36B lost, phishing dominance, top crypto incidents, and CertiK's cutting-edge solutions shaping a safer blockchain future.


Welcome to Hack3d: The Web3 Security Report for 2024. CertiK’s Hack3d reports offer deep dives into the exploits, vulnerabilities, and trends that define blockchain and smart contract security. They’re an invaluable resource for anyone seeking to understand the current landscape of Web3 security. Each report contains detailed incident analyses, technical insights, and the most comprehensive statistics on hacks, scams, and exploits in the entire Web3 industry.

Executive Summary

The year 2024 saw $2.36 billion lost to 760 on-chain security incidents, a 31.61% increase in stolen value compared to 2023. The growing sophistication of attacks was evident, with the average loss per hack reaching $3.1 million, a 23.04% rise from the previous year.
  1. Losses and Security Incidents:
    • Monthly Highlights: May was the costliest ($444.4 million lost), and Q3 saw the most incidents, totaling $753.3 million.
    • Attack Vectors:
      • Phishing (296 incidents, $1.05 billion lost).
      • Private key compromises (65 incidents, $855.4 million lost).
    • Chain-Specific Impacts:
      • Ethereum ($748.7 million stolen across 403 incidents).
      • Bitcoin and Tron also experienced significant targeting.
    • Global and Multi-Chain Losses: $435 million lost across 39 incidents affecting multiple blockchains.
  2. Market Milestones:
    • SEC approved Bitcoin and Ethereum ETFs, including offerings by BlackRock and Fidelity.
    • Post-election policies by the Trump administration favored crypto, promising a national Bitcoin reserve and rejecting CBDCs.
    • Regulatory strides varied globally:
      • The EU implemented the MiCA framework for crypto market regulation.
      • Asia saw stricter oversight (e.g., Japan’s Financial Services Agency warnings).
  3. TVL vs. Security Risks: Total Value Locked (TVL) in DeFi surged, particularly in Ethereum liquid staking ($17 billion by year-end). Despite a moderate correlation (R² = 0.32) between TVL and stolen funds, improved security measures mitigated some risks.

Phishing: The Dominant Threat

  • Phishing attacks led to the largest losses per incident ($2.8 million average), with Ethereum and Binance Smart Chain being prime targets. These attacks exploited human vulnerabilities, employing tactics like fake emails and websites.
  • Notable Incidents:
    • DMM Bitcoin Hack: $304 million lost to address poisoning phishing.
  • Year-on-Year Trends: Phishing-related losses increased 331.03% from 2023.

Protection Tips: Employ two-factor authentication, scrutinize URLs, update software, and avoid public Wi-Fi for transactions.

Notable Security Breaches

  1. DMM Bitcoin Hack: Address poisoning led to a $304 million loss. Speculation linked North Korea’s Lazarus Group to the attack.
  2. Genesis Creditor Scam: Social engineering resulted in a $243 million theft. Quick recovery efforts led to suspect arrests and partial fund recovery.
  3. U.S. Government Wallet Breach: A high-profile $20 million theft exposed vulnerabilities in handling seized crypto assets.

CertiK's 2024 Achievements

CertiK strengthened Web3 security by auditing major projects, uncovering critical vulnerabilities, and expanding services. Key accomplishments include:

  • Tech Innovations:
    • First formal verification of ZKWasm Circuit.
    • Security assessments for GalaChain and Bybit Keyless Wallets.
  • Regulatory Contributions:
    • Stablecoin frameworks approved by Hong Kong regulators.
  • Client Outreach: Secured $511 billion in assets, detected over 115,000 vulnerabilities, and retained nearly 50% of the Web3 auditing market.

CertiK Security Tools:
  • Penetration Testing and Bug Bounty Programs.
  • Skynet Alerts for real-time monitoring of rugpulls and exploits.
  • SkyInsights for compliance and risk management.

Conclusion

The crypto industry achieved significant adoption milestones in 2024 but faced escalating security challenges. Phishing, private key compromises, and social engineering underscored vulnerabilities amid rising TVL. CertiK’s ongoing efforts in auditing, compliance, and innovation play a pivotal role in fortifying the Web3 ecosystem. However, maintaining trust and mitigating risks remain paramount as the industry evolves.

Read the report for free here.
