Month in Review: Top DeFi Hacks of April 2024


Rob Behnke

May 1st, 2024


April was relatively tame in the DeFi space compared to March. There were only five hacks and a single rug pull with values exceeding $1 million. Those five hacks caused losses totaling approximately $48.9 million, less than half that of the previous month.

Biggest DeFi Hacks of April 2024

April 2024’s biggest hacks leaned toward smart contract vulnerability exploits. The major hacks of this month included the following:

  • FixedFloat: On April 1, FixedFloat suffered another hack by the same group that performed its February exploit. This attack took advantage of a vulnerability in a third-party service to steal $3 million from the protocol.

  • Zest Protocol: Zest Protocol, a Bitcoin-native lending protocol, suffered a $1 million exploit. The attacker was able to artificially increase the value of their collateral, allowing them to take out a much larger loan.

  • Grand Base: Grand Base — a real-world asset (RWA) tokenization platform hosted on the Base Layer 2 — suffered a $2 million hack. The attackers stole the deployer wallet’s private key and used it in a malicious mint of 32.5 million GB tokens that they later sold.

  • Hedgey Finance: Hedgey Finance suffered a $42.9 million hack due to incomplete input validation. The attacker used flash loans to exploit the vulnerability and create malicious approvals, allowing them to drain deposits made by other users.

  • ZKasino: In March 2024, the team behind the decentralized betting platform ZKasino performed an exit scam for $33 million. The team transferred the stolen assets into Lido for yield farming.

  • Pike Protocol: The Pike Protocol suffered two hacks in April 2024 with values of $300,000 and $1.6 million respectively. The first attack exploited poor validation of cross-chain transfers, while the second took advantage of errors in memory mapping caused by the updates that addressed the first issue.


Lessons Learned from the Attacks

In April 2024, two of the attacks took advantage of vulnerabilities in projects’ smart contracts, while the other two exploited private key security and a supply chain compromise. This combination highlights the importance of performing a comprehensive security audit of a protocol before launch. Smart contract audits are important for catching code errors, but supply chain risks and private key theft are threats that can only be managed via a comprehensive security and threat management program. For more information on securing your blockchain project, feel free to get in touch with Halborn.