Rob Behnke
March 4th, 2024
In 2024, the shortest month of the year saw an outsized number of DeFi security incidents. This month, DeFi hacks were divided almost evenly between attacks, exploits of personal accounts, and large-scale rug pulls.
February 2024 included several major hacks of DeFi protocols. Some of the most significant targets included:
PlayDapp: In February 2024, the blockchain gaming platform PlayDapp suffered a malicious minting attack. The attacker’s address was added as an official minter, enabling them to create $1.79 billion PLA tokens worth about $290 million.
DuelBits: The cryptocurrency gambling platform DuelBits suffered $4.6 million in losses in February 2024. The attacker exploited a security vulnerability to drain the tokens from the project’s hot wallet.
FixedFloat: The FixedFloat cryptocurrency exchange suffered a security breach leading to about $26.1 million in losses. While the hack has been publicly acknowledged, no information has been shared regarding the root cause of the incident.
Blueberry Protocol: The Blueberry Protocol — a DeFi leverage project — contained a vulnerability related to incorrect handling of decimal values. An attacker exploited this vulnerability to steal an estimated $1.35 million; however, c0ffeebabe.eth frontrun the hack and returned most of the stolen funds.
This month also saw a couple of significant hacks of major players in the DeFi space. These include:
kirilm.eth: kirilm.eth suffered a phishing attack in which they lost 180.25 BEAM tokens worth an estimated $5.14 million. After the attacker traded the tokens for ETH, the value of BEAM dropped by about 7%.
Jihoz: Jihoz, a co-founder of Axie Infinity (the company behind Ronin Chain), suffered a hack of two of his personal blockchain accounts. In total, attackers stole an estimated $10 million, but company accounts and the Ronin chain were unaffected.
Unfortunately, February also saw a significant number of major exit scams as well. Some major rug pulls this month include:
BitForex: The Hong Kong-based cryptocurrency exchange performed a suspected rug pull in February 2024. The company’s webpage and socials went dark after an estimated $56.5 million was transferred from its wallets. This exit scam may have been precipitated by a regulatory investigation of the unlicensed exchange or the accusation that it artificially inflated trading volumes on its platform.
RiskOnBlast: The RiskOnBlast project on the Ethereum Layer 2 Blast performed a rug pull, stealing from about 750 user wallets. The first incident on the new platform involved a theft of about 420 ETH worth about $1.3 million.
Shido Network: The Shido Network — an Ethereum-based cross-chain platform — celebrated leap day with a suspected rug pull. The project’s staking contract was upgraded by its owner before they withdrew and dumped SHIDO tokens worth an estimated $2.1 million.
February 2024 included a mix of security incidents. The majority of hacks of DeFi protocols exploited smart contract vulnerabilities; however, there were also major hacks of personal wallets and several rug pulls as well.
These hacks and other incidents underscore the importance of implementing security best practices. Rug pulls can come with warning signs, and many smart contract hacks can be avoided by performing a security audit before launch. To learn more about securing your DeFi project against attack, get in touch with Halborn.