Bad actors stole roughly $2.3 billion from Web3 projects, with Ethereum accounting for more than half of the total losses.
According to Cyvers' report on the state of Web3 security in 2024, 51% of stolen funds came from Ethereum-based projects, largely due to its role as the leading blockchain for DeFi and its extensive liquidity.
BNB Chain was the second most targeted blockchain, accounting for 24% of the losses, while Bitcoin, XRP and Arbitrum accounted for 5%, 4% and 3% respectively.
Access control errors were responsible for 81% of total monetary losses in 2024, due to weak authentication and permission mechanisms. Smart contract vulnerabilities were responsible for 19% of losses, with attackers exploiting loopholes in the code to siphon off funds.
The three biggest Web3 hacks of 2024 included the $305 million DMM Bitcoin exploit, the $290 million PlayDapp breach, and the $235 million WazirX attack. Each of these incidents resulted from vulnerabilities in the access control mechanisms.
Other multi-million dollar incidents include the exploitation of Ethereum-based Munchables, which lost $97 million after a rogue developer exploited smart contract vulnerabilities. Meanwhile, the attacks caused $68 million in losses.
“Many Web3 projects still do not implement the proper security protocols to protect user assets. Even a single mistake in a smart contract can be catastrophic, and 2024 was proof of that,” the report said.
Cryptocurrency losses increased quarter-over-quarter through 2024, with the third quarter being the most damaging, accounting for $669 million in losses. The fourth quarter saw the fewest incidents, with losses of $130 million.
Recovery efforts yielded mixed results: $620 million was recovered in the first quarter and $562 million in the second quarter. However, recovery declined sharply in the second half of the year, with only $93 million recovered in the third quarter and $25 million in the fourth quarter.
“While early intervention can help recover stolen assets, delays often mean money disappears before authorities and security teams can act,” the report said.
To combat growing threats, Cyvers pushed for the standardization of continuous monitoring and real-time vulnerability testing and advocated the use of AI-powered detection mechanisms.
An earlier report from Web3 security firm PeckShield highlighted that crypto hacks and scams increased by more than 15% in 2024, and that decentralized finance protocols were the biggest targets.