February Web3 Security Incident Recap: Total Losses Amounted to $404 Million

According to the SlowMist Blockchain Security Incident Database, in February 2024, there were a total of 28 security incidents, resulting in approximately $404 million in losses. Reasons for these incidents included contract vulnerabilities, DDoS attacks, flash loan attacks, private key leaks, and account thefts.

Major Incidents

Phantom

On February 2, 2024, the

cryptocurrency

wallet Phantom reported a DDoS attack, with attempts made to overload its system. Some services may experience temporary interruptions, posing potential risks to user assets. Subsequently, Phantom tweeted that all services had been restored to normal operation and were running smoothly once again.

Starlay Finance

On February 8, 2024, the lending protocol Starlay Finance within the Polkadot ecosystem was attacked, resulting in losses of approximately $2.1 million. On February 9, Starlay Finance tweeted that preliminary analysis indicated the attack was due to exploitation of an error in liquidity index calculation, leading to unauthorized withdrawals.

PlayDapp

On February 10, 2024, the blockchain gaming platform PlayDapp was attacked, with the hacker's address being added as a minter, minting 200 million PLA tokens (approximately $36.5 million). Shortly after the incident, PlayDapp sent a message to the hacker via on-chain transaction, requesting the return of the stolen funds and offering a $1 million white-hat reward, but negotiations ultimately failed. On February 12, PlayDapp was subjected to a second attack, with the hacker minting an additional 1.59 billion PLA tokens (approximately $253.9 million) and beginning to transfer them via cryptocurrency trading platforms. According to statistics, the hacker's attacks resulted in approximately $290 million in losses.

Duelbits

On February 14, 2024, the hot wallet of the cryptocurrency gambling platform Duelbits was attacked, resulting in losses of approximately $4.6 million. The suspected cause of the theft was private key leakage.

FixedFloat

On February 17, 2024, according to on-chain data, the

cryptocurrency exchange

platform FixedFloat was attacked, resulting in losses of approximately $26.1 million worth of Bitcoin and Ethereum. FixedFloat clarified regarding the attack: “This hacking incident was an external attack caused by vulnerabilities in our security structure and was not carried out by employees. User funds were not affected by the 'external attack'.” On February 18, FixedFloat stated on Twitter: “We confirm that there was indeed a hacking attack and funds were stolen. We are not yet ready to make a public comment on this matter as we are working diligently to eliminate all potential vulnerabilities, enhance security, and conduct an investigation. Services of FixedFloat will be restored soon, and detailed information regarding this incident will be provided later.”

BitForex

On February 23, 2024, the Hong Kong-based cryptocurrency exchange BitForex was suspected of exiting operations (running away with investors' funds), as it closed access to its platform after approximately $56.5 million in suspicious funds outflows across multiple blockchains. On-chain investigator ZachXBT was the first to notice unusual withdrawals from the exchange. He pointed out that the exchange had ceased processing withdrawals and had not responded to customers. The company faced regulatory scrutiny in Japan in mid-2023 for operating without a license and was accused of inflating trading volumes. Its CEO resigned in January, promising that a new team would take over.

Summary

Among the 28 major security incidents in February, two projects (Blueberry Protocol and Seneca) collectively recovered approximately $6.38 million of stolen funds. The losses from a total of three incidents of private key leaks amounted to approximately $304 million, accounting for about 75% of the total losses in security events this month. Additionally, four incidents of contract vulnerabilities exploitation resulted in approximately $7.25 million in losses.