Month in Review: Top DeFi Hacks of August 2024

In recent months, DeFi hackers have engaged in numerous high-value exploits. For example, July 2024 involved eight $1M+ hacks racking up over $265 million in losses.

However, in August 2024 DeFi hackers seemed to take a break. Two DeFi protocols and a crypto whale were the victims of high-value hacks, resulting in under $60 million in losses.

Biggest DeFi Hacks of August 2024

August 2024 was the month with the lowest number of DeFi hacks in recent history. The three biggest hacks of this month include:

• Ronin: The Ronin cross-chain bridge — famous for being the target of the biggest DeFi hack to date — suffered another security incident in August 2024. During a protocol update, an important initialization function wasn’t called in the revised code, disabling the protocol’s protection against malicious transactions. The vulnerability was exploited by a MEV bot for $12 million, which was later returned to the protocol in exchange for a bug bounty.

• Vow: Like the Ronin hack, the Vow exploit was made possible by errors made by the team behind the project. While testing changes to rate formulas, the protocol opened a window where an attacker could mint tokens at an inflated rate. As a result, they were able to mint 2 billion tokens, some of which were dumped for profits of about $1.2 million.
  

• Crypto Whale: A crypto whale on the Ethereum blockchain was the victim of a targeted social engineering hack in which $55.47 million was stolen from their Maker Vault. The attacker likely tricked the whale into signing a malicious transaction that transferred ownership of the DSProxy that controlled the vault, enabling the attacker to siphon out the stolen funds.

Lessons Learned from the Attacks

The biggest DeFi hacks of August 2024 deviated significantly from the norm. Most months have several instances of security incidents caused by compromised private keys or overlooked vulnerabilities in smart contracts. This month, the closest to this was the hack of a crypto whale who was tricked into signing a malicious transaction through a phishing scheme.

The common thread in this month’s DeFi hacks was poor development and testing practices. Ronin forgot to call a crucial function, and Vow tested functionality live on chain where an attacker could exploit the changes in the rate setting formula.

The main takeaway from August 2024 is that all changes to smart contracts should be tested as part of a formal, secure process that incorporates a smart contract audit. For help in securing your project against similar threats, reach out to Halborn.