Rob Behnke
January 2nd, 2025
DeFi hackers closed out 2024 with very few major hacks. Across the entire month of December, there were only two hacks — and one older one — with losses of over $1 million. In total, approximately $15 million was lost across the three incidents. In contrast, November 2024 had six major DeFi hacks with about $78 million in losses.
December was also notable for the alleged rug pull of the Hawk Tuah memecoin. Within minutes of the token’s launch, mass selloffs by early investors caused the token’s price to fall dramatically while allowing these early buyers to walk away with $3 million in profits.
In December 2024, only three DeFi hacks resulted in at least $1 million in losses. These include the following:
LastPass: In 2022, LastPass suffered a security incident in which multiple encrypted vaults were stolen from the company’s cloud storage. Since then, the attackers have worked to crack the Master Passwords protecting these vaults to extract the passwords and private keys stored within. An estimated $45 million has been stolen in total, with $12.38 million drained from crypto wallets on December 16 and 17, 2024.
GemPad: GemPad is a platform that allows projects to deploy tokens using pre-audited smart contracts. However, in December 2024, users of the platform lost an estimated $1.9 million in locked assets when an attacker exploited a reentrancy vulnerability in the collectFees function of the GemPad smart contract.
FEG: Feed Every Gorilla (FEG) was the victim of a $1.3 million hack in December 2024. The attacker exploited an input validation vulnerability in how the relayer in the project’s SmartBridge processed Wormhole bridge messages to perform unauthorized withdrawals.
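The GemPad incident above is described as a reentrancy bug in a fee-collection function. The following is an added, illustrative Solidity example (not GemPad’s code, and not a reconstruction of the exploited contract) showing the general pattern an auditor looks for: a `collectFees` that makes an external call before updating state, next to a hardened version that applies checks-effects-interactions and a reentrancy guard. The contract names, the `fees` mapping, and the `accrueFee` helper are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative fee locker (assumed design, not GemPad's code). Callers accrue
// ETH fees and later collect them. Two versions of collectFees are shown.

contract FeeLockerVulnerable {
    mapping(address => uint256) public fees;

    function accrueFee() external payable {
        fees[msg.sender] += msg.value;
    }

    // VULNERABLE PATTERN: the external call runs before the balance is zeroed,
    // so a contract that receives the ETH can call collectFees again from its
    // receive() hook and be paid a second time from the stale balance.
    function collectFees() external {
        uint256 amount = fees[msg.sender];
        require(amount > 0, "nothing to collect");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        fees[msg.sender] = 0; // effect after interaction: too late
    }
}

contract FeeLockerHardened {
    mapping(address => uint256) public fees;
    uint256 private _status = 1; // 1 = not entered, 2 = entered

    // Minimal reentrancy guard (same idea as OpenZeppelin's ReentrancyGuard).
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    function accrueFee() external payable {
        fees[msg.sender] += msg.value;
    }

    // HARDENED: checks, then effects, then the external interaction, and the
    // guard blocks any nested call even if a future refactor breaks the order.
    function collectFees() external nonReentrant {
        uint256 amount = fees[msg.sender];
        require(amount > 0, "nothing to collect");
        fees[msg.sender] = 0; // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

When reviewing a fee or withdrawal path, the check is mechanical: find every external call (`call`, `transfer`, token `safeTransfer`, ERC-777 hooks) and confirm that no storage the function relies on is written after it, or that the function is guarded.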
December 2024 was one of the quietest months for DeFi hacks in several months. Unusually, both of the major hacks that occurred that month involved attackers exploiting “out of scope” issues in audited smart contracts.
For GemPad, this was the project’s underlying smart contracts that supported the audited token contracts deployed by its users. In FEG’s case, the interactions between the project’s audited SmartBridge and Wormhole bridge introduced an exploitable security flaw.
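The FEG incident is described as an input validation flaw in how a relayer processed bridge messages, and the paragraph above makes the broader point that the hazard lives in the interaction between an audited contract and the bridge it consumes. The following added Solidity example (not FEG’s SmartBridge, not Wormhole’s code, and not a reconstruction of the exploit) shows the validation a message receiver should perform before acting on a cross-chain withdrawal: signature validity, a trusted emitter per source chain, replay protection, and payload shape. The `IVerifiedMessenger` interface is a simplified stand-in assumed for this example rather than any real bridge ABI.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed, simplified interface for a bridge core that verifies guardian or
// validator signatures and returns the parsed message. Stand-in only.
interface IVerifiedMessenger {
    struct Message {
        uint16 emitterChainId;   // source chain of the message
        bytes32 emitterAddress;  // contract that emitted it on that chain
        uint64 sequence;
        bytes32 hash;            // unique digest used for replay protection
        bytes payload;
    }

    function parseAndVerify(bytes calldata encoded)
        external
        view
        returns (Message memory message, bool valid, string memory reason);
}

contract BridgeReceiver {
    IVerifiedMessenger public immutable messenger;
    address public immutable owner;

    // Exactly one trusted emitter per source chain, registered by the owner.
    mapping(uint16 => bytes32) public trustedEmitter;
    // Messages already redeemed, keyed by the verified message hash.
    mapping(bytes32 => bool) public consumed;
    // Credited balances (assumed accounting for this example).
    mapping(address => uint256) public balance;

    constructor(IVerifiedMessenger m) {
        messenger = m;
        owner = msg.sender;
    }

    function registerEmitter(uint16 chainId, bytes32 emitter) external {
        require(msg.sender == owner, "not owner");
        require(emitter != bytes32(0), "zero emitter");
        trustedEmitter[chainId] = emitter;
    }

    // Anyone (a relayer included) may submit a message; the contract, not the
    // relayer, decides whether it is acceptable.
    function redeem(bytes calldata encoded) external {
        (IVerifiedMessenger.Message memory m, bool valid, string memory reason) =
            messenger.parseAndVerify(encoded);
        require(valid, reason);

        // Origin checks: a validly signed message from an arbitrary contract on
        // another chain must not be honored as a withdrawal authorization.
        bytes32 expected = trustedEmitter[m.emitterChainId];
        require(expected != bytes32(0), "unknown source chain");
        require(m.emitterAddress == expected, "untrusted emitter");

        // Replay protection before any state change that credits funds.
        require(!consumed[m.hash], "already redeemed");
        consumed[m.hash] = true;

        // Shape check before decoding: (address, uint256) is two 32-byte words.
        require(m.payload.length == 64, "bad payload length");
        (address to, uint256 amount) = abi.decode(m.payload, (address, uint256));
        require(to != address(0) && amount > 0, "bad payload values");

        balance[to] += amount;
    }
}
```

The audit-scope lesson is that none of these checks belongs to the bridge core: it only attests that a message was signed. Which emitters are trusted, whether a message was already used, and what a payload may contain are decisions of the consuming contract, so a review that stops at the bridge boundary leaves them unexamined.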
These incidents underscore the importance of auditing smart contracts in the context of their larger ecosystem with a focus on cross-contract interactions. For help with protecting against these types of threats in your projects, reach out to Halborn.