Rob Behnke
August 1st, 2024
In July 2024, DeFi hackers performed a series of high-value hacks, netting over $265 million in stolen crypto. However, the bulk of these losses fell on a single exchange, WazirX, which lost an estimated $230 million.
In July 2024, eight DeFi hacks each resulted in over $1 million in losses. These include:
Bittensor Wallet: In July 2024, Bittensor wallet users suffered a supply chain attack using a malicious PyPI package. Affected users lost an estimated $8 million after executing the package that contained key-stealing malware.
Dough Finance: Dough Finance experienced a hack exploiting a failure by its contracts to validate call data. The attackers stole an estimated $1.8 million from the project.
Minterest: Minterest, a cross-chain lending protocol, suffered a $1.4 million flashloan attack. The attacker exploited a reentrancy vulnerability in the project’s contract to drain deposited funds.
LI.FI: LI.FI experienced a July hack due to a vulnerability in its smart contracts. The cross-chain bridge lost an estimated $10 million to the attackers.
WazirX: The WazirX cryptocurrency exchange was the victim of a sophisticated hack that netted the attackers an estimated $230 million. By exploiting an issue in how transaction data was displayed in Liminal, the attackers were able to trick the WazirX and Liminal teams into signing a malicious transaction, bypassing the exchange’s defenses.
Rho Markets: The Rho Markets lending protocol suffered a $7.6 million loss to an MEV bot exploiting a misconfiguration. The bot's operator returned all of the funds after the incident was acknowledged by the Rho team.
MonoSwap: MonoSwap, a Blast-based DEX, suffered a $1.3 million hack. This theft was enabled by a social engineering attack in which developers were tricked into installing malware by alleged VCs.
Terra: In July 2024, the Terra blockchain suffered a supply chain attack, resulting in the theft of tokens moving between blockchains. By exploiting a vulnerability in IBC hooks, the attackers stole nearly $5.3 million.
The biggest DeFi hacks of July 2024 had a wide variety of root causes. Some exploited smart contract vulnerabilities, while others relied upon social engineering to gain the required access.
In many cases, the attackers exploited issues that could have been identified via a smart contract audit, such as reentrancy and unchecked call data vulnerabilities. Other incidents took advantage of poor security practices, such as allowing a single hot wallet to have wide-reaching control within the protocol.
Protecting against DeFi hacks requires both extensive smart contract audits and a robust security program designed to foil social engineering and similar threats. For help in protecting your project against attack, get in touch with Halborn.