Rob Behnke
July 2nd, 2024
May 2024 was a tough act to follow, with seven $1M+ hacks and losses totaling over $600 million. In June, cybercriminals focused on quantity rather than quality, with nine major hacks totaling approximately $165 million.
Unlike in May 2024, June’s hacks primarily exploited smart contract vulnerabilities. Some of the biggest hacks of June 2024 included:
Velocore: Velocore, a DEX, experienced a $6.8 million hack in June 2024. The attackers exploited a logical vulnerability within the project’s smart contracts in which a multiplier was allowed to exceed 100%.
Lykke: Lykke is a zero-fee crypto exchange that suffered a $22.4 million hack. The attackers gained access to the project’s hot wallets and drained the cryptocurrency they contained.
Loopring: Loopring offers smart contracts with support for social recovery. The attacker exploited a vulnerability in the project’s 2FA to drain an estimated $5 million in value from wallets relying solely on the protocol’s own Official Guardian service.
YOLO Games: YOLO Games suffered a $1.5 million hack in June 2024 due to smart contract vulnerabilities. An access control vulnerability allowed the attacker to drain the project’s liquidity pools while posing as a liquidity provider.
UwU Lend: UwU Lend is a digital asset lending platform that suffered a $19.3 million hack in June. The attacker performed price oracle manipulation to create arbitrage opportunities that they could exploit.
BtcTurk: BtcTurk is a CEX that suffered a $90 million hack. The attackers targeted the organization’s hot wallets, draining them of value.
CoinStats: CoinStats is a cryptocurrency portfolio management company that suffered a $2 million hack. Approximately 1.3% of CoinStats wallets were affected by the incident, totaling about 1,590 wallets.
Sportsbet: Sportsbet is an online gambling protocol that suffered losses of approximately $3.5 million in June. The attack is suspected to have been performed by the same actor behind the BtcTurk hack.
The root causes of DeFi hacks can shift from one month to another. In June 2024, the most common cause was smart contract vulnerabilities. Some required privileged access, while others could have been exploited by anyone.
Protecting against these types of threats requires an in-depth security audit of smart contract code before launch. For help in securing your project against attack, get in touch with Halborn.