Rob Behnke
April 1st, 2024
In March 2024, DeFi hackers had a standout month. This month, eleven hacks netted attackers over $1 million apiece with losses totalling over $100 million.
March 2024 included a variety of large-scale DeFi hacks. Some of the most significant hacks include the following:
WOOFi: WOOFi suffered a flashloan attack targeting the project’s sPMM algorithm to steal $8.75 million. This attack took advantage of vulnerabilities in the algorithm that were made exploitable by the combination of low liquidity and a WOO token market on Arbitrum.
Unizen: The Unizen DeFi platform suffered $2.1 million in losses. An external call vulnerability in the project’s smart contracts left it vulnerable to attack.
Polyhedra Network: Polyhedra Network — a Web3 full-stack interoperability project — suffered a $1.4 million hack. The attacker stole private keys, enabling them to transfer value from the project’s hot wallets.
Mozaic: The Mozaic DeFi project suffered a $2 million hack performed by one of the project’s developers. They stole private keys held by a team’s core member that provided access to its security module and enabled the attacker to drain value from the project.
Remilia: Remilia — the parent company of the Milady project — suffered a private key attack for $6 million in crypto. While the project used multi-sig wallets, all keys were stored in a single password manager.
Dolomite: The Arbitrum-based Dolomite decentralized trading protocol suffered a $1.8 million hack in March 2024. Some of the project’s old smart contracts contained vulnerabilities that enabled the attacker to drain value from wallets with existing approvals.
AirDAO: The AirDAO hack resulted in losses of $1.05 million. The attacker performed a social engineering attack that enabled them to drain the project’s liquidity pool.
Super Sushi Samurai: Super Sushi Samurai suffered a $4.8 million hack of its liquidity pool. The attacker exploited a bug where users could double their account balance by sending their tokens to their own address.
Curio: The Curio hack exploited access control vulnerabilities within the contract’s MakerDAO contracts. The attacker manipulated the governance mechanism to deploy a malicious contract and perform a mint of 1 billion tokens for a profit of $16 million.
Munchables: The largest hack of March 2024 was performed by a malicious developer. By controlling the deployment address, the attacker was able to modify the contract’s storage to falsely credit crypto to their account. This was later withdrawn for $62.5 million in profit.
Prisma Finance: Prisma Finance, a liquid restaking platform, suffered an $11.6 million hack in March 2024. The attacker performed a flashloan attack to drain about 3,257.7 ETH from the protocol.
March 2024 included major hacks with a variety of different causes. Some exploited compromised private keys, while others took advantage of vulnerabilities in the project’s smart contracts.
One unfortunate trend was the fact that multiple attacks were performed by malicious insiders associated with a project. Developers took advantage of their access to steal private keys or inject malicious logic into contracts.
Protecting against major DeFi hacks requires comprehensive security testing and protocols. To learn more about protecting your project against these threats, get in touch with Halborn.