Rob Behnke
December 2nd, 2024
In terms of the number of high-value hacks, November was similar to October with six apiece. However, DeFi hackers in November had lower earnings on average with losses from major hacks totalling approximately $78 million. Additionally, nearly half of these losses were associated with a single hack.
November’s DeFi hacks with losses totalling over $1 million included the following:
MetaWin: MetaWin, a crypto gambling platform, suffered a $4 million hack across its Ethereum and Solana smart contracts. The attacker exploited security flaws in the protocol’s “frictionless withdrawal functions.”
DeltaPrime: DeltaPrime suffered its second hack in three months in November 2024. Unlike the previous incident, this attacker exploited a vulnerability in the protocol’s staking contracts to steal an estimated $4.75 million.
Thala: An input validation vulnerability in a recent update to Thala’s v1 farming contract was exploited in November 2024. The attacker tricked the contract into allowing them to take out a loan using non-existent collateral, resulting in $25.5 million in losses.
DEXX: Users of the DEXX crypto exchange suffered an estimated $30 million in losses. The attack impacted approximately 900 users of the exchange.
Polter Finance: Polter Finance was the victim of a $12 million price oracle manipulation attack. Using flashloans, the attacker was able to artificially inflate the value of the project’s BOO token, enabling them to take out a large loan while using a small amount of the token as collateral.
XT Exchange: XT Exchange is a Seychelles-based cryptocurrency exchange. In November 2024, an estimated $1.7 million spanning twelve different tokens was stolen from the exchange’s wallets.
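The Polter Finance entry above describes the classic flash-loan oracle manipulation: a single large swap moves a pool’s spot price within one block, and a lending market that reads that spot price as its oracle grants a far larger loan than the collateral is worth. The following added example (constructed for this post, not Polter Finance or Geist code) simulates that scenario in a toy constant-product pool and contrasts a spot-price oracle with a TWAP plus a deviation check, the kind of control an audit would look for; all pool sizes, the LTV and the 10% deviation bound are assumed values.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product (x*y=k) AMM pool. Constructed toy, not any real protocol's code."""
    reserve_token: float   # collateral token (stand-in for a token like BOO)
    reserve_quote: float   # asset the token is priced in

    def spot_price(self) -> float:
        """Instantaneous pool price: what a naive oracle reads in the same block."""
        return self.reserve_quote / self.reserve_token

    def buy_token(self, quote_in: float) -> float:
        """Swap quote_in of the quote asset for tokens, holding x*y constant."""
        k = self.reserve_token * self.reserve_quote
        self.reserve_quote += quote_in
        new_token = k / self.reserve_quote
        out = self.reserve_token - new_token
        self.reserve_token = new_token
        return out


def twap(history: list[float]) -> float:
    """Time-weighted average over equally spaced per-block price samples."""
    return sum(history) / len(history)


def max_borrow(collateral: float, price: float, ltv: float = 0.75) -> float:
    """Borrow limit a lending market grants against collateral valued at `price`."""
    return collateral * price * ltv


def simulate(flash_loan_quote: float, collateral: float,
             calm_blocks: int = 100, max_deviation: float = 0.10) -> dict:
    """One manipulated block: spot oracle vs. TWAP with a spot/TWAP deviation gate."""
    pool = Pool(reserve_token=1_000_000.0, reserve_quote=1_000_000.0)  # price 1.0
    history = [pool.spot_price()] * calm_blocks   # undisturbed prior blocks
    pool.buy_token(flash_loan_quote)               # large buy funded by a flash loan
    spot = pool.spot_price()
    history.append(spot)
    avg = twap(history)
    deviation = abs(spot - avg) / avg
    accepted = deviation <= max_deviation          # hardened market refuses outliers
    return {
        "spot": spot, "twap": avg, "deviation": deviation, "accepted": accepted,
        "borrow_spot_oracle": max_borrow(collateral, spot),
        "borrow_twap_oracle": max_borrow(collateral, avg) if accepted else 0.0,
    }
```

With a 9,000,000-unit flash-loan buy the spot price jumps from 1.0 to 100.0, so 1,000 tokens of collateral unlock a 75,000-unit loan from the spot oracle, while the TWAP stays near 1.98 and the deviation gate rejects the borrow outright.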
The primary cause of major DeFi hacks tends to vary from one month to another. While private key compromise is frequently the leading cause, November’s hacks primarily involved smart contract vulnerabilities. Of these, two involved faulty input validation, one was a price oracle manipulation, and one was an unspecified issue with MetaWin’s code (on-chain or off-chain).
One common thread for protocols that experience these types of hacks is a failure to properly audit code before release. In the case of Polter Finance, for example, the code was largely a copy-paste of Geist’s smart contracts, so the team provided a link to Geist’s smart contract audit report instead of performing their own. However, this didn’t save them from an attacker exploiting a basic vulnerability to the tune of $12 million.
Comprehensive smart contract audits are essential for the security of DeFi protocols. To get started on yours, get in touch with Halborn.