Month in Review: Top DeFi Hacks of September 2024


Rob Behnke

October 3rd, 2024


After a quiet August, DeFi hacks hit their stride again in September with ten hacks involving over $1 million in losses. In total, DeFi hackers managed to steal approximately $130 million in these top ten hacks.

Biggest DeFi Hacks of September 2024

In September 2024, ten DeFi hacks crossed the $1 million mark, including:


  • Penpie: Penpie, a decentralized liquidity yield protocol hosted on Pendle, suffered a $30 million hack in September 2024. The attacker took advantage of the protocol’s implicit trust in markets to exploit a reentrancy vulnerability.

  • Caterpillar Coin: Caterpillar Coin suffered a $1.4 million hack in September 2024. The attacker used a flash loan attack to exploit bugs in the protocol’s price protection mechanisms and manipulate rewards.

  • Indodax: Indodax is an Indonesian CEX that suffered a $22 million hack. Unlike many exchange hacks, this attack didn’t involve a compromised private key and was believed to be associated with the CEX’s withdrawal protocol.

  • DeltaPrime: Arbitrum-based DeltaPrime suffered a hack due to compromised private keys. In this case, an estimated $5.98 million was stolen from the project.

  • Banana Gun: Users of Banana Gun, a Telegram trading bot, suffered an estimated $3 million hack in September 2024. The attacker exploited a new vulnerability to drain funds from eleven users’ wallets.

  • BingX: BingX, a Singaporean CEX, suffered a private key hack attributed to the Lazarus Group. The attacker accessed wallets across multiple chains to steal an estimated $52 million from the protocol.

  • Shezmu: Shezmu is a crypto yield protocol that suffered a $4.9 million hack due to an access control vulnerability. The attackers were able to mint collateral, which could be used to borrow assets from the protocol.

  • Onyx: Onyx was exploited via the Compound v2 fork vulnerability for the second time in a year. This time, the protocol lost an estimated $3.8 million.

  • Truflation: In September 2024, Truflation, the blockchain-based inflation data provider, suffered a $5.2 million hack. The attacker infected computers with malware that stole private keys managing the project’s treasury wallet and other personal accounts.

  • Bedrock: In September 2024, Bedrock was exploited due to an error in how it handled native tokens on non-native BTC chains. As a result, attackers were able to steal an estimated $2 million via malicious mints.

Lessons Learned from the Attacks

While several DeFi hacks in September 2024 involved compromised private keys, the most common problem was smart contract vulnerabilities. These ranged from repeat exploits of known issues to new flaws within smart contract code.

Before deploying any code on-chain, a smart contract audit is vital to identify and close security gaps before they can be exploited. For help with securing your project against attack, reach out to Halborn.
