Rob Behnke
January 3rd, 2025
In 2024, DeFi hacks were notable more for their quantity than their size. While the year saw the most individual hacks to date, the total value stolen was far lower than in 2021 or 2022.
However, 2024 did have several DeFi hacks with significant losses. In total, eight hacks had price tags in excess of $50 million this year.
Many DeFi security incidents in 2024 carried price tags in the millions, but only a handful crossed the $50 million mark. Those eight are summarized below.
The biggest hack of 2024 occurred in May and targeted DMM Bitcoin, a Japanese centralized exchange (CEX). An estimated $305 million in BTC was transferred out of the exchange's wallets, most likely as the result of a compromised private key.
The PlayDapp hack happened in February 2024 and cost the blockchain gaming platform an estimated $290 million through a smart contract vulnerability. The project's token contract had an access control flaw that allowed an unauthorized address to call the mint function. The attacker exploited it twice, minting 200 million and then 1.59 billion PLA tokens, worth roughly $36.5 million and $253.9 million at the time, respectively.
WazirX, an Indian CEX, was the second exchange on this list, losing approximately $230 million in July 2024. The attack was more sophisticated than the DMM Bitcoin key compromise: malware exploited a discrepancy between what the Liminal custody interface displayed to signers and the transaction data actually being signed. Using this discrepancy, the attacker tricked four signers on WazirX's multi-sig wallet into approving a transaction that transferred control of the wallet to an attacker-controlled smart contract.
Like PlayDapp, Gala Games was a blockchain game exploited via a malicious mint. In this case the mint function did have access controls, but one of the authorized addresses was a deployer account that had gone unused for six months. The attacker compromised that account's private key and used it to mint tokens worth an estimated $216 million. After the team blocklisted the attacker's address, the funds were moved back to the deployer account.
Blast-based Munchables was the victim of a rogue developer on its own team who exploited it in March 2024. The developer had built the smart contract behind an upgradeable proxy that they controlled. Using that access, the attacker wrote a 1 million ETH balance for their own address into the contract's storage, then upgraded the contract to a clean implementation while the manipulated balance remained. Later, the attacker drained $62.5 million of ETH from the contract against that balance.
BtcTurk, a Turkish CEX, was the victim of a $55 million hack in June 2024. In this incident the attacker gained access to the exchange's hot wallets, most likely via compromised private keys, and used that access to drain funds.
BingX is yet another CEX on the list of 2024 hacks exceeding $50 million. In this case the attacker gained access to hot wallets owned by the exchange across several different blockchains. In total, an estimated $52 million was stolen from the CEX and swapped to ETH by the attacker, who is believed to be the Lazarus Group.
Radiant Capital suffered two attacks in 2024: a $4.5 million flash loan exploit in January and a $53 million compromise of its multi-sig in October. The project used a 3-of-11 multi-sig scheme, and the attacker used malware on signers' devices to collect legitimate signatures on malicious transactions. This gave the attacker control over the protocol's Pool Provider smart contract, which they used to push malicious upgrades to the project's contracts. The upgraded contracts then used users' preexisting token approvals to pull $53 million out of user wallets.
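Both the WazirX and Radiant Capital incidents come down to signers approving transaction data that did not match what their interface showed them. The script below is an added illustration of the kind of independent check a multi-sig signer can run before signing; it is not WazirX, Liminal or Radiant Capital code. It decodes the raw calldata, compares target contract, function and arguments against what the signer expects, and flags any call that hands over ownership or upgrades a proxy. The function selectors are the standard ERC-20, Ownable and UUPS ones; all addresses and the sample transactions are constructed for the example.

```python
"""Check a multi-sig transaction against what the signer thinks it does.
Added illustration, not WazirX/Liminal/Radiant code; addresses are constructed."""
from dataclasses import dataclass

# First 4 bytes of keccak256(signature) for standard ERC-20, Ownable and
# UUPS-proxy functions, hard-coded so no keccak library is needed.
KNOWN_SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
}
# Calls that hand over control; never approve these on the strength of a UI alone.
PRIVILEGED = {"transferOwnership(address)", "upgradeTo(address)"}

@dataclass(frozen=True)
class Tx:
    to: str    # contract the multi-sig will actually call
    data: str  # hex calldata, with or without the 0x prefix

@dataclass(frozen=True)
class Expected:
    to: str        # contract the signer believes is being called
    function: str  # canonical signature, e.g. "transfer(address,uint256)"
    params: tuple  # decoded arguments the signer expects

def _canon(p):
    # Lower-case, un-prefixed form of a hex string; non-strings unchanged.
    return p.lower().removeprefix("0x") if isinstance(p, str) else p

def decode_call(data):  # -> (selector, signature or None, decoded params)
    hexdata = _canon(data)
    if len(hexdata) < 8:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector, body = hexdata[:8], hexdata[8:]
    if len(body) % 64:
        raise ValueError("calldata body is not 32-byte aligned")
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    sig = KNOWN_SELECTORS.get(selector)
    if sig is None:
        return selector, None, tuple(words)
    types = sig[sig.index("(") + 1:-1].split(",")
    if len(types) != len(words):
        raise ValueError(f"{sig} takes {len(types)} words, got {len(words)}")
    params = []
    for typ, word in zip(types, words):
        if typ == "address":
            if word[:24] != "0" * 24:
                raise ValueError("address word has non-zero padding")
            params.append("0x" + word[24:])
        elif typ == "uint256":
            params.append(int(word, 16))
        else:
            raise ValueError(f"unsupported ABI type {typ}")
    return selector, sig, tuple(params)

def verify(tx, expected):
    """List every way the raw transaction differs from the signer's
    expectation; an empty list means it is safe to sign."""
    problems = []
    if _canon(tx.to) != _canon(expected.to):
        problems.append(f"target {tx.to} != expected {expected.to}")
    selector, sig, params = decode_call(tx.data)
    if sig is None:
        problems.append(f"unknown selector 0x{selector}; refuse to sign blind")
        return problems
    if sig != expected.function:
        problems.append(f"function {sig} != expected {expected.function}")
    elif tuple(map(_canon, params)) != tuple(map(_canon, expected.params)):
        problems.append(f"params {params} != expected {expected.params}")
    if sig in PRIVILEGED:
        problems.append(f"{sig} hands over control; confirm out of band")
    return problems

def encode_call(signature, *args):
    # ABI-encode a call with address/uint256 args only (used for the samples).
    selector = next(k for k, v in KNOWN_SELECTORS.items() if v == signature)
    words = [_canon(a).rjust(64, "0") if isinstance(a, str) else format(a, "064x")
             for a in args]
    return "0x" + selector + "".join(words)

# Constructed addresses; none are real deployments.
TOKEN, TREASURY = "0x" + "11" * 20, "0x" + "22" * 20
WALLET, ATTACKER = "0x" + "33" * 20, "0x" + "44" * 20

def ui_expectation():
    """What the custody UI shows the signer: pay 100 units of a 6-decimal token."""
    return Expected(TOKEN, "transfer(address,uint256)", (TREASURY, 100 * 10**6))

def honest_tx():
    return Tx(TOKEN, encode_call("transfer(address,uint256)", TREASURY, 100 * 10**6))

def tampered_tx():
    """What malware submits instead: repoint the wallet proxy at attacker code."""
    return Tx(WALLET, encode_call("upgradeTo(address)", ATTACKER))

if __name__ == "__main__":
    for name, tx in (("honest", honest_tx()), ("tampered", tampered_tx())):
        print(name, verify(tx, ui_expectation()) or "OK")
```

The check deliberately treats an unknown selector as a reason to refuse rather than to guess, and flags ownership transfers and proxy upgrades even when they are what the signer expected, because those are exactly the calls that turned one bad signature into total loss of control in both incidents. In practice the signer would run this against the raw payload from the hardware wallet or signing device rather than anything the custody UI renders.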
The biggest hacks of a given year often reveal significant trends, such as a common security mistake made by several projects or a particular class of target that attackers are focusing on.
In 2024, attacks on centralized exchanges made up half of the eight biggest hacks of the year. While the root causes differed (compromised hot wallet keys at DMM Bitcoin, BtcTurk and BingX, manipulated multi-sig approvals at WazirX), attackers such as the Lazarus Group were clearly concentrating on these organizations. Controls designed to blunt these attacks, including multi-sig wallets and cold storage, are therefore essential. The WazirX and Radiant Capital incidents add an important caveat: a multi-sig only helps if each signer independently verifies the raw transaction data rather than trusting what a wallet interface displays.
However, this focus on CEXs doesn't mean other DeFi projects are safe or that attackers won't use other methods against them; PlayDapp, Gala Games and Munchables were all hit through smart contract access control and upgrade paths. Smart contract audits and other security best practices remain essential to keep exploitable vulnerabilities from being deployed on-chain. For help in protecting your project against attack, get in touch.