Bad actors have stolen approximately $2.3 billion from Web3 projects, with Ethereum accounting for over half of the total losses. According to a report titled “State of Web3 Security in 2024” by Cyvers, 51% of the stolen funds came from Ethereum-based projects, primarily due to Ethereum's prominent role in the DeFi sector and its high liquidity.
The second most targeted blockchain was BNB Chain, accounting for 24% of the losses. Bitcoin, XRP, and Arbitrum accounted for 5%, 4%, and 3% of the losses respectively.
In terms of causes, access control failures, linked to weak authentication and permission mechanisms, accounted for 81% of the total funds lost in 2024. Smart contract vulnerabilities were responsible for 19% of the losses, as attackers exploited loopholes in the code to extract funds.
The three largest Web3 hacks of 2024 were the DMM Bitcoin exploit, which resulted in a loss of $305 million, the PlayDapp breach, which led to a loss of $290 million, and the WazirX attack, which caused a loss of $235 million. All of these incidents were a result of vulnerabilities in access control mechanisms.
There were also several other incidents involving multimillion-dollar losses. For example, Munchables, an Ethereum-based project, lost $97 million due to a rogue developer exploiting smart contract vulnerabilities. Additionally, address poisoning attacks resulted in $68 million in losses.
The report emphasized the lack of proper security protocols in many Web3 projects, stating that even a single flaw in a smart contract can have catastrophic consequences, as evidenced by the events of 2024.
Crypto losses increased quarter by quarter throughout the year, with the most damaging period being Q3, which accounted for $669 million in losses. Q4 saw the fewest incidents, with losses amounting to $130 million.
Recovery efforts yielded mixed results, with $620 million recovered in Q1 and $562 million in Q2. However, recoveries decreased significantly in the second half of the year, with only $93 million recovered in Q3 and $25 million in Q4.
The report added that early intervention is crucial for recovering stolen assets, as delays often allow the funds to disappear before authorities and security teams can take action.
To combat the growing threats, Cyvers called for the standardization of continuous monitoring and real-time vulnerability testing, as well as the adoption of AI-powered detection mechanisms.
An earlier report from Web3 security firm PeckShield highlighted a 15% surge in crypto hacks and scams in 2024, with decentralized finance protocols being the primary targets.