Security Roundup: April 2024 Edition

Welcome to another edition of the latest blockchain security news. Last month we witnessed a large number of hacks, with over $120M stolen and a wide variety of attack vectors, ranging from rogue developers to smart contract vulnerabilities.

Will this high pace of hacks persist throughout the year? We shall see...

Let's dive into the top hacks!

March 2024 Hacks

WooFi - $8.5M - The attacker exploited the WooFi v2 system's oracle on the Arbitrum network, enabling them to manipulate asset prices and withdraw funds significantly above their deposit value.
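Oracle manipulation of the kind described above is usually mitigated at the consumer side by refusing prices that are stale or that diverge too far from an independent reference. The following contract is an added illustration written for this roundup, not code from WooFi or from the original post; the IPriceFeed interface, the contract name and the thresholds are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal price-feed interface (an assumption for this example,
// not tied to any specific oracle vendor).
interface IPriceFeed {
    function latestPrice() external view returns (uint256 price, uint256 updatedAt);
}

// A consumer that sanity-checks a manipulable price (e.g. one derived from
// pool reserves) against an independent reference before using it.
contract GuardedPriceConsumer {
    IPriceFeed public immutable primary;   // price that could be manipulated in-block
    IPriceFeed public immutable reference; // independent reference feed

    uint256 public constant MAX_STALENESS = 1 hours;       // reject feeds older than this
    uint256 public constant MAX_DEVIATION_BPS = 200;       // reject >2% divergence

    error StalePrice(uint256 updatedAt);
    error PriceDeviation(uint256 primaryPrice, uint256 referencePrice);

    constructor(IPriceFeed _primary, IPriceFeed _reference) {
        primary = _primary;
        reference = _reference;
    }

    // Returns the primary price only if both feeds are fresh and agree
    // within MAX_DEVIATION_BPS; otherwise the transaction reverts.
    function safePrice() public view returns (uint256) {
        (uint256 p, uint256 pAt) = primary.latestPrice();
        (uint256 r, uint256 rAt) = reference.latestPrice();

        if (block.timestamp - pAt > MAX_STALENESS) revert StalePrice(pAt);
        if (block.timestamp - rAt > MAX_STALENESS) revert StalePrice(rAt);

        uint256 diff = p > r ? p - r : r - p;
        // diff / r > MAX_DEVIATION_BPS / 10_000, rearranged to avoid division
        if (diff * 10_000 > r * MAX_DEVIATION_BPS) revert PriceDeviation(p, r);

        return p;
    }
}
```

Reverting on deviation halts the affected operation rather than letting it settle at a skewed price; the revert reasons also give monitoring a clear signal that a feed is being pushed out of band.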

Unizen - $2.2M - The breach was caused by a vulnerability related to an unchecked external call within the newly upgraded DEX aggregation contract. The team engaged with the attacker through on-chain messages, offering a 20% bounty and later threatening legal action.

Super Sushi Samurai - $4.8M - An insecure transfer function in the smart contract was exploited in a double-spending attack.

Curio - $16M - The cause of the incident was traced back to a vulnerability in its smart contract governance system, which was manipulated to mint and steal funds.

Munchables - $62.5M - The attack was executed by an individual who had infiltrated the development team with potential links to North Korea. The attack was carried out by directly manipulating the smart contract's storage slots to unjustly assign a vast amount of Ether to the attacker's account. Proper vetting of your development team is crucial. Web3 security does not end with a smart contract audit.

PrismaFi - $11.6M - The exploit stemmed from inadequate input validation in the MigrateTroveZap contract, which was abused in a flash loan attack.

SLERF - $10M - This was potentially not even a malicious attack, but what happened to the Solana meme coin is still worth mentioning. While attempting to burn the liquidity pool, the developer accidentally burned the tokens set aside for the airdrop as well. The mint authority had already been revoked, so the developer couldn't undo the costly error.

Mozaic - $2.1M - The hack was caused by a private key compromise.

Beoble - The X account of @beoble_official was hacked. Check out our guide on how to secure your X account.

Blast - $600k - Blastoff, a dApp on Blast, was hacked for 150 ETH, worth around $600k at the time.

Dolomite - $1.8M - One of its smart contracts lacked essential permission checks.
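Missing permission checks are the common thread in several of the incidents above. The following pair of contracts is an added illustration for this roundup, not Dolomite's code or code from the original post; the contract names, the sweep function and the operator role are hypothetical. The first contract shows the defect class (a privileged action callable by anyone), the second the hardened form with explicit role checks and events for monitoring.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern (hypothetical): a treasury-style action with no
// restriction on msg.sender, so any account can move the contract's tokens.
contract VaultUnprotected {
    IERC20 public immutable token;

    constructor(IERC20 _token) { token = _token; }

    // Missing check: intended for an operator, but callable by anyone.
    function sweep(address to, uint256 amount) external {
        require(token.transfer(to, amount), "transfer failed");
    }
}

// Hardened form: owner-managed operator role, custom errors, and events
// so that privileged actions are both gated and observable on-chain.
contract VaultProtected {
    IERC20 public immutable token;
    address public owner;
    mapping(address => bool) public isOperator;

    event OperatorUpdated(address indexed operator, bool allowed);
    event Swept(address indexed by, address indexed to, uint256 amount);

    error Unauthorized(address caller);

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized(msg.sender);
        _;
    }

    modifier onlyOperator() {
        if (!isOperator[msg.sender]) revert Unauthorized(msg.sender);
        _;
    }

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    // Only the owner can grant or revoke the operator role.
    function setOperator(address op, bool allowed) external onlyOwner {
        isOperator[op] = allowed;
        emit OperatorUpdated(op, allowed);
    }

    // Only an approved operator can move funds; every sweep is logged.
    function sweep(address to, uint256 amount) external onlyOperator {
        require(token.transfer(to, amount), "transfer failed");
        emit Swept(msg.sender, to, amount);
    }
}
```

Beyond the modifier itself, the emitted events matter in practice: a monitoring rule that alerts on OperatorUpdated or on Swept calls from unexpected addresses turns a silent permission gap into a detectable one.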

More Blockchain Security

The Ultimate Guide to Securing Your X/Twitter Account

ERC-4626 Vulnerabilities and How to Avoid Them in Your Project

Secure Proxy Models: Understanding Beacon Proxies

Rug Pulls and How to Avoid Them

Real-time hack alerts: https://twitter.com/rivanorthSec


Rivanorth is a global boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit rivanorth.com to find out more.

You build the future. We help you secure it.