
In March, blockchain security incidents declined, and the amount of losses due to hacking and other attacks reached $158 million

author:Zero-hour technology

According to statistics from some blockchain security risk monitoring platforms, losses from security incidents in March 2024 decreased significantly compared with February 2023. There were more than 30 typical security incidents in March, and the total loss caused by hacking, phishing scams and Rug Pulls reached US$158 million, a decrease of about 62.5% from February. Of this, losses from attacks were about US$116 million, a decrease of about 66.4%; losses from phishing fraud were about US$36.85 million, an increase of about 129%; and losses from Rug Pull incidents were about US$8.12 million, a decrease of about 91.4%.

In addition, some specific security incidents and related news are described in detail below.

Hacking aspect

There were 15 typical security incidents

(1) On March 5, the WooFi project on the Arbitrum chain was attacked due to a contract vulnerability, losing about $8.75 million. The exploit consisted of a series of flash loans, with the attacker taking advantage of low liquidity to manipulate the price of WOO and then repaying the flash loan at a lower price. The attacker repeated the attack three times in a very short period of time and made a profit of about $8.75 million after repaying the flash loan.


(2) On March 6, the TGBS project on BNB Chain was attacked due to a contract vulnerability, losing about $150,000.

(3) On March 9, DeFi trading platform Unizen was attacked through an external call vulnerability, losing about $2.6 million. On March 12, Unizen's CTO, Martin Granström, tweeted that $185,000 worth of stolen funds had been recovered from four hackers.


(4) On March 11, BLASTOFF on the Blast chain was attacked due to a contract vulnerability, losing about $600,000.

(5) On March 13, Polyhedra Network, a Web3 full-stack interoperability infrastructure, suffered a wallet access vulnerability on the BNB Chain, where the attacker withdrew $1.4 million, including $700,000 worth of THE tokens, and then swapped all the tokens for BNB.

(6) On March 15, about $2 million was stolen from the Mozaic project on the Arbitrum chain due to a leak of private keys. According to Mozaic, the theft was carried out by a developer who managed to obtain the private keys held by the core team members. Mozaic also said that about 90% of the stolen funds have been frozen on MEXC.


(7) On March 15, the DeFi protocol MOBOX was attacked due to a contract vulnerability, losing about $750,000.

(8) On March 16, the founder of Milady claimed that his system had been hacked, and all the wallets that had been imported were stolen, resulting in a loss of about $3 million.

(9) On March 20, Dolomite Exchange's old contract was attacked, resulting in a loss of approximately $1.9 million.

(10) On March 22, a vulnerability was exploited in the Blast ecosystem project Super Sushi Samurai, resulting in the theft of $4.6 million. Shortly after the theft, the attackers contacted the project, claiming to be a white hat. Subsequently, Super Sushi Samurai confirmed that the funds had been returned, 5% of which went as a bounty.


(11) On March 21, hackers gained access to AirDAO LP through a social engineering scam, resulting in the theft of about $1 million from AirDAO.

(12) On March 24, the Curio Ecosystem, an RWA infrastructure, suffered an attack due to an access control vulnerability, causing losses of $16 million.


(13) On March 27, Munchables, a Web3 gaming platform based on the Blast chain, was attacked, losing about $62.3 million. The attack is suspected to have been caused by the project team hiring North Korean hackers as developers.

(14) On March 28, DeFi protocol Prisma Finance suffered a flash loan attack, losing about $11.6 million. The attack was caused by the lack of input validation in the onFlashloan function of the MigrateTroveZap contract, which allowed the attacker to forge the migration data and achieve unauthorized collateral transfers, resulting in losses for legitimate Prisma Finance users.


(15) On March 29, DeFi protocol LavaLending suffered a price manipulation attack, losing about $340,000.
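
The kind of callback validation whose absence item (14) describes, shown as an added example that is not Prisma Finance's code: a hypothetical flash-loan receiver using the ERC-3156 callback interface that rejects callbacks from an untrusted lender or initiator and binds the migrated account to the caller. The names `MigrateZapHardened`, `ITroveManager` and `migrateFor` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: hypothetical contract, not code from any audited project.
interface IERC20 { function approve(address spender, uint256 value) external returns (bool); }

interface IERC3156FlashLender {   // ERC-3156 lender entry point (receiver passed as address)
    function flashLoan(address receiver, address token, uint256 amount, bytes calldata data)
        external returns (bool);
}

interface ITroveManager {         // hypothetical: moves `account`'s position using `debt`
    function migrateFor(address account, uint256 debt) external;
}

contract MigrateZapHardened {
    bytes32 private constant CALLBACK_OK = keccak256("ERC3156FlashBorrower.onFlashLoan");
    IERC3156FlashLender public immutable lender;
    ITroveManager public immutable troves;

    constructor(IERC3156FlashLender _lender, ITroveManager _troves) {
        lender = _lender;
        troves = _troves;
    }

    // The account to migrate is always msg.sender; callers cannot name someone else.
    function migrate(address token, uint256 debt) external {
        bytes memory data = abi.encode(msg.sender);
        require(lender.flashLoan(address(this), token, debt, data), "loan failed");
    }

    function onFlashLoan(address initiator, address token, uint256 amount, uint256 fee,
                         bytes calldata data) external returns (bytes32) {
        // 1. Only the trusted lender may invoke the callback.
        require(msg.sender == address(lender), "untrusted lender");
        // 2. The loan must have been started by migrate() above, so `data`
        //    was built by this contract and not supplied by a third party.
        require(initiator == address(this), "untrusted initiator");
        address account = abi.decode(data, (address));
        troves.migrateFor(account, amount);
        // Allow the lender to pull principal plus fee, as ERC-3156 specifies.
        IERC20(token).approve(msg.sender, amount + fee);
        return CALLBACK_OK;
    }
}
```

Without the `initiator` check, anyone could ask the lender for a loan with this contract as receiver and supply their own `data`, which is how forged migration data reaches the callback.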

Rug Pull / Phishing scams

9 typical security incidents

(1) On March 1, an address starting with 0x7653 fell victim to a phishing attack, resulting in a loss of US$4.39 million.

(2) On March 4, an address starting with 0x6f5e fell victim to a phishing attack, with a loss of about $1.72 million.

(3) On March 5, a Rug Pull occurred at the OrdiZK project on the Ethereum chain, with a loss of about $1.4 million.

(4) On March 7, a Rug Pull occurred at the Humanized_AI project on the Ethereum chain, with a loss of about $660,000.

(5) On March 14, an address starting with 0x39b2 fell victim to a phishing attack, resulting in a loss of about $2 million.

(6) On March 17, a fake Twitter account stole about $2.6 million in assets through phishing scams.

(7) On March 18, an address starting with 0x0ffe fell victim to a phishing attack, with a loss of about $2.48 million.

(8) On March 20, an address starting with 0xef49 fell victim to a phishing attack, with a loss of about $3.05 million.

(9) On March 24, an address starting with 0x954d fell victim to a phishing attack, with a loss of about $2.9 million.

Crypto crime aspect

3 typical security incidents

(1) On March 11, Argentina arrested a couple accused of plotting a Ponzi scheme worth $400 million in Brazil.

(2) On March 21, it was reported that a British woman was convicted of money laundering for helping a Chinese fugitive, who had planned an investment fraud of nearly $6 billion, launder funds between 2017 and 2022.

(3) On March 23, it was reported that police in Sichuan, China, broke up a criminal gang operating under the guise of speculating on "air coins"; the funds involved amounted to more than 200 million yuan.

Summary

The incidents above show that, although the amount of losses from blockchain security incidents decreased significantly in March, the number of incidents increased significantly.

Attacks this month with losses of more than $10 million include: Blast chain gaming platform Munchables ($62.3 million), RWA infrastructure Curio Ecosystem ($16 million), and DeFi protocol Prisma Finance ($11.6 million). Phishing scams have increased significantly this month, with multiple incidents of personal addresses losing more than $1 million.

The Zero Time Technology security team recommends that project teams remain vigilant and have regular security audits conducted by a professional security company. Given the number of phishing scams this month, users are advised not to click on suspicious links and to store their private keys securely.

Annotation:

The content of this article was collected and compiled from public data.

Important reminder: This article is only for industry information and does not constitute any investment advice or guarantee.
