More Than $22M Stolen from Web3 Platforms in October

Nov 7, 2023

In October 2023, the blockchain sector, usually lauded for its solid security layers, was hit by a harsh reality check. A series of advanced hacks resulted in a loss of $22.54 million, a figure that’s notably less than September’s massive $400 million in crypto-related thefts. This suggests a strengthening in the industry’s security stance, yet October’s breaches still highlight a critical fact: security is a paramount concern, and companies are learning this the hard way.

As cybercriminals continually adapt and seek out new weaknesses to exploit, ranging from the theft of private keys to the deceit of rug pulls, it becomes evident that the battle for cybersecurity is ever-escalating. It’s a dynamic battleground, with security experts relentlessly innovating to stay ahead of hackers’ next moves.

Despite the underlying technology’s promise of decentralization and security, the complex interplay between human error, system vulnerabilities, and advanced attack methodologies can create a fertile ground for exploitation.

The hacks covered in this article strikingly illustrate a critical truth about Web3 security: none of these incidents was novel, and each could have been mitigated, if not avoided entirely, with a more vigilant and informed approach to cybersecurity.

These breaches, including key leaks and smart contract vulnerabilities, were not groundbreaking in their methods; instead, they repeated known patterns of security lapses that continue to challenge the digital space. This recurring theme underscores the essential need for continuous education and awareness in the security domain.


BigWhale Hack

On October 3rd, 2023, BigWhale.io experienced a security breach (a private key leak of a company Ledger wallet) in which unauthorized individuals gained access and compromised the integrity of the platform. As a result of this breach, approximately $1.5 million worth of BNB was illicitly withdrawn and transferred from the platform’s smart contract on the Binance Smart Chain (Contract Address: 0x30054BB89EDD62F9A57E6d7F02bdff25Db30751e).

BigWhale.io acknowledges its responsibility to its investors and is committed to taking all reasonable and necessary actions to recover the hacked funds. BigWhale.io will cooperate fully with any investigation and recovery efforts led by law enforcement and cyber intelligence agencies.

How to avoid

Multi-Signature Wallets: In a multisig setup, transactions require authorization from multiple parties before they can be executed. This means that even if one private key is compromised, unauthorized transactions cannot occur unless the attackers also have access to the additional keys required.

Decentralized Control: Multisig wallets distribute control among several parties (e.g., different team members or departments within the company). This decentralized approach reduces the risk of a single point of failure, where the compromise of one key could lead to a security breach.

Customizable Security Protocols: With multisig wallets, a project could customize the number of signatures required for different transaction types. For instance, larger transactions could necessitate more signatures, adding an extra layer of security for significant movements of funds.
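The three points above translate directly into contract logic. The following is an added example (it is not BigWhale’s code, and it is written for a generic EVM chain rather than their specific Binance Smart Chain contract): an N-of-M treasury in which withdrawals at or above an assumed `largeLimit` need more confirmations than small ones, so a single leaked key can never move funds on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not BigWhale's code: tiered N-of-M multisig treasury.
/// Small withdrawals need `smallThreshold` confirmations, large ones
/// `largeThreshold`; a single compromised key can only propose, never execute.
contract TieredMultisig {
    address[] public owners;
    mapping(address => bool) public isOwner;
    uint256 public immutable smallThreshold;   // confirmations for amounts below largeLimit
    uint256 public immutable largeThreshold;   // confirmations for amounts >= largeLimit
    uint256 public immutable largeLimit;       // assumed boundary, in wei

    struct Proposal {
        address payable to;
        uint256 amount;
        uint256 confirmations;
        bool executed;
    }
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public confirmed;

    event Proposed(uint256 indexed id, address to, uint256 amount);
    event Confirmed(uint256 indexed id, address owner);
    event Executed(uint256 indexed id);

    modifier onlyOwner() { require(isOwner[msg.sender], "not owner"); _; }

    constructor(address[] memory _owners, uint256 _small, uint256 _large, uint256 _limit) {
        // at least two signers for anything, and never more than the owner count
        require(_owners.length >= _large && _large >= _small && _small >= 2, "bad thresholds");
        for (uint256 i = 0; i < _owners.length; i++) {
            address o = _owners[i];
            require(o != address(0) && !isOwner[o], "bad owner");
            isOwner[o] = true;
            owners.push(o);
        }
        smallThreshold = _small;
        largeThreshold = _large;
        largeLimit = _limit;
    }

    receive() external payable {}

    /// Confirmations required for a given amount (the "customizable protocol").
    function requiredFor(uint256 amount) public view returns (uint256) {
        return amount >= largeLimit ? largeThreshold : smallThreshold;
    }

    function propose(address payable to, uint256 amount) external onlyOwner returns (uint256 id) {
        proposals.push(Proposal({to: to, amount: amount, confirmations: 0, executed: false}));
        id = proposals.length - 1;
        emit Proposed(id, to, amount);
    }

    /// Each distinct owner key may confirm once; a leaked key counts as one vote only.
    function confirm(uint256 id) external onlyOwner {
        Proposal storage p = proposals[id];
        require(!p.executed, "done");
        require(!confirmed[id][msg.sender], "already confirmed");
        confirmed[id][msg.sender] = true;
        p.confirmations += 1;
        emit Confirmed(id, msg.sender);
    }

    /// Anyone may trigger execution once enough owners have confirmed; state is
    /// updated before the external call (checks-effects-interactions).
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!p.executed, "done");
        require(p.confirmations >= requiredFor(p.amount), "not enough confirmations");
        p.executed = true;
        (bool ok, ) = p.to.call{value: p.amount}("");
        require(ok, "transfer failed");
        emit Executed(id);
    }
}
```

Deploying with, say, five owners, `_small = 2`, `_large = 4` and `_limit` set to a few hundred BNB worth of wei gives the tiering described above: routine operations stay fast, while any transfer large enough to matter needs most of the team to sign.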


Stars Arena Hack

According to SlowMist, Stars Arena appeared to have been hacked due to a major security breach in its smart contract. The hacker transferred 266,103 AVAX ($2.9M) to the address (0xa2Eb…ad7A), which then transferred 50.32 AVAX to FixedFloat on October 6. On October 12, Stars Arena tweeted that they had recovered approximately 90% of the lost funds. It was said that the hacker exploited Stars Arena through a reentrancy attack.

Stars Arena reached an agreement with the individual responsible for the recent security breach and has recovered approximately 90% of the lost funds.

How to avoid

For this incident, where a reentrancy attack on their smart contract led to significant fund theft, these mitigation strategies could have been effective:

High-Quality Security Audit: Before deploying any smart contract, especially those handling substantial financial transactions like Stars Arena, it’s crucial to have the contract thoroughly audited by a reputable blockchain security firm. These firms specialize in identifying vulnerabilities, including those that can lead to reentrancy attacks. An expert audit could have identified and addressed the reentrancy vulnerability before the contract went live.

Bug Bounty Program: Establishing a bug bounty program invites white hat hackers and security researchers to find and report vulnerabilities in exchange for a reward. This approach often uncovers issues that internal teams and even external audits might miss.

Engagement with the Developer Community: Platforms like Code4rena can be used to host contests in which developers and security experts are challenged to find vulnerabilities in the smart contract. This approach not only identifies potential security issues but also fosters community involvement and trust.


Platypus Finance Hack

On October 12th, decentralized finance (DeFi) protocol Platypus Finance suffered yet another hack this year, with around $2 million stolen. The Platypus team has confirmed the incident, saying it has “temporarily suspended all pools” due to “suspicious activities in our protocol”.

According to security firm PeckShield, the protocol was exploited on the Avalanche blockchain after attackers discovered a vulnerability that allowed them to withdraw Wrapped AVAX (WAVAX) and Staked AVAX (sAVAX). The nature of the hack remains unclear. “Further updates will be communicated to the community in a timely manner”, Platypus stated.

Platypus reached out to the hacker; following successful negotiations, 90% of the funds stolen from the sAVAX pool have been successfully returned by the exploiter.

How to avoid

Comprehensive Security Assessment by a Blockchain Security Firm: Before launching any smart contract, particularly for platforms like this one that handle significant monetary transactions, it is imperative to commission a rigorous security assessment from a well-regarded blockchain security firm. These specialized firms have the expertise to pinpoint potential security flaws, including those that might lead to reentrancy attacks, and an expert-led assessment at this stage could identify and rectify such flaws before the smart contract becomes operational.

Implementation of a Vulnerability Reporting Incentive Program: A program that rewards ethical hackers and security researchers for identifying and reporting security flaws, commonly known as a bug bounty program, can be highly effective. It can reveal security gaps that are not evident to the internal team or even through external audits, and so improves the overall security of the system.


LastPass Hack

On October 25, 2023, another ~$4.4M was drained from 25+ victims as a result of the LastPass hack. Monahan, along with other on-chain sleuths like the pseudonymous blockchain analyst ZachXBT, have implored crypto users to immediately migrate their assets if they ever, even for a brief period, used LastPass to store their wallet seed phrases or keys. As the attacks continue with no end in sight, Monahan has publicly recounted the stories of numerous friends and associates who — upon news of the hacks — considered changing wallets but didn’t move fast enough, only to be targeted by the hackers themselves.

How to avoid

To mitigate the risk of wallet-draining campaigns like the one involving compromised seed phrases stored in LastPass, the following strategies should be implemented:

Secure Storage of Seed Phrases: Avoid storing seed phrases or private keys in cloud-based password managers, especially those that have experienced breaches. Instead, use offline methods such as hardware wallets, handwritten paper backups, or encrypted drives for storing these critical pieces of information.

Regular Password Manager Audit: If a password manager is used for other credentials, regularly audit its security, update passwords, and enable multi-factor authentication. Be particularly vigilant if the provider has a history of security incidents.

Increased User Awareness: Educate users about the risks of storing sensitive information like seed phrases in online platforms. Highlight the importance of offline and physical backup methods for critical cryptocurrency credentials.

Real-Time Monitoring of Wallets: Implement or utilize services that offer real-time monitoring of crypto wallets. Any unauthorized transactions can be quickly detected, allowing for faster response to potential breaches.


Onyx Protocol Hack

Onyx Protocol was exploited on the Ethereum Mainnet due to a precision loss vulnerability, resulting in a loss of 1,164 ETH, worth approximately $2,100,794. The attack vector is a known issue in Compound V2 forks. The attack is similar to the earlier exploit of Hundred Finance, which suffered a loss of approximately $7 million.

Midas Capital was also exploited due to the same issue, resulting in a loss of $600,000. Essentially, the exploiter targeted empty pools that lacked lending activity, thereby gaining control over the liquidity.

How to avoid

To mitigate risks similar to those faced by Onyx Protocol, where a precision loss vulnerability led to significant losses, the following steps should be implemented:

Rigorous Security Audits by Reputable Firms: Before deployment, protocols should undergo thorough security audits conducted by renowned firms specializing in blockchain security. These audits should specifically focus on known vulnerabilities, like precision loss issues, especially for projects based on forked codebases such as Compound V2.

Staying Informed on Vulnerability Trends: Regularly updating knowledge on the latest vulnerabilities and attack vectors in the DeFi space is crucial. Teams should actively monitor security reports, community forums, and bulletins to stay informed about common pitfalls and emerging threats, especially those relevant to their protocol’s architecture.

Establishing a Bug Bounty Program: Implementing a bug bounty program can encourage ethical hackers and security researchers to identify and report vulnerabilities. These programs should offer incentives commensurate with the severity of the discovered flaws, thereby ensuring thorough scrutiny of the protocol by external experts.

By incorporating these strategies, protocols can significantly bolster their defenses against known and emerging security threats, particularly those that stem from inherent vulnerabilities in forked codebases. This proactive and comprehensive approach to security is crucial in safeguarding assets in the evolving landscape of decentralized finance.
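The “empty pool” condition mentioned above comes straight from the Compound V2 exchange-rate formula, exchangeRate = (cash + borrows − reserves) / totalSupply: when totalSupply is close to zero, a small direct deposit of underlying into the market swings the rate by an enormous factor, and the rounding in the share/underlying conversions can then be turned against the pool. The contract below is an added example, not Onyx’s or Compound’s code: a stripped-down cToken-style market with that formula and the standard hardening, a permanently locked seed deposit so totalSupply never sits in the dangerous regime, plus conversions that always round in the pool’s favour. The `MIN_SEED` value and the `LOCK` address are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

/// Added example, not Onyx's or Compound's code: a minimal cToken-style market
/// showing the Compound V2 exchange-rate formula and the usual mitigation for
/// the empty-market case (a locked seed deposit and pool-favouring rounding).
contract SeededMarket {
    IERC20 public immutable underlying;
    uint256 public constant MANTISSA = 1e18;
    uint256 public constant MIN_SEED = 1e6;          // assumed minimum locked shares
    address public constant LOCK = address(0xdead);  // assumed sink; shares here are never redeemed

    mapping(address => uint256) public balanceOf;    // cToken shares
    uint256 public totalSupply;
    uint256 public totalBorrows;
    uint256 public totalReserves;
    bool public seeded;

    constructor(IERC20 _underlying) { underlying = _underlying; }

    /// Compound V2 formula: exchangeRate = (cash + borrows - reserves) / totalSupply.
    /// With a tiny totalSupply this is extremely sensitive to `cash`, which anyone
    /// can raise by transferring underlying straight to the contract.
    function exchangeRate() public view returns (uint256) {
        if (totalSupply == 0) return MANTISSA;       // initial 1:1
        uint256 cash = underlying.balanceOf(address(this));
        return (cash + totalBorrows - totalReserves) * MANTISSA / totalSupply;
    }

    /// One-time bootstrap done at deployment: deposit and lock shares so the
    /// market is never "empty" once it is open to the public.
    function seed(uint256 amount) external {
        require(!seeded, "already seeded");
        require(amount >= MIN_SEED, "seed too small");
        seeded = true;
        require(underlying.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balanceOf[LOCK] += amount;                   // 1:1 at bootstrap
        totalSupply += amount;
    }

    function mint(uint256 amount) external {
        require(seeded, "market not seeded");
        uint256 rate = exchangeRate();               // read before cash changes
        require(underlying.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 shares = amount * MANTISSA / rate;   // rounds down in favour of the pool
        require(shares > 0, "mint too small");
        balanceOf[msg.sender] += shares;
        totalSupply += shares;
    }

    /// Redemption is expressed in shares only; the underlying paid out rounds
    /// down, so no caller can ever extract more than their shares are worth.
    function redeem(uint256 shares) external {
        require(balanceOf[msg.sender] >= shares, "insufficient shares");
        uint256 amount = shares * exchangeRate() / MANTISSA;
        balanceOf[msg.sender] -= shares;
        totalSupply -= shares;
        require(totalSupply >= MIN_SEED, "would drain market");  // locked seed stays in place
        require(underlying.transfer(msg.sender, amount), "transfer failed");
    }
}
```

For a team running a Compound V2 fork, the operational checklist that follows from this is short: seed every market with locked liquidity in the same transaction that lists it, never leave a listed market with near-zero supply, and have the audit explicitly cover the direction of rounding in every mint, redeem, borrow and liquidation path.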


Copyright Disclaimer and Notice

All Rights Reserved.

All material appearing on Zokyo's website (the “Content”) is protected by copyright under U.S. Copyright laws and is the property of Zokyo or the party credited as the provider of the Content. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any way exploit any such Content, nor may you distribute any part of this Content over any network, including a local area network, sell or offer it for sale, or use such Content to construct any kind of database. You may not alter or remove any copyright or other notice from copies of the content on Zokyo's website. Copying or storing any Content is expressly prohibited without prior written permission of Zokyo or the copyright holder identified in the individual content’s copyright notice. For permission to use the Content on Zokyo's website, please contact hello@zokyo.io

Zokyo attempts to ensure that Content is accurate and obtained from reliable sources, but does not represent it to be error-free. Zokyo may add, amend or repeal any policy, procedure or regulation, and failure to timely post such changes to its website shall not be construed as a waiver of enforcement. Zokyo does not warrant that any functions on its website will be uninterrupted, that defects will be corrected, or that the website will be free from viruses or other harmful components. Any links to third party information on Zokyo's website are provided as a courtesy and do not constitute an endorsement of those materials or the third party providing them.