Ethereum accounted for over 50% of $2.3b lost to hacks and exploits in 2024



Bad actors stole roughly $2.3 billion from web3 projects, with Ethereum accounting for more than half of the total losses.

According to the State of Web3 Security in 2024 report from Cyvers, 51% of the stolen funds came from Ethereum-based projects, largely due to its role as the leading blockchain for DeFi and its extensive liquidity.

BNB Chain was the second most targeted blockchain, accounting for 24% of losses, while Bitcoin, XRP, and Arbitrum accounted for 5%, 4%, and 3%, respectively.

Access control failures accounted for 81% of the total funds lost in 2024, linked to weak authentication and permission mechanisms. Smart contract vulnerabilities, in which attackers exploited loopholes in code to siphon funds, were responsible for 19% of the losses.

The top three biggest Web3 hacks of 2024 included the $305 million DMM Bitcoin exploit, the $290 million PlayDapp breach, and the $235 million WazirX attack. Each of these incidents stemmed from vulnerabilities in access control mechanisms.

Other multi-million dollar incidents include the exploit of Ethereum-based Munchables, which lost $97 million after a rogue developer exploited smart contract vulnerabilities. Meanwhile, address poisoning attacks accounted for $68 million in losses.

“Many Web3 projects still aren’t implementing proper security protocols to protect user assets. Even a single flaw in a smart contract can be catastrophic, and 2024 was proof of that,” the report stated.

Crypto losses grew quarter on quarter through 2024, with Q3 being the most damaging, accounting for $669 million in losses. Q4 saw the fewest incidents, with losses amounting to $130 million.

Recovery efforts bore mixed results, with $620 million reclaimed in Q1 and $562 million in Q2. However, recoveries dropped sharply in the latter half of the year, with just $93 million recovered in Q3 and $25 million in Q4.

“While early intervention can help recover stolen assets, delays often allow funds to disappear before authorities and security teams can act,” the report added.

To combat the growing threats, Cyvers urged the standardization of continuous monitoring and real-time vulnerability testing and advocated the use of AI-powered detection mechanisms.

An earlier report from Web3 security firm PeckShield highlighted that crypto hacks and scams surged over 15% in 2024, and decentralized finance protocols were the biggest targets.


