TL;DR March 2024 was a pretty quiet month with a relatively low amount of stolen funds ($124M vs. $398M in February), even more so when considering that $62 million from the Munchables hack was returned by the attacker, lowering the total losses for March to $62 million.
The Munchables attack was particularly interesting due to its use of social engineering. The project, which runs on Blast, had a team of anonymous developers, one of whom appears to have impersonated the other three and controlled the keys for the main contract. This individual stole the funds and demanded $1M. After negotiations, all of the funds were returned to the project.
Attack Vectors
Regarding attack vectors, March saw mostly smart contract attacks, followed by rug pulls. The following is a summary of the security incidents that took place this month, by category:
- 8 Smart contract vulnerabilities
- 6 Rug pulls
- 3 Flash Loan Attacks
- 3 Social Engineering attacks
- 3 X accounts compromised
- 2 Compromised private keys
- 1 DNS Hijacking Attack
- 1 Newsletter compromised
- 1 Phishing attack
Attack Vectors Behind Major Funds Lost
From the point of view of lost funds, social engineering is the number one attack vector for this month, followed by smart contract vulnerabilities:
• Social Engineering: $65M
• Contract vulnerability: $36M
• Flash Loan Attack: $9M
• Phishing attack: $4.3M
• Rug pull: $2.9M
• Compromised private keys: $2.7M
• DNS Hijacking Attack: $100K
• Newsletter compromised: $3K
Security Incidents Classified by Attack Vectors
We have classified the most relevant security incidents by attack vectors:
– Smart contract vulnerability: Unizen, BLASTOFF, MOBOX, ParaSwap, Dolomite, Super Sushi Samurai, Curio Ecosystem, Prisma Finance.
– Rug pull: OrdiZK, ClosedAI (ClosedAI), HumanizedAi (HMZ), FLOKIAI (FLOKIAI), Fake ETHFI, Lucky Star Currency.
– X Account compromised: Sherlock, beoble, Pendle Finance.
– Compromised private keys: Polyhedra Network, Mozaic.
– Social engineering: Ansem, AirDAO, Munchables.
– Flash loan attack: WOOFi, ZongZiFa, Lava.
Funds Lost by Network
Blast is the network that suffered the most, but 95% of those funds correspond to the Munchables attack and were later returned by the rogue developer.
– Blast: $66,360,000
– Ethereum: $39,293,000
– Arbitrum: $9,090,000
– Solana: $3,600,000
– Other: $1,810,000
– Base: $900,000
– BSC: $808,000
– Optimism: $750,000
Attack Incidents per Network
Regarding the most attacked network by number of incidents, Ethereum unsurprisingly tops the list, since it has the largest TVL of all networks:
– Ethereum: 12
– BSC: 4
– Other: 3
– Arbitrum: 2
– Blast: 2
– Solana: 2
– Base: 1
– Optimism: 1
– Unknown: 1
Most Prominent Attacks of the Month
The biggest attacks during March 2024 were:
- Munchables (Blast): Social Engineering > $62,300,000
- Curio Ecosystem (Ethereum): Smart contract vulnerability > $16,000,000
- Prisma Finance (Ethereum): Smart contract vulnerability > $11,600,000
- WOOFi (Arbitrum): Flash Loan Attack > $8,750,000
- $ALI, $PUSH (Ethereum): Phishing attack > $4,390,000
- Super Sushi Samurai (Blast): Smart contract vulnerability > $4,060,000
Most Prominent Rug Pulls
- OrdiZK (Ethereum): $1,400,000
- HumanizedAi (HMZ) (Ethereum): $665,000
- Fake ETHFI (Ethereum): $354,000
- Lucky Star Currency (BSC): $300,000
- FLOKIAI (FLOKIAI) (BSC): $148,000
- ClosedAI (ClosedAI) (BSC): $131,000
Most Prominent Smart Contract Attacks
- Curio Ecosystem (Ethereum): Smart contract vulnerability > $16,000,000
- Prisma Finance (Ethereum): Smart contract vulnerability > $11,600,000
- WOOFi (Arbitrum): Flash Loan Attack > $8,750,000
- Super Sushi Samurai (Blast): Smart contract vulnerability > $4,060,000
- Unizen (Ethereum): Smart contract vulnerability > $2,100,000
- Dolomite (Ethereum): Smart contract vulnerability > $1,800,000
The Bottom Line: $124M stolen
Funds stolen in March were $124M, 60% less than the previous month (February 2024). Over the past twelve months (April 2023 – March 2024), the total amount of stolen funds amounts to USD 2.5 billion, indicating a declining trend compared to the USD 3.5 billion stolen during 2022.
$2.9 billion lost since February 2023
Over the past fourteen months (February 2023 – March 2024), the stolen funds amount to USD 2.9 billion.
82% detected by Blockfence
Our engine detected $16.5M out of the $20.3M total relevant compromised funds. This does not include compromised private keys and centralized exchanges, which cannot be detected in advance.
Monthly Security Report by Eyal Mor & Pablo Sabbatella.