The monthly security incident highlights from Zero Hour Technology are here. According to statistics from blockchain security risk monitoring platforms, losses from security incidents in December 2024 dropped significantly compared with November. More than 23 typical security incidents occurred in December; the total loss caused by hacker attacks, phishing scams and rug pulls reached US$28.6 million, a decrease of about 55% from November.
Hacker attacks
7 typical security incidents
(1) On December 1, @shoucccc, co-founder of the security firm Fuzzland, tweeted that the decentralized trading platform Clipper had been hacked through an API vulnerability (such as a private key leak); losses so far exceeded US$500,000, a further US$6.5 million was at risk, and users were advised to withdraw their funds immediately. The next day, the decentralized exchange (DEX) Clipper clarified that the recent hack was caused by a vulnerability in its withdrawal function, with a loss of US$450,000, and not by a private key leak as claimed by a "third party".
(2) On December 3, according to the monitoring of the SlowMist security team, RunWay (BYC) was suspected to have been attacked on BSC, with a loss of approximately US$100,000.
(3) On December 4, Chaofan Shou, co-founder of security company Fuzzland, said on the X platform: “Vestra DAO has just been hacked and the attack is still ongoing. $480,000 has been lost and more may be lost in the future. It is recommended to withdraw the stake and liquidity immediately.”
(4) On December 10, the Lingshi Technology project team monitored an on-chain attack against the CloberDEX project on Base. The root cause was that the CloberDEX contract had no reentrancy detection or protection in the code that mints and burns LP tokens, and its state variables were only updated after the external call to the caller's contract. The attacker exploited this reentrancy vulnerability to empty the project's WETH.
For a detailed attack analysis, please click this link:
https://mp.weixin.qq.com/s/ff0YJBuZiaVBIIUZlarXRQ
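The pattern described in (4), a payout made before the caller's LP balance is cleared, can be shown with a small simulation. This is an added, constructed example and not the CloberDEX contract: a Python vault that transfers first and updates state afterwards, beside a vault that applies checks-effects-interactions and a nonReentrant-style lock, and a caller whose receive hook calls back into the vault mid-withdrawal. Names, amounts and the 1:1 LP-to-WETH accounting are assumptions made for the illustration.

```python
"""Toy model of the withdrawal flow described for CloberDEX (constructed example,
not the project's contract): a vault that sends the caller's share before
clearing its LP balance, beside a vault that follows checks-effects-interactions
and holds a reentrancy lock. Everything here is simulated in Python."""


class VulnerableVault:
    """Pays out first and only afterwards zeroes the caller's LP balance."""

    def __init__(self, liquidity):
        self.reserve = liquidity      # WETH held by the vault (other users' funds)
        self.balances = {}            # caller -> LP balance, redeemable 1:1 for WETH
        self._locked = False          # used only by GuardedVault

    def deposit(self, caller, amount):
        self.balances[caller] = self.balances.get(caller, 0) + amount
        self.reserve += amount

    def withdraw(self, caller):
        amount = self.balances.get(caller, 0)
        if amount == 0:
            raise RuntimeError("nothing to withdraw")
        if self.reserve < amount:
            raise RuntimeError("insufficient reserve")
        self.reserve -= amount            # the WETH transfer itself
        caller.on_receive(amount)         # external call: the caller's code runs here
        self.balances[caller] = 0         # effect applied too late: during the call
                                          # above the LP balance is still intact


class GuardedVault(VulnerableVault):
    """Same vault, but effects before interactions plus a nonReentrant-style lock."""

    def withdraw(self, caller):
        if self._locked:
            raise RuntimeError("reentrant call rejected")
        self._locked = True
        try:
            amount = self.balances.get(caller, 0)
            if amount == 0:
                raise RuntimeError("nothing to withdraw")
            self.balances[caller] = 0     # effect first
            self.reserve -= amount
            caller.on_receive(amount)     # interaction last
        finally:
            self._locked = False


class ReenteringCaller:
    """Constructed caller whose receive hook calls back into the vault while the
    first withdrawal is still executing."""

    def __init__(self, vault, deposit):
        self.vault = vault
        self.deposit = deposit
        self.received = 0

    def on_receive(self, amount):
        self.received += amount
        if self.vault.reserve >= self.deposit:
            try:
                self.vault.withdraw(self)
            except RuntimeError:
                pass                      # a revert in the nested call is swallowed

    def run(self):
        self.vault.deposit(self, self.deposit)
        self.vault.withdraw(self)
        return self.received


def simulate(vault_cls, liquidity=10, deposit=1):
    """Return (amount the reentering caller walked away with, WETH left in the vault)."""
    vault = vault_cls(liquidity)
    caller = ReenteringCaller(vault, deposit)
    return caller.run(), vault.reserve


if __name__ == "__main__":
    print("vulnerable:", simulate(VulnerableVault))   # (11, 0): whole reserve drained
    print("guarded:   ", simulate(GuardedVault))      # (1, 10): only its own deposit
```

The vulnerable vault loses its entire reserve because each nested call still sees the caller's original LP balance; the guarded vault returns only the caller's own deposit, and the nested call is rejected by the lock before it can even reach the zeroed balance. Either fix on its own (ordering or the lock) stops this particular drain; applying both is the usual practice.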
(5) On December 15, the Lingshi Technology project team monitored an on-chain attack on the DCFToken project on BNB Smart Chain. The attacker made a profit of approximately US$8,800. The main cause of the vulnerability was that the DCFToken contract used a single source, PancakeSwap V2, to calculate the price of DCFToken, so the attacker could manipulate that price and then arbitrage the difference.
For a detailed attack analysis, please click this link:
https://mp.weixin.qq.com/s/DDadR1nOyYl-dPi5zwLLSQ
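To show why a single spot-price source is manipulable, here is a constructed model (added here, not DCFToken's or PancakeSwap's code) of a constant-product pool, a large in-block swap that moves its spot price, and a Uniswap-V2-style cumulative price accumulator reading the same pool. Reserve sizes, the 25 bps fee and the timestamps are invented for the illustration.

```python
"""Constructed model of the price-source weakness described for DCFToken (added
example, not the project's code): a constant-product pool in the style of
PancakeSwap V2, the spot price a naive contract would read from it, and a
cumulative-price (TWAP) oracle over the same pool. Numbers are invented."""


class ConstantProductPool:
    """x * y = k pool; fee_bps is the swap fee in basis points (assumed 25)."""

    def __init__(self, reserve_token, reserve_quote, fee_bps=25):
        self.reserve_token = reserve_token
        self.reserve_quote = reserve_quote
        self.fee_bps = fee_bps

    def spot_price(self):
        """Quote per token, taken straight from the current reserves."""
        return self.reserve_quote / self.reserve_token

    def swap_quote_for_token(self, amount_in):
        """Sell `amount_in` quote for tokens; returns the tokens received."""
        in_with_fee = amount_in * (10_000 - self.fee_bps) / 10_000
        out = self.reserve_token * in_with_fee / (self.reserve_quote + in_with_fee)
        self.reserve_quote += amount_in
        self.reserve_token -= out
        return out

    def swap_token_for_quote(self, amount_in):
        """Sell `amount_in` tokens for quote; returns the quote received."""
        in_with_fee = amount_in * (10_000 - self.fee_bps) / 10_000
        out = self.reserve_quote * in_with_fee / (self.reserve_token + in_with_fee)
        self.reserve_token += amount_in
        self.reserve_quote -= out
        return out


class CumulativePriceOracle:
    """Price accumulator: sum of price * seconds, updated once per block."""

    def __init__(self, pool, now):
        self.pool = pool
        self.cumulative = 0.0
        self.last_time = now
        self.last_price = pool.spot_price()

    def update(self, now):
        # Only the time elapsed since the previous update is weighted, and it is
        # weighted with the price stored at that previous update.
        self.cumulative += self.last_price * (now - self.last_time)
        self.last_time = now
        self.last_price = self.pool.spot_price()

    def snapshot(self):
        return self.cumulative, self.last_time


def twap(start, end):
    """Time-weighted average price between two oracle snapshots."""
    (c0, t0), (c1, t1) = start, end
    return (c1 - c0) / (t1 - t0)


def demo():
    pool = ConstantProductPool(reserve_token=1_000_000, reserve_quote=100)
    oracle = CumulativePriceOracle(pool, now=0)
    start = oracle.snapshot()
    spot_before = pool.spot_price()

    # Block at t=100: a flash-loan-sized swap moves the spot price roughly 4x.
    oracle.update(100)
    pool.swap_quote_for_token(100)
    spot_manipulated = pool.spot_price()      # what a spot-reading contract sees
    oracle.update(100)                        # same block: zero time weight
    twap_same_block = twap(start, oracle.snapshot())

    # Next block at t=101: the manipulated price has counted for one second only.
    oracle.update(101)
    twap_next_block = twap(start, oracle.snapshot())

    return {
        "spot_before": spot_before,
        "spot_manipulated": spot_manipulated,
        "twap_same_block": twap_same_block,
        "twap_next_block": twap_next_block,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>18}: {value:.6e}")
```

A contract that values DCFToken from `spot_price()` in the same transaction as the swap sees a price about four times the real one, which is the arbitrage described above. The accumulator reading gives the attacker no leverage within the block and very little in the next, so the usual mitigations are a time-weighted price over a window, a second independent source (for example a Chainlink-style feed or a second pool) with a deviation check, or both.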
(6) On December 24, according to Scam Sniffer, a victim lost $1 million to fake Zoom malware linked to the us04-zoom[.]us threat actor. Cases of private-key-stealing malware are currently on the rise; the download source should be strictly verified and a security scan performed before installation. Previously, X platform user Lsp (@lsp8940) had posted: "My wallet was stolen and 1 million USD0++ was lost. The hacker disguised a Twitter account and pretended to be my friend using information from my Twitter interactions. Then they said they wanted to have a meeting with me to discuss project development and sent me a Zoom link. I have Zoom on my computer, but there were always problems when I used Zoom before, so I needed to reinstall it. So when the webpage prompted me to reinstall it, I did, and when I woke up, I found that the wallet had been stolen."
(7) On December 29, the FEG project was attacked, with a loss of approximately US$1 million. According to analysis, the root cause appears to be a composability issue in the integration with the underlying Wormhole cross-chain bridge, which carries FEG's cross-chain messages and tokens.
Rug Pull / Phishing Scam
9 typical security incidents
(1) On December 1, an address starting with 0x32b8 lost $1.45M of Aave USDC after signing a phishing "permit" signature.
(2) On December 3, an address starting with 0x95d1 lost $1.41M after signing a phishing "approval" transaction.
(3) On December 5, an address starting with 0x30f8 lost 2.77 BTC ($284K+) to a phishing attack. Less than an hour after withdrawing from MEXC, it fell for the "Increase Approval" phishing signature.
(4) On December 8, a $PEPE holder with an address starting with 0x16f5 lost $135 by signing a malicious "increaseAllowance" transaction.
(5) On December 9, a victim lost $2.2M after clicking a phishing link posted from the compromised WallStreetBets X account. Analysis showed that the phishing website exploited XSS vulnerabilities on some websites.
(6) On December 11, an address starting with 0x7a12 lost SolvBTC worth $7.8M after signing a phishing transaction.
(7) On December 18, an address starting with 0xae4f lost aEthWETH and aPolWMATIC worth $492K after signing a "permit" phishing signature.
(8) On December 20, an address starting with 0x8458 lost 1 Doodle after signing a "setApprovalForAll" phishing transaction.
(9) On December 20, an address starting with 0x61ccc lost $200K after signing an "increaseAllowance" phishing transaction.
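Every incident in this list hinges on the victim signing something that grants a spender rights: an `approve`, `increaseAllowance` or `setApprovalForAll` call, or an EIP-2612 `permit` signature. The screening below is a constructed example (added here, not code from any wallet, Scam Sniffer or the projects named) of the checks a wallet or monitoring tool can apply before the user signs: it decodes the raw calldata by its standard 4-byte selector, pulls out the spender and amount, and flags unknown spenders and unlimited allowances; it does the same for a `Permit` typed-data request. The sample calldata, the addresses and the trusted-spender list are all constructed for the demonstration.

```python
"""Pre-signature screening for the approval-granting calls named in the phishing
incidents above (constructed example, not any wallet's or monitor's code).
It decodes raw ERC-20 / ERC-721 calldata and EIP-2612 Permit typed data and
returns the warnings a wallet or a monitoring tool would surface before signing."""

MAX_UINT256 = (1 << 256) - 1

# Standard 4-byte selectors: the first four bytes of keccak256(function signature).
APPROVAL_SELECTORS = {
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
    bytes.fromhex("39509351"): "increaseAllowance(address,uint256)",
    bytes.fromhex("a22cb465"): "setApprovalForAll(address,bool)",
}
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")   # transfer(address,uint256), not an approval


def encode_call(selector: bytes, address: str, value: int) -> bytes:
    """Construct sample calldata: selector + ABI-encoded (address, uint256/bool)."""
    addr_word = bytes.fromhex(address[2:]).rjust(32, b"\x00")
    return selector + addr_word + value.to_bytes(32, "big")


def screen_calldata(data: bytes, trusted_spenders=frozenset()) -> list:
    """Warnings for a transaction about to be signed; an empty list means no concern."""
    warnings = []
    if len(data) < 68:
        return warnings
    name = APPROVAL_SELECTORS.get(data[:4])
    if name is None:
        return warnings                        # not an approval-granting call
    spender = "0x" + data[16:36].hex()         # address sits in the low 20 bytes of word 1
    value = int.from_bytes(data[36:68], "big")
    if spender not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"{name} grants spending rights to unknown address {spender}")
    if name.startswith("setApprovalForAll"):
        if value == 1:
            warnings.append("setApprovalForAll(true) hands over every token in the collection")
    elif value == MAX_UINT256:
        warnings.append("unlimited (uint256 max) allowance requested")
    return warnings


def screen_typed_data(typed: dict, trusted_spenders=frozenset()) -> list:
    """Warnings for an EIP-712 signature request shaped like EIP-2612 Permit."""
    if typed.get("primaryType") != "Permit":
        return []
    msg = typed.get("message", {})
    spender = str(msg.get("spender", "")).lower()
    value = int(msg.get("value", 0))
    token = typed.get("domain", {}).get("name", "token")
    warnings = []
    if spender not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"Permit lets unknown address {spender} spend {token} with no on-chain approval")
    if value == MAX_UINT256:
        warnings.append("Permit value is uint256 max: unlimited allowance")
    return warnings


# Constructed sample requests (addresses are placeholders, not real contracts).
UNKNOWN = "0x" + "11" * 20
VETTED_ROUTER = "0x" + "aa" * 20          # stands in for a spender the user has vetted
SAMPLE_INCREASE = encode_call(bytes.fromhex("39509351"), UNKNOWN, MAX_UINT256)
SAMPLE_SET_ALL = encode_call(bytes.fromhex("a22cb465"), UNKNOWN, 1)
SAMPLE_TRANSFER = encode_call(TRANSFER_SELECTOR, UNKNOWN, 10**18)
SAMPLE_PERMIT = {
    "primaryType": "Permit",
    "domain": {"name": "USD Coin", "chainId": 1},
    "message": {"owner": VETTED_ROUTER, "spender": UNKNOWN,
                "value": str(MAX_UINT256), "nonce": 0, "deadline": 4102444800},
}

if __name__ == "__main__":
    for label, data in [("increaseAllowance", SAMPLE_INCREASE),
                        ("setApprovalForAll", SAMPLE_SET_ALL),
                        ("transfer", SAMPLE_TRANSFER)]:
        print(label, screen_calldata(data, {VETTED_ROUTER}))
    print("permit", screen_typed_data(SAMPLE_PERMIT, {VETTED_ROUTER}))
```

The transfer sample produces no warning because it moves funds now rather than granting a standing right; the approval and permit samples each produce two, one for the unknown spender and one for the unlimited amount. A permit signature never appears as a transaction from the victim's wallet, which is why it needs its own check: the phisher submits it on-chain later, and the first visible event is the transfer out.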
Summary
Losses from cryptocurrency scams, vulnerabilities, and hacks tapered off in the final months of 2024, with December being the month with the fewest hacks of the year. Vulnerabilities were responsible for the bulk of the losses, with attackers stealing $26.7 million in December.
The Zero Time Technology security team recommends that project owners remain vigilant at all times and reminds users to beware of phishing attacks. Users are advised to fully understand a project's background and team before participating and to choose investment projects carefully. In addition, projects should carry out internal security training and permission management, and should engage professional security companies to audit the code and investigate the project's background before it goes live.