April was a hectic month for the web3 security landscape, including significant rug pulls and security hacks totaling over $103 million in losses. Read on as we dive into three major security incidents and some of the trends from last month 👇
🔒 Overview of Web3 Security Breaches
Here’s a breakdown of the losses experienced due to various incidents, for a total of over $103 million.
- Smart Contract Hacks: Over $51 million
- Rug Pulls/Scams: More than $47 million
- Compromised Keys: Approximately $2 million
🕵️ Incident Analysis
Hedgey Finance’s Contract Hack
On April 19th, Hedgey Finance's ClaimsCampaign contract, used for community token claims, was exploited across Ethereum, Arbitrum, Fantom, Polygon, BNB Chain, and Shimmer, resulting in a $45 million loss. The attack spanned more than 17 transactions within 2 hours, with each theft requiring two transactions. An MEV bot operator front-ran some of the attacker's transactions, and part of those funds was recovered. Hedgey alerted the BonusBlock project in time for it to remove liquidity and freeze deposits. The team sent an onchain message to the attacker but received no response. To strengthen its security posture, Hedgey announced five new audits planned for May and a new bug bounty program.
Pike Finance Protocol Hacked (Twice!)
Pike Finance, a cross-chain lending protocol that integrates with Wormhole, Circle’s CCTP, and Gelato, was hacked twice in April. The first hack, on April 26th, was caused by insufficient validation or access control and resulted in a $300K loss. Four days later, on April 30th, a second hack occurred due to a bug in the fix for the first hack, leading to a $1.6M loss. These incidents affected multiple chains, including Ethereum, Arbitrum, and Optimism. In response, the team paused all operations, sunset Pike Beta, and announced plans to compensate users. They recently posted a fund restitution update, included below.
XBridge Protocol Hack
XBridge, a cross-chain protocol by SaitaChain for bridging tokens between Ethereum and BNB Chain without a transfer tax, was hacked on April 24th for $1.4 million due to insufficient validation. The bridge primarily supported tokens associated with the SaitaChain ecosystem, including STC, SRLTY, and MAZI. The hack took two transactions per asset: the first set the attacker as the token's owner, and the second withdrew that token's balance from the bridge. The SaitaChain team acknowledged the attack in a statement on X. As of May 8th, the XBridge website remains down.
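The two-transaction pattern described above (name yourself as a token's owner, then withdraw as that owner) is what an unvalidated address parameter on a privileged role-assignment function looks like in practice. The Solidity below is an added, hypothetical illustration written for this post; it is not XBridge's or SaitaChain's code, and the contract and function names (`VulnerableBridge`, `HardenedBridge`, `registerToken`, `tokenOwner`) are assumptions, not identifiers from the incident. It shows a weak registration function beside a hardened one, so the two transactions in the attack map onto `registerToken` and `withdraw`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration for this post, not XBridge/SaitaChain code.
// Pattern: a per-token "owner" role that may withdraw bridged liquidity,
// assigned through a function whose address parameters are never validated.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract VulnerableBridge {
    address public admin;
    // token => account allowed to pull that token out of the bridge
    mapping(address => address) public tokenOwner;

    constructor() { admin = msg.sender; }

    // Transaction 1 of the attack: anyone can register (or re-register) any
    // token and name any address as its owner. No check on msg.sender, no
    // check that the token is not already registered, no zero-address check.
    function registerToken(address token, address owner) external {
        tokenOwner[token] = owner;
    }

    // Transaction 2: the freshly named "owner" drains the bridge's balance
    // of that token. This check is correct; the flaw is upstream of it.
    function withdraw(address token, uint256 amount) external {
        require(msg.sender == tokenOwner[token], "not token owner");
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
    }
}

contract HardenedBridge {
    address public admin;
    mapping(address => address) public tokenOwner;

    event TokenRegistered(address indexed token, address indexed owner);
    event TokenOwnerChanged(address indexed token, address indexed oldOwner, address indexed newOwner);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor() { admin = msg.sender; }

    // Registration is privileged, one-shot, and rejects degenerate addresses.
    function registerToken(address token, address owner) external onlyAdmin {
        require(token != address(0) && owner != address(0), "zero address");
        require(token.code.length > 0, "token is not a contract");
        require(tokenOwner[token] == address(0), "already registered");
        tokenOwner[token] = owner;
        emit TokenRegistered(token, owner);
    }

    // Re-pointing an existing role requires the current holder, so a
    // stranger cannot overwrite it with their own address.
    function transferTokenOwnership(address token, address newOwner) external {
        address current = tokenOwner[token];
        require(msg.sender == current, "not token owner");
        require(newOwner != address(0), "zero address");
        tokenOwner[token] = newOwner;
        emit TokenOwnerChanged(token, current, newOwner);
    }

    function withdraw(address token, uint256 amount) external {
        require(msg.sender == tokenOwner[token], "not token owner");
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
    }
}
```

The point of the side-by-side is that `withdraw` is identical in both contracts and looks fine in isolation; an audit that reviews it without asking who is allowed to populate `tokenOwner`, and with what values, misses the bug. When reviewing bridge or vault code, trace every address that gates a privileged action back to the function that writes it and confirm that write is itself access-controlled, rejects `address(0)`, and cannot silently overwrite an existing entry.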
📉 Vulnerability and Auditing Trends
Vulnerabilities
- Two of the largest hacks were caused by insufficient validation on address parameters
- At least five hacks were caused by broken/insufficient validation
- The vulnerable code had been audited for two of the three largest smart contract hacks
- Two of the three largest smart contract hacks involved multiple transactions
Trends and Outliers
- All three of the largest smart contract hacks happened on multiple chains
- April was the second consecutive month in which:
  - Smart contract hacks accounted for more than 30% of the overall losses
  - Compromised private keys accounted for less than 5% of the losses
- Two of the four largest scams were run by teams involved in previous scams