Monthly Hacks Roundup: March 2024

April 19, 2024
Quantstamp Announcements

Monthly Hacks Roundup: March 2024

March was a volatile month for the web3 security landscape, with significant security breaches totalling over $152 million in losses. Read on as we dive into four major security incidents and the trends from last month 👇

🔒 Overview of Web3 Security Breaches

Here’s a breakdown of the losses experienced due to various incidents:

- Smart Contract Hacks: Over $47 million

- Rug Pulls/Scams: More than $100 million

- Compromised Keys: Approximately $4 million

- Total: Over $152 million

🕵️ Incident Analysis

Curio ($16M)

An attacker managed to alter the governance system of CurioDAO by locking two governance tokens and using a malicious execution library. This allowed them to execute unauthorized actions including the mass minting of approximately 1 billion $CGT tokens, severely undermining the protocol's integrity.

Prisma Finance ($11M)

Prisma, a collateralized stablecoin platform, suffered an exploit involving the MigrateTroveZap contract. An attacker manipulated collateral amounts during a migration process, resulting in the improper adjustment of collateral values and the unauthorized opening of new financial positions. In a surprising twist, the white hat hacker reached out explaining that their aim is to raise awareness on serious contract audits, highlighting the need for rigorous contract audits and a serious attitude towards project responsibility.

WOOFi ($8.5M)

WOOFi lost $8.5 million due to a price manipulation exploit facilitated by a recent addition of a lending market by Silo Finance. Attackers inflated and deflated the price of the WOO token through strategic swaps, then exploited these manipulated prices to drain significant funds, exploiting weaknesses in WOOFi's Synthetic Proactive Market Making (sPMM) system and its misconfiguration of fallback oracles.

Super Sushi Samurai Hack ($4.8M)

This GameFi protocol was compromised due to a self-transfer bug in their SSS token, enabling infinite minting. The attacker drained $4.8 million worth of WETH from the SSS/ETH Thruster pool. Remarkably, the funds were returned in exchange for a bounty and the hacker was even brought onto the team as a security advisor.

📉 Vulnerability and Auditing Trends

Vulnerabilities

Auditing

Trends and Outliers

👋 See you next month!

To stay informed, secure, and ahead of the curve, follow us on Twitter @Quantstamp and keep an eye out for next month’s roundup! Together, we can secure the future of web3 💪

Quantstamp Announcements
April 19, 2024

Monthly Hacks Roundup: March 2024

March was a volatile month for the web3 security landscape, with significant security breaches totalling over $152 million in losses. Read on as we dive into four major security incidents and the trends from last month 👇

🔒 Overview of Web3 Security Breaches

Here’s a breakdown of the losses experienced due to various incidents:

- Smart Contract Hacks: Over $47 million

- Rug Pulls/Scams: More than $100 million

- Compromised Keys: Approximately $4 million

- Total: Over $152 million

🕵️ Incident Analysis

Curio ($16M)

An attacker managed to alter the governance system of CurioDAO by locking two governance tokens and using a malicious execution library. This allowed them to execute unauthorized actions including the mass minting of approximately 1 billion $CGT tokens, severely undermining the protocol's integrity.

Prisma Finance ($11M)

Prisma, a collateralized stablecoin platform, suffered an exploit involving the MigrateTroveZap contract. An attacker manipulated collateral amounts during a migration process, resulting in the improper adjustment of collateral values and the unauthorized opening of new financial positions. In a surprising twist, the white hat hacker reached out explaining that their aim is to raise awareness on serious contract audits, highlighting the need for rigorous contract audits and a serious attitude towards project responsibility.

WOOFi ($8.5M)

WOOFi lost $8.5 million due to a price manipulation exploit facilitated by a recent addition of a lending market by Silo Finance. Attackers inflated and deflated the price of the WOO token through strategic swaps, then exploited these manipulated prices to drain significant funds, exploiting weaknesses in WOOFi's Synthetic Proactive Market Making (sPMM) system and its misconfiguration of fallback oracles.

Super Sushi Samurai Hack ($4.8M)

This GameFi protocol was compromised due to a self-transfer bug in their SSS token, enabling infinite minting. The attacker drained $4.8 million worth of WETH from the SSS/ETH Thruster pool. Remarkably, the funds were returned in exchange for a bounty and the hacker was even brought onto the team as a security advisor.

📉 Vulnerability and Auditing Trends

Vulnerabilities

Auditing

Trends and Outliers

👋 See you next month!

To stay informed, secure, and ahead of the curve, follow us on Twitter @Quantstamp and keep an eye out for next month’s roundup! Together, we can secure the future of web3 💪

Quantstamp Announcements

Modular Account: How Audits Can Help Shape Standards And Catalyze Mass Adoption

Quantstamp recently conducted a smart contract audit for Alchemy’s Modular Account, a wallet implementation designed from the ground up for ERC-4337 and ERC-6900 compatibility including two plugins

Read more
Quantstamp Announcements

Quantstamp 2023 Web3 Security Year In Review

As the year comes to a close, we wanted to take a moment to reflect on this year’s biggest hacks, root causes, and noteworthy trends.

Read more