
CertiK's Hack3d: 2024 Annual Security Report has been released, providing an in-depth analysis of the security situation in the Web3.0 field in 2024. Total losses exceeded $2.3 billion, a year-on-year increase of 31.61%; December was the month with the lowest losses. Over the past year, phishing attacks and private key leaks occurred frequently and became the most significant attack methods affecting the industry.

Key Data

Total Losses: In 2024, the Web3.0 industry experienced a total of 760 on-chain security incidents, with total losses of approximately $2.363 billion. Compared to 2023, total losses in 2024 increased by about 31.61%, and the number of security incidents increased by 29.

Average Loss: The average loss per security incident in 2024 was approximately $3.1089 million (an increase of 23.04% compared to last year), with a median loss amount of approximately $150,900 (year-on-year increase of 46.83%).

Monthly Data: May was the month with the highest losses of the year, with a total of 63 incidents and total losses reaching $444 million. December had the lowest loss amount, totaling $26.7 million.

Quarterly Data: Similar to the third quarter of 2023, the third quarter of 2024 also experienced the most severe losses, with a total of 157 attacks, fraud, and exploitation incidents, leading to total losses of approximately $753 million. The total loss amount in the fourth quarter decreased by 46.65%.

Main Attack Methods: Phishing was the most damaging attack method in 2024, with a total of 296 incidents causing losses of approximately $1.05 billion, three of which each exceeded $100 million. Losses from phishing accounted for nearly half of the total amount stolen during the year and for 39.1% of all attack incidents. This indicates that, on average, the loss per phishing incident is far higher than the loss per incident for other attack types.

Ranked second is private key leakage, with a total of 65 incidents occurring this year, resulting in total losses of approximately $855 million. Throughout 2024, phishing and private key leakage incidents occurred frequently in each quarter.

Distribution of on-chain security incidents: Ethereum is the blockchain most affected by security incidents, with a total of 403 attacks, fraud, and exploitation incidents, resulting in losses of approximately $749 million, averaging $1.8578 million per incident. Bitcoin and Tron chains follow closely, with losses of about $567 million and $136 million, respectively. There were a total of 39 security incidents involving multiple chains, causing losses of $435 million.

Security Trends

Phishing has become the attackers' preferred method due to its simplicity and efficiency: unlike attacks that rely on technological breakthroughs, phishing exploits human weaknesses. Attackers use fake emails, counterfeit websites, or fraudulent information to entice victims to voluntarily disclose sensitive information such as passwords, private keys, or wallet addresses. In the Web3.0 field, the irreversibility of transactions further amplifies the destructive power of phishing—once funds are transferred, they are almost impossible to recover unless the attacker voluntarily returns them.

However, if losses caused by phishing attacks are excluded, the overall security of the ecosystem has improved. For instance, in 2024, only one security incident (WazirX, with a loss of $231 million) is listed among the top 20 incidents from 2021 to the present. This indicates that significant incidents with losses exceeding $100 million are gradually decreasing.

Industry Trends

In 2024, the Web3.0 industry achieved milestone progress, significantly enhancing its acceptance and integration in mainstream finance. However, this development also underscored the importance of strengthening security measures to protect the growing capital.

With the recovery of market confidence, the prolonged stagnation of the 'Web3.0 winter' gave way to a gradual rebound over the course of the year. The return of institutional investors brought a wave of capital inflow, laying the groundwork for Bitcoin to break the historic $100,000 milestone. This occurred after the 2024 U.S. presidential election and also drove the prices of other major digital currencies such as Ethereum and Solana to rise in step.

Trump's re-election as president has evidently become a turning point for the U.S. Web3.0 industry and may influence other global markets.

Despite the varying impacts of global regulatory strategies on the Web3.0 industry, one thing remains constant: security is paramount. As the market continues to develop and gradually integrate into the traditional financial system, risks such as non-compliance, fraud, and asset theft are also on the rise.

Annual Review

For CertiK, 2024 was also a milestone year, achieving numerous accomplishments and continuously contributing to Web3.0 security:

Technological Breakthroughs:

  • Completed formal verification of zkWasm circuits containing 144 instructions, marking the first fully completed formal verification work in the zero-knowledge proof ecosystem.

  • Conducted rigorous penetration testing on Bybit's non-custodial wallet component with over 1 million users.

  • Conducted a security assessment of the first public SDK for GalaChain and used the SDK for performance testing, identifying some system efficiency issues and assisting its team in optimizing the codebase.

Vulnerability Discoveries:

  • Discovered a critical vulnerability in CosmWasm that allows untrusted Wasm to run on application chains across more than 20 Cosmos ecosystems.

  • Received acknowledgment from ByteDance for identifying and helping mitigate significant security risks in its systems.

  • Reported a potential risk in Ant Group's system to the Ant Security Response Center and assisted them in swiftly implementing necessary security measures.

  • Received recognition from Apple for the sixth time due to the discovery of a vulnerability in the Apple Vision Pro eye-tracking technology.

  • Discovered a high-risk vulnerability in Samsung's Blockchain Keystore and received acknowledgment from Samsung for the third time.

Customer Service:

  • Upgraded CertiK's products and services, launching a full lifecycle security solution aimed at covering all stages of a project's journey from startup to becoming a star project; also launched various free security tools led by Token Scan and Wallet Scan to help users secure their assets.

  • Launched CertiK Ventures, announcing its $45 million investment plan.

  • Proposed a new brand slogan 'Elevating Your Entire Web3 Journey,' articulating our commitment to providing innovative and full-cycle products and services.

Industry Impact:

  • Conducted in-depth research on decentralized physical infrastructure networks (DePIN), helping projects like APhone and Aethir reduce security risks, and shared experiences and insights about the DePIN field at the 2024 Qualcomm Product Security Summit.

  • Provided audit services for 6 of the top ten projects in Forbes' 2024 mid-year digital asset ranking, including TON, Core DAO, PEPE, FLOKI, FET, and Bitget.

  • Professor Gu Ronghui, co-founder and CEO of CertiK, attended the 2024 Singapore Fintech Festival and was interviewed by several international media outlets, including Money FM, Lianhe Zaobao, Hong Kong Ming Pao, Hong Kong Sing Tao and Bloomberg Businessweek.

  • Professor Gu Ronghui engaged in a fireside chat with Binance founder CZ (Zhao Changpeng), discussing key topics such as Web3.0 security challenges, blockchain innovation, and shaping the future of the ecosystem.

Regulatory Recommendations:

  • Recommendations provided for the Monetary Authority of Singapore (MAS) stablecoin framework were recognized.

  • Submitted two stablecoin regulatory recommendations to the Hong Kong Monetary Authority (HKMA) and the Hong Kong Financial Services and the Treasury Bureau (FSTB), both of which were approved.

Market Position:

  • As of July 2024, CertiK held nearly 50% of the global Web3.0 audit market share.

  • Ranked first on the official list of security service providers for TON.

Conclusion

CertiK is committed to continuously tracking security trends in the Web3.0 field. To date it has conducted over 70 white-hat operations, reported more than 4,000 security incidents, discovered over 115,000 code vulnerabilities, and protected over $510 billion in digital assets from potential losses, and through its annual and quarterly security reports it provides key security information to the industry. Each security report receives significant attention from the industry upon release and is quickly covered and cited by core media in the Web3.0 field, such as CoinDesk and Cointelegraph.

CertiK's annual report also analyzes in depth the relationship between the blockchain platforms most frequently attacked in 2024, the amounts stolen, and total value locked (TVL); reviews the year's significant security events and key industry developments; and provides security best practices for Web3.0 participants.

Readers are welcome to copy and open the original link at the end of this article to read the complete Hack3d: 2024 Annual Security Report for more comprehensive analysis, insights, and recommendations.

Original link: https://indd.adobe.com/view/ef25ad7c-8c1c-47b0-91f8-a9c18c49cfd3