The year 2024 saw a significant number of security breaches across the web3 ecosystem, with smart contract exploits and access control failures emerging as primary attack vectors. These incidents led to substantial financial losses, highlighting recurring vulnerabilities in decentralized applications and blockchain infrastructure.
Amidst these security challenges, the crypto market experienced unprecedented growth. The global crypto market cap surpassed $3 trillion, driven by increased institutional adoption and expanding DeFi activity. Bitcoin reached an all-time high of $108,000, while Total Value Locked (TVL) in DeFi exceeded $137 billion. This surge in capital created a lucrative target for malicious actors, leading to a wave of sophisticated attacks that exploited vulnerabilities in smart contracts, wallet security, and access controls across various blockchain ecosystems.
This report analyzes the major hacks of 2024, identifying patterns, trends, and key attack methodologies. By examining these breaches, we aim to provide a comprehensive overview of the risks associated with smart contract vulnerabilities and access control misconfigurations.

Key Findings
- Total losses exceeded $2.6 billion USD across 192 incidents. A significant portion of these losses resulted from unauthorized access and smart contract-level vulnerabilities.
- The large majority of attacks exploited access control failures. Smart contract exploits were primarily due to contract logic flaws; reentrancy vulnerabilities and improper upgrade mechanisms were also among the most common causes.
- Ethereum and BNB Chain were the most affected networks, with a combined 83% of total incidents. Arbitrum, Solana, and Optimism also experienced a notable share of attacks.
- The largest individual exploit of 2024 resulted in a loss of $308 million USD. Other major incidents included governance exploits, compromised private keys, and oracle manipulation attacks.
- Recurring attack patterns were observed across multiple cases. Several incidents in 2024 exploited vulnerabilities that had been previously documented in past years, indicating a persistent challenge in securing web3 protocols.
This report serves as a resource for blockchain developers, security teams, and industry participants to better understand the evolving threat landscape and the critical need for enhanced security measures.
Introduction to Smart Contract Exploits and Access Control Hacks
Understanding the Threat Landscape
As the adoption of blockchain technology grows, so does the sophistication of attacks targeting decentralized applications (dApps), protocols, and exchanges. Two of the most prevalent forms of web3 security breaches are smart contract exploits and access control hacks. These attack vectors have been responsible for billions of dollars in losses, often exploiting vulnerabilities that have been repeatedly observed in past incidents.
What Are Smart Contract Exploits?
Smart contracts are self-executing agreements written in code and deployed on blockchains. While they enable decentralized finance (DeFi) and other web3 innovations, they also present security risks due to their immutable nature. Once a smart contract is deployed, vulnerabilities in its code can be exploited indefinitely unless mitigated through contract upgrades or external security measures.
Common Types of Smart Contract Exploits
- Reentrancy Attacks – Exploiting recursive calls to drain funds from a contract before its balance updates.
- Integer Overflows and Underflows – Manipulating arithmetic operations to produce unintended results.
- Flash Loan Attacks – Using uncollateralized loans to manipulate on-chain prices and drain liquidity pools.
- Oracle Manipulation – Falsifying price feeds to exploit contracts that rely on external data sources.
- Logic Errors and Flawed Permissioning – Exploiting poorly designed smart contract logic to bypass intended restrictions.
What Are Access Control Hacks?
Access control mechanisms determine who can interact with smart contracts and critical infrastructure components. When improperly configured or compromised, they provide attackers with unauthorized control over funds, governance structures, or private data.
Common Access Control Vulnerabilities
- Phishing – Attackers trick administrators into granting access to unauthorized parties.
- Private Key Compromise – Attackers gaining control of admin wallets or multisig signers.
- Misconfigured Roles and Permissions – Excessive privileges granted to unauthorized entities.
- Insufficient Multisig Security – Exploiting weak governance structures to seize control over protocol functions.
- Front-end Hijacking – Redirecting users to malicious interfaces that sign transactions on their behalf.
- Backdoor Functions – Hidden functions within contracts that allow developers or attackers to withdraw funds.
Why Do These Attacks Keep Happening?
Despite advancements in blockchain security, smart contract exploits and access control hacks persist due to increasing protocol complexity, high-value targets in DeFi and exchanges, and a lack of standardized security measures. Many projects launch with minimal auditing and outdated protection models, while the rapid pace of innovation often prioritizes growth over thorough security testing, leaving vulnerabilities exposed.
Overview of Major Hacks in 2024
The hacks throughout the year can be categorized into two primary attack vectors:
- Private Key Exploits – Unauthorized access due to compromised private keys, weak multi-signature implementations, or misconfigured admin privileges.
- Smart Contract Exploits – Vulnerabilities within protocol logic, including reentrancy attacks, price oracle manipulation, and general contract flaws.
Access Control Breaches: Private Key Exploits
One of the largest security concerns in 2024 stemmed from private key compromises, where attackers gained control of administrative wallets or multisignature (multisig) accounts to drain funds.
May: The DMM Bitcoin Exchange / Ginco hack resulted in a $308 million loss. According to the FBI report, hackers gained access to the wallet management systems by compromising an executive at Ginco, the custody partner of the crypto exchange.
June: BTC Turk Exchange suffered a $55 million loss. The attack targeted ten hot wallets linked to the exchange and was enabled by compromised private keys.
July: WazirX, one of India’s largest exchanges, was compromised via a multi-signature and contract upgrade attack, leading to $230 million in losses.
September: The DeltaPrime protocol was exploited for $6 million, with Lazarus Group suspected of orchestrating the attack. Similarly, BingX suffered a $52 million loss due to compromised private keys, allowing attackers to withdraw funds from the exchange.
October: Radiant Capital lost $50 million through a contract upgrade and private key compromise, while Tapioca DAO saw $4.4 million drained after attackers gained access to vesting contract keys.
November: M2 Exchange lost $13.7 million due to compromised private keys, enabling attackers to drain funds from the platform. Additionally, Metawin suffered a $4 million loss after hackers accessed its hot wallet, facilitating unauthorized withdrawals.
Smart Contract Exploits: Reentrancy, Price Oracle Manipulation, and Logic Vulnerabilities
Another major trend in 2024 was smart contract vulnerabilities, which included reentrancy attacks, price oracle manipulation, and general contract flaws that allowed attackers to exploit faulty logic.
July: Rho Markets lost $7.6 million due to a price oracle manipulation attack, where attackers manipulated on-chain price feeds to execute profitable trades at artificially altered rates.
September: PenPie suffered a $27 million reentrancy attack, where attackers repeatedly called a vulnerable function within the contract before the balance could be updated, draining funds in the process.
November: Polter Finance was exploited for $8.7 million using price oracle manipulation, altering external price feeds to execute unfair transactions. Thala, meanwhile, lost $25.5 million due to a smart contract vulnerability, where flawed logic within the protocol’s code enabled attackers to bypass intended restrictions and withdraw funds.
The recurrence of smart contract exploits and private key breaches in 2024 underscores persistent security gaps in web3. Reentrancy attacks, price oracle manipulation, and flawed contract logic continued to plague DeFi, while private key compromises led to some of the year’s largest losses. These patterns highlight the need for stronger security frameworks, stricter access controls, and proactive threat monitoring to prevent future exploits.
Case Study 1: Radiant Capital Hack
Overview of Radiant Capital
Radiant Capital is a decentralized finance platform offering cross-chain borrowing and lending services, enabling users to lend and borrow assets across multiple blockchains.
Details of the Hack
In October 2024, Radiant Capital suffered a sophisticated attack resulting in the loss of approximately $58 million.

The attack unfolded as follows:
- Initial Compromise (September 11, 2024): A Radiant developer received a Telegram message from an individual impersonating a former contractor. The message included a ZIP file containing a decoy PDF and macOS malware named INLETDRIFT, which, when opened, granted the attacker backdoor access to the developer’s device.
- Deployment of Malicious Contracts (October 2, 2024): The attacker deployed contracts on multiple blockchains, including Arbitrum, BSC, Base, and Ethereum. These contracts appeared benign and were funded in advance to avoid suspicion.
- Manipulation of Wallet Interface (October 16, 2024): With access to compromised devices, the attacker manipulated the Safe{Wallet} UI, presenting legitimate-looking transactions to collect the necessary signatures for malicious actions.
- Ownership Transfer and Fund Drainage: Using the collected multi-signature approvals, the attacker authorized a transfer of ownership of legitimate protocol contracts to malicious versions, subsequently draining approximately $50 million from core markets on Arbitrum and BSC.
The breach led to a significant loss of user funds and raised concerns about the security of multi-signature schemes and the susceptibility of developer environments to sophisticated phishing attacks.
Industry Best Practices for Access Control Security
The Radiant Capital hack exposed critical weaknesses in access control mechanisms, emphasizing the need for stricter protections on admin wallets, multi-signature approvals, and contract upgrade permissions. Below are industry best practices for access control security, along with how FailSafe’s solutions integrate to provide a comprehensive protection framework.
- Strong Multi-Signature and Role-Based Access Control (RBAC)
- Require multi-signature (multisig) authentication for all high-risk transactions, governance changes, and contract upgrades.
- Implement role-based access control (RBAC) to limit administrative privileges and enforce the principle of least privilege (PoLP).
- Regularly rotate signers and permissions to reduce the risk of long-term access compromise.
- Secure Admin Key Management & Distributed Access Control
- Store admin keys in secure hardware security modules (HSMs) or multi-party computation (MPC) wallets.
- Avoid single points of failure by distributing control among multiple trusted entities instead of relying on a single admin wallet.
- Use time-locked access for critical changes, requiring a delay period before execution to allow security intervention.
- Strong Authentication and Endpoint Security for Admins
- Enforce multi-factor authentication (MFA) and hardware security keys for all admin interactions.
- Monitor developer endpoints to prevent phishing attacks, malware infections, and unauthorized remote access.
- Limit access to signing wallets from pre-approved IP addresses and secured devices.
- Governance & Contract Upgrade Security
- Require on-chain governance approval before contract upgrades or administrative changes.
- Enforce immutable contract rules preventing unilateral control over upgrades.
- Implement time-locks on governance actions to allow for audits and community intervention.
- Real-Time Monitoring & Incident Response for Access Control Breaches
- Deploy real-time monitoring for admin transactions, with automated alerts for unusual access patterns.
- Implement circuit breakers that can freeze administrative actions in the event of an attack.
- Have predefined emergency response plans for revoking compromised admin privileges and migrating to new security protocols.
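The time-locked, two-step control change recommended above, written out as an added example (not Radiant Capital's or FailSafe's code). The owner is assumed to be a multisig, the guardian role, the delay value and the contract name are assumptions for illustration; the point is that a control change proposed by whoever holds the signer keys cannot take effect silently or immediately.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: ownership can only change through a proposal that waits `delay`
// seconds, is accepted by the proposed owner itself, and can be cancelled in the meantime
// by a separate guardian. The proposal event gives monitoring and the community a full
// delay window to react to an unexpected transfer.
contract TimelockedOwnership {
    address public owner;           // assumed: a multisig
    address public guardian;        // can cancel a pending change, cannot propose or accept
    uint256 public immutable delay; // seconds a proposed change must wait (assumed value)

    address public proposedOwner;
    uint256 public proposalReadyAt; // 0 when nothing is pending

    event OwnerTransferProposed(address indexed proposed, uint256 readyAt);
    event OwnerTransferCancelled(address indexed proposed, address indexed by);
    event OwnerTransferred(address indexed previous, address indexed current);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address _owner, address _guardian, uint256 _delay) {
        require(_owner != address(0) && _guardian != address(0), "zero address");
        owner = _owner;
        guardian = _guardian;
        delay = _delay;
    }

    // Step 1: the current owner proposes. Nothing changes yet.
    function proposeOwner(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address");
        proposedOwner = newOwner;
        proposalReadyAt = block.timestamp + delay;
        emit OwnerTransferProposed(newOwner, proposalReadyAt);
    }

    // Either the owner or the guardian can abort a pending change at any time during
    // the delay, e.g. after monitoring flags a proposal nobody on the team initiated.
    function cancelProposal() external {
        require(msg.sender == owner || msg.sender == guardian, "not authorized");
        require(proposalReadyAt != 0, "nothing pending");
        emit OwnerTransferCancelled(proposedOwner, msg.sender);
        _clearProposal();
    }

    // Step 2: only the proposed owner can complete the transfer, and only once the
    // delay has elapsed. A transfer that is cancelled in the window never executes.
    function acceptOwnership() external {
        require(proposalReadyAt != 0, "nothing pending");
        require(msg.sender == proposedOwner, "not proposed owner");
        require(block.timestamp >= proposalReadyAt, "timelock active");
        address previous = owner;
        owner = proposedOwner;
        _clearProposal();
        emit OwnerTransferred(previous, owner);
    }

    function _clearProposal() internal {
        proposedOwner = address(0);
        proposalReadyAt = 0;
    }
}
```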
Security Recommendations
The Radiant Capital hack demonstrated how weak access control mechanisms can lead to catastrophic financial losses. While multi-signature wallets and governance models offer some protection, they are not foolproof against sophisticated social engineering, phishing, or compromised developer devices.
FailSafe Guard and Monitoring work together to provide comprehensive access control security, preventing unauthorized governance actions and admin breaches in real time. Guard continuously tracks multi-signature approvals, identifying irregularities in signer behavior, location, and transaction frequency, while enforcing real-time policies to block unauthorized contract upgrades or governance attempts. Monitoring enhances this by providing real-time tracking of administrative transactions, leveraging behavioral analytics and AI-driven threat detection to detect anomalies like unexpected contract modifications or wallet drainage. When a potential breach occurs, Monitoring triggers instant alerts and activates circuit breakers, allowing teams to freeze admin wallets, revoke compromised privileges, or halt malicious interactions before financial losses occur. Together, these tools deliver proactive, automated access control protection, ensuring only verified personnel can execute critical functions while preventing unauthorized access in real time.
Case Study 2: Polter Finance Hack
Overview of Polter Finance
Polter Finance is a decentralized lending protocol on the Fantom blockchain, enabling users to borrow and lend assets within the DeFi ecosystem.
Details of the Hack
In November 2024, Polter Finance experienced a devastating exploit resulting in losses estimated at $8.7 million. The attack involved:
- Price Oracle Manipulation: The attacker exploited vulnerabilities in Polter Finance’s price oracle mechanism, specifically targeting the AaveOracle contract. By manipulating the price of the BOO token, the attacker artificially inflated its value.
- Flash Loan Execution: Utilizing flash loans, the attacker borrowed a significant amount of BOO tokens and manipulated their price by trading across liquidity pools. This artificial inflation allowed the attacker to borrow assets worth much more than the actual collateral, leading to substantial losses for the protocol.
The exploit led to the draining of multiple lending pools, severely impacting the protocol’s liquidity and user trust.
Industry Best Practices for Smart Contract Security
The Polter Finance hack underscores the critical need for stronger smart contract security in DeFi and enterprise blockchain projects. As attackers exploit vulnerabilities in contract logic, execution flow, and external dependencies, builders must adopt a proactive approach to prevent, detect, and mitigate risks in real time. Below are the best practices for securing smart contracts.
- Secure Development & Pre-Deployment Audits
- Conduct multiple independent security audits to detect vulnerabilities before deployment.
- Use formal verification to mathematically validate critical contract functions.
- Implement testnet simulations to stress-test contract behavior in adversarial conditions.
- Runtime Monitoring & Real-Time Threat Detection
- Deploy on-chain monitoring systems to track suspicious smart contract activity.
- Implement event-driven anomaly detection to flag irregular transaction patterns.
- Continuously validate external data inputs (e.g., price oracles) to prevent manipulation.
- Access Control & Permissioned Contract Execution
- Implement role-based smart contract permissions to restrict critical functions.
- Use multi-signature governance for contract upgrades and administrative changes.
- Enforce immutable constraints where feasible to reduce upgrade attack surfaces.
- Prevention of Common Smart Contract Exploits
- Prevent reentrancy attacks by using reentrancy guards and checks-effects-interactions patterns.
- Mitigate price oracle manipulation by aggregating multiple oracle sources and implementing time-weighted average price (TWAP) feeds.
- Ensure input validation to prevent integer overflows, unchecked external calls, and logical flaws.
- Automated Incident Response & Exploit Mitigation
- Design fail-safe mechanisms (pause functions, circuit breakers) to halt transactions in case of anomalies.
- Implement automated transaction analysis to detect and mitigate exploits before funds are drained.
- Ensure post-exploit forensic capabilities to analyze and recover from attacks.
Security Recommendations
The Polter Finance hack exposed the risks of smart contract vulnerabilities, demonstrating how attackers can exploit contract logic flaws, manipulate oracles, and bypass weak security mechanisms to drain funds. While pre-deployment audits help identify issues before launch, real-time monitoring and runtime security are essential to prevent exploits in live environments.
FailSafe Guard and Monitoring work together to provide comprehensive smart contract security, actively detecting and blocking reentrancy attacks, oracle manipulation, and unauthorized contract interactions before they escalate into financial losses. Guard enforces real-time execution policies, preventing unauthorized function calls, unsafe contract upgrades, and malicious contract interactions. Monitoring enhances this with AI-driven behavioral tracking, identifying irregular transaction patterns, oracle anomalies, and exploit attempts in real time. When a suspicious transaction is detected, Monitoring instantly flags the activity, triggers risk mitigation protocols, and enables circuit breakers to halt contract execution, preventing further damage. Together, these solutions proactively secure smart contracts, reducing attack surfaces and mitigating exploits before funds can be compromised.
Recurring Attack Patterns in 2024: A Persistent Security Challenge

Explaining the Link Between Attack Types and Root Causes
Reentrancy Attacks → Security as an Afterthought and a Lack of Real-Time Monitoring.
Why does this attack happen?
Reentrancy attacks occur when a smart contract allows untrusted external calls before updating its internal state. This vulnerability lets attackers repeatedly call a contract before the previous execution is completed, draining funds.
Why is this a result of Security as an Afterthought?
Many protocols prioritize rapid deployment over security, failing to implement basic reentrancy protections like checks-effects-interactions patterns or reentrancy guards (e.g., OpenZeppelin’s ReentrancyGuard). Projects often assume that audits alone will prevent such attacks, rather than building robust security models from the start.
Why does Lack of Real-Time Monitoring contribute?
If a protocol had real-time exploit detection, reentrancy loops could be halted before funds were drained.
FailSafe Monitoring, for example, would detect rapid, repetitive contract calls and trigger an automated circuit breaker to freeze execution before major losses occur.
Without live transaction tracking, an attack can go unnoticed until it’s too late, leading to significant financial damage.
Price Oracle Manipulation → Inadequate Runtime Protection and a Lack of Real-Time Monitoring
Why does this attack happen?
Price oracle manipulation occurs when attackers exploit single-source oracles or manipulate thinly traded assets to create an artificial price spike or crash. This allows them to borrow more than they should or drain liquidity pools at a favorable rate.
Why is this a result of Inadequate Runtime Protection?
Many protocols fail to validate oracle inputs in real-time, assuming external price feeds are reliable. Without a fallback mechanism, if an attacker inflates the price of an asset, the smart contract will accept the manipulated value and allow unfair liquidations or massive borrowings. Proper runtime protections should enforce price deviation thresholds, multi-source oracles, and delayed execution mechanisms to detect and reject suspicious pricing behavior.
Why does Lack of Real-Time Monitoring contribute?
Attackers often manipulate prices within a very short window (seconds to minutes). Without constant on-chain monitoring, protocols only realize the attack when it’s too late.
FailSafe Monitoring could prevent this by continuously tracking oracle price deviations, detecting anomalous swings, and automatically pausing transactions if a manipulation pattern is detected.
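The runtime protections described above (a staleness check, a multi-source deviation threshold, and a slow-moving reference that a single-block spike cannot move), as they would sit in front of a lending contract like the one in the Polter Finance case study. This is an added, constructed example, not Polter Finance's, Aave's or FailSafe's code; the IPriceFeed interface, the feed addresses and the threshold values are assumptions, and the "anchor" is a deliberately simple stand-in for a full TWAP.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface: a feed returns a price scaled by 1e18 and its last update time.
interface IPriceFeed {
    function latestPrice() external view returns (uint256 price, uint256 updatedAt);
}

// A price consumer that fails closed: the lending contract calls getValidatedPrice()
// instead of reading a raw feed, and any borrow or liquidation reverts if the price
// cannot be trusted.
contract GuardedPriceOracle {
    uint256 public constant BPS = 10_000;

    IPriceFeed public immutable primary;   // e.g. on-chain DEX spot (movable within one tx)
    IPriceFeed public immutable secondary; // independent source, e.g. an off-chain aggregator
    uint256 public immutable maxSourceDeviationBps; // allowed primary/secondary disagreement
    uint256 public immutable maxAnchorDeviationBps; // allowed move from the anchor in one step
    uint256 public immutable maxStaleness;          // seconds before a feed is treated as stale
    uint256 public immutable anchorInterval;        // minimum seconds between anchor updates

    uint256 public anchorPrice;     // last accepted price, refreshed at most once per interval
    uint256 public anchorUpdatedAt;

    event PriceAccepted(uint256 price);

    constructor(
        IPriceFeed _primary,
        IPriceFeed _secondary,
        uint256 _maxSourceDeviationBps,
        uint256 _maxAnchorDeviationBps,
        uint256 _maxStaleness,
        uint256 _anchorInterval
    ) {
        primary = _primary;
        secondary = _secondary;
        maxSourceDeviationBps = _maxSourceDeviationBps;
        maxAnchorDeviationBps = _maxAnchorDeviationBps;
        maxStaleness = _maxStaleness;
        anchorInterval = _anchorInterval;
        (anchorPrice, anchorUpdatedAt) = _secondary.latestPrice(); // seed from the slow source
    }

    // Relative difference in basis points, measured against the smaller value.
    function _deviationBps(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 diff = a > b ? a - b : b - a;
        uint256 base = a < b ? a : b;
        return base == 0 ? type(uint256).max : (diff * BPS) / base;
    }

    function getValidatedPrice() external returns (uint256) {
        (uint256 spot, uint256 spotAt) = primary.latestPrice();
        (uint256 ref, uint256 refAt) = secondary.latestPrice();

        // 0. Neither source may be stale (a timestamp in the future underflows and reverts).
        require(block.timestamp - spotAt <= maxStaleness, "oracle: primary stale");
        require(block.timestamp - refAt <= maxStaleness, "oracle: secondary stale");

        // 1. Two independent sources must agree; a pool-only spike fails here.
        require(_deviationBps(spot, ref) <= maxSourceDeviationBps, "oracle: sources disagree");

        // 2. The price may not jump too far from the slow-moving anchor in one step.
        require(_deviationBps(spot, anchorPrice) <= maxAnchorDeviationBps, "oracle: deviation");

        // 3. Advance the anchor only after the interval has elapsed, so a spike inside a
        //    single block cannot become the new reference for the next call.
        if (block.timestamp - anchorUpdatedAt >= anchorInterval) {
            anchorPrice = spot;
            anchorUpdatedAt = block.timestamp;
        }
        emit PriceAccepted(spot);
        return spot;
    }
}
```

A revert here is itself a signal: a monitoring system watching for failed getValidatedPrice() calls sees the manipulation attempt at the moment it is rejected rather than after funds have moved.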
Private Key & Access Control Breaches → Overreliance on Single Security Measures and Security as an Afterthought
Why does this attack happen?
Private key and access control breaches occur when admin keys are compromised, allowing attackers to upgrade contracts, change permissions, or directly withdraw funds. This often happens due to phishing attacks, poor key management, or insufficient access controls.
Why is this a result of Overreliance on Single Security Measures?
Many protocols assume that using a multi-signature wallet (multi-sig) is enough to prevent unauthorized access, but if the signers are compromised, the system is still vulnerable.
Protocols fail to implement additional security layers such as geofencing, hardware security modules (HSMs), time-based signing approvals, and behavioral transaction monitoring.
A single security measure cannot prevent all forms of attack—projects must implement multiple layers of protection.
Why does Security as an Afterthought contribute?
Access control and private key management often receive less attention than smart contract logic security, despite being a major attack vector.
Developers focus on code vulnerabilities but ignore off-chain risks, such as compromised admin devices, phishing attacks, and internal collusion.
FailSafe’s Co-Signer solution could prevent these attacks by requiring multi-factor authentication for approvals, behavioral analysis of admin transactions, and real-time risk assessment before executing critical actions.
Looking Ahead: 2025 Begins with a Record-Breaking Hack
While this report primarily examines the major exploits of 2024, it is crucial to acknowledge that the same attack patterns continue to emerge in early 2025. At the time of writing, one of the largest crypto heists in history—the $1.5 billion Bybit hack—has already surpassed the total losses recorded in 2024 alone. This incident serves as a stark reminder that the vulnerabilities exploited last year remain unresolved, underscoring the urgent need for proactive security measures across both DeFi and CeFi ecosystems.
FailSafe’s Automated Threat Response (ATR): Real-Time Threat Monitoring & Mitigation for Web3
FailSafe’s Automated Threat Response (ATR) is an AI-driven, real-time security framework designed to detect, analyze, and neutralize threats before they escalate into full-scale exploits. Unlike traditional security measures that react after an attack, ATR operates proactively, leveraging real-time monitoring, intelligent risk assessment, and automated threat mitigation to safeguard Web3 protocols from multi-step exploits, governance attacks, and smart contract vulnerabilities.
ATR functions through three critical layers of security:
- Predictive Threat Intelligence – Continuously scans on-chain transactions to identify irregular contract behaviors, suspicious wallet activity, and exploit signatures before attacks are executed.
- Condition-Based Exploit Detection – Uses behavioral pattern recognition and anomaly detection to recognize pre-exploit activity, such as abnormal approvals, governance takeovers, and flash loan manipulations.
- Automated Attack Prevention – Instantly executes security measures, including freezing malicious transactions, revoking unauthorized permissions, and activating emergency contract defenses to neutralize threats before assets are compromised.
Understanding Multi-Stage Web3 Exploits
Most high-profile Web3 hacks are not single-event transactions—they involve a structured series of exploitative steps that ATR is built to detect and intercept:
- Step 1: Pre-Exploit Activity – Attackers fund wallets through crypto mixers, newly created accounts, or compromised admin keys to prepare for their attack.
- Step 2: Progressive Exploitation – Attackers conduct small test transactions, manipulate oracles, and exploit liquidity pools step-by-step, avoiding detection.
- Step 3: Governance or Proxy Takeover – Using admin key access, backdoor contract interactions, or governance loopholes, attackers escalate privileges before executing their main attack.

FailSafe’s Automated Threat Response (ATR) isn’t just reactive—it’s predictive, proactive, and adaptive. As DeFi, DAOs, and Web3 infrastructure continue evolving, ATR ensures that protocols remain secure, resilient, and ahead of attackers in an increasingly sophisticated threat landscape.
Strengthening Web3 Security for the Future
The surge in Web3 exploits throughout 2024 highlights the growing complexity of security threats and the urgent need for a more adaptive and proactive approach to safeguarding blockchain ecosystems. While overall losses have not yet reached the highs of 2021 and 2022, the recurrence of well-known attack methods—such as smart contract exploits, price oracle manipulation, and access control breaches—exposes significant gaps in existing security frameworks. Addressing these vulnerabilities will require a shift from passive defenses to real-time threat detection, automated response mechanisms, and stronger human-focused security training.
To effectively combat these evolving threats, a collaborative industry-wide effort is essential. Protocols, security firms, and regulators must work together to implement data-sharing initiatives, real-time monitoring solutions, AI-driven exploit detection, and rapid response frameworks that can neutralize malicious actors before irreversible damage occurs. As crypto regulatory frameworks develop, scrutiny on platform security, governance controls, and customer asset protection will only increase. Industry best practices must evolve in parallel, ensuring both prevention and accountability in an increasingly high-risk environment.
Beyond technical defenses, security incidents remain largely tied to human error, with social engineering, malware, and phishing attacks continuing to be among the most effective vectors for attackers. While FailSafe and other security solutions can enforce on-chain security, prevent unauthorized transactions, and detect anomalies in real-time, organizations must also prioritize internal security training to educate teams on the risks of phishing, credential theft, and malicious software. A well-secured protocol is only as strong as its weakest link—combining cutting-edge security infrastructure with robust cybersecurity awareness will be key to reducing future attack success rates.
By strengthening security partnerships, fostering regulatory alignment, and equipping teams with both the tools and knowledge to combat threats, the Web3 industry can build a more resilient digital ecosystem. These efforts are not only critical for protecting user funds and protocol integrity, but also for establishing long-term trust in decentralized finance, digital ownership, and blockchain-based financial infrastructure.