September 2024 was a brutal month for the crypto space. We saw over 20 hacks, and the total losses? A staggering $120 million+. If that doesn’t make you double-check your security measures, I don’t know what will. Let’s dive into some of the major incidents and see where things went wrong.
First up is BingX, a crypto exchange based in Singapore. On September 20th, they got hit hard. Initially, it looked like a $13 million outflow, but further checks showed losses between $44-$52 million. The exchange claimed they would cover all user losses and described the incident as “minor.” If this is minor to them, I’d hate to see what’s classified as major.
Then we have Penpie, which lost about $27 million on September 3rd. The attacker exploited a reentrancy vulnerability to manipulate the platform's reward system and walked away with over 11k ETH. What’s more interesting? The person suspected of the Euler hack congratulated him on Twitter! Just goes to show how interconnected these incidents can be.
Finally, Indonesia's largest crypto exchange Indodax got hit for about $21 million. The hacker breached their withdrawal system and made off with BTC, TRX, MATIC, and SHIB. This one really shows how crucial it is for exchanges to have top-notch security protocols in place.
And it wasn’t just these three that got hit. DeltaPrime lost nearly $6 million; Truflation was hit for $5.6 million; Onyx lost around $3.8 million (they had another breach last year too); and even smaller platforms like BananaGun and Bedrock suffered losses of around $4 million combined.
So where do we go from here? Smart contract audits are supposed to catch this stuff before it happens. But clearly something isn’t working because these hacks keep happening.
Audits involve code reviews and various testing methods designed to find vulnerabilities before bad actors do. And while they’ve proven effective in some cases (looking at you MakerDAO), recent history suggests we need something more comprehensive.
Frequent hacks are damaging crypto’s reputation faster than any FUD campaign could hope to achieve. They erode user trust and confidence in exchanges—especially when so many are getting hit—and without that trust there’s no market stability.
It seems clear at this point that we need better solutions than what we currently have… or at least better implementations of those solutions.
