Welcome back to our monthly Web3 security recap, a regular update spotlighting the latest hacks, exploits and vulnerabilities in the crypto landscape from the past month to help raise awareness of the security risks within Web3. These reports also emphasize our belief that the industry needs more, and better options for users, which include our Haven1 ecosystem—a REKT-resistant multi-app blockchain that’s meticulously designed to protect you from onchain scams, hacks and rug-pulls.

October might not have broken records, but the hacks that did occur were high-stakes and underscored some serious vulnerabilities. 

North Korean Lazarus hack on Tapioca DAO

There’s been a lot of focus on how North Korea mobilizes its hacker army to attack crypto companies—Coindesk has a great feature exploring this topic in detail—and we got a reminder last month.

Tapioca DAO lost more than $4.5 million after it was hit by what it claims was a North Korean unit, known as Lazarus. The attackers compromised a senior Tapioca developer through a series of fake interviews, through which the person downloaded software that allowed Lazarus to access their private keys.

That’s already bad, but things were worse for Tapioca because the victim had admin controls for two token contracts, which Lazarus members used to mint new tokens and drain two liquidity pools. Had the Tapioca developer followed security protocol and shifted the admin controls to a multisignature wallet—which would require multiple members to approve changes—this incident wouldn’t have happened, or at least Lazarus would have needed to compromise more members of the Tapioca team.

Kudos to the Tapioca team, though, for its full and uncomfortable recap of exactly what happened.

Mystery hack on US Govt. wallet holding $20 million in crypto

Speaking of governments, here’s a bizarre story about a US government wallet that was hacked for around $20 million in tokens—only to end with most of the funds being returned.

A wallet that’s controlled by the US government, which houses $20 million recovered from the Bitfinex hack in 2016, was hit by a mystery attacker who stole the funds. Strangely, most of the money, minus $1.2 million, was returned to the wallet the very next day.

Blockchain allows us to look at money transfers and hacks at a level that’s not possible in traditional finance, but it doesn’t give us answers—who knows what happened with this US government wallet!

One of the “most sophisticated” Web3 attacks yet

There was yet more mystery with a hack on DeFi project Radiant Capital last month which is being labeled one of the most “sophisticated” attacks ever seen in Web3.

Radiant lost $50 million to the incident, which it says came about after the hardware wallets belonging to at least three employees were compromised using “a sophisticated malware injection.”

“The devices were compromised in such a way that the front-end of Safe {Wallet} (f.k.a. Gnosis Safe) displayed legitimate transaction data while malicious transactions were signed and executed in the background,” Radiant explained in a post mortem report.

In other words, the attackers had somehow manipulated these hardware wallets—the safest method for fortifying access to a crypto wallet—so that they ran a decoy display which meant that the user couldn’t see that they had been compromised.

So when these Radiant contributors thought they were signing transactions they’d initiated, they were actually authorizing the malicious transactions, which were going undetected even despite multiple layers of verification being required to complete them.

Radiant has since increased its checks and doubled its verification but the attack raises worrying at how the intruder was able to manipulate hardware wallets and bypass security software.

Other noteworthy incidents

In other hack news worth highlighting include:

• Tokenized gold market on Morpho lost $230K after an Oracle misconfiguration mishap‍
• A crypto whale lost $35M after a phishing attack compromised their wallet

- In proof that any attack can be crypto-motivated, the Lego website was hacked and defaced to promote a scam coin but it doesn’t appear that anyone fell victim to it

For further reading: Crypto hacks surge to $2.1B in 2024, CeFi hit hardest

Be part of the REKT-Resistance

October’s incidents serve as another reminder of the need for comprehensive security in Web3. As hacks and scams continue to target both high-profile and niche players, Haven1 remains committed to making Web3 by setting network-wide security standards that offer users true peace-of-mind. 

Stay safe out there, and make sure to sign up to the Haven1 testnet at haven1.org.