The Business & Technology Network
Helping Business Interpret and Use Technology

MyETHMeta: Your Web3 Profile, and Much More

DATE POSTED: January 3, 2025

The QuillAudits 2024 Web3 Security Report: Breaking Rugs unveils a reality that feels straight out of Breaking Bad — where innovation thrives alongside chaos and epic heists.

In 2024, the Web3 landscape saw $2.1 billion vanish in hacks, scams, and rug pulls, a stark reminder of the vulnerabilities still haunting the space. Access control exploits emerged as the Walter White of the ecosystem, responsible for $1.63 billion in losses — an eye-watering 78% of all hacks this year.

Let’s dive into the Breaking Rugs: 2024 Security Report for a closer look at Web3’s most turbulent year yet.

Spoiler alert: This might make you rewatch season 1 of Breaking Bad.

$2.1B Lost: Walter White, Is That You?

In 2024, the Web3 space bore witness to staggering losses as $2.1 billion disappeared in hacks, scams, and rug pulls, marking another turbulent year for blockchain security.

This isn’t just a number; it’s a harsh reality check for a sector that’s still grappling with its Achilles’ heels.

The worst of it came in May, a month that will go down in infamy as the bloodiest of the year.

In just 31 days, $350 million was wiped out across 17 incidents.

That’s an average of over $11 million lost per day, a grim record for 2024 and a stark reminder of the high stakes in Web3.

As expected, Ethereum, the undisputed king of blockchains, bore the brunt of the action.

With 100 incidents, the most on any chain, it racked up losses totaling $465 million, making it the biggest target for hackers and bad actors.

Ethereum’s vast ecosystem, despite its innovation, remains a double-edged sword, offering opportunities for both builders and exploiters.

The largest heists of the year read like a rogue’s gallery of criminal masterminds:

But if Ethereum bore the weight of high-profile hacks, Solana took on a different and equally concerning role.

The blockchain became a hotspot for rug pulls, especially on platforms tied to the explosive rise of memecoins.

Case in point: Pump.fun, a memecoin platform that left its users anything but amused.

While some made generational wealth, most of the degens got their ass kicked.

Solana has often been touted as a rising star for its speed and low fees, but these qualities also make it fertile ground for opportunistic developers with malicious intent.

The numbers tell a tale of a sector under siege, but they also highlight where the vulnerabilities lie.

Rug pulls on Solana, major heists on Ethereum, and glaring lapses in centralized platforms like WazirX paint a picture of an ecosystem still learning to defend itself.

Access Control Exploiters were like SAY MY NAME!

If one villain is running the crypto underworld in 2024, it’s access control exploits, the Heisenberg of Web3 security.

These vulnerabilities reigned supreme, snatching a staggering $1.73 billion in losses. That’s 78% of all crypto hacks this year, a figure that cements access control as the most dangerous Achilles’ heel in the ecosystem.

Think about that for a moment: nearly four out of five dollars lost in Web3 this year can be traced back to weak access control.

It’s the single biggest reason why platforms bled funds in 2024.

Major names fell victim, with Ethereum’s Playdapp hack leading the charge at a jaw-dropping $290 million in losses.

Even smaller incidents like Ronin Network’s $12.2 million breach added fuel to the fire, proving that no platform is immune when access control falls short.

And it’s not just about isolated incidents; it’s systemic.

In DeFi alone, $219 million was drained across H1 and H2, solely due to access control vulnerabilities.

The trend was clear: whether it’s the first half of the year or the second, these exploits continued to cripple the ecosystem.

The numbers aren’t just alarming; they’re a testament to the industry’s failure to implement even the most basic safeguards.

But why is access control such a weak spot?

Well, these breaches exploit the very mechanisms that allow users, developers, and platforms to interact securely.

When those mechanisms are poorly designed or implemented, attackers get free rein to drain wallets, manipulate protocols, and wreak havoc.

And it’s not just the platforms that suffer; the ripple effect damages trust in the entire ecosystem.

Beyond Playdapp, incidents like Gala Games losing $22.3 million showcased how even well-known projects can falter under weak access control measures.

Add in Ronin Network’s breach, and you’ve got over $324 million lost in just three hacks, all tied to the same vulnerability.

The problem isn’t confined to DeFi, either. CeFi platforms were hit hard, too.

With access control weaknesses being a primary culprit, CeFi losses doubled from $339 million in 2023 to $694 million in 2024, marking a sharp contrast to the relatively improved security trends in DeFi, where overall losses dropped by 39%.

Access control isn’t just a technical issue; it’s a critical failing that spans the entire Web3 landscape.

DeFi Improves While CeFi Crumbles: The Cousins?

2024 brought a mixed bag of security stories for Web3, with DeFi showing signs of progress while CeFi tumbled into chaos.

For the decentralized finance sector, it was a rare win.

Yes, rare.

Total losses dropped by 39% compared to 2023, shrinking from $653 million to $477 million.

This decline reflects a maturing ecosystem that’s starting to take security more seriously.

From enhanced audit practices to smarter contract designs, DeFi projects seem to be learning from past mistakes.

Take bridge hacks, for example, once the poster child for catastrophic failures in DeFi.

These exploits have been on a steady decline, dropping by a massive 94% since 2022 and another 70% from 2023.

Improved multi-signature mechanisms, stronger governance, and the adoption of advanced cryptographic techniques have made bridges far less attractive targets for attackers.

It’s a positive signal that decentralized protocols are no longer sitting ducks for cybercriminals.

But the narrative shifts dramatically when we turn to CeFi.

In stark contrast to DeFi’s cautious optimism, CeFi losses more than doubled, skyrocketing from $339 million in 2023 to a staggering $694 million in 2024.

That’s nearly one-third of all crypto incidents this year, a glaring indictment of the vulnerabilities that still plague centralized platforms.

While DeFi seems to be shedding its “wild west” reputation, CeFi is becoming the new battleground for hackers.

But what went wrong, though? The answer lies in a mix of complacency and outdated security architectures.

The massive amounts of funds concentrated in a single location make these platforms irresistible targets for attackers, who often exploit access control failures, poor key management, or insider threats.

Even the biggest players weren’t safe. Incidents like the $300 million DMM Bitcoin hack, the $230 million breach at WazirX, and countless smaller attacks exposed just how fragile CeFi can be.

The industry’s over-reliance on centralized solutions has created a single point of failure, and bad actors are cashing in big time.

If CeFi doesn’t learn from its mistakes, it risks becoming the weak link in the Web3 revolution.

And as the numbers show, that’s a cost no one can afford.

It’s Not All Games and… Metaverse? Or Is It?

In 2024, the gaming and metaverse sectors cemented their place in the Web3 ecosystem, but at a significant cost.

Together, they accounted for a staggering 17% of total losses, a reflection of both their growing popularity and their increasing susceptibility to hacks and scams.

As these sectors push boundaries with innovative blockchain applications, they’ve also become ripe hunting grounds for bad actors looking to exploit the buzz.

Gaming, in particular, faced an onslaught of vulnerabilities.

Projects rushing to capture market share often prioritized flashy mechanics over robust security, leaving the door wide open for exploiters.

The metaverse, still in its early days of mainstream adoption, also fell victim to its own set of unique challenges.

The interconnected nature of virtual worlds, where one breach could cascade across multiple assets and environments, made the metaverse ecosystem particularly vulnerable.

Well Now Someone Has Gotta Clean Up The Mess

Amid the whirlwind of losses, there’s a silver lining: innovation in Web3 security is catching up to the threats.

The Breaking Rugs report isn’t just a highlight reel of what went wrong — it also showcases tools like QuillShield and QuillCheck, alongside the unparalleled expertise of the QuillAudits team, who have completed over 1,000 audits, secured $30B in assets, and reviewed more than 1 million lines of code with a flawless record.

These AI-powered solutions are reshaping how the industry tackles security challenges:

  • QuillShield stands out with its automated vulnerability detection and red-teaming capabilities. By identifying weaknesses before attackers can, it provides projects with a much-needed early warning system and even fixes. Its focus on making DevSecOps accessible ensures that even smaller teams can deploy enterprise-grade security measures without breaking the bank.
  • QuillCheck, on the other hand, specializes in risk assessments and security audits. Leveraging AI to perform thorough and unbiased analyses, it helps teams build trust with their communities by proving their commitment to safety.

In an industry where a single exploit can erase years of progress, tools like QuillCheck are invaluable. Together, these innovations are moving Web3 security from a reactive to a preventative mindset.

But tools alone aren’t enough. It’s the expertise and dedication of the QuillAudits team that truly sets the standard. Their efforts, particularly through the QuillAI Network, powered by EigenLayer AVS, demonstrate how decentralized AI tools can integrate seamlessly into the ecosystem — not just to detect vulnerabilities but to redefine how Web3 security operates.

What Does This Mean for Web3?

The Breaking Rugs report paints a vivid picture of a rapidly evolving ecosystem: one that’s simultaneously becoming more secure and more dangerous.

DeFi is learning from its mistakes, bridges are getting safer, but centralized platforms and weak access controls remain major liabilities.

As the space matures, the focus has to shift from reactive to proactive security. Tools like QuillShield and QuillCheck, backed by the unmatched expertise of QuillAudits, are leading the charge — but mass adoption is crucial.

Because in this world, you’re either building the solution or becoming part of the problem.

Want the full scoop?

Download the Breaking Rugs: The State of Web3 Security in 2024 Report now and get the edge you need to stay ahead of the curve.

Breaking Rugs: The state of Web3 Security Report was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.