cryptopotato

Access Control Vulnerabilities Cause $1.7B in Losses Across CeFi, DeFi, and Gaming

Access control vulnerabilities have emerged as the leading cause of crypto hack losses in 2024, accounting for a whopping 75% of total damages across decentralized finance (DeFi), centralized finance (CeFi), and gaming/metaverse sectors, excluding phishing attacks.

According to Hacken, this marks a significant increase from 50% in 2023, with losses tied to unauthorized access and private key theft surging to $1.7 billion, up from less than $1 billion the previous year. In contrast, exploits targeting smart contract vulnerabilities contributed just 14% of total losses.

Access Control Exploits Surge in 2024

Hacken’s report revealed that access control attacks were particularly pervasive across all categories of Web3 in 2024, with CeFi, DeFi, and gaming/metaverse projects being severely impacted. In CeFi, major incidents at DMM Exchange and WazirX resulted in combined losses exceeding $500 million. The DeFi sector also suffered from compromised smart contract management, as seen in the Radiant Capital hack, which caused $55 million in losses.

The gaming/metaverse space faced significant damage too, exemplified by the $290 million PlayDapp exploit. At the core of these attacks was private key compromise, stemming from weak key management practices, social engineering, and insecure backup methods.

To safeguard against these threats, Hacken outlined that businesses must implement advanced multisig management, automated incident response, and adhere to the Cryptocurrency Security Standard (CCSS) to ensure stronger private key security and reduce operational vulnerabilities across Web3.

DeFi Losses Drop But Gaming and Metaverse Still Struggling

The DeFi sector saw a notable reduction in total losses in 2024 compared to the previous year. While DeFi-related losses in 2023 climbed to $787 million, the 2024 figure saw a 40% reduction, which can largely be attributed to improved security measures across the sector, most notably within decentralized bridges.

In 2024, DeFi witnessed the improvement of cross-chain operability, which played a crucial role in mitigating bridge exploits. As bridges have historically been top targets for hackers, the reduction in losses – $338 million in 2023 compared to just $114 million in 2024 – demonstrated the growing effectiveness of new security protocols.

The report pointed to tools like Multi-Party Computation (MPC) and Zero-Knowledge (ZK) cryptography, which have become essential for bridge developers, improving security and making attacks less impactful. These advancements have significantly reduced the frequency and severity of exploits targeting cross-chain bridges.

The same can’t be said for the gaming and metaverse sectors, which experienced significant losses. In 2024, this cohort of Web3 recorded $389 million in losses, which accounted for nearly 20% of all crypto hacks. A large portion of these losses stemmed from access control vulnerabilities.

Three major incidents were responsible for $358 million of the total losses, which made up more than 80% of the gaming and metaverse hacks for the year. The concentration of these losses in Q1 emphasized the difficulty these projects face in securing access management, particularly on newer platforms like Blast, which also encountered multiple rug pulls.
