Preface
In the wave of the digital economy, Web3 blockchain technology, with its decentralization and transparency, has built a new system of trust and value circulation. However, as the Web3 ecosystem has grown, security threats have kept pace with it and continue to strike this emerging field. This article analyzes the security situation of Web3 blockchain in the first half of 2025, identifies the main risks, and discusses countermeasures.
I. Web3 Security Overview in the First Half of 2025
In the first half of 2025, there were 87 major security incidents in the Web3 blockchain field. The economic losses caused by hacker attacks, phishing scams and project-party Rug Pulls reached 2.29 billion US dollars, exceeding the total for the whole of 2024. Of this, the total loss from Rug Pulls was about 3.2 million US dollars and the total loss from phishing scams was about 41.38 million US dollars. February and May were the peak months for losses: in February, the theft from the Bybit exchange alone pushed the monthly loss above 1.45 billion US dollars, and in May the Cetus Protocol attack caused a loss of 223 million US dollars. Excluding these two extreme events, the remaining attacks averaged about 3.5 million US dollars per incident, indicating that the industry's baseline security risk remains high.
II. Review of security incidents in the first half of 2025
Web3 security incidents in the first half of 2025 were marked by increasingly professional attack methods and losses concentrated in a few incidents. The Bybit and Cetus Protocol incidents alone accounted for 72% of total losses, highlighting the vulnerability of centralized exchanges and DeFi protocols. Smart contract vulnerabilities (such as permission-control defects and flaws in mathematical functions) remain the main attack entry points, while cross-chain operations and oracle mechanisms have become new risk points.
Security incident review
1. Bybit cold wallet attack incident
• Loss amount: $1.45 billion (about 102,000 ETH)
• Attack method: phishing attack + smart contract permission control vulnerability
• Event details: On February 21, while the Bybit cold wallet was performing a routine fund transfer, tampered front-end code redirected ETH worth $1.45 billion to an address controlled by the attackers. The attack exposed the trust risk of centralized exchanges relying on third-party wallet tools, as well as the security risks of static resource hosting. After the incident, Bybit suspended all on-chain operations, initiated asset-freezing procedures, and cooperated with law enforcement agencies to track the flow of funds. The incident not only severely damaged user trust but also triggered widespread market doubts about the security of multi-signature mechanisms.
2. Cetus Protocol smart contract attack
• Loss amount: US$223 million (including US$162 million in frozen assets)
• Attack method: mathematical function overflow vulnerability + flash loan manipulation
• Event details: On May 22, Cetus Protocol, the largest DEX on the Sui chain, was attacked, and the attackers drained its core liquidity pools within a few hours. The attack caused the price of SUI to fall by 7%, and the market value of related meme tokens (such as Bulla) evaporated by more than 90%. Cetus urgently froze $162 million in assets and offered a $6 million bounty for the return of part of the stolen funds, but $60 million was still laundered through a cross-chain bridge. The attack revealed the lack of experience of DeFi projects on emerging public chains in designing complex financial models.
3. Nobitex exchange attack
• Loss: Approximately $90 million
• Attack method: Cyber espionage + private key theft
• Event details: On June 18, an Israeli-linked group attacked Nobitex, Iran's largest cryptocurrency exchange, and transferred user assets after stealing private keys. The attack may have involved intelligence gathering; Israel subsequently arrested three people suspected of espionage for Iran, two of whom had received cryptocurrency as payment. Chainalysis noted that Nobitex is an important hub in Iran's sanctioned crypto ecosystem, and the incident highlights the impact of geopolitics on Web3 security.
4. UPCX smart contract attack
• Loss: Approximately $70 million
• Attack method: Unauthorized contract upgrade
• Event details: On April 1, an unauthorized upgrade was pushed to the DeFi protocol UPCX through its ProxyAdmin contract. The attacker then called the withdrawByAdmin function to transfer 18.4 million UPC (worth $70 million) out of three management accounts. After the funds were moved to an address beginning with 0xFf7, no further operations were performed. The UPCX team confirmed the incident and investigated jointly with security firms, but as of June the funds had not been recovered.
5. Infini Permission Vulnerability Incident
• Loss: Approximately $49.5 million
• Attack method: Permission management vulnerability
• Event details: On February 24, a former team member used retained administrative authority to modify contract parameters directly and stole all USDC in the fund pool (11.45 million + 38.06 million) in two batches, converted it into 17,696 ETH and moved it through a mixer. The Infini team promised to fully compensate users within 48 hours and to upgrade its multi-signature cold wallet system. The funds have not been recovered so far.
6. Cork Protocol contract vulnerability incident
• Loss amount: about $12 million (3,762 wstETH)
• Attack method: Contract logic loophole (false market manipulation)
• Event details: On May 28, the attacker exploited a vulnerability in Cork Protocol's Depeg Swap mechanism to create a fake market and manipulate liquidity, stealing 3,762 wstETH (worth $12 million) and then exchanging it for 4,530 ETH. The team urgently suspended all contracts and launched an investigation, but the funds have not yet been recovered.
7. zkLend smart contract attack
• Loss amount: Approximately $8.5 million
• Attack method: integer overflow vulnerability
• Event details: In February, zkLend, a DeFi protocol on the Starknet chain, was repeatedly drained of liquidity pool funds through a rounding vulnerability in the division routine of its safeMath library, losing a total of 3,300 ETH (about 8.5 million US dollars). The project proposed a settlement under which the attacker would keep 10% of the funds as a white-hat bounty, but the attacker did not respond. zkLend ultimately reported the case to law enforcement and is monitoring the flow of funds, but the likelihood of recovery is low.
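The zkLend entry attributes the loss to rounding in a division routine. The following is an added example, not code from zkLend or from this report: a share-accounting model for a lending pool in which every division rounds against the caller, plus a solvency invariant a defender would assert in tests. The class and function names, and the pool figures in the usage call, are hypothetical.

```python
# Added example (not from the report): exact integer share accounting for a
# lending pool. Each conversion rounds against the caller, so accumulated
# rounding error can only favour the pool, never a depositor.

def mul_div_down(a: int, b: int, d: int) -> int:
    """floor(a * b / d) in exact integer arithmetic (Solidity-style)."""
    return (a * b) // d

def mul_div_up(a: int, b: int, d: int) -> int:
    """ceil(a * b / d) in exact integer arithmetic."""
    return -((-(a * b)) // d)

class LendingPool:
    def __init__(self) -> None:
        self.total_assets = 0
        self.total_shares = 0
        self.shares: dict[str, int] = {}

    def accrue_interest(self, amount: int) -> None:
        self.total_assets += amount  # skews the share/asset ratio

    def deposit(self, user: str, assets: int) -> int:
        # Shares minted round DOWN: depositor never gets more than pro rata.
        if self.total_shares == 0:
            minted = assets
        else:
            minted = mul_div_down(assets, self.total_shares, self.total_assets)
        self.total_assets += assets
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, 0) + minted
        return minted

    def withdraw(self, user: str, assets: int) -> int:
        # Shares burned round UP: withdrawer always pays for what is taken.
        burned = mul_div_up(assets, self.total_shares, self.total_assets)
        if burned > self.shares.get(user, 0) or assets > self.total_assets:
            raise ValueError("insufficient shares or pool assets")
        self.shares[user] -= burned
        self.total_shares -= burned
        self.total_assets -= assets
        return burned

    def max_withdraw(self, user: str) -> int:
        # Redeemable assets round DOWN.
        if self.total_shares == 0:
            return 0
        return mul_div_down(self.shares.get(user, 0), self.total_assets, self.total_shares)

def solvency_holds(pool: LendingPool) -> bool:
    """Invariant: paying every holder max_withdraw never exceeds pool assets."""
    return sum(pool.max_withdraw(u) for u in pool.shares) <= pool.total_assets

def round_trip_gain(pool: LendingPool, user: str, assets: int) -> int:
    """Deposit, then withdraw the maximum; with safe rounding this is <= 0."""
    pool.deposit(user, assets)
    out = pool.max_withdraw(user)
    pool.withdraw(user, out)
    return out - assets
```

Flipping either rounding direction (minting shares with `mul_div_up`, or computing `max_withdraw` with `mul_div_up`) is the kind of defect that makes `solvency_holds` fail after a skewed ratio, which is what a property test over random deposit and withdraw sequences should catch before deployment.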
III. Types of projects attacked in the first half of 2025
In the first half of 2025, security incidents in the Web3 field were concentrated in a few project types and polarized in loss scale. By target, cryptocurrency exchanges suffered the highest losses by a wide margin, followed by DeFi protocols.
1. Centralized Exchange (CEX)
• Loss: 6 attacks in total, total loss of $1.591 billion, accounting for 74.4% of all attack losses
• Biggest event: Bybit was stolen for $1.44 billion (Safe wallet front-end was tampered with)
• Other cases: Nobitex ($90 million), Phemex ($70 million)
2. DeFi Protocol
• Loss amount: approximately $324 million (15.1%)
• Biggest event: Cetus Protocol (Sui Ecosystem DEX) lost $224 million
• Other cases: Abracadabra Finance ($13 million), Cork Protocol ($12 million)
3. Crypto Payment Platform
• Loss amount: Approximately $120 million (2 incidents)
4. Other types (cross-chain bridges, browsers, Memecoin, etc.)
• Smaller loss per incident, but a larger number of attacks
IV. Attack methods in the first half of 2025
Smart Contract Vulnerabilities
In the first half of 2025, smart contract vulnerabilities were the biggest threat to Web3 security, accounting for 60% (12 incidents) of all attacks and causing losses of $1.78 billion (80%). Code defects such as permission flaws and mathematical overflows occur frequently, and attackers often bypass risk controls through phishing websites and signature deception. In the most serious case, the Bybit incident, the attackers combined phishing with a contract permission vulnerability to steal 401,000 ETH (worth $1.46 billion), the largest single-attack loss in Web3 history, highlighting the major security risks in smart contract permission management and multi-signature mechanisms.
Phishing Attacks
Phishing attacks accounted for 25% (over 200) of security incidents in 2025, causing $400 million in losses (16%). Attackers steal assets through social engineering such as fake airdrops and look-alike platforms, and the loss per transaction is usually between $100,000 and $1 million. A typical case is a phishing incident in a DeFi project's Discord group that resulted in the theft of $2.3 million, highlighting that users' awareness of these threats still needs to be strengthened.
Other attack methods
Other attack methods (30 incidents, accounting for 15%) caused $320 million in losses, mainly including:
• Oracle manipulation (e.g. KiloEx lost $7.4 million)
• Cross-chain bridge vulnerability
• Social Engineering Attacks
A typical case is the attack on Iran's Nobitex exchange (US$82 million), in which the attackers destroyed assets after stealing private keys, highlighting how national-level security threats compound cross-chain protocol risks.
V. Summary of the Web3 blockchain security situation in the first half of 2025
In the first half of 2025, Web3 blockchain security was characterized by frequent attacks, a wide range of affected project types, and complex and varied attack methods. Cryptocurrency exchanges, DeFi projects, and emerging Web3 application platforms were the hardest hit, and smart contract vulnerability exploits and phishing were the main means of attack, causing huge economic losses and shaking trust across the industry.
Looking ahead, the Web3 blockchain industry needs the concerted efforts of multiple parties to address these security challenges. Project teams should strengthen the security auditing and testing of smart contracts, improve code quality, and build out their security protection systems; investors need to raise their risk awareness, approach investment projects with caution, and improve their ability to recognize phishing and other fraud; regulators should further improve relevant laws and policies, standardize industry development, and step up enforcement against illegal and criminal activity; and security technology companies should continue to innovate and develop more advanced protection technologies and solutions to safeguard the healthy development of the Web3 blockchain ecosystem. Only in this way can Web3 blockchain technology continue to innovate on a secure footing and release its full value.