*This report is co-produced by Beosin and Footprint Analytics. Reply "2025" in the WeChat public account backend to obtain the full report.

*This article is the 2025 Web3 Security Situation Report. We will release reports on virtual asset anti-money laundering compliance and more in the future. Please continue to follow the Beosin WeChat public account.

Introduction

This research report is initiated by the Blockchain Security Alliance and co-created by alliance members Beosin and Footprint Analytics. It aims to comprehensively explore the global blockchain security situation in 2025. Through analysis and assessment of the current state of blockchain security worldwide, the report will reveal the security challenges and threats faced today, and provide solutions and best practices. Blockchain security and regulation are key issues in the development of the Web3 era. Through in-depth research and discussion in this report, we can better understand and address these challenges to promote the security and sustainable development of blockchain technology.

1. Overview of the Web3 Blockchain Security Situation in 2025

According to monitoring by Beosin's Alert platform, a blockchain security and compliance technology company, the total losses in the Web3 sector due to hacker attacks, phishing scams, and project Rug Pulls reached $3.375 billion in 2025. There were a total of 313 major blockchain security incidents, including 191 hacker attacks with total losses of approximately $3.187 billion; project Rug Pull incidents caused total losses of about $11.5 million; and there were 113 phishing scams with total losses of approximately $177 million.

The losses in Q1 2025 were the most severe, with the majority of losses stemming from the Bybit hacking incident. The amount lost due to hacker attacks has continued to decline each quarter, but has significantly increased compared to 2024, with a growth rate of 77.85%; losses from phishing scams and project Rug Pull incidents have significantly decreased compared to 2024, with phishing scam losses dropping by approximately 69.15% and Rug Pull losses decreasing by about 92.21%.

The types of projects attacked in 2025 include various categories such as DeFi, CEX, public chains, cross-chain bridges, NFT, Memecoin trading platforms, wallets, browsers, third-party code packages, infrastructure, and MEV bots. DeFi remains the most frequently attacked project type, with 91 attacks resulting in losses of approximately $621 million. CEX has the highest total loss amount among project types, with 9 attacks resulting in losses of about $1.765 billion, accounting for 52.30% of the total loss amount.

In 2025, Ethereum remains the public chain with the highest loss amount, with 170 security incidents on Ethereum causing losses of approximately $2.254 billion, accounting for 66.79% of the total losses for the year.

In terms of attack methods, the Bybit incident caused losses of approximately $1.44 billion due to a supply chain attack, accounting for 42.67% of the total losses, making it the most damaging attack method. Additionally, contract vulnerability exploitation is the most frequently occurring attack method, with 62 out of 191 attack incidents stemming from contract vulnerabilities, accounting for 32.46%.

2. Top 10 Security Incidents of 2025

In 2025, there were 3 security incidents with losses exceeding $100 million: Bybit ($1.44 billion), Cetus Protocol ($224 million), and Balancer ($116 million), followed by Stream Finance ($93 million), BTC Whale ($91 million), Nobitex ($90 million), Phemex ($70 million), UPCX ($70 million), Ethereum users ($50 million), and Infini ($49.5 million).

Unlike previous years, this year’s top 10 security incidents included 2 cases of significant losses for individual users, with the losses attributed to social engineering/phishing attacks. Although such attacks are not the most damaging in terms of loss amount, their frequency has been on the rise each year, becoming a major threat faced by individual users.

*Details of the top 10 security incidents can be found in the full report.

3. Types of Attacked Projects

Centralized exchanges have the highest loss amount among project types

The project type with the highest losses in 2025 was centralized exchanges, with 9 attacks on centralized exchanges resulting in losses of approximately $1.765 billion, accounting for 52.30% of the total loss amount. The exchange with the largest loss was Bybit, with losses of about $1.44 billion. Other exchanges with significant losses include Nobitex (approximately $90 million), Phemex (approximately $70 million), BtcTurk ($48 million), CoinDCX ($44.2 million), SwissBorg ($41.3 million), and Upbit ($36 million).

DeFi is the project type with the highest frequency of attacks, with 91 attacks on DeFi resulting in losses of approximately $621 million, ranking second in terms of loss amount. Among them, Cetus Protocol was hacked for approximately $224 million, accounting for 36.07% of the stolen funds in DeFi. Balancer lost about $116 million, while other DeFi projects with significant losses include Infini (approximately $49.5 million), GMX (approximately $40 million), Abracadabra Finance ($13 million), Cork Protocol (approximately $12 million), Resupply (approximately $9.6 million), zkLend (approximately $9.5 million), Ionic (approximately $8.8 million), and Alex Protocol (approximately $8.37 million).

4. Loss Amounts by Chain

Ethereum is the chain with the highest loss amount and the most security incidents

As in previous years, Ethereum remains the public chain with the highest loss amount and the most security incidents. The 170 security incidents on Ethereum caused losses of approximately $2.254 billion, accounting for 66.79% of the total losses for the year.

The second-ranked public chain in terms of the number of security incidents is BNB Chain, with 64 security incidents resulting in losses of approximately $89.83 million. BNB Chain has a high number of on-chain attacks, but the loss amount is relatively small, yet compared to 2024, both the number of security incidents and the loss amount have significantly increased, with the loss amount increasing by 110.87%.

Base ranks third in terms of the number of security incidents, with a total of 20 incidents. Solana follows closely with 19 security incidents.

5. Analysis of Attack Methods

Contract vulnerability exploitation is the most frequently occurring attack method

Out of 191 attack incidents, 62 were due to contract vulnerability exploitation, accounting for 32.46%, with total losses reaching $555.6 million, making it the second most damaging type of attack after the Bybit supply chain attack.

In terms of specific contract vulnerabilities, the most damaging vulnerability was the business logic flaw, with total losses amounting to $464 million. The top three contract vulnerabilities by occurrence were business logic flaws (53 incidents), access control flaws (7 incidents), and algorithm defects (5 incidents).

This year, there were a total of 20 private key leakage incidents, with total losses of approximately $180 million, significantly decreasing in both occurrence and loss amount compared to last year. Exchanges, project teams, and users have improved their awareness of private key protection.

6. Analysis of Typical Security Incident Attacks

6.1 Analysis of the Cetus Protocol $224 Million Security Incident

Incident Overview

On May 22, 2025, the DEX Cetus Protocol on the Sui ecosystem was attacked, with the vulnerability stemming from an implementation error in the left shift operation in the open-source library code. Taking one of the attack transactions (https://suivision.xyz/txblock/DVMG3B2kocLEnVMDuQzTYRgjwuuFSfciawPvXXheB3x?tab=Overview) as an example, the simplified attack steps are as follows:

1. Enable flash loan: The attacker borrowed 10 million haSUI through a flash loan.

2. Create liquidity position: A new liquidity position was opened with a price range of [300000, 300200].

3. Increase liquidity: Only 1 unit of haSUI was used to increase liquidity, but it gained a liquidity value of up to 10,365,647,984,364,446,732,462,244,378,333,008.

4. Remove liquidity: Immediately remove liquidity from multiple transactions to deplete the liquidity pool.

5. Repay flash loan: Repay the flash loan and retain approximately 5.7 million SUI as profit.

Vulnerability Analysis

The root cause of this attack lies in the incorrect implementation of checkedshlw in the getdelta_a function, leading to a failure in overflow checks. The attacker only needed a small amount of tokens to exchange for a large amount of assets in the liquidity pool, thus executing the attack.

As shown in the figure, checkedshlw is used to determine whether left-shifting a u256 number by 64 bits will cause an overflow. Input values less than 0xffffffffffffffff 192 can bypass the overflow check, but the input value may exceed the maximum value of u256 (overflow) after being left-shifted by 64 bits, while checkedshlw will still output that no overflow has occurred (false). As a result, subsequent calculations will severely underestimate the required amount of tokens.

Additionally, in Move, the safety of integer operations is designed to prevent overflow and underflow, as these can lead to unexpected behavior or vulnerabilities. Specifically, if the result of addition and multiplication is too large for the integer type, the program will terminate. If the divisor is zero, the division will terminate.

The uniqueness of left-shifting is that it does not terminate when an overflow occurs. This means that even if the number of shifted bits exceeds the storage capacity of the integer type, the program will not terminate, potentially leading to erroneous values or unpredictable behavior.

6.2 Analysis of the $116 Million Balancer Security Incident

On November 3, 2025, the Balancer v2 protocol was attacked, resulting in losses of approximately $116 million across multiple projects, including its forked protocols, on various chains. Taking the attack transaction by the attacker on Ethereum as an example: 0x6ed07db1a9fe5c0794d44cd36081d6a6df103fab868cdd75d581e3bd23bc9742

1. The attacker first initiated the attack transaction through the batch swap function, using a large amount of BPT to exchange for liquidity tokens from the pool, causing the liquidity token reserves of the pool to become very low.

2. The attacker then began swapping liquidity tokens (osETH/WETH).

3. The attacker then swapped the liquidity tokens back to BPT tokens and repeatedly performed the above operations across multiple pools.

4. Finally, the attacker withdrew the funds to realize profits.

Vulnerability Analysis

ComposableStablePools uses Curve's StableSwap invariant formula to maintain price stability between similar assets. However, scaling operations during invariant calculations introduce errors.

The mulDown function performs integer division with rounding down, and this precision error propagates into the invariant calculations, leading to an abnormal reduction in calculated values, thus creating profit opportunities for the attacker.

7. Analysis of Typical Anti-Money Laundering Cases

7.1 U.S. Sanctions Against Drug Trafficking Group Led by Ryan James Wedding

According to information disclosed by the U.S. Department of the Treasury, Ryan James Wedding and his team smuggled several tons of cocaine through Colombia and Mexico to the United States and Canada. Their criminal organization used cryptocurrency for money laundering to clean large amounts of illegal wealth.

Using Beosin's on-chain tracking and investigation tool, Beosin Trace, an analysis of cryptocurrency addresses associated with Wedding's drug trafficking group was conducted, with the results shown below:

The three addresses held by Wedding, TAoLw5yD5XUoHWeBZRSZ1ExK9HMv2CiPvP, TVNyvx2astt2AB1Us67ENjfMZeEXZeiuu6, and TPJ1JNX98MJpHueBJeF5SVSg85z8mYg1P1, transacted a total of 266,761,784.24 USDT, with some assets already frozen by Tether, but most assets have been laundered through high-frequency trading addresses and multi-level transfers, deposited into platforms such as Binance, OKX, Kraken, and BTSE.

Their gang member Sokolovski holds addresses across multiple blockchain networks (BTC, ETH, Solana, TRON, BNB Beacon Chain), and the analysis of their fund flows can be found in the full report.

7.2 GMX $40 Million Theft Case

On July 10, 2025, GMX was attacked due to a reentrancy vulnerability, resulting in the hacker profiting approximately $42 million. Beosin Trace tracked the stolen funds and found that the attacker’s address 0x7d3bd50336f64b7a473c51f54e7f0bd6771cc355 exchanged various stablecoins and altcoins for ETH and USDC through a DEX protocol after profiting, and transferred the stolen assets to the Ethereum network through multiple cross-chain protocols.

Subsequently, approximately $32 million worth of ETH from the stolen GMX assets was stored in the following four Ethereum network addresses:

0xe9ad5a0f2697a3cf75ffa7328bda93dbaef7f7e7

0x69c965e164fa60e37a851aa5cd82b13ae39c1d95

0xa33fcbe3b84fb8393690d1e994b6a6adc256d8a3

0x639cd2fc24ec06be64aaf94eb89392bea98a6605

Approximately $10 million of assets were stored in the address 0xdf3340a436c27655ba62f8281565c9925c3a5221 on the Arbitrum network.

The laundering path of the funds in this incident is very typical, as the hacker obscured and hid the path of the funds through DeFi protocols, cross-chain bridges, etc., to evade tracking and freezing by regulatory agencies and law enforcement.

8. Summary of the 2025 Web3 Blockchain Security Situation

In 2025, the monetary losses caused by phishing scams and project Rug Pulls significantly decreased compared to 2024; however, hacker attacks were frequent, with losses exceeding $3.1 billion, and the project type with the highest losses remained exchanges. The number of security incidents related to private key leaks has decreased, and the main reasons for this change include:

After rampant hacker activities last year, the entire Web3 ecosystem has placed greater emphasis on security this year, with efforts made by project teams and security companies in various aspects, such as internal security operations, real-time on-chain monitoring, increased focus on security audits, and actively learning from past contract vulnerability exploitation incidents, thereby continuously strengthening security awareness in private key management and project operational security. As the difficulty of exploiting contract vulnerabilities and stealing private keys has increased, hackers have begun to deceive users into transferring assets to hacker-controlled addresses through other means, such as supply chain attacks and front-end vulnerabilities.

Moreover, with the integration of the crypto market and traditional markets, attack targets are no longer limited to DeFi, cross-chain bridges, and exchanges, but have shifted towards attacking payment platforms, gambling platforms, crypto service providers, infrastructure, development tools, MEV bots, and various other targets, with the focus of attacks also shifting towards more complex protocol logic flaws.

For individual users, social engineering/phishing attacks and potential violent coercion have become significant threats to personal asset security. Currently, many phishing attacks involve small amounts and target individual users, which have not been publicly reported or recorded, resulting in loss data often being underestimated; however, users should enhance their awareness of such attacks. Additionally, physical methods of coercion, such as kidnapping targeting crypto users, have occurred multiple times this year, necessitating that users protect their personal identity information and minimize the public exposure of their crypto assets.

Overall, the Web3 security landscape in 2025 still faces severe challenges, and both project teams and individual users should remain vigilant. In the future, supply chain security may become a top priority for Web3 security. How to continuously protect various infrastructure service providers in the industry and monitor and alert threats present in the supply chain is a significant challenge that all parties in the industry need to address together. Furthermore, AI-driven social engineering/phishing attacks may continue to increase, necessitating the establishment of a multi-layered, real-time, and dynamic defense system that encompasses personal awareness, technical barriers, and community collaboration to respond effectively.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。