Aevo Legacy Ribbon DOV Oracle Drain
An oracle upgrade created an 18-vs-8 decimal precision mismatch in Aevo's legacy Ribbon DOV vaults, draining $2.7M. Aevo shut down vaults hours later.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
USPD, a newer decentralized stablecoin, lost ~$1M via a mint/collateral flaw that allowed minting against insufficient backing, briefly depegging the token.
Yearn's yETH StableSwap pool minted 235 septillion yETH from a 16-wei deposit after a liquidity removal reset supply to zero but left cached virtual balances.
Likely private-key theft gave attackers control of GANA Payment's BSC contract; they manipulated reward rates and drained $3.1M via the unstake function.
Access-control oversight and rounding error in Balancer v2's invariant logic drained ~$120M across stable pools, the largest DeFi exploit of 2025.
SBI Crypto, SBI Holdings' mining arm, lost $24M across BTC, ETH, LTC, DOGE and BCH. Undetected for 7 days until ZachXBT flagged a pattern matching DPRK Lazarus.
GriffinAI, an AI-agent crypto project, lost ~$3M after a bridge/mint flaw let an attacker mint unbacked GAIN tokens and dump them, collapsing the price.
UXLINK, a Web3 social protocol, lost roughly $41M after attackers compromised the project's multi-sig keys and exploited an unrestricted delegatecall path.
~$2M rug-pulled from New Gold Protocol, a 'gold-backed' BNB Chain yield project whose privileged contract authority drained deposits before the team vanished.
SwissBorg's SOL Earn lost $41.5M (193,000 SOL) via a compromised API at staking vendor Kiln. SwissBorg itself wasn't breached; the third-party infra was.
Rounding error in Bunni DEX's withdraw function drained $8.4M on Ethereum and Unichain after devs misjudged how idle balances would move. Protocol shut down.
Odin.fun, a Bitcoin memecoin launchpad, lost ~$7M when attackers manipulated bonding-curve liquidity accounting to drain BTC pools. Founder paused trading.
A hot-wallet compromise across 7 chains drained $48M from Turkish exchange BtcTurk, its second major hack in 14 months. Cold storage was untouched.
A fee/reward-distribution flaw let an attacker repeatedly extract value from BetterBank's PulseChain liquidity pools, draining $5M with partial recovery later.
A flaw in Credix Finance's credit-token minting logic on BNB Chain let an attacker mint and redeem against fabricated positions, draining $4.5M from the pool.
Attackers drained $44M from CoinDCX's internal liquidity account for partner-exchange reserves; the exchange absorbed the loss from treasury.
Attackers compromised BigONE's backend and rewrote risk-control logic to auto-approve any withdrawal, draining $27M from the hot wallet without exposing keys.
Reentrancy-adjacent flaw in GMX v1's GLP pricing logic let an attacker drain ~$42M, most returned within days in exchange for a white-hat bounty.
$9.8M drained from Resupply in under 90 minutes when a $4,000 flash loan exploited a 2-hour-old wstUSR vault via an ERC-4626 donation attack.
$90M+ drained from Iran's largest exchange by Predatory Sparrow, then burned to addresses tagged with anti-IRGC messages — a destruction-not-profit hack.
A self-listing verification flaw drained $8.37M (up to $16.2M with ALEX tokens) from ALEX Protocol on Stacks, the team's second major incident in 13 months.
Access-control flaw drained $3.76M from Nervos's Force Bridge on Ethereum and BNB Chain; loot was swapped to ETH and routed via Tornado Cash and FixedFloat.
Attacker drained $12M (3,761 wstETH) from Cork Protocol by creating a market referencing another's DS, bypassing auth via a malicious Uniswap v4 hook.
Overflow-guard flaw in Sui's largest DEX let an attacker inject a tiny liquidity position that read as gigantic, draining $223M before validators intervened.
Zunami Protocol lost ~$500K in a second incident, 2 years after its 2023 Curve-pool exploit, again from manipulable price derivation in its stablecoin strategy.
$2.15M drained from MobiusDAO on BNB Chain after a double 10^18 scaling let the attacker mint 9.73 quadrillion MBU from 0.01 BNB; laundered via Tornado Cash.
Solana's Loopscale lost $5.8M 16 days post-launch via RateX PT token oracle manipulation enabling undercollateralized loans. All funds returned for 10% bounty.
$7.5M extracted from KiloEX perps on Base, opBNB and BSC after the MinimalForwarder skipped signature checks; positions opened at $100, closed at $10,000.
UPCX lost roughly $70M from its treasury after a compromised admin account on the open-source payments platform pushed a malicious smart-contract upgrade.
$355K (entire TVL) drained from leveraged-trading protocol SIR.trading via transient-storage misuse that spoofed the uniswapV3SwapCallback caller check.
Attacker drained $13M (6,260 ETH) from Abracadabra's GM Cauldrons by engineering a failing GMX deposit, self-liquidating, then reborrowing the collateral.
$8.4M drained from Zoth, an RWA restaking protocol, after its deployer/upgrade key was compromised and used to push a malicious proxy implementation.
A legacy Fusion v1 resolver bug let an attacker craft calldata to drain $5M from 1inch resolver TrustedVolumes. Core protocol and user funds were unaffected.
$49.5M drained from Infini's Morpho MEVCapital USDC vault by the address that built the contract and quietly retained admin authority after launch.
ZeroLend lost ~$371K to a classic empty-market share-inflation donation attack on a freshly-listed market that lacked a protective initial deposit.
Malicious JavaScript injected into Safe{Wallet}'s signing UI drained 401,000 ETH ($1.46B) from a Bybit cold-wallet transfer, the largest crypto theft ever.
$9.5M drained from zkLend on Starknet via a precision-rounding bug in its safeMath library; repeated rounding inflated raw_balance until pools emptied.
$8.6M extracted from Ionic Money on Mode after attackers impersonated Lombard Finance for weeks, got a fake LBTC listed, then borrowed against it.
~$73M drained from Phemex hot wallets across 16 blockchains in a coordinated sweep — the first major exchange hack of 2025, with TTPs consistent with Lazarus.
The Idols NFT lost ~$324K when a staking-rewards accounting flaw let an attacker repeatedly claim weighted rewards far beyond entitlement, draining the pool.
Moby Trade, an Arbitrum options protocol, lost ~$1M after a privileged key was compromised and used to rig option settlement. SEAL white-hats limited damage.