Ethereum hacks in 2025

An oracle upgrade created an 18-vs-8 decimal precision mismatch in Aevo's legacy Ribbon DOV vaults, draining $2.7M. Aevo shut down vaults hours later.

USPD, a newer decentralized stablecoin, lost ~$1M via a mint/collateral flaw that allowed minting against insufficient backing, briefly depegging the token.

Yearn's yETH StableSwap pool minted 235 septillion yETH from a 16-wei deposit after a liquidity removal reset supply to zero but left cached virtual balances.

Likely private-key theft gave attackers control of GANA Payment's BSC contract; they manipulated reward rates and drained $3.1M via the unstake function.

Access-control oversight and rounding error in Balancer v2's invariant logic drained ~$120M across stable pools, the largest DeFi exploit of 2025.

SBI Crypto, SBI Holdings' mining arm, lost $24M across BTC, ETH, LTC, DOGE and BCH. Undetected for 7 days until ZachXBT flagged a pattern matching DPRK Lazarus.

GriffinAI, an AI-agent crypto project, lost ~$3M after a bridge/mint flaw let an attacker mint unbacked GAIN tokens and dump them, collapsing the price.

UXLINK, a Web3 social protocol, lost roughly $41M after attackers compromised the project's multi-sig keys and exploited an unrestricted delegatecall path.

Rounding error in Bunni DEX's withdraw function drained $8.4M on Ethereum and Unichain after devs misjudged how idle balances would move. Protocol shut down.

A hot-wallet compromise across 7 chains drained $48M from Turkish exchange BtcTurk, its second major hack in 14 months. Cold storage was untouched.

Attackers drained $44M from CoinDCX's internal liquidity account for partner-exchange reserves; the exchange absorbed the loss from treasury.

Attackers compromised BigONE's backend and rewrote risk-control logic to auto-approve any withdrawal, draining $27M from the hot wallet without exposing keys.

$9.8M drained from Resupply in under 90 minutes when a $4,000 flash loan exploited a 2-hour-old wstUSR vault via an ERC-4626 donation attack.

$90M+ drained from Iran's largest exchange by Predatory Sparrow, then burned to addresses tagged with anti-IRGC messages — a destruction-not-profit hack.

Access-control flaw drained $3.76M from Nervos's Force Bridge on Ethereum and BNB Chain; loot was swapped to ETH and routed via Tornado Cash and FixedFloat.

Attacker drained $12M (3,761 wstETH) from Cork Protocol by creating a market referencing another's DS, bypassing auth via a malicious Uniswap v4 hook.

Overflow-guard flaw in Sui's largest DEX let an attacker inject a tiny liquidity position that read as gigantic, draining $223M before validators intervened.

Zunami Protocol lost ~$500K in a second incident, 2 years after its 2023 Curve-pool exploit, again from manipulable price derivation in its stablecoin strategy.

UPCX lost roughly $70M from its treasury after a compromised admin account on the open-source payments platform pushed a malicious smart-contract upgrade.

$355K (entire TVL) drained from leveraged-trading protocol SIR.trading via transient-storage misuse that spoofed the uniswapV3SwapCallback caller check.

$8.4M drained from Zoth, an RWA restaking protocol, after its deployer/upgrade key was compromised and used to push a malicious proxy implementation.

A legacy Fusion v1 resolver bug let an attacker craft calldata to drain $5M from 1inch resolver TrustedVolumes. Core protocol and user funds were unaffected.

$49.5M drained from Infini's Morpho MEVCapital USDC vault by the address that built the contract and quietly retained admin authority after launch.

Malicious JavaScript injected into Safe{Wallet}'s signing UI drained 401,000 ETH ($1.46B) from a Bybit cold-wallet transfer, the largest crypto theft ever.

~$73M drained from Phemex hot wallets across 16 blockchains in a coordinated sweep — the first major exchange hack of 2025, with TTPs consistent with Lazarus.

The Idols NFT lost ~$324K when a staking-rewards accounting flaw let an attacker repeatedly claim weighted rewards far beyond entitlement, draining the pool.