
April 2025 Monthly Report

  • Nominis Intelligence Unit
  • May 18
  • 8 min read

April 2025 saw a surge in complex, multi-faceted attacks across the crypto ecosystem, highlighting once again that vulnerabilities are not just technical; they can be systemic. This month’s incidents spanned a wide variety of attack types, from smart contract flaws and private key compromises to insider attacks and oracle manipulation. As in last month’s report, attackers demonstrated alarming technical and strategic sophistication. Losses spanned several chains, from Solana to Arbitrum. Multiple projects this month, including KiloEx, UPCX and Loopscale, opted to negotiate with the hackers for partial recovery, often offering bug bounties in exchange for stolen assets. White hat interventions, like the one seen with Morpho Blue, offer rare bright spots but also underscore how difficult it can be to intercept an attack in real time. 


From backdoor manipulation and price oracle attacks to insecure admin privileges and tokenomics-based collapses, the breadth of threats continues to expand. April’s breaches serve as a reminder that strong private key management, rigorous smart contract auditing and ongoing behavioural monitoring via KYT are not optional; they are foundational in combating these increasingly adaptive threat actors. 


April 2025: Major attacks


  • UPCX - 01/04/2025


Type: Compromised Private Key 


Blockchain payment platform UPCX reported a security breach involving unauthorized access to one of its internal management accounts. According to some assessments, the attacker is believed to have used a compromised private key to manipulate the smart contract through that key’s privileged access, executing the withdrawByAdmin function built into the contract. 18.4 million UPC tokens were drained from multiple management accounts. In announcements on X, UPCX warned advisers against initiating new staking while internal assessments took place. 


Impact: $7,000,000.00


  • AIRWA - 04/04/2025 


Type: Smart Contract Vulnerability 


The AIRWA token, deployed on the BSC, was exploited through smart contract manipulation. The function setBurnRate() was publicly accessible, allowing anyone to change the burn rate. The attacker set it to 980 and then triggered a transfer which, due to faulty logic, burned liquidity pool tokens even though no tokens were actually transferred. This let the attacker drain value from the pool. The root cause was missing access control combined with unsafe logic affecting LP tokens. 
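The two defects described above (an unprotected setter and a burn that is sized by the pool’s holdings rather than by the transfer) can be shown side by side in a small model. The following is an added example, not the AIRWA contract or anything published by the project: the class names, the parts-per-thousand rate convention, the 5% cap and all balances are constructed assumptions.

```python
# Toy model of the AIRWA setBurnRate() defect and a hardened counterpart.
# Added illustration, not the AIRWA contract: class names, the
# parts-per-thousand rate convention, the 5% cap and all balances are
# constructed assumptions.

RATE_DENOMINATOR = 1000  # assumed: a rate of 980 means 98%


class VulnerableToken:
    """Reproduces the two defects the report describes: an unprotected
    burn-rate setter, and transfer logic that burns the liquidity pool's
    tokens based on the pool balance rather than the transferred amount."""

    def __init__(self, owner, pool, pool_balance):
        self.owner = owner
        self.pool = pool
        self.balances = {pool: pool_balance}
        self.burn_rate = 10  # 1% by default (constructed)

    def set_burn_rate(self, caller, rate):
        # Defect 1: no access control, any caller may change the rate.
        self.burn_rate = rate

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        # Defect 2: the burn is taken from the pool and sized by the pool's
        # balance, so even a zero-value transfer destroys pool tokens.
        burn = self.balances[self.pool] * self.burn_rate // RATE_DENOMINATOR
        self.balances[self.pool] -= burn
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return burn


class HardenedToken(VulnerableToken):
    MAX_BURN_RATE = 50  # assumed cap of 5%

    def set_burn_rate(self, caller, rate):
        if caller != self.owner:
            raise PermissionError("only the owner may change the burn rate")
        if not 0 <= rate <= self.MAX_BURN_RATE:
            raise ValueError("burn rate outside the allowed range")
        self.burn_rate = rate

    def transfer(self, sender, to, amount):
        if amount == 0:
            raise ValueError("zero-value transfers are rejected")
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        # The burn is sized by the transferred amount and paid by the sender;
        # the pool's holdings are never touched by someone else's transfer.
        burn = amount * self.burn_rate // RATE_DENOMINATOR
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount - burn
        return burn


def demo():
    """Runs the unprotected and the hardened token through the same sequence."""
    vuln = VulnerableToken(owner="owner", pool="pool", pool_balance=1_000_000)
    vuln.set_burn_rate("attacker", 980)                 # succeeds: no access control
    burned = vuln.transfer("attacker", "attacker", 0)   # zero-value transfer still burns

    hard = HardenedToken(owner="owner", pool="pool", pool_balance=1_000_000)
    rejected = []
    for caller, rate in (("attacker", 980), ("owner", 980)):
        try:
            hard.set_burn_rate(caller, rate)
        except (PermissionError, ValueError) as exc:
            rejected.append(type(exc).__name__)
    try:
        hard.transfer("attacker", "attacker", 0)
    except ValueError as exc:
        rejected.append(type(exc).__name__)

    return {
        "vuln_burned": burned,
        "vuln_pool_after": vuln.balances["pool"],
        "hard_rate": hard.burn_rate,
        "hard_pool_after": hard.balances["pool"],
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

In the unprotected model a single zero-value transfer at rate 980 removes 98% of the pool’s token balance; the hardened model rejects the attacker’s setter call, rejects the owner’s out-of-range rate, and refuses the zero-value transfer, so the pool balance is unchanged. The point for reviewers is that the rate cap and the zero-amount guard matter even when the setter is correctly restricted, because a compromised owner key would otherwise reproduce the same outcome.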


Impact: $34,000.00


  • Morpho Blue - 10/04/2025


Type: Access Control Issue 


Morpho Blue, a noncustodial lending protocol, made a front-end change to its app on April 10, unknowingly introducing a vulnerability in how certain transactions were built. The following day, a hacker took advantage of this bug, attempting to steal approximately $2.6 million. However, a white hat hacker, c0ffeebabe.eth, who, according to sources, specialises in MEV (maximal extractable value), recognised the attack and acted faster than the malicious hacker. The white hat hacker intercepted the attack and secured the funds before they were stolen. 

Morpho rolled back the update and confirmed that the main protocol was never at risk. The white hat hacker returned the funds and the bug was fixed. 


Impact: (A potential) $2.6 million 


  • Mantra - 13/04/2025 


Type: Emissions/tokenomics-based manipulation


In April 2025, Mantra’s OM token crashed over 90%, wiping out more than $5 billion in market value, after on-chain data showed that over 43 million tokens, about 4.5% of the supply, had been moved to exchanges, sparking allegations of insider dumping. A suspicious 14 million token transfer drew further scrutiny, though Mantra’s CEO claimed the drop was due to forced liquidations by a centralized exchange and insisted that team tokens remained locked. The community pushed back, citing the project’s high token concentration and the lack of proof for the team’s claims. Mantra launched a recovery plan including a 150 million OM token burn and promised greater transparency. 


Impact: $5,500,000.00


  • KiloEx - 14/04/2025


Type: Contract Vulnerability


KiloEx, a decentralized exchange, experienced a security breach causing massive losses across multiple chains. The exploit involved a vulnerability in a permissionless function that allowed the exploiter to manipulate price oracles and execute trades at artificial prices. In response, KiloEx suspended the platform to contain the attack and started an investigation. It offered the hacker a 10% bounty for the return of the stolen funds; the hacker agreed and returned the majority of the assets. 


Research from Nominis Vue dashboard

Intel from NOMINIS Vue rated the wallet of the exploiter who attacked KiloEx at risk level ‘critical’.


Impact: $8,400,000.00


  • ZKSync - 15/04/2025 


Type: Private Key Leakage 


In mid-April, the security team of ZKsync, a blockchain network, discovered that a compromised admin account had gained access to about $5 million in unclaimed ZK airdrop tokens. The compromised key was allegedly tied to the admin account managing the airdrop contract. The breach was limited to the airdrop distribution contract: user funds were not affected, and neither were the ZKsync protocol or the ZK token contract. The ZK token price dropped 20% immediately following disclosure of the compromise. 

Impact: $5,000,000.00


  • R0AR - 16/04/2025


Type: Insider Manipulation 


R0AR, a DeFi platform with the native token $1ROR, was exploited through a hidden backdoor in its staking contract. The backdoor allowed a developer to manipulate a user’s balance during deployment by modifying storage slots, which in turn allowed the attacker to drain funds through the emergency withdrawal function. The exploit was likely committed by a rogue developer, whose access has seemingly been revoked. 


Impact: $780,000


  • NUMA - 18/04/2025


Type: Price Manipulation


Numa, a ‘non-custodial and decentralized synthetics protocol’ with its own token $NUM on the Arbitrum network, suffered an exploit when an attacker drained a wallet worth approximately half a million dollars and swapped the stolen funds to ETH. The ETH was bridged to the Ethereum mainnet and laundered through Tornado Cash. 


Impact: $530,000.00


  • BTCMapp Contracts - 22/04/2025 


Type: Smart Contract vulnerability 


BTCMapp, a DeFi project on the Arbitrum blockchain, was targeted in an exploit due to a vulnerability in its smart contract: the function overPaper() allowed the attackers to repeatedly withdraw funds and drain roughly half of the contract’s balance. The attackers laundered the stolen assets via cross-chain bridges to Ethereum, with investigators actively tracking the movement.  


[Dashboard screenshot: address exposure for “Btcmapp Exploiter”, showing risk severity “Critical”, transaction dates, balance and categories.] Intelligence from the NOMINIS VUE dashboard demonstrates the critical risk severity of the exploiter’s address.

Impact: $1,300,000.00


  • ACB - 24/04/2025


Type: Contract vulnerability 


ACB, a BEP-20 token deployed on the BSC, was exploited when the attacker abused a cash claim vulnerability that allowed them to repeatedly claim an airdrop, draining the contract’s funds. 

 

Impact: $60,000.00


  • $Zora Token - 24/04/2025


Type: Business Logic Flaw


Zora, a token that launched only on 23/04/2025, was attacked the following day, when an attacker stole about 5,500 ZORA tokens. The attacker leveraged a permissionless contract called 0x Settler, which allows arbitrary function calls, to execute a claim function on a Zora Claim Token contract. By invoking the execute() function with attacker-controlled parameters, they made the contract call claim() with the _claimTo address set to the attacker’s wallet. Once the assets were stolen, the attacker traded them for ETH and bridged them off the Base network to Ethereum. 
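The ACB and Zora entries above describe two distinct claim-contract defects: an allocation that is never marked as claimed, and a claim() that accepts an attacker-supplied _claimTo when reached through a permissionless forwarding contract. The model below is an added example, not code from either project or from 0x: every address, allocation and class name is constructed, and the forwarding contract is a stand-in for the “arbitrary function call” behaviour the report attributes to 0x Settler. The hardened version pays only the caller and records the claim before paying; a signed-redirect scheme (letting a beneficiary authorise a different payout address) would be an alternative fix and is not shown.

```python
# Toy model of two airdrop-claim defects the report describes: ACB's
# repeatable claim and Zora's claim() reached through a permissionless
# executor with an attacker-controlled _claimTo. Added illustration, not
# either project's code: addresses, allocations and class names are constructed.

SETTLER = "0xSETTLER_PLACEHOLDER"    # constructed stand-in for a permissionless executor
ATTACKER = "0xATTACKER_PLACEHOLDER"  # constructed
ALICE = "0xALICE_PLACEHOLDER"        # constructed ordinary beneficiary


class PermissionlessExecutor:
    """Forwards any call to any target; the target sees the executor as the caller."""

    def __init__(self, address):
        self.address = address

    def execute(self, target, fn_name, *args):
        return getattr(target, fn_name)(self.address, *args)


class VulnerableClaim:
    """Pays the caller's allocation to whatever claim_to the caller supplies
    and never records that the allocation has been claimed."""

    def __init__(self, allocations):
        self.allocations = dict(allocations)  # beneficiary -> amount
        self.paid = {}                         # recipient -> total paid out

    def claim(self, caller, claim_to):
        amount = self.allocations.get(caller, 0)
        if amount == 0:
            raise ValueError("nothing to claim")
        self.paid[claim_to] = self.paid.get(claim_to, 0) + amount
        return amount


class HardenedClaim(VulnerableClaim):
    """Fix 1 (ACB): mark the allocation claimed before paying.
    Fix 2 (Zora): a caller may only collect to itself, so a forwarding
    contract cannot redirect an allocation it controls to a third party."""

    def __init__(self, allocations):
        super().__init__(allocations)
        self.claimed = set()

    def claim(self, caller, claim_to):
        if caller in self.claimed:
            raise ValueError("already claimed")
        amount = self.allocations.get(caller, 0)
        if amount == 0:
            raise ValueError("nothing to claim")
        if claim_to != caller:
            raise PermissionError("payout may only go to the claimant")
        self.claimed.add(caller)  # effects recorded before the payout
        self.paid[claim_to] = self.paid.get(claim_to, 0) + amount
        return amount


def demo():
    """Same attacker sequence against the vulnerable and the hardened contract."""
    # Assumed: the executor contract itself holds a claimable allocation.
    allocations = {SETTLER: 5_500, ALICE: 100}
    executor = PermissionlessExecutor(SETTLER)

    vuln = VulnerableClaim(allocations)
    executor.execute(vuln, "claim", ATTACKER)  # caller is SETTLER, payout to ATTACKER
    for _ in range(3):                          # ACB-style repeated claim
        vuln.claim(ALICE, ALICE)

    hard = HardenedClaim(allocations)
    rejected = []
    try:
        executor.execute(hard, "claim", ATTACKER)
    except PermissionError as exc:
        rejected.append(str(exc))
    hard.claim(ALICE, ALICE)
    try:
        hard.claim(ALICE, ALICE)
    except ValueError as exc:
        rejected.append(str(exc))

    return {
        "vuln_attacker_received": vuln.paid.get(ATTACKER, 0),
        "vuln_alice_received": vuln.paid.get(ALICE, 0),
        "hard_attacker_received": hard.paid.get(ATTACKER, 0),
        "hard_alice_received": hard.paid.get(ALICE, 0),
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable contract the attacker collects the executor’s full allocation and a normal user can claim three times over; against the hardened contract the redirected claim is refused, the first honest claim succeeds and the second is rejected as already claimed.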


Impact: $128,000


  • Grafana - 26/04/2025


Type: Security Vulnerability


Towards the end of April, Grafana, a data visualisation and monitoring tool, suffered a security flaw within its GitHub workflows. The nature of the vulnerability was not disclosed in Grafana’s blog, but the attacker’s process was described. The attacker apparently gained access by forking a Grafana GitHub repository and running a malicious script via curl to insert malicious code. The attacker encrypted some sensitive tokens they found, saved them to a file, and finally deleted the forked repository. The attacker repeated this method on four different repositories, but the impact was limited to automated systems and did not affect any live production systems or software releases. Grafana did not disclose the particular damage caused, but confirmed that it immediately removed the compromised GitHub Action and disabled all workflows in public repositories. They also performed internal audits to ensure no similar weaknesses existed elsewhere. 


Impact: Unconfirmed


  • Impermax V3 - 26/04/2025


Type: Protocol Logic


Impermax, a decentralized lending protocol, experienced a sophisticated exploit in its v3 code that enabled an attacker to steal sizable assets using a flash loan. The vulnerability lay in how uncollected and auto-compounded fees were misvalued when used as collateral; the attacker was able to create a collateral position in a low-liquidity Uniswap v3 pool, where the value could be easily manipulated. The price tick was manipulated, unbalancing the position so that fees could accumulate on one side. The attacker then performed about 50 swaps, allowing the ‘uncollected fees’ to pile up so that the position looked very valuable. Then the attacker borrowed tokens from Impermax using these inflated fees as collateral. Finally, the attacker reinvested the fees using the ‘auto-compound feature’ at the manipulated price tick, and then returned the tick to a normal level. Users were urged not to reduce or close positions until a fix had been confirmed. 


Impact: Approx. $400,000


  • Loopscale - 26/04/2025


Type: Oracle attack


Loopscale, a modular DeFi lending protocol on Solana, was exploited through a pricing vulnerability involving RateX PT token-based collateral. The flaw allowed the attacker to manipulate collateral valuations and drain about 5.7 million USDC and 1,200 SOL, roughly 12% of the protocol’s total assets, from its USDC and SOL Genesis vaults. The attacker exploited a loophole in Loopscale’s integration with RateX by deploying a fake RateX market program that mimicked the interface of a legitimate one. This malicious program fed Loopscale artificially inflated prices for RateX-issued principal tokens (PT tokens), tricking the protocol into believing the attacker’s collateral was larger than it was. Using this inflated collateral value, the attacker borrowed large amounts over several transactions without proper backing. The stolen funds were swapped, bridged across chains and dispersed to multiple wallets in an attempt to obfuscate their origin. Communications with the attacker led to the full return of the funds within 48 hours of the attack, with a 10% bug bounty remaining in the hands of the hacker. 
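Both the KiloEx and Loopscale entries come down to a lender accepting a price from a source it has not verified: a permissionless function in one case, a program that merely mimics the expected interface in the other. The following added example (not Loopscale, RateX or KiloEx code) shows a collateral valuation that trusts anything answering the interface beside one that checks the price source’s identity against an allowlist and bounds its answer against an independent reference. Program IDs, prices in cents, the 80% LTV and the 5% deviation bound are constructed assumptions.

```python
# Toy model of the Loopscale/KiloEx pricing defect and a defensive valuation.
# Added illustration, not either protocol's code: program IDs, prices,
# the 80% LTV and the 5% deviation bound are constructed assumptions.

# Allowlist of price-source program IDs the lender has vetted (constructed).
ALLOWED_PRICE_PROGRAMS = {"RATEX_MARKET_PROGRAM_ID_PLACEHOLDER"}
LTV_BPS = 8000            # assumed: borrow up to 80% of collateral value
MAX_DEVIATION_BPS = 500   # assumed: reject prices more than 5% from reference


class PriceProgram:
    """Anything exposing the expected interface; an impostor looks identical."""

    def __init__(self, program_id, pt_price_cents):
        self.program_id = program_id
        self.pt_price_cents = pt_price_cents

    def get_pt_price_cents(self):
        return self.pt_price_cents


def collateral_value_unchecked(program, pt_amount):
    """Defect: trusts whichever program answers the interface."""
    return program.get_pt_price_cents() * pt_amount


def collateral_value_checked(program, pt_amount, reference_price_cents):
    """Verifies the source's identity, then bounds its answer against an
    independent reference before the price is used for collateral."""
    if program.program_id not in ALLOWED_PRICE_PROGRAMS:
        raise PermissionError(f"untrusted price program {program.program_id}")
    price = program.get_pt_price_cents()
    deviation_bps = abs(price - reference_price_cents) * 10_000 // reference_price_cents
    if deviation_bps > MAX_DEVIATION_BPS:
        raise ValueError(f"price deviates {deviation_bps} bps from reference")
    return price * pt_amount


def max_borrow_cents(collateral_value_cents):
    return collateral_value_cents * LTV_BPS // 10_000


def demo():
    """Values 1,000 PT tokens through a genuine source, an impostor with the
    same interface, and a vetted source returning a manipulated price."""
    genuine = PriceProgram("RATEX_MARKET_PROGRAM_ID_PLACEHOLDER", 95)  # $0.95 per PT
    impostor = PriceProgram("FAKE_PROGRAM_ID_PLACEHOLDER", 950)        # $9.50 per PT
    pt_amount = 1_000
    reference = 96  # assumed independent reference price, $0.96 per PT

    unchecked_borrow = max_borrow_cents(collateral_value_unchecked(impostor, pt_amount))
    genuine_borrow = max_borrow_cents(collateral_value_checked(genuine, pt_amount, reference))

    try:
        collateral_value_checked(impostor, pt_amount, reference)
        impostor_result = "accepted"
    except PermissionError:
        impostor_result = "rejected: untrusted program"

    # Identity checks alone are not enough: a vetted source can still be
    # manipulated, which the deviation bound catches.
    drifted = PriceProgram("RATEX_MARKET_PROGRAM_ID_PLACEHOLDER", 950)
    try:
        collateral_value_checked(drifted, pt_amount, reference)
        drift_result = "accepted"
    except ValueError:
        drift_result = "rejected: price out of bounds"

    return {
        "unchecked_borrow_cents": unchecked_borrow,
        "genuine_borrow_cents": genuine_borrow,
        "impostor": impostor_result,
        "drifted": drift_result,
    }


if __name__ == "__main__":
    print(demo())
```

Without the checks, the impostor’s tenfold price lets 1,000 PT (worth about $950) back a $7,600 loan; with them, the impostor is refused outright and a vetted source returning the same inflated figure is refused by the deviation bound, while the genuine source still supports the expected $760 borrow.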


Impact: $5,800,000.00 (recovered) 


  • QuantMaster - 27/04/2025


Type: Insider Manipulation


The DeFi project QuantMaster suffered a major security breach after an insider secretly embedded malicious code into one of its smart contracts, leading to the loss of ‘hundreds of thousands of dollars’. Investigators appear to have traced the incident back to an employee using GitHub commit records and device tracking tools. Activity logs ruled out the use of AI, affirming that the exploit was performed manually by the insider.  


Impact: Unconfirmed 


  • LIFE Protocol - 27/04/2025


Type: Price Manipulation


According to several security alert systems, LIFE Protocol, a DeFi platform with the $LIFE token, suffered a hack resulting in massive losses. Little has been confirmed about the attack or the perpetrator, and the protocol has not mentioned the attack on any social media platform. 


Impact: $51,000


  • Aventa - 27/04/2025


Type: Flashloan attack



In late April, the security firm SlowMist recognised suspicious activity related to the Aventa Project, labelled as a flash loan attack. As with the case above, little more is known about the attack, the perpetrator or efforts to recover funds. The attack was not mentioned by the Aventa Project on its social media platforms. 


Impact: $7,000.00


Major attacks this month, by type:

[Pie chart: major attacks this month by type. Smart contract vulnerabilities 35.3%, oracle/price manipulation 17.6%, private key compromises 11.8%.]

Final thoughts:


April 2025 reinforces that threats in the crypto space are growing not only in scale but also in creativity. With total losses in April exceeding $36,000,000, attack types ranged from smart contract misconfigurations and oracle abuse to private key compromises and insider manipulation, demonstrating that even minor oversights in access control, tokenomics or deployment processes can lead to massive financial and reputational losses. 


This month also illustrated an interesting shift: attackers are targeting every layer of the crypto stack, from code to governance, infrastructure and even open-source workflows. While this was apparent previously, April’s attacks highlight the creativity demonstrated by attackers. 


April’s attacks demonstrate the critical necessity of continuous monitoring through Know Your Transaction (KYT) systems, which remain one of the most effective defences. KYT enables platforms to detect abnormal behaviour in real time, trace malicious fund flows across chains, and identify links to sanctioned or high-risk addresses.
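The behaviours this report describes are concrete enough to write rules for: sudden large outflows from a protocol contract (UPCX, BTCMapp), proceeds moving to a bridge or a mixer shortly after arriving (NUMA, Zora), exchange deposits that are a large share of a token’s supply (Mantra), and transfers involving an address already labelled high-risk. The following is an added example of such a KYT pass over a constructed transfer log; it is not Nominis’s product or scoring, and every address, label, threshold and window is a constructed assumption.

```python
# Illustrative KYT pass over a constructed transfer log. Added example, not
# Nominis's product or scoring: addresses, labels, thresholds and windows are
# constructed assumptions.
from collections import defaultdict

# Constructed address labels a KYT system would maintain.
LABELS = {
    "0xPROTOCOL_VAULT": "protocol",
    "0xBRIDGE": "bridge",
    "0xMIXER": "mixer",
    "0xEXCHANGE_HOT": "exchange",
    "0xKNOWN_BAD": "high_risk",
}
TOKEN_SUPPLY = 1_000_000_000   # assumed total supply of the monitored token
OUTFLOW_WINDOW_S = 600         # assumed: outflows summed over 10 minutes
OUTFLOW_THRESHOLD = 0.20       # assumed: alert at 20% of vault balance per window
EXCHANGE_SUPPLY_SHARE = 0.04   # assumed: alert at 4% of supply in one exchange deposit
HOP_WINDOW_S = 3600            # assumed: bridge/mixer within an hour of an inflow

# Constructed sample transfers: (timestamp, from, to, amount).
TRANSFERS = [
    (1000, "0xUSER1", "0xPROTOCOL_VAULT", 10_000_000),
    (2000, "0xPROTOCOL_VAULT", "0xEXPLOITER", 4_000_000),
    (2100, "0xPROTOCOL_VAULT", "0xEXPLOITER", 4_000_000),
    (2500, "0xEXPLOITER", "0xBRIDGE", 7_900_000),
    (3000, "0xEXPLOITER", "0xMIXER", 100_000),
    (4000, "0xINSIDER", "0xEXCHANGE_HOT", 45_000_000),
    (5000, "0xUSER2", "0xKNOWN_BAD", 1_000),
    (6000, "0xUSER3", "0xUSER4", 500),
]


def analyse(transfers, vault_balance):
    """Replays transfers in time order and returns {address: sorted alert names}."""
    alerts = defaultdict(set)
    inflow_at = defaultdict(list)  # address -> timestamps of inflows received
    vault_out = []                 # (timestamp, amount) outflows from the vault

    for ts, src, dst, amount in sorted(transfers):
        inflow_at[dst].append(ts)

        # Rule 1: abnormal outflow from a protocol-labelled contract.
        if LABELS.get(src) == "protocol":
            vault_out.append((ts, amount))
            recent = sum(a for t, a in vault_out if ts - t <= OUTFLOW_WINDOW_S)
            if recent >= OUTFLOW_THRESHOLD * vault_balance:
                alerts[dst].add("abnormal_vault_outflow")

        # Rule 2: funds hopped to a bridge or mixer soon after arriving.
        if LABELS.get(dst) in ("bridge", "mixer"):
            if any(ts - t <= HOP_WINDOW_S for t in inflow_at[src]):
                alerts[src].add(f"rapid_{LABELS[dst]}_hop")

        # Rule 3: single exchange deposit that is a large share of supply.
        if LABELS.get(dst) == "exchange" and amount >= EXCHANGE_SUPPLY_SHARE * TOKEN_SUPPLY:
            alerts[src].add("large_exchange_deposit")

        # Rule 4: either side of the transfer is already labelled high-risk.
        if LABELS.get(dst) == "high_risk":
            alerts[src].add("high_risk_counterparty")
        if LABELS.get(src) == "high_risk":
            alerts[dst].add("high_risk_counterparty")

    return {addr: sorted(names) for addr, names in alerts.items()}


if __name__ == "__main__":
    for address, names in analyse(TRANSFERS, vault_balance=10_000_000).items():
        print(address, names)
```

On the constructed log the exploiter address is flagged three times (vault outflow, bridge hop, mixer hop), the insider once for the exchange deposit, and the user who paid a labelled address once, while the ordinary transfer raises nothing. In practice the labels are the hard part: the rules are only as good as the address intelligence behind them.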


While we strive for accuracy in our content, we acknowledge that errors may occur. If you find any mistakes, please reach out to us at contact@nominis.io. Your feedback is appreciated!



