Crypto Security Incidents - March 2025
- Nominis Intelligence Unit
- May 13
Updated: May 14
March 2025 was marked by a range of significant security incidents in the crypto ecosystem, underscoring the persistent and evolving risks facing decentralized platforms and token projects. Common attack types included smart contract vulnerabilities, private key compromise, protocol logic flaws and market manipulation tactics. Reentrancy attacks and private key leaks were especially prominent, highlighting the critical importance of contract auditing, private key security and robust slippage protections in DeFi protocols.
The total losses from major attacks this month exceeded $34 million, spanning many chains and platforms. Attackers exploited flaws in smart contract designs, bypassed signature checks and manipulated oracles, and in some cases insider operators may have assisted the breaches. Many of these incidents serve as a harsh reminder that basic compliance practices remain a key defense in protecting user assets.
Major attacks:
Zoth - 01/03/2025
Type: Lack of Slippage Protection - Smart contract vulnerability
Zoth, a DeFi protocol with the native stablecoin ‘ZeUSD’, suffered an attack when an attacker used Uniswap V3 price manipulation to deceive Zoth’s system into recording incorrect collateral values. This allowed them to mint extra ZeUSD and withdraw overvalued collateral, gaining a sizeable profit.
Impact: $286,000.00

Hegic - 04/03/2025
Type: Protocol Logic
Hegic, a p2p options trading protocol, suffered an attack in late February 2025 on an old test contract created in January 2022. The contract had been funded by the Deployer address but was seemingly never decommissioned in full, as funds were still sitting in it, which made it a ‘soft target’. While no user funds or live contracts were compromised, a hacker managed to steal 1.1 WBTC (Wrapped Bitcoin). Hegic revealed that the attack took place and shared important details, as well as links to security reports, in early March.
Impact: $94,000.00
1inch - 06/03/2025
Type: Reentrancy attack
1inch, a DeFi aggregator that helps users find the best prices for token swaps across different DEXs, suffered an attack in early March. 1inch’s system included a vulnerable contract with a function, FillOrderInteraction(), that would blindly trust a user-supplied value, ‘takingAmount’, and return it without validation. The function fillOrderTo() would then use this unchecked value to transfer tokens, meaning the attacker could trick the contract into sending large unauthorized amounts. The attacker used a reentrancy attack to call the vulnerable logic multiple times in a single transaction. 638 ETH and $1.2M USDC were drained, with some of the ETH being traced to a wallet moving funds to Binance, potentially in an attempt to launder the assets or obscure the trail of funds.
Impact: $2,600,000.00
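The flaw pattern described above, as an added illustration rather than 1inch’s own code: a settlement contract that pays out whatever a taker-controlled callback returns and records nothing before the external call, beside a version that bounds the payout by the order, records the fill first and blocks reentry. Contract and interface names are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed interface for the taker-supplied contract that the settlement calls.
interface IInteraction {
    function fillOrderInteraction(uint256 takingAmount) external returns (uint256);
}

// VULNERABLE (mirrors the defect described above): the amount returned by the
// taker's callback is paid out unchecked, and nothing is recorded before the
// external call, so the callee can re-enter fillOrderTo() within one transaction.
contract VulnerableSettlement {
    IERC20 public immutable asset;
    constructor(IERC20 asset_) { asset = asset_; }
    function fillOrderTo(address interaction, uint256 takingAmount) external {
        uint256 actual = IInteraction(interaction).fillOrderInteraction(takingAmount);
        asset.transfer(msg.sender, actual); // caller-controlled amount, unbounded
    }
}

// HARDENED: bound the payout by the order, record the fill before calling out
// (checks-effects-interactions) and refuse nested calls.
contract HardenedSettlement {
    IERC20 public immutable asset;
    mapping(bytes32 => uint256) public filled; // orderId => amount already paid out
    uint256 private locked = 1;                // 1 = idle, 2 = call in progress
    constructor(IERC20 asset_) { asset = asset_; }
    modifier nonReentrant() {
        require(locked == 1, "reentrant");
        locked = 2;
        _;
        locked = 1;
    }
    // maxTakingAmount is the limit from the maker's signed order; verification of
    // the order signature is omitted here to keep the example short.
    function fillOrderTo(bytes32 orderId, uint256 maxTakingAmount, address interaction, uint256 takingAmount)
        external nonReentrant
    {
        require(filled[orderId] + takingAmount <= maxTakingAmount, "exceeds order");
        filled[orderId] += takingAmount; // effect recorded before the external call
        uint256 actual = IInteraction(interaction).fillOrderInteraction(takingAmount);
        require(actual <= takingAmount, "callback inflated amount"); // never trust the callee
        require(asset.transfer(msg.sender, actual), "transfer failed");
    }
}
```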
$MODELPI token - 10/03/2025
Type: Suspected rug pull
$ModelPi is a BEP-20 token on the Binance Smart Chain (BSC). The token suffered a suspected rug pull in which a burn mechanism targeted the swap pair’s address, tampering with the AMM’s price logic, the constant-product invariant known as the ‘K value’ that keeps the pool’s reserves in balance. This enabled price manipulation and the draining of liquidity. The root cause may have been a flawed contract design, insider abuse or an external exploit; so far it remains unconfirmed.
Impact: $107,000.00
DPRK - 11/03/2025
Type: Rug Pull
Investigator ZachXBT shared that a high-confidence demixing analysis had linked the Democratic People’s Republic of Korea (colloquially known as North Korea) to the purchase of 437.6B $PEPE, following the withdrawal of ETH from Tornado Cash. Upon further analysis it appears that the DPRK may itself have fallen victim to a rug pull, as it may have interacted with a compromised Tornado Cash front-end. The original purchase of $PEPE linked to the DPRK was obfuscated through specific Tornado Cash deposits, with matching withdrawals occurring a few minutes later. This pattern is consistent with laundering or obfuscation tactics.
Impact: $3,100,000.00
$MAID token - 13/03/2025
Type: Private Key Compromise
According to a reliable security research account on X, an old project, $MAID, suffered an attack when the private key to the deployer wallet (the original wallet used to launch the token) was compromised. Additionally, at least one multisig signer key from the project’s treasury or governance setup was compromised. This allowed the attacker to mint 1.1 trillion $MAID tokens, send them to the deployer’s address and swap them for approximately 89 ETH. Assets left in the deployer wallet, amounting to about 12.4 ETH, were also stolen. The stolen funds were then dispersed across four different wallets, a case demonstrating the critical importance of private key security and multisig hygiene, even for older or inactive wallets.
Impact: $166,000.00
Berally - 14/03/2025
Type: Private Key Compromise
In mid-March, Berally shared on their X account that the project had experienced a security breach involving their deployer key, which led to a large-scale token dump and liquidity drain. It seems the key still had on-chain permissions, meaning it retained the ability to control vesting contracts or interact with the token contract directly. The attacker withdrew all these tokens by bypassing the vesting schedule and dumped them into a liquidity pool, crashing the token price and simultaneously draining the ETH from the pool. Berally confirmed that dApp contracts were not affected and remained secure, meaning user funds were not touched. They also suggested in a follow-up post that users should ‘revoke access from the dApp and Staking’.
Impact: $90,000.00
WebKeyDao - 15/03/2025
Type: Contract vulnerability
WebKeyDAO was exploited due to an unprotected buy() function in one of its contracts, which allowed an attacker to manipulate internal pricing via the SetSaleInfo() function. By setting the purchase cost to just 1,159 BUSD and the mint amount to 230 wKeyDao tokens, the attacker acquired tokens at a heavily discounted rate and quickly sold them on a decentralized exchange for 13,167 BUSD, making a 10x profit. A built-in 67-token sale cap prevented the full liquidity pool, containing $11 million in assets, from being drained.
Impact: $737,000.00
$BHB Token on BSC - 17/03/2025
Type: Contract Vulnerability
DeHub (DHB), the cryptocurrency token that powers a decentralised entertainment ecosystem, suffered an exploit due to an insecure implementation of public signer verification in its smart contract. The contract was vulnerable to signature replay attacks, allowing the attacker to reuse valid signatures to perform unauthorized token mints or transactions. This flaw enabled the draining of funds and highlights the critical need for proper signature validation and replay protection in smart contract design.
Impact: $5,000.00
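An added illustration, not DeHub’s contract, of the replay problem described above: a signed mint whose digest covers only the payload, beside one whose digest is bound to the chain, the contract, a per-recipient nonce and an expiry. Names are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// VULNERABLE: the signed digest covers only the payload. One valid signature can
// be submitted again and again, and also works on any other contract or chain that
// trusts the same signer key.
contract ReplayableMint {
    address public immutable signer;
    mapping(address => uint256) public balanceOf;
    constructor(address signer_) { signer = signer_; }

    function mint(address to, uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
        bytes32 digest = keccak256(abi.encodePacked(to, amount));
        require(ecrecover(digest, v, r, s) == signer, "bad sig");
        balanceOf[to] += amount;                      // the same (v,r,s) mints again on every call
    }
}

// HARDENED: the digest binds chain id, this contract's address, a per-recipient
// nonce and an expiry; the nonce is consumed in the same transaction as the mint,
// so the signature is single-use and cannot be moved to another deployment.
contract NonReplayableMint {
    address public immutable signer;
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public nonces;
    constructor(address signer_) { signer = signer_; }

    function mint(address to, uint256 amount, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {
        require(block.timestamp <= deadline, "expired");
        uint256 nonce = nonces[to]++;                 // a revert below undoes this, so nonces cannot be burned
        bytes32 structHash = keccak256(
            abi.encode(block.chainid, address(this), to, amount, nonce, deadline)
        );
        // EIP-191 prefix: the signed bytes can never be mistaken for a transaction or another scheme
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", structHash));
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == signer, "bad sig");
        // ecrecover accepts both halves of a malleable (s, n-s) pair; harmless here because
        // the nonce is spent, but reject high-s values if replay protection ever keys on the signature.
        balanceOf[to] += amount;
    }
}
```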
Four.meme - 18/03/2025
Type: Sandwich attack
Four.meme, a decentralized launchpad on the BNB Chain, suffered an exploit due to an exposed liquidity addition transaction on PancakeSwap, a decentralized exchange. The attacker executed a sandwich attack, bundling their own transactions around the leaked launch to manipulate pricing and profit from the early exposure. This incident underscores the dangers of leaking private transaction data and reinforces the need for secure and careful token launch practices.
Impact: $120,000.00
Voltage Finance - 18/03/2025
Type: Contract vulnerability - possible inside job
In mid-March Voltage Finance was exploited on the Fuse network, resulting in the theft of approximately $322,000 in USDCE and WETH from its Simple Staking pools. The attacker gained control over the SimpleChefStaking() proxy contract and replaced it with a malicious implementation, allowing unauthorized withdrawals via the forceWithdraw() function. After draining the funds, the attacker quickly reverted the contract to its original state to cover their tracks.
The stolen assets were bridged to Ethereum, converted into ETH and ultimately moved to a wallet currently holding around 147.2 ETH. Investigations showed suspicious behaviour from a developer hired in September 2024, who deployed the vulnerable contract and failed to transfer ownership. While they have not been confirmed as the perpetrator, the developer’s access has been revoked. This case acts as a stark reminder of the importance of KYE (Know Your Employee), as inside jobs are possible and frequent.
Impact: $300,000.00
BBX Token - 20/04/2025
Type: Liquidity Pool Manipulation
The BBX token, also known as ‘beatbox’, a decentralized social community token on the BNB Smart Chain, suffered a liquidity pool manipulation attack that led to a huge loss. The exploit was due to a flaw in the BBX token’s _transfer() function, which triggered a token burn and then synchronized values on PancakeSwap’s liquidity pool, even for zero-value transfers. This was repeated 252 times, allowing the attacker to skew the token price. Once the price was sufficiently altered, the attacker transferred the stolen funds to their own wallet and used a mixer to obscure the trail. The poor handling of liquidity pool interactions, together with the lack of safeguards around token burns and syncing, is what made the attack possible.
Impact: $12,000.00
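As an added illustration covering both the $MODELPI and BBX incidents above (constructed code, not either project’s contract): a token whose transfer path burns from the pair and calls sync() on every transfer, beside one where reserve-changing burns are a capped, governance-only action. The pair interface is the Uniswap-V2-style one that PancakeSwap exposes; token names, supply and limits are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IPair { function sync() external; } // Uniswap-V2-style pair, as on PancakeSwap

// VULNERABLE: every transfer, including a zero-value one, burns part of the pair's
// balance and calls sync(). The pair re-reads its reserves from balances, so the
// price moves on each call and any caller can repeat the transfer to steer it.
contract BurnOnTransferToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    IPair public immutable pair;
    constructor(IPair pair_) { pair = pair_; totalSupply = 1e24; balanceOf[msg.sender] = totalSupply; }
    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; balanceOf[to] += amount;
        uint256 burn = balanceOf[address(pair)] / 100;     // 1% of the pool's tokens per transfer
        balanceOf[address(pair)] -= burn;
        totalSupply -= burn;
        pair.sync();                                        // reserves and price change on a transfer of 0
        return true;
    }
}

// HARDENED: transfers only move balances. A reserve-changing burn is a separate
// governance action with a per-call cap and a cooldown, so no unprivileged caller
// can trigger it, let alone 252 times in one block.
contract GovernedBurnToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    IPair public immutable pair;
    address public immutable governance;
    uint256 public lastBurn;
    uint256 public constant MAX_BURN_BPS = 100;  // at most 1% of the pair's balance per burn
    uint256 public constant COOLDOWN = 1 days;
    constructor(IPair pair_, address gov_) { pair = pair_; governance = gov_; totalSupply = 1e24; balanceOf[msg.sender] = totalSupply; }
    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; balanceOf[to] += amount; // a zero-value transfer does nothing else
        return true;
    }
    function burnFromPair(uint256 amount) external {
        require(msg.sender == governance, "not governance");
        require(block.timestamp >= lastBurn + COOLDOWN, "cooldown");
        require(amount <= balanceOf[address(pair)] * MAX_BURN_BPS / 10_000, "exceeds cap");
        lastBurn = block.timestamp;
        balanceOf[address(pair)] -= amount;
        totalSupply -= amount;
        pair.sync();                                        // one bounded, auditable reserve update
    }
}
```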
Zoth - 21/03/2025
Type: Private key leak
Zoth, an Ethereum real-world asset platform, suffered an attack when a private key was leaked. USD0++ stablecoins were stolen from a proxy address and transferred to the attacker’s wallet, after which they quickly exchanged the stolen funds for DAI. The DAI was moved to a different address and later converted to ETH. This was the second attack Zoth suffered this month, the first being the result of poor slippage protection.
Impact: $8,850,000.00
Abracadabra - 25/03/2025
Type: Contract Vulnerability
In late March, DeFi platform Abracadabra suffered a significant security breach. The attacker exploited a vulnerability in Abracadabra’s cauldron lending markets, which were integrated with GMX V2 liquidity pools. Using a flash loan, the attacker manipulated the liquidation process within these cauldrons. This manipulation allowed the attacker to artificially adjust collateral values, trigger liquidations and siphon off a profit. This is the second major exploit for Abracadabra, the first having occurred in January 2024 due to a similar attack. Abracadabra announced a 20% bounty on the stolen funds and said they could cover half the losses immediately, with plans to recover the rest over time.
Impact: $13,400,000.00
Jelly Token, Hyperliquid - 25/03/2025
Type: Market manipulation
Decentralized exchange Hyperliquid suffered a significant exploit involving the low-liquidity token Jelly-my-Jelly, resulting in a major loss from its Hyperliquidity Provider (HLP) vault. The attacker deposited $7 million across three Hyperliquid accounts, establishing two long positions and a short position, together totalling $8.1 million on Jelly. The attacker then executed substantial on-chain purchases of Jelly, artificially inflating its price by over 400% in a short period. The inflated price led to the short position’s liquidation, which was absorbed by Hyperliquid’s HLP vault, transferring the loss to the platform. The attacker then withdrew profits from the long positions.
Impact: $6,000,000.00
Venus Protocol - 29/03/2025
Type: Protocol Logic
Venus Protocol suffered a sizeable loss due to an oracle manipulation exploit. The attacker targeted the wUSDM vault on Venus’ zkSync deployment, exploiting a ‘donation attack’ vulnerability. They artificially inflated the vault’s exchange rate, spiking it from 1.07 to 1.76, by depositing assets without receiving shares. When the liquidity dropped, they manipulated the vault’s price in isolation, executing a series of borrowings and liquidations to walk away with a profit.
Impact: $902,000.00
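An added illustration, not Venus or wUSDM code, of why a donation moves a share vault’s exchange rate and two design choices that blunt it: internal asset accounting and virtual shares (the offset idea used in OpenZeppelin’s ERC-4626 implementation). Names and the virtual-share constant are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
}

// VULNERABLE: the rate is the live token balance over shares. Anyone can transfer()
// tokens straight to the vault without depositing (a "donation"); no shares are
// minted, so the rate jumps, and a lender pricing collateral off it overvalues it.
contract DonationProneVault {
    IERC20 public immutable asset;
    uint256 public totalShares;
    mapping(address => uint256) public sharesOf;
    constructor(IERC20 asset_) { asset = asset_; }
    function exchangeRate() public view returns (uint256) {   // assets per share, 18 decimals
        return totalShares == 0 ? 1e18 : asset.balanceOf(address(this)) * 1e18 / totalShares;
    }
    function deposit(uint256 assets) external {
        uint256 minted = assets * 1e18 / exchangeRate();
        require(asset.transferFrom(msg.sender, address(this), assets), "transfer failed");
        totalShares += minted; sharesOf[msg.sender] += minted;
    }
}

// HARDENED: assets are tracked internally, so tokens pushed in from outside never
// enter the rate, and virtual shares/assets (the OpenZeppelin ERC-4626 offset idea)
// make the rate expensive to move while the vault is nearly empty.
contract DonationResistantVault {
    IERC20 public immutable asset;
    uint256 public totalAssets;                  // moved only by deposit (withdraw omitted here)
    uint256 public totalShares;
    mapping(address => uint256) public sharesOf;
    uint256 private constant VIRTUAL_SHARES = 1e6;
    constructor(IERC20 asset_) { asset = asset_; }
    function exchangeRate() public view returns (uint256) {
        return (totalAssets + 1) * 1e18 / (totalShares + VIRTUAL_SHARES);
    }
    function deposit(uint256 assets) external {
        uint256 minted = assets * (totalShares + VIRTUAL_SHARES) / (totalAssets + 1);
        require(asset.transferFrom(msg.sender, address(this), assets), "transfer failed");
        totalAssets += assets; totalShares += minted; sharesOf[msg.sender] += minted;
    }
    // Donated tokens sit outside the accounting and cannot change exchangeRate()
    // mid-block; a lending market consuming the rate should also bound its rate of change.
    function excessAssets() external view returns (uint256) {
        return asset.balanceOf(address(this)) - totalAssets;
    }
}
```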
SIR (Synthetics Implemented Right) Exchange - 30/03/2025
Type: Storage Collision
SIR experienced a sophisticated attack targeting a vulnerability in the Vault contract, specifically in how it verifies Uniswap V3 swap callbacks. The contract uses transient storage to temporarily hold the address of the legitimate Uniswap pool at storage slot 0x1, and checks during uniSwapV3Callback that msg.sender matches this address. During the execution of uniSwapV3Callback, however, the vault overwrites slot 0x1 with the value of a variable called amount.
The value of this variable could be controlled by the attacker, making exploitation straightforward. The attacker found a special ‘vanity’ address that, when interpreted as a number, could be used as a controlled pointer: they brute-forced an address corresponding to a specific value to be assigned to amount, and minted tokens with parameters chosen so that amount would be set to exactly that value. By manipulating the flow, the attacker forced the contract to overwrite slot 0x1 with the crafted amount, replacing the legitimate Uniswap pool address. They then deployed a malicious contract at the pre-computed vanity address using CREATE2 and triggered uniSwapV3Callback from this address, passing the Vault’s verification check and draining its funds.
To understand more about storage collisions, you can read our blog post on the topic.
Impact: $353,000.00
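An added illustration of the slot-reuse defect described above, written from scratch rather than taken from SIR’s Vault: a callback check whose trusted address shares a transient slot with a caller-influenced amount, beside a version that gives each value its own slot, checks the sender first and clears the slot afterwards. Validation of the pool against the Uniswap factory is assumed to happen before swapVia() and is omitted; the callback uses the standard Uniswap V3 name uniswapV3SwapCallback, and all other names are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // tstore/tload (EIP-1153) require the Cancun EVM target

interface IPool {
    function swap(address recipient, bool zeroForOne, int256 amount, uint160 limit, bytes calldata data)
        external returns (int256, int256);
}

abstract contract TransientBase {
    function _tstore(uint256 slot, uint256 v) internal { assembly { tstore(slot, v) } }
    function _tload(uint256 slot) internal view returns (uint256 v) { assembly { v := tload(slot) } }
}

// VULNERABLE: the trusted pool address and an unrelated `amount` share transient
// slot 1. Because `amount` is written before the sender check, the check compares
// msg.sender against a number the caller chose rather than against the pool.
contract SlotSharingVault is TransientBase {
    function swapVia(IPool pool, int256 amt, uint160 limit, bytes calldata data) external {
        _tstore(1, uint256(uint160(address(pool))));          // pool assumed pre-validated (omitted)
        pool.swap(address(this), true, amt, limit, data);
    }
    function uniswapV3SwapCallback(int256, int256, bytes calldata data) external {
        uint256 amount = abi.decode(data, (uint256));
        _tstore(1, amount);                                   // clobbers the pool address
        require(msg.sender == address(uint160(_tload(1))), "not pool");
        // ...pay the pool and record the fill
    }
}

// HARDENED: one slot per value, the sender check before any other transient write,
// a guard against overlapping swaps, and the slot cleared once the swap returns.
contract SlotIsolatedVault is TransientBase {
    uint256 private constant POOL_SLOT = 1;
    uint256 private constant AMOUNT_SLOT = 2;

    function swapVia(IPool pool, int256 amt, uint160 limit, bytes calldata data) external {
        require(_tload(POOL_SLOT) == 0, "swap in progress");
        _tstore(POOL_SLOT, uint256(uint160(address(pool))));  // pool assumed pre-validated (omitted)
        pool.swap(address(this), true, amt, limit, data);
        _tstore(POOL_SLOT, 0);                                // a stale address cannot authorise later calls
    }
    function uniswapV3SwapCallback(int256, int256, bytes calldata data) external {
        require(msg.sender == address(uint160(_tload(POOL_SLOT))), "not pool"); // check first
        _tstore(AMOUNT_SLOT, abi.decode(data, (uint256)));    // separate slot, written after the check
        // ...pay the pool and record the fill
    }
}
```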
Major attacks of March 2025 by type

Crypto in the news - March 2025
March 2025 saw major risk events in the crypto landscape, as well as other cases affecting individuals. Mt. Gox, the long-defunct exchange, moved nearly $2 billion worth of bitcoin to unmarked addresses, raising concerns about potential market impact. Law enforcement arrested an alleged co-founder of the sanctioned exchange Garantex in India, while a new platform, Grinex, believed to be linked to Garantex, launched in Russia. Security threats persisted throughout the month, with a phishing attack resulting in a $1.82 million theft of cUSDCv3, and address poisoning scams draining $1.2 million from users.
Conclusion
March 2025 highlighted once again that even well-established crypto platforms are not immune to sophisticated attacks, insider threats and fundamental security oversights. Beyond securing contracts and private keys, this month’s incidents demonstrated the critical importance of implementing Know Your Transaction (KYT) practices.
KYT tools such as nominis.io allow platforms to continuously monitor on- and off-chain activity, detect anomalies early and flag suspicious behavior before major damage occurs. In a landscape where exploits can drain millions within minutes, having real-time transaction intelligence is not a luxury, it’s a necessity. As attackers increasingly exploit transaction flow, liquidity movement and obscure laundering patterns, adopting KYT measures is one of the strongest defenses DeFi protocols, exchanges and projects can deploy to protect their assets, their communities and their reputations.
While we strive for accuracy in our content, we acknowledge that errors may occur. If you find any mistakes, please reach out to us at contact@nominis.io. Your feedback is appreciated!