Code Vulnerabilities Surge 4,483% in May 2025 Web3 Losses

Coin World, Monday, Jun 2, 2025, 3:26 pm ET

Blockchain security firm CertiK has released its May 2025 Security Report, revealing that over $302 million was lost across Web3 through scams, hacks, and exploits. This figure marks a 16.94% decrease from April’s $364 million, indicating a slight improvement in overall security. However, one attack vector—code vulnerability—saw a dramatic surge, with $229.6 million lost due to flawed code, a 4,483% increase from April’s $5 million. This vulnerability category became the top incident loss contributor, accounting for the majority of stolen funds.

CertiK Senior Blockchain Security Researcher Natalie Newson emphasized the gravity of this spike, noting that although losses from code vulnerabilities had been declining in recent years, from $1.35 billion in 2021 to $173 million in 2024, May’s figure shows an urgent need for heightened code auditing and formal verification processes. Newson stressed that the rise shows how even mature areas of the space must remain vigilant, employing both human and AI-driven security protocols.

Phishing scams, which had accounted for a large portion of April’s losses, saw a steep drop. In May, phishing-related incidents totaled $47.6 million—an 85% decrease from April’s $337 million. Despite the decline, phishing remained the second-most costly attack vector after code vulnerabilities, followed by private key compromises ($11.6 million) and price manipulation attacks ($1 million).

DeFi platforms remained the most-targeted sector, experiencing losses of over $241 million in May. This reflects a broader trend of DeFi being a prime target for hackers due to its open-source nature and large pools of capital. Social engineering scams accounted for $35.5 million in losses, while exchanges and wallet drainers lost $11.1 million and $8.5 million, respectively.

Among the nine major incidents identified in May, the most devastating was the attack on Cetus, which resulted in $225.6 million in stolen assets. Other breaches included Cork Protocol ($11.9 million), BittoPro ($11.1 million), Mobius DAO ($2.1 million), and Demex Nitron ($950,599).

CertiK’s latest report is a stark reminder of the persistent and evolving threats within the Web3 ecosystem. As attackers refine their strategies, so too must the security measures designed to defend against them. The report highlights the need for continuous vigilance and the implementation of robust security protocols to mitigate the risks associated with code vulnerabilities, phishing, and other attack vectors.


Disclaimer: The news articles available on this platform are generated in whole or in part by artificial intelligence and may not have been reviewed or fact checked by human editors. While we make reasonable efforts to ensure the quality and accuracy of the content, we make no representations or warranties, express or implied, as to the truthfulness, reliability, completeness, or timeliness of any information provided. It is your sole responsibility to independently verify any facts, statements, or claims prior to acting upon them. Ainvest Fintech Inc expressly disclaims all liability for any loss, damage, or harm arising from the use of or reliance on AI-generated content, including but not limited to direct, indirect, incidental, or consequential damages.