SlowMist Monthly Security Report: April Estimated Losses at $26.4 Million
Overview
In April 2025, the total loss from Web3 security incidents reached approximately $26.4 million. According to statistics from SlowMist’s Hacked database (https://hacked.slowmist.io), a total of 18 hacking incidents occurred, resulting in losses of around $21.11 million. Of this, $17.89 million was frozen or recovered. The causes of these incidents include contract vulnerabilities, social engineering, insider misconduct, and private key leaks. In addition, according to the Web3 anti-scam platform Scam Sniffer, there were 7,565 phishing victims this month, with a total loss of $5.29 million.
Major Security Incidents
KiloEx
On April 15, 2025, decentralized perpetual contract trading platform KiloEx was attacked, resulting in losses of approximately $8.44 million. Following the incident, SlowMist promptly conducted an investigation and issued a security alert. Fortunately, with the proactive efforts of the project team and coordinated response from SlowMist and others, all stolen assets were successfully recovered within 3.5 days, bringing the incident to a satisfactory conclusion.
According to KiloEx’s analysis report, the attack stemmed from a flaw in the contract’s permission validation mechanism. The TrustedForwarder contract inherited from OpenZeppelin’s MinimalForwarderUpgradeable contract. However, the execute method was not overridden in TrustedForwarder, making it an accessible function without proper permissions. The attacker exploited this by directly calling OpenZeppelin’s original execute method. The payload of the execute method involved calling the delegateExecutePositions function, which only validated whether msg.sender == trustedForwarder, without verifying whether the actual initiator was a keeper. As a result, the attacker bypassed permission checks and executed a sequence of trades—opening positions at extremely low prices and closing them at higher prices—to complete the attack.
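The permission gap described above, shown as an added illustration rather than KiloEx’s or OpenZeppelin’s code: an ERC-2771 forwarder appends the verified signer as the last 20 bytes of calldata, so a target that checks only msg.sender == trustedForwarder accepts any signer the forwarder relays. The contract and function names (PositionRouter, isKeeper, the delegateExecutePositions signature) are assumed for the example; the hardened check recovers the appended initiator and requires it to be an approved keeper.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not KiloEx's code. PositionRouter, isKeeper and the
// delegateExecutePositions signature are assumed for illustration.
contract PositionRouter {
    address public immutable trustedForwarder;
    address public owner;
    mapping(address => bool) public isKeeper;

    event PositionsExecuted(address indexed keeper, uint256 count);

    constructor(address forwarder_, address[] memory keepers) {
        trustedForwarder = forwarder_;
        owner = msg.sender;
        for (uint256 i = 0; i < keepers.length; i++) isKeeper[keepers[i]] = true;
    }

    function setKeeper(address keeper, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isKeeper[keeper] = allowed;
    }

    // ERC-2771: a trusted forwarder appends the original signer (req.from,
    // whose signature the forwarder already verified) as the last 20 bytes
    // of calldata. OpenZeppelin's ERC2771Context provides the same helper.
    function _msgSender() internal view returns (address sender) {
        if (msg.sender == trustedForwarder && msg.data.length >= 20) {
            assembly {
                sender := shr(96, calldataload(sub(calldatasize(), 20)))
            }
        } else {
            sender = msg.sender;
        }
    }

    // Weak pattern from the report: only the relay is checked, so any signer
    // who routes a request through the forwarder passes.
    //   require(msg.sender == trustedForwarder);
    // Hardened pattern: the relay AND the original initiator must be trusted.
    modifier onlyKeeperViaForwarder() {
        require(msg.sender == trustedForwarder, "not forwarder");
        require(isKeeper[_msgSender()], "initiator not keeper");
        _;
    }

    function delegateExecutePositions(uint256[] calldata positionIds)
        external
        onlyKeeperViaForwarder
    {
        // Position and pricing logic would follow here.
        emit PositionsExecuted(_msgSender(), positionIds.length);
    }
}
```

The same initiator check belongs in an overridden execute on the forwarder side if the project wants relays restricted to keepers before any call reaches the target.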
Loopscale
On April 26, 2025, the modular DeFi lending protocol Loopscale, built on Solana, was attacked, resulting in the theft of approximately 5.7 million USDC and 1,200 SOL — about 12% of the platform’s total funds. The root cause of the incident was identified as an isolation issue in Loopscale’s pricing mechanism for RateX-based collateral. On April 29, according to Loopscale’s official Twitter, after successful negotiations, the 5,726,725 USDC and 1,211 SOL stolen on April 26 were fully returned, and no user deposits were lost.
ZKsync
According to the incident analysis report published by ZKsync (https://zksync.mirror.xyz/W5vPDZqEqf2NuwQ5x7SyFnIxqqpE1szAFD69iaaBFnI), on April 13, a compromised admin account minted unclaimed tokens from the Merkle distribution contract for the June 17, 2024 ZK token airdrop. The attacker successfully controlled 111,881,122 ZK tokens, valued at approximately $5 million at the time. This incident was limited to three specific Merkle distribution contracts related to the June 2024 ZK airdrop. The root cause was the compromise of an admin key. On April 23, following a “safe harbor” proposal by the ZKsync Security Council, the attacker returned all funds, resolving the incident.
R0AR
On April 16, 2025, R0AR was attacked, resulting in losses of approximately $780,000. According to analysis by the SlowMist security team, the root cause was a backdoor in the contract. During deployment, the R0ARStaking contract directly modified storage slots to tamper with the balance (user.amount) of a specified address. The attacker then used an emergency withdrawal function to drain all funds from the contract. R0AR founder and CEO Dustin explained the incident during an AMA, stating that the developer in question had embedded malicious code into the staking contract, enabling them to execute the emergency withdrawal and drain the liquidity pool. Around 490 ETH worth of tokens were stolen. According to on-chain AML and tracing tool MistTrack, the stolen funds were transferred into Tornado.
Pattern Analysis and Security Recommendations
This month, stolen funds from three hacking incidents were fully recovered. It is clear that post-incident on-chain tracing and negotiation remain among the most critical response strategies. Effective on-chain communication in a timely manner often leads to a more efficient recovery of losses. We previously published Establishing On-Chain Communication After an Incident and SlowMist: Emergency Response Guide for Stolen Funds — On-Chain Messaging (BTC Edition). Readers interested in these resources can click to view.
On another note, with the rapid development of large models, various new AI tools are continuously emerging. Tools implementing the currently representative MCP (Model Context Protocol) standard are gradually becoming key bridges between large language models (LLMs) and external tools and data sources. However, the rapid adoption of MCP has also introduced new security challenges. This month, the SlowMist security team released a series of MCP security-themed articles. Project teams are advised to refer to these articles for self-assessments and risk mitigation, and to prepare defenses in advance.
- MCP Security Checklist: A Security Guide for the AI Tool Ecosystem
- Malicious MCP Parsing: Covert Poisoning and Manipulation in the MCP System
- Wallet Security Audit Update: Addition of MCP Wallet Security Audit Items
The widespread application of AI in blockchain has also introduced new potential risks. In 2024, SlowMist disclosed the first real-world case in history of asset theft caused by AI poisoning, indicating that AI-based attacks are no longer theoretical. Such attack methods may continue to evolve in the future. Moreover, in the dark forest of blockchain, it is essential not only to defend against AI-driven attacks but also to have the capability to determine whether an attack was AI-driven. This is not just an extension of external threat prevention, but also a crucial step in identifying and managing internal behavior and potential sources of risk.
In conclusion, the events covered in this article represent the major security incidents of the month. For more blockchain security incidents, please visit the SlowMist Hacked database (https://hacked.slowmist.io).
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was founded by a team with over ten years of network security experience, with the aim of becoming a global force in the field. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.