SlowMist Monthly Security Report: March Estimated Losses at $33.99 Million
Q1 Overview
According to statistics from the SlowMist security team, the number of Web3 security incidents in Q1 2025 remained generally stable. However, several major single-point incidents significantly increased the total quarterly losses, indicating that the overall security landscape remains severe:
- A total of 69 hacking incidents occurred this quarter, with phishing attacks affecting over 22,000 victims.
- The total losses caused by security incidents in this quarter amounted to approximately $1.783 billion, of which about $67.76 million was successfully recovered or frozen.
- Losses in January reached around $100 million. In February, due to the Bybit hack, monthly losses surged to $1.681 billion — the peak of the quarter. While March saw a decrease in losses compared to the previous two months, the overall security pressure remained high. Attackers adopted more complex vulnerability exploitation methods, posing greater challenges to emergency response and post-incident analysis.
- The scale of phishing incidents showed a month-on-month decline. In terms of financial loss, February saw a significant drop compared to January, but March experienced a slight rebound. Overall, the trend continues to decline.
March Overview
In March 2025, the total loss from Web3 security incidents amounted to approximately $33.99 million. According to statistics from SlowMist’s Blockchain Hacked Archive (https://hacked.slowmist.io), a total of 13 hacking incidents occurred, resulting in a loss of about $27.63 million, with $4.55 million successfully frozen or recovered. The causes of these incidents included contract vulnerabilities, insider manipulation, account hacks, and private key leaks. Additionally, according to data from the Web3 anti-scam platform Scam Sniffer, there were 5,992 victims of phishing incidents this month, with a total loss of $6.366 million.
Major Security Incidents
Abracadabra Money Incident
On March 25, 2025, according to the SlowMist security team’s monitoring, an attacker used a flash loan to exploit a vulnerability in Abracadabra Money and drained about $13 million worth of Magic Internet Money (MIM). The attack stemmed from a flaw in the platform’s smart contracts, and the attacker ultimately profited approximately 6,262 ETH. On-chain analysis with MistTrack’s anti-money laundering and tracking tools showed that the attacker’s initial funds came from Tornado Cash.
On March 28, 2025, Abracadabra Money released a post-incident analysis report explaining that the attack originated from a flaw in the collateral accounting of the GmxV2CauldronV4 contract, specifically in its custom liquidate function. When a position is liquidated and the borrower’s DegenBox collateral share is insufficient to cover the outstanding debt, this function pulls additional collateral from the GmxV2CauldronRouterOrder contract (via the OrderAgent) to settle the debt. However, the order was not marked as closed in the Cauldron and its reported orderValueInCollateral was not reduced, so the Cauldron kept counting collateral that had already been spent. The attacker exploited this "ghost collateral" (collateral that no longer exists but is still reported as having value) to take out new loans without proper collateral backing.
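The accounting mistake described above, reduced to a minimal cauldron, as an added example that is not Abracadabra Money’s code. The report’s names (orderValueInCollateral, a router order reachable through an agent) are kept; the 1:1 share-to-collateral pricing, the 75% LTV figure and the IRouterOrder helper functions sendCollateral and markClosed are simplifying assumptions. The vulnerable and fixed liquidation paths sit side by side so the missing step is visible:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Abracadabra Money's code. Order interface, pricing and LTV
// are assumptions chosen to keep the accounting readable.
interface IRouterOrder {
    function orderValueInCollateral() external view returns (uint256); // value the order reports
    function sendCollateral(address to, uint256 amount) external;      // assumed helper
    function markClosed() external;                                    // assumed helper: zeroes reported value
}

contract Cauldron {
    uint256 public constant MAX_LTV_BPS = 7_500; // assumption: borrow up to 75% of collateral

    mapping(address => uint256) public collateralShare;  // collateral held in the box (1 share = 1 unit)
    mapping(address => uint256) public borrowPart;       // outstanding debt
    mapping(address => IRouterOrder) public userOrder;   // pending router order, if any
    mapping(address => bool) public orderClosed;         // maintained only by the fixed path

    // Collateral credited to a user: box shares plus whatever the pending order
    // still reports. "Ghost collateral" appears here when the order has already
    // been drained by a liquidation but was never closed.
    function collateralValue(address user) public view returns (uint256) {
        uint256 value = collateralShare[user];
        IRouterOrder order = userOrder[user];
        if (address(order) != address(0) && !orderClosed[user]) {
            value += order.orderValueInCollateral();
        }
        return value;
    }

    function borrow(uint256 amount) external {
        borrowPart[msg.sender] += amount;
        require(
            borrowPart[msg.sender] * 10_000 <= collateralValue(msg.sender) * MAX_LTV_BPS,
            "insolvent"
        );
        // ... mint the stablecoin to msg.sender (omitted)
    }

    // VULNERABLE: the shortfall is pulled out of the order, but the order is neither
    // marked closed nor has its reported value reduced. collateralValue() therefore
    // keeps counting collateral that already settled this debt, and the same user
    // can borrow against it again. (Solvency check before liquidating omitted.)
    function liquidateVulnerable(address user, uint256 debtToCover) external {
        uint256 fromBox = _min(collateralShare[user], debtToCover);
        collateralShare[user] -= fromBox;
        uint256 shortfall = debtToCover - fromBox;
        if (shortfall > 0) {
            userOrder[user].sendCollateral(msg.sender, shortfall);
            // BUG: no markClosed(), no orderClosed[user] = true
        }
        borrowPart[user] -= debtToCover;
    }

    // FIXED: once the order has been tapped for a liquidation, close it on both
    // sides so its reported value can no longer back a new borrow.
    function liquidateFixed(address user, uint256 debtToCover) external {
        uint256 fromBox = _min(collateralShare[user], debtToCover);
        collateralShare[user] -= fromBox;
        uint256 shortfall = debtToCover - fromBox;
        if (shortfall > 0) {
            IRouterOrder order = userOrder[user];
            order.sendCollateral(msg.sender, shortfall);
            order.markClosed();        // order zeroes orderValueInCollateral
            orderClosed[user] = true;  // cauldron stops counting it regardless
        }
        borrowPart[user] -= debtToCover;
    }

    function _min(uint256 a, uint256 b) private pure returns (uint256) {
        return a < b ? a : b;
    }
}
```

The attack sequence against the vulnerable path is: fund a position through an order, borrow up to the limit, liquidate yourself so the shortfall is paid from the order, then call borrow again; collateralValue still includes the order, so the second loan is backed by nothing. The invariant worth asserting in tests is that, after any liquidation, collateralValue(user) equals the collateral the protocol actually holds for that user.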
Zoth
On March 1, 2025, the RWA staking platform Zoth was attacked, losing approximately $285,000. The attacker exploited a logic flaw in the LTV (Loan-to-Value) validation of the mintWithStable() function: by manipulating a Uniswap V3 liquidity pool, the attacker skewed the price used to value the collateral, which allowed them to mint ZeUSD without depositing sufficient collateral.
On March 21, according to monitoring by the SlowMist security team, Zoth was attacked again, most likely because an administrator private key had been leaked. This allowed the protocol’s logic (implementation) contract to be replaced with a malicious one. According to analysis by the blockchain anti-money laundering and tracking tool MistTrack, this incident caused a loss of approximately $8.32 million.
On March 22, Zoth officially confirmed that the protocol had suffered a targeted attack via a malicious proxy upgrade. After several failed attempts, the attacker gained unauthorized access to the deployer’s account and used it to upgrade the protocol to a malicious contract, which let them withdraw funds without authorization from an isolated vault holding USD0++ as collateral.
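The upgrade path that a leaked deployer key can abuse, beside a hardened version, as an added example that is not Zoth’s code. The report does not say which proxy pattern Zoth used, so the UUPS shape, the OpenZeppelin Contracts Upgradeable v5 base contracts and the contract names below are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Zoth's code. UUPS and OpenZeppelin v5 are assumptions.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {AccessControlUpgradeable} from "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";

// WEAK: a single key (here the deployer EOA that ran initialize) can swap the
// implementation in one transaction. Whoever obtains that key owns the vault.
contract VaultOwnerUpgradeable is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    function initialize() external initializer {
        __Ownable_init(msg.sender); // deployer becomes owner and upgrade authority
        __UUPSUpgradeable_init();
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

// HARDENED: the only address allowed to upgrade is a contract (a TimelockController
// whose proposers are a multisig). A leaked deployer key can no longer upgrade
// anything, and every upgrade is visible on-chain for the whole delay before it
// executes, which gives monitoring a window to react.
contract VaultTimelockUpgradeable is Initializable, UUPSUpgradeable, AccessControlUpgradeable {
    bytes32 public constant UPGRADER_ROLE = keccak256("UPGRADER_ROLE");

    function initialize(address timelock) external initializer {
        require(timelock.code.length > 0, "upgrader must be a contract, not an EOA");
        __AccessControl_init();
        __UUPSUpgradeable_init();
        _grantRole(UPGRADER_ROLE, timelock);
        _grantRole(DEFAULT_ADMIN_ROLE, timelock); // role changes also go through the delay
        // deliberately no role for msg.sender: the deployer key is disposable after this
    }

    function _authorizeUpgrade(address newImplementation) internal override onlyRole(UPGRADER_ROLE) {
        require(newImplementation.code.length > 0, "implementation is not a contract");
    }
}
```

The post-deployment check that goes with this is to read hasRole(UPGRADER_ROLE, deployer) and hasRole(DEFAULT_ADMIN_ROLE, deployer) from the proxy and confirm both are false, and to record the ERC-1967 implementation slot so that any later change to it can be alerted on. The same check applies to plain Ownable contracts: owner() should return the multisig or timelock, never the key that deployed the contract.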
1inch
On March 5, 2025, an attacker exploited a smart contract vulnerability in the 1inch DEX aggregator, stealing $5 million worth of USDC and wETH.
A post-mortem report released by 1inch partner Decurity explained that the older version of the 1inch Settlement contract had a callback option that allowed all matched orders to be settled after interaction processing. This callback was intended to execute only when the resolver contract itself acted on behalf of the trader. However, a calldata corruption bug in the handling of the order suffix let the attacker overwrite the resolver address and invoke an arbitrary resolver. The losses fell on the market maker TrustedVolumes.
On March 5, the attacker sent an on-chain message inquiring about the possibility of receiving a bounty. After negotiations, the majority of the stolen funds were returned, with the attacker retaining a portion as a bug bounty.
SIR.trading
On March 30, 2025, SlowMist’s MistEye security monitoring system detected an attack on SIR.trading (@leveragesir), a leveraged trading project on the Ethereum blockchain. The incident resulted in losses exceeding $300,000 in assets.
According to analysis by the SlowMist Security Team, the root cause of the hack was a value written to transient storage with tstore that was not cleared when the function finished. Because transient storage persists until the end of the transaction rather than the end of the call, the attacker was able to use the residual value by crafting an address that matched it, bypass the permission check, and transfer tokens out.
For more details, see: Fatal Residue | An On-Chain Heist Triggered by Transient Storage.
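The residue pattern described above, in vulnerable and hardened form, as an added example that is not SIR.trading’s code. It assumes (a) that the vault authorizes a swap callback by comparing msg.sender against an address saved with tstore before the external call, and (b) that the same transient slot is later reused for a plain number; both are assumptions made to show how a leftover transient value can be matched by an attacker-chosen address. The IPool interface and contract names are likewise illustrative:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24; // tstore/tload need the Cancun EVM target

// Added example, not SIR.trading's code. Callback design and slot reuse are assumptions.
interface IPool {
    function swap(address recipient, uint256 amount) external; // calls back into swapCallback
}

contract VaultVulnerable {
    uint256 private constant SLOT = 1; // one transient slot used for two purposes

    function openPosition(IPool pool, uint256 amount) external {
        address poolAddr = address(pool);
        assembly { tstore(SLOT, poolAddr) }      // remember who may call back
        pool.swap(address(this), amount);        // pool -> swapCallback(...)
        uint256 minted = amount * 2;             // placeholder arithmetic
        assembly { tstore(SLOT, minted) }        // slot reused: residual value is now an integer
        // BUG: SLOT is never reset. Transient storage lives until the END OF THE
        // TRANSACTION, not the end of this call, so `minted` is still readable by
        // any later call in the same transaction.
    }

    function swapCallback(uint256 amountOwed) external {
        address expected;
        assembly { expected := tload(SLOT) }
        require(msg.sender == expected, "not pool"); // passes for any sender equal to the residual
        // ... pays amountOwed from the vault to msg.sender (omitted)
    }
}

// Attack sketch, all in one transaction: call openPosition(pool, amount), then call
// swapCallback from a contract whose address equals `minted` as a 160-bit number.
// Such an address is obtained by brute-forcing a CREATE2 salt; that is the
// "crafted address" of the analysis above.

contract VaultHardened {
    uint256 private constant CALLBACK_SENDER_SLOT = 1; // one slot per purpose
    uint256 private constant SCRATCH_SLOT = 2;

    function openPosition(IPool pool, uint256 amount) external {
        address poolAddr = address(pool);
        assembly { tstore(CALLBACK_SENDER_SLOT, poolAddr) }
        pool.swap(address(this), amount);
        assembly { tstore(CALLBACK_SENDER_SLOT, 0) } // close the window as soon as the call returns
        uint256 minted = amount * 2;
        assembly { tstore(SCRATCH_SLOT, minted) }
        // ... use minted ...
        assembly { tstore(SCRATCH_SLOT, 0) }         // leave nothing behind for later calls
    }

    function swapCallback(uint256 amountOwed) external {
        address expected;
        assembly { expected := tload(CALLBACK_SENDER_SLOT) }
        require(expected != address(0) && msg.sender == expected, "not pool");
        // ... pays amountOwed to msg.sender (omitted)
    }
}
```

The two rules the hardened contract follows are worth stating on their own: every tstore that grants a capability is paired with a tstore of zero on the same slot before the function returns, and no slot is shared between an authorization value and any other data. Rejecting a zero sender in the callback adds a second line of defence for the case where the slot was cleared but the callback is still invoked.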
Voltage Finance
On March 18, 2025, the Simple Staking pool of Voltage Finance, a DeFi platform based on the Fuse Network, experienced an unauthorized fund withdrawal. The incident resulted in the loss of $171,027.20 in USDCE and $151,085.87 in WETH.
According to the post-mortem report released by Voltage Finance, a developer who joined the team in September 2023 and was responsible for deploying the Simple Staking contract had behaved suspiciously. This individual deployed the SimpleChefStaking contract but did not transfer its ownership to the team as expected.
While it has not yet been confirmed whether this developer was directly responsible for the attack, Voltage Finance immediately revoked their access, filed a police report, and contacted centralized exchanges to assist in the ongoing investigation.
Analysis and Recommendations
This month’s Web3 security incidents highlight several emerging trends, including:
- Increasing precision in vulnerability exploitation
- Weaknesses in smart contract security management
- Growing internal risks
- Faster cross-chain movement of stolen assets, which shortens the window for freezing funds
To mitigate security risks, project teams are advised to adopt proactive defense strategies such as:
- Strengthening audit and monitoring mechanisms
- Timely upgrading of smart contracts
- Enhancing internal team management
- Implementing multi-signature mechanisms
In addition, the SlowMist security team has recently observed that some AI tools have returned polluted search results. When searching for official websites of crypto wallets via mainstream AI tools, many results pointed to phishing sites. We recommend users remain vigilant when using AI tools and avoid blindly trusting their outputs, in order to prevent losses from accidentally accessing phishing sites. For guidance on how to find official websites safely, please refer to our previous article: Beginner’s Guide to Web3 Security: Guide to Avoiding Fake Wallets and Private Key/Mnemonic Phrase Compromises.
Finally, this report covers key security incidents from this month. For a more comprehensive list of blockchain security breaches, please visit the SlowMist Hacked Archive at https://hacked.slowmist.io/.
About SlowMist
SlowMist is a blockchain security firm established in January 2018 by a team with over ten years of network security experience. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consulting, and other security-related services. We also offer AML (anti-money laundering) software, MistEye (security monitoring), SlowMist Hacked (crypto hack archives), FireWall.x (smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.