Featured Post

Top 10 "Awesome" Security Incidents in 2025

To help the community learn from what happened, BlockSec selected ten incidents that stood out most this year. These cases were chosen not only for the scale of loss, but also for the distinct techniques involved, the unexpected twists in execution, and the new or underexplored attack surfaces they revealed.


#9 1inch Incident: From Calldata Corruption to Forged Settlement: Binary Exploitation Goes On-Chain
Case Studies

On March 5, 2025, a third-party resolver integrated with 1inch Fusion V1 was exploited for over $5M after an unsafe calldata reconstruction in the settlement flow allowed attacker-controlled interaction lengths to trigger a pointer underflow and inject forged settlement data. The impact was amplified by a broken trust boundary, where resolver contracts treated forwarded calldata as authoritative based only on msg.sender, letting attacker-crafted payloads inherit settlement-level privileges while still passing access control.

#10 Panoptic Incident: XOR Linearity Breaks the Position Fingerprint Scheme
Case Studies

On August 29, 2025, Panoptic disclosed a Cantina bounty finding and confirmed that, with support from Cantina and Seal911, it executed a rescue operation on August 25 to secure roughly $400K in funds. The issue stemmed from a flaw in Panoptic’s position fingerprint calculation algorithm, which could have enabled incorrect position identification and downstream fund risk.

#8 Bunni Incident: Repeated Small Withdrawals Compound a Rounding Error into an $8.4M Drain
Case Studies

On September 2, 2025, Bunni V2 was exploited for about $8.4M across the USDC/USDT pool on Ethereum and the weETH/ETH pool on Unichain after a rounding bug in liquidity removal misaccounted idle balances and undervalued total liquidity. The attacker then used a tightly timed sandwich strategy to arbitrage the gap between theoretical and actual pool liquidity, and the incident later contributed to Bunni’s bankruptcy filing on October 23, 2025.

#7 Trust Wallet Incident: A Stolen API Key Turns the Official Update Channel into a Backdoor
Case Studies

On December 25, 2025, Trust Wallet's Chrome extension (v2.68) was hit by a supply chain compromise that introduced a malicious backdoor, leading to the theft of about $8.5M in user funds. The injected code exfiltrated seed phrases to an attacker-controlled server, compromising wallets created or imported in that version, after which the attacker drained assets across multiple chains and laundered funds through non-KYC exchanges.

#5 Yearn Finance Incident: Unsafe Arithmetic in the Invariant Solver Earns Its Name
Case Studies

On November 30, 2025, Yearn Finance’s yETH Weighted Stable Pool was exploited for over $9M after unsafe arithmetic in the invariant solver _calc_supply() and a reachable bootstrap path allowed attackers to trigger supply inflation and drain funds. This report explains why the exploit worked at a mechanism level, bridging the gap between high-level summaries and transaction traces using Foundry and Python simulations.

#6 Cork Protocol Incident: Two Independent Flaws Combine into One Devastating Exploit Chain
Case Studies

On May 28, 2025, Cork Protocol on Ethereum was exploited for about $12M after attackers manipulated HIYA pricing near maturity and abused a missing access control check in a Uniswap v4 hook callback. By combining expiry-driven premium inflation with arbitrary beforeSwap calls using crafted parameters, the attacker obtained underpriced Cover Tokens and DS, then swapped them back to wstETH to drain protocol reserves.

#4 GMX Incident: Cross-Contract Reentrancy Bypasses a Four-Year-Old Guard
Case Studies

On July 9, 2025, GMX V1 on Arbitrum was exploited for about $42M when an attacker used cross-contract reentrancy to manipulate GLP pricing and drain underlying assets from GMX’s liquidity pools.

#3 Balancer V2 Incident: A Rounding Inconsistency Breaks the Invariant and Propagates Across Chains
Case Studies

On November 3, 2025, Balancer V2 Composable Stable Pools and multiple forks across several chains were exploited for over $125M (about $45M reportedly recovered) after precision loss in the invariant calculation enabled price manipulation, with inconsistent upscaling and downscaling rounding distorting BPT pricing and allowing attackers to drain liquidity across interconnected DeFi deployments.

#1 Cetus Incident: One Unchecked Shift Drains $223M in the Largest DeFi Hack of 2025
Case Studies

Cetus Protocol, the largest concentrated-liquidity DEX on Sui, was exploited on May 22, 2025, resulting in an estimated $223M loss across multiple liquidity pools. The attacker leveraged a flaw in checked_shlw(), a custom overflow-prevention helper used in fixed-point u256 math, where an incorrect constant and comparison failed to block unsafe left shifts and caused silent truncation of high bits during liquidity delta calculations. By crafting specific liquidity and tick/price-range parameters, the exploit made required deposits appear near-zero while minting an oversized liquidity position, which was later withdrawn to drain real pool reserves.

#2 Bybit Incident: A Web2 Breach Enables the Largest Crypto Hack in History
Case Studies

The largest crypto hack ever, the February 21, 2025 Bybit breach saw about $1.5B stolen after attackers used social engineering to compromise a Safe{Wallet} workflow, injected malicious JavaScript into an AWS S3 bucket, tampered with the transaction signing process, and upgraded Bybit’s Safe{Wallet} contract to a malicious implementation that drained funds across multiple chains.

Weekly Web3 Security Incident Roundup | Feb 2 – Feb 8, 2026

During the week of February 2 to February 8, 2026, six blockchain security incidents were reported with total losses of ~$3.8M. These involved access control flaws, improper input validation, token design flaws, and user misuse across DeFi protocols on Ethereum and BNB Chain. The primary causes included permissionless cross-chain express execution bypassing gateway validation, unvalidated message payloads enabling arbitrary external calls, a flawed burn mechanism manipulating AMM pool reserves, unvalidated user-supplied calldata forwarded to external routers and Safe modules, and dangling ERC-20 approvals exploited through a permissionless batch executor.
