Unpacking $1.7B of DeFi exploits: what went wrong in Q1 2025?

We break down the most critical DeFi exploits of 2025 so far, what went wrong, and what lessons must be internalized. Whether you’re a protocol founder, security lead, or community contributor, this is for you.

2025 is shaping up to be the most turbulent year in DeFi security to date. Within just three months, we’ve witnessed incidents that broke records not only in monetary loss, like the $1.46 billion Bybit breach, but also in the sheer diversity of attack vectors used.

From insiders retaining admin access, to nation-state-level social engineering campaigns, and even subtle bugs in accumulator math, no corner of the DeFi stack has remained untouched. We've seen protocols that rebranded after past hacks fall victim again. We've seen plug-ins, dev infrastructure, and repo keys used as new entry points. What once were edge-case exploits are now becoming playbooks.

A particularly telling trend this year is the rise of supply chain and off-chain infrastructure vulnerabilities: developer environment compromises, poisoned updates, and API key leaks, all of which bypass traditional on-chain defenses. Pair that with still-too-common issues like private key leakage and under-secured admin control, and you get a volatile mix.

This isn't just a wake-up call. It’s a full-blown alarm.

Incident summary: how protocols were exploited in Q1 2025

This year's incidents have revealed more than just technical oversights; they've exposed the fragility of critical systems when operational security is neglected. Attackers often exploited stale multisigs, overlooked key permissions, and poorly secured infrastructure, highlighting systemic weaknesses in DeFi's operational security.

1. Bybit exploit

Overview: 

In late February 2025, Bybit suffered one of the largest crypto heists in history, losing approximately $1.46 billion. The breach originated through social engineering attacks where employees were tricked into executing malicious Python-based code disguised as legitimate projects. This malware provided remote code execution via the compromised open-source library pyyaml.

Bybit exploit - February 2025

After gaining initial access, attackers escalated their privileges through manipulation of Docker configurations, conducted internal reconnaissance, and laterally moved into Bybit's wallet infrastructure. Significant portions of the stolen funds were swiftly laundered, raising alarms about potential involvement from nation-state actors, with North Korea cited by investigators.

Impact: 

The attack caused significant damage to Bybit's reputation. However, due to swift action and real-time blockchain monitoring, security teams were able to recover approximately $43 million. This recovery highlighted the importance of real-time monitoring and thorough vetting of third-party libraries.

2. Infini exploit

Overview:

Infini experienced a significant breach when a former developer retained administrative access post-deployment. Utilizing these hidden privileges, the attacker withdrew USDC, converting it rapidly into DAI and then ETH to evade asset freezing mechanisms. The meticulous planning, including use of anonymizing tools like Tornado Cash, highlighted severe oversight in Infini’s access control management.

Infini exploit - February 2025

Impact: 

The Infini exploit highlighted the critical need for robust off-boarding processes and consistent access privilege reviews to mitigate insider threats.

3. Zoth Protocol exploit

Overview:

The Zoth Protocol was exploited twice in March 2025. The first incident on March 6th exploited a bug in the platform's collateral calculations, resulting in a loss of around $285,000. The second, more severe, attack on March 21st involved the compromise of the deployer wallet. This allowed the attacker to upgrade a proxy contract to a malicious version, enabling the theft of approximately $8.4 million in USD0++ tokens. These tokens were quickly swapped for DAI and then ETH to obscure the attacker's trail.

Zoth Protocol exploit - March 2025

The attack was meticulously planned, involving trial-and-error over weeks, initial funding via ChangeNOW, and preliminary failed attempts at executing the exploit. This incident highlighted the severe risks associated with single points of failure in contract admin controls.

Impact: 

The Zoth Protocol incident highlighted the importance of implementing multi-signature governance for critical administrative tasks, maintaining strict key management protocols, and implementing continuous monitoring of all privileged operations within the protocol.

4. zkLend Protocol exploit

Overview:

zkLend, an L2 money market built on Starknet, was exploited when an attacker leveraged negligible rounding errors, dramatically inflated by flash-loan-induced accumulator manipulation. Small initial deposits were strategically amplified, causing significant discrepancies between user balances and actual withdrawals. The exploit underscored critical vulnerabilities stemming from minor, overlooked arithmetic operations within smart contracts.

zkLend Protocol exploit - February 2025

Impact: 

This attack highlighted the critical need for precise mathematical modeling and thorough security audits, especially those focused on arithmetic operations and edge cases, during protocol design.
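To make the rounding point concrete, here is an added Python model (not zkLend's code; every number is constructed) of an accumulator-based ledger with the unsafe rounding direction beside the protocol-favouring one, plus the solvency invariant a reviewer should test once the accumulator has been inflated:

```python
SCALE = 10**18  # fixed-point scale for the accumulator


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)  # integer division rounded up


class Ledger:
    """Single-user ledger: balance stored as raw units, value = raw * acc / SCALE.
    Once the accumulator is inflated (interest, or a flash-loan-funded donation)
    one raw unit is worth thousands of tokens, so every rounding choice matters."""

    def __init__(self, accumulator: int, safe: bool):
        self.acc, self.safe = accumulator, safe  # safe: protocol-favouring rounding
        self.raw = 0   # raw units credited to the user
        self.pool = 0  # tokens the protocol actually holds

    def deposit(self, amount: int) -> None:
        # Minting raw units rounds down in both variants: never credit more than paid.
        self.raw += amount * SCALE // self.acc
        self.pool += amount

    def withdraw(self, amount: int) -> None:
        # Burning is where direction matters: rounding down lets a withdrawal worth
        # just under one raw unit burn zero units, so the user's claim never shrinks.
        burn = ceil_div(amount * SCALE, self.acc) if self.safe else amount * SCALE // self.acc
        assert burn <= self.raw, "insufficient balance"
        self.raw -= burn
        self.pool -= amount

    def claim(self) -> int:
        return self.raw * self.acc // SCALE  # tokens the ledger still owes the user

    def solvent(self) -> bool:
        # Invariant worth both a unit test and a runtime monitor: claims <= holdings.
        return self.claim() <= self.pool


def repeated_withdrawals(safe: bool, rounds: int = 3) -> tuple[int, int, bool]:
    """Deposit one raw unit's worth, then withdraw just under it `rounds` times.
    Returns (tokens paid out, remaining claim, solvent?). Numbers are constructed."""
    ledger = Ledger(accumulator=4_000 * SCALE, safe=safe)  # 1 raw unit == 4000 tokens
    ledger.deposit(4_000)
    paid = 0
    for _ in range(rounds):
        if ledger.claim() < 3_999:
            break
        ledger.withdraw(3_999)
        paid += 3_999
    return paid, ledger.claim(), ledger.solvent()
```

With `safe=False` the user is paid three times while the ledger still records a full claim and the pool is insolvent; with `safe=True` the first withdrawal burns the whole raw unit and the invariant holds.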

5. Ionic Money exploit

Overview:

Attackers masqueraded as Lombard Finance to manipulate Ionic Money into accepting fake collateral tokens, facilitating the withdrawal of substantial genuine assets. This incident reinforced how devastating social engineering attacks can be, especially without rigorous partner validation.

Ionic Money exploit - February 2025

Impact: 

The loss was the result of social engineering; it is important to implement rigorous checks and approvals for third-party integrations before providing any access.

6. 1inch Fusion exploit

Overview:

On March 6, 2025, 1inch’s Fusion v1 Settlement Contract was exploited due to a re-entrancy vulnerability in the fillOrderInteraction() function. This vulnerability allowed the attacker to repeatedly gain unauthorized approvals for asset transfers. 

1inch Fusion exploit - February 2025

Specifically, the function accepted arbitrary user inputs without proper validation, enabling the attacker to execute multiple fraudulent approvals far exceeding legitimate transaction amounts. Approximately $1.2 million in USDC and 638 ETH were stolen, highlighting critical flaws in contract input validation and the risks associated with re-entrancy attacks.

Impact: 

This incident underscored the critical importance of rigorous smart contract audits, robust input validation, and proactive measures to identify and mitigate re-entrancy vulnerabilities.

7. Moby Trade exploit (Arbitrum)

Overview:

The attacker compromised a private key, enabling unauthorized upgrades of Moby Trade’s smart contract. They stole $2.5 million worth of crypto assets, but rapid intervention by white-hat hacker Tony Ke, who exploited a vulnerability in the attackers’ own contract, recovered $1.5 million.

Moby Trade exploit - January 2025

Impact: 

This incident underscored the importance of swift incident response and proactive security measures in mitigating the financial impact of the exploit.

8. Orange Finance exploit

  • Date: January 8, 2025
  • Severity: Medium
  • Vulnerability: Compromised admin key and improper multisig configuration.
  • Loss: $840,000

Overview:

An attacker gained control over Orange Finance's admin keys due to improper multisig wallet configuration, allowing unauthorized upgrades and fund transfers.

Orange Finance exploit - January 2025

Impact: 

The Orange Finance exploit, due to improper multisig wallet configuration and compromised admin keys, highlighted systemic weaknesses in access controls and emphasized the necessity for robust, layered defense strategies.

9. AdsPower Browser Plugin exploit

  • Date: January 21-24, 2025
  • Severity: Medium
  • Vulnerability: Malicious software update (supply chain attack).
  • Loss: $4.7 million

Overview:

The attackers replaced AdsPower's legitimate browser plugin with a malicious version, gaining unauthorized access to users' wallets and stealing approximately $4.7 million.

AdsPower Browser Plugin exploit - January 2025

Impact: 

The AdsPower exploit demonstrated the critical importance of secure software supply chains and the need for heightened user awareness regarding the risks of malicious software updates.

10. Wemix exploit

  • Date: February 28, 2025
  • Severity: Medium
  • Vulnerability: Theft of authentication keys for monitoring system access.
  • Loss: Over $6 million

Overview:

The attackers gained unauthorized access to Wemix’s service monitoring system for NILE, its NFT platform, by stealing authentication keys stored insecurely in a shared repository. The attackers executed thirteen successful withdrawals, netting approximately 8.6 million WEMIX tokens, which were swiftly laundered through various exchanges.

Impact: 

The Wemix exploit underscored the critical importance of secure credential management, timely and transparent incident communication, and swift action to mitigate damage and maintain stakeholder trust.

11. MIM Spell exploit

Overview:

The root cause of the MIM Spell exploit lay in liquidating assets without properly updating collateral values within the order contract. Specifically, the inputAmount variable, used to track collateral values, was not correctly reduced during liquidation.

MIM Spell exploit - March 2025

This oversight allowed attackers to bypass solvency checks implemented via the _isSolvent function, enabling additional borrowing and subsequent asset extraction after liquidation.

Impact: 

The Abracadabra Money exploit highlighted the critical need for comprehensive checks and real-time collateral valuation in liquidation protocols, emphasizing that even minor flaws in business logic can lead to substantial financial losses.
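An added Python model of the accounting flaw described above (not Abracadabra's contract; the order book, prices and collateral ratio are constructed, and `_is_solvent` stands in for the page's `_isSolvent`): the liquidation path with and without the inputAmount update, and what the solvency check then allows.

```python
from dataclasses import dataclass

LTV_PCT = 80  # maximum debt as a percentage of collateral value (constructed)

@dataclass
class Order:
    input_amount: int  # collateral the contract *believes* backs this order
    debt: int = 0      # outstanding borrow, in the debt asset

class OrderBook:
    def __init__(self, collateral: int, price: int, fix: bool):
        self.order = Order(input_amount=collateral)
        self.vault = collateral  # collateral tokens actually held by the contract
        self.price = price       # debt-asset value of one collateral unit
        self.fix = fix           # True: liquidation also updates input_amount

    def _is_solvent(self) -> bool:
        # Judged against *recorded* collateral, so every path that moves
        # collateral out must keep input_amount in sync or the check is hollow.
        return self.order.debt * 100 <= self.order.input_amount * self.price * LTV_PCT

    def borrow(self, amount: int) -> bool:
        self.order.debt += amount
        if self._is_solvent():
            return True
        self.order.debt -= amount  # revert, as a failed transaction would
        return False

    def liquidate(self, repay: int) -> int:
        # Liquidator repays part of the debt and takes collateral at par.
        if self._is_solvent():
            raise ValueError("order is healthy")
        seized = repay // self.price
        self.order.debt -= repay
        self.vault -= seized                   # collateral really leaves ...
        if self.fix:
            self.order.input_amount -= seized  # ... and the record must follow
        return seized

def scenario(fix: bool) -> tuple[int, int, int, bool]:
    """Borrow to the limit, price dip, partial liquidation, then borrow again.
    Returns (debt, recorded collateral, real collateral, under-collateralised?)."""
    book = OrderBook(collateral=100, price=10, fix=fix)  # value 1000 -> max debt 800
    book.borrow(800)
    book.price = 9             # value 900 -> max debt 720, order liquidatable
    book.liquidate(repay=450)  # seizes 50 collateral; debt now 350
    book.borrow(370)           # stale input_amount=100 would still pass _is_solvent
    o = book.order
    real_max = book.vault * book.price * LTV_PCT // 100
    return o.debt, o.input_amount, book.vault, o.debt > real_max
```

Without the fix the second borrow is accepted against collateral the contract no longer holds; with it, the borrow reverts and the order stays within the real limit.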

What do all these exploits have in common?

Over $2 billion in value has been lost in just the first quarter of 2025. And looking across these incidents, the root causes aren’t exotic — they’re depressingly familiar. Smart contract bugs, missing checks, admin key leaks, and weak off-chain hygiene continue to dominate. Here is what the incidents have in common:

  • Access control vulnerabilities: Exploits often stem from inadequate control over admin keys and privileges.
  • Private key mismanagement: Poorly secured private keys continue to be a major point of failure.
  • Social engineering and phishing attacks: These tactics, used to manipulate protocol teams, are growing increasingly sophisticated.
  • Flash loan and oracle manipulation: These techniques are persistently exploited in high-impact incidents.
  • Re-entrancy and precision loss bugs: Smart contract coding errors, such as those leading to re-entrancy attacks or precision loss, cause substantial, recurring losses.

These aren’t novel zero-days, they’re long-known risks that remain unresolved at scale.

The Guardrail blueprint for resilient protocols

At Guardrail, we offer customized security that’s purpose-built for your protocol’s infrastructure. That means tailored monitoring and alerting logic designed around your smart contracts, your economic model, and your architecture — not one-size-fits-all rules.

Based on what we learned from the exploits we’ve seen this year, the relevant protections we offer include:

  • Multisig security: Ensure multisig wallets have stringent access rules and regularly audited controls.
  • Admin privilege controls: Clearly define, audit, and limit administrative rights within smart contracts.
  • Real-time monitoring: Deploy proactive blockchain monitoring solutions to detect suspicious activities immediately.
  • Regular security audits: Conduct periodic third-party security audits, perform risk assessments and penetration tests.
  • Incident response protocol: Establish clear incident response plans, emergency pause mechanisms, and swift communication strategies.
  • User education: Regularly educate protocol teams and users about phishing, social engineering, and secure key management.

We partner with customers deeply to build custom protections, ensuring complete coverage and seamless integration into your core systems. This is what makes Guardrail not just a tool, but an extension of your security and ops team.
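The "real-time monitoring" and "admin privilege controls" items above, applied to the pattern behind the Zoth, Moby Trade and Orange Finance incidents (a deployer or admin key upgrading a proxy on its own), as an added Python example that is not Guardrail's product code. It assumes an indexer hands the monitor ABI-decoded events with the transaction sender attached; the addresses, policy and event stream are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Policy (constructed): implementations the multisig has reviewed, and the only
# address expected to perform privileged operations.
APPROVED_IMPLEMENTATIONS = {"0xIMPL_V1", "0xIMPL_V2"}
EXPECTED_ADMIN = "0xMULTISIG"
PRIVILEGED_EVENTS = {"Upgraded", "AdminChanged", "OwnershipTransferred", "RoleGranted"}

# Constructed, already ABI-decoded events as an indexer would hand them to a monitor.
SAMPLE_EVENTS = [
    {"block": 101, "tx": "0xt1", "sender": "0xMULTISIG", "event": "Upgraded",
     "args": {"implementation": "0xIMPL_V2"}},
    {"block": 102, "tx": "0xt2", "sender": "0xDEPLOYER_EOA", "event": "Upgraded",
     "args": {"implementation": "0xUNKNOWN"}},
    {"block": 102, "tx": "0xt3", "sender": "0xUSER", "event": "Transfer",
     "args": {"from": "0xUSER", "to": "0xPOOL", "value": 50}},
    {"block": 103, "tx": "0xt4", "sender": "0xDEPLOYER_EOA", "event": "OwnershipTransferred",
     "args": {"previousOwner": "0xMULTISIG", "newOwner": "0xDEPLOYER_EOA"}},
]

@dataclass
class Alert:
    severity: str  # "critical" or "info"
    block: int
    tx: str
    reason: str

def check_event(ev: dict) -> Optional[Alert]:
    """Alert on every privileged operation; escalate when it breaks policy."""
    if ev["event"] not in PRIVILEGED_EVENTS:
        return None  # ordinary traffic is handled by other rules
    reasons = []
    if ev["sender"] != EXPECTED_ADMIN:
        # A single deployer/admin key acting alone instead of the multisig.
        reasons.append(f"{ev['event']} sent by {ev['sender']}, not the multisig")
    if ev["event"] == "Upgraded" and ev["args"]["implementation"] not in APPROVED_IMPLEMENTATIONS:
        reasons.append(f"upgrade to unreviewed implementation {ev['args']['implementation']}")
    if reasons:
        return Alert("critical", ev["block"], ev["tx"], "; ".join(reasons))
    # Expected admin actions are still surfaced so the team sees every change.
    return Alert("info", ev["block"], ev["tx"], f"expected {ev['event']} by {ev['sender']}")

def scan(events: list) -> list:
    """Run the rule over a block range and keep only the events that produced alerts."""
    return [a for a in (check_event(e) for e in events) if a is not None]
```

In practice the critical branch is what should page on-call and, where the protocol has one, trigger the emergency pause the incident response item above calls for.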

The security mindset DeFi needs next

If 2025 has shown us anything, it’s that DeFi security can’t rely solely on static audits or reactive incident response. The threat landscape is evolving fast and so must our defenses.

Security needs to be continuous, adaptive, and tightly woven into the day-to-day operations of every protocol. This means monitoring beyond smart contract deployment: into runtime, developer environments, and team operations. It means building guardrails, not just walls.

The exploits in this report aren’t just case studies, they’re a blueprint for what not to repeat. Let them serve as a map for how to move forward securely.

Ready to secure your protocol with custom-fit security blueprints? Book a DeFi security consultation with Guardrail and see how we can tailor real-time protection, monitoring, and operational security around your critical business workflows.