Security Flaws Dominate as $302M Drained from Web3 in May 2025
Blockchain security firm CertiK has revealed that over $302 million was lost to Web3 scams, hacks, and exploits in May 2025—a 17% drop from April’s $364 million. However, losses due to code vulnerabilities surged, becoming the leading cause.
Flawed code accounted for $229.6 million in losses—an explosive 4,483% increase from April’s $5 million. CertiK’s Natalie Newson warned that despite a multi-year decline in such incidents, this spike highlights a pressing need for rigorous code audits and formal verification.
Phishing losses dropped sharply to $47.6 million (down from $337 million in April), but phishing remained the second-most damaging threat. Other attack vectors included private key compromises ($11.6M) and price manipulation ($1M).
DeFi platforms were the hardest hit, losing over $241 million. Major incidents included the Cetus hack ($225.6M), Cork Protocol ($11.9M), and BitoPro ($11.1M).
CertiK's report underscores the evolving tactics of attackers and the need for stronger, ongoing security efforts across Web3.