CredShields’ Bombshell H1 2025 Web3 Security Report: $2.72B Evaporates in 56 Hacks—Exchanges & Access Control Under Fire

Web3's security crisis deepens as $2.72 billion vanishes into thin air—exchanges and access control flaws fuel unprecedented hemorrhage.
The Breakdown: Where Billions Disappeared
Fifty-six separate exploits ripped through digital asset protocols like shrapnel. Centralized exchanges took the hardest hits—their aging infrastructure proving no match for sophisticated attacks. Access control vulnerabilities became the hackers' master key, bypassing security measures with alarming ease.
Security Gaps Become Floodgates
Smart contract audits missed critical flaws while privilege escalation attacks ran rampant. Once-trusted bridges became digital highway robberies. The old guard's security playbook—written for Web2—crumbled under Web3's asymmetric threat landscape.
The Irony of 'Secure' Infrastructure
Traditional finance preaches compliance while losing more to paper-based fraud than Web3 loses to code exploits—but try telling that to regulators clutching their pearls. Meanwhile, the 'secure' exchanges charging premium fees became the very single points of failure they promised to eliminate.
Wake-up Call or Death Knell?
Either the industry hardens its infrastructure now—embracing zero-trust architectures and decentralized security solutions—or these numbers become the new normal. The technology promises decentralization, but the security practices remain dangerously centralized. Time to put the 'crypto' back in cryptocurrency.
What the Report Found
A massive $2.72B was taken in 56 separate attacks in the first half of 2025. Most of the damage came from exchange-related incidents.
How hackers got in:
- Messed up systems ($1.45B gone)
- Bad permissions ($1.3B gone)
- Simple coding mistakes ($350M gone)
- Oracle tricks/overflows ($230M gone)
- Stolen private keys ($74M gone)
- Scams ($300M gone)
- Social engineering ($35M gone)
Where the losses happened: Ethereum was hit hardest (about 65% of the losses). BNB Chain and Solana each had around $250M lost. Sui was hit for $223M, and Arbitrum lost $56M.
Some of the biggest messes: Bybit (hacked user interface, $1.45B), LIBRA (insider scam, $250M lost by normal users, $110M gained by insiders), Cetus Protocol (integer overflow, $223M), Nobitex (hack burned around $90M), Phemex (hot wallet breach, $70–73M), UPCX (admin upgrade gone wrong, $70M), and Infini (shady backdoor, $49.5M).
Shashank, Co-founder at CredShields, said, ‘Think about security from the start to avoid fixing problems later. Easy access happens through bad user interfaces, roles with too much power, unsafe third-party stuff, and quick listings. Secure your permissions, always scan for problems. If you’re pushing updates every week, check your security every day.’
What to Do Now, According to the Report
What Could Happen Next
Hackers might bypass multisigs by messing with systems and interfaces (like Bybit).
Fast listings and insider deals can hurt regular people (like LIBRA, Ionic).
Problems with third-party code can still cause issues (like the Cetus overflow).
About the Report:
The State of Web3 Security report for the first half of 2025 uses data from Web3HackHub, over 2.5M SolidityScan runs, and CredShields’ reviews to show where money’s being lost, how, and what to do.
About CredShields:
CredShields helps secure Web3 with checks and security tools. Their SolidityScan tool checks for common issues, maps to the OWASP Top 10, and works with development to stop hacks. Web3HackHub is CredShields’ collection of past and present incidents to help everyone learn how to better protect themselves.
Disclaimer: This is a paid post and should not be treated as news/advice.