Weekly tracking of Web3 security incidents, sorted by value
| Date | Incident | Value Lost | Description | Tags | Mitigation | Link |
|---|---|---|---|---|---|---|
| Week 51: Dec 15-21, 2025 | ||||||
| Dec 20, 2025 | Address Poisoning Attack | $50M USDT | A crypto trader lost $50 million in USDT through an address poisoning scam. After the victim sent a $50 test transaction, the attacker generated a wallet address matching the first and last characters of the legitimate destination and sent dust amounts from it to poison the victim's transaction history. The victim copied the poisoned address from that history and sent $49,999,950 USDT to the scammer's address. The stolen funds were swapped for ETH, moved across multiple wallets, and laundered through Tornado Cash. The victim offered a $1M bounty and threatened legal action. | Phishing, Social engineering | Wallets must implement full address verification and warn users when an address is copied from transaction history. Users should always verify the complete address character by character, not just the prefix and suffix. Consider using address book features and ENS names. Implement transaction simulation that shows the actual recipient before confirming large transfers. | View |
| Week 50: Dec 8-14, 2025 | ||||||
| Dec 13, 2025 | Exposso co-founder (Jill Gutener's wallet) | ~$30K | Wallet drained due to a vulnerability in a ThirdWeb smart contract. The theft occurred while the victim was preparing a cyber privacy presentation; the stolen funds were held in USDC. | Smart contract exploit | Immediately disclose any detected exploit of a smart contract to its users, and immediately halt all operation of the vulnerable contract. | View |
| Dec 10, 2025 | Yi He WeChat Compromise | Unknown | Yi He, Binance co-founder, suffered a WeChat account compromise in early December 2025. This Web2 security breach highlighted the weakness of SIM-linked accounts and of account recovery flows that can be abused. The incident came weeks after a similar WeChat breach involving Tron founder Justin Sun, raising concerns about social engineering attacks targeting crypto executives. | Social engineering, Account takeover | Communication platform vendors must invalidate old phone numbers in account recovery mechanisms as soon as a user updates their phone number. Implement mandatory time-based expiry for all recovery credentials (e.g., old phone numbers auto-expire after 30-90 days). Require multi-factor verification for account recovery requests (email + SMS + security questions, not the phone number alone). Send real-time alerts to all registered devices when account recovery is initiated. Allow users to add security layers such as recovery codes or trusted contacts. | View |
| Dec 8, 2025 | Malicious Permit Phishing | ~$440,000 USDC | A user signed a fake "permit" signature on a phishing site, granting an attacker full access to their USDC. The funds were drained immediately. The case highlights the ongoing rise in "permit" scams targeting whales. Reported by Scam Sniffer as part of a broader surge in November/December phishing (total phishing losses up 137% month over month in November). Recovery is unlikely; vigilance before signing is the only real defense. | Phishing, Permit exploit | Browser-based wallets should implement features that help users detect phishing websites and clearly display what a permit signature authorizes before it is signed. | View |
| Week 49: Dec 1-7, 2025 | ||||||
| Dec 5, 2025 | USPD Stablecoin Protocol (Proxy Breach) | $1M | The USPD protocol suffered a sophisticated CPIMP (Clandestine Proxy In the Middle of Proxy) attack. The attacker front-ran the proxy initialization on Sept 16 using a Multicall3 transaction, gaining admin control before the deployment scripts completed. They inserted a 'shadow' proxy that forwarded calls to the audited implementation while manipulating event payloads and spoofing storage slots to deceive Etherscan. After lying dormant for 3 months, the attacker minted ~98M USPD tokens (10x the collateral ratio) against ~3,122 ETH of collateral, stole ~237 stETH, and drained $1M+ of liquidity via the Curve DEX. The protocol offered a 10% bounty and is cooperating with law enforcement. | Smart contract exploit, DeFi exploit | Implement secure proxy initialization (deploy and initialize atomically, or via time-locked deployment scripts) so the initializer cannot be front-run. Use CREATE2 with deterministic addresses to verify deployment integrity. Add proxy implementation verification checks that cannot be spoofed. Enforce strict access control with multi-sig requirements for admin functions. Add circuit breakers for abnormal minting operations (>2x the collateral ratio). Require mandatory delays between proxy upgrades. Use real-time monitoring with automated alerts for proxy implementation changes. | View |
| Week 48: Nov 30 - Dec 6, 2025 | ||||||
| Nov 30, 2025 | Yearn Finance yETH Pool Exploit | $9M | Yearn Finance's yETH pool suffered a sophisticated exploit on November 30 at around 21:11 UTC, resulting in approximately $9 million in stolen assets. The attacker exploited a code weakness to mint a near-infinite amount of yETH, pushing the pool's internal solver into a divergent state and triggering an arithmetic underflow. About $8M was drained from the main stableswap pool and $0.9M from the yETH-WETH pool on Curve. Approximately $3M was sent to Tornado Cash. With assistance from the Plume and Dinero teams, 857.49 pxETH ($2.39M) was recovered. Yearn's v2 and v3 vaults were not affected. | DeFi exploit, Smart contract exploit | DeFi protocol developers must implement strict limits and validation checks on token minting functions to prevent infinite-mint attacks. Add circuit breakers that halt operations when a divergent state or an unusual change in token supply is detected. Back arithmetic operations with formal verification and mathematical proofs to rule out underflow and overflow. Use real-time monitoring to detect abnormal pool state changes and automatically pause affected contracts. | View |
Data compiled from various Web3 security sources. Updated weekly.