Last Week in Web3 Security: Smart Contract Exploits Surge ⚠️
Smart Contract Exploits Skyrocket, Telegram Teams Up with Elon Musk’s Grok AI, and Quantum-Resistant Blockchain Gains Momentum
May 2025 proved tough for Web3, with over $302 million lost to scams, hacks, and exploits. Though slightly down by 16.9% from April, it’s hardly comforting news. Most alarming is the explosion of smart contract vulnerabilities, with losses skyrocketing from just $5 million in April to a staggering $229.6 million.
Phishing cooled slightly, yet still drained $47.6 million, with private key leaks costing another $11.6 million. Additionally, price manipulation accounted for around $1 million in losses.
🔥 Big Headlines
Dedge Security Raises €4M
Dedge Security secured €4M in seed funding from Tritemius, set to enhance its Web3 Application Security Platform (ASPM). Their goal? Integrate robust security into every stage—from code to blockchain.
Naoris Protocol’s Quantum-Resistant Ambitions ($3M Raised)
Naoris Protocol secured strategic funding to build a quantum-resistant blockchain ecosystem, introducing plug-and-play cybersecurity meshes designed to protect blockchain and enterprise systems from the foundational level upwards.
Chainlink’s VWAP Pricing Raises Concerns
A user’s $500,000 loss due to liquidation triggered by Chainlink’s VWAP pricing system sparked questions about oracle reliability, as minimal market activity led to disproportionately sharp liquidations.
Telegram Partners with Elon Musk’s Grok AI
Telegram strikes a major deal with Grok AI—Elon Musk’s advanced AI project—worth $300 million in cash and equity, plus 50% of Grok subscription revenues. The partnership aims to enhance technology offerings for Telegram’s billion-plus user base.
🚨 Trending Hacks & Exploits
Cork Protocol ($11M Lost): A missing-access-control flaw in a Uniswap v4 hook allowed attackers to fabricate deposits.
Ethereum’s Pectra Upgrade: Malicious contracts exploiting EIP-7702 largely failed, with attackers ironically losing more to gas fees than they gained.
Bybit Hack ($1.5B Stolen): Confirmed North Korean attackers (TraderTraitor) exploited compromised AWS tokens; 77% of stolen funds remain traceable, with some already frozen.
📌 Expert Insights and Commentary
Dedaub: How missing access control and other weaknesses turned depeg insurance into an unfortunate loss.
Wei Dai: The Onchain Privacy Trilemma.
Josep Chetrit: Recent ByBit exploit & learnings.
Charles Wang: Why Web3 security is broken (2025 edition)
Cyber Razz: Deployed a honeypot in a cloud environment to study brute-force threats, revealing 75k+ brute-force attacks.
Three Sigma XYZ: Network segmentation explained.
Three Sigma XYZ: An Operational Security Guide for companies and founders.
Acceleratooooor: The Crypto OpSec Bible.
DeFi Wonderland: $1.5M white-hat recovery from RAI before Global Settlement closed the doors forever.
Karolina Gorna: Exposing Go’s Hidden Bugs.
a16z Crypto: Full-stack security resources from our team.
mg_486662: 5 steps to protect yourself after a personal data breach in crypto.
Dev Dacian: Auditing Automation to convert markdown to good-looking PDF smart contract audit reports.
Jeff Security: A collection of guards for Safe accounts, including transaction restrictions, timelocks, and others.
0xhuy0512: Thread highlighting Awesome Solana Security Alphas.
Octane Security: ML to surface unseen threat patterns from thousands of real bugs.
Guardian Audits: Web2, the hidden layer of DeFi risks.
Ottersec: The hidden dangers of lamport transfers.
Zellic: Enumerating All 69,788,231 Ethereum Contracts.
Zhero: Race-Condition to Cache Poisoning CVE-2025-32421 on nextjs
0xaudron: Security Guide to Proxies by electisec
guardrailai: A supply chain attack just compromised the official XRP SDK (v4.2.4) on NPM.
Practice Challenges 🚀
SANS Challenge Coins
Security Boulevard Challenges
Stay vigilant, informed, and secure in the fast-moving world of Web3!