Gate Research: Security Incident Summary for March 2025

Advanced | 4/7/2025, 5:20:37 AM
Gate Research: In March 2025, the Web3 industry experienced eight security incidents, resulting in total losses of $14.43 million—a significant decrease compared to the previous month. The majority of attacks involved smart contract vulnerabilities and account compromises, accounting for 62.5% of all crypto-related incidents during the period. Major cases included a $5 million exploit targeting 1inch (with 90% of the stolen funds recovered) and two separate attacks on Zoth involving a contract flaw and a private key leakage, leading to combined losses of $8.575 million. In terms of blockchain distribution, only one project this month reported losses on the public blockchain BSC.

Gate Research’s latest Web3 industry security report, based on data from SlowMist, recorded eight security incidents in March 2025, resulting in total losses of approximately $14.43 million. The incidents varied in type, with account hacks and smart contract vulnerabilities accounting for the majority, 62.5% of the total. The report provides detailed analysis of key events, including the smart contract vulnerability attack on 1inch and the Zoth incident involving contract flaws and private key leakage. Account breaches and contract vulnerabilities have been identified as the primary security threats for the month, underscoring the ongoing need for enhanced security measures across the industry.

Abstract

  • In March 2025, the Web3 industry experienced eight security incidents, resulting in total losses of $14.43 million—a significant decrease compared to the previous month.
  • Most of these incidents involved attack methods such as smart contract vulnerabilities and account breaches, which together accounted for 62.5% of all security cases in the crypto industry.
  • Major incidents this month included a smart contract vulnerability exploit targeting 1inch (resulting in $5 million in losses, of which 90% have been recovered) and two separate attacks on Zoth—one involving a contract vulnerability and the other a private key leak—leading to a combined loss of $8.575 million.
  • Regarding blockchain distribution, only one project suffered losses on the public chain BSC this month.

Security Incident Overview

According to data from SlowMist, eight security incidents were recorded between March 1 and March 30, 2025, resulting in total losses of approximately $14.43 million. The attacks primarily involved smart contract vulnerabilities, account compromise, and other exploit methods. Compared to February 2025, the total loss dropped by 99% month-over-month. Smart contract flaws and hacked accounts were the leading causes of these attacks, with five such incidents accounting for 62.5%. Official X (formerly Twitter) accounts remain key targets for hackers.[1]

This month, the only security incident on a public blockchain occurred on BSC, where Four.meme suffered losses of over $180,000. This highlights the need for ongoing improvements in smart contract auditing, risk control mechanisms, and on-chain monitoring within the BSC ecosystem.

Several blockchain projects faced major security breaches this month, resulting in significant financial damage. Among the most notable was the RWA staking platform Zoth, which suffered two separate attacks: one involving a hack that led to $8.29 million in losses, and another due to a smart contract vulnerability that caused $285,000 in damages. Additionally, DEX aggregator 1inch lost $5 million due to a contract vulnerability.

Major Security Incidents in March

According to official disclosures, over $13.5 million in losses were reported from key security breaches in March. The primary threats were private key leakages and smart contract vulnerabilities.

  • Attackers exploited a vulnerability in the outdated Fusion v1 contract, stealing around $5 million in USDC and wETH. The funds were taken from resolvers, not directly from end-user wallets.
  • The RWA staking platform Zoth suffered two security incidents in March: on March 6, a collateral calculation flaw resulted in a loss of approximately $285,000; on March 21, a hacker gained admin privileges and upgraded the contract to a malicious version, stealing around $8.29 million worth of USD0++, which was eventually converted into 4,223 ETH.

1inch

Project Overview: 1inch is a decentralized exchange (DEX) aggregator that uses smart algorithms to identify optimal trading routes across multiple DEXs, improving trading efficiency and capital usage. According to its official website, 1inch has integrated over 3.2 million liquidity sources, facilitated more than $596 billion in cumulative trade volume, and served over 21.7 million users through more than 134 million transactions.[2]

Incident Overview:

On March 5, a vulnerability in the legacy Fusion v1 smart contract led to the loss of approximately $5 million. The attacker crafted a specific transaction path that invoked functions in the outdated contract to transfer funds, specifically USDC and wETH, out of resolvers rather than out of individual users' wallets. Post-incident investigation confirmed that the vulnerability existed only in the outdated contracts; the current version of the protocol does not contain it.

According to a post-incident analysis by Decurity, the 1inch team entered negotiations with the attacker. Currently, around 90% of the stolen funds have been recovered, with the remainder retained by the attacker as a bug bounty. The attack mainly affected legacy resolvers that hadn’t been upgraded. No direct user assets were impacted, and no significant outflow from user wallets was detected. This incident highlighted the critical need to deprecate and upgrade outdated contracts in a timely manner.[3][4][5]

Post-Incident Recommendations:

  • Strengthen Legacy Contract Management and Access Controls: Deprecated smart contracts (such as Fusion v1) should be fully decommissioned, with permissions frozen or forcibly migrated, to eliminate potential attack surfaces left for backward compatibility. Access control logic should also be improved by verifying call sources and enforcing stricter permission checks to prevent exploitation through unintended call paths.
  • Improve Audit Processes and Coverage: Peripheral modules related to core contracts (e.g., resolvers) should be included in formal audit scopes, with clearly defined risk boundaries for each component. Any structural refactoring, language upgrades, or interface changes should trigger re-auditing processes, and historical risk assessments for legacy versions should be retained.
  • Build Real-Time Monitoring and Emergency Response Systems: On-chain security monitoring systems should be deployed to detect abnormal transaction behavior in real time. A rapid response mechanism—such as permission freezing, emergency communication channels, and rollback strategies—should be in place to minimize the time window for asset loss.
  • Establish Incentive Mechanisms to Encourage White-Hat Collaboration: Bug bounty programs and responsible disclosure agreements with gray-hat hackers can incentivize ethical reporting of vulnerabilities, contributing to a stronger overall security posture for the project.

Zoth

Project Overview: Zoth is an Ethereum-based RWA restaking platform that bridges traditional finance and the DeFi ecosystem through asset tokenization. It allows users to stake compliant real-world assets to earn on-chain yields and participate in restaking mechanisms for greater capital efficiency. According to its official website, Zoth has a total value locked (TVL) of $35.4 million and over $250 million in registered assets—demonstrating its strong presence at the intersection of on-chain and traditional financial systems. The platform continues to expand its restaking ecosystem through partnerships with RWA issuers and liquidity protocols.[6]

Incident Overview:

In March 2025, Zoth experienced two major security breaches, resulting in total losses of approximately $8.575 million.

  • March 6: A design flaw in Zoth’s collateral logic allowed attackers to exploit imprecise calculations in the contract’s collateral valuation process. The attacker bypassed collateral validation checks by repeatedly invoking specific functions and extracting roughly $285,000 in excess funds. This incident revealed weaknesses in how the contract handled asset valuation, collateral ratio thresholds, and boundary conditions.
  • March 21: Zoth was targeted again in a highly coordinated and premeditated attack. After several failed attempts, the attacker successfully gained control of the deployer account and used it to upgrade the protocol via a proxy contract to a malicious version. This upgrade gave the attacker full control over the contract logic, enabling them to drain isolated vaults containing collateralized USD0++ tokens. The attacker stole approximately 845 million USD0++, which they quickly swapped to DAI and converted into 4,223 ETH—equivalent to around $8.29 million.

Following the incidents, the Zoth team immediately activated its emergency response protocol and partnered with blockchain security firm Crystal Blockchain BV to conduct an investigation. They also worked closely with asset issuer partners to secure approximately 73% of the platform’s TVL. In a public statement, Zoth announced a $500,000 bug bounty program to incentivize information that could help recover the stolen funds.

As of March 31, the stolen assets remain largely unmoved and are concentrated in two wallet addresses (holding a total of 4,223 ETH). The team has deployed on-chain monitoring systems and collaborates with global blockchain analytics firms, Web2 platforms, and law enforcement agencies to trace the attacker’s movements. Zoth has committed to releasing a full postmortem report and a recovery and rebuild plan once the investigation is complete.[7][8][9]

Post-Incident Recommendations:

  • Strengthen Core Privilege and Upgrade Management: This incident stemmed from the compromise of the deployer’s private key, which allowed a malicious contract upgrade—revealing critical weaknesses in privilege control and the upgrade process. Going forward, it’s recommended to adopt multi-signature wallets, implement layered access permissions, establish upgrade whitelisting mechanisms, and enforce on-chain governance or security audit procedures to ensure upgrade safety.
  • Implement Real-Time Monitoring and Automated Risk Controls: The rapid outflow of funds indicated a lack of timely detection. The platform should deploy real-time transaction monitoring, attack alert systems, and asset freezing mechanisms on-chain to reduce the response window in future attacks.
  • Improve Asset Custody and Access Control Logic: The successful withdrawal from isolated vaults suggests insufficient access control within the custody mechanism. Key asset contracts should be protected by multiple layers of risk controls: dynamic call restrictions, abnormal behavior detection, and transaction path validation.
  • Institutionalize Emergency Response and Cross-Team Collaboration: The team responded quickly by coordinating with security firms and law enforcement, issuing progress updates, and launching a bounty program—effectively stabilizing the situation. For future incidents, a standardized emergency response protocol should be adopted, covering five key stages: monitoring, alerting, freezing, investigation, and communication, with a commitment to ongoing transparency.
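As an added illustration of the upgrade-whitelisting and real-time-monitoring recommendations above (example code written for this summary, not code from Zoth or Gate Research), the following Python monitor scans decoded on-chain events, raises a critical alert when a proxy emits an ERC-1967 `Upgraded` event pointing at an implementation outside an approved set, and escalates a large vault outflow that follows such an upgrade within a short block window. The addresses, block numbers, token amounts, threshold and approved list are constructed placeholders.

```python
# Added example, not code from Zoth or the Gate Research report.
# A minimal on-chain monitor that turns two of the recommendations above into
# concrete detection rules:
#   1. a proxy Upgraded(implementation) event whose new implementation is not
#      on the approved allowlist (an "upgrade whitelist") is CRITICAL;
#   2. a large Transfer out of the vault within a short window after such an
#      upgrade is CRITICAL; a large outflow with no preceding bad upgrade is a
#      WARNING for a human to review.
# All addresses, block numbers and amounts are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    block: int
    contract: str   # address of the emitting contract (proxy or token)
    name: str       # decoded event name, e.g. "Upgraded" or "Transfer"
    args: dict      # decoded event arguments


@dataclass(frozen=True)
class Alert:
    severity: str
    block: int
    message: str


# Constructed placeholders for the contracts being watched.
PROXY = "0xPROXY_PLACEHOLDER"
VAULT = "0xVAULT_PLACEHOLDER"
APPROVED_IMPLS = frozenset({"0xIMPL_V2_PLACEHOLDER"})
OUTFLOW_THRESHOLD = 1_000_000 * 10**18   # 1M tokens at 18 decimals (assumed)
CORRELATION_WINDOW = 50                  # blocks after an upgrade to correlate


def scan(events, approved=APPROVED_IMPLS, threshold=OUTFLOW_THRESHOLD,
         window=CORRELATION_WINDOW):
    """Walk events in block order and return the alerts they trigger."""
    alerts = []
    last_bad_upgrade = None  # block of the most recent unapproved upgrade
    for ev in sorted(events, key=lambda e: e.block):
        if ev.contract == PROXY and ev.name == "Upgraded":
            impl = ev.args["implementation"]
            if impl in approved:
                alerts.append(Alert("INFO", ev.block,
                                    f"proxy upgraded to approved implementation {impl}"))
            else:
                last_bad_upgrade = ev.block
                alerts.append(Alert("CRITICAL", ev.block,
                                    f"proxy upgraded to unapproved implementation {impl}"))
        elif ev.name == "Transfer" and ev.args["from"] == VAULT:
            value = ev.args["value"]
            if value < threshold:
                continue  # routine outflow, below the alerting threshold
            if last_bad_upgrade is not None and ev.block - last_bad_upgrade <= window:
                alerts.append(Alert("CRITICAL", ev.block,
                                    f"vault outflow of {value} within "
                                    f"{ev.block - last_bad_upgrade} blocks of an unapproved upgrade"))
            else:
                alerts.append(Alert("WARNING", ev.block,
                                    f"large vault outflow of {value}"))
    return alerts


def sample_events():
    """Constructed event stream modelled on the upgrade-then-drain pattern."""
    e18 = 10**18
    token = "0xTOKEN_PLACEHOLDER"
    return [
        Event(100, PROXY, "Upgraded", {"implementation": "0xIMPL_V2_PLACEHOLDER"}),
        Event(200, token, "Transfer",
              {"from": VAULT, "to": "0xUSER_PLACEHOLDER", "value": 500_000 * e18}),
        Event(300, PROXY, "Upgraded", {"implementation": "0xIMPL_EVIL_PLACEHOLDER"}),
        Event(305, token, "Transfer",
              {"from": VAULT, "to": "0xATTACKER_PLACEHOLDER", "value": 5_000_000 * e18}),
        Event(900, token, "Transfer",
              {"from": VAULT, "to": "0xTREASURY_PLACEHOLDER", "value": 2_000_000 * e18}),
    ]


def run_sample():
    return scan(sample_events())


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] block {a.block}: {a.message}")
```

In production the event stream would come from a node's log subscription and the CRITICAL path would trigger the freezing step of the response protocol rather than only printing.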

Summary

In March 2025, multiple DeFi projects suffered security breaches, resulting in tens of millions of dollars in losses. Two notable incidents—the smart contract vulnerability exploit on 1inch and the privilege escalation attack on Zoth—again highlighted systemic risks such as legacy contract exposure, centralized admin privileges, flawed upgrade mechanisms, and insufficient risk response frameworks. While 1inch managed to recover most of the stolen funds through prompt negotiation with the attacker, and Zoth acted swiftly to initiate cross-team collaboration and safeguard 73% of its assets, both cases revealed areas for improvement in governance structures, access control, security auditing, and real-time monitoring across many DeFi protocols.

These incidents underscore the importance of implementing on-chain monitoring systems, automated asset freezing mechanisms, and incentive structures for gray-hat disclosures. For DeFi projects to maintain long-term user trust, security must be treated as a foundational design element from the outset—not as an afterthought. Gate.io reminds users to stay informed about security developments and actively protect their personal assets.


References:

  1. SlowMist, https://hacked.slowmist.io/
  2. 1inch, https://1inch.io/
  3. X, https://x.com/SlowMist_Team/status/1897958914114879656
  4. Decurity, https://blog.decurity.io/yul-calldata-corruption-1inch-postmortem-a7ea7a53bfd9
  5. X, https://x.com/PeckShieldAlert/status/1906894141193376021
  6. Zoth, https://zoth.io/
  7. X, https://x.com/zothdotio/status/1906343855181701342
  8. X, https://x.com/CyversAlerts/status/1903021017460600885
  9. X, https://x.com/PeckShieldAlert/status/1903040662829768994



Gate Research
Gate Research is a comprehensive blockchain and cryptocurrency research platform that delivers in-depth content. This includes technical analysis, hot topic insights, market reviews, industry research, trend forecasts, and macroeconomic policy analysis.


Disclaimer
Investing in the cryptocurrency market involves high risk, and it is recommended that users conduct independent research and fully understand the nature of the assets and products they are purchasing before making any investment decisions. Gate.io is not responsible for any losses or damages caused by such investment decisions.

Author: Shirley
Translator: Sonia
Reviewer(s): Addie, Evelyn, Mark
Translation reviewer(s): Ashley, Joyce
* The information is not intended to be, and does not constitute, financial advice or any other recommendation of any kind offered or endorsed by Gate.io.
* This article may not be reproduced, transmitted or copied without referencing Gate.io. Contravention is an infringement of copyright law and may be subject to legal action.
