Gate Research Institute: Summary of Security Incidents in March 2025

The latest Web3 industry security report from Gate Research Institute states that, according to Slowmist data, there were 8 security incidents in March 2025 with total losses of approximately $14.43 million. Account hacks and contract vulnerabilities accounted for the largest share of incidents (5 of 8, or 62.5%). The report analyses the key incidents in detail, including the contract vulnerability exploited against 1inch and the two attacks suffered by Zoth (a contract vulnerability followed by a private key compromise). Account hacking and contract vulnerabilities were the main security risks of the month, underlining the need for the industry to keep strengthening its security measures.

Summary

  • In March 2025, the Web3 industry experienced 8 security incidents with total losses of $14.43 million, a sharp decrease compared to the previous month.
  • Contract vulnerabilities and account hacks were the dominant attack methods, accounting for 5 of the 8 incidents (62.5%).
  • Major events this month include 1inch suffering a contract vulnerability attack (loss of $5 million, of which 90% has been recovered) and Zoth suffering two attacks, a contract vulnerability and a private key compromise (total loss of $8.575 million).
  • In terms of chain distribution, only one of this month's incidents occurred on the BSC public chain.

Overview of Security Incidents

According to Slowmist data, from March 1 to March 30, 2025, there were 8 security incidents recorded, with a total loss of $14.43 million. The attacks mainly involved contract vulnerabilities, account hacking, and other methods. Compared to February 2025, the total loss amount decreased by 99%. Contract vulnerabilities and account hacks were the main causes, with 5 related incidents accounting for 62.5% of the total. Official X accounts remain a primary target for hackers. [1]

Only one of this month's incidents occurred on the BSC public chain: the Four.Meme project lost over $180,000. This indicates that the BSC ecosystem still has room for improvement in smart contract auditing, risk control mechanisms, and on-chain monitoring.

This month, several blockchain projects encountered significant security incidents resulting in severe financial losses. Among the most notable is the RWA staking platform Zoth, which suffered two consecutive attacks: first a contract vulnerability resulting in a loss of $285,000, then a private key compromise resulting in a loss of $8.29 million. In addition, the DEX aggregator 1inch lost $5 million to a contract vulnerability.

Major Security Incidents in March

According to official disclosures, the following projects suffered combined losses exceeding $13.5 million in March. Private key compromise and contract vulnerabilities were the two main threats.

  • 1inch lost $5 million: attackers exploited a vulnerability in the old Fusion v1 contract to steal approximately $5 million in USDC and wETH. The funds belonged to resolvers rather than to end users.
  • Zoth suffered two attacks with total losses of $8.575 million. On March 6, a collateral calculation vulnerability led to a loss of approximately $285,000; on March 21, an attacker obtained admin privileges, upgraded the contract to a malicious version, and stole about 8.45 million USD0++ (worth approximately $8.29 million), which was eventually converted into 4,223 ETH.

1inch

Project Overview: 1inch is a decentralized exchange aggregator that uses routing algorithms to find the optimal price path for users across multiple decentralized exchanges, improving trading efficiency and capital utilization. According to official website data, 1inch has integrated over 3.2 million liquidity sources, with a total trading volume exceeding $596 billion, over 21.7 million users, and more than 134 million transactions executed. [2]

Event Overview: On March 5, 1inch lost approximately $5 million due to a vulnerability in the old Fusion v1 contract. The attacker exploited this vulnerability to steal around $5 million in USDC and wETH. The funds belonged to resolvers (the entities that fill orders on behalf of users) and were not end-user assets. According to the subsequent investigation, the vulnerability existed in the outdated smart contract (a calldata corruption bug in its Yul code, per the Decurity post-mortem [4]); the attacker drained funds from the resolvers by calling the relevant functions through a carefully constructed transaction path. The current version of the contract does not contain this vulnerability.

According to Decurity's post-incident report, the 1inch team negotiated with the hacker after the incident, and most of the stolen funds have been returned (90% recovered at the time of writing), with the hacker retaining a portion as a bug bounty. The attack mainly affected outdated resolvers that had not upgraded in time; ordinary users' assets were not directly impacted, and there was no large-scale outflow of user funds. The incident highlights the importance of promptly retiring and upgrading old contracts.

Reflection after the incident:

  • Strengthen legacy contract management and permission control: deprecated smart contracts (such as Fusion v1) should be fully taken offline, have their permissions frozen, or be subject to mandatory migration, so that code kept around for compatibility does not remain an attack surface. At the same time, access control logic should be tightened, with stricter verification of the calling source and permission restrictions, so that unintended call paths cannot be exploited.
  • Expand the audit process and scope: peripheral modules that interact with core contracts (such as resolvers) should be included in the formal audit scope, and the risk boundaries of each component should be made explicit. After code refactoring, language or compiler upgrades, or interface changes, the audit process must be re-triggered, and records of how legacy versions are risk-controlled must be retained.
  • Establish real-time monitoring and emergency response: deploy on-chain security monitoring that captures abnormal transaction behaviour in real time, and set up a rapid response mechanism (permission freezing, emergency communication channels, rollback plans) to shorten the window in which funds can be lost.
  • Establish positive incentives for white hat collaboration: a bug bounty program and a negotiation channel for gray hat hackers guide potential attackers towards reporting vulnerabilities responsibly, raising the project's overall level of protection.

Zoth

Project Overview: Zoth is an Ethereum-based RWA re-staking platform that connects traditional finance with the DeFi ecosystem through asset tokenization. Users can stake compliant real-world assets to earn on-chain yields and participate in the re-staking mechanism to improve capital efficiency. According to data from the official website, Zoth's total value locked is $35.4 million, with $250 million of registered assets, and the platform continues to expand its re-staking ecosystem through partnerships with multiple RWA issuers and liquidity protocols. [6]

Event Overview: Zoth suffered two serious security incidents in March 2025, resulting in a total loss of approximately $8.575 million.

  • On March 6, a design flaw in Zoth's collateral logic allowed an attacker to exploit imprecise checks in the contract's collateral value calculation and withdraw more than the actual collateralization ratio permitted. By repeatedly calling the relevant functions and bypassing the collateral verification logic, the attacker withdrew about $285,000 in assets. The incident exposed weaknesses in asset valuation, collateral ratio settings, and boundary condition checks within the contract.
  • On March 21, Zoth suffered a second, carefully premeditated attack. After several failed attempts, the attacker gained control of the deployer account and used it to upgrade the protocol's upgradeable proxy to a malicious implementation contract capable of executing unauthorized operations. Through this, the attacker extracted the collateralized USD0++ assets from the isolated vault, stealing approximately 8.45 million USD0++, which was quickly swapped to DAI and then converted into 4,223 ETH, worth approximately $8.29 million.

After the incident, the Zoth team immediately activated its emergency response mechanism, engaging the blockchain security firm Crystal Blockchain BV to investigate and working with its asset issuer partner to protect approximately 73% of the platform's TVL. The team also issued a public statement offering a $500,000 bounty for leads that help recover the funds.

As of March 31, the attacker's funds had not been moved on a large scale and remained concentrated in two wallet addresses (a total of 4,223 ETH). The team has deployed an on-chain monitoring system and is working closely with on-chain analytics firms, Web2 platforms, and law enforcement to trace the attacker's on-chain footprint. Zoth has promised to publish a full post-mortem once the investigation concludes, together with the platform's asset recovery and redevelopment plan. [7][8][9]

Reflection after the incident:

  • Strengthen core permission and contract upgrade management: this incident originated from the compromise of the deployer's private key, which was then used to execute a malicious upgrade, exposing serious weaknesses in permission control and in the upgrade process. It is recommended to place the admin role behind a multi-signature wallet, separate roles by privilege level, restrict upgrades to an allow-list of audited implementations, enforce a delay (timelock) on upgrades so that they can be reviewed before taking effect, and establish on-chain governance or security audit processes to ensure upgrade safety.
  • Establish real-time monitoring and automated risk control: the speed of the fund outflow shows that monitoring and response were not timely. On-chain transaction monitoring, attack warning systems, and asset freezing mechanisms should be deployed to shorten the window between attack detection and response.
  • Optimize asset custody and access control logic: the fact that the isolated vault could be drained by the upgraded logic shows that the custody layer imposed no independent limits on its callers. It is recommended to introduce dynamic withdrawal limits, abnormal behaviour detection, and call path verification so that key asset contracts are protected by multiple layers of risk control.
  • Institutionalize emergency response and cross-team collaboration: after the incident, the team quickly engaged security firms and law enforcement, published progress updates, and offered a bounty, which effectively stabilized the situation. It is recommended to standardize the emergency response process into five stages (monitoring, reporting, freezing, investigation, and communication) while maintaining transparency with the public throughout.
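The monitoring that the reflection above calls for can be made concrete. The following is an added example and not code from Zoth, 1inch, or Gate: it applies an upgrade policy (the proxy may only be upgraded through its expected admin contract, and only to an implementation on an audited allow-list) to raw EIP-1967 proxy event logs of the kind returned by eth_getLogs. The event topics are the standard EIP-1967 / OpenZeppelin ones; the `caller` field, the policy addresses, and the sample logs are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Topics of the standard EIP-1967 / OpenZeppelin proxy events:
#   keccak256("Upgraded(address)") and keccak256("AdminChanged(address,address)")
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
ADMIN_CHANGED_TOPIC = "0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f"

# Hypothetical policy for one protected proxy. All addresses are made up.
PROXY = "0x00000000000000000000000000000000000000a1"
PROXY_ADMIN = "0x00000000000000000000000000000000000000b2"   # contract allowed to call upgradeTo
AUDITED_IMPL = "0x00000000000000000000000000000000000000c3"  # implementation that passed audit

POLICY = {
    PROXY: {"expected_caller": PROXY_ADMIN, "allowed_impls": {AUDITED_IMPL}},
}


@dataclass
class Alert:
    severity: str
    proxy: str
    reason: str
    tx_hash: str


def word_to_address(word: str) -> str:
    """A 32-byte ABI word holding an address: the address is the low 20 bytes."""
    return "0x" + word[-40:].lower()


def data_words(data: str) -> list[str]:
    """Split the non-indexed `data` field (0x-prefixed hex) into 32-byte words."""
    body = data[2:]
    return [body[i:i + 64] for i in range(0, len(body), 64)]


def evaluate_log(log: dict, policy: dict = POLICY) -> list[Alert]:
    """Apply the upgrade policy to one raw event log.

    Assumption: the indexer attaches one extra field, `caller`, the address that
    invoked the admin function on the proxy (msg.sender as the proxy saw it,
    recovered from the transaction call trace). Everything else is the usual
    eth_getLogs shape: address, topics, data, transactionHash.
    """
    proxy = log["address"].lower()
    rules = policy.get(proxy)
    if rules is None:
        return []                      # not a proxy we protect
    topic0 = log["topics"][0].lower()
    tx = log["transactionHash"]
    alerts: list[Alert] = []
    if topic0 == UPGRADED_TOPIC:
        impl = word_to_address(log["topics"][1])      # `implementation` is indexed
        caller = log["caller"].lower()
        if caller != rules["expected_caller"]:
            alerts.append(Alert("critical", proxy, f"upgrade invoked by unexpected caller {caller}", tx))
        if impl not in rules["allowed_impls"]:
            alerts.append(Alert("critical", proxy, f"new implementation {impl} is not on the audited allow-list", tx))
    elif topic0 == ADMIN_CHANGED_TOPIC:
        # AdminChanged has no indexed parameters: both addresses live in `data`.
        old_admin, new_admin = (word_to_address(w) for w in data_words(log["data"])[:2])
        alerts.append(Alert("high", proxy, f"proxy admin changed {old_admin} -> {new_admin}", tx))
    return alerts


def scan(logs: list[dict], policy: dict = POLICY) -> list[Alert]:
    """Evaluate a batch of logs in order and return every alert raised."""
    return [alert for log in logs for alert in evaluate_log(log, policy)]


def as_word(addr: str) -> str:
    """Left-pad an address to a 32-byte hex word (used to build the sample logs)."""
    return "0x" + addr[2:].lower().rjust(64, "0")


# Constructed sample logs, not real chain data. Log 2 models the pattern described
# above: the legitimate admin path is used, but the key behind it is in an attacker's hands.
UNKNOWN_IMPL = "0x00000000000000000000000000000000000000d4"
ROGUE_ADMIN = "0x00000000000000000000000000000000000000e5"
SAMPLE_LOGS = [
    {"address": PROXY, "topics": [UPGRADED_TOPIC, as_word(AUDITED_IMPL)], "data": "0x",
     "caller": PROXY_ADMIN, "transactionHash": "0x01"},            # routine audited upgrade
    {"address": PROXY, "topics": [UPGRADED_TOPIC, as_word(UNKNOWN_IMPL)], "data": "0x",
     "caller": PROXY_ADMIN, "transactionHash": "0x02"},            # stolen admin key, unaudited code
    {"address": PROXY, "topics": [UPGRADED_TOPIC, as_word(UNKNOWN_IMPL)], "data": "0x",
     "caller": ROGUE_ADMIN, "transactionHash": "0x03"},            # wrong caller and unaudited code
    {"address": PROXY, "topics": [ADMIN_CHANGED_TOPIC],
     "data": as_word(PROXY_ADMIN) + as_word(ROGUE_ADMIN)[2:],
     "caller": PROXY_ADMIN, "transactionHash": "0x04"},            # admin handed to a new address
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"[{alert.severity}] {alert.proxy} tx={alert.tx_hash}: {alert.reason}")
```

The second sample log is the case the text describes: a compromised admin key drives the upgrade through the legitimate path, so the caller check passes and only the implementation allow-list check fires. An alert alone does not stop the upgrade, which is why it should be paired with a timelock on upgrades: the delay is what turns the detection into time to intervene before the new code goes live.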

Summary

In March 2025, multiple DeFi platforms suffered security incidents and lost more than $14 million in assets. Two typical incidents, the 1inch smart contract vulnerability attack and the Zoth privilege escalation attack, highlighted systemic risks: legacy contracts left in service, concentration of core privileges in a single key, weaknesses in upgrade mechanisms, and insufficient risk control response. Although 1inch quickly negotiated with the attacker and recovered most of the funds, and Zoth swiftly initiated cross-team collaboration to preserve 73% of its TVL, both incidents show that some DeFi projects still have room for improvement in governance, permission management, security auditing, and real-time monitoring.

These incidents further emphasize the importance of on-chain monitoring, automated freezing processes, and gray hat incentive systems. If DeFi projects want to earn users' sustained trust, they must treat security as a core engineering requirement from the design stage rather than as a remedial measure after the fact. Gate.io reminds users to follow security developments and strengthen the protection of their personal assets.

References:

  1. Slowmist, https://hacked.slowmist.io/
  2. 1inch, https://1inch.io/
  3. X, https://x.com/SlowMist_Team/status/1897958914114879656
  4. Decurity, https://blog.decurity.io/yul-calldata-corruption-1inch-postmortem-a7ea7a53bfd9
  5. X, https://x.com/PeckShieldAlert/status/1906894141193376021
  6. Zoth, https://zoth.io/
  7. X, https://x.com/zothdotio/status/1906343855181701342
  8. X, https://x.com/CyversAlerts/status/1903021017460600885
  9. X, https://x.com/PeckShieldAlert/status/1903040662829768994

**Gate Research Institute** Gate Research Institute is a comprehensive blockchain and cryptocurrency research platform that provides readers with in-depth content, including technical analysis, hot insights, market reviews, industry research, trend forecasts, and macroeconomic policy analysis.


Disclaimer Investing in the cryptocurrency market involves high risks. Users are advised to conduct independent research and fully understand the nature of the assets and products being purchased before making any investment decisions. Gate.io does not bear any responsibility for losses or damages resulting from such investment decisions.
