CertiK, recognized as the leading blockchain security firm globally, has released its May Security Report, offering a comprehensive assessment of on-chain Web3 security breaches recorded over the past month. The findings pointed to over $302 million in stolen funds linked to at least nine major incidents during May. Although this marked a 16.94% reduction compared to the $364 million lost in April, specific vulnerabilities saw alarming increases.
One of the most prominent developments reported was the sharp rise in financial damage stemming from code vulnerabilities. Losses from such flaws totaled approximately $229.67 million in May—an increase of nearly 4,484% compared to April’s $5.01 million. CertiK’s senior researcher in blockchain security observed that this trend, while unexpected, signaled a growing concern. Despite a long-term decline in vulnerability-related losses—from $1.35 billion in 2021 to $173 million in 2024—the sudden spike in May served as a critical reminder of the Web3 ecosystem’s ongoing fragility. The researcher emphasized the importance of proactive security practices such as formal verification, continuous monitoring, and a blend of human and AI-led auditing to prevent such breaches and ensure asset protection.
Meanwhile, phishing-related attacks showed a contrasting trend. Losses from phishing incidents fell drastically to $47.63 million in May, down from April’s staggering $337.38 million. While still significant, this sharp decrease suggests progress in phishing defense strategies or shifting attacker focus toward more technical exploits.
Private Key Compromises and Price Manipulation added to the month’s overall damage, resulting in losses of roughly $11.65 million and $1.05 million, respectively. These figures further illustrate the variety of attack vectors that continue to pose a threat to blockchain users and platforms.
When broken down by category, DeFi (Decentralized Finance) platforms remained the most heavily targeted, with related losses amounting to approximately $241.29 million. Social Engineering attacks followed, responsible for $35.56 million in losses. Exchange-related incidents were next, tallying $11.17 million, while Wallet Drainer attacks accounted for around $8.58 million. Even niche attack categories such as Address Poisoning and Token Dumping had a financial impact, with losses of $3.49 million and $266,000, respectively.
The report also listed specific major incidents that contributed heavily to the monthly losses. The Cetus exploit emerged as the largest, with $225.68 million stolen. Cork Protocol and BittoPro followed, suffering damages of $11.96 million and $11.17 million, respectively. Other noteworthy cases included Mobius DAO with $2.16 million lost and Demex Nitron with just under $1 million in damages.
CertiK’s latest analysis reflects the shifting landscape of cybersecurity threats in the Web3 environment. While improvements in combating certain types of attacks, such as phishing, were evident, the unexpected surge in code-related losses highlighted the persistent need for innovation and vigilance in blockchain security. The report serves as a pointed warning to developers, investors, and ecosystem stakeholders to prioritize advanced security protocols.
As the Web3 sector continues to evolve, the May report stands as both a cautionary review and a strategic guide. It underscores the necessity for holistic security approaches that blend automation, formal validation, and human expertise to effectively manage risk and protect digital assets across decentralized platforms.