March 2025 Web3 Security Roundup: $139 Million Lost in 33 Incidents


The Web3 ecosystem faced significant security challenges in March 2025, with a total of 33 reported security incidents resulting in approximately $139 million in losses. These breaches stemmed from various attack vectors including smart contract vulnerabilities, insider threats, flash loan exploits, private key leaks, and account takeovers. As decentralized technologies continue to evolve, so do the tactics of malicious actors. This comprehensive analysis dives into the most impactful events of the month, highlights critical vulnerabilities, and offers insights to strengthen future defenses.


Key Security Incidents in March 2025

WOOFi: Flash Loan Exploits Manipulate Pricing

On March 5, WOOFi, a decentralized exchange operating on Arbitrum, suffered an exploit targeting its sPMM (single-sided Proactive Market Making) algorithm responsible for price discovery. Attackers executed a series of flash loans to artificially manipulate WOO token prices in low-liquidity pools. By inflating prices temporarily, they were able to swap assets at favorable rates and repay the loans while pocketing the difference.

The attacker repeated this process three times in rapid succession, ultimately walking away with $8.75 million in profits. This incident underscores the persistent risks associated with dynamic pricing models in DeFi protocols, especially when exposed to flash loan-based price manipulation.



Unizen: External Call Vulnerability Exploited

On March 9, Unizen, a multi-chain DeFi platform, lost around $2.1 million in USDT due to a vulnerability in its smart contract involving unsafe external calls. The flaw allowed an attacker to intercept and redirect funds during cross-contract interactions.

In a positive development, Unizen’s CTO, Martin Granström, announced on March 12 that $185,000 had been recovered from four hackers who returned the funds voluntarily. While partial recovery is encouraging, the incident highlights the importance of rigorous testing for inter-contract dependencies.


Mozaic: Insider Threat Leads to $2 Million Theft

On March 15, DeFi yield aggregator Mozaic was compromised by an insider — a former developer who gained unauthorized access to core team members’ private keys. The breach resulted in the theft of approximately $2 million in digital assets.

Mozaic confirmed that nearly 90% of the stolen funds were frozen on MEXC, limiting further damage. This case serves as a stark reminder that human factors remain one of the weakest links in blockchain security. Proper access control, key management protocols, and employee offboarding procedures are essential.


Remilia: Compromised Password Manager Exposes Hot Wallet

On March 17, Remilia — the company behind the popular Milady NFT collection — fell victim to a sophisticated attack. The breach originated from a compromised password manager used to store private keys for its hot wallet and multi-signature treasury.

Despite using multi-sig security, the centralization of sensitive credentials created a single point of failure. Attackers drained approximately 490 ETH (~$1.8M), $58,000 in USDC, over 130 Milady NFTs, 320 Remilio NFTs, and numerous derivative tokens from NFTX. The total value exceeded $6 million at floor prices.

Charlotte Fang, founder of Milady, confirmed she had been hacked, emphasizing the need for air-gapped storage solutions and hardware-based key management.


Dolomite: Legacy Contract Exploit on Ethereum

On March 20, Dolomite, a lending and trading protocol on Arbitrum, was attacked through an outdated contract deployed on Ethereum Mainnet. A vulnerability in the legacy system enabled attackers to drain funds from about 187 users, totaling approximately $1.8 million in USDC, DAI, and WETH.

Thanks to swift collaboration between Dolomite’s team and security firms like SlowMist, 90% of the stolen assets were recovered by March 24. The team publicly acknowledged SlowMist’s support, highlighting the growing importance of post-breach response coordination.


Super Sushi Samurai: White Hat Returns $4.6M

On March 22, Super Sushi Samurai — a new blockchain game built on Blast L2 — experienced a critical vulnerability in its token contract, leading to a loss of roughly $4.6 million.

However, in a rare positive turn of events, the attacker contacted the project shortly after the exploit, identifying themselves as a white hat researcher. They returned all funds and accepted a 5% bug bounty ($230,000). This case illustrates how ethical hacking and clear bounty programs can mitigate damage and foster trust.



Curio Ecosystem: $16M RWA Protocol Breach

On March 24, Curio Ecosystem — a real-world asset (RWA) infrastructure platform integrated with MakerDAO — was exploited due to a suspected access control logic flaw. The attacker minted an unauthorized 1 billion CGT tokens, causing massive inflation and draining around $16 million from the ecosystem.

The scale of this attack emphasizes the high stakes involved when traditional finance assets are tokenized without robust governance and verification layers.


Munchables: $62.5M Blast Exploit with Full Recovery

One of the largest incidents occurred on March 27, when Munchables — a yield-focused project on Blast — lost approximately $62.5 million due to a critical vulnerability.

Surprisingly, full recovery followed almost immediately. Pacman, founder of Blast, announced that core contributors regained control via multi-sig and confirmed that the former developers chose to return all funds voluntarily — no ransom was paid. This outcome suggests internal accountability played a role, though details remain limited.


Prisma Finance: Unauthorized Collateral Transfer

On March 28, Prisma Finance — a decentralized borrowing protocol — was attacked due to insufficient input validation in its MigrateTroveZap contract. The onFlashloan function failed to verify migration data, allowing attackers to forge transactions and transfer collateral without authorization.

Total losses amounted to 3,257.7 ETH (~$11.6M). Interestingly, one address linked to the attack reached out claiming "white hat" intentions and offered to return funds. However, communication reportedly broke down, leaving recovery uncertain.


Solana Wallet Drains Linked to Trading Bots

Throughout March, multiple Solana wallet holders reported unauthorized transactions tied to third-party trading bots like Solareum. According to security researcher Plum, a flaw in Solareum’s Telegram-based trading bot led to the loss of nearly $1 million in SOL.

Users who connected their wallets to untrusted interfaces inadvertently granted signing permissions, enabling attackers to drain funds. This trend reinforces the need for user education on wallet permissions and app trustworthiness.


Security Trends and Insights


Frequently Asked Questions (FAQ)

Q: What is the most common cause of Web3 hacks in March 2025?
A: Insider threats were the costliest, accounting for nearly half of all losses. Poor internal access controls and compromised credentials were key factors.

Q: Can stolen crypto funds be recovered after an attack?
A: Yes — though not guaranteed. In several cases this month (e.g., Dolomite, Munchables), collaboration between teams and white hat actors led to partial or full recovery.

Q: How can developers prevent flash loan attacks?
A: Implement price oracles with time-weighted average pricing (TWAP), add transaction limits, validate external inputs rigorously, and conduct stress tests under manipulated market conditions.
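The flash-loan price swing described for WOOFi above and the TWAP recommendation in this answer, as an added example that is not code from the article or from any project it covers: a Uniswap-v2-style cumulative-price TWAP oracle read beside the spot price over a constructed reserve history containing one flash-loan block, plus a spot-vs-TWAP deviation check. The reserves, block timing and 5% threshold are assumed values.

```python
"""Added example, not from the article or any project it covers: a
Uniswap-v2-style cumulative-price TWAP oracle beside the spot price, run over
a constructed reserve history with one flash-loan block (assumed values)."""
from dataclasses import dataclass, field

@dataclass
class TwapOracle:
    window: int                                   # averaging window, seconds
    price_cumulative: float = 0.0                 # sum(price * elapsed seconds)
    last_price: float = 0.0
    last_ts: int = 0
    history: list = field(default_factory=list)   # (ts, cumulative) snapshots

    def update(self, ts: int, reserve_base: float, reserve_quote: float) -> None:
        """Weight the previous price by the seconds it stood, then record the new
        spot; a price set and reverted inside one block therefore gets zero weight."""
        if self.last_ts:
            self.price_cumulative += self.last_price * (ts - self.last_ts)
        self.last_price = reserve_quote / reserve_base
        self.last_ts = ts
        self.history.append((ts, self.price_cumulative))

    def twap(self, now: int) -> float:
        """Average price over the last `window` seconds from the oldest in-window snapshot."""
        old_ts, old_cum = next((h for h in self.history if h[0] >= now - self.window),
                               self.history[0])
        cum_now = self.price_cumulative + self.last_price * (now - self.last_ts)
        return self.last_price if now == old_ts else (cum_now - old_cum) / (now - old_ts)

def is_manipulated(oracle: TwapOracle, now: int, max_dev: float = 0.05) -> bool:
    """Circuit-breaker check: does spot stray from TWAP by more than max_dev (fraction)?"""
    ref = oracle.twap(now)
    return abs(oracle.last_price - ref) / ref > max_dev

def simulate(window: int = 1800) -> dict:
    """Constructed scenario: 12-second blocks, honest price 0.10, one block in which
    a flash loan swings the reserves 100x, then the loan is repaid."""
    oracle = TwapOracle(window=window)
    base, quote, ts = 1_000_000.0, 100_000.0, 0
    for _ in range(150):                          # 30 minutes of honest blocks
        ts += 12
        oracle.update(ts, base, quote)
    ts += 12
    oracle.update(ts, 100_000.0, 1_000_000.0)     # flash-loan block: spot 10.0
    out = {"spot_attack": oracle.last_price, "twap_attack": oracle.twap(ts)}
    out["guard_tripped"] = is_manipulated(oracle, ts)
    ts += 12
    oracle.update(ts, base, quote)                # loan repaid, reserves restored
    out["twap_after"] = oracle.twap(ts)           # one tainted block out of 150
    return out
```

The spot price in the attack block is 100x the honest price, while the TWAP read in that same block is unchanged and, once the manipulated block has been weighted, moves only to about 0.166; a protocol pricing off spot would have swapped at 10.0.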

Q: Are multi-signature wallets always secure?
A: Not if private keys or recovery phrases are stored insecurely (e.g., in cloud password managers). True security requires both technical safeguards and operational discipline.

Q: Why are legacy contracts dangerous?
A: Older contracts may lack modern security features and are often forgotten or left unmonitored — making them low-hanging fruit for attackers.

Q: How can users protect themselves from wallet draining?
A: Avoid connecting wallets to unknown dApps; revoke unused token approvals; use burner wallets for testing; enable transaction simulation tools before signing.


Final Thoughts

March 2025 revealed both progress and persistent weaknesses in Web3 security infrastructure. While recovery efforts improved and ethical hacking played a constructive role, systemic risks remain — especially around access control and legacy systems.

Projects must prioritize regular audits, adopt zero-trust internal policies, and implement fail-safes for emergency fund protection. Meanwhile, users should stay vigilant about app permissions and wallet hygiene.
