Crypto hacks exceed $3.1 billion so far in 2025

Crypto hacks have already surpassed $3.1 billion in losses for 2025, and the year isn’t over yet. According to a new report by Chain Retrieval, the biggest culprit remains unchanged: access control flaws.

Despite years of warnings, many Web3 projects continue to leave admin keys unprotected, smart contracts unchecked, and APIs poorly secured. The result? More than 190 successful attacks this year alone, with over 55% tied to weak or mismanaged access permissions.

The “State of On-Chain Security 2025” report by Chain Retrieval reveals that attackers continue to exploit the same gaps: leaked private keys, unverified smart contract logic, and outdated access control systems.

The biggest targets? No surprise here — Ethereum and BNB Smart Chain. These two ecosystems alone saw over $2 billion in losses, largely due to their popularity and volume of DeFi activity. Cross-chain bridges were also hit hard, suffering dozens of breaches that often went undetected for days.

Chain Retrieval’s warning is clear: as long as access flaws persist, hackers will keep winning.

DeFi Security Still Weak Despite Rising Threats

Access control flaws were responsible for 58% of all on-chain losses in 2025, according to the report. These include stolen admin keys, exposed multisig credentials, and improperly restricted smart contract functions.

In one high-profile case, an attacker used a leaked private key to drain $290 million from a Layer 1 protocol’s treasury wallet — all within 17 minutes.

Chain Retrieval’s research shows that even well-funded projects are skipping vital security practices. Less than 35% of hacked protocols had completed a full smart contract audit in the past year, and many still rely on outdated access management systems.

Here’s what the report highlights:

  • Cross-chain bridges accounted for 38% of total funds stolen

  • DeFi protocols were the second-most targeted category

  • Only 27% of victims had bug bounty programs in place

  • Average time to detect a hack was 11 hours

The report also notes that many teams fail to rotate keys or restrict internal access, making it easier for insider threats or phishing attacks to succeed.

While some platforms are improving — with growing use of hardware wallets and multi-signature control — the pace of change is still too slow.

Chain Retrieval recommends:

  • Mandatory third-party security audits

  • Regular access permission reviews

  • Comprehensive incident response plans

  • Wider use of on-chain monitoring tools

They stress that Web3’s growth depends on trust — and that trust is easily broken when millions vanish overnight due to avoidable security lapses.

If these issues aren’t addressed urgently, the total loss in 2025 could surpass $4 billion, setting a record for the highest single-year total in crypto history.
