Cyfrin's Blockchain Security and Education Newsletter: May 2025

Just launched: ZKsync, Circle, and Cyfrin’s Full-Stack Web3 Crash Course! Learn to build blockchain-powered apps in just 8 hours and kickstart your journey as a full-stack web3 developer.
‍

Read on for the month's update from Cyfrin, security news, and industry insights. 
‍

From Cyfrin’s world

Aderyn v0.0.35 is live, featuring Hardhat/Soldeer support, faster startup, better false positive handling, and GitHub CI integration to catch issues before merging.
‍

‍

• Invest in your career and pick the right blockchain developer certification. Open doors that others only dream of by earning your SSCD+.
  ‍
• Cyfrin joins Circle’s Alliance Program to secure DeFi’s future and help bring the world on-chain.
  ‍
• Master staking, yield, re-staking, and DeFi integrations with Rocket Pool in Updraft’s rETH Integration Course. 
  ‍
• Check out our upcoming ambassador events and workshops!
  ‍
• CodeHawks Eagle success story: In just 18 months, Al-Qa'qa' went from frontend coding to securing billions in smart contracts. 
  ‍

And if you want to be a top security researcher, the Solodit Checklist Explained series teaches you how to:

• Use the Solodit Checklist as your foundation for secure smart contract development.
• Prevent DoS attacks (Part 1) with better gas and call management.
• Prevent DoS attacks (Part 2) by securing queues and external calls.
• Stop donation attacks with strict internal accounting.
• Defend against front-running by securing transaction flows.
• Block griefing attacks and protect the user experience.
• Stop validator exploits via timestamps, randomness, and transaction order.

‍

High-profile hacks and security incidents

Mantra ($5.5B): 17 wallet addresses moved $227M to exchanges, causing the OM token to plunge in value by 90%, fueling rumors of a classic rug pull and causing community outrage.

BTC ($330M): An elderly user was tricked into sending 3,520 BTC in a targeted phishing attack; funds were rapidly laundered through Monero.

UPCX ($70M): Attackers compromised the ProxyAdmin contract to add a backdoor, draining 18.4M UPC tokens. The stolen funds remain in a known wallet, unmoved, as the investigation continues.

KiloEx ($7.5M): A price oracle exploit allowed an attacker to manipulate asset prices and profit by opening and closing leveraged positions. The funds were returned, and KiloEx pledged full compensation plus a bonus APY for stakers.
‍

‍
‍Loopscale ($5.8M): A vault pricing flaw on Solana allowed an attacker to drain funds. $2.8M was later returned under a whitehat bounty deal.

BTCM App ($1M+): A logic flaw in the overPaper function is allowing hackers repeated fund withdrawals. The exploit is ongoing, with assets being transferred across chains.
‍

Industry news and resources

49% of vulnerable smart contracts are hacked within 30 days of deployment. See why pre-deployment security is critical.
‍

Protect your treasury with this multisig checklist to safeguard signer keys and stay audit-ready.

Master spec thinking to uncover hidden risks and speed up audits with fuzzing and formal verification.

Vitalik Buterin maps a pragmatic path for faster, more secure L2 finality by blending optimistic, ZK, and TEE proofs.

A hidden flaw in ETH validator deposits contracts could let attackers steal staked funds. Learn the defenses every developer must know.

Wallet bugs could silently drain your crypto without you even clicking. 

LLMs won't replace audit tools, but can turbocharge PoC builds and reports.

‍

Protocols recruit talent with Updraft Certifications

Schedule your certification exam today!

‍Start learning smart contract development and security on Cyfrin Updraft.

Participate in competitive audits on CodeHawks.

Did someone forward you this newsletter? Subscribe here!