CertiK Resources
Blogs, Latest News, Announcements, and more
Welcome to CertiK’s Hack3d report for Q1 of 2025! During this quarter, hackers stole more than $1.6 billion across 197 security incidents. These figures represent an approximate 303.38% increase in value lost compared to the previous quarter, the majority of which is due to the Bybit exploit, the largest crypto theft in history. In our report, we discuss the latest trends in Web3 security, including an analysis of the most prominent attack vectors and targeted chains. We also highlight a variety of our recently-published technical and educational resources.
4/1/2025
In this blog, we look at how Tornado Cash works, the history of its sanctions, and how its usage has shifted since the sanctions were lifted.
6/3/2025
On May 28, 2025, asset-pegged insurance CorK Protocol suffered a ~$12M security breach.
The attacker exploited a lack of parameter checks, to set up a fake market, and the relatively open access of its AMM extension (CorkHook) to induce double counting of derivative token weETH8DS-2 on two markets, and acquire a large amount of derivatives which they redeemed for 3,761 wstETH.
5/29/2025
This post introduces Distributed Key Generation (DKG), which allows multiple participants to jointly generate a secret key without ever reconstructing the full secret key, enhancing security and fault tolerance. It is fundamental to decentralized consensus, secure multiparty computation, and threshold signatures.
5/18/2025
In this post, we discuss how basic token standards are implemented across these platforms, focusing solely on minting, burning, and transferring functionalities. Advanced features such as pausing, whitelisting, and freezing will be discussed in detail in a subsequent series.
5/14/2025
On April 12 2025, an unverified contract, 0x623c, was exploited, leading to the loss of approximately $28,000 due to a lack of access control. The exploit was the fourth incident linked to this same attacker, who had already conducted exploits on Gemcy, OPC, and AIRWA, gaining around $181,000. On April 23, the attacker conducted a fifth attack on ACB.
5/12/2025
On 11 May 2025, our system detected a suspicious attack involving Mobius Token #MBU on Binance Smart Chain #BSC, which resulted in an approximate loss of $2.16M
5/11/2025
As a leading Web3 security company and an important sponsor of this conference, CertiK sincerely invites Web3 participants from all over the world to attend to learn more about our cutting-edge security research, discuss the future of Web3, and promote industry security. This guide will take you through CertiK’s exciting activities at Consensus 2025 and help you efficiently plan your interactive itinerary with us.
5/9/2025
This article discusses some of the new features of PancakeSwap Infinity, and explores the security considerations related to PancakeSwap Infinity hooks.
5/7/2025
In this post, we examine how EIP-7702 reshapes core EVM assumptions, spotlight mocked examples, and provide actionable guidance for developers to assess whether their existing contracts may be vulnerable.
5/6/2025
In this article, we look at how oracles work, why they matter, how they can be exploited, and more, with the goal of educating DeFi participants on how to better protect themselves from these types of threats.
5/6/2025
Ronghui Gu, Co-founder of CertiK and Associate Professor of Computer Science at Columbia University, delivered a Keynote speech at Unchained Summit Dubai 2025, emphasizing the important balance between Web3 innovation and security.
4/30/2025
Ethereum and Cosmos, two prominent blockchain protocols, have long pursued integration through solutions like EVM compatible chains built on Cosmos SDK (e.g. evmos/Ethermint), followed by the emerging consensus-layer (CL) swaps (e.g. Tendermint replacement for Ethereum PoS) in EVM compatible chains. This series unpacks their technical approaches and associated security trade-offs, providing an in-depth exploration of the convergence of these ecosystems.
4/17/2025
“Move for Solidity Developers” is a series created for experienced Solidity developers who already know a bit about Move. It helps you shift from writing Solidity contracts to developing on Move-based blockchains, such as Aptos and Sui. In this first installment, we’ll explore how Move’s approach to state storage and access control differs from the Solidity/EVM model. By drawing comparisons and analogies, we aim to make these new concepts feel familiar.
4/3/2025
Welcome to CertiK’s Hack3d report for Q1 of 2025! During this quarter, hackers stole more than $1.6 billion across 197 security incidents. These figures represent an approximate 303.38% increase in value lost compared to the previous quarter, the majority of which is due to the Bybit exploit, the largest crypto theft in history. In our report, we discuss the latest trends in Web3 security, including an analysis of the most prominent attack vectors and targeted chains. We also highlight a variety of our recently-published technical and educational resources.
4/1/2025
As CIP-113 advances toward finalization, CertiK is closely tracking its progress—a milestone that could reshape how developers build and enterprises engage with Cardano. This article explores the specification in depth, covering its background, the problems it addresses, its implementation, its impact on the Cardano ecosystem, comparisons with ERC-20, and security considerations.
3/31/2025
On 25 March 2025, MIM Spell was exploited for 6,261.13 ETH (~$12.9M) due to a vulnerability in the integration of the RouterOrder and Cauldron contracts. The attacker was able to borrow funds, liquidate themselves then borrow funds again without repaying them. This was due to the liquidation process not overwriting records in RouterOrder that counted as collateral, allowing exploiter to falsely borrow additional funds after liquidation.
3/27/2025
On 24 February 2025, 0xInfini was targeted by an attack that resulted in a loss of ~$49M. A key wallet used in the attack had previously been involved in the development of Infini contracts and had retained admin rights which were used to redeem all Vault tokens.
2/26/2025
On Feb-21-2025 at 02:16:11 PM UTC, the Bybit’s cold ethereum wallet was drained due to a malicious contract upgrade. This exploit resulted in an estimated loss of approximately $1.46 billion, marking the largest breach in Web3 history.
2/23/2025
