Another week has brought another wave of decentralized finance (DeFi) exploits, draining millions from smaller projects and highlighting ongoing vulnerabilities that draw less attention than headline-grabbing attacks.

According to Protos’ hack tracker, 77 incidents have occurred so far in 2025, totaling over $1.1 billion in losses. April was particularly devastating, with its 33 incidents alone accounting for over $600 million, but May has seen a resurgence in hacker activity, with nearly $6 million stolen from six projects in just the past week.

Monday, May 11: Two Exploits Detected

On the Polygon network, Ink Finance suffered a $140,000 loss due to an exploit in its Workspace Treasury Proxy contract. Security firm SlowMist attributed the breach to a lack of access control in the PayrollDistribution function.

Separately, Huma Finance lost $100,000 on the same day. The team clarified that the funds were taken from legacy v1 contracts, which have since been paused. They reassured users that their Solana-based v2 contracts are a "complete rewrite" and unaffected by the issue.

Tuesday, May 12: Four Separate Attacks Unfold

On Tuesday evening, TAC, a blockchain designed for EVM dApps to access TON, reported a "security incident" affecting its bridge. The protocol was paused, and third-party estimates placed losses at $3 million in USDT, BLUM, and other tokens.

The following day, security auditor PeckShield identified a $1.9 million exploit in Transit Finance, with the attacker draining DAI funds. The stolen assets were traced to the address:

0x8a634DfA2609358849D7D65FFA270C8A57a8abA5

Transit Finance attributed the loss to "historical vulnerabilities" in a deprecated TRON contract, stating that users "do not need to take any action" and affected parties would be compensated. Notably, the project was previously hacked in October 2022 for over $20 million, though most funds were later returned. According to Decurity, Tuesday’s exploit stemmed from the same vulnerability that caused the 2022 attack.

Also on Tuesday, Aurellion and BoostHook were reportedly targeted, with losses of approximately $455,000 and $200,000, respectively.

Wednesday, May 13: Another Exploit Emerges

As this article was being finalized, FOX Colony on the Arbitrum network fell victim to a $130,000 exploit, flagged by blockchain security firm Blockaid. A copycat attack then siphoned an additional $50,000 from similar contracts, with Blockaid warning that other exposed contracts remain at risk.

This latest incident follows the announcement by Code4rena, a long-running audit contest platform, that it would "wind down" operations. ImmuneFi, a bug bounty platform, will take over Code4rena’s ongoing bounty programs.

Source: Protos