
Web3 Security Monthly Report | Phishing Incidents Surge in May – How Are On-chain Tools Responding?
TechFlow Selected TechFlow Selected

Web3 Security Monthly Report | Phishing Incidents Surge in May – How Are On-chain Tools Responding?
Total losses across the entire network for this month amounted to approximately $140 million, an increase of 27.27% compared to April.
This month, total losses from security incidents across the web increased by 27.27% month-on-month, with phishing and fraud events accounting for over 60%. Security awareness is your first line of defense in protecting digital assets. OKLink provides access to 40+ leading blockchain explorers through a single unified interface, along with tools such as address monitoring, token approval checks, and address health analysis to safeguard your assets.

1. Total losses this month amounted to approximately $140 million, an increase of 27.27% compared to April.
2. Official social media channels suffered 27 phishing and fraud incidents, accounting for 60.08% of total losses. These primarily occurred on platforms such as X (formerly Twitter), Discord, and various phishing websites.
3. REKT and RugPull incidents accounted for 16.89% and 1.37% of losses respectively, while other security incidents made up 21.66%.
Case Analysis
On May 15, Sonne Finance was attacked, resulting in losses of approximately $20 million. The cause was the protocol adding a new VELO market via governance vote; however, the project team failed to deposit initial funds into the VELO market in time. This allowed hackers to exploit a classic rounding issue to manipulate the collateralization ratio of the VELO market for profit.
OKLink has tagged the attacker's address with #Hack: https://www.oklink.com/zh-hans/optimism/address/0xae4a7cde7c99fb98b0d5fa414aa40f0300531f43

Attack Flow:
1) The attacker called the attack contract 0xa78aef to make an initial deposit into the soVELO market, receiving 2 WEI of soVELO;

2) The main attack contract 0x02fa26 front-ran the timelock contract to set the collateral factor, enabling assets in the soVELO market to be used as collateral for borrowing in other markets;

3) Took a flash loan of about 35M VELO and donated it to the soVELO market contract to manipulate the exchange rate, making 2 WEI of soVELO represent a large amount of VELO—and thus a large amount of collateral value;

4) Created a sub-attack contract 0xa16388, transferred 2 WEI of soVELO to it, borrowed 265 WETH, then redeemed approximately 35M VELO using only 1 WEI of soVELO. Here, the manipulated exchange rate caused the calculated soVELO amount to be ~1.9999 WEI, which due to rounding down became exactly 1 WEI;

5) Liquidated the loan of sub-attack contract 0xa16388 to retrieve 1 WEI of soVELO and return it to the main attack contract 0x02fa26. Since the exchange rate had decreased, only a small amount of WETH was needed to acquire 1 WEI of soVELO;

6) Re-minted 1 WEI of soVELO and again donated to the soVELO market to re-manipulate the exchange rate, repeating the above steps to borrow increasing amounts of WETH, USDC, and other assets.

Vulnerable Code:

Largest Security Incident - RugPull
On May 23, a fake TON token project executed a RugPull, causing losses of approximately $600,000.
Largest Security Incident - Phishing Scam
On May 3, a whale user fell victim to a phishing attack, losing approximately $70 million (1,155 WBTC). However, on May 10, the hacker returned 90% of the stolen funds to the victim.
Largest Security Incident - Private Key Leak
On May 21, Gala Games was attacked, with suspected private key leakage. The attacker minted 5 billion GALA tokens worth about $200 million and ultimately profited around $21 million by selling them. On May 22, the attacker returned all assets.
OKLink Security Tips
Phishing attacks and private key leaks were major threats this month. OKLink reminds all users to protect personal information carefully—never disclose your private keys or recovery phrases to anyone, and avoid storing them simply via screenshots or unsecured methods. Additionally, always double-check recipient addresses before transferring funds. When copying addresses from transaction histories or chat logs, ensure they are accurate. Security awareness is your strongest shield in the Web3 world and the first line of defense for protecting your digital assets.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News











