$140M Lost in July: What the Latest Web3 Exploits Reveal About Security Failures (2025)

July 2025 saw more than 140 million dollars lost across high-profile Web3 exploits. That figure is nearly five times June’s total, whose largest single incident reached only around 16 million. The surge is not just a number: it reflects a dangerous spike in failures across contract design, audit coverage, and infrastructure security.

In this article, we break down every major exploit from July, with both technical and plain-language explanations. At the end, we outline how these breaches could have been prevented and why Softstack continues to maintain a zero exploit record across all audited contracts.

🚨 Exploit Breakdown

1. Cork Protocol – 12 million dollars

Date: July 2
Chain: Ethereum
Loss: 12 million dollars

Technical view:
Cork suffered from flawed state management during bonding curve transactions, and the attacker manipulated these flows to extract funds. Afterward, the attacker posted technical critiques of the audit firm directly on-chain, calling out specific oversights, including a missed reentrancy vector.

Dummy view:
Cork got hacked, then mocked. The hacker didn’t just steal money. They left comments pointing out everything the security firm missed, like a professor grading a failed exam.

How Softstack would have prevented this:
Our audits simulate bonding curve and pricing mechanisms under adversarial conditions. We also include reentrancy testing across all user-exposed entry points and price transition states.


2. Rowan Energy – Supply fraud and rug pull

Date: July 3
Chain: Ethereum
Loss: Unknown, team rug pull

Technical view:
The Rowan team advertised a limited 545 million token supply but kept a mint function active. A whitehat researcher exposed the lie by minting and burning one billion tokens, demonstrating the hidden supply.

Dummy view:
They told investors only a limited number of tokens existed but secretly kept the printer running. Someone called them out by minting a billion, then burning it as proof.

How Softstack would have prevented this:
We audit all ownership functions and verify total supply enforcement through formal checks. Our reviews catch mint functions, hidden privileges, and off-chain misrepresentations.
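
As an added illustration of the supply check described above (this is not Rowan’s code and not Softstack’s audit tooling; the contract name, MAX_SUPPLY and finalizeMint are hypothetical), here is a token whose advertised cap is enforced on-chain and whose minting can be closed for good:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for the Rowan case: not Rowan's code and not Softstack's
// tooling. CappedToken, MAX_SUPPLY and finalizeMint are hypothetical names.
// Only the ERC-20 surface needed to show the point is included.
contract CappedToken {
    string public constant name = "Capped Example Token";
    string public constant symbol = "CAP";
    uint8 public constant decimals = 18;

    // The advertised supply, fixed at compile time so no privileged call can raise it later.
    uint256 public constant MAX_SUPPLY = 545_000_000 * 1e18;

    uint256 public totalSupply;
    address public owner;
    // Once true, mint() reverts forever; no function in this contract flips it back.
    bool public mintingFinalized;

    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event MintingFinalized();

    error NotOwner();
    error CapExceeded(uint256 requested, uint256 remaining);
    error MintingClosed();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Every mint is checked against the cap; even the owner cannot exceed it.
    function mint(address to, uint256 amount) external onlyOwner {
        if (mintingFinalized) revert MintingClosed();
        uint256 remaining = MAX_SUPPLY - totalSupply;
        if (amount > remaining) revert CapExceeded(amount, remaining);
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    // Irreversibly closes minting. After this call the on-chain state itself
    // proves that no further supply can be created, which is the promise
    // investors were given in the Rowan case.
    function finalizeMint() external onlyOwner {
        mintingFinalized = true;
        emit MintingFinalized();
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; // reverts on underflow in Solidity 0.8+
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }
}
```

The review questions this pattern answers are the ones a supply audit asks: which code paths increase totalSupply, whether the cap is a compile-time constant rather than an owner-settable variable, and whether the deployed instance has actually had finalizeMint() called. A contract that advertises a cap but keeps an ungated or uncapped mint fails the first two checks regardless of what the website says.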


3. GMX V1 – 42 million dollar reentrancy attack

Date: July 9
Chain: Arbitrum
Loss: 42 million dollars (partially recovered)

Technical view:
Attackers used reentrancy to manipulate the globalShortAveragePrices variable during swaps. This allowed them to mint GLP at inflated prices and immediately exit at fair market value, creating artificial gains.

Dummy view:
They found a way to mess with price data mid-swap and cash out with free money. The bug had been introduced in an old update that nobody thought to double-check.

How Softstack would have prevented this:
Our regression tests simulate reentrancy across pricing flows and legacy patches. This type of exploit is exactly what our stress models are built to expose.
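
The Cork and GMX cases above share one shape: a value that feeds a price is read by an external call before the update around it is complete. The following added illustration (not code from either protocol and not Softstack’s tooling; the vault, price(), sharesOf and the onRedeem callback are hypothetical stand-ins) shows that shape beside the checks-effects-interactions plus reentrancy-guard form that closes it:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for the Cork and GMX cases. Not code from either protocol
// and not Softstack's tooling; every name here is a hypothetical stand-in for
// "price-relevant state that an external call can observe mid-update".
interface IRedeemCallback {
    // Stand-in for any external call made during a redemption: a token hook,
    // a router callback, or a user-supplied receiver contract.
    function onRedeem(uint256 assets) external;
}

// VULNERABLE: the two variables that define price() are updated on opposite
// sides of an external call, so a re-entering caller sees an inflated price.
contract VulnerableVault {
    uint256 public totalAssets;
    uint256 public totalShares;
    mapping(address => uint256) public sharesOf;

    // Assets per share, scaled by 1e18.
    function price() public view returns (uint256) {
        return totalShares == 0 ? 1e18 : (totalAssets * 1e18) / totalShares;
    }

    function deposit(uint256 assets) external {
        uint256 minted = (assets * 1e18) / price();
        totalAssets += assets;
        totalShares += minted;
        sharesOf[msg.sender] += minted;
    }

    function redeem(uint256 amount) external {
        uint256 assets = (amount * price()) / 1e18;
        sharesOf[msg.sender] -= amount;
        totalShares -= amount;                         // half of the accounting...
        IRedeemCallback(msg.sender).onRedeem(assets);  // ...external call while price() is too high...
        totalAssets -= assets;                         // ...other half only afterwards
    }
}

// HARDENED: checks-effects-interactions plus a reentrancy guard. Either alone
// narrows the window; together they also stop cross-function re-entry through
// deposit() while redeem() is in flight.
contract HardenedVault {
    uint256 public totalAssets;
    uint256 public totalShares;
    mapping(address => uint256) public sharesOf;

    uint256 private _status = 1; // 1 = idle, 2 = entered

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    function price() public view returns (uint256) {
        return totalShares == 0 ? 1e18 : (totalAssets * 1e18) / totalShares;
    }

    function deposit(uint256 assets) external nonReentrant {
        uint256 minted = (assets * 1e18) / price();
        totalAssets += assets;
        totalShares += minted;
        sharesOf[msg.sender] += minted;
    }

    function redeem(uint256 amount) external nonReentrant {
        uint256 assets = (amount * price()) / 1e18;
        // Effects: every variable that feeds price() is final before control leaves the contract.
        sharesOf[msg.sender] -= amount;
        totalShares -= amount;
        totalAssets -= assets;
        // Interaction last. A re-entering redeem() or deposit() hits the guard,
        // and even a view-only caller now reads a consistent price().
        IRedeemCallback(msg.sender).onRedeem(assets);
    }
}
```

In a review, the test is mechanical: for every function that makes an external call, list the state variables written before the call and after it, and ask whether any view function (here price()) combines variables from both lists. If it does, something that runs during the call sees a price the protocol never intended to offer. Legacy patches deserve the same pass, because the GMX bug sat in old code that nobody re-checked.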


4. Kinto Protocol – 1.55 million dollar proxy backdoor

Date: July 15
Chain: Arbitrum
Loss: 1.55 million dollars

Technical view:
An outdated ERC-1967 proxy left an upgrade path open to unauthorized actors. The attacker used this to mint 110,000 tokens and drain the liquidity pool.

Dummy view:
A hidden upgrade feature gave someone the power to make new tokens out of thin air. The old codebase had a forgotten door that should have been locked.

How Softstack would have prevented this:
We verify all proxy paths and enforce upgrade authorization. Our analysis includes proxy storage layout validation and unintended access routes.
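
To make the Kinto point concrete, here is an added illustration (not Kinto’s code and not Softstack’s tooling) of a minimal ERC-1967 proxy with an open upgrade path beside one whose upgrade path is gated. The two storage-slot constants are the ones EIP-1967 defines; OpenProxy, GatedProxy and the admin role are hypothetical names:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for the Kinto case: not Kinto's code and not Softstack's
// tooling. The slot constants are defined by EIP-1967; everything else is hypothetical.
bytes32 constant IMPLEMENTATION_SLOT =
    0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
bytes32 constant ADMIN_SLOT =
    0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;

// Shared delegation logic. It declares no storage variables of its own, so the
// implementation's layout starting at slot 0 is not disturbed.
abstract contract ERC1967Base {
    event Upgraded(address indexed implementation);

    function _implementation() internal view returns (address impl) {
        bytes32 slot = IMPLEMENTATION_SLOT;
        assembly { impl := sload(slot) }
    }

    function _setImplementation(address newImpl) internal {
        require(newImpl.code.length > 0, "implementation is not a contract");
        bytes32 slot = IMPLEMENTATION_SLOT;
        assembly { sstore(slot, newImpl) }
        emit Upgraded(newImpl);
    }

    fallback() external payable {
        address impl = _implementation();
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// VULNERABLE: the "forgotten door". upgradeTo has no access control, so any
// caller can point the proxy at an implementation of their choosing.
contract OpenProxy is ERC1967Base {
    constructor(address impl) { _setImplementation(impl); }

    function upgradeTo(address newImpl) external {
        _setImplementation(newImpl);
    }
}

// HARDENED: the admin lives in the ERC-1967 admin slot and every write to the
// implementation slot sits behind onlyAdmin.
contract GatedProxy is ERC1967Base {
    event AdminChanged(address indexed previousAdmin, address indexed newAdmin);

    constructor(address impl, address admin_) {
        _setAdmin(admin_);
        _setImplementation(impl);
    }

    modifier onlyAdmin() {
        require(msg.sender == _admin(), "not proxy admin");
        _;
    }

    function _admin() internal view returns (address a) {
        bytes32 slot = ADMIN_SLOT;
        assembly { a := sload(slot) }
    }

    function _setAdmin(address newAdmin) internal {
        require(newAdmin != address(0), "zero admin");
        emit AdminChanged(_admin(), newAdmin);
        bytes32 slot = ADMIN_SLOT;
        assembly { sstore(slot, newAdmin) }
    }

    function upgradeTo(address newImpl) external onlyAdmin {
        _setImplementation(newImpl);
    }

    function changeAdmin(address newAdmin) external onlyAdmin {
        _setAdmin(newAdmin);
    }
}
```

The proxy review this models is an enumeration: find every code path that writes IMPLEMENTATION_SLOT or ADMIN_SLOT (in the proxy and in any implementation that can sstore to those slots) and confirm each is authorized. OpenProxy fails on a single unauthenticated call, which is exactly the class of leftover path an outdated proxy tends to carry.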


5. ArcadiaFi – 3.6 million dollar rebalancer attack

Date: July 17
Chains: Base and Ethereum
Loss: 3.6 million dollars

Technical view:
During a cooldown window, attackers passed crafted swapData into a trusted rebalancer contract. This contract allowed arbitrary external calls, which the attackers used to move funds without proper checks.

Dummy view:
The system trusted data it should not have. Someone used a carefully crafted message to trick it into sending money where it should not go.

How Softstack would have prevented this:
We test all delegate calls and injection vectors during paused or emergency states. Malicious swap inputs are included in our rebalancer and call injection scenarios.
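
The ArcadiaFi pattern, a contract that forwards caller-supplied swapData to an address of the caller’s choosing, is shown below beside a version that only calls allowlisted (target, selector) pairs, refuses to run during a cooldown, and checks the result. This is an added illustration, not ArcadiaFi’s code and not Softstack’s tooling; every name is hypothetical:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for the ArcadiaFi case: not ArcadiaFi's code and not
// Softstack's tooling. All names (OpenRebalancer, GuardedRebalancer, guardian,
// allowedCall, cooldownEnds) are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// VULNERABLE: "trusted" only in name. Whoever can reach rebalance() chooses
// both the contract that gets called and the calldata it receives.
contract OpenRebalancer {
    function rebalance(address target, bytes calldata swapData) external {
        (bool ok, ) = target.call(swapData);
        require(ok, "swap failed");
    }
}

// HARDENED: narrow the call surface, gate it by protocol state, verify the outcome.
contract GuardedRebalancer {
    address public immutable guardian;
    IERC20 public immutable asset;  // token the rebalancer must end up holding
    uint256 public cooldownEnds;     // rebalancing is disabled until this timestamp

    // (target, function selector) pairs the rebalancer may ever call.
    mapping(address => mapping(bytes4 => bool)) public allowedCall;

    event CallAllowed(address indexed target, bytes4 indexed selector, bool allowed);
    event Rebalanced(address indexed target, bytes4 indexed selector, uint256 assetGain);

    constructor(address guardian_, IERC20 asset_) {
        guardian = guardian_;
        asset = asset_;
    }

    modifier onlyGuardian() {
        require(msg.sender == guardian, "not guardian");
        _;
    }

    function setAllowedCall(address target, bytes4 selector, bool allowed) external onlyGuardian {
        allowedCall[target][selector] = allowed;
        emit CallAllowed(target, selector, allowed);
    }

    // Emergency and cooldown state is a hard stop for rebalancing, not a hint.
    function startCooldown(uint256 duration) external onlyGuardian {
        cooldownEnds = block.timestamp + duration;
    }

    // Callable by any keeper; the safety comes from the checks, not from who calls.
    function rebalance(address target, bytes calldata swapData, uint256 minAssetGain) external {
        require(block.timestamp >= cooldownEnds, "rebalancing disabled during cooldown");
        require(swapData.length >= 4, "calldata too short");
        // The rebalancer must never call itself or the asset token directly:
        // that is how an arbitrary call becomes a transfer or approval of the funds.
        require(target != address(this) && target != address(asset), "forbidden target");

        bytes4 selector = bytes4(swapData[:4]);
        require(allowedCall[target][selector], "call not allowlisted");

        uint256 before = asset.balanceOf(address(this));
        (bool ok, ) = target.call(swapData); // plain call, never delegatecall
        require(ok, "swap failed");

        // Post-condition: the swap must have produced at least what was promised.
        uint256 afterBal = asset.balanceOf(address(this));
        require(afterBal >= before + minAssetGain, "swap returned too little");
        emit Rebalanced(target, selector, afterBal - before);
    }
}
```

Each check maps to a question from the review described above: can this entry point be reached in a paused or cooldown state, can the caller pick the target or the selector, can the target be the vault’s own asset or the contract itself, and does anything verify that funds went up rather than down once the call returns. OpenRebalancer answers all four the wrong way.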


6. BigONE Exchange – 27 million dollar infrastructure breach

Date: July 18
Scope: Backend servers and transaction logic
Loss: 27 million dollars

Technical view:
Attackers breached the production environment and altered backend withdrawal logic. Although hot wallet permissions remained untouched, backend APIs allowed the attackers to execute malicious transactions across multiple chains.

Dummy view:
This was not a smart contract hack. Someone got into the exchange’s backend and rewired how withdrawals worked, then took millions from user funds.

How Softstack would have prevented this:
Our security reviews go beyond code. We assess infrastructure, CI/CD pipelines, and production server controls. We would have flagged these backend gaps.


7. CoinDCX – 44.3 million dollar credential exploit

Date: July 22
Chains: Solana and Ethereum
Loss: 44.3 million dollars

Technical view:
Employee credentials tied to operational wallets were compromised. Using these, the attacker drained over 155,000 SOL and 4,400 ETH, then routed the funds through laundering services such as Tornado Cash.

Dummy view:
The attacker got into an employee account with too much access. From there, they moved funds out quickly before anyone could react.

How Softstack would have prevented this:
We include privileged account reviews in every infrastructure audit. Our process ensures keys are segregated, rotated, and stored with hardware-backed protections.


8. Woo X – 14 million dollar phishing breach

Date: July 28
Chains: Multiple
Loss: 14 million dollars

Technical view:
A team member clicked on a malicious link that gave attackers access to wallet credentials. They used these to drain assets across chains.

Dummy view:
It was a phishing email. One wrong click and the attackers got full access to critical wallets.

How Softstack would have prevented this:
We train teams in phishing response and recommend role-based wallet architectures that prevent full access from a single device or account.
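
The CoinDCX and Woo X cases above both came down to one credential being enough. Hardware-backed storage and key rotation are off-chain controls, but the on-chain side of a role-based wallet architecture can be illustrated. The following is an added example (not code from either exchange and not Softstack’s tooling; roles, limits and names are hypothetical): routine payouts are bounded by a daily limit on a single operator key, and anything larger needs a second person holding a different role plus a delay, so a single phished or leaked key cannot empty the wallet:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for the CoinDCX and Woo X cases: not code from either
// exchange and not Softstack's tooling. TwoPersonTreasury, the operator and
// approver roles, dailyLimit and DELAY are hypothetical.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract TwoPersonTreasury {
    IERC20 public immutable token;
    uint256 public immutable dailyLimit;     // below this, one operator key may pay out
    uint256 public constant DELAY = 1 days;  // large payouts wait, so a compromise is visible before it is final

    mapping(address => bool) public isOperator;  // hot, day-to-day keys, each on its own device
    mapping(address => bool) public isApprover;  // cold, hardware-backed keys; never used for proposing

    struct Payout { address to; uint256 amount; address proposer; uint64 readyAt; bool approved; bool executed; }
    mapping(uint256 => Payout) public payouts;
    uint256 public nextPayoutId;

    uint256 public spentToday;
    uint256 public dayStart;

    event Proposed(uint256 indexed id, address indexed to, uint256 amount, address indexed by);
    event Approved(uint256 indexed id, address indexed by);
    event Executed(uint256 indexed id);

    constructor(IERC20 token_, uint256 dailyLimit_, address[] memory operators, address[] memory approvers) {
        token = token_;
        dailyLimit = dailyLimit_;
        for (uint256 i = 0; i < operators.length; i++) { isOperator[operators[i]] = true; }
        for (uint256 i = 0; i < approvers.length; i++) {
            require(!isOperator[approvers[i]], "one key, one role"); // roles are disjoint by construction
            isApprover[approvers[i]] = true;
        }
    }

    modifier onlyOperator() { require(isOperator[msg.sender], "not operator"); _; }
    modifier onlyApprover() { require(isApprover[msg.sender], "not approver"); _; }

    // Small, routine payouts: one operator key, bounded by a rolling daily limit.
    function payoutSmall(address to, uint256 amount) external onlyOperator {
        _rollDay();
        require(spentToday + amount <= dailyLimit, "daily limit reached");
        spentToday += amount;
        require(token.transfer(to, amount), "transfer failed");
    }

    // Anything above the limit needs a second person and a delay.
    function propose(address to, uint256 amount) external onlyOperator returns (uint256 id) {
        id = nextPayoutId++;
        payouts[id] = Payout(to, amount, msg.sender, uint64(block.timestamp + DELAY), false, false);
        emit Proposed(id, to, amount, msg.sender);
    }

    // Approvers cannot propose, so the proposer can never approve their own payout.
    function approve(uint256 id) external onlyApprover {
        Payout storage p = payouts[id];
        require(p.to != address(0) && !p.executed, "no such pending payout");
        p.approved = true;
        emit Approved(id, msg.sender);
    }

    function execute(uint256 id) external {
        Payout storage p = payouts[id];
        require(p.approved, "not approved");
        require(!p.executed, "already executed");
        require(block.timestamp >= p.readyAt, "timelock active");
        p.executed = true;
        require(token.transfer(p.to, p.amount), "transfer failed");
        emit Executed(id);
    }

    function _rollDay() internal {
        if (block.timestamp >= dayStart + 1 days) { dayStart = block.timestamp; spentToday = 0; }
    }
}
```

The design point is blast radius: a compromised operator key is capped at dailyLimit per day, a compromised approver key can approve but never propose, and every large movement sits in a public timelock long enough for monitoring to raise an alarm and for the remaining honest key holders to act.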

Themes & Lessons

  • Audits ≠ Immunity
    Most of these projects were “audited” — but many of those audits failed to catch critical paths, hidden permissions, or upgrade backdoors.

  • The most dangerous bugs are invisible to static tools
    From proxy paths to misused cooldowns, finding them still requires human context.

  • Backend security is catching up
    Credential hygiene and infra ops are the new weak links. They’re rarely part of audit scopes.

Conclusion

The sheer variety of failures in July 2025 shows just how complex and unforgiving Web3 security has become. Some projects were taken down by old proxy code. Others missed reentrancy risks introduced years ago. A few were undone by simple human mistakes like phishing or poor key management. The one thing they all had in common? Every single exploit could have been prevented with deeper review, better assumptions, and a more complete audit process.

At Softstack, we believe audits should do more than scan for bugs. We simulate attackers, question protocol logic, stress test integrations, and review infrastructure end to end. That is how we have delivered over 1,200 audits since 2017 — with zero exploits.

If you are building in DeFi, stablecoins, bridges, or infrastructure, now is the time to rethink your security model. Let us help you stay out of headlines and off the rekt leaderboard.

Partner with Softstack

Softstack is a German Web3 development and auditing firm with over 1,200 zero exploit audits since 2017. We deliver transparent, hands-on support from scoping through verification. Whether you are a seed stage startup or an enterprise protocol, we help you launch with confidence.

Ready to get started?

📞 Book a free consultation at https://calendly.com/softstack

OR

📤 Email hello@softstack.io with a link to your code repository so we can review your codebase and get you an accurate quotation.

Would you recommend Softstack to fellow Web3 builders?

Join our Service Partner Program (SPP) and provide your network with a trustworthy partner.

✅ Up to 20 percent referral commission
✅ Fast tracked onboarding
✅ Preferential rates
✅ Over 1 million dollars in partner savings via https://deals.softstack.io
✅ Lead sharing and co marketing support

👉 https://softstack.io/service-partner-program-spp

Yannik Heinze

CEO at softstack, Web3 veteran and mentor.