BlockThreat - Week 18, 2025

Solana | Scroll | Kraken | DPRK | TeleMessage | Nomad

Greetings!

Just a few minor exploits this week, with net losses under $100K. Quiet weeks like these are rare—but they give us the space to explore broader trends in the industry.

One such trend is particularly concerning: two infinite mint vulnerabilities were recently patched by the Solana and Scroll chains. While blockchain-wide exploitation is rare, its potential impact is devastating. As more chains launch—some with completely novel consensus or transaction logic, others built on existing infrastructure but with unique quirks and precompiles—the likelihood of a blockchain-level exploit grows. We may be approaching a major hack rooted in this attack vector.

Now’s the time to give your audits and testing the extra attention they deserve—and take advantage of an exclusive discount from our repeat sponsor: Recon!

Get a Recon Invariant Audit: a powerful testing suite plus world-class auditors to catch what others miss. Open-source, no vendor lock-in, and proven to find severe bugs. Before spending millions on audits, invest in tests that evolve over time, catch bugs, and keep them from coming back. Use promo code BLOCKTHREAT for a 5k discount on your first engagement.

See our portfolio: https://getrecon.xyz/blockthreat

Last week I attended BSides and RSA in San Francisco, and it highlighted a persistent cultural divide between the blockchain security community and traditional infosec. Just glance at the talk lineups—or chat with attendees—and the contrast is obvious.

RSA and BSides focus on infrastructure defense, SecOps, endpoint protection, threat modeling, compliance, and now AI. It's about protecting large organizations at scale. Meanwhile, at the DeFi Security Summit, we’re deep into smart contract exploits, MEV, on-chain forensics, and protocol-specific bugs. Both sides aim to protect assets—but the threat models, assumptions, and priorities couldn’t be more different.

This gap has real consequences. Many traditional security folks dismiss crypto as hype-ridden and scam-prone, not worth their time. And in crypto security, we sometimes overlook classic attack surfaces—infra misconfigs, phishing, repo security—because we’re focused on contracts and formal verification. That’s how we end up getting rekt by old-school TTPs, while the traditional world misses how fast threat actors are evolving on-chain. Just ask SEALs what they’re dealing with every week.

It’s time to bridge the gap. If you're in DeFi security, consider bringing your insights to DEF CON or Black Hat. If you're in traditional infosec, dig into DeFi post-mortems and bring your infra/opsec skills to a space that needs them badly. We're all fighting the same fight—it’s time to do it together.

And speaking of stepping outside the smart contract bubble, protect your people and operations with help from this week’s sponsor: Opsek.

Is your team safe from sophisticated threat actors?

More than 98% of stolen funds in the Web3 ecosystem are taken not by breaking code but by breaking people. Opsek will train your team to become paranoid and harden your complete operational security stack.

You are already a target, don't get rekt.

Link: https://opsek.io/


Let’s dive into the news!

News

Crime

Policy

Phishing

Scams

Malware

Media

Research

Hacks

Unkn_OG

Date: April 28, 2025
Attack Vector: Social Engineering
Impact: $330,700,000 (Recovered $7,000,000)
Chain: Bitcoin

References:

https://x.com/zachxbt/status/1916756932763046273

Altura

Date: April 28, 2025
Attack Vector: Insufficient Function Access Control
Impact: $31,000
Chain: Ethereum

References:

https://x.com/TikkalaResearch/status/1916918809799393342

Exploit:

https://etherscan.io/tx/0x6086dc19843148c1d85939dec6aac832ad76644a1cf7b7a943c18e561cc54921

Unkn_c53a7e

Date: May 03, 2025
Attack Vector: Function Parameter Validation
Impact: $20,000
Chain: BSC

References:

https://x.com/TikkalaResearch/status/1918857517893030399

Exploit:

https://bscscan.com/tx/0x6a1c26f52a34c4507ea7722ccde298087f7cacbd22b22566f4c5c6ca9f9facc7

MHT Trade

Date: May 04, 2025
Attack Vector: Reward Manipulation
Impact: $25,000
Chain: BSC

References:

https://x.com/TikkalaResearch/status/1919071920877609271

Exploit:

https://bscscan.com/tx/0x8dd331f85aa87c47b01ee6a2884df35833d78a2715effe0582fa20b0ea981008