BlockThreat - Week 19, 2025

Greetings!

More than $2.4M was stolen this week across seven incidents. As usual, the full spectrum of attack vectors showed up — from smart contract exploits to operational security failures. Let’s dive into the most notable smart contract hack.

The majority of losses stemmed from a closed-source contract on BSC, deployed by Mobius DAO. The project had launched just days earlier and included roughly the following code to calculate token prices for the BNB/USDT pair:

function getBNBPriceInUSDT(address bnbToken, address usdtToken) external view returns(uint256 price) {

    address pair = IPancakeFactory(PANCAKE_FACTORY).getPair(bnbToken, usdtToken);

    require(pair != address(0), "Pair does not exist");
    IPancakePair pancakePair = IPancakePair(pair);

    (uint112 reserve0, uint112 reserve1, ) = pancakePair.getReserves();

    address token0 = pancakePair.token0();
    address token1 = pancakePair.token1();

    uint8 decimals0 = IERC20(token0).decimals();
    uint8 decimals1 = IERC20(token1).decimals();

    // Normalize reserves to 18 decimals
    uint256 normReserve0 = uint256(reserve0) * (10 ** (18 - decimals0));
    uint256 normReserve1 = uint256(reserve1) * (10 ** (18 - decimals1));

    // VULN: Extra 1e18 multiplication !!!
    if (token0 == bnbToken) {
        price = (normReserve1 * 1e18) / normReserve0;
    } else {
        price = (normReserve0 * 1e18) / normReserve1;
    }
}

There are several problems here: reliance on spot prices, no liquidity checks, and possible mishandling of non-standard decimals (like with USDT). But none of that even mattered for the exploit — the final price calculation included an extra 1e18 multiplier, applied after reserves were already normalized to 18 decimals!

That simple mistake allowed the attacker to mint quadrillions of MBU tokens for just 0.001 BNB. They immediately used those tokens to drain $2.157M from a BUSD-T CakeSwap liquidity pool.

A completely preventable disaster, had the developers implemented basic tests or run a single round of audits.

And speaking of audits and testing — don’t miss this week’s sponsor, Recon, and their exclusive discount for readers!

Get a Recon Invariant Audit: a powerful testing suite plus world-class auditors to catch what others miss. Open-source, no vendor lock-in, and proven to find severe bugs. Before spending millions on audits, invest in tests that evolve over time that catch bugs and keep them from coming back. Use promo code BLOCKTHREAT for a 5k discount on your first engagement.

See our portfolio: https://getrecon.xyz/blockthreat

The week began with a private key compromise affecting one of the Lido Oracle quorum members — Chorus One. The breach was only revealed when the attacker, apparently lacking a better plan, simply drained 1.46 ETH from the wallet.

Kudos to the Lido team for implementing multiple security layers — including a 5-of-9 quorum and additional sanity checks — which effectively limited the blast radius. That said, the ecosystem is still awaiting a detailed post-mortem to understand the exact TTPs (Tactics, Techniques, and Procedures) used to get so close to such a critical piece of Ethereum infrastructure.

As a reminder, Lido currently controls 26.3% of all staked ETH, a concentration that is still pretty close to not pose existential risks to Ethereum’s long-term health.

On the same day, Ledger’s Discord server was compromised, with attackers launching a key-stealing campaign, while Curve’s X account blared out yet another fake airdrop scam.

On that note, now’s a great time to brush up on your opsec. Reach out to the good folks at Opsek, who also happen to be this week’s sponsor:

Is your team safe from sophisticated threat actors?

More than 98% of stolen funds in the Web3 ecosystem are hacked without breaking code but by breaking people. Opsek will train your team to become paranoid, and harden your complete operational security stack.

You are already a target, don't get rekt.

Link: https://opsek.io/

On a more positive side, German law enforcement has finally shut down eXch, the preferred laundering hub for DPRK, ransomware groups, and other threat actors. But that’s not all — over 8TB of data is now in the hands of law enforcement agencies around the world, who are carefully analyzing it to unravel long-running criminal enterprises. We can likely expect arrests to follow in the near future.

Let’s dive into the news!

News

• Germany Shuts Down eXch Over $1.9B Laundering, Seizes €34M in Crypto and 8TB of Data.
• Lido ‘secure’ after oracle compromise sparks emergency DAO vote. Luckily Lido was secured by 5/9 consensus which prevented an ecosystem-wide hack.
• Samourai Wallet’s Lawyers Say Prosecution Suppressed Critical Evidence, Call for Dismissal.

Crime

• Personal and physical security for founders, operators, and investors by Carl Agnelli (a16z crypto).
• Florida teens kidnap Las Vegas man, drive him to Arizona desert, steal $4M in cryptocurrency. If only GTA VI had been released on time, kids would be busy doing kid stuff.
• When Hackers Get Hacked: Analyzing the Breach of LockBit by SlowMist. The hack exposed 60,000 bitcoin addresses, a treasure trove for law enforcement around the world.
• Celsius founder Alex Mashinsky sentenced to 12 years for “unbank yourself” scam. Following the sentencies, Mashinsky asked to travel to his daughter’s wedding in Memphis, Tennessee. Will they play “Jailhouse Rock” for the father-daughter dance?
• A crypto founder faked his death. We found him alive at his dad’s house. The story behind Zerebro’s Jeffy Yu faked suicide on Pumpfun and of course a token release.
• Movement Labs ‘terminates’ co-founder Rushi Manche following controversial MOVE token deals.
• Thai Police Arrest Five in Major Crypto Laundering Crackdown by TRM.
• Grinex’s Footprint in Global Exchanges: What the Flows Reveal by Global Ledger. A deep dive into Garantex successor operating on Tron chain.
• Crypto sleuth ZachXBT says wrong suspect detained in Bored Ape NFT theft.

Phishing

• What to do when your device is completely compromised by SEAL.
• North Korean spy slips up, reveals ties in fake job interview. An in-depth investigation by Heiner Garcia (Telefonica) to unravel a DPRK operative with a fake Japanese developer personae.
• $45 million stolen from Coinbase users in the last week according to ZackXBT.
• 38,000+ FreeDrain Subdomains Found Exploiting SEO to Steal Crypto Wallet Seed Phrases.
• Reports of the official Cointelegraph X account sending phishing DMs.
• Ledger secures Discord after hacker bot tried to steal seed phrases.
• Tron says DAO X hack cost victims $45K, Curve Finance also hit.
• ZKsync X account hijacked with a message about a fake SEC action.
• Curve Finance's front-end targeted in DNS attack on website.
• Pectra lets hackers drain wallets with just an offchain signature.
• AI-enabled Fraud: How Scammers Are Exploiting Generative AI by TRM.
• First Pectra-based whitehat rescue for a poor soul affected by a wallet drainer by elyx0. Rescue repo and tx.
• Pectra lets hackers drain wallets with just an offchain signature.
• ElizaOS Vulnerability Shows How AI Can Be Gaslit Into Losing Millions.

Scams

• All the Wrong Moves by Rekt. The story behind Movement Labs’ token dump.
• Dystopian Dairies by Rekt.
• Meet Trump’s memecoin dinner guests by Molly White.

Malware

• Inferno Drainer Reloaded: Deep Dive into the Return of the Most Sophisticated Crypto Drainer by Checkpoint.

Media

• bountyhunt3rz - Episode 12 - tpiliposian.
• Pectra: The DANGERS of the Ethereum EIP-7702 by Patrick Collins (Cyfrin).
• Justin Drake (Ethereum Foundation) at CBER Forum. In-depth discussion of consensus security in bitcoin and ethereum.

Research

• Bit ByBit - emulation of the DPRK's largest cryptocurrency heist by Elastic Security Labs.
• Ethereum's Achilles' Heel : Attacking and Fuzzing EVMs for fun (and profits) by Mathieu Hoste & Bryton Bernard (Fuzzing Labs).
• Audit Contests Are Dead, Long Live Audit Contests by Jack Sanford (Sherlock).
• Complete Audit Competitions Guide & Strategies: Cantina, Code4rena, Sherlock & More by Johnny Time.
• From Ethereum to Solana: How Developer Assumptions Can Introduce Critical Security Vulnerabilities by Calvin Azzopardi (Dedaub).
• Common Vulnerabilities: Oracles and Pricing - Smart Contracts by Kree Dotcom (Sigma Prime).
• Ton VM vulnerability: RUNVM instruction may contaminate the smart contract execution environment by TonBot.
• EIP-7688 To be, or not to be? by Dmitry Zakharov, Pavel Morozov, Tim Savon, Oleg Trenkin (Mixbytes).
• MistTrack Cross-Chain Protocol Analysis Series: Bitget Swap by Slowmist.
• EIP-7702 for Hardware Wallet vendors by zknox.
• Pectra’s EIP-7702: Redefining Trust Assumptions of Externally Owned Accounts (EOAs) in EVM by CertiK.
• Exploring the Ethereum Pectra Upgrade: Enhancing the Web3 Experience by Sarthak Rawat (Eik).
• Exploit Uniswap V4 integrators and liquidity providers by Electisec.
• Balancing Security and Liquidity: A Time-Weighted Snapshot Framework for DAO Governance Voting.
• Moneros Decentralized P2P Exchanges: Functionality, Adoption, and Privacy Risks.
• Formal verification in Solidity and Move: insights from a comparative analysis.
• Commitment Attacks on Ethereum's Reward Mechanism.
• SolPhishHunter: Towards Detecting and Understanding Phishing on Solana.

Tools

• Wise Signer by Cyfrin. A series of challenges to identify safe and dangerous wallet transactions.
• How to Multisig by Fredrik Svantes. Best practices on how to implement secure standard operation procedures for multisigs.

Hacks

Crosswise Finance

Date: May 06, 2025
Attack Vector: Function Parameter Injection
Impact: $3,000
Chain: BSC

References:

https://x.com/TikkalaResearch/status/1919791152833999313https://crosswise.medium.com/post-exploit-update-2a24c3370466

Nalakuvara, LotteryTicket50

Date: May 09, 2025
Attack Vector: Price Oracle Manipulation
Impact: $105,000
Chain: Base

References:

https://x.com/TenArmorAlert/status/1920816516653617318

Exploit:

https://basescan.org/tx/0x16a99aef4fab36c84ba4616668a03a5b37caa12e2fc48923dba4e711d2094699

Lido

Date: May 10, 2025
Attack Vector: Stolen Private Key
Impact: $3,800
Chain: Ethereum

References:

https://x.com/ChorusOne/status/1921650493866324220

https://x.com/0xngmi/status/1921545287211864359

https://www.coindesk.com/tech/2025/05/12/ethereum-staking-giant-lido-loses-just-14-eth-in-hacking-attempt

https://protos.com/lido-oracle-key-compromise-was-23b-really-at-risk/

https://x.com/LidoFinance/status/1921534362232787004

https://research.lido.fi/t/emergency-rotation-of-compromised-chorus-one-oracle/10037

Exploit:

https://etherscan.io/tx/0xd081065af4621af128f24ec9ef10d4a023c2366c2626dccabbe16334d5232c3d

Ledger

Date: May 10, 2025
Attack Vector: Discord Server
Impact: Assets Stolen

References:

https://x.com/SekureD/status/1921400219331158033

https://www.theblock.co/post/353880/ledger-restores-control-of-discord-after-hacker-compromised-moderator-account

Exploit:

X3

Date: May 11, 2025
Attack Vector:
Impact: $131,400
Chain: BSC

References:

https://x.com/TenArmorAlert/status/1921517872720801991

Exploit:

https://bscscan.com/tx/0xebdf5fa7dddfa4d35567c8b12dd065e9e3a3242bacbcfa1de97beb2537264102

Unkn_efdf4f

Date: May 11, 2025
Attack Vector: Signature Verification
Impact: $1,400
Chain: BSC

References:

https://x.com/TikkalaResearch/status/1921965851856560240

Exploit:

https://bscscan.com/tx/0x0a0757862fc102ae165b18144f249ad20d502b69407fb900a86ef7495a6cc988

Mobius

Date: May 11, 2025
Attack Vector: Bad Math
Impact: $2,160,000
Chain: BSC

References:

https://x.com/CyversAlerts/status/1921489580991119736

https://www.certik.com/resources/blog/mobius-token-incident-analysis

https://x.com/MobiusDAO123/status/1921847836548735142

https://rekt.news/mobiusdao-rekt

Exploit:

https://bscscan.com/tx/0x2a65254b41b42f39331a0bcc9f893518d6b106e80d9a476b8ca3816325f4a150