BlockThreat - Week 21, 2025
Cetus | Sui | Mango Markets | Eisenberg | Bitcoin Central | Chainge Finance
Greetings!
Over $260 million was stolen across five separate incidents this week, with the bulk of the losses stemming from a single ecosystem-wide compromise on the Sui blockchain.
But before we dive into the details of that hack, a quick word from this week’s sponsor — Almanax. It’s a critical tool for any smart contract developer, designed to help you avoid becoming yet another statistic in the relentless wave of DeFi exploits.

Almanax is an AI security engineer designed to help security teams prevent hacks. It plugs into CI/CD pipelines to identify security issues in every commit with LLMs. It also triages alerts from static analyzers and dependency checks, suppressing false positives and surfacing exploitable issues in real time—including hidden backdoors in third‑party packages.
Scan your codebase for free with Almanax at app.almanax.ai.
The recent $260M+ exploit of Cetus Protocol on the Sui chain is a reminder of the catastrophic bugs that may appear in reimplementations of critical code while porting from a different language or chain. Much like the infamous Curve Finance hack, which resulted from an incorrect implementation of a reentrancy check in certain versions of the Vyper compiler, the Cetus incident demonstrates that even thoroughly audited code can be hacked if the underlying library code is flawed.
At the core of the Cetus compromise was a bug in Sui’s Move compiler implementation of the checked_shlw(u256) function. This function was intended to prevent overflow during left-shift operations, but it was implemented with a constant that was too large, rendering the check ineffective.
This subtle error enabled an attacker to mint pool liquidity with negligible input: depositing a single token and then draining the pool by withdrawing the full value. The vulnerability went undetected in multiple audits by reputable firms, likely because the affected library math code was out of scope or assumed to be safe.
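As an added illustration (not code from the newsletter, from Cetus or from Sui), here is the flawed overflow guard beside its corrected form, modelled in Python with u256 wrap-around semantics; the buggy mask constant follows the public post-mortems and is an assumption here, as is the sample input.

```python
U256_MAX = (1 << 256) - 1


def shl_u256(n: int, bits: int) -> int:
    """Move-style u256 left shift: bits pushed past bit 255 are dropped, no abort."""
    return (n << bits) & U256_MAX


def checked_shlw_buggy(n: int) -> tuple[int, bool]:
    """Shift left by 64 with the flawed guard.

    The mask follows the constant reported in the public post-mortems (an
    assumption here): a 128-bit all-ones literal shifted by 192, which in u256
    arithmetic truncates to 2**256 - 2**192, far above the real bound.
    Returns (value, overflowed).
    """
    mask = shl_u256(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, 192)
    if n > mask:
        return 0, True
    return shl_u256(n, 64), False


def checked_shlw_fixed(n: int) -> tuple[int, bool]:
    """Correct guard: n << 64 fits in 256 bits only when n < 2**192."""
    if n >= (1 << 192):
        return 0, True
    return shl_u256(n, 64), False


def silent_overflow(n: int) -> bool:
    """True when the buggy guard reports 'no overflow' but high bits were lost."""
    value, overflowed = checked_shlw_buggy(n)
    return not overflowed and value != (n << 64)


def unchecked_gap() -> tuple[int, int]:
    """Inclusive range of inputs the buggy guard accepts although they overflow."""
    lo = 1 << 192
    hi = shl_u256(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, 192)
    return lo, hi


if __name__ == "__main__":
    n = (1 << 192) + 1   # constructed input just past the real bound
    # True product is 2**256 + 2**64; the buggy path keeps only 2**64 and says "no overflow".
    print(checked_shlw_buggy(n), checked_shlw_fixed(n), silent_overflow(n))
```

The truncated result is a tiny fraction of the true value, which is why downstream liquidity math built on it can accept a negligible deposit as if it were enormous.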
In response to the exploit, Sui validators acted swiftly, freezing the majority of the stolen funds by censoring all transactions from the attacker’s addresses. Simultaneously, a governance proposal was introduced and approved to issue two special transactions that recovered funds from two of the attacker-controlled wallets. This coordinated, chain-wide intervention is now a recurring pattern in blockchain crises—a centralized remedy in systems designed to be decentralized.
On a related note, make sure to check out Recon’s testing suite — especially their invariant checks, which would have likely caught this exploit before it happened.

Get a Recon Invariant Audit: a powerful testing suite plus world-class auditors to catch what others miss. Open-source, no vendor lock-in, and proven to find severe bugs. Before spending millions on audits, invest in tests that evolve over time, catch bugs and keep them from coming back. Use promo code BLOCKTHREAT for a 5k discount on your first engagement.
See our portfolio: https://getrecon.xyz/blockthreat
Let’s dive into the news!
News
- Coinbase breach hit almost 70k users. Interestingly, Coinbase hackers decided to troll ZachXBT onchain after $42.5M THORChain swap. It's a bold strategy, Cotton. Let's see if it plays out for them.
Crime
- Crypto Trader’s Convictions Vacated in Mango Markets Fraud Case. Commodities fraud, commodities manipulation, and wire fraud convictions returned by a jury were dismissed by the judge because the prosecution failed to prove fraudulent or manipulative conduct. The ruling essentially reaffirms the “code is law” defense recently adopted by a court in France. A misguided ruling by an ill-informed judge that undermines the safety of an entire industry.
- Australian Police Seize Hacker’s Bitcoin, Mansion and Luxury Car. The “French cryptocurrency exchange” hack likely refers to the 2013 hack of Bitcoin Central, in which a few hundred BTC were stolen.
- Crypto Investor Charged With Kidnapping and Torturing Man for Weeks. A wild story to steal crypto from an Italian national involving a group of crypto bros and an actress.
- A Crypto Billionaire Who Feared Arrest in the U.S. Returns for Dinner With Trump. Justin Sun received a Trump branded watch at the dinner.
- American tourist claims $123K in bitcoin and XRP stolen in fake Uber ‘Devil’s Breath’ attack in London.
- Europol Busts 'Hawala Banking' Network Cashing Crypto for Criminals.
- Justice Department Seizes Domains Behind Major Information-Stealing Malware Operation. The action disrupts operation of LummaC2 crypto and banking credential stealer.
- Leader of Qakbot Malware Conspiracy Indicted for Involvement in Global Ransomware Scheme. More than $24M in crypto was seized from Rustam Rafailevich Gallyamov, a resident of Moscow, Russia.
- Feds charge Amalgam founder with stealing $1M via ‘sham’ blockchain.
Phishing
- “Customer Support” in the Dark Forest: Social Engineering Scams Target Coinbase Users by SlowMist.
- Demystifying Phishing Contracts on Ethereum and How to Avoid Them by BlockSec Team.
Scams
- ‘Hawk Tuah’ girl says FBI, SEC cleared her of legal wrongdoing in memecoin fiasco.
- Road to Nowhere by Rekt. The slow rug pull of Chainge Finance.
Malware
- Destructive malware available in NPM repo went unnoticed for 2 years.
- Dero miner zombies biting through Docker APIs to build a cryptojacking horde by Kaspersky.
- “Anti-Ledger” malware: The battle for Ledger Live seed phrases by Moonlock.
- Chihuahua Stealer Malware Targets Browser and Wallet Data by Picus Security.
- Bitcoin stealer malware found in official printer drivers. Attackers already stole more than 9 BTC.
Media
- bountyhunt3rz - Episode 14 - bytes032.
- OpenSense - Success is for those who deserve it with Julien Klepatch.
Contests
- Bug Bounty Web3 - Daily Challenges by Thomas EDET.
Research
- Halting Cross-chain: Axelar Network Vulnerability Disclosure by Marco Nunes.
- How memory works under the hood in the EVM and how this knowledge led me to recently discover a critical vulnerability by kaden.eth.
- How EIP-7702 Transforms Account Security and Functionality by Three Sigma.
- The Hidden Threats of Web2 Vulnerabilities in Web3 Systems by Mujtaba Raza (Blockapex).
- Deep Dive into DeFi Derivatives by Viktor Yurov (MixBytes).
- Let's talk LLMs for vulnerability research by P.M.
- Understanding Perpetual Derivatives Protocols: A Primer for Web3 Security by QuillAudits.
- Stablecoin intro - What are stablecoins and why is the context important for a security researcher by Delvir0.
- Model Checking the Security of the Lightning Network.
- Adaptive Plan-Execute Framework for Smart Contract Security Auditing.
- An Empirical Analysis of EOS Blockchain: Architecture, Contract, and Security.
- Timestamp Manipulation: Timestamp-based Nakamoto-style Blockchains are Vulnerable.
Tools
- Revela Move decompiler by Verichains. Decompiler for the Move smart contract language used on Aptos and Sui chains.
Hacks
Unkn_0851ae
Date: May 21, 2025
Attack Vector: Insufficient Function Access Control
Impact: $144,800
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1925374163797053778
https://x.com/TikkalaResearch/status/1925239924300947609
Exploit:
https://bscscan.com/tx/0x3278b9ee1391269a22742d6b4a1289426d1245220ce8994fe32837cd251598f1
Shiro
Date: May 21, 2025
Attack Vector:
Impact: $500,000
Chain: Ethereum
References:
https://x.com/CyversAlerts/status/1925514793827320070
https://x.com/shiro/status/1925312720888635852
Exploit:
https://etherscan.io/tx/0x24b50c451ecbc592cdb8fef98f33ae12d02dfc6e2ac7a47568185d5e174e2ae3
Venus
Date: May 22, 2025
Attack Vector: Price Oracle Manipulation
Impact: $200
Chain: BSC
References:
https://x.com/TikkalaResearch/status/1925603266903384379
Exploit:
https://bscscan.com/tx/0x703c3c0d750281bc6124f76c26d9dc0e508bdacd9445f2bc3f01803fbde2dd6f
Cetus, Kriya, Flow X, Turbo Finance, Move, Sui
Date: May 22, 2025
Attack Vector: Integer Overflow
Impact: $260,000,000 (Recovered $160,000)
Chain: Sui
References:
https://x.com/CetusProtocol/status/1926021460214026568
https://blog.verichains.io/p/cetus-protocol-hacked-analysis
https://blog.verichains.io/p/multiple-sui-projects-previously
Tracing:
https://www.elliptic.co/blog/cetus-protocol-hacked-for-more-than-200-million
https://x.com/SuiNetwork/status/1925572334054002774
Return:
https://www.dlnews.com/articles/defi/how-hacker-used-fake-tokens-to-syphon-220m-sui-dex-cetus/
Exploit:
https://revela.verichains.io/sui/0x714a63a0dba6da4f017b42d5d0fb78867f18bcde904868e51d951a5a6f5b7f57?rpc=mainnet&module=math_u256
https://suivision.xyz/txblock/ETCaBBiffASZ3oXBBcoM6VYd3NcTb5T1Sqo4xLECKZws?tab=Overview
https://suivision.xyz/txblock/DVMG3B2kocLEnVMDuQzTYRgjwuuFSfciawPvXXheB3x?tab=Overview
YDT Token
Date: May 25, 2025
Attack Vector: Insufficient Function Access Control
Impact: $41,400 (Recovered $41,400)
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1926587721885040686
https://x.com/BitFinding/status/1927018557096829116
Exploit:
https://bscscan.com/tx/0x233b21d0355108593c3f136797aed886ae1d4655384b33d67b1fccee88cdfbc2
https://bscscan.com/tx/0x298fdcb6a522af6d32aa12c1966bf7bee05e45a2e80fec207b2ebac0316be79c