BlockThreat - Week 26, 2025

Greetings!

More than $12 million was stolen this week across four incidents, with Resupply and Silo Finance suffering multi-million dollar losses. The Resupply hack is particularly notable where $9.8 million was drained due to a recurring vulnerability in which an empty market is exploited via a rounding error to mint excessive protocol tokens. Since the 2023 Hundred Finance hack, this vulnerability class has now accounted for over $51 million in losses, as developers continue to learn the painful lesson that newly deployed markets demand extra care, especially around math precision and initial liquidity. The incident also triggered the now-familiar cascade of finger-pointing further fueling drama across the ecosystem.

The remaining compromises were just as easily preventable. An MEV bot called printMoney lost $2 million due to insufficient function access control, while Silo Finance lost over $500,000 because of poor function parameter validation. These are well-known and well-documented issues. If you haven’t already, check out the recently released DeFi Top 10 Attack Vectors where these two categories appear on the list year after year, consistently causing millions in damages.

If you’re a developer and don’t feel fully confident in preventing these types of bugs, check out this week’s sponsor - Oak Security, a trusted auditor behind some of the ecosystem’s most unique protocols and a long-time supporter of this newsletter.

Oak Security has operated in Web3 Security since 2017, providing security services throughout a project's lifecycle. audits. This includes audits, penetration testing, operational security training, and advisory services. Our signature blinded process emphasizes redundancy: Every line of code is reviewed by multiple auditors with a multi-disciplinary background in parallel.

Link: https://www.oaksecurity.io/

In other news, be sure to check out a new community-driven project Unphishable from the good folks at DeFi Hack Labs, ScamSniffer, and SlowMist. It’s a series of interactive challenges designed to teach users how to spot and avoid common Web3 phishing attacks. The project simulates real-world scams involving malicious signatures, spoofed dApps, and fake support agents, giving users a low-stakes environment to train their instincts before real money is on the line. Amazing!

And while you are at it be sure to thank this week’s sponsor Coinspect for helping uplevel wallet and user security.

Coinspect’s Wallet Security Ranking is an objective, transparent, and regularly updated evaluation of leading cryptocurrency wallets. It focuses on critical security features like anti-phishing defenses, transaction clarity, and protection against blind signing, helping users choose wallets that prioritize their safety.

Link: https://www.coinspect.com/wallets/

Let’s dive into the news!

News

• Cork hacker sends ETH to Tornado Cash, donates to Roman Storm’s fund causing even more unnecessary drama in the blockchain security industry.
• Spoils of $1.5 Billion Bybit Hack Traced to Greek Crypto Exchange.
• Ledger is discontinuing support for older Ledger Nano S devices.
• Dispute Between Immunefi and Spectra Finance Over Bug Bounty Payments.
• State of Crypto Security 2025 by Areta. High level overview of the blockchain security market including key players and holistic security programs.

Crime

• Monero-only hacker IntelBroker caught after accepting Bitcoin from FBI - dlnews.com. A story of a $250 BTC deposit that unraveled it all.
• An investigation into how the New York based social engineering scammer Daytwo/PawsOnHips (Christian Nieves) stole $4M+ from Coinbase users by impersonating customer support, bought luxury goods, and lost most of the funds gambling at casinos by ZachXBT.
• HyperLiquid: A New Route for Crypto Money Laundering? by Nefture Security.
• On-Chain Analysis of HuionePay: Unveiling the Over $55 Billion USDT in Fund Flows by Lisa (SlowMist).
• What Are Instant Crypto Exchanges, and Why Have They Become the Hotspot for Money Laundering? by BlockSec.
• Russian drug marketplace launches its token on Solana by Officer CIA.
• Bitcoin firm says police shouldn't saw open Bitcoin ATMs to seize cash for scammed customers, will seek damages for destroyed machines — firm claims seizures are criminal and victimize the company.
• Crash (exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace by Winnona DeSombre Bernsen. In case you want to learn about traditional infosec 0day supply chains and markets.

Policy

• US Attorney of the Southern District of New York filed a superseding indictment against Samourai Wallet with a number of factual errors including Samourai somehow making transfers on behalf of non-custodial wallets and while also breaking Whirlpool security.
• Ripple Stuck With $125 Million Penalty as Judge Denies XRP Settlement With SEC.
• Bitcoin ATM Giant Hit With $300K Penalty.

Phishing

• Unphishable - a series of educational challenges to help you understand and identify common Web3 phishing attacks.
• Trezor’s support platform abused in crypto theft phishing attacks.
• PhishingHook: Catching Phishing Ethereum Smart Contracts leveraging EVM Opcodes.

Scams

• Pepe meme creator’s NFT projects hit for $1 million as contract hijackers drain collections.

Malware

• Uncovering a Tor-Enabled Docker Exploit by Sunil Bharti, Shubham Singh (TrendMicro). A report on a mass campaign of exposed docker APIs for cryptomining.
• Cryptominers’ Anatomy: Shutting Down Mining Botnets by Maor Dahan (Akamai).
• SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play by Sergey Puzan (Kaspersky). Analysis of the cryptostealer campaign targeting mobile users.

Media

• bountyhunt3rz - Episode 18 - riptide.
• OpenSense - Stop Guessing. Start Proving. Formal Verification with Halmos with Shanzson (Zokyo).
• OpenSense - Starknet Cairo's Security with Talfao (Codespect).
• DPRK Civil Engineer Fake Profile Process. Actual DPRK instructional video on how to create their civil engineering profile(s). And here is a sample session with a DPRK Licensed Civil Engineer.

Research

• Bridge vulnerabilities collection by The Caliber.
• Trust, But Measure: A Friendly Intro to TEEs with Intel TDX by ZKSecurity.
• When Empty Means Valid: Exploiting MPT Proof Verification for an Alternative Truth by ChainSecurity.
• Live EigenLayer Bug Discovered During Sidecar Security Review by Andy Li (Sigma Prime).
• How Much Do Top Smart Contract Auditors Really Make? by Johnny Time.
• Common Circom Pitfalls and How to Dodge Them — Part 1 by Marco Besier (ZKSecurity).
• Maturing your smart contracts beyond private key risk by Benjamin Samuels (Trail of Bits).
• Analyzing Upgradability Patterns Across Blockchains by Shubhi Saran (Immunebytes).
• AI Agents for application security testing by Fuzzing Labs.
• CryptoGotchas - A collection of common (interesting) cryptographic mistakes and learning resources by Greg Rubin (SalusaSecondus).
• ETrace:Event-Driven Vulnerability Detection in Smart Contracts via LLM-Based Trace Analysis.
• Efficient Blockchain-based Steganography via Backcalculating Generative Adversarial Network.
• Smart-LLaMA-DPO: Reinforced Large Language Model for Explainable Smart Contract Vulnerability Detection.
• FORGE: An LLM-driven Framework for Large-Scale Smart Contract Vulnerability Dataset Construction.
• SCOOP: CoSt-effective COngestiOn Attacks in Payment Channel Networks.
• Decompiling Smart Contracts with a Large Language Model.

Tools

• Accretion Solana Data Reverser - A browser-based reverse engineering tool for analyzing hex data with deep Solana blockchain integration. Perfect for examining raw binary data, Solana account structures, and discovering patterns in blockchain data. Live tool here.

Hacks

printMoney MEV Bot

Date: June 25, 2025
Attack Vector: Insufficient Function Access Control
Impact: $2,000,000
Chain: BSC

References:

https://x.com/PeckShieldAlert/status/1937759696183873634
https://x.com/Phalcon_xyz/status/1937753560391004641

Exploit:

https://bscscan.com/tx/0x7708aaedf3d408c47b04d62dac6edd2496637be9cb48852000662d22d2131f44

Silo Finance

Date: June 25, 2025
Attack Vector: Function Parameter Validation
Impact: $546,000
Chain: Ethereum, Sonic

References:

https://x.com/CyversAlerts/status/1937894864659554680
https://silofinance.medium.com/post-mortem-unreleased-leverage-contract-exploitd-0ab8f37afcbb

Exploit:

https://etherscan.io/tx/0x1f15a193db3f44713d56c4be6679b194f78c2bcdd2ced5b0c7495b7406f5e87a
https://etherscan.io/tx/0x161a4e9bd777c81af4b2f2c4062281bf25ce460b9b04fbea83f09fba270c8b3b

Resupply

Date: June 26, 2025
Attack Vector: Rounding Error
Impact: $9,800,000
Chain: Ethereum

References:

https://x.com/Phalcon_xyz/status/1938061381288530243
https://x.com/peckshield/status/1938061948647817647
https://x.com/Phalcon_xyz/status/1938073001087652021
https://x.com/ResupplyFi/status/1938092252431036491
https://rekt.news/resupplyfi-rekt
https://mirror.xyz/0x521CB9b35514E9c8a8a929C890bf1489F63B2C84/ygJ1kh6satW9l_NDBM47V87CfaQbn2q0tWy_rtp76OI
https://blog.solidityscan.com/resupply-hack-analysis-d4e3baaa294a
https://quillaudits.medium.com/resupply-hack-how-a-donation-attack-led-to-9-5m-in-losses-91e4e34d3bf5
https://x.com/hklst4r/status/1938088811680174591

Drama:

https://x.com/HaowiWang/status/1939300119041716648
https://x.com/newmichwill/status/1939243733792252280
https://x.com/newmichwill/status/1938890462267396371
https://x.com/SlowMist_Team/status/1939938302469009683

Incident Response:

https://x.com/newmichwill/status/1938890462267396371

Exploit:

https://etherscan.io/tx/0xffbbd492e0605a8bb6d490c3cd879e87ff60862b0684160d08fd5711e7a872d3

Stead Token

Date: June 29, 2025
Attack Vector: Insufficient Function Access Control
Impact: $14,500
Chain: Arbitrum

References:

https://x.com/TenArmorAlert/status/1939508301596672036

Exploit:

https://arbiscan.io/tx/0x32dbfce2253002498cd41a2d79e249250f92673bc3de652f3919591ee26e8001