BlockThreat - Week 31, 2025

Greetings!

The spotlight remains on the Samourai Wallet and Tornado Cash trials, with the Samourai defendants pleading guilty while Roman Storm continues to fight for the freedom to write code. A new trend is emerging as chain operators like Base and Arbitrum begin investing in ecosystem security, subsidizing code audits for projects building on their networks. Just a couple of compromises this week, both stemming from careless bugs and netting attackers just over $2M. Let’s take a closer look.

Users continue to fall victim to exploits long after major breaches because permission revocation is often neglected. The Multichain Router (formerly AnySwap) vulnerability from 2022 allowed attackers to bypass intended permission checks and drain funds from wallets that still had lingering approvals, even on chains where the router was no longer active. In one recent case a well-known MEV bot front-ran the theft and inadvertently rescued 401 ETH. Someone got really lucky here! So pretty please, with a sugar on top, revoke your approvals at revoke.cash.

Speaking of user and wallet security be sure to thank this week’s sponsor Coinspect.

Coinspect’s Wallet Security Ranking is an objective, transparent, and regularly updated evaluation of leading cryptocurrency wallets. It focuses on critical security features like anti-phishing defenses, transaction clarity, and protection against blind signing, helping users choose wallets that prioritize their safety.

Link: https://www.coinspect.com/wallets/

You’d think after countless smart contract disasters, fundamentals like permission checks would be bullet proof but SuperRare’s staking contract proves otherwise. A simple mistake in the updateMerkleRoot function allowed anyone to hijack critical staking logic and drain $730K worth of RARE tokens:

function updateMerkleRoot(bytes32 newRoot) external override {
    if (
        (msg.sender != owner() &&
            msg.sender !=
            address(0xc2F394a45e994bc81EfF678bDE9172e10f7c8ddc))
    ) revert NotAuthorized();

It took attackers about two weeks to discover and exploit this completely preventable and careless vulnerability.

Let’s dive into the news!

Events

• Defcon - Cryptocurrency Village. August 8-10. Featuring awesome talks on wallet, exchange, DeFi security.

News

• Arkham uncovered a $3.5B in BTC hack of LuBian, a Chinese mining pool, back in 2020. Unlike traditional hotwallet or infrastructure CeFi compromises, this one was caused by weak private key generation algorithm. Better late than never to discover and learn from the largest (in USD) crypto hack in history.
• Monero Faces Looming 51% Attack Threat From Rival Blockchain Qubic.
• Founders Of Samourai Wallet Cryptocurrency Mixing Service Plead Guilty. According to DoJ court documents, the two developers were actively promoting the wallet for concealing criminal proceeds on darknet forums and private chats.
• Coinbase reports data theft cost $307 million as spot volumes and revenue dip in Q2.
• Introducing free security reviews for Base builders by Base Engineering Team. A complementary service to the already free Hexagate monitoring service to onchain projects.
• Arbitrum Foundation plans to allocate $14 million in ARB to subsidize security audits for network projects.
• SlowMist Monthly Security Report: July Estimated Losses at $147 Million.
• The Hacken 2025 Half Year Web3 Security Report.
• 2025 Crypto Crime Mid-year Update: Stolen Funds Surge as DPRK Sets New Records by Chainalysis.
• The Anatomy of a Breach Report - 2025 by Lab1. An interesting report into bad actor practices to correlate leaked creds, KYC, private keys, and other data to execute attacks.
• 2025 GenAI Code Security Report - Assessing the security of using LLMs for coding by Veracode. Only 55% of produced code was safe.
• Amazon AI coding agent hacked to inject data wiping commands.

Crime

• CoinDCX Employee Arrested Over $44M Exchange Hack. An interesting case-study, where an employee may be arrested and prosecuted for negligence even if they did not intend to be malicious.
• North Korea sent me abroad to be a secret IT worker. My wages funded the regime. A rare look into the operation by a regime defector.
• N. Korean Hackers Used Job Lures, Cloud Account Access, and Malware to Steal Millions in Crypto.
• Cameron Redman aka Canadian was convicted for the June 2022 mass X account compromise. ZachXBT was involved in the investigation leading to the arrest.
• Satoshi Nakamoto Statue Stolen From Lugano’s Parco Ciani.
• South Florida crypto money launderer sought grisly kidnappings involving amputations.
• FBI seizes $2.4M in Bitcoin from new Chaos ransomware operation.
• Virtual theft of crypto assets remains unpunished. An outdated legal framework in Germany allowed a thief to get away with $2.9M.
• Cyprus Police Probe Crypto Heist: Over $448,000 Vanishes After Email Hack.

Policy

• GENIUS or Gimmick by Rekt. An exploration of unwanted centralization effects of the GENIUS act.

Phishing

• ScamSniffer July 2025 Phishing Report. Losses increased by 153% with $7.09M in losses and 56% more victims (9,143 victims).
• A new pattern by scammers to make compromised wallets completely break so you can't send any funds to it for any rescues using EIP-7702 by pcaversaccio.
• How to protect yourself from Google Forms scams by Kaspersky.
• This Fake Bitcoin ATM Scheme Has Wasted 4,000 Hours of Scammers' Time. Kitboga strikes again.
• Possible targeted attack using 1-click RCE in Telegram Desktop.

Malware

• Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal by CheckPoint. From Facebook ads to fake crypto apps which steal creds and drain wallets.

Media

• The Trial Against Tornado Cash Developer Roman Storm: Everything You Need to Know hosted by The Rage and includes Taylor Monahan, Molly White, Tim Clancy, and Amanda Tuminelli.

Research

• Lido Security Disclosure: CSVerifier weak validation of the historical block GIndex. User funds remain safe.
• Someone forgot to revoke approvals for Multichain Router V4, resulting in a 401 ETH instant hack by MEV bots by Chaofan Shou.
• Bitcoin Lightning bug allows remote theft of bitcoin via LND nodes.
• Modern invariant testing with halmos by karmacoma and Daejun Park (a16z crypto).
• zkFuzz: Foundation and Framework for Effective Fuzzing of Zero-Knowledge Circuits.
• Security Frameworks by SEAL - Wallet Security section by Piña (Coinspect).
• The State of Encryption in Web3 by Safe Research.
• Keeping secrets secure with secret scanning by Github.
• Agent Red-Teaming: The AI Jailbreak Showdown by Ayla Croft (Gray Swan). You can participate here.
• An implementation of "Commit-Reveal²: Randomized Reveal Order Mitigates Last-Revealer Attacks in Commit-Reveal" protocol for distributed consensus applications.
• My Smart Contract Auditing Mental Model - Not a checklist! by The Caliber.
• Optimistic Rollups.
• From Solana to Stylus: Introducing StylusPort by Oak Security.
• Compressed NFTs on Solana by 0xmahdirostami.
• Sui Move for EVM and SVM Developers: Part 1 - Mental Models by Ahmad Khan (Adevar Labs).
• AI Agent Smart Contract Exploit Generation.
• Program Analysis for High-Value Smart Contract Vulnerabilities: Techniques and Insights.
• "Blockchain-Enabled Zero Trust Framework for Securing FinTech Ecosystems Against Insider Threats and Cyber Attacks".
• SoK: Root Cause of $1 Billion Loss in Smart Contract Real-World Attacks via a Systematic Literature Review of Vulnerabilities.
• A Formal Rebuttal of "The Blockchain Trilemma: A Formal Proof of the Inherent Trade-Offs Among Decentralization, Security, and Scalability".
• DoS Attacks and Defense Technologies in Blockchain Systems: A Hierarchical Analysis.
• SAEL: Leveraging Large Language Models with Adaptive Mixture-of-Experts for Smart Contract Vulnerability Detection.
• ETrace:Event-Driven Vulnerability Detection in Smart Contracts via LLM-Based Trace Analysis.

Tools

• ape-safe - Account plugin for the Safe multisig wallet (previously known as Gnosis Safe) for the Ape Framework.
• Anchor - a framework providing several convenient developer tools for writing Solana programs by Solana Foundation.
• Introducing Solazy – A Solana Static Analyser & Reverse Engineering tool.
• hashcat v7.0.0 release including support for MetaMask and various wallet cracking.
• Keeping secrets secure with secret scanning - GitHub Docs.

Hacks

SuperRare

Date: July 28, 2025
Attack Vector: Insufficient Function Access Control
Impact: $730,000
Chain: Ethereum

References:

https://x.com/SlowMist_Team/status/1949770231733530682
https://x.com/CyversAlerts/status/1949766758635610276
https://x.com/PeckShieldAlert/status/1949764035408527414
https://x.com/Phalcon_xyz/status/1949780457786351991
https://x.com/SuplabsYi/status/1949782448017199517
https://x.com/AMLBotHQ/status/1949851459216150754
https://blog.solidityscan.com/superrare-hack-analysis-488d544d89e0

Exploit:

https://etherscan.io/tx/0xd813751bfb98a51912b8394b5856ae4515be6a9c6e5583e06b41d9255ba6e3c1

Unkn_670471

Date: July 29, 2025
Attack Vector: Insufficient Function Access Control
Impact: $2,000
Chain: Ethereum

References:

https://x.com/TikkalaResearch/status/1950254795815866867

Exploit:

https://etherscan.io/tx/0x6a2a9f48ff78966cb44772c3551a56d7c5b788168f81cae8d06006c79a86fc16

Multichain User, Multichain aka Anyswap

Date: July 29, 2025
Attack Vector: Forgotten approval
Impact: $1,500,000
Chain: Ethereum

References:

https://x.com/shoucccc/status/1950310650510791168
https://x.com/TalBeerySec/status/1950470423293886685
https://dune.com/talbeerysec/Multichain-hack
https://revoke.cash/exploits/multichain?chainId=1
https://dedaub.com/blog/phantom-functions-and-the-billion-dollar-no-op/

Exploit:

https://etherscan.io/tx/0x75316e0aac282c9db5c57d2abe74e29e072466114afb8d70cd8b7115196fca57