BlockThreat - Week 43, 2025
Doodi Pals | Sharwa Finance | LuckyCode | ETH Strategy | Zap
Greetings!
A relatively quiet week with under $1 million in losses is a welcome relief. Weeks like these often keep me up at night as calm often precedes big events, so let us hope that pattern does not repeat. To help you enjoy the lull, I have assembled a curated collection of research, with a focus on off-chain and multisig security, interviews with industry leaders, and the latest entries in the criminal chronicles.
Paid subscribers will get the deep dives on the price oracle exploit at Sharwa Finance, the key compromise at Doodi Pals, and other incidents. I am also tracking an attacker probing older contracts across multiple chains, which has pulled a handful of five-figure wins here and there.
Let’s dive into the news!
Events
- Ultimate Security Games by RareSkills. November 20, 2025. The Ultimate Security Games brings the world of smart contract auditing to the main stage, turning web3 security into an esport.
News
- SEAL Launches Global Real-Time Phishing Defense Network.
- We Have a Centralization Issue by Rekt. On the crypto meltdown caused by the AWS outage. Coinbase, Metamask, L2s, and other supposedly decentralized projects went dark due to over-reliance on centralized infrastructure.
- Ledger’s new native multisig rollout sparks criticism over ‘cash cow’ fee model. Interestingly, the service was announced as free and later corrected as a typo in the original post.
- Trump Pardons Binance Founder. The pardon allows CZ to return to his role as CEO of Binance and re-enter the US market, and lifts a number of other restrictions.
- Decentralized Exchange Bunni Pulls the Plug Following $8.4M Flash Loan Exploit. Caught in a cycle of audits with too many findings and incomplete fixes, it may be best to start over.
- Withdraw your funds from Venus Protocol on BSC, a thread on a pattern of security lapses, failed bounty payouts, and other concerning behavior from a protocol that was compromised one too many times.
- Unseeable prompt injections in screenshots: more vulnerabilities in Comet and other AI browsers by Brave.
Crime
- Lazarus Group (APT38) Explained: Timeline, TTPs, and Major Attacks by Picus Labs.
- Inside Ethereum’s Shadow Economy: New Research Unmasks the $135M Drainer-as-a-Service Industry by BlockSec.
- Europol Takes Down Cybercrime Network in Latvia, Seizes $330,000 in Crypto.
- FCA sues Justin Sun-linked HTX in London High Court over alleged illegal crypto promotions.
- Canada Fines Cybercrime Friendly Cryptomus $176M.
- Crypto has become Kim Jong-Un’s lifeline — and Russia’s secret weapon.
Phishing
- X (Twitter) Phishing Account Takeovers by Security Alliance (SEAL).
- Understanding Address Poisoning on the TRON Blockchain by TRM.
- Hackers siphon $3 million in XRP from US user’s wallet.
- How I Almost Got Hacked By A ‘Job Interview’ by David Dodda.
- How a fake AI recruiter delivers five staged malware disguised as a dream job by Shantanu.
Scams
- Sell The News by Rekt. On the demise of Kadena.
Malware
- Malicious NuGet Packages Typosquat Nethereum to Exfiltrate Wallet Keys by Kirill Boychenko (Socket).
- GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace by Idan Dardikman (Koi).
- Analysis of the Lumma infostealer by Genians.
Media
- DC Privacy Summit 2025 - How to Fight the Lazarus Group with Mike Orcutt (Project Glitch), Casey G. (zeroShadow), Michael Mosier (Arktouros), and Samczsun (SEAL).
- Reverse Engineering Solana Programs | ulexec + seecoalba by radare.
- bountyhunt3rz - Episode 28 - tim.
- Edge Podcast - Code Is Law: Inside The New Documentary On DeFi’s Biggest Hacks.
Research
- Aave Borrow Rate Tuning: A Practical Guide by Olesia Bilenka (Hacken).
- Tracing Zashi and Near Intents shielded transactions by ZachXBT.
- State of the Art of Private Key Security in Blockchain Ops series by Mario Rivas (NCC Group).
- Thoughts After Auditing Multiple Off-chain Components by Damian Rusinek (Composable Security).
- Is the Move Language Secure? The Typus Permission-Validation Vulnerability by SlowMist.
- Bonding Curve Mathematics: From Theory to Pump Fun by The Accelerated Curve.
- Analysis of Input-Output Mappings in Coinjoin Transactions with Arbitrary Values.
- On-Chain Decentralized Learning and Cost-Effective Inference for DeFi Attack Mitigation.
- RiskTagger: An LLM-based Agent for Automatic Annotation of Web3 Crypto Money Laundering Behaviors.
- DeepTx: Real-Time Transaction Risk Analysis via Multi-Modal Features and LLM Reasoning.
- TaintSentinel: Path-Level Randomness Vulnerability Detection for Ethereum Smart Contracts.
Tools
- Ethereum Context Copilot - a purpose-trained LLM covering all aspects of Ethereum code, operations, bugs, etc.
- Local Safe by Patrick Collins. A completely local version of Safe UI.
- Solana VS Code Extension - security-focused development tools by Ackee.
- Jetstreamer - a high-throughput Solana backfilling and research toolkit designed to stream historical chain data live over the network from Project Yellowstone’s Old Faithful archive, a comprehensive open source archive of all Solana blocks and transactions from genesis to the current tip of the chain.
Hacks
Sharwa Finance
Date: October 20, 2025
Attack Vector: Price Oracle Manipulation
Impact: $147,000 (Recovered $40,000)
Chain: Arbitrum
References:
https://x.com/DecurityHQ/status/1980159991991738793
https://x.com/Phalcon_xyz/status/1980220633335349598
https://x.com/SharwaFinance/status/1980152746373238990
https://x.com/sharwafinance/status/1980535243875463639
https://x.com/hklst4r/status/1980157251550670992
Reappeared bug:
https://x.com/DecurityHQ/status/1980211713870811213
https://github.com/pashov/audits/blob/master/team/pdf/SharwaFinance-security-review.pdf
Recovery:
https://x.com/De_FiSecurity/status/1981742701528670610
Exploit:
https://arbiscan.io/tx/0x9f8b4841f805ec50cc6632068f759216d85633fbbe34afde86b97bbc41c23ead
https://arbiscan.io/tx/0x35a523bdaf60a9e8b66ab92bb8b78d5012e102e462b665e98ce46f7e07addd36
https://arbiscan.io/tx/0x4d6606adb98852d85c4f4c1e11f51a313b8d1b7120db3d063f74a2f8f1efb3e5
https://arbiscan.io/tx/0xb0bf77475818b2501e78f0927f4131e52c6efd45bc4978992cbbe218a57e6f7f
Doodi Pals
Date: October 20, 2025
Attack Vector: Key/Signer Compromise
Impact: $171,000
Chain: Solana
References:
https://x.com/evilcos/status/1980443998461608427
https://x.com/DoodiPals/status/1980286066201600109
https://x.com/DoodiPals/status/1980547087390392409
Zap
Date: October 24, 2025
Attack Vector:
Impact: $16,804
Chain: Base
References:
https://x.com/DefimonAlerts/status/1981655692957335627
Exploit:
https://basescan.org/tx/0x8b38a06f183d31735fa8dd3b0f573706828cd587d978f4cc09b6ee5e16f1b9bf
Unkn_2cc409
Date: October 24, 2025
Attack Vector:
Impact: $28,760
Chain: Base
References:
https://x.com/DefimonAlerts/status/1981659673452491002
Exploit:
https://basescan.org/tx/0x0d9224d8ac83bbe9318b98add42b68095e00ccd3f2849fbdb8ff0c2e1409a941
LuckyCode
Date: October 24, 2025
Attack Vector: Bad Randomness
Impact: $56,000
Chain: Ethereum
References:
https://x.com/DefimonAlerts/status/1981671353674846591
Exploit:
https://etherscan.io/tx/0x7010b0d2e96fad1c41a925a1f6ab7cdc0da75ea87690d4bd3e4924829eeefdf2
https://etherscan.io/tx/0xd2d82d9cf81502e24a5382378e3070c3dfd0ca145127a508543a14df1e10b2a4
Unkn_D9f4a3
Date: October 24, 2025
Attack Vector:
Impact: $7,671
Chain: Base
References:
https://x.com/DefimonAlerts/status/1981722712637911417
Exploit:
https://basescan.org/tx/0x8a641e2442abdde9c063710553cf4140fc9f71f0a0c6faccc36eef01323e83bc
ETH Strategy
Date: October 24, 2025
Attack Vector: Insufficient Function Access Control
Impact: $31,544
Chain: Ethereum
References:
https://x.com/DefimonAlerts/status/1981670261352230929
https://www.notion.so/Post-Incident-Review-Redemption-Facilitator-Contract-1-29643c3c083480a282c5eab8c4bf21b3
Exploit:
https://etherscan.io/tx/0x4c2e4f19e8adb23f058749c64a5705e52f4ebc007b19ebed4c4c45150a112859