BlockThreat - Week 44, 2025
Garden Finance | Peapods | 402 Bridge | 0xc0ffee | MEV | Thodex | LastPass
Greetings!
More than $11.2M was stolen this week across eleven incidents. Among the more notable exploits was the 0xc0ffee MEV bot hack, which lost $218K through an exposed uniswapV3SwapCallback method: a callback that should be reachable only by a Uniswap V3 pool during a swap the bot itself initiated, but which here could be invoked by anyone. Unprotected callbacks have popped up a few times this year, so be sure to check out Giovanni Di Siena’s article on hook security in the Research section on how to lock down these callbacks.
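As an added illustration (not the 0xc0ffee bot's code, which the sources above do not publish), the contrast below shows the general shape of an exposed swap callback next to a locked-down one. The exposed version pays out whatever the caller asks for, so any contract can call it directly and drain the bot's token balances. The hardened version derives the pool from the canonical factory, records it only for the duration of a swap the owner started, and rejects every other caller. Interface names are the standard Uniswap V3 ones; the contract names and the `expectedPool` lock are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal subsets of the real Uniswap V3 / ERC-20 interfaces.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address pool);
}

interface IUniswapV3Pool {
    function swap(
        address recipient,
        bool zeroForOne,
        int256 amountSpecified,
        uint160 sqrtPriceLimitX96,
        bytes calldata data
    ) external returns (int256 amount0, int256 amount1);
}

/// EXPOSED pattern (illustrative, not the hacked bot's source): the callback assumes
/// msg.sender is a pool mid-swap and pays whatever deltas are requested. Anyone can
/// call it with crafted deltas and token addresses and receive the bot's tokens.
contract ExposedCallbackBot {
    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        (address token0, address token1) = abi.decode(data, (address, address));
        if (amount0Delta > 0) IERC20(token0).transfer(msg.sender, uint256(amount0Delta));
        if (amount1Delta > 0) IERC20(token1).transfer(msg.sender, uint256(amount1Delta));
    }
}

/// LOCKED pattern: the pool address comes from the canonical factory, is stored only
/// while a swap we initiated is in flight, and the callback accepts that caller alone.
contract LockedCallbackBot {
    IUniswapV3Factory public immutable factory;
    address public immutable owner;
    address private expectedPool; // address(0) whenever no swap is in flight

    constructor(IUniswapV3Factory _factory) {
        factory = _factory;
        owner = msg.sender;
    }

    function swapExactIn(
        address tokenIn,
        address tokenOut,
        uint24 fee,
        uint256 amountIn,
        uint160 sqrtPriceLimitX96
    ) external {
        require(msg.sender == owner, "not owner");
        require(expectedPool == address(0), "swap already in flight");
        require(amountIn <= uint256(type(int256).max), "amount too large");

        // Resolve the pool through the factory instead of trusting a caller-supplied address.
        address pool = factory.getPool(tokenIn, tokenOut, fee);
        require(pool != address(0), "unknown pool");

        // token0 is always the lower address, so this fixes the swap direction.
        bool zeroForOne = tokenIn < tokenOut;

        expectedPool = pool; // arm the callback for exactly this caller
        IUniswapV3Pool(pool).swap(address(this), zeroForOne, int256(amountIn), sqrtPriceLimitX96, abi.encode(tokenIn));
        expectedPool = address(0); // disarm; a direct call to the callback now fails
    }

    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata data) external {
        // msg.sender is never address(0), so this also rejects calls made while idle.
        require(msg.sender == expectedPool, "unauthorized callback");

        address tokenIn = abi.decode(data, (address));
        // Exactly one delta is positive: the amount of tokenIn we owe the pool.
        int256 owed = amount0Delta > 0 ? amount0Delta : amount1Delta;
        require(owed > 0, "nothing owed");
        require(IERC20(tokenIn).transfer(msg.sender, uint256(owed)), "transfer failed");
    }
}
```

The single-slot lock is the cheapest fix: no whitelist to maintain, and nothing a stranger can do changes `expectedPool`. For defense in depth, Uniswap's own periphery instead recomputes the pool's CREATE2 address from (token0, token1, fee) and checks it against `msg.sender`; either approach works, but a callback with neither check is exactly the "Insufficient Function Access Control" vector listed under this week's Hacks.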
Garden Finance lost almost $11M after one of its solvers was compromised and private keys stolen. The irony here is that Garden Finance was previously implicated as a laundering venue for multiple Lazarus-linked hacks like Bybit, SwissBorg, and others. In a classic moment of frontier justice, ZachXBT refused to offer any support and even discouraged attackers from returning any of the illicitly obtained funds.
Oh, and be on the lookout for phishing emails impersonating LastPass!
Let’s dive into the news!
News
- Our presence at the biggest Latin American security conference, Ekoparty by The Red Guild.
- Introducing Aardvark: OpenAI’s agentic security researcher. The AI audit space is getting hot.
Crime
- A thread on the US v. Peraire-Bueno trial by Inner City Press.
- An unlikely couple, a doomed affair and their €64mn ransomware scam. An inside view of the CryLock (Cryakl) ransomware operators Vadim Sirotin and Elena Timofeeva.
- Interview with the Chollima III by Mauro Eldritch and Ulises (Bitso).
- Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs by Kaspersky. Details of a new GhostCall campaign targeting the crypto community over Telegram with macOS malware.
- Indiana Police Recover Stolen Bitcoin Mining Rigs—And $75K Worth of Frozen Turkeys.
- NBA Gambling Scandal: at least $400,000 in ETH seized.
- Royal Thai Police Arrest Fugitive Chinese National Behind Multi-Million Dollar Crypto Fraud Scheme by TRM.
- Chinese Man Arrested in Bangkok Over Alleged $14M Crypto Ponzi Scheme.
- CEO of collapsed Thodex exchange found dead in Turkish prison while serving an 11,196-year sentence.
Phishing
- Possible CryptoChameleon Social Engineering Campaign Targeting LastPass Customers, Crypto Exchange Customers, Passkeys, and More. A new phishing campaign using a request for the victim’s death certificate as a lure.
- Thread on malicious Merkl campaigns with high APRs and unverified Euler vaults by YAM. Attackers are using fake markets with high oracle prices to drain any supplied liquidity.
Scams
- House Of Cards by Rekt. A story of two stablecoins caught in the mutual backing loop. What could go wrong?
Malware
- Infostealers Disguised as Free Video Game Cheats by vxdb.
- From Dream Job to Malware: DreamLoaders in Lazarus’ Recent Campaign by Lab52.
Media
- bountyhunt3rz - Episode 29 - j4x.
- Governance Futures S.1 Ep.17 - Security, DAOs, and Human Error: Threat Modeling Web3 with Isaac Patka.
Contests
Research
- Uniswap V4 Hooks Security Deep Dive by Giovanni Di Siena (Solodit).
- Multisig Security Analysis by engn33r (Electisec).
- Securing the Blockchain: AI and Staying Ahead of the Curve + Ethena Yield Theft by Bountyhunt3rz.
- How can you be drained years after a protocol’s hack? A thread by Ye in Web3 on the victims.
- Bad Vibes by Rekt. An excellent analysis of the future of AI-augmented code development, its risks and pitfalls. As the article asks: “When will we see our first crypto exploit where we found out the root cause was due to vibe coding?”
- New physical attacks are quickly diluting secure enclave defenses from Nvidia, AMD, and Intel by Dan Goodin (Ars Technica).
- Oracle Infrastructure: The Backbone of Lending Protocols by Noveleader and Francesco (Castle Labs).
- Core Architecture and Positioning of DeFi’s Top Money Markets by Noveleader and Atomist (Castle Labs).
- Uniswap v1 explained: How it changed DeFi forever by M3D (Zealynx).
- Vibe Fuzzing Guide for Wake’s Manually-Guided Fuzzing by Naoki Yoshida (Ackee).
- Top 7 Findings in Off-Chain Components by Damian Rusinek (Composable Security).
- Detecting Various DeFi Price Manipulations with LLM Reasoning.
- FLAMES: Fine-tuning LLMs to Synthesize Invariants for Smart Contract Security.
- LLM-Powered Detection of Price Manipulation in DeFi.
- DeepTx: Real-Time Transaction Risk Analysis via Multi-Modal Features and LLM Reasoning.
Tools
- Multisig Security Checker by engn33r. Analyze your Safe multisig contract for security best practices.
- Localsafe.eth is officially launched. Enjoy an always-available, IPFS-hosted or locally hosted multisig frontend without relying on large cloud infrastructure.
- Device hardening & factory reset guides by Opsek.
- Orb Explorer now includes Solana program source code.
Hacks
VaultManager
Date: October 27, 2025
Attack Vector:
Impact: $3,710
Chain: Ethereum
References:
https://x.com/DefimonAlerts/status/1982799887596241406
Exploit:
https://etherscan.io/tx/0x957114ab6ae267b53822bc70e7c9320072191e2a34e351109a6a185eb9141f9a
Unkn_25f593
Date: October 27, 2025
Attack Vector: Governance
Impact: $2,078
Chain: Ethereum
References:
https://x.com/DefimonAlerts/status/1982850945018147072
https://x.com/DefimonAlerts/status/1982797724111319543
Exploit:
https://etherscan.io/tx/0x49b872b4025c0f4f844ee45f3b29bd9c7075979d86be5c196cde3a0782020c99
402 Bridge
Date: October 27, 2025
Attack Vector: Key/Signer Compromise
Impact: $17,000
Chain: Base
References:
https://x.com/402bridge/status/1982860168464650534
https://x.com/GoPlusZH/status/1983015854859338167
https://x.com/402bridge/status/1983042581190853022
https://x.com/m13_digital/status/1983040577366040855
Exploit:
https://basescan.org/tx/0x089a6336425c6ee6d8954923763cbaeef1173ce44b5c0ab853c85863726e46e2
CAPY Token
Date: October 29, 2025
Attack Vector: Function Parameter Validation
Impact: $20,000
Chain: Base
References:
https://x.com/DefimonAlerts/status/1983488316465938603
Exploit:
https://basescan.org/tx/0x5cf888d4c20f04c29fb4d6ab2a117316599a9c98f05f48e30e62531b1d5d3d73
Peapods
Date: October 29, 2025
Attack Vector:
Impact: $120,000
Chain: Ethereum
References:
https://x.com/DefimonAlerts/status/1983646311963615733
https://x.com/DefimonAlerts/status/1985262112034443586
https://x.com/DefimonAlerts/status/1985262007407554674
https://x.com/DefimonAlerts/status/1985261957432373319
Negotiating:
https://etherscan.io/tx/0xd5008433c94131e390d3b89f1d70bd61ee9d62520f2f9d2658c54ef7f7ea8e85
Exploit:
https://etherscan.io/tx/0x2f768a318a76d4c934c331241f887b62178e3c3edf5e7c063a6e0a7b9190491b
https://etherscan.io/tx/0xa28b9fda2872634f358498ab80a61271b33eed79e05db0f5fee71faef981c2c5
https://etherscan.io/tx/0x655bdd8cfa38d05f1dd40ebf53a64e38effce134f8669463ab4024761f85f4fa
Housing Engine
Date: October 30, 2025
Attack Vector: Sybil Attack
Impact: $2,325
Chain: BSC
References:
https://x.com/DefimonAlerts/status/1983875325693169975
https://x.com/DefimonAlerts/status/1983879728751599770
Exploit:
https://bscscan.com/tx/0x31788fe3cdb307f98d932a5429149875d0f88408852704eab7971d1fade4aa9e
Garden Finance
Date: October 30, 2025
Attack Vector: Key/Signer Compromise
Impact: $10,800,000
Chain: Ethereum, Arbitrum, Solana
References:
https://x.com/gardenfi/status/1983949462507811095
https://x.com/DefimonAlerts/status/1983885979317424563
https://x.com/DefimonAlerts/status/1983884669834949066
https://x.com/WuBlockchain/status/1983897348901126513
https://x.com/punkaj__/status/1983952241578184907
https://x.com/tanuki42_/status/1984002768131252417
https://x.com/AMLBotHQ/status/1985413035708858825
https://x.com/zachxbt/status/1983959869674942662
Previous concerns:
https://x.com/zachxbt/status/1983114885795066354
Negotiations:
https://etherscan.io/tx/0x4dc7a65efa19ad957359352b6d71750641f38a21a95a3e0d4b470343fee83a2f
Exploit:
0xc0ffee MEV bot
Date: October 30, 2025
Attack Vector: Insufficient Function Access Control
Impact: $218,000
Chain: Base
References:
https://x.com/DefimonAlerts/status/1983810181302538377
https://x.com/CertiKAlert/status/1983742817022439822
Exploit:
https://basescan.org/tx/0x83da47641680d0cf0a0567e3bcd5961cd30dbd5f34007f0e26e54216ad20b439
https://basescan.org/tx/0x4449114ceaedd11e8f1363c5e53507198323a63cb6958dc26078fc016d0d4b27
Friendtech
Date: October 31, 2025
Attack Vector:
Impact: $15,000
Chain: Base
References:
https://x.com/DefimonAlerts/status/1984327915555958820
https://x.com/DefimonAlerts/status/1984703112020455754
Exploit:
https://basescan.org/tx/0xd89bc366d12df1361a5c65c16357eada27c4473feeaaf0a80081f56d116e3bbc
https://basescan.org/tx/0xa82fe9881528d24e5d3f979321b9d6d4535e7eee78538b93d8ea2f16de4e9b9a
BTS
Date: November 01, 2025
Attack Vector:
Impact: $1,859
Chain: BSC
References:
https://x.com/DefimonAlerts/status/1984805148892545091
Exploit:
https://bscscan.com/tx/0xce3776d66f1baf41205dbda3fc05e93fb9ad6f9b000a0a0ca27a9ed61c0adcb0
Ideal Protocol
Date: November 01, 2025
Attack Vector:
Impact: $4,636
Chain: BSC
References:
https://x.com/DefimonAlerts/status/1984692584451883202
https://x.com/DefimonAlerts/status/1984701966539505705
Exploit:
https://bscscan.com/tx/0xf7fbc4ba85558528c00db608bd55d792ed7aacbd3ec5e8878ff4c10af1ee4c17