BlockThreat - Week 45, 2025
Balancer | Stream Finance | MEV | Peraire-Bueno | Samourai | DPRK IT Workers
Greetings!
More than $132M was stolen last week across seven incidents. Smart contract exploits, systemic stablecoin depegs and liquidity crunches, kidnappings, and much more. However, this edition focuses on the largest smart contract exploit this year: the Balancer hack.
On November 3, 2025, Balancer suffered a highly coordinated attack across seven chains. The attacker exploited a subtle rounding error to steal more than $128M. There are plenty of excellent writeups on the exploit itself, and you can find many more in the premium section below. Instead, I want to focus on something positive amid all of this destruction: the story of how the community, blockchain security companies, and chain and protocol operators worked together with remarkable coordination to fight back against the attacker, and in many instances won.
Here are just some of the incident response actions by Balancer and many affected chains and protocols:
- Balancer paused affected pools, gauges, and incentives across chains within 20 minutes.
- StakeWise executed an emergency multisig action to claw back $20.7M in osETH and osGNO tokens.
- Monerium froze the attacker's 1.3M EURe.
- Berachain quickly disabled affected pools while coordinating a gradual shutdown of bridges, and eventually halted the chain.
- Sonic immediately froze* the attacker's addresses using a built-in safety mechanism.
- Polygon began censoring the attacker's addresses at the chain level.
- Gnosis chain partially halted canonical bridge.
*Simply freezing ERC20 transfers was not sufficient since attackers were able to bypass them with permit approvals.
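To make the footnote concrete, here is an added illustration (not code from Balancer, Sonic, Monerium, or any token named on this page) of why a freeze that gates on the transaction sender is hollow once the token supports EIP-2612 permit, shown beside a freeze that gates on the token holder. It assumes OpenZeppelin Contracts v5; the contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this newsletter, not code from Balancer, Sonic, Monerium
// or any token named on the page. Assumes OpenZeppelin Contracts v5.x; every
// contract and function name below is hypothetical.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {ERC20Permit} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Permit.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Weak freeze: the check keys on msg.sender. A frozen holder signs an EIP-2612
/// permit off-chain, an unfrozen relayer calls permit() and then
/// transferFrom(frozenHolder, sink, amount). msg.sender is the relayer on both
/// calls, so the modifier passes and the "frozen" balance moves anyway.
contract WeakFreezableToken is ERC20, ERC20Permit, Ownable {
    mapping(address => bool) public frozen;

    constructor() ERC20("Weak", "WEAK") ERC20Permit("Weak") Ownable(msg.sender) {
        _mint(msg.sender, 1_000_000e18);
    }

    function setFrozen(address account, bool isFrozen) external onlyOwner {
        frozen[account] = isFrozen;
    }

    modifier senderNotFrozen() {
        require(!frozen[msg.sender], "sender frozen");
        _;
    }

    function transfer(address to, uint256 value) public override senderNotFrozen returns (bool) {
        return super.transfer(to, value);
    }

    // Bypass path: this is called by the relayer, never by the frozen holder.
    function transferFrom(address from, address to, uint256 value)
        public
        override
        senderNotFrozen
        returns (bool)
    {
        return super.transferFrom(from, to, value);
    }
}

/// Hardened freeze: key on the token holder, not the transaction sender, and
/// enforce it in the two internal hooks every path funnels through.
///  - _update() sees every balance change (transfer, transferFrom, burn), so a
///    permit-then-transferFrom for a frozen holder reverts on `from`.
///  - _approve() is what permit() ends up calling, so the permit itself reverts
///    and no dangling allowance is left behind.
contract FreezableToken is ERC20, ERC20Permit, Ownable {
    mapping(address => bool) public frozen;

    event Frozen(address indexed account, bool isFrozen);

    constructor() ERC20("Hard", "HARD") ERC20Permit("Hard") Ownable(msg.sender) {
        _mint(msg.sender, 1_000_000e18);
    }

    function setFrozen(address account, bool isFrozen) external onlyOwner {
        frozen[account] = isFrozen;
        emit Frozen(account, isFrozen);
    }

    function _update(address from, address to, uint256 value) internal override {
        require(!frozen[from], "holder frozen");
        require(!frozen[to], "recipient frozen"); // also stop funds flowing into a frozen sink
        super._update(from, to, value);
    }

    function _approve(address owner, address spender, uint256 value, bool emitEvent) internal override {
        require(!frozen[owner], "holder frozen");
        super._approve(owner, spender, value, emitEvent);
    }
}
```

With WeakFreezableToken, after setFrozen(attacker, true) the attacker signs a permit off-chain for an unfrozen relayer, the relayer submits permit() followed by transferFrom(attacker, sink, amount), and msg.sender is the relayer on both calls, so the balance leaves. With FreezableToken the same sequence reverts at permit() (frozen owner in _approve) and, even if an allowance existed before the freeze, at transferFrom() (frozen from in _update). The same reasoning applies to any freeze that only blocks transactions signed by the attacker's key: a permit signature is calldata, not a transaction, and anyone can relay it.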
Balancer responded within a twenty-minute window by pausing pools. That slowed the attacker a bit, but they were still able to redeploy and launch a second wave almost an hour after the first attack. Protocols with centralized control over their tokens, such as osETH, osGNO, and EURe, were able to intervene and freeze the specific stolen tokens. Then the nuclear option was activated: multiple chains patched their validators to either censor the attacker's transactions or halt the chain entirely. This level of control has been frowned upon since the original DAO hack, but these were exceptional measures for an exceptional scenario.
While the protocols were busy defending themselves, whitehats stepped in and began actively attacking the attacker:
- Bitfinding's bot frontran the exploiter on Base to recover almost $1M.
- A frontrunning bot operator on Berachain was able to intercept $12M worth of stolen funds and agreed to return funds.
- Another frontrunning bot operator on Base returned $150K.
- Yet another frontrunning bot operator on Arbitrum returned about $82K.
- SEAL/Certora rescue operation recovered $4.1M across Ethereum, Optimism (Beets), Arbitrum chains a few days after the hack.
Just as the attacker was executing their exploit on different chains, various financial bots and one dedicated defensive bot activated and intercepted $13M on the spot. In one case, Bitfinding's bot deployed an exploit contract on Base minutes before the attacker did. SEAL and Certora teamed up on a separate $4.1M rescue of funds sitting in Balancer pools that carried the vulnerability but had not yet been exploited.
After the dust settled, almost $18M were intercepted or returned relative to the $128M stolen. A disastrous incident, yet it offers ideas for what worked or could work in the future.
- Balancer had an emergency action script ready. If only it had triggered immediately after the first exploit on mainnet. There is an opportunity for projects to improve automation and perhaps err on the side of caution, pausing first and asking questions later.
- War rooms worked perfectly, with chains, protocols, and security researchers all coordinating the best possible actions to slow the exploit and fight back. Protocols should regularly run tabletop war-room exercises to build up their incident response muscle.
- The real winners in this incident were the bots, and Bitfinding's bot in particular. Building dedicated defensive bots is the next frontier: barely explored in our industry, yet it already shows how effective it can be. The Berachain bot alone accounted for the majority of the intercepted funds, an astounding $12.6M!
It is a dark day for the industry and Balancer in particular. But we will take time to patch ourselves up and most importantly learn valuable lessons from these incidents that will ultimately make the industry stronger and more resilient for the fights ahead.

In other news, a mistrial was declared in the case against Anton and James Peraire-Bueno after the jury failed to reach a unanimous verdict, with jurors reporting sleepless nights and crying. As you may recall, the brothers used their validator to send a specially crafted block that exploited a vulnerability in a relay, tricking it into revealing block transactions that are normally hidden from the validator. They then used those transactions to sandwich other bots. The defense, and surprisingly Coin Center, chose to omit the small detail that a software flaw was exploited and instead framed the issue as nothing more than greedy MEV operators who should accept a bad trade. In other words, the classic Code is Law argument.
Unsurprisingly, all of this overwhelmed the jurors. Now we may end up with a legal precedent that could legitimize blockchain exploits. This is a case the entire industry should watch closely, since the wrong precedent could blur the line between fair trades and intentional exploitation in ways that would introduce significant long-term risks.
Let’s dive into the news!
News
- Analysts map $285M in potential exposure across DeFi after Stream Finance's $93M loss. The platform halted withdrawals shortly after the announcement, leading to mass stablecoin depegging, a liquidity crisis, and a chain of halts across multiple DeFi protocols.
- DWF Labs ‘Likely’ Exploited for $44M in 2022 Hack Linked to North Korea: Report.
- AMD confirms security vulnerability on Zen 5-based CPUs that generates potentially predictable keys.
Crime
- Mistrial declared for MIT brothers accused of $25M crypto heist as deadlocked jury complains of tears, sleepless nights.
- Keonne Rodriguez Sentenced to 5 Years in Prison, $250,000 Fine. Relevant thread on differences between Samourai and Tornado Cash by tanuki42.
- When the Defenders Become the Attackers: Cybersecurity Experts Indicted for BlackCat Ransomware Operations. The story of Ryan Clifford Goldberg (Sygnia), Kevin Tyler Martin (DigitalMint), and an unidentified third party (DigitalMint) taking their ransomware negotiation skills to extorting victims as part of an ALPHV/BlackCat ransomware-as-a-service operation.
- Convicted crypto felon behind $500m scam found butchered alongside wife in desert after a failed ransom attempt. Roman Novak previously raised $500M through a scam crypto project, Fintopio, and later fled with investors' money. Russian police have arrested suspects in the gruesome murder.
- Spanish crypto influencer CryptoSpain detained on $300 million fraud, money laundering charges.
- China is sentencing pig butchering scammers to death.
- Treasury Sanctions DPRK Bankers and Institutions Involved in Laundering Cybercrime Proceeds and IT Worker Funds.
- From North Korean IT Workers to IT recruiters by Security Alliance and Heiner Garcia.
- CISO Playbook: North Korean IT Workers by Sophos.
- EU Arrests Nine in Connection with $689M Crypto Scam Network.
- FBI can’t be blamed for wiping hard drive with $345M BTC, say judges.
- Google Threat Report Links AI-powered Malware to DPRK Crypto Theft.
- Crypto Tracing Leads to Arrest in Global Child Abuse Network Takedown.
- Mastermind behind $300M crypto pyramid scheme arrested in Spain.
Phishing
- Interview with the Chollima Part III, IV, V by Bitso Quetzal Team. The use of face-altering AI tech is particularly concerning, as is the use of certain Latin American countries.
- Are you a freelancer? North Korean spies may be using you.
- A victim lost $1.25M to an address poisoning attack by Specter.
Scams
- stablewatch (@stablewatchHQ) on X - Over the past week, Yield Bearing Stablecoins saw their largest outflow since the UST collapse - totaling $1B. Of that, $411 million came from xUSD alone.
- Crypto’s $3.2 Trillion Scam: Just 489 People Behind Massive Telegram Pump-and-Dump.
Malware
- Blockchain malware’s neverending novelty by Taylor Monahan (Tay). A long history of malware using blockchains to retrieve secondary payloads.
- SleepyDuck malware invades Cursor through Open VSX by John Tuckner (Secure Annex). Interestingly this malware sample uses Ethereum as a backup C2 command channel.
- LeakyInjector and LeakyStealer Duo Hunts For Crypto and Browser History by Vlad Pasca, Radu-Emanuel Chiscariu (Hybrid Analysis).
- Android Malware Mutes Alerts, Drains Crypto Wallets.
Media
- How a Canadian math prodigy allegedly stole millions in crypto by CBC - The Current. The story of Andean Medjedovic. Interestingly, the podcast mentioned that Andean was caught in Europe at one point but was let go.
- bountyhunt3rz - Episode 30 - Mitchell Amador.
- Consensus Protocols by CBER Forum with Ertem Nusret Taş (a16z Crypto), Joachim Neu (a16z Crypto), Jacob Leshno (University of Chicago).
- Crypto Market Wizards - Making $10M in DeFi with 0xlawlol. A particularly concerning interview with a greyhat on extorting protocols for post-hack bounty.
Contests
- Onchain CTF Solution Writeup by kaden.eth.
Research
- $1M Intercepted from the Balancer Hack by Bitfinding.
- Supply Chain Attacks: Prepare for Next Week by Franco Riccobaldi (Coinspect).
- Critical Security Risks associated with Telegram Trading Bots by Sebastian Lim (HashDit).
- Securing $29 199 014 133 – Methodology to Secure One of the Biggest Project on Ethereum by Damian Rusinek (Composable Security).
- Sticky Notes to Seed Phrases: How To Identify Crypto Artifacts in the Field by TRM.
- Mastering Wake Printers for Solidity Security Analysis by Naoki Yoshida (Ackee).
- LLM Vulnerabilities: Why AI Models Are the Next Big Attack Surface by Sai Krishna (Netlas).
- What is the Solana Virtual Machine (SVM)? by 0xIchigo (Helius).
- Move Vulnerability Database by MoveMaverick.
- Sample Arkham Bounty onchain investigation of an Aaron Shames wallet by Whistleblower007. Ever though
- Taming DeFi’s Ouroboros. A deep dive into quantifying recursive lending risk and why your “diversified” yield vault might be a ticking time bomb by totomanov.
- DeFi’s Contagion Loop: The Cost of Hidden Dependencies by Chaos Labs.
- ConneX: Automatically Resolving Transaction Opacity of Cross-Chain Bridges for Security Analysis.
- FTSmartAudit: A Knowledge Distillation-Enhanced Framework for Automated Smart Contract Auditing Using Fine-Tuned LLMs.
- Penetrating the Hostile: Detecting DeFi Protocol Exploits through Cross-Contract Analysis.
- SoK: Design, Vulnerabilities, and Security Measures of Cryptocurrency Wallets.
- PoCo: Agentic Proof-of-Concept Exploit Generation for Smart Contracts.
Tools
- Fuck blind signing: Introducing Web3 Semantic Second Factor by Bitfinding.
- Unblind Second Factor is now available by Bitfinding.
- Unblind your Safe Dashboard by Bitfinding.
- Routescan Multichain Explorer. A unified explorer for 79 blockchains and a great way to track cross-chain transactions.
Hacks
Balancer, Beets Finance, Beethoven X
Date: November 03, 2025
Attack Vector: Rounding Error
Impact: $128,640,000
Chain: Ethereum, Arbitrum, Base, Polygon, Sonic, Optimism, Berachain
Ethereum: 0x506d1f9efe24f0d47853adca907eb8d89ae03207
Arbitrum: 0x506d1f9efe24f0d47853adca907eb8d89ae03207
Sonic: 0x506d1f9efe24f0d47853adca907eb8d89ae03207
Base: 0x506d1f9efe24f0d47853adca907eb8d89ae03207
Optimism: 0x506d1f9efe24f0d47853adca907eb8d89ae03207
Ethereum: 0xaa760d53541d8390074c61defeaba314675b8e3f
Base: 0x8bfe825b008d821278a7e0b6da3219b39bbd807c
Base: 0xeb179b0179836c6b634056db60855234d6af3338
Arbitrum: 0x310ebc4ffe858ab40b95343de0c2431b95892962
Arbitrum: 0xa783ca067914cde03acfa9cd2c871418e60e3688
Ethereum: 0x7bb284421d3eafde4d45ee5e420c3269f87fa4fb
Sonic: 0xf19fd5c683a958ce9210948858b80d433f6bfae2
Sonic: 0x045371528a01071d6e5c934d42d641fd3cbe941c
Ethereum: 0x766a892f8ba102556c8537d02fca0ff4cacfc492
Arbitrum: 0x872757006b6f2fd65244c0a2a5fdd1f70a7780f4
References:
https://x.com/peckshield/status/1985258403518992658
https://x.com/PeckShieldAlert/status/1985259843377308008
https://x.com/Phalcon_xyz/status/1985302779263643915
https://x.com/Phalcon_xyz/status/1985262010347696312
https://x.com/CertiKAlert/status/1987898759959699858
https://x.com/LefterisJP/status/1985300015548428789
https://x.com/The3D_/status/1985307154585203119
https://x.com/QuillAudits_AI/status/1985309997757317214
https://rekt.news/balancer-rekt2
Root Cause:
https://www.coinspect.com/blog/balancer-rate-manipulation-exploit/
https://blog.unvariant.io/balancer-hack-explained/
https://medium.com/coinmonks/balancer-hack-2025-f6273c36b81a
https://blocksecteam.medium.com/in-depth-analysis-the-balancer-v2-exploit-9552f6442437
https://slowmist.medium.com/when-small-flaws-collapse-a-giant-inside-balancers-100m-hack-85b9e92a9ae3
https://www.openzeppelin.com/news/understanding-the-balancer-v2-exploit
https://blog.trailofbits.com/2025/11/07/balancer-hack-analysis-and-guidance-for-the-defi-ecosystem/
https://www.certora.com/blog/breaking-down-the-balancer-hack
https://blog.weilinli.io/posts/balancer-attack-analysis
https://immunefi.com/blog/expert-insights/how-fragmented-security-enabled-balancer-exploit/
https://x.com/Balancer/status/1986104426667401241
Beets Finance
https://x.com/SonicLabs/status/1985401737096671549
https://x.com/beets_fi/status/1985281285816754179
Negotiations:
https://etherscan.io/tx/0xf462b894f3ac4d7883222f1db6aedddfb0402d51a71681da40427fe173231820
Incident Response Balancer:
https://x.com/Balancer/status/1986104426667401241
Incident Response Berachain (Chain Halt) ($12M):
https://x.com/berachain/status/1986952318068146323
Incident Response Sonic (Chain Freeze):
https://x.com/SonicLabs/status/1985401737096671549
https://x.com/SetteeCh/status/1985323623784054883
Incident Response Gnosis (Chain Freeze):
https://x.com/gnosisdotio/status/1985321081255891396
Incident Response StakeWise osETH and osGNO recovery ($20.7M):
https://x.com/stakewise_io/status/1985800079354060932
Incident Response Monerium ($1.3M)
https://x.com/monerium/status/1986036212138693006
Incident Response Euler:
https://x.com/gjaldon/status/1985684714561376393
Incident Response Notional:
https://x.com/NotionalFinance/status/1985751306078712094
Whitehat bitfinding on Base ($1M):
https://bitfinding.com/blog/balancer-exploit-interception
Whitehat frontrunning on Berachain ($12.8M):
Whitehat frontrunning on Arbitrum ($82K):
https://arbiscan.io/tx/0x48944ed1eee6f044ba48d2b89519fd33fcf08480e6535f50215af67ffbc476d8
Whitehat SEAL and Certora on Ethereum, Optimism (Beets), Arbitrum ($4.1M):
https://x.com/Balancer/status/1988685056982835470
https://x.com/Phalcon_xyz/status/1988899686397456607
https://balancer.fi/pools/ethereum/v2/0x1e19cf2d73a72ef1332c882f20534b6519be0276000200000000000000000112
Attacker bypasses freezes:
https://x.com/GoPlusSecurity/status/1988110998331662800
Copycats:
https://x.com/TikkalaResearch/status/1988462610313080923
Attribution:
https://x.com/jconorgrogan/status/1985347767795859898
https://x.com/AdiFlips/status/1985311134308573467
https://x.com/BrutalTrade/status/1985305307711504517
https://x.com/RaoulSaffron/status/1985485735118405966
https://x.com/apoorveth/status/1985282932156891267
https://x.com/theRaz0r/status/1986020656811770023
Misc:
https://x.com/mattaereal/status/1986034843638022166
Exploit:
https://etherscan.io/tx/0xd155207261712c35fa3d472ed1e51bfcd816e616dd4f517fa5959836f5b48569
https://etherscan.io/tx/0x47427bde6d5c183eb2ed17b5ab58a5cceca813ba17990ebfa3e9e29cf747cd39
https://arbiscan.io/tx/0x7da32ebc615d0f29a24cacf9d18254bea3a2c730084c690ee40238b1d8b55773
https://arbiscan.io/tx/0x4459a6c54ec792ce320135df466d0a429354d0c23609580e6a022bc55b59c8b0
https://arbiscan.io/tx/0xaf6a41a5d07c44b04477709328edaa2df86cf53ad8d9363f1cf876700514319c
https://arbiscan.io/tx/0x0169c01c3575f440f2867c8556601ca9beadb047261b109ecaab697e039a2a6d
https://polygonscan.com/tx/0x7c22aec178ce8a17f295e5f31db699797943fd69f9c2d2542256b953933e0db0
https://basescan.org/tx/0xb7f3d0ec4725bcfd11ddec02a8fc47cb2687e2a0a15652bfdeb71d913af9f69e
https://basescan.org/tx/0xab3d74b59122f7fb4d0969a866ae0aa4b4d7842a553aebcf100726c79a151a30
https://basescan.org/tx/0x5a69a68cd9360a5922c6cfc10c23c5ce5f9d080d03b20b4072faa7d1b24f1107
https://github.com/unvariantio/balancer-hack-explained/
Stream Finance, Elixir, MEV Capital, TelosC, Morpho, Euler, Silo Finance
Date: November 04, 2025
Attack Vector:
Impact: Depeg
Chain: Ethereum
References:
https://forklog.com/en/collateral-damage-from-stream-finance-hack-estimated-at-285-million/
https://x.com/stablewatchHQ/status/1986438113586258357
https://x.com/QuillAudits_AI/status/1986377632926273796
https://x.com/StreamDefi/status/1985556360507822093
https://x.com/elixir/status/1985371198210064474
https://x.com/elixir/status/1986443495351927257
https://x.com/Re7Labs/status/1985694621251387506
https://x.com/yieldsandmore/status/1985571764441579649
https://x.com/fluidkey/status/1986508086144577867
https://x.com/hklst4r/status/1986419422316134482
https://x.com/PeckShieldAlert/status/1986405601291751719
https://x.com/schlagonia/status/1982886179163791674
https://x.com/SiloFinance/status/1985976042868392186
https://x.com/lista_dao/status/1986392017589457261
https://x.com/Trevee_xyz/status/1986815227371905223
https://www.cryptopolitan.com/morpho-co-founder-illiquidity-in-defi-vault/
https://x.com/YeiFinance/status/1985904459571200079
https://www.theblock.co/post/377491/analysts-map-285m-in-potential-exposure-across-defi-after-stream-finances-93m-loss
https://www.theblock.co/post/377400/stream-finance-halts-withdrawals-93-million-loss
https://x.com/Togbe0x/status/1985817878298284181
Rescue Script:
https://x.com/hklst4r/status/1986467704904069284
Dexodus
Date: November 04, 2025
Attack Vector: Price Oracle Manipulation
Impact: $145,000
Chain: Base
References:
https://x.com/TenArmorAlert/status/1986016583873880198
https://x.com/hklst4r/status/1985778798193733977
https://x.com/DexodusFinance/status/1986418250935119961
Exploit:
https://basescan.org/tx/0x7501847c70d2cdcfbb8c6bd3585640f568cd287242b64027e5a829646e084257
Moonwell
Date: November 04, 2025
Attack Vector: Incorrect Price Oracle
Impact: $3,700,000
Chain: Base
References:
https://x.com/CertiKAlert/status/1985620452992253973
https://x.com/Phalcon_xyz/status/1985617123700289790
https://x.com/QuillAudits_AI/status/1985654917898649840
https://x.com/BlockscopeCo/status/1985651750917865486
https://x.com/LukeYoungblood/status/1985744006278758522
https://x.com/erickpinos/status/1986096368293687473
https://forum.moonwell.fi/t/wrseth-oracle-malfunction-11-4-25/2017
https://x.com/LukeYoungblood/status/1985855987958612452
https://x.com/omeragoldberg/status/1985770751429922905
https://x.com/SpecterAnalyst/status/1985666708686729323
Attribution:
https://x.com/SpecterAnalyst/status/1985680490242728392
Exploit:
https://basescan.org/tx/0x229caeb87e0b6c31afad950150d2ba05a8d7fe823c9e5c05af63b4150b8f6cc6
https://basescan.org/tx/0x77e308091f9eee86bb4e5571ee3bf8be001ce84208501c6aba3f251b5f9150d4
https://basescan.org/tx/0x190a491c0ef095d5447d6d813dc8e2ec11a5710e189771c24527393a2beb05ac
Dimo
Date: November 06, 2025
Attack Vector: Stolen Private Keys
Impact: $40,000
Chain: Ethereum
References:
https://x.com/CertiKAlert/status/1986740107190112715
https://x.com/DIMO_Network/status/1986847282889957391
Exploit:
https://etherscan.io/tx/0x274edfde9c12b1e9ec44d983b4fbe6ec2861fe78d2f46dd86ce5843f5f978950
DPC Token
Date: November 07, 2025
Attack Vector: Price Oracle Manipulation
Impact: $230,000
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1987713039232074033
Exploit:
https://bscscan.com/tx/0x7be62536947d83ae962abfa4c491d736967dea8faf4a629090a49f72d529a297
https://bscscan.com/tx/0xc94143fd6e7e7f05790902d66956adcf39b60bdda1e555f9963d7b1d32188825
WeiDex
Date: November 09, 2025
Attack Vector: Logic Error
Impact: $7,000
Chain: Ethereum
References:
https://x.com/TikkalaResearch/status/1987755356488110235
Exploit:
https://etherscan.io/tx/0x68e900b88876974020ad0c3cfa0e96060b5976de18071f0fb6465944ac574319