BlockThreat - Week 49, 2025
React | Yearn | USPD | Goldfinch | WaveX | Kroll | Binance
Greetings!
Almost $11M was stolen this week across four incidents. The majority of losses came from the Yearn Finance compromise, where an attacker exploited an integer underflow to steal $9M. The key lesson is that this was yet another legacy codebase that had not been audited for years and contained a deep vulnerability in its math logic. As I mentioned in my recent talk, this is emerging as a real threat to many protocols and to the broader ecosystem that relies on them. Simply isolating or derisking these codebases may not always be feasible, so the practical path forward may require reauditing them with modern tools, improved techniques, and highly experienced auditors who simply did not exist when much of this code was written.
Another incident this week involved an exploit class I also highlighted in the same DSS talk. The USPD initialization hijacking allowed attackers to insert a malicious backdoor, resulting in a one million dollar theft. Attackers are becoming more sophisticated in how they place these backdoors, which is creating ideal conditions for a future watering hole contract scenario.
And just as we were getting a break from two mass supply chain attacks, the web2 world delivered another reminder of its fragility. The mass React compromise is one of the most severe exploitation campaigns in recent memory. Please patch your instances immediately!

Let’s dive into the news!
News
- Who Has Security? - A list of blockchain companies with in-house security. You can’t fully outsource security, and internal ownership is key to long-term success.
- CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation. An easy-to-exploit vulnerability in React resulted in thousands of compromised hosts running cryptominers.
- Cloudflare outage on December 5, 2025. Another week, another Cloudflare outage knocking out major wallets and exchanges.
- Ledger researchers flag Android chip flaw enabling full device takeover, exposing smartphone-based web3 wallets to physical attack.
- AI agents find $4.6M in blockchain smart contract exploits by Anthropic.
- Hats Finance is shutting down.
Crime
- How We Caught Lazarus’s IT Workers Scheme Live on Camera by Mauro Eldritch (BCA) and Heiner García (NorthScan).
- Exclusive Look Inside a Compromised North Korean APT Machine Linked to The Biggest Heist in History.
- Crypto sleuth ZachXBT claims British threat actor tied to $243 million Genesis creditor theft ‘likely arrested’. Danish Zulfiqar aka Danny was linked to the $243M Genesis theft and Kroll SIM swaps.
- Operation Olympia. Europol and partners shut down ‘Cryptomixer’. The service was responsible for laundering €1.3B in BTC since 2016.
- United States, United Kingdom, and Australia Jointly Target Russian Cybercrime Infrastructure: Media Land and Aeza Group by SlowMist.
- Binance post confirming insider trading sends ‘year of the yellow fruit’ meme token even higher.
- Tracing firms say Binance’s claims of improving financial crime left out key crime stats.
- Police arrest two Ukrainian men after Vienna killing linked to crypto wallet theft.
- Gunmen Steal $85,800 in Trinidad Crypto Ambush as Attacks on Holders Rise.
Policy
- Operation Choke Point 2.0: Biden’s Debanking of Digital Assets by US House Committee on Financial Services. The report documents systematic discouragement and disruption of banking relationships with the crypto industry.
- Connecticut issues cease-and-desist to Kalshi, Robinhood, and Crypto.com over ‘illegal sports wagering’.
- UK Passes Bill Formally Recognizing Crypto as a New Category of Property.
Phishing
- Beware of Solana Phishing Attacks: Wallet Owner Permissions May Be Altered by SlowMist.
- Report of a massive $27M theft from a user Babur on Solana and Ethereum by SlowMist.
- Pepe memecoin website exploited, redirecting users to malware.
Scams
Media
Contests
Research
- The state of off-chain security in Ethereum and a primer on how to improve it — 1TS Initiative by Matta (The Red Guild).
- How Fuzzing the Aligned Layer Batcher Uncovered a Critical DoS Vulnerability in a Core Ethereum ZK Library by Fuzzing Labs.
- How I found a critical vulnerability in @zora’s ERC20Z contract via a little known Uniswap v3/v4 property by 0xKaden.
- Unbundling at the Relay Level for frontrunning protocol hacks by meridian.
- Blockchain Interoperability Part-1 : Interoperability Problem And Bridges by Charan Nomula.
- Belobog: Move Language Fuzzing Framework For Real-World Smart Contracts.
- Detection of Crowdsourcing Cryptocurrency Laundering via Multi-Task Collaboration.
- AtomGraph: Tackling Atomicity Violation in Smart Contracts using Multimodal GCNs.
- Large Language Model based Smart Contract Auditing with LLMBugScanner.
Tools
- coq-of-solidity - a tool to automatically translate Solidity smart contracts to the Rocq proof system. This makes it possible to formally verify the correctness of the smart contracts.
- Antidrain by Zun. Claim airdrops, recover staked tokens & rescue NFTs from compromised wallets. Powered by EIP-7702, it executes atomic batch operations before sweeper bots can react.
Hacks
Yearn
Date: December 01, 2025
Attack Vector: Rounding Error
Impact: $9,000,000 (Recovered $2,390,000)
Chain: Ethereum
References:
https://x.com/SlowMist_Team/status/1996771017310834869
https://x.com/Phalcon_xyz/status/1995430697478361268
https://x.com/TenArmorAlert/status/1995334980008894918
https://x.com/PeckShieldAlert/status/1995311852310675537
https://x.com/yearnfi/status/1995259652288729315
https://x.com/hklst4r/status/1995319273456009274
https://x.com/TikkalaResearch/status/1995728415702577551
https://x.com/andrewhong5297/status/1995388055595933723
Analysis:
https://slowmist.medium.com/9-million-stolen-analysis-of-the-yearn-yeth-pool-vulnerability-557237092054
https://defimon.xyz/blog/yearn-yeth-hack-november-2025
https://quillaudits.medium.com/yearn-yeth-exploit-bece9e5bb3dd
https://rekt.news/yearn-rekt3
https://github.com/banteg/yeth-exploit/blob/main/report.pdf
https://github.com/yearn/yearn-security/blob/master/disclosures/2025-12-01.md
Recovery:
https://x.com/yearnfi/status/1995488425785659492
https://protos.com/yearn-hacker-loses-2-4m-of-9m-loot-as-tokens-burned-from-wallet/
Exploit:
https://etherscan.io/tx/0x53fe7ef190c34d810c50fb66f0fc65a1ceedc10309cf4b4013d64042a0331156
https://github.com/johnnyonline/yeth-hack
Goldfinch
Date: December 02, 2025
Attack Vector: Price Oracle Manipulation
Impact: $330,000
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/1995774987706188201
https://x.com/GoPlusZH/status/1995842787078475801
https://x.com/PeckShieldAlert/status/1995774198564966434
https://x.com/TikkalaResearch/status/1995901805306544474
Negotiations:
https://etherscan.io/tx/0x2a4d83d30f924ab8c617d45ba29230f1339d194c88900a81b9b2db8010599fa0
Exploit:
https://etherscan.io/tx/0x3a8bde0a17e04f6a119ae2f28e6b56ac736feb70761e2fa97cac25f816f751c2
https://etherscan.io/tx/0xd462ce892166e041f303af47340ae50d22b3cadc55be65cecbfcab8f5d48e149
https://github.com/DK27ss/0x0689a-330K-PoC
USPD.IO
Date: December 04, 2025
Attack Vector: Uninitialized Contract
Impact: $1,050,000
Chain: Ethereum
References:
https://x.com/USPD_io/status/1996711283446464598
https://x.com/PeckShieldAlert/status/1996826080741937213
https://x.com/CertiKAlert/status/1996897892481827220
https://x.com/BlockscopeCo/status/1996976887608881435
https://x.com/AstraSecAI/status/1996905647355437363
https://rekt.news/uspd-rekt
Negotiations:
https://etherscan.io/tx/0x71237c1a93331b51072717768ba660c137f0009effcad04033066d204c4b68cd
Exploit:
https://etherscan.io/tx/0xc0b7e490caac2b8cfa5e62d1b28a5e7dba7600e623c71352acbc9b23c2b65b7c/advanced
https://etherscan.io/tx/0xf9a493f061fbf17fe2cf7c26d6b03d85c6b43026500e61728933c2e218581079
WaveX
Date: December 06, 2025
Attack Vector:
Impact: $430,000
Chain: Soneium
References:
https://x.com/De_FiSecurity/status/1999143885235188025
https://x.com/DefimonAlerts/status/1998676082963456212
https://x.com/waveX_fi/status/1998645885409124636
https://x.com/waveX_fi/status/1998680217880244253