BlockThreat - Week 5, 2026
Step Finance, CrossCurve Bridge, Gyroscope Bridge, XPlayer, PGNLZ, Revert Finance, Holdstation, dYdX, USMS, Lick, Address Poisoning
About $30M was stolen this week across eight incidents. Two bridges were exploited in the same week using very similar attack vectors. The CrossCurve hack drew most of the attention with roughly $2.76M in losses and a wave of copycat attacks across nine different chains. The Gyroscope bridge hack, however, is even more concerning. The underlying vulnerability had the potential to enable far more devastating attacks, making it worth a closer look at the exact root cause and, more importantly, what not to do when designing cross-chain messaging.
On January 31, 2026, Gyroscope disclosed that its cross-chain contract had been exploited. Within minutes, the Ethereum bridge began transferring roughly $7M worth of GYD to an attacker-controlled address.

The key clue to the root cause appears in what initially looks like a benign transaction on January 30, 2026 at 20:27:59 UTC. This transaction transfers a tiny amount of GYD to the GYD token contract itself. At first glance, nothing seems out of the ordinary. However, a closer inspection reveals a concerning event.

What looked like an innocuous transfer concealed a malicious payload that granted an infinite token approval to address 0x7dd407. With this approval in place, the attacker was then able to drain the bridge.
The transaction in question originated as a routine cross chain transfer from Arbitrum. So how did the attacker manage to coerce the bridge into executing an unlimited approval on the GYD token? To answer that, we need to examine the Arbitrum side transaction that preceded the Ethereum transfer.
At a high level, the call appears to be a standard bridgeToken invocation. But inspecting the payload reveals the real problem. The recipient on Ethereum is set to 0xe07f9d, which is the GYD token contract itself!

More importantly, the data field contains a carefully crafted calldata payload:
% cast 4byte-calldata 0x095ea7b30000000000000000000000007dd4075a6eae9f18309f112364f0394c2dfa8102ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
1) "approve(address,uint256)"
0x7DD4075A6eAe9f18309F112364f0394C2DfA8102
115792089237316195423570985008687907853269984665640564039457584007913129639935 [1.157e77]
This is a direct call to approve(address,uint256) with the maximum possible allowance. Because the bridge performed no validation on either the target contract or the calldata, it blindly forwarded this payload to the GYD token contract. The result was an infinite approval granted to the attacker address.
The underlying issue becomes obvious when looking at the bridge implementation on the Arbitrum end. The bridgeToken function accepts an arbitrary recipient and arbitrary data, and forwards both as part of the CCIP message without any verification of what is being called or why:
function bridgeToken(
    uint64 destinationChainSelector,
    address recipient,
    uint256 amount,
    bytes memory data
) public payable virtual {
    ChainMetadata memory metadata = chainsMetadata[destinationChainSelector];
    if (metadata.targetAddress == address(0)) {
        revert ChainNotSupported(destinationChainSelector);
    }
    _burn(msg.sender, amount);
    Client.EVM2AnyMessage memory evm2AnyMessage = CCIPHelpers.buildCCIPMessage(
        metadata.targetAddress, recipient, amount, data, metadata.gasLimit
    );
The same issue exists on the receiving side in ccipReceive(), which performs no validation to prevent dangerous calls. Because the forwarded call executes with the bridge as msg.sender, the approve call granted the attacker an allowance over the bridge's own GYD balance, which is what made the drain possible.
The attacker quickly drained approximately $7M in tokens and appears to have gotten away with around 300 ETH in liquidity. Far more troubling is that the same arbitrary call injection could have been weaponized against users, leading to significantly broader ecosystem losses. We must do better!
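To make the two missing checks concrete, here is an added example (not Gyroscope's code and not the CCIP SDK) that decodes the forwarded calldata the way the cast output above does and then applies the validation the destination bridge should have run before doing recipient.call(data). The message layout (recipient, amount, data) mirrors the bridgeToken parameters above; the token and bridge addresses are placeholders, and the calldata bytes are the ones shown in the cast output. The decoder goes slightly beyond the page by recognizing the other standard ERC-20/ERC-721 selectors, not only approve.

```python
"""Decode a bridged calldata payload and run the checks the bridge skipped.

Added example: not Gyroscope's code or the CCIP SDK. The message layout
(recipient, amount, data) mirrors the bridgeToken parameters; the address
constants marked as placeholders are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MAX_UINT256 = 2**256 - 1

# 4-byte selectors: approve() is the one from the cast output on the page;
# the others are the standard ERC-20/ERC-721 selectors.
KNOWN_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}


@dataclass
class BridgeMessage:
    recipient: str   # address the destination bridge will call
    amount: int      # tokens to mint/release
    data: bytes      # forwarded verbatim as calldata to `recipient`


def decode_calldata(data: bytes) -> Tuple[Optional[str], list]:
    """Return (signature, args) for a known selector, (None, []) otherwise.

    Only static ABI types (address, uintN, bool) are handled, which covers
    every selector in KNOWN_SELECTORS.
    """
    if len(data) < 4:
        return None, []
    selector, body = data[:4].hex(), data[4:]
    sig = KNOWN_SELECTORS.get(selector)
    if sig is None:
        return None, []
    if len(body) % 32:
        raise ValueError("ABI body is not a multiple of 32 bytes")
    words = [body[i:i + 32] for i in range(0, len(body), 32)]
    types = sig[sig.index("(") + 1:-1].split(",")
    if len(words) != len(types):
        raise ValueError(f"{sig} expects {len(types)} words, got {len(words)}")
    args = []
    for typ, word in zip(types, words):
        if typ == "address":
            if any(word[:12]):  # address words must be zero-padded on the left
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        elif typ == "bool":
            args.append(int.from_bytes(word, "big") != 0)
        else:
            args.append(int.from_bytes(word, "big"))
    return sig, args


def validate_message(msg: BridgeMessage, protected: Iterable[str]) -> List[str]:
    """Checks a destination bridge should apply before `recipient.call(data)`.

    The recipient check is the one that matters: a message must never target
    a contract the bridge holds privileges or balances on. The selector checks
    are defense in depth only; an unknown selector is not evidence of safety.
    """
    findings = []
    if msg.recipient.lower() in {a.lower() for a in protected}:
        findings.append(f"recipient {msg.recipient} is a protected contract")
    sig, args = decode_calldata(msg.data)
    if sig is not None:
        findings.append(f"data invokes {sig} with args {args}")
        if sig == "approve(address,uint256)" and args[1] == MAX_UINT256:
            findings.append(f"unlimited allowance requested for {args[0]}")
    return findings


# Calldata exactly as shown in the cast output above.
ATTACK_CALLDATA = bytes.fromhex(
    "095ea7b3"
    "0000000000000000000000007dd4075a6eae9f18309f112364f0394c2dfa8102"
    "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
)
# Placeholders: the real GYD token and bridge addresses are not reproduced here.
GYD_TOKEN = "0x" + "e0" * 20
BRIDGE = "0x" + "b1" * 20


def demo() -> List[str]:
    """Replay the hostile message against the checks; returns the findings."""
    msg = BridgeMessage(recipient=GYD_TOKEN, amount=1, data=ATTACK_CALLDATA)
    return validate_message(msg, protected={GYD_TOKEN, BRIDGE})


if __name__ == "__main__":
    for line in demo():
        print("REJECT:", line)
```

The takeaway is the ordering of the checks: a bridge that forwards user-controlled calls must restrict the set of targets to contracts it has no special standing with (an allowlist of callback receivers is the usual shape), rather than trying to enumerate dangerous selectors after the fact.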
In other news, there was yet another mass compromise event by someone hunting for vulnerable contracts with burn pools on BSC. PGNLZ and XPlayer were hit so far, but likely more contracts will surface.
Supply chain attacks also continued. Both the PyPI and NPM packages for dydx-v4-clients were recently backdoored. If you installed the PyPI release 1.1.5.post1 or the NPM releases 3.4.1, 1.22.1, 1.15.2 or 1.0.31, check your environment immediately!
Let’s dive into the news!
Events
- darkMode 2026 registration is live! February 16, 2026 in Denver, Colorado. Fantastic event schedule here.
- REKT Security Summit — March 27, 2026 — Cannes, France. Speaker application here.
News
- TheDAO Security Fund: Activating 75,000+ ETH for Ethereum Security by Griff Green. A great way to put the now $220M in unclaimed funds from the 2016 TheDAO hack toward combating hacks 10 years later. There is also the added benefit of helping legitimize the use of Tornado Cash and others.
- Malicious versions of dydx-v4-clients were recently uploaded to PyPI.
- The Inverted Panopticon by Shanaka Anslem Perera. Beijing Weaponized the West’s Own Wiretap Infrastructure to Execute the Greatest Intelligence Coup Since Cambridge Five.
- 2026 Crypto Crime Report by TRM.
- 2025 EVM Smart Contract Exploit Analysis by Olympix.
Crime
- He Leaked the Secrets of a Southeast Asian Scam Compound. Then He Had to Get Out Alive by Andy Greenberg.
- John Daghita aka Lick went wild after ZachXBT's recent revelation of a $40M theft from the US Government. As the walls closed in, John rugged a newly launched token, drained funds from his MEXC account without being stopped, and moved the stolen funds to Tornado Cash.
- US Government Investigating Alleged $40 Million Crypto Theft by Federal Contractor’s Son.
- Russia’s Largest Crypto Miner BitRiver Faces Bankruptcy as CEO Under House Arrest.
- OFAC Sanctions Zedcex and Zedxion in First-ever Designation of an IRGC-linked Digital Asset Exchange by TRM.
- Huione Group head ‘Boss Xi’ reportedly arrested then released.
- China executes 11 members of Myanmar scam mafia.
- Justin Sun's ex-girlfriend shares significant fraud, insider trading and market manipulation allegations from the early days of Tron.
- Chinese Language Money Laundering Networks Emerge as Major Facilitators of the Illicit Crypto Economy, Now Driving 20% of Laundering Activity by Chainalysis.
- South Korea Probes Theft of Seized Bitcoin Worth $48M in Suspected Phishing Heist.
- $41M in Losses as Crypto Wrench Attacks Hit Record High in 2025.
- Democrats Press DOJ Deputy Over Crypto Holdings, Enforcement Retreat.
Phishing
- A victim has lost 4,556 ETH (~$12.4M) to an address-poisoning attack by Specter.
- North Korea–Linked Hackers Use Deepfake Video Calls to Target Crypto Workers.
Scams
- Trove of BS by Rekt. The case of Trove Markets and a familiar rug pull.
- MolecularFinance has rug pulled after draining all liquidity and shutting down its online presence.
- Former Mt Gox CEO’s cat memecoin has already crashed 90%.
Malware
Media
- Blockspace - The $300M Telegram Phishing Attack Nobody's Talking About with Taylor Monahan.
Contests
- Damn Vulnerable Web by Rewrite Lab. Sharpen your web2 skills.
Research
- Web3 Security Auditor's 2025 Rewind by Jainil Vora, Frank Lei, Kose Dogus & Ionut-Viorel Gingu (OpenZeppelin).
- Update #16 - Investigating Weak Brainwallets by Milk Sad.
- Update #17 - PHPCoinAddress Wallets - Part 1 by Milk Sad.
- Fixed-Rate Lending in DeFi: A Design Review by Statemind.
- Building Agentic Infrastructure for Zero-Day Vulnerability Research by ControlZ (Kritt).
- AI Agents vs. Web3 Security Researchers: Threat or Hype? by Al-Qa'qa'.
- Rust Security & Auditing Guide by Sherlock.
- Solana Security Checklist: 45 Critical Checks for Anchor & Native Programs by Bloqarl (Zealynx).
- Awesome Audits Checklists by TradMod.
- Smart Contract Proxy Patterns: Security Guide 2026 by M3D (Zealynx).
- The Web3 Operational Security Standard (W3OS) by AuditWare.
- Supply Chain Security and DevSecOps for Web3 by Paul (Cantina).
- The Math Needed for Trading on Polymarket (Complete Roadmap) by Roan.
- Aave Liquidity Rate Mechanics: Economic & Security Implications by Olesia Bilenka (Hacken).
- The OSINT Investigator’s Guide to AI: Prompting, Tools and Tradecraft by The OSINT Newsletter.
- Eclipse Attacks on Ethereum's Peer-to-Peer Network.
- Obfuscation as an Effective Signal for Prioritizing Cross-Chain Smart Contract Audits: Large-Scale Measurement and Risk Profiling.
- Belobog: Move Language Fuzzing Framework For Real-World Smart Contracts.
- Security Analysis of Ponzi Schemes in Ethereum Smart Contracts.
- MemeChain: A Multimodal Cross-Chain Dataset for Meme Coin Forensics and Risk Analysis.
- DoS Attacks and Defense Technologies in Blockchain Systems: A Hierarchical Analysis.
- An Effective and Cost-Efficient Agentic Framework for Ethereum Smart Contract Auditing.
- Understanding and Characterizing Obfuscated Funds Transfers in Ethereum Smart Contracts.
- From Scores to Queues: Operationalizing Cross-Chain Obfuscation Signals for Smart-Contract Audits.
- Prompt to Pwn: Automated Exploit Generation for Smart Contracts.
- How to Serve Your Sandwich? MEV Attacks in Private L2 Mempools.
- [2505.15242] Adaptive Plan-Execute Framework for Smart Contract Security Auditing.
- [2505.15051] An Empirical Analysis of EOS Blockchain: Architecture, Contract, and Security.
Tools
- The Solodit API is now live. Get instant access to 50,000 smart contract vulnerabilities.
- Introducing WhoDis a Chrome extension that lets you impersonate any Ethereum address.
- Assertions by BlossomLabs. On-chain assertions for securing DAO proposals and Safe transactions. Verify invariants atomically.