BlockThreat - Week 50, 2025
ThirdWeb | Ribbon Finance | 0G Labs | DMi | HTC | React
Greetings!
Almost $3.5M were stolen this week across eight projects. Unfortunately, the week also marked the appearance of all three emerging threat classes I discussed in my talk at DSS 2025.
Watering Hole Contracts are particularly dangerous because they target not the protocols themselves, but their users. Victims are users who previously approved their funds to a vulnerable or compromised contract, often long forgotten. That was the case this week with Jill Gunter, who had an old unlimited token approval to a ThirdWeb contract containing an insidious msgSender spoofing vulnerability from nearly two years ago. Attackers patiently waited for a user with a sufficiently large balance to appear, then exploited the vulnerability to drain the funds.
What makes this incident especially unfortunate is that Thirdweb could have prevented the loss by disabling the vulnerable contract, but it appears this step was overlooked. As I mentioned in my talk, users should regularly review and revoke token approvals that are no longer needed. Even better, they should avoid infinite approvals altogether for the massive security risk that it is.
Speaking of predicted threats, another legacy contract was attacked this week. Ribbon Finance lost $2.7M after an attacker successfully forged an update to its price oracle feed. This was a subtle and sophisticated exploit, emblematic of a new generation of attackers who specialize in uncovering deep vulnerabilities hidden in older codebases.
If we can’t reaudit every legacy project, then at the very least we should apply modern tooling capable of analyzing older codebases against latest attack patterns. This week’s sponsor, Ackee, has built exactly such a tool with Wake Arena, designed to hunt down deep and hard to find vulnerabilities. Be sure to check them out!
Wake Arena identified 43 of 94 high-severity vulnerabilities in benchmark tests on historical audit competitions. In 3 production Ackee audits in November 2025 for Lido, Printr, and Everstake, it discovered 26/79 (33%) of all findings, including 5/10 (50%) of the critical findings in Printr, and six unique vulnerabilities. Read the full report.
Let’s dive into the news!
News
- Two new RSC protocol vulnerabilities (one high, one medium) were uncovered while auditing the protocol following React2Shell. The massive React shitstorm continues. According to Security Alliance, drainers are already having a field day infecting legitimate crypto websites. Please update now!
- Meet the onchain crypto detectives fighting crime better than the cops.
- Circle tests privacy-preserving wrapped version of USDC on Aleo.
- Who moved $3M in Silk Road BTC? Dormant addresses spring back to life.
- Fusaka Mainnet Prysm Incident. Missed blocks cost validators of $1M.
- Jupiter exec acknowledges ‘zero contagion’ claim was ‘not 100% correct’ after backlash over vault design.
Crime
- Crypto-crasher Do Kwon jailed for 15 years over $40bn UST bust.
- Paxful Pleads Guilty as DOJ Imposes $4 Million Criminal Penalty.
- Ninth Defendant Pleads Guilty in $263M Crypto Social-Engineering Scheme.
- Spanish Police Dismantle Network Linked to Crypto ‘Wrench Attack’ Murder.
- ‘Bitcoin Rodney’ faces decades in prison as feds add wire fraud to HyperFund charges.
- Beyond the Malware: Inside the Digital Empire of a North Korean Threat Actor by Flashpoint.
- 7 suspects arrested in Irvine home invasion robbery targeting cryptocurrency.
- I Studied Hundreds of Crypto Kidnappings and Robberies, Here’s How to Stay Safe by Beau.
Policy
Phishing
- Binance co-CEO Yi He’s WeChat account hacked to promote and profit from memecoin.
- A wallet on BNBChain was drained of $700K according to Cyvers.
- Report of an ongoing drainer phishing attack on Limewire by VectorBits.
- Arrested by Phone: India’s Digital Nightmare by Bloomberg. A graphic novel about an all too common scam.
Malware
- Infostealer has entered the chat by Kaspersky. A new wave of ClickFix attacks injecting malicious commands into popular LLM chat clients.
Media
- The Contest Academy - Mentorship Series by 0xSimao. The Contest Academy is a series of deep dives into the best paying bugs in contests including methodology, tools, and workflows.
- 34 Auditing Tips for 2026 by Alex the Entreprenerd.
- bountyhunt3rz - Episode 32 - windhustler.
- Inside The Coin Laundry: A live conversation and Q&A with ICIJ journalists.
Contests
- Dev Cave CTF at Breakpoint 2025.
- Web3 Security CTF by x0t0wt1w. A curated collection of intentionally vulnerable smart contracts designed to teach and practice real-world Web3 security.
- Learn Huff by solving a CTF challenge by themj0ln1r.
Research
- Post-Mortem: The Precompile
delegatecallIncident and Granite Resolution by Avalanche. Watch those chain precompiles. - Advent of Bugs 2025 by Accretion. A series of 24 X threads covering Solana bugs including: PDA Impersonation, LaunchPool timing issues, Optional Accounts, Intention, and the State Machine, and many many others.
- Blockchain bridge security - Part 4: Chain id spoofing and Hash Collision by Caliber.
- Auditing Solana Anchor constraints by Alexey Posikera (Decurity).
- Reverse Engineering EVM Storage by Wavey.
- Higher Bug Bounties Won’t Stop Hacks by samczsun.
- Explain First, Trust Later: LLM-Augmented Explanations for Graph-Based Crypto Anomaly Detection.
- From Oracle Choice to Oracle Lock-In: An Exploratory Study on Blockchain Oracles Supplier Selection.
- CKG-LLM: LLM-Assisted Detection of Smart Contract Access Control Vulnerabilities Based on Knowledge Graphs.
- An Explainable AI Model for the Detecting Malicious Smart Contracts Based on EVM Opcode Based Features.
- USCSA: Evolution-Aware Security Analysis for Proxy-Based Upgradeable Smart Contracts.
- BugSweeper: Function-Level Detection of Smart Contract Vulnerabilities Using Graph Neural Networks.
- Performance analysis of common browser extensions for cryptojacking detection.
Tools
- Tornado Cash Withdrawal Viewer by IOCOfficial. Analyse withdrawals from Tornado Cash ETH pools using the Etherscan API. View recipient addresses with withdrawal counts, totals, and date ranges across all three ETH pools.
- Slotscan. Human readable storage viewer.
Hacks
Eden Network
Date: December 08, 2025
Attack Vector: Insufficient Function Access Control
Impact: $54,000
Chain: Ethereum
References:
https://x.com/TikkalaResearch/status/1998149979958079782
DMi
Date: December 08, 2025
Attack Vector: Logic Error
Impact: $124,400
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1998219552270766459
https://blog.solidityscan.com/dmi-token-hack-analysis-63c6cf552b84
HTC Token
Date: December 09, 2025
Attack Vector: Reward Manipulation
Impact: $45,000
Chain: BSC
References:
https://x.com/TikkalaResearch/status/1998486325943742513
Thirdweb
Date: December 10, 2025
Attack Vector: msgSender Spoofing
Impact: $30,000
Chain: Ethereum
References:
https://blog.thirdweb.com/smart-contract-incident-report-legacy-bridge-vulnerability/
https://protos.com/jill-gunter-has-wallet-drained-via-vulnerable-thirdweb-contract/
https://x.com/jillgun/status/1998928975088009426
https://x.com/m13_digital/status/2000046108228075822
Limewire
Date: December 11, 2025
Attack Vector: Uninitialized Contract
Impact: Assets Stolen
Chain: BSC
References:
https://x.com/DefimonAlerts/status/1999112229141246208
0G Labs
Date: December 11, 2025
Attack Vector: Stolen Private Keys
Impact: $517,000
Chain: BSC
References:
https://x.com/SpecterAnalyst/status/1999123271363518665
https://x.com/0G_Foundation/status/1999781517283737670
Cheese Bank
Date: December 12, 2025
Attack Vector: Rounding Error
Impact: Assets Stolen
Chain: Ethereum
References:
https://x.com/VectorBits/status/1999459049868525956
Exploit:
Ribbon Finance (Aevo)
Date: December 12, 2025
Attack Vector: Price Oracle Manipulation
Impact: $2,700,000
Chain: Ethereum
References:
https://x.com/ribbonfinance/status/2000003294563905765
https://x.com/SpecterAnalyst/status/1999532982411854109
https://x.com/lzhou1110/status/1999673530661945702