BlockThreat - Week 7, 2025
Libra | zkLend | Four Meme | MEV | BTC-e | Vinnik
Greetings!
More than $10M was stolen this week across 9 incidents. Most of the losses stemmed from the zkLend hack, the first large hack on the Starknet chain. Maybe someone should take JohnnyTime’s Cairo hacking class ;-) After the hack, the attackers quickly bridged funds to EVM chains and attempted to launder them through Railgun. However, Railgun was quick to flag the malicious transactions and returned the funds to the attackers. That’s a great anti-money-laundering mechanism: it denies bad actors the ability to abuse the platform while still enabling use of the protocol for legitimate privacy reasons.
Insufficient access control bugs accounted for most of the remaining hacks, including a $183K hack of Four Meme and someone slaughtering closed-source MEV bots across EVM chains.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
However, it was the Libra memecoin incident that really captured the wild west spirit of the ecosystem. It seems that presidential rugs are all the rage these days. What made this case truly special was the shameless revelation by the team behind the rug that they openly snipe coins, manipulate markets, and commit other crimes. You can find these brazen interviews in the Scams section below.
Let’s dive into the news!
News
- The Company Man: Binance exec detained in Nigeria breaks his silence. Tigran Gambaryan went through hell. If you are not familiar with Tigran’s work to secure the ecosystem, check out a related Wired article by Andy Greenberg. The story reveals a lot of details about corrupt Nigerian politicians demanding bribes, setting a trap to hold Tigran hostage, and gruesome conditions that almost cost him his life.
- US releases Russian cybercriminal as part of exchange for teacher Marc Fogel. The cybercriminal is Alexander Vinnik, who as a founder of BTC-e helped launder $4B+ obtained through ransomware and hacking attacks. It took years of work by multiple agencies, including Tigran Gambaryan, to catch Vinnik.
- Brit hunts for lost $768 million bitcoin treasure, seeks to buy garbage dump.
- The 2025 Crypto Crime Report by TRM.
Crime
- Alabama Man Pleads Guilty in Connection with Securities and Exchange Commission X Account Hack.
- California Teenager Sentenced to 48 Months in Prison for Nationwide Swatting Spree.
- 6 men accused of kidnapping family from Chicago townhouse and forcing a transfer of $15 million in cryptocurrency.
- Kidnapped crypto trader breaks ankles jumping from 30-foot balcony.
- Three Arrested in Spain Over Plot to Kidnap and Extort Crypto Broker.
- HashFlare cloud mining operators plead guilty to $577 million crypto fraud following FBI investigation.
- Binance’s Billion-Dollar Settlement Fuels Record DOJ Criminal Recoveries.
- BitConnect crypto scam ringleader tracked to India while authorities seize $190M.
- Phobos Ransomware Affiliates Arrested in Coordinated International Disruption.
- Arizona woman pleads guilty to running laptop farm for N. Korean IT workers, faces 9-year sentence.
- CFTC Secures $128 Million Judgment Against Crypto and Forex Fraudsters.
- US Customs and Border Patrol expands Bitcoin mining machine seizures to MicroBT and Canaan units.
- Teen on Musk’s DOGE Team Graduated from ‘The Com’ by Brian Krebs.
- Supreme Court lawyer Tom Goldstein arrested again over crypto transfers - Reuters.com.
- Blast Exposes Illegal Bitcoin Mining Setup in Malaysia.
Policy
- Crypto Expert Brian Quintenz of Andreessen Horowitz Selected to Lead the CFTC.
- Congressman Emmer: Gensler’s suppression of the crypto industry was ‘illegal’.
- Former SEC Chief Talks Dismantling of Crypto Enforcement: ‘C’est La Vie and to the Moon’.
Phishing
- Central African Republic ‘CAR’ memecoin info pages plagued with phishing links.
- Scammer is using fake Cloudflare captcha verification pages to trick users into executing malicious code by SlowMist.
- Safeguard Scams: Amos Stealer in Sight by Zero Shadow.
- X account of World Liberty Financial co-founder hacked, promotes fake Barron Trump memecoin project.
- How do scammers use fake transaction simulation sites to steal crypto?
Scams
- The Libra Incident: Examining Argentine President Javier Milei’s Confusing Token Endorsement and Its Destructive Aftermath. It started as yet another Solana memecoin rug, but then the story got stranger, stranger, stranger, and just as you begged for no more it got wild.
- Operation Level-Up: How the FBI Is Saving Victims from Cryptocurrency Investment Fraud.
- Crypto Scam Revenue 2024: Pig Butchering Grows Nearly 40% YoY as Fraud Industry Leverages AI and Increases in Sophistication by Chainalysis.
- State of Deception by Rekt. Central African Republic’s president launched a CAR memetoken which followed a familiar pattern of crashing within a few hours.
Malware
- North Korea targets crypto developers via NPM supply chain attack. The campaign targets owners of Exodus and Atomic wallets.
- Safeguard Scams: Amos Stealer in Sight by ZeroShadow. Discusses a malicious Safeguard bot campaign on Telegram with more than $1.8M stolen in a single month.
Media
- Bountyhunt3rz Podcast - Episode 4 - blockian (ControlZ_1337 & pwnmansh1p).
- Bountyhunt3rz Podcast - Episode 3 - zachobront.
- Deep Dive into Ethereum 7702 Smart Accounts: security risks, footguns and testing by tincho (The Red Guild).
Contests
- Your Safe wallet Guard might not be enough by flacko. A solution for the Mini CTF by Antonio Viggiano.
Research
- The Right Way To Multisig by Nican0r (Recon).
- Deterministic signatures are not your friends by Paul Miller. A new vulnerability in elliptic.js that can lead to key extraction.
- ERC-6492 Deployment Vulnerability: Leveraging isValidSignature Bypass via Pre-compiled contract by TK (Verichains).
- The call for invariant-driven development by Josselin Feist (Trail of Bits).
- Unleashing Medusa: Fast and scalable smart contract fuzzing by Josselin Feist, Anish Naik (Trail of Bits).
- Breaching Ethereum’s Privacy and Exploiting DEXs Using a Simple Cloud Vulnerability by Elad Ernst (0d).
- From Stage 0 to Stage 1: Security Council Best Practices in Rollup Governance by Bram Hoogenkamp (OpenZeppelin).
- What Are The Most Common Types of Blockchain Replay Attack? by Ciara Nightingale (Cyfrin).
- AAVE V2 Security Audit Checklist by flush (SlowMist).
- Why Is Everyone in Ethereum Talking About TEEs? by Jason Chaskin.
- EVM Fuzzing Resources by Perimeter Security.
- Roadmap to CosmWasm Security/Auditing by JCSec Security.
- Choosing a DeFi Protocol: Risks, Red Flags, and Recommendations by Nipun (Zellic).
- The Top Blockchain Education & Tutorials Projects On Solana by Solana Compass.
- Solana Smart Contract Security Best Practices by Slowmist.
- Hitchhiker's Guide to Aptos Fungible Assets by OtterSec.
- The Ultimate Guide to Cross-Chain Bridges in DeFi 2025 by Johnny Time.
- Blockchain Amplification Attack.
- FTSmartAudit: A Knowledge Distillation-Enhanced Framework for Automated Smart Contract Auditing Using Fine-Tuned LLMs.
- AiRacleX: Automated Detection of Price Oracle Manipulations via LLM-Driven Knowledge Mining and Prompt Generation.
- SC-Bench: A Large-Scale Dataset for Smart Contract Auditing.
- Serial Scammers and Attack of the Clones: How Scammers Coordinate Multiple Rug Pulls on Decentralized Exchanges.
- Smart Contract Fuzzing Towards Profitable Vulnerabilities.
Tools
- EIP7702 Goat by The Red Guild. Intentionally flawed code with potential pitfalls in custom contracts for EIP-7702 delegate accounts.
- VigilSeek - Crowdsourced Audits Timeline. The project tracks ongoing contests across Cantina, Sherlock, HackenProof, CodeHawks, and code4rena platforms.
- Foundry v1.0 released. The release includes plenty of cheatcodes and a very useful --decode-internal flag for call trace deep dives.
- Hummingbot is an open-source framework that helps you design and deploy automated trading strategies, or bots, that can run on many centralized or decentralized exchanges.
Hacks
OpenOcean
Date: February 11, 2025
Attack Vector: Unknown
Impact: $22,000
Chain: Base
References:
https://x.com/OpenOceanGlobal/status/1889739387484950697
Four Meme
Date: February 11, 2025
Attack Vector: Insufficient Function Access Control
Impact: $183,000
Chain: BSC
References:
https://x.com/SlowMist_Team/status/1889206331644789244
https://x.com/four_meme_/status/1889198796695044138
https://x.com/PeckShieldAlert/status/1889210001220423765
https://x.com/SlowMist_Team/status/1889210046518894595
https://x.com/CertiKAlert/status/1889204942193496340
https://x.com/BeosinAlert/status/1889243476858163210
https://x.com/exvulsec/status/1889264247403884770
https://x.com/TenArmorAlert/status/1889515007404286019
Exploit:
https://bscscan.com/tx/0x4235b006b94a79219181623a173a8a6aadacabd01d6619146ffd6fbcbb206dff
https://bscscan.com/tx/0xe0daa3bf68c1a714f255294bd829ae800a381624417ed4b474b415b9d2efeeb5
https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/2025-02/FourMeme_exp.sol
Liquity Protocol
Date: February 12, 2025
Attack Vector:
Impact: Assets Stolen
References:
https://x.com/LiquityProtocol/status/1889685629681934789
https://x.com/CyversAlerts/status/1889691547496575351
zkLend
Date: February 12, 2025
Attack Vector: Rounding Error
Impact: $10,000,000
Chain: Starknet
NOTE: Interesting Railgun refund.
References:
https://x.com/CertiKAlert/status/1889507487491170625
https://x.com/exvulsec/status/1889922120731468085
https://x.com/SlowMist_Team/status/1889659563517026772
https://x.com/CyversAlerts/status/1889582024861663421
https://x.com/SlowMist_Team/status/1890351732313714882
https://slowmist.medium.com/in-depth-analysis-of-zklend-hack-linked-to-eralend-hack-fba4af9b66ef
https://rekt.news/zklend-rekt/
https://blog.solidityscan.com/zklend-hack-analysis-e494cb794f71
https://drive.google.com/file/d/10i1dh_J89tPPw7KRcmFIVM6iNrJZAyfi/view
Root Cause:
https://github.com/zkLend/zklend-v1-core/blob/master/src/libraries/safe_math.cairo
Negotiation:
https://x.com/zkLend/status/1889515118368829559
Tracking:
https://x.com/SlowMist_Team/status/1889945521512652964
Laundering:
https://x.com/CyversAlerts/status/1889582024861663421
Exploit:
https://starkscan.co/tx/0x0160a5841b3e99679691294d1f18904c557b28f7d5fe61577e75c8931f34a16f
Unkn_378c6a
Date: February 13, 2025
Attack Vector: Insufficient Function Access Control
Impact: $100,900
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1890236360826532215
https://x.com/SlowMist_Team/status/1890232647240282153
Exploit:
https://bscscan.com/tx/0x619e1cae53f1e7f903344e8c0d2e4b1c160583c7ce1fc10eeb34fa3f21b570b1
Unkn_effca1
Date: February 13, 2025
Attack Vector: Insufficient Function Access Control
Impact: $54,500
Chain: Ethereum
References:
https://x.com/TenArmorAlert/status/1890220459742097895
Exploit:
https://etherscan.io/tx/0xf1119696cec427b2a145e15cb0c438c3120fb75cdca6fc948959e8e4c4ed65f3
Unkn_b86e49
Date: February 13, 2025
Attack Vector: Insufficient Function Access Control
Impact: $170,000
Chain: Ethereum, BSC, Avalanche, Base
References:
https://x.com/Phalcon_xyz/status/1890283371281997874
https://x.com/SlowMist_Team/status/1890232647240282153
https://x.com/0xNickLFranklin/status/1890395021569831261
Exploit:
https://etherscan.io/tx/0x6506f43d8bdf16c391b5f24d47f5efb3822f8c6710e40f6c1297839e1ebe66c0
https://bscscan.com/tx/0x619e1cae53f1e7f903344e8c0d2e4b1c160583c7ce1fc10eeb34fa3f21b570b1
https://snowscan.xyz/tx/0x599e252be0919c2a853ab5cc675d7244d7ed5e0c225acf9dd48027dc619c4731
https://basescan.org/tx/0xfa11f4897351a6389ad642f59846dd099f235013ff41dd8a725d4fd910aedee6
Unkn_d4f1
Date: February 15, 2025
Attack Vector: Uninitialized Contract
Impact: $15,200
Chain: BSC
References:
https://x.com/TenArmorAlert/status/1890776122918309932
Exploit:
https://bscscan.com/tx/0xc7fc7e066ec2d4ea659061b75308c9016c0efab329d1055c2a8d91cc11dc3868