Greetings!
The spotlight remains on the Samourai Wallet and Tornado Cash trials, with the Samourai defendants pleading guilty while Roman Storm continues to fight for the freedom to write code. A new trend is emerging as chain operators like Base and Arbitrum begin investing in ecosystem security, subsidizing code audits for projects building on their networks. Just a couple of compromises this week, both stemming from careless bugs and netting attackers just over $2M. Let’s take a closer look.
Users continue to fall victim to exploits long after major breaches because permission revocation is often neglected. The Multichain Router (formerly AnySwap) vulnerability from 2022 allowed attackers to bypass intended permission checks and drain funds from wallets that still had lingering approvals, even on chains where the router was no longer active. In one recent case a well-known MEV bot front-ran the theft and inadvertently rescued 401 ETH. Someone got really lucky here! So pretty please, with sugar on top, revoke your approvals at revoke.cash.
Speaking of user and wallet security, be sure to thank this week’s sponsor, Coinspect.
Coinspect’s Wallet Security Ranking is an objective, transparent, and regularly updated evaluation of leading cryptocurrency wallets. It focuses on critical security features like anti-phishing defenses, transaction clarity, and protection against blind signing, helping users choose wallets that prioritize their safety.
Link: https://www.coinspect.com/wallets/
You’d think that after countless smart contract disasters, fundamentals like permission checks would be bulletproof, but SuperRare’s staking contract proves otherwise. A simple mistake in the updateMerkleRoot function allowed anyone to hijack critical staking logic and drain $730K worth of RARE tokens:
    function updateMerkleRoot(bytes32 newRoot) external override {
        if (
            (msg.sender != owner() &&
                msg.sender !=
                address(0xc2F394a45e994bc81EfF678bDE9172e10f7c8ddc))
        ) revert NotAuthorized();
It took attackers about two weeks to discover and exploit this completely preventable and careless vulnerability.
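A negative-path access-control test of the kind that flags a broken caller check on a function like updateMerkleRoot before deployment, as an added example (not SuperRare's code or test suite). The contract is a hypothetical minimal model (RootModel, UPDATER and root are assumed names), the second allowed address is the one quoted above, and the test assumes Foundry with forge-std installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal model of a root-update function; not SuperRare's contract.
contract RootModel {
    error NotAuthorized();

    address public immutable owner;
    // Second allowed caller: the address quoted in the snippet on this page.
    address public constant UPDATER = 0xc2F394a45e994bc81EfF678bDE9172e10f7c8ddc;
    bytes32 public root;

    constructor() { owner = msg.sender; }

    function updateMerkleRoot(bytes32 newRoot) external {
        // Revert unless the caller is one of the two allowed addresses.
        if (msg.sender != owner && msg.sender != UPDATER) revert NotAuthorized();
        root = newRoot;
    }
}

contract RootModelAccessTest is Test {
    RootModel internal model;

    function setUp() public {
        model = new RootModel(); // the test contract becomes the owner
    }

    // Negative path, fuzzed: every caller outside the allowlist must be rejected.
    function testFuzz_OutsiderCannotUpdate(address caller, bytes32 newRoot) public {
        vm.assume(caller != address(this) && caller != model.UPDATER());
        vm.prank(caller);
        vm.expectRevert(RootModel.NotAuthorized.selector);
        model.updateMerkleRoot(newRoot);
        assertEq(model.root(), bytes32(0)); // state untouched after the revert
    }

    // Positive path: both allowed callers can still update the root.
    function test_AllowedCallersCanUpdate() public {
        model.updateMerkleRoot(bytes32(uint256(1)));
        assertEq(model.root(), bytes32(uint256(1)));
        vm.prank(model.UPDATER());
        model.updateMerkleRoot(bytes32(uint256(2)));
        assertEq(model.root(), bytes32(uint256(2)));
    }
}
```

The fuzzed negative test fails as soon as the guard admits any address outside the allowlist, which is the failure mode that matters for a privileged setter; the positive test guards against over-correcting and locking out the legitimate callers.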
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.
Let’s dive into the news!
Events
Defcon - Cryptocurrency Village. August 8-10. Featuring awesome talks on wallet, exchange, and DeFi security.
News
Arkham uncovered a $3.5B BTC hack of LuBian, a Chinese mining pool, back in 2020. Unlike traditional hot wallet or infrastructure CeFi compromises, this one was caused by a weak private key generation algorithm. Better late than never to discover and learn from the largest (in USD) crypto hack in history.
Monero Faces Looming 51% Attack Threat From Rival Blockchain Qubic.
Founders Of Samourai Wallet Cryptocurrency Mixing Service Plead Guilty. According to DoJ court documents, the two developers were actively promoting the wallet for concealing criminal proceeds on darknet forums and private chats.
Coinbase reports data theft cost $307 million as spot volumes and revenue dip in Q2.
Introducing free security reviews for Base builders by Base Engineering Team. A complementary service to the already free Hexagate monitoring service for onchain projects.
SlowMist Monthly Security Report: July Estimated Losses at $147 Million.
2025 Crypto Crime Mid-year Update: Stolen Funds Surge as DPRK Sets New Records by Chainalysis.
The Anatomy of a Breach Report - 2025 by Lab1. An interesting report on how bad actors correlate leaked creds, KYC, private keys, and other data to execute attacks.
2025 GenAI Code Security Report - Assessing the security of using LLMs for coding by Veracode. Only 55% of produced code was safe.
Amazon AI coding agent hacked to inject data wiping commands.
Crime
CoinDCX Employee Arrested Over $44M Exchange Hack. An interesting case study, where an employee may be arrested and prosecuted for negligence even if they did not intend to be malicious.
North Korea sent me abroad to be a secret IT worker. My wages funded the regime. A rare look into the operation by a regime defector.
N. Korean Hackers Used Job Lures, Cloud Account Access, and Malware to Steal Millions in Crypto.
Cameron Redman aka Canadian was convicted for the June 2022 mass X account compromise. ZachXBT was involved in the investigation leading to the arrest.
South Florida crypto money launderer sought grisly kidnappings involving amputations.
FBI seizes $2.4M in Bitcoin from new Chaos ransomware operation.
Virtual theft of crypto assets remains unpunished. An outdated legal framework in Germany allowed a thief to get away with $2.9M.
Cyprus Police Probe Crypto Heist: Over $448,000 Vanishes After Email Hack.
Policy
GENIUS or Gimmick by Rekt. An exploration of unwanted centralization effects of the GENIUS act.
Phishing
ScamSniffer July 2025 Phishing Report. Losses increased by 153% with $7.09M in losses and 56% more victims (9,143 victims).
A new scammer pattern that uses EIP-7702 to make compromised wallets break completely, so you can't send any funds to them for rescues, by pcaversaccio.
How to protect yourself from Google Forms scams by Kaspersky.
This Fake Bitcoin ATM Scheme Has Wasted 4,000 Hours of Scammers' Time. Kitboga strikes again.
Possible targeted attack using 1-click RCE in Telegram Desktop.
Malware
Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal by CheckPoint. From Facebook ads to fake crypto apps which steal creds and drain wallets.
Media
The Trial Against Tornado Cash Developer Roman Storm: Everything You Need to Know, hosted by The Rage and featuring Taylor Monahan, Molly White, Tim Clancy, and Amanda Tuminelli.
Research
Someone forgot to revoke approvals for Multichain Router V4, resulting in a 401 ETH instant hack by MEV bots by Chaofan Shou.
Bitcoin Lightning bug allows remote theft of bitcoin via LND nodes.
Modern invariant testing with halmos by karmacoma and Daejun Park (a16z crypto).
zkFuzz: Foundation and Framework for Effective Fuzzing of Zero-Knowledge Circuits.
Security Frameworks by SEAL - Wallet Security section by Piña (Coinspect).
The State of Encryption in Web3 by Safe Research.
Keeping secrets secure with secret scanning by Github.
Agent Red-Teaming: The AI Jailbreak Showdown by Ayla Croft (Gray Swan). You can participate here.
My Smart Contract Auditing Mental Model - Not a checklist! by The Caliber.
From Solana to Stylus: Introducing StylusPort by Oak Security.
Compressed NFTs on Solana by 0xmahdirostami.
Sui Move for EVM and SVM Developers: Part 1 - Mental Models by Ahmad Khan (Adevar Labs).
Program Analysis for High-Value Smart Contract Vulnerabilities: Techniques and Insights.
DoS Attacks and Defense Technologies in Blockchain Systems: A Hierarchical Analysis.
ETrace: Event-Driven Vulnerability Detection in Smart Contracts via LLM-Based Trace Analysis.
Tools
ape-safe - Account plugin for the Safe multisig wallet (previously known as Gnosis Safe) for the Ape Framework.
Anchor - a framework providing several convenient developer tools for writing Solana programs by Solana Foundation.
Introducing Solazy – A Solana Static Analyser & Reverse Engineering tool.
hashcat v7.0.0 release including support for MetaMask and various wallet cracking.