Greetings!
This week, nearly $670K was stolen across seven incidents. The recurring theme? Carelessness. With prices surging over the past few weeks, projects are rushing to deploy to capitalize on the bull market—often with disastrous consequences. This week alone, we’ve seen half-baked oracles, risky changes to ERC-20 library code, last-minute unaudited additions, and easily exploitable price and reward manipulations.
Please stay vigilant. The post-election tailwinds could quickly shift into another storm of punitive regulations if we’re not cautious.
Labubu made a boo boo
Labubu lost $120K to a preventable exploit. An incorrectly implemented transfer function failed to handle identical source and destination transfers, allowing attackers to double their assets with every deposit:
    function _transfer(address sender, address recipient, uint256 amount) internal {
        require(sender != address(0), "Xfer from zero addr");
        require(recipient != address(0), "Xfer to zero addr");
        // Both balances are read before any write. When sender == recipient,
        // recipientBalance is a stale copy that still includes the amount
        // about to be debited.
        uint256 senderBalance = _balances[sender];
        uint256 recipientBalance = _balances[recipient];
        uint256 newSenderBalance = SafeMath.sub(senderBalance, amount);
        if (newSenderBalance != senderBalance) {
            _balances[sender] = newSenderBalance;
        }
        // The published snippet ends above; the credit below is the step the
        // bug description implies, and on a self-transfer it overwrites the debit.
        _balances[recipient] = SafeMath.add(recipientBalance, amount);
    }
The smart contract was exploited just nine hours after deployment. The attacker likely identified the vulnerability immediately and waited patiently for sufficient Pancake liquidity before striking.
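To make the failure mode concrete, here is an added Python model (not code from the original post or the Labubu contract) of the same balance-update ordering next to a corrected version, together with the total-supply invariant that flags the bug in a unit test or a monitor. Account names and amounts are constructed.

```python
class Ledger:
    """Constructed toy ledger: a balances map plus the fixed total supply."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())

    def transfer_vulnerable(self, sender, recipient, amount):
        # Mirrors the Labubu ordering: both balances are cached before any
        # write, so when sender == recipient the stale recipient_balance
        # overwrites the debited sender balance and the debit is lost.
        sender_balance = self.balances.get(sender, 0)
        recipient_balance = self.balances.get(recipient, 0)
        if sender_balance < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = sender_balance - amount
        self.balances[recipient] = recipient_balance + amount

    def transfer_fixed(self, sender, recipient, amount):
        # Debit first, then re-read the recipient balance from storage, so a
        # self-transfer nets to zero instead of minting.
        sender_balance = self.balances.get(sender, 0)
        if sender_balance < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = sender_balance - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

    def supply_intact(self):
        # Invariant a unit test, fuzzer or on-chain monitor should check after
        # every transfer: the sum of balances never drifts from total supply.
        return sum(self.balances.values()) == self.total_supply


def self_transfer_delta(vulnerable, start, amount):
    """Gain from one self-transfer of `amount` starting at `start`, and
    whether the supply invariant still holds afterwards."""
    # Constructed sample state: one attacker account and a liquidity pool.
    ledger = Ledger({"attacker": start, "pool": 1000})
    fn = ledger.transfer_vulnerable if vulnerable else ledger.transfer_fixed
    fn("attacker", "attacker", amount)
    return ledger.balances["attacker"] - start, ledger.supply_intact()


if __name__ == "__main__":
    print(self_transfer_delta(True, 100, 100))   # (100, False): balance doubled
    print(self_transfer_delta(False, 100, 100))  # (0, True)
```

The supply check is the cheap regression test that would have caught this before deployment: any transfer, self or not, must leave the sum of balances unchanged.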
More Unnecessary Hacks:
• Alpaca Finance: Lost funds due to manually updating prices using CoinGecko—an ill-advised practice exploited after one token pumped following a CeFi listing.
• Clober: Suffered a $500K reentrancy exploit after introducing post-audit code changes.
• Doge Chain: Hit by a previously disclosed bug that most nodes failed to patch, resulting in hundreds of thousands in avoidable losses.
Haven Protocol’s Shutdown
Haven Protocol, a Monero fork, announced its shutdown after an audit revealed an infinite minting vulnerability in its XHV token dating back to 2023. While the first signs of the exploit appeared in August 2024, when $10M xUSD was burned beyond the circulating supply, it took three months to confirm that attackers controlled 94% of the supply. Blockchains rarely die, but an infinite mint exploit of this magnitude is an unrecoverable death blow.
This wasn’t Haven’s first brush with vulnerabilities. In June 2021, it lost $4.5M in seven days due to four separate minting exploits. Interestingly, a similar project, Zeph, discovered and quietly patched the same vulnerability in September but failed to share it with Haven.
Want to learn more?
Get the full details of this week’s compromises and many others by subscribing to the premium section of this newsletter. Support the publication and stay informed by signing up below!
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!