Blockchain Threat Intelligence

BlockThreat - Week 50, 2025

ThirdWeb | Ribbon Finance | 0G Labs | DMi | HTC | React

Dec 15, 2025

Greetings!

Almost $3.5M was stolen this week across eight projects. Unfortunately, the week also marked the appearance of all three emerging threat classes I discussed in my talk at DSS 2025.

Watering Hole Contracts are particularly dangerous because they target not the protocols themselves, but their users. Victims are users who previously approved their funds to a vulnerable or compromised contract, often long forgotten. That was the case this week with Jill Gunter, who had an old unlimited token approval to a ThirdWeb contract containing an insidious msgSender spoofing vulnerability from nearly two years ago. Attackers patiently waited for a user with a sufficiently large balance to appear, then exploited the vulnerability to drain the funds.

What makes this incident especially unfortunate is that ThirdWeb could have prevented the loss by disabling the vulnerable contract, but it appears this step was overlooked. As I mentioned in my talk, users should regularly review and revoke token approvals that are no longer needed. Even better, they should avoid infinite approvals altogether, given the massive security risk they pose.
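To make the approval-review advice above concrete, here is an added example (not code from the newsletter, from ThirdWeb, or from any project mentioned here) that replays ERC-20 Approval event logs in the shape eth_getLogs returns them, lists an owner's outstanding allowances, and flags the unlimited and long-standing ones. The log entries, wallet and contract addresses are constructed placeholders; only the Approval and Transfer topic hashes are the real ERC-20 event signatures.

```python
"""Find outstanding (and unlimited) ERC-20 approvals for an owner by replaying
raw Approval event logs.

Added example; not code from the newsletter or any project it mentions.
All addresses and log entries below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)") and
# keccak256("Transfer(address,address,uint256)"): the standard ERC-20 topics.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
UINT256_MAX = 2**256 - 1


@dataclass
class Approval:
    token: str
    owner: str
    spender: str
    amount: int
    block: int

    @property
    def unlimited(self) -> bool:
        # Dapps use 2**256-1, 2**255-1 and similar "infinite" values; treat
        # anything in the top half of the uint256 range as unlimited.
        return self.amount >= 2**255


def _topic_to_address(topic: str) -> str:
    # Indexed address parameters are left-padded to 32 bytes inside the topic.
    return "0x" + topic[-40:].lower()


def parse_approval(log: dict) -> Approval | None:
    """Decode one log entry; return None if it is not an ERC-20 Approval."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return Approval(
        token=log["address"].lower(),
        owner=_topic_to_address(topics[1]),
        spender=_topic_to_address(topics[2]),
        amount=int(log["data"], 16),
        block=int(log["blockNumber"], 16),
    )


def outstanding_approvals(logs: list[dict], owner: str) -> list[Approval]:
    """Replay Approval events in chain order. approve() overwrites, so the
    latest event per (token, spender) is the live allowance; zero allowances
    are already revoked and dropped. Result is oldest first."""
    owner = owner.lower()
    latest: dict[tuple[str, str], Approval] = {}
    ordered = sorted(
        logs,
        key=lambda l: (int(l["blockNumber"], 16), int(l.get("logIndex", "0x0"), 16)),
    )
    for log in ordered:
        ap = parse_approval(log)
        if ap is None or ap.owner != owner:
            continue
        latest[(ap.token, ap.spender)] = ap
    return sorted((a for a in latest.values() if a.amount > 0), key=lambda a: a.block)


def stale_approvals(approvals: list[Approval], head_block: int, max_age: int) -> list[Approval]:
    """Approvals older than max_age blocks: the 'long forgotten' ones."""
    return [a for a in approvals if head_block - a.block > max_age]


# --- constructed sample data (placeholders, not real addresses) ---------------
OWNER = "0x" + "aa" * 20
OTHER = "0x" + "bb" * 20
TOKEN_A, TOKEN_B, TOKEN_C = ("0x" + c * 40 for c in "123")
SPENDER_1, SPENDER_2, SPENDER_3 = ("0x" + c * 40 for c in "456")


def _addr_topic(addr: str) -> str:
    return "0x" + addr[2:].rjust(64, "0")


def _approval_log(token, owner, spender, amount, block, index=0) -> dict:
    return {
        "address": token,
        "topics": [APPROVAL_TOPIC, _addr_topic(owner), _addr_topic(spender)],
        "data": "0x" + format(amount, "064x"),
        "blockNumber": hex(block),
        "logIndex": hex(index),
    }


SAMPLE_LOGS = [
    _approval_log(TOKEN_A, OWNER, SPENDER_1, UINT256_MAX, 100),     # old, unlimited, never revoked
    _approval_log(TOKEN_C, OWNER, SPENDER_3, UINT256_MAX, 150),     # unlimited, but ...
    _approval_log(TOKEN_B, OWNER, SPENDER_2, 1_000 * 10**18, 200),  # bounded allowance
    _approval_log(TOKEN_C, OWNER, SPENDER_3, 0, 300),               # ... revoked later
    _approval_log(TOKEN_A, OTHER, SPENDER_1, UINT256_MAX, 310),     # a different owner
    {   # an unrelated Transfer event that the parser must ignore
        "address": TOKEN_A,
        "topics": [TRANSFER_TOPIC, _addr_topic(OWNER), _addr_topic(OTHER)],
        "data": "0x" + format(5 * 10**18, "064x"),
        "blockNumber": hex(320),
        "logIndex": "0x0",
    },
]

if __name__ == "__main__":
    live = outstanding_approvals(SAMPLE_LOGS, OWNER)
    for a in live:
        flag = "UNLIMITED" if a.unlimited else f"{a.amount / 10**18:.2f} tokens"
        print(f"token={a.token[:10]}.. spender={a.spender[:10]}.. block={a.block} {flag}")
    for a in stale_approvals(live, head_block=400, max_age=250):
        print(f"stale approval worth revoking: token={a.token[:10]}.. spender={a.spender[:10]}..")
```

In practice the input would be the result of an eth_getLogs query filtered on the Approval topic and the owner's address in topic[1]; anything that comes back unlimited or older than you remember granting is a candidate for an approve(spender, 0) transaction.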

Speaking of predicted threats, another legacy contract was attacked this week. Ribbon Finance lost $2.7M after an attacker successfully forged an update to its price oracle feed. This was a subtle and sophisticated exploit, emblematic of a new generation of attackers who specialize in uncovering deep vulnerabilities hidden in older codebases.

If we can’t reaudit every legacy project, then at the very least we should apply modern tooling capable of analyzing older codebases against the latest attack patterns. This week’s sponsor, Ackee, has built exactly such a tool with Wake Arena, designed to hunt down deep and hard-to-find vulnerabilities. Be sure to check them out!


Wake Arena identified 43 of 94 high-severity vulnerabilities in benchmark tests on historical audit competitions. In 3 production Ackee audits in November 2025 for Lido, Printr, and Everstake, it discovered 26/79 (33%) of all findings, including 5/10 (50%) of the critical findings in Printr, and six unique vulnerabilities. Read the full report.


Let’s dive into the news!

News

  • Two new RSC protocol vulnerabilities (one high, one medium) were uncovered while auditing the protocol following React2Shell. The massive React shitstorm continues. According to Security Alliance, drainers are already having a field day infecting legitimate crypto websites. Please update now!

  • Meet the onchain crypto detectives fighting crime better than the cops.

  • Circle tests privacy-preserving wrapped version of USDC on Aleo.

  • Who moved $3M in Silk Road BTC? Dormant addresses spring back to life.

  • Fusaka Mainnet Prysm Incident. Missed blocks cost validators $1M.

  • Jupiter exec acknowledges ‘zero contagion’ claim was ‘not 100% correct’ after backlash over vault design.

Crime

  • Crypto-crasher Do Kwon jailed for 15 years over $40bn UST bust.

  • Paxful Pleads Guilty as DOJ Imposes $4 Million Criminal Penalty.

  • Ninth Defendant Pleads Guilty in $263M Crypto Social-Engineering Scheme.

  • Spanish Police Dismantle Network Linked to Crypto ‘Wrench Attack’ Murder.

  • ‘Bitcoin Rodney’ faces decades in prison as feds add wire fraud to HyperFund charges.

  • Beyond the Malware: Inside the Digital Empire of a North Korean Threat Actor by Flashpoint.

  • 7 suspects arrested in Irvine home invasion robbery targeting cryptocurrency.

  • I Studied Hundreds of Crypto Kidnappings and Robberies, Here’s How to Stay Safe by Beau.

Policy

  • Statement on the Division of Trading and Market’s No-Action Letter Related to DTC’s Development of Securities Tokenization Services by SEC.

Phishing

  • Binance co-CEO Yi He’s WeChat account hacked to promote and profit from memecoin.

  • A wallet on BNBChain was drained of $700K according to Cyvers.

  • Report of an ongoing drainer phishing attack on Limewire by VectorBits.

  • Arrested by Phone: India’s Digital Nightmare by Bloomberg. A graphic novel about an all too common scam.

Malware

  • Infostealer has entered the chat by Kaspersky. A new wave of ClickFix attacks injecting malicious commands into popular LLM chat clients.

Media

  • The Contest Academy - Mentorship Series by 0xSimao. The Contest Academy is a series of deep dives into the best paying bugs in contests including methodology, tools, and workflows.

  • 34 Auditing Tips for 2026 by Alex the Entreprenerd.

  • bountyhunt3rz - Episode 32 - windhustler.

  • Inside The Coin Laundry: A live conversation and Q&A with ICIJ journalists.

Contests

  • Dev Cave CTF at Breakpoint 2025.

  • Web3 Security CTF by x0t0wt1w. A curated collection of intentionally vulnerable smart contracts designed to teach and practice real-world Web3 security.

  • Learn Huff by solving a CTF challenge by themj0ln1r.

Research

  • Post-Mortem: The Precompile delegatecall Incident and Granite Resolution by Avalanche. Watch those chain precompiles.

  • Advent of Bugs 2025 by Accretion. A series of 24 X threads covering Solana bugs including PDA Impersonation, LaunchPool timing issues, Optional Accounts, Intention and the State Machine, and many, many others.

  • Blockchain bridge security - Part 4: Chain id spoofing and Hash Collision by Caliber.

  • Auditing Solana Anchor constraints by Alexey Posikera (Decurity).

  • Reverse Engineering EVM Storage by Wavey.

  • Higher Bug Bounties Won’t Stop Hacks by samczsun.

  • Explain First, Trust Later: LLM-Augmented Explanations for Graph-Based Crypto Anomaly Detection.

  • From Oracle Choice to Oracle Lock-In: An Exploratory Study on Blockchain Oracles Supplier Selection.

  • CKG-LLM: LLM-Assisted Detection of Smart Contract Access Control Vulnerabilities Based on Knowledge Graphs.

  • An Explainable AI Model for the Detecting Malicious Smart Contracts Based on EVM Opcode Based Features.

  • USCSA: Evolution-Aware Security Analysis for Proxy-Based Upgradeable Smart Contracts.

  • BugSweeper: Function-Level Detection of Smart Contract Vulnerabilities Using Graph Neural Networks.

  • Performance analysis of common browser extensions for cryptojacking detection.

Tools

  • Tornado Cash Withdrawal Viewer by IOCOfficial. Analyse withdrawals from Tornado Cash ETH pools using the Etherscan API. View recipient addresses with withdrawal counts, totals, and date ranges across all three ETH pools.

  • Slotscan. Human readable storage viewer.


Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.


Premium Content

This post is for paid subscribers

© 2026 Peter Kacherginsky