Greetings!

This week, over $2.3M was stolen across four incidents. With the year drawing to a close, we may narrowly avoid the much-dreaded mega holiday hacks. Credit for this goes largely to the hypervigilance of the security community, such as Tay’s early warning about North Korean actors probing the HyperLiquid protocol.

Instead, we’re witnessing a steady stream of relatively straightforward smart contract hacks. While far from ideal, these lack the ecosystem-wide impact of the devastating attacks typically seen around the New Year in recent years.

The notable exception is the $2M Gempad reentrancy exploit. Gempad, a platform for launching new tokens based on pre-existing templates, suffered a significant security failure. A flaw in one such template triggered a high-impact event, affecting 27 projects. Remarkably, losses were limited to just $2M—especially considering that over 3,000 projects were launched on the platform.

DCF also got hit with yet another price oracle exploit. I guess the $428K price oracle lesson back in November wasn’t sufficient.

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Let’s dive into the news!