After the theft, the victim sent an on-chain message to the scammer, offering a $1 million "bounty" for the return of the remaining funds. They threatened, "We have officially filed a criminal case. With the assistance of law enforcement, cybersecurity agencies, and multiple blockchain protocols, we have already gathered substantial and actionable intelligence regarding your activities." However, there's been no activity from the wallet since the message, and the thief had long since begun laundering the funds via Tornado Cash.
Crypto trader loses $50 million to address poisoning attack
A crypto trader lost almost $50 million in the Tether stablecoin after falling victim to an address poisoning attack. Because blockchain wallet addresses are long, random alphanumeric strings, traders often use the first and/or last several characters to quickly recognize wallets, and copy and paste regularly used wallet addresses from their transaction history. This has given rise to a type of scam known as "address poisoning", where scammers generate wallet addresses that share similar beginning and end characters, and use them to send transactions to wealthy victims. If they're lucky, as they were in this case, the victim will accidentally copy the similar looking scammer's wallet address when making a transfer of significant size.
- Thief wallet, Etherscan [archive]
- On-chain message, Etherscan
Yearn Finance suffers fourth exploit only weeks after third
Only weeks after losing $6.6 million to an infinite mint exploit, a Yearn Finance smart contract has again been exploited, allowing an attacker to make off with around 103 ETH (~$300,000). The affected contract is a legacy contract that was part of the Yearn v1 project (once known as iearn). The attacker used a flash loan to manipulate the price of tokens in the vault, allowing them to withdraw the iearn assets, which they then swapped for ETH.
This is Yearn's fourth hack, following the $6.6 million theft in November, an $11 million exploit in 2023, and an $11 million exploit in 2021. Yearn also lost around $1.4 million in 2023 in connection to the Euler Finance attack.
Ribbon Finance suffers $2.7 million exploit, plans to use "dormant" users' funds to repay active users
Ribbon Finance, which has partially rebranded to Aevo, has lost $2.7 million after attackers exploited a vulnerability in the smart contract for legacy Ribbon vaults that enabled them to manipulate oracle prices and withdraw a large amount of ETH and USDC.
Ribbon has announced it will cover $400,000 of the lost funds with its own assets. However, Ribbon is also offering users a lower-than-expected haircut on their assets by assuming that some of the largest affected accounts will not withdraw their assets, having been dormant for several years. While this plan may benefit active users, it seems like it could get very messy if those dormant users do wish to withdraw their assets and discover they've been used to pay others.
Yearn Finance hacked for the third time
Yearn Finance, a defi yield protocol, has suffered another hack. The exploiter took advantage of bugs in the project's smart contract to drain assets from several of its pools by minting a huge number of yETH tokens and then withdrawing the corresponding asset in the pools.
$2.4 million of the stolen assets, which were denominated in pxETH, a liquid staking token issued by Redacted Cartel, were recovered after the issuer burned the stolen tokens and reissued them to the team's wallet — essentially, removing the tokens from the hacker's wallet. However, the hacker routed the remaining funds through the Tornado Cash cryptocurrency mixer, which makes recovery substantially more challenging.
This is the third time Yearn Finance has been hacked, following an $11 million exploit in 2023 and another $11 million exploit in 2021. Yearn also suffered around $1.4 million in losses in 2023 in connection to the Euler Finance attack.
Upbit hacked for $30 million
The Korean cryptocurrency exchange Upbit suffered a loss of around $30 million in various Solana-based assets due to a hack. Some entities have suggested that Lazarus, a North Korean state-sponsored cybercrime group, was behind the hack.
Upbit reimbursed users who had lost funds from company reserves. The exchange was able to freeze around $1.77 million of the stolen assets.
This theft occurred exactly six years after Upbit suffered a theft of 342,000 ETH (priced at around $50 million at the time).
Aerodrome and Velodrome suffer website takeovers, again
Attackers redirected users intending to visit the websites for the decentralized exchanges Aerodrome and Velodrome to their own fraudulent versions using DNS hijacking, after taking control of the websites' domains. The platforms urged users not to visit the websites as they worked to regain control.
This is the second time such an attack has happened to these same platforms, with another DNS hijacking incident occurring almost exactly two years ago. In that instance, users lost around $100,000 when submitting transactions via the scam websites.
GANA Payment hacked for $3.1 million
An attacker stole approximately $3.1 million from the BNB chain-based GANA Payment project. The thief laundered about $1 million of the stolen funds through Tornado Cash shortly after. The attacker was able transfer ownership of the GANA contract to themselves, possibly after a private key leak.
The theft was first observed by crypto sleuth zachxbt. Not long after, the project acknowledged on its Twitter account that "GANA's interaction contract has been targeted by an external attack, resulting in unauthorized asset theft."
Moonwell accrues almost $3.7 million of bad debt after oracle malfunction
The Moonwell lending protocol, built on the Base Ethereum L2, wound up with $3.7 million in bad debt after an attacker took advantage of an oracle malfunction that caused the price of wrsETH to be massively inflated. The Chainlink oracle used by the project erroneously reported that a single wrsETH token (Kelp DAO's wrapped restaked ETH) was priced at around 1.65 million ETH (~$5.8 billion). Within 30 seconds of the oracle reporting bad data, an attacker took advantage of the error to borrow huge amounts of tokens, which they then swapped to other tokens to cash out.
Ultimately the attacker profited around 295 ETH (~$1 million), but the protocol was saddled with significantly more bad debt that the team will now have to grapple with.
- wrsETH Oracle Malfunction 11/4/25, Moonwell forum
- Tweet by CertiK Alert [archive]
Stream Finance halts activity after $93 million loss
The Stream Finance defi yield project announced that "an external fund manager overseeing Stream funds disclosed the loss of approximately $93 million in Stream fund assets." Stream announced that they were in the process of withdrawing remaining liquid assets, and had halted all deposits or withdrawals. They also announced they had retained a law firm to investigate the "incident".
The project didn't disclose who the fund manager was, or the circumstances in which the "loss" occurred.
The Staked Stream USD token depegged on November 3, and crashed further following the announcement.
Balancer exploited for at least $110 million
The defi protocol Balancer suffered a major exploit that drained over $110 million across several blockchains, including Ethereum, Polygon, Base, and Sonic. Attackers exploited faulty access control in the
manageUserBalance function of Balancer's v2 smart contract, enabling unauthorized internal withdrawals. The stolen tokens included 6,850 osETH, 6,590 wETH, and 4,260 wstETH, later consolidated into new wallets likely for laundering.The exploit also impacted forked protocols like Beets Finance, which lost around $3 million. Balancer's BAL token dropped over 10% following the theft.
This was Balancer's third major security incident since 2020, despite prior audits by OpenZeppelin and Trail of Bits.