WEB3-KILOEX-2025

On October 16, 2024, the cross-chain lending protocol Radiant Capital lost roughly $50M (about $53M across Arbitrum and BSC) after attackers compromised the devices of at least three of its multisig signers. Initial access began September 11, 2024 via a Telegram message spoofing a trusted former contractor, delivering a ZIP with a decoy PDF that was actually a macOS application carrying INLETDRIFT backdoor malware. The malware sat between the signers' browsers and their hardware wallets, so the Safe (Gnosis) UI and Tenderly simulations displayed correct data while the signers blind-signed a malicious transferOwnership() call on the LendingPoolAddressesProvider contract; the 3-of-11 threshold was met and the attacker then upgraded the pools to a malicious implementation and drained them. Mandiant assessed with high confidence the attack was conducted by North Korea-linked UNC4736 (aka Citrine Sleet/AppleJeus), part of the Lazarus cluster. Funds were not recovered and the protocol later wound down.

On August 10, 2021, an attacker exploited Poly Network's cross-chain contracts to steal about $611 million across Ethereum, BSC, and Polygon, the largest DeFi theft at the time. No keeper private keys were stolen; instead the attacker abused an access-control flaw. The EthCrossChainManager contract's verifyHeaderAndExecuteTx dispatched cross-chain calls through _executeCrossChainTx, which made an arbitrary contract call with no allowlist on target or method. The EthCrossChainData contract, which stores the bridge keeper public keys, was owned by the Manager, and its putCurEpochConPubKeyBytes setter was onlyOwner. Because Solidity derives a function selector from the first four bytes of a keccak256 hash, the attacker brute-forced the method string f1121318093, whose selector collides with putCurEpochConPubKeyBytes (0x41973cd9), and had the Manager call it as owner, replacing the entire keeper set with their own key and signing arbitrary withdrawals. The attacker, framing it as a white-hat demonstration, returned nearly all funds over about 15 days, with only about $33 million in USDT (frozen by Tether) initially outstanding.

A frontend hijack leaves the on-chain contracts untouched but replaces the Web2 surface serving the dApp UI with a wallet-drainer clone, so no Solidity audit can catch it. The recurring pattern: attackers take over the domain registrar or DNS provider account (or a CDN/tag-manager account), repoint the domain to a cloned site, and prompt visitors to sign malicious token approvals, EIP-2612 permit signatures, or transfers. Curve Finance was hit twice: on August 9-10, 2022 its curve.fi domain was DNS-hijacked via a compromised nameserver and drained ~$570K in USDC/DAI; and again around May 12, 2025 at the registrar level, after which Curve permanently migrated to curve.finance and announced an ENS move (Convex Finance and Resupply, which depend on Curve's data feeds, suffered dependency-driven outages but were not themselves compromised). In July 2024 a mass wave hit DeFi domains registered through Squarespace, whose forced migration off Google Domains stripped 2FA: Compound's frontend redirected to an Inferno Drainer clone and 100+ protocols were exposed (Celer blocked its takeover via domain monitoring). Ambient Finance's domain was hijacked through stolen registrar credentials on October 17, 2024. Most recently, on April 14, 2026 attackers used forged identity documents to social-engineer the registrar into handing over DNS control of CoW Swap's swap.cow.fi and cow.fi domains, redirecting users to a pixel-perfect drainer clone for about 90 minutes; over $1M was taken in roughly three hours, including 219 ETH (~$750K) from a single wallet, while CoW's contracts, backend APIs, and solver network were untouched. The same bucket includes CDN-account injections (KyberSwap's September 2022 Cloudflare/Google Tag Manager compromise, ~$265K) and BGP route hijacks that swap signed bundles for drainer code.

On February 21, 2025, Bybit lost roughly $1.5 billion (about 401,347 ETH plus stETH/mETH) in the largest crypto hack to date. The root cause was a supply-chain/front-end compromise: a breached Safe{Wallet} developer machine let attackers inject malicious JavaScript into the Safe UI served from Safe's S3-backed app.safe.global front end. The code was scoped to activate only for Bybit's cold-wallet Safe (and one other contract), so when the three signers reviewed a routine cold-to-hot transfer the UI showed legitimate data while their Ledgers were sent a different payload. Signers blind-signed a delegatecall (operation=1) to an attacker contract that, executing in the proxy's storage context, overwrote storage slot 0 (the masterCopy/singleton pointer) with an attacker-controlled implementation, after which sweep functions drained the wallet. The FBI and TRM Labs attributed the theft to North Korea's Lazarus Group (TraderTraitor/APT38); funds were rapidly laundered and not recovered.

On August 13, 2024 the Vow (Vowcurrency) protocol lost about $1.2 million (~452 ETH) when its own admin temporarily misconfigured a price setter and an MEV bot pounced. Vow's usdRateSetter admin key called setUSDRate and changed the VOW-to-vUSD exchange rate from 1 to 100 - the team later said it was testing the rate-setter while preparing a lending pool - then reverted it. The function had no input validation and no rate-change delay or timelock, and the inflated rate was readable on-chain for the window between the two transactions. An attacker-controlled MEV bot, its contract deployed 110 days earlier and funded via Tornado Cash, detected the change and within two blocks swapped VOW into vUSD at the 100x rate, minting roughly 148.7 million vUSD far above its backing, then dumped it for ETH and USDT on Uniswap. The VOW token fell 80-87%. The root cause was an unbounded, unprotected privileged setter exposed without a timelock, turning a careless admin action into instantly exploitable on-chain state.

On July 18, 2024 Indian exchange WazirX lost approximately $230M (about $234.9M) from a Safe (Gnosis) 4-of-6 multisig wallet held under a custody arrangement with Liminal (five WazirX keys plus one Liminal key). The attack was a blind-signing exploit: signers reviewed benign transaction details in the manipulated Liminal interface while the payload actually signed differed, authorizing a delegatecall (function selector 0x804e1f0a) that overwrote slot0 of the Safe proxy and repointed its implementation to an attacker-controlled contract (0xef279c2ab14960aa319008cbea384b9f8ac35fc6). Once the proxy pointed to attacker logic the wallet was fully controlled without further keys, and it was drained. The theft was attributed to North Korea's Lazarus Group, later confirmed in a joint statement by the US, South Korea and Japan in January 2025. Funds were laundered via Tornado Cash; victims are being repaid through a court-approved restructuring (resumed October 2025, BitGo custody) rather than direct recovery.