Extropy Security Bytes: w11 2025

7 min read · Mar 14, 2025

Welcome to this week’s security news roundup, covering March 11th to 18th. The cybersecurity landscape remains as dynamic as ever, with fresh threats emerging. From high-profile DeFi exploits to Lazarus Group’s latest npm attack methods and critical hardware wallet vulnerabilities, we’ve got all the key insights to keep you informed and secure. Let’s dive in.

1inch $5 million Hack

The decentralised finance (DeFi) aggregator 1inch suffered a security exploit on or around March 5, 2025, resulting in losses exceeding $5 million. Security firm SlowMist reported the incident after detecting suspicious transactions. The root cause of the exploit was an outdated smart contract, specifically the resolver smart contract that was still using the deprecated Fusion v1. Resolvers play a crucial role in the 1inch ecosystem, acting as automated algorithms that assess which orders to fulfil and provide liquidity to swappers.

The vulnerability has been described as a calldata corruption bug in the settlement contract that led to an arbitrary call primitive. By supplying an interaction length of -512, an attacker could trigger an integer underflow in the memory pointer arithmetic and redirect where the suffix data was read from. This allowed the hacker to forge resolveOrders calls to the market maker contracts associated with the resolvers and drain their funds. Although the vulnerability resided in code that was supposed to be retired (the settleOrder function), it remained active and was exploited.

In the aftermath of the attack, 1inch took the following actions:

  • Encouraged all resolvers to audit and update their contracts immediately to prevent further attacks.
  • Launched efforts to assist impacted resolvers in securing their systems.
  • Introduced a bug bounty program offering rewards between $100 and $500,000 to gather more insights into the incident. By the time of reporting, they had received 58 submissions and paid $200 in bounties.
  • Reportedly negotiated with the attacker, leading to the recovery of most of the stolen assets minus a bug bounty fee. Interestingly, the hacker initially incorrectly transferred half of the stolen funds back to the 1inch settlement contract.

Security analysis firm Decurity released a detailed post-mortem analysis, highlighting the surprising simplicity of the buffer overflow vulnerability that was exploited.

Vulnerability Found in Trezor Safe Devices

Ledger’s open-source research arm, Ledger Donjon, discovered a security vulnerability in Trezor’s Safe 3 and Safe 5 hardware wallet models. Trezor has since patched the flaw.

Summary:

  • Ledger found that cryptographic operations could still be performed on the microcontroller of the Trezor Safe 3 model, potentially making it “vulnerable to more advanced attacks”.
  • Another potential attack vector stemmed from the microcontroller in both the Safe 3 and 5 models.
  • Trezor implemented a firmware integrity check to detect modified software, but Ledger demonstrated that this security check could be bypassed.
  • Ledger’s analysis highlighted that the new Trezor devices remain vulnerable to specific supply chain attacks due to their reliance on a microcontroller for cryptographic operations.
  • The microcontroller used in Trezor Safe devices, labeled TRZ32F429 (a customised STM32F429 chip), is vulnerable to voltage glitching attacks.
  • This allows a sophisticated attacker with physical access to read and modify the firmware stored in the device’s flash memory.
  • Since Trezor uses a pre-shared secret between the Secure Element and the microcontroller for authenticity verification, an attacker could potentially extract this secret via a glitching attack and reprogram the device while appearing genuine.

Exploitation:

  • The attacks described require physical access to the Trezor device.
  • A supply chain attack could involve implanting malicious firmware during production or distribution, potentially leading to the remote theft of user funds without their knowledge.
  • The demonstrated attack involved voltage glitching, requiring desoldering the microcontroller and applying precise voltage changes to reveal the flash memory contents. This is considered a highly technical attack.

Responses and Mitigation:

  • Trezor has patched up the security flaw after Ledger reported it. However, the method of the patch was not disclosed. When asked if the issue was patched via firmware, Trezor responded, “Unfortunately not”.
  • Trezor stated that the discovered exploit is a previously known attack.
  • Trezor reassured users that funds remain safe and no action is required, especially if the device was purchased from official sources.
  • Ledger’s CTO noted that Trezor addressed the vulnerabilities, highlighting the importance of continuous improvement and cooperation in crypto security.
  • To mitigate risks, users are advised to only purchase devices directly from official sources to ensure the integrity of the supply chain.
  • Newer Trezor models include a “passphrase” as an extra layer of security. The Trezor Safe 5 uses an upgraded microcontroller that is resistant to voltage glitching.
  • Users can check their wallet firmware using the official Trezor Suite and should keep their devices updated. If there are signs of tampering, users should reset the device and restore it in a secure environment.

Lazarus Group Linked to 6 Fresh NPM Packages

A recent report has linked North Korea’s Lazarus Group to six new malicious npm packages. This attack attempts to deploy backdoors to steal credentials. This discovery was made by The Socket Research Team. Here are the key details:

  • The attack involves six malicious npm packages: is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator.
  • These packages employ a technique called typosquatting, using deliberately misspelled names to deceive developers into installing them.
  • The infamous Lazarus Group, a North Korean state-sponsored hacking organisation, is suspected to be behind this activity. They have been linked to numerous significant cryptocurrency hacks, including the recent $1.4 billion theft from the crypto exchange Bybit.
  • Cybersecurity researchers noted that the tactics, techniques, and procedures (TTPs) observed in this npm attack closely align with Lazarus’s known operations.
  • The malicious code within these packages is designed to extract cryptocurrency data, targeting sensitive information stored in Solana and Exodus crypto wallets.
  • The attack specifically targets files associated with Google Chrome, Brave, and Firefox browsers, as well as keychain data on macOS, suggesting that developers are the primary targets.
  • The threat actors created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open-source legitimacy and increasing the likelihood of the harmful code being integrated into developer workflows. This is a tactic similar to the “GitVenom” campaign, where fake GitHub repositories were used to distribute malware.
  • Collectively, these six packages have been downloaded over 330 times.
  • The Socket Team has reported these packages and the associated GitHub repositories to GitHub, requesting their removal.
  • Lazarus activities extend beyond npm attacks, as they have also been observed using sophisticated LinkedIn recruiting scams to deliver malware and capture credentials from targeted organisations.

While definitively attributing this specific attack to Lazarus can be challenging, the strong alignment in TTPs and their established history of targeting the cryptocurrency sector strongly suggests their involvement. This incident highlights the ongoing threat posed by state-sponsored hacking groups to the software development and cryptocurrency communities.
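The typosquatting pattern above (a familiar name padded with a plausible suffix, or a near-misspelling of a popular package) can be screened for before `npm install`. The following is an added example, not code from the Socket report or the original post; the `KNOWN` set is a constructed stand-in for an organisation's own approved-package list, and the suffix list and similarity threshold are heuristics chosen here.

```python
# Added example, not from the Socket report or the original post: a pre-install
# screen that flags dependency names resembling a well-known package. KNOWN is a
# constructed stand-in for an organisation's approved-package list.
from difflib import SequenceMatcher

KNOWN = {"is-buffer", "react", "react-dom", "express", "lodash", "validator",
         "array-flatten", "event-emitter", "auth0"}
# Generic suffixes bolted onto a familiar name to make a package look plausible.
PADDING = ("-validator", "-package", "-dependency", "-helper", "-utils")


def strip_padding(name: str) -> str:
    for suffix in PADDING:
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def lookalike_reasons(name: str, known=KNOWN) -> list:
    """Return the reasons a package name looks like a typosquat (empty if clean)."""
    if name in known:
        return []
    core = strip_padding(name)
    reasons = []
    for k in known:
        # "is-buffer-validator" -> core "is-buffer" is exactly a known package
        if core == k or core.startswith(k + "-") or core.endswith("-" + k):
            reasons.append(f"built on known name {k!r}")
        # "expres" is one edit away from "express"
        elif SequenceMatcher(None, core, k).ratio() >= 0.85:
            reasons.append(f"near-duplicate of {k!r}")
    if core != name and not reasons:
        reasons.append(f"generic padding suffix on unknown name {core!r}")
    return reasons


def screen_dependencies(package_json: dict, known=KNOWN) -> dict:
    """Map each flagged dependency of a parsed package.json to its reasons."""
    deps = {**package_json.get("dependencies", {}),
            **package_json.get("devDependencies", {})}
    return {n: r for n in deps if (r := lookalike_reasons(n, known))}


if __name__ == "__main__":
    # Constructed package.json mixing genuine names with the ones named above.
    sample = {"dependencies": {"react": "^18.2.0", "lodash": "^4.17.21",
                               "is-buffer-validator": "1.0.0",
                               "react-event-dependency": "1.0.0",
                               "auth-validator": "1.0.0", "expres": "4.0.0"}}
    for name, why in screen_dependencies(sample).items():
        print(name, "->", "; ".join(why))
```

A hit is a prompt to inspect the package (publisher, download count, linked repository), not proof of malice; genuine scoped forks will also trip the prefix rule.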

Crypto Trader Loses 98% of Value in Sandwich Attack

A cryptocurrency trader attempting a stablecoin swap of approximately $220,764 worth of USD Coin (USDC) on Uniswap v3’s USDC-USDT liquidity pool lost nearly 98% of the value, around $215,500. An MEV bot front-ran the transaction by temporarily removing USDC liquidity and then replacing it after the victim’s trade. The attacker tipped the Ethereum block builder “bob-the-builder.eth” $200,000 from the swap and kept $8,000 in profit.

DeFi researcher “DeFiac” speculates that the same trader, using different wallets, may have fallen victim to a total of six sandwich attacks on the same day, with funds originating from the borrowing and lending protocol Aave. Two of the other identified attacks resulted in losses of $138,838 and $128,003.

Another report indicates that in total, the “unknown entity” swapped $732,583.429405 USDC for 18636.232611 USDT, suggesting a total loss of over $700,000 across these six swaps.

There is speculation that these “bad swaps” could potentially be part of a money laundering scheme.

It has been suggested that the trader might have inadvertently caused the severity of the attack by using a high slippage tolerance (potentially set to 100% via an older Uniswap router).

Mitigation Strategies for Users:

While DeFi platforms struggle to fully mitigate sandwich attacks due to the permissionless nature of blockchain transactions, users can take some precautions:

  • Set Low Slippage Tolerance: This can limit the price movement allowed for your transaction, reducing the potential profit for sandwich attackers.
  • Use MEV-Resistant Platforms: Some platforms are developing built-in protections against MEV strategies.
  • Stay Informed: Understanding trading mechanics and risks is crucial.

Sandwich attacks explained:

A sandwich attack is a type of Maximal Extractable Value (MEV) strategy that exploits the transparency of blockchain transactions on Decentralised Exchanges (DEXs) like Uniswap. It occurs when malicious bots, often referred to as MEV bots, identify a pending large transaction and place two of their own transactions around it. The bot’s first transaction is placed just before the victim’s transaction. This “front-running” pushes up the price of the asset being bought. The victim’s transaction then executes at this inflated price, resulting in them receiving less of the desired asset and experiencing artificial slippage. The bot’s second transaction is placed immediately after the victim’s transaction. This “back-running” sells the asset bought in the first transaction at the higher price caused by the victim’s purchase, allowing the bot to extract a profit.
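The following added example (not code from the original post) simulates the front-run / victim swap / back-run sequence described above on a toy constant-product (x*y = k), fee-free pool, and shows how the victim's slippage tolerance (the point made in the mitigation list) decides whether the sandwich succeeds. Uniswap v3's concentrated liquidity and the liquidity-removal variant used in the incident are not modelled; the reserves and trade sizes are constructed.

```python
# Added example, not from the original post: a toy constant-product (x*y = k),
# fee-free pool showing how a sandwich inflates the victim's price and how a
# slippage limit (min_out) caps the damage. Uniswap v3's concentrated liquidity
# and the liquidity-removal trick in the incident are not modelled.
from dataclasses import dataclass


@dataclass
class Pool:
    usdc: float  # reserve the victim sells into
    usdt: float  # reserve the victim buys from

    def quote_usdt_out(self, usdc_in: float) -> float:
        return self.usdt * usdc_in / (self.usdc + usdc_in)

    def swap_usdc_for_usdt(self, usdc_in: float, min_out: float = 0.0) -> float:
        """Reverts (raises) if the output falls below the caller's min_out."""
        out = self.quote_usdt_out(usdc_in)
        if out < min_out:
            raise ValueError("output below slippage limit, swap reverted")
        self.usdc += usdc_in
        self.usdt -= out
        return out

    def swap_usdt_for_usdc(self, usdt_in: float) -> float:
        out = self.usdc * usdt_in / (self.usdt + usdt_in)
        self.usdt += usdt_in
        self.usdc -= out
        return out


def sandwich(pool: Pool, victim_usdc: float, bot_usdc: float,
             slippage_tolerance: float) -> dict:
    """Front-run, victim swap, back-run. min_out comes from the quote the victim
    saw before the bot acted, so a tolerance of 1.0 (100%) means min_out = 0."""
    min_out = pool.quote_usdt_out(victim_usdc) * (1.0 - slippage_tolerance)
    bot_usdt = pool.swap_usdc_for_usdt(bot_usdc)              # front-run
    try:
        victim_out = pool.swap_usdc_for_usdt(victim_usdc, min_out)
    except ValueError:
        victim_out = None                                     # saved by min_out
    bot_usdc_back = pool.swap_usdt_for_usdc(bot_usdt)         # back-run
    return {"victim_usdt": victim_out, "bot_profit_usdc": bot_usdc_back - bot_usdc}


if __name__ == "__main__":
    # Constructed numbers: 1M/1M pool, 100k victim swap, 400k bot front-run.
    print(sandwich(Pool(1e6, 1e6), 1e5, 4e5, 1.0))   # victim ~47,619 USDT, bot +50,000
    print(sandwich(Pool(1e6, 1e6), 1e5, 4e5, 0.01))  # victim reverts, bot profit ~0
```

Unsandwiched, the same 100k swap would return about 90,909 USDT; with a 100% tolerance the victim accepts 47,619, while a 1% tolerance makes the trade revert and leaves the bot with nothing but its gas bill.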

That wraps up this week’s security updates. As always, staying vigilant and informed is crucial in an ever-evolving threat landscape. Whether you’re a developer, trader, or security enthusiast, proactive security measures can make all the difference. Stay safe, and see you next week for more updates on the latest threats and defenses in the crypto and cybersecurity world!

Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.

We specialize in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.

- Website: security.extropy.io

- Email: info@extropy.io

Get in touch today — let’s build safer smart contracts together!

Written by Extropy.IO

Oxford-based blockchain and zero knowledge consultancy and auditing firm