Extropy Security Bytes: w16 2025
The past week has laid bare the ongoing security challenges facing the crypto ecosystem, with attackers targeting both DeFi infrastructure and individual users through diverse and increasingly sophisticated vectors. From backdoors embedded during contract deployment to oracle manipulation and open-source software supply chain abuse, these incidents illustrate the broad attack surface and high stakes in Web3. This report examines three notable security events — the ROAR staking exploit, the KiloEx DEX breach, and the GitVenom malware campaign — revealing how architectural flaws, inadequate access controls, and social engineering continue to drive major losses across the space.
ROAR Staking Contract Exploited via Backdoor for $780K Loss
Tracing the attacker's funds suggests the incident occurred on or after April 13, 2025 and affected the ROAR staking contract. The estimated loss is approximately $780,000; 493.1 ETH of the proceeds has been traced to Tornado Cash.
Root Cause: Malicious Backdoor in Smart Contract
The exploit did not rely on a coding mistake in the public functions: it rested on a backdoor that was already present in the R0ARStaking contract from the moment it was deployed.
Attack Breakdown:
- Storage Slot Manipulation: In the deployment transaction itself, the storage slot holding the staked balance (user.amount) of a chosen address was written directly, crediting that address with a stake that was never deposited. Because the write happened at contract creation rather than through the deposit path, it emitted no Deposit event and updated no pool-level accounting, which is why monitoring based on events or on calls to public functions would not have flagged it. A write placed in the constructor in this way is a deliberate backdoor, not an accident.
- Emergency Withdrawal Abuse: The attacker then called the contract's emergency withdrawal function. Such functions typically pay out user.amount without computing rewards and without checking that the pool's own accounting backs the figure, so the fabricated balance was honoured and the contract's entire token holdings were transferred out.
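The following Solidity is an added illustration written for this article; it is not the R0ARStaking source, which this report does not reproduce. It shows a MasterChef-style pool whose constructor plants exactly the kind of balance described above by computing the storage slot of userInfo[0][beneficiary].amount and writing it with sstore, alongside the emergency withdrawal as exploited and a hardened variant that checks the payout against pool-level accounting. The contract name, the constructor parameters beneficiary and planted, and the totalStaked mapping are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Illustrative MasterChef-style pool written for this article (NOT the
/// R0ARStaking code). The constructor plants a backdoor of the kind described
/// above: a direct storage write crediting `beneficiary` with a stake it never
/// deposited. `beneficiary` and `planted` are hypothetical constructor inputs.
contract BackdooredStaking {
    struct UserInfo { uint256 amount; uint256 rewardDebt; }

    IERC20 public immutable stakeToken;
    // pid => user => info (same shape as MasterChef's userInfo)
    mapping(uint256 => mapping(address => UserInfo)) public userInfo;
    // pid => sum of every amount credited through deposit()
    mapping(uint256 => uint256) public totalStaked;

    event Deposit(address indexed user, uint256 indexed pid, uint256 amount);
    event EmergencyWithdraw(address indexed user, uint256 indexed pid, uint256 amount);

    constructor(IERC20 _stakeToken, address beneficiary, uint256 planted) {
        stakeToken = _stakeToken;
        // --- BACKDOOR ---
        // Solidity stores userInfo[pid][user] at
        //   keccak256(abi.encode(user, keccak256(abi.encode(pid, userInfo.slot))))
        // and `amount` is member 0, so that slot IS user.amount. Writing it with
        // sstore emits no Deposit event, leaves totalStaked untouched, and never
        // mentions `userInfo[` in the source, so a grep for balance writes misses it.
        uint256 base;
        assembly { base := userInfo.slot }
        bytes32 inner = keccak256(abi.encode(uint256(0), base));
        bytes32 slot = keccak256(abi.encode(beneficiary, inner));
        assembly { sstore(slot, planted) }
    }

    function deposit(uint256 pid, uint256 amount) external {
        require(stakeToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        userInfo[pid][msg.sender].amount += amount;
        totalStaked[pid] += amount;
        emit Deposit(msg.sender, pid, amount);
    }

    /// As exploited: pays out whatever user.amount says, however it got there.
    function emergencyWithdraw(uint256 pid) external {
        UserInfo storage user = userInfo[pid][msg.sender];
        uint256 amount = user.amount;
        user.amount = 0;
        user.rewardDebt = 0;
        require(stakeToken.transfer(msg.sender, amount), "transfer failed");
        emit EmergencyWithdraw(msg.sender, pid, amount);
    }

    /// Hardened: a balance that never went through deposit() is not backed by
    /// totalStaked, so a planted balance larger than the real deposits reverts
    /// instead of silently draining the pool.
    function emergencyWithdrawChecked(uint256 pid) external {
        UserInfo storage user = userInfo[pid][msg.sender];
        uint256 amount = user.amount;
        require(amount <= totalStaked[pid], "amount exceeds pool accounting");
        totalStaked[pid] -= amount;
        user.amount = 0;
        user.rewardDebt = 0;
        require(stakeToken.transfer(msg.sender, amount), "transfer failed");
        emit EmergencyWithdraw(msg.sender, pid, amount);
    }
}
```

The accounting check in emergencyWithdrawChecked is defence in depth, not a cure: a planted balance no larger than genuine deposits would still pass it. The decisive control is to review the deployment transaction and constructor (or initializer) code as carefully as the runtime functions, and, immediately after deployment, to read the storage slots derived as above for the deployer and any other suspicious addresses and confirm they are zero, rather than relying on the absence of Deposit events.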
Attacker Address:
The attacker's address and its token transfers can be reviewed on Etherscan: https://etherscan.io/address/0x8149f77504007450711023cf0ec11bdd6348401f#tokentxns
Summary:
The ROAR exploit highlights a risk that source-level review of public functions alone does not catch: a backdoor planted at deployment. Because the balance was written straight into storage, it was visible in no event and reachable through no deposit call, and the emergency withdrawal function then paid out against it until the contract was empty. Audits therefore need to cover the deployment transaction and constructor code, and deployments should be followed by a check that on-chain storage matches the expected initial state (zero balances, expected owner and parameters), alongside rigorous auditing and secure development practices for the runtime code.
KiloEx DEX Suffers $7.5M Exploit Due to Price Oracle Vulnerability
On April 14, 2025, at approximately 18:53 UTC, the decentralised exchange (DEX) KiloEx experienced a significant security breach, resulting in the loss of roughly $7.5 million across the Base, opBNB, BSC, and Manta chains. The most substantial loss, amounting to $3.4 million, occurred on the Base network.
Root Cause Analysis:
The vulnerability was an access control flaw in the setPrices function of the project's KiloPriceFeed contract, which determined the caller through the trusted-forwarder (ERC-2771) pattern: when the call arrived from the project's MinimalForwarderContract, the sender was taken from the from address the forwarder appended to the calldata. The forwarder's execute function, however, did not verify the request signature or a nonce, so anyone could submit a request with an arbitrary from value and have it accepted as that address. The privileged price-setting role was therefore available to any caller.
Attack Vector:
The attacker’s methodology involved a sequence of carefully orchestrated steps:
- Funding via Tornado Cash: The attacker’s initial funding originated from Tornado Cash on April 13, 2025, obscuring their identity.
- MinimalForwarderContract Exploitation: The attack began with a call to the execute function of the MinimalForwarderContract. Because execute neither validated the signature nor checked a nonce, the attacker could supply a meaningless signature together with a from address of their choosing.
- Circumventing Access Controls: The forwarder relayed the request to the target with that from address appended, and the call chain ended in the setPrices function of the KiloPriceFeed contract, whose access check trusted the forwarder-supplied sender.
- Price Oracle Manipulation: With setPrices under their control, the attacker set artificially high and low prices for various tokens.
- Value Extraction: Trading against KiloEx's vaults at prices the attacker had set, rather than at market prices, drained value from the protocol across the affected chains.
- Multi-Chain Exploitation: The attacker successfully executed this exploit pattern on both the Base and BSC chains, with similar attacks occurring on opBNB and Manta.
- Fund Laundering via Bridging: The stolen funds were subsequently routed through various bridging protocols, including zkBridge, deBridge, and Meson, likely in an attempt to obscure their movement and destination.
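As an added example for this article (not KiloEx's code, which this report does not reproduce), the Solidity below sketches the trusted-forwarder pattern at the centre of the incident: a price feed whose setPrices check reads the sender from the last 20 bytes of calldata when the call comes from its forwarder, a forwarder that relays whatever from it is handed, and a fixed forwarder that requires an EIP-712 signature from from and a matching nonce, following the structure of OpenZeppelin's MinimalForwarder. The contract names, the keeper role, and the EIP-712 domain values are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative ERC-2771-style recipient written for this article (NOT KiloEx's
/// code). It trusts `forwarder` to append the real sender as the last 20 bytes of
/// calldata, so its access control is only as strong as the forwarder's checks.
contract PriceFeed {
    address public immutable forwarder;
    address public immutable keeper; // the only account allowed to post prices
    mapping(address => uint256) public prices; // token => price

    constructor(address _forwarder, address _keeper) {
        forwarder = _forwarder;
        keeper = _keeper;
    }

    function _msgSender() internal view returns (address sender) {
        if (msg.sender == forwarder && msg.data.length >= 20) {
            // ERC-2771: the forwarder appended the original sender to the calldata
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        } else {
            sender = msg.sender;
        }
    }

    function setPrices(address[] calldata tokens, uint256[] calldata newPrices) external {
        require(_msgSender() == keeper, "not keeper");
        require(tokens.length == newPrices.length, "length mismatch");
        for (uint256 i = 0; i < tokens.length; i++) prices[tokens[i]] = newPrices[i];
    }
}

struct ForwardRequest {
    address from; address to; uint256 value; uint256 gas; uint256 nonce; bytes data;
}

/// VULNERABLE: ignores the signature and keeps no nonce, so the caller chooses
/// `from` freely. A request with from = keeper and data = setPrices(...) succeeds.
contract UnverifiedForwarder {
    function execute(ForwardRequest calldata req, bytes calldata)
        external payable returns (bool ok, bytes memory ret)
    {
        (ok, ret) = req.to.call{gas: req.gas, value: req.value}(abi.encodePacked(req.data, req.from));
    }
}

/// FIXED: the request must carry an EIP-712 signature from `from` over every
/// field, including the nonce, which is consumed before the call is relayed.
contract VerifiedForwarder {
    bytes32 private constant TYPEHASH = keccak256(
        "ForwardRequest(address from,address to,uint256 value,uint256 gas,uint256 nonce,bytes data)"
    );
    bytes32 private immutable DOMAIN_SEPARATOR;
    mapping(address => uint256) public nonces;

    constructor() {
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("VerifiedForwarder"), keccak256("1"), block.chainid, address(this)
        ));
    }

    function verify(ForwardRequest calldata req, bytes calldata sig) public view returns (bool) {
        if (sig.length != 65) return false;
        bytes32 r; bytes32 s; uint8 v;
        assembly {
            r := calldataload(sig.offset)
            s := calldataload(add(sig.offset, 32))
            v := byte(0, calldataload(add(sig.offset, 64)))
        }
        // Reject malleable (high-s) signatures and non-canonical v values.
        if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) return false;
        if (v != 27 && v != 28) return false;
        bytes32 structHash = keccak256(abi.encode(
            TYPEHASH, req.from, req.to, req.value, req.gas, req.nonce, keccak256(req.data)
        ));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
        address signer = ecrecover(digest, v, r, s); // address(0) on failure
        return signer != address(0) && signer == req.from && nonces[req.from] == req.nonce;
    }

    function execute(ForwardRequest calldata req, bytes calldata sig)
        external payable returns (bool ok, bytes memory ret)
    {
        require(verify(req, sig), "bad signature or nonce");
        nonces[req.from] = req.nonce + 1; // consume the nonce before relaying: no replay
        (ok, ret) = req.to.call{gas: req.gas, value: req.value}(abi.encodePacked(req.data, req.from));
    }
}
```

Two points for reviewers follow from this. A recipient that trusts a forwarder has delegated its authentication to that forwarder entirely, so the forwarder's verify and nonce handling are part of the access-control surface and must be audited as such. And a feed that accepts any price from its keeper still needs sanity bounds (maximum deviation per update, staleness checks) so that a compromised or impersonated keeper cannot move prices arbitrarily in a single call.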
Key Takeaways:
- Price Oracle Security is Paramount: The KiloEx hack underscores the critical importance of rigorously securing access to price oracles. Insufficient access controls can create a direct pathway for devastating price manipulation attacks.
- Forwarder Verification is Access Control: A meta-transaction forwarder that relays any from address without checking a signature and a nonce turns every sender-based permission check behind it into no check at all. Signature recovery, nonce consumption and strict request validation in user-facing forwarders are therefore essential, and the missing checks in the MinimalForwarderContract were the key enabler of this incident.
- Importance of Security Audits: This event highlights the indispensable role of thorough security audits in identifying and mitigating potential vulnerabilities before they can be exploited in a live environment.
- Leverage Amplifies Risk: The use of leveraged positions within DEXs can significantly amplify the impact of price manipulation attacks, leading to more substantial losses for liquidity providers.
Response and Mitigation Efforts:
Following the discovery of the exploit, KiloEx publicly offered a $750,000 bounty for the return of the stolen funds, promising not to pursue legal action if 90% of the assets were recovered.
“GitVenom” Campaign on SourceForge Distributes Crypto-Stealing Malware
Security researchers have uncovered an ongoing malware campaign, dubbed “GitVenom,” that has been active for at least two years and continues to target cryptocurrency users in the first quarter of 2025. Kaspersky has reported over 4,600 incidents during this period, highlighting the scale of this threat.
Attack Vector: Weaponised Software on a Trusted Platform
Cybercriminals are exploiting the open-source software platform SourceForge to distribute malware. They are uploading deceptive Microsoft Office installers that contain hidden malicious payloads.
Malware Capabilities:
These seemingly legitimate installers are bundled with dangerous malware, including:
- Crypto Miners: Software designed to secretly use the victim’s computer resources to mine cryptocurrencies for the attacker.
- Clipboard Hijackers (“Clippers”): Malware that monitors the system clipboard for copied cryptocurrency wallet addresses and replaces them with addresses controlled by the attackers, redirecting funds during transactions.
Technical Breakdown:
- Malicious Uploads: Attackers upload weaponised software disguised as genuine Office-related tools to SourceForge project pages.
- Deceptive Presentation: These project pages can appear legitimate, and their auto-generated subdomains have even been indexed by search engines, increasing their credibility.
- Silent Payload Delivery: The installers contain embedded scripts that silently download additional malicious files from GitHub and perform reconnaissance by scanning the system for antivirus software.
- Multi-Stage Installation: A small initial archive file (vinstaller.zip) expands into a larger installer that executes the malicious scripts.
- Clipboard Manipulation: The “clipper” component actively swaps copied cryptocurrency wallet addresses, posing a direct threat to user funds.
Impact on Crypto Users:
While the exact financial losses resulting from this campaign remain unclear, the capabilities of the distributed malware — crypto mining and clipboard hijacking — present a significant and direct risk to the cryptocurrency assets of affected users.
Geographic Distribution:
Kaspersky’s data indicates that in the first quarter of 2025, 90% of the identified victims were located in Russia. However, it is crucial to note that the campaign has a global reach, and users worldwide should be vigilant.
Mitigation Strategies:
To protect against this and similar threats, users are advised to:
- Code Review: Thoroughly analyse code before integrating it into existing projects, even from seemingly reputable sources.
- Endpoint Security: Employ robust malware protection on all devices, including computers and smartphones.
- Repository Scrutiny: Look past the README at the less obvious signals, and treat a recently created project, anonymous or single-purpose contributor accounts, and an implausible star count as red flags.
- Avoid Direct Downloads: Refrain from downloading files from direct links (GitHub, SourceForge or elsewhere) shared in chats, suspicious channels, or on unverified websites.
- Report Suspicious Activity: Promptly report suspicious repositories or projects to the hosting platform, whether SourceForge or GitHub.
Key Takeaway:
The “GitVenom” campaign highlights the concerning trend of attackers exploiting trusted open-source platforms like SourceForge to distribute malware on a large scale, effectively bypassing traditional security measures that users might rely on when interacting with such platforms. The use of sophisticated social engineering tactics, such as well-crafted (and potentially AI-generated) README files, further enhances the credibility of these fake projects.
Together, these incidents underscore the urgent need for holistic security practices across smart contract development, infrastructure governance, and user awareness. Whether through on-chain exploits or off-chain social engineering, attackers are actively probing every weak point in the crypto stack. Protocol developers must adopt secure coding standards, enforce rigorous access control, and conduct thorough audits, while users remain vigilant against deceptive downloads and too-good-to-be-true software. As Web3 matures, the industry must move beyond reactive responses toward proactive, layered security strategies to safeguard user trust and capital.
Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.
We specialize in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.
- Website: security.extropy.io
- Email: info@extropy.io
Get in touch today — let’s build safer smart contracts together!