Extropy Security Bytes: w18 2025
Week 18 of 2025 highlighted the dynamic security landscape within the DeFi and blockchain ecosystems, with Term Finance navigating a protocol upgrade challenge and the XRPL JavaScript library experiencing a targeted supply chain attack. These incidents underscore the importance of proactive security measures and timely responses in maintaining asset integrity and user trust across the space.
Term Finance Protocol Upgrade Leads to $1.6M Liquidation Event
Term Labs, the team behind a fixed-rate lending and borrowing protocol, experienced a significant incident due to a misconfigured protocol upgrade. This resulted in the liquidation of approximately $1.6 million worth of user positions, totalling 918 ETH.
Technical Cause: Misconfigured Price Oracle
The root cause of the liquidations was a poorly executed protocol upgrade that introduced a misconfigured ETH price oracle. The new oracle supplied inaccurate price data to the Term Finance system, which subsequently triggered automated liquidations of user positions. The Term Finance team has characterised this as an oversight during the upgrade process rather than a direct smart contract exploit or user-targeted attack.
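A defensive pattern for the failure described above, as an added JavaScript example that is not Term Finance's code: the page does not say how the oracle was misconfigured, so the guard treats any reading that is stale, non-positive, far from the last accepted price, or in disagreement with a second feed as untrusted and pauses liquidations instead of acting on it. The thresholds, the feed shape and the position model are assumptions.

```javascript
// Added example, not Term Finance code: validate an ETH price reading before any
// liquidation is allowed to run. Thresholds and the feed shape are assumptions.
const MAX_STALENESS_SEC = 3600;     // ignore readings older than one hour
const MAX_DEVIATION_BPS = 1000;     // reject a move of more than 10% from the last accepted price
const MAX_FEED_DISAGREE_BPS = 300;  // reject if primary and secondary feeds differ by more than 3%

// Relative difference between two positive prices, in basis points.
function bpsDiff(a, b) {
  return (Math.abs(a - b) * 10000) / Math.max(a, b);
}

// A reading is { price, updatedAt } (seconds). Returns { ok: true, price } or
// { ok: false, reason }. A failed check must pause liquidations, never fall back
// to the untrusted value, since a bad feed is exactly what liquidated users here.
function validateEthPrice(primary, secondary, lastAcceptedPrice, nowSec) {
  if (!(primary.price > 0)) return { ok: false, reason: 'non-positive price' };
  if (nowSec - primary.updatedAt > MAX_STALENESS_SEC) return { ok: false, reason: 'stale reading' };
  if (lastAcceptedPrice > 0 && bpsDiff(primary.price, lastAcceptedPrice) > MAX_DEVIATION_BPS) {
    return { ok: false, reason: 'deviation from last accepted price' };
  }
  if (secondary && bpsDiff(primary.price, secondary.price) > MAX_FEED_DISAGREE_BPS) {
    return { ok: false, reason: 'primary and secondary feeds disagree' };
  }
  return { ok: true, price: primary.price };
}

// Position: collateral in ETH, debt in USD, liquidatable when collateral value
// falls below debt * liquidationRatio. The guard runs first.
function liquidationDecision(position, primary, secondary, lastAcceptedPrice, nowSec) {
  const check = validateEthPrice(primary, secondary, lastAcceptedPrice, nowSec);
  if (!check.ok) return { action: 'pause', reason: check.reason };
  const collateralUsd = position.collateralEth * check.price;
  const liquidatable = collateralUsd < position.debtUsd * position.liquidationRatio;
  return { action: liquidatable ? 'liquidate' : 'none', collateralUsd };
}

// Constructed scenario (assumption, not the actual Term Finance fault): a freshly
// wired feed returns 18 instead of about 1800, while the secondary feed and the
// last accepted price still say about 1800.
const now = 1700000000;
const healthyPosition = { collateralEth: 1, debtUsd: 1000, liquidationRatio: 1.5 };
const badPrimary = { price: 18, updatedAt: now - 30 };
const secondaryFeed = { price: 1805, updatedAt: now - 45 };

console.log(liquidationDecision(healthyPosition, badPrimary, secondaryFeed, 1800, now));
// Without the guard, 1 ETH valued at $18 would have looked deeply undercollateralised.
```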
Impact and Recovery Efforts:
The incorrect liquidations led to a substantial loss of 918 ETH. Following the incident, Term Finance initiated immediate recovery efforts and successfully retrieved 556 ETH. This recovery involved the internal seizure of 223.197 ETH (approximately $400,000) by the platform and the return of an additional 333 ETH (roughly $600,000) after negotiations. On-chain data indicates that the recovered funds were returned to the Term Finance smart contract address (0x8f0ea6dc39336edb3e538718c16df0308ea69a22), as evidenced by transactions 0x0ddf030a567809018358961930c4f4c279b80ec61c252bfa423546863f7a2327, 0x8da015d7c362a082fd23736b08dc17d3a9794086b713590273c9535a4c47a7e2, and 0xaa10cc076f27fcf7fc0b0a83ad170983e6791f5349d097ef4db0592a55d640483. In total, the team secured 695 wETH and commenced distribution to affected users.
The remaining unrecovered loss for Term Finance stands at 362.03 ETH, estimated to be around $650,000.
Response and Future Actions:
Term Finance publicly acknowledged the incident after it had received media coverage. The company has since announced its commitment to a thorough review of its oracle integration process to prevent similar occurrences in the future. The team has also indicated that users impacted by the erroneous liquidations may be eligible for further compensation, although a formal decision on this matter is pending.
Security Vulnerability in XRPL JavaScript Library (xrpl.js) on npm
A significant supply chain security incident has been identified affecting the XRP Ledger (XRPL) JavaScript library, xrpl.js, hosted on npmjs.com. Several compromised versions of the package were published, containing malicious code designed to steal users’ private keys.
Technical Cause:
The vulnerability stemmed from a phishing attack against a Ripple employee who contributed to maintaining the xrpl.js package. The attacker gained control of the employee’s npm credentials and subsequently used this access to publish malicious versions of the xrpl.js library directly to the npm registry, bypassing standard code review processes.
Attack Mechanism:
The attacker injected malicious code into specific functions within the compromised xrpl.js versions (4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2), notably generate(algorithm = DEFAULT_ALGORITHM) and fromRFC1751Mnemonic(mnemonic, opts). The injected code included a function named checkValidityOfSeed. When an application using a compromised version executed these code paths, checkValidityOfSeed transmitted the secret key material needed to assemble XRPL private keys to a server under the attacker’s control. A further indicator of tampering was the removal of development tooling entries from the package.json file in the affected versions.
Impact:
This vulnerability did not impact the core XRP Ledger network. However, any software that integrated the compromised versions of the xrpl.js library was at risk. Users who installed these infected versions should consider their wallets compromised, as the malicious code could lead to the theft of their funds or digital assets through private key exfiltration. While no downstream effects had been reported at the time of discovery, the potential for significant harm was substantial.
Discovery and Response:
The malicious activity was detected by a security researcher at Aikido Security through their automated threat monitoring platform. Ripple and the XRPL Foundation were promptly notified on April 22nd, 2025, at 08:14 UTC. Immediate investigation and mitigation efforts were undertaken. The affected npm packages were quickly deprecated, and new, secure versions (4.2.5 and 2.14.3) were published, with users advised to avoid the compromised releases. The compromised maintainer’s access was revoked, the phishing attack root cause was identified and addressed, and two-factor authentication (2FA) was enforced for all npmjs.com users within Ripple and the XRPL Foundation. The attacker’s malicious domain was reported. A CVE (CVE-2025-32965) with a high severity score of 9.3 was issued for the vulnerability. Advisory notifications were distributed through the xrpl-announce channel, and the XRPL Foundation removed the malicious versions from the npm registry. Ripple and the XRPL Foundation are implementing enhanced security measures for their release processes and collaborator access.
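An added example covering the Attack Mechanism and Discovery and Response sections above (not code from xrpl.js, Ripple or Aikido): a JavaScript check that audits an npm lockfile for the compromised xrpl versions named above, reports the patched release for each major line, and flags the injected checkValidityOfSeed identifier in package source. The lockfile and the source fragment are constructed samples; the lockfile field names follow npm's lockfileVersion 1 and 2/3 formats.

```javascript
// Added example, not xrpl.js project code: audit an npm lockfile for the compromised
// xrpl releases named in the advisory and scan package source for the injected identifier.
const COMPROMISED = new Set(['4.2.1', '4.2.2', '4.2.3', '4.2.4', '2.14.2']);
const FIXED_VERSION = { '4': '4.2.5', '2': '2.14.3' };   // patched release per major line

// Collect every xrpl entry in a lockfile that is pinned to a compromised version.
// Supports lockfileVersion 2/3 ("packages" keyed by install path) and
// lockfileVersion 1 ("dependencies" nested per package).
function findCompromisedXrpl(lockfile) {
  const hits = [];
  const record = (path, version) => {
    if (COMPROMISED.has(version)) {
      hits.push({ path, version, upgradeTo: FIXED_VERSION[version.split('.')[0]] });
    }
  };
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path.endsWith('node_modules/xrpl')) record(path, meta.version);
  }
  const walkV1 = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'xrpl') record(path, meta.version);
      walkV1(meta.dependencies, `${path}/`);   // transitive copies are nested here
    }
  };
  if (!lockfile.packages) walkV1(lockfile.dependencies, '');
  return hits;
}

// Secondary indicator from the advisory: a checkValidityOfSeed function in package source.
function hasInjectedSeedCheck(source) {
  return /\bcheckValidityOfSeed\s*\(/.test(source);
}

// Constructed sample lockfile (v3): a patched direct dependency and a compromised
// transitive copy pulled in by another library.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/xrpl': { version: '4.2.5' },
    'node_modules/wallet-helper/node_modules/xrpl': { version: '2.14.2' },
  },
};

// Constructed source fragment containing the injected identifier.
const sampleSource = 'function checkValidityOfSeed(seed) { /* body omitted */ }';

console.log(findCompromisedXrpl(sampleLock));
console.log(hasInjectedSeedCheck(sampleSource));
```

A transitive copy under another package's node_modules is not upgraded by bumping the direct dependency, which is why the audit reports the full install path.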
The incidents involving Term Finance and the XRPL JavaScript library illustrate how rapid response and transparent communication can effectively mitigate potential risks and reinforce user confidence. As the blockchain sector evolves, these examples emphasise the value of continuous security assessments, strong access controls, and collaborative efforts to safeguard both projects and their communities.
Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.
We specialise in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.
- Website: security.extropy.io
- Email: info@extropy.io
Get in touch today — let’s build safer smart contracts together!