
Extropy Security Bytes: w20 2025

3 min read · May 29, 2025

Here’s a look at some of the security events that unfolded in the crypto space during the week of May 5th, 2025. These incidents highlight the ongoing need for robust security practices, both at the protocol level and for individual users.

LND.fi Protocol Suffers $1.2 Million Exploit via Access Control Vulnerability

On May 9, 2025, the Sonic-based DeFi lending protocol LND (LND.fi) experienced a security breach resulting in the loss of approximately $1.18 million to $1.27 million in user funds.

Technical Cause and Mechanism

The root cause of the incident was an access control vulnerability in the protocol’s smart contract code, introduced by a modification to the code, which is a fork of Aave. Specifically, the AToken and VariableDebtToken contracts carried a modified version of the onlyPool access control modifier. The alteration expanded the privileges of the Pool Admin role, allowing it to invoke functions that upstream restricts to the Pool contract itself.

The exploit was executed by an attacker who held the Pool Admin role. This individual, later identified as a DPRK IT worker, used these expanded privileges to call the transferUnderlyingTo function on the modified AToken contract. This enabled them to drain all assets from the protocol. Notably, the access control modification that facilitated this exploit had been present in the smart contract code for 41 days prior to the attack. The deployer (attacker) became the Pool Admin and initialised the modified contracts on March 29, 2025.

Response and Lessons Learned

Following the detection of the incident, LND took immediate action by freezing its website and revoking the privileges assigned to the compromised account. This incident serves as a significant reminder of the crucial need for strong off-chain security best practices in the DeFi space. The exploit highlighted how a compromised developer account with full control over a project’s deployment address could introduce malicious modifications to smart contracts. These modifications were publicly visible on-chain for over a month, emphasising the importance of continuous monitoring. Recommendations for preventing similar incidents include implementing robust private key security practices, such as using multi-sig or MPC wallets, and establishing stringent change management and monitoring processes for smart contracts.
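The two invariants this incident broke, written as monitoring rules over decoded transaction records, as an added example (not LND’s or Aave’s code): the Pool Admin role must stay with the expected account, and pool-only token functions must be called by the Pool contract. Addresses and records are constructed, and the pool-only function set assumes Aave v3’s AToken and VariableDebtToken.

```python
"""Monitoring rules for an Aave-style lending fork (added example).
Addresses and records below are constructed, not taken from the incident."""
from dataclasses import dataclass
from typing import List, Optional

POOL = "0xpool"                  # constructed: the Pool contract address
ALLOWED_ADMINS = {"0xmultisig"}  # constructed: the only account expected to hold Pool Admin

# Token functions gated by onlyPool in Aave v3 (set assumed from upstream sources).
POOL_ONLY = {
    "AToken": {"mint", "burn", "mintToTreasury", "transferOnLiquidation",
               "transferUnderlyingTo", "handleRepayment"},
    "VariableDebtToken": {"mint", "burn"},
}

@dataclass(frozen=True)
class Record:
    tx: str
    kind: str       # "call" (decoded external call) or "role" (ACL role grant)
    sender: str     # msg.sender of the call, or the grantee of the role
    target: str     # token contract name for calls, role name for grants
    function: str = ""

def check(rec: Record) -> Optional[str]:
    """Return an alert string if the record violates an invariant, else None."""
    if rec.kind == "call":
        if rec.function in POOL_ONLY.get(rec.target, set()) and rec.sender != POOL:
            return f"{rec.tx}: {rec.target}.{rec.function} called by {rec.sender}, not the Pool"
    elif rec.kind == "role" and rec.target == "POOL_ADMIN":
        if rec.sender not in ALLOWED_ADMINS:
            return f"{rec.tx}: POOL_ADMIN granted to unexpected account {rec.sender}"
    return None

def scan(records: List[Record]) -> List[str]:
    """Run every record through check() and keep the alerts."""
    return [alert for alert in map(check, records) if alert]

# Constructed sample: a normal supply flow, then a deployer taking the admin role
# and calling a pool-only function directly.
SAMPLE = [
    Record("tx1", "role", "0xmultisig", "POOL_ADMIN"),
    Record("tx2", "call", POOL, "AToken", "mint"),
    Record("tx3", "call", POOL, "AToken", "transferUnderlyingTo"),  # withdraw via Pool
    Record("tx4", "role", "0xdeployer", "POOL_ADMIN"),
    Record("tx5", "call", "0xdeployer", "AToken", "transferUnderlyingTo"),
    Record("tx6", "call", "0xuser", "AToken", "transfer"),  # plain ERC-20 transfer, not gated
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```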

Web3 User Loses $20k to Sophisticated Punycode Phishing Attack

On or around May 11, 2025, a Web3 user reportedly lost over $20,000 after interacting with a fake website designed to mimic the legitimate ChangeNOW platform. This incident underscores the increasing sophistication of phishing tactics targeting cryptocurrency users.

Attack Mechanism: Punycode Exploitation

The security firm SlowMist brought attention to this incident, highlighting it as a prime example of a Punycode attack. In this technique, attackers register domain names that appear nearly identical to legitimate ones by substituting visually similar characters from other scripts, which are then encoded in the address as Punycode. In this particular instance, the attackers used a Cyrillic ‘e’ character in the fake website address to deceive the victim into believing they were on the genuine ChangeNOW site. This level of subtlety makes such attacks incredibly difficult for the average user to detect.
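A homograph check of the kind described above, as an added example that is not part of the original post: it decodes Punycode labels, flags labels that mix scripts or consist of Cyrillic letters resembling Latin ones, and shows the ASCII form a user can compare against. The sample hostnames are constructed; the lookalike is not the domain used in the incident.

```python
"""Punycode / homograph check for hostnames (added example, not from the post).
Sample hostnames are constructed; the lookalike is not the one from the incident."""
import unicodedata

# Cyrillic letters that render like Latin letters (а е о р с у х і ј ѕ һ); not exhaustive.
CONFUSABLES = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456\u0458\u0455\u04bb", "aeopcyxijsh")

def to_unicode(host: str) -> str:
    """Decode any xn-- (Punycode) labels; leave Unicode hostnames unchanged."""
    return host.encode("ascii").decode("idna") if host.isascii() else host

def to_ascii(host: str) -> str:
    """The ASCII form, which exposes non-ASCII letters as xn-- labels."""
    return host.encode("idna").decode("ascii")

def scripts_of(label: str) -> set:
    """Scripts of the letters in a label, from the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def skeleton(label: str) -> str:
    """Replace confusable Cyrillic letters with the Latin letters they resemble."""
    return label.translate(CONFUSABLES)

def homograph_report(host: str) -> dict:
    """Flag labels that mix scripts or contain letters that merely look Latin."""
    uni = to_unicode(host).lower()
    findings = []
    for label in uni.split("."):
        scripts = scripts_of(label)
        if len(scripts) > 1:
            findings.append(f"{label!r}: mixed scripts {sorted(scripts)}")
        elif skeleton(label) != label:
            findings.append(f"{label!r}: non-Latin letters resembling {skeleton(label)!r}")
    return {"unicode": uni, "ascii": to_ascii(uni), "looks_like": skeleton(uni),
            "suspicious": bool(findings), "findings": findings}

SAMPLE_HOSTS = [
    "changenow.io",                # genuine spelling, all Latin
    "chang\u0435now.io",           # constructed lookalike: Cyrillic 'е' (U+0435) for 'e'
    "\u0440\u0430\u0443.example",  # constructed: whole-label Cyrillic 'рау' resembling 'pay'
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        r = homograph_report(h)
        print(r["ascii"], "->", r["unicode"], "| suspicious:", r["suspicious"], r["findings"])
```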

User Protection Measures

This incident stresses the urgent necessity for proactive user education regarding such evolving threats. To mitigate the risk of falling victim to such scams, users are strongly advised to be wary of generic browser recommendations. It is crucial to always verify the legitimacy of online accounts by meticulously checking factors like follower count, account age, and official verification badges. SlowMist particularly emphasises the importance of employing a multi-step verification strategy for all online interactions and remaining vigilant, trusting only thoroughly verified websites.

We hope this summary provides valuable insights into the recent security landscape. Staying informed about evolving threats and consistently applying robust security measures are key to navigating the dynamic world of web3 safely.

Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.

We specialize in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.

- Website: security.extropy.io

- Email: info@extropy.io

Get in touch today — let’s build safer smart contracts together!


Written by Extropy.IO

Oxford-based blockchain and zero knowledge consultancy and auditing firm
