Extropy Security Bytes: w35 2025
Welcome to week 35 of our security roundup.
This week reminded the crypto world that vulnerabilities aren’t always about coding mistakes; they’re about oversight, assumptions, and the human factor.
Across protocols, wallets, and even individual investors, billions were at risk, and millions were lost, all in plain sight. From DeFi reward systems gone rogue to the creeping regulatory surveillance threatening permissionless finance, it has been a cautionary tale of both technical fragility and the psychological blind spots of the ecosystem.
Here’s a breakdown of the most notable incidents, their mechanics, and the lessons they carry.
BetterBank: $5 Million Lost to Reward Logic Flaw
Six weeks after launching, BetterBank’s promise of “better” DeFi ended in disaster. The PulseChain lending protocol lost $5 million when an attacker exploited its bonus minting system. Fake liquidity pairs were created, infinite rewards harvested, and real assets drained, all while the team watched their “revolutionary” maths crumble.
The exploit itself wasn’t complicated.
BetterBank rewarded users with ESTEEM tokens for purchasing Favor.
The catch?
Legitimate trading was never properly defined.
Anyone could spin up a custom liquidity pool combining one legitimate token (FAVOR) with a worthless token under their control.
BetterBank’s system treated these trades as valid, printing bonus tokens like a broken ATM.
Tax penalties, which should have discouraged bulk swapping, applied only to official LPs. Homemade LPs? Zero taxes, maximum rewards, and a protocol death spiral.
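To make the reward asymmetry concrete, here is an added example (not BetterBank’s code) that models a “mint ESTEEM per FAVOR purchase” hook in two shapes: the unguarded one, where any pool earns rewards but only official pools pay tax, and a hardened one that only credits registered pools and computes the reward from the post-tax amount. The pool names, rates and amounts are constructed.

```python
# Added example, not BetterBank's code: a minimal model of a "mint ESTEEM per FAVOR
# purchase" hook in two shapes. Rates, pool names and amounts are constructed.
REWARD_BPS = 5_000            # 0.5 ESTEEM minted per FAVOR bought (constructed rate)
TAX_BPS = 500                 # 5% swap tax (constructed rate)
OFFICIAL_POOLS = {"FAVOR/pDAI"}   # pools the protocol deployed itself (constructed)

class PoolNotRegistered(Exception):
    pass

def reward_unguarded(pool: str, favor_bought: int) -> tuple[int, int]:
    """Vulnerable shape: every FAVOR purchase earns ESTEEM, but the tax is only
    charged when the trade went through an official pool. A homemade pool pays
    nothing and still mints. Returns (esteem_minted, tax_paid)."""
    tax = favor_bought * TAX_BPS // 10_000 if pool in OFFICIAL_POOLS else 0
    minted = favor_bought * REWARD_BPS // 10_000
    return minted, tax

def reward_hardened(pool: str, favor_bought: int) -> tuple[int, int]:
    """Hardened shape: trades from unregistered pools earn nothing at all, and the
    reward is derived from the post-tax amount so reward and tax cannot diverge."""
    if pool not in OFFICIAL_POOLS:
        raise PoolNotRegistered(pool)
    tax = favor_bought * TAX_BPS // 10_000
    minted = (favor_bought - tax) * REWARD_BPS // 10_000
    return minted, tax

def farm(reward_fn, pool: str, favor_per_cycle: int, cycles: int) -> tuple[int, int]:
    """Simulate repeated FAVOR purchases through `pool`. In a pool the buyer
    created, the counter-asset is worthless, so each cycle costs them nothing
    and the minted total is the protocol's loss."""
    minted = tax = 0
    for _ in range(cycles):
        m, t = reward_fn(pool, favor_per_cycle)
        minted += m
        tax += t
    return minted, tax

if __name__ == "__main__":
    print("unguarded, homemade pool:", farm(reward_unguarded, "FAVOR/JUNK", 1_000, 10))
    print("unguarded, official pool:", farm(reward_unguarded, "FAVOR/pDAI", 1_000, 10))
    try:
        farm(reward_hardened, "FAVOR/JUNK", 1_000, 10)
    except PoolNotRegistered as exc:
        print("hardened rejected pool:", exc)
    print("hardened, official pool: ", farm(reward_hardened, "FAVOR/pDAI", 1_000, 10))
```

The invariant an auditor would test here is that ESTEEM minted can never exceed what official-pool volume (and its tax) justifies; the unguarded shape violates it on the first homemade-pool cycle.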
The attack was methodical.
A previously inactive wallet was funded via Tornado Cash, and three custom smart contracts orchestrated the exploit.
Assets were converted to ETH, routed through Ethereum, and laundered via Tornado Cash.
Surprisingly, the attacker returned 550 million pDAI, an uncommon “gesture of goodwill” in the DeFi world.
Pre-launch audits by Zokyo had flagged the vulnerabilities, including flash loan exploits and the risk of bogus tokens.
BetterBank dismissed these warnings as low priority, citing mismatched test scenarios.
That decision turned a documented risk into a $5 million reality.
This isn’t just a story about a flawed protocol; it’s a lesson on miscommunication, overconfidence, and the gap between theoretical audits and real-world consequences.
The U.S. Treasury Eyes DeFi: Privacy Under Threat
While BetterBank was bleeding millions, regulators were quietly shaping the future of financial oversight.
In August, the U.S. Treasury released a Request for Comment that read like a compliance manual and a wrecking ball. Buried in bureaucratic language about “portable digital identity credentials” and “innovative compliance tools” was a roadmap for controlling DeFi.
Imagine smart contracts checking government credentials before executing trades, protocols scanning biometrics for approval, and KYC evolving from “Know Your Customer” to “Know Your Citizen.”
Treasury envisioned every DeFi interaction stamped with proof that participants were compliant Americans. Existing protocols already have the admin keys to enforce these controls: role-based access, whitelist mappings, and upgrade mechanisms make the jump from optional compliance to mandatory oversight trivial.
Compound Treasury, JPMorgan’s JPMD token, and USDC’s blacklist functions illustrate the power already in place.
Even zero-knowledge proofs, once seen as privacy saviors, are vulnerable. Proposals from a16z reveal “involuntary selective de-anonymisation,” letting gatekeepers and authorities de-anonymise wallets on demand.
Privacy becomes conditional, and decentralisation feels increasingly illusory. Two paths now diverge: compliance heaven, where DeFi is institutionalised and surveilled, or the great forking, where developers strip identity requirements, fragment liquidity, and force privacy-focused users underground.
Either way, financial sovereignty hangs in the balance.
Weekend Wallet Drains: $582,000 in Two Attacks
Even when individual protocols are sound, wallet-level attacks continue to wreak havoc. Over a single weekend, approximately $582,000 was stolen in two separate wallet drain incidents. $452,000 in stETH and $130,000 in SPX were siphoned through approvals that had earlier been granted to malicious contracts, allowing attackers to empty balances in rapid succession.
The pattern is familiar to security researchers: malicious approvals remain dormant until high-value assets appear. Then, in fast, coordinated pulls, the attacker drains the wallet. In this case, both attacks exploited standard ERC-20 approval mechanics, highlighting that even minor oversights in wallet management can result in significant losses.
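The dormant-approval pattern is easy to audit for. The following is an added example, not from the original post, that replays ERC-20 Approval event logs for one wallet, keeps only the latest allowance per token and spender, and flags allowances to spenders the user does not recognise (unlimited ones in particular). The addresses and log records are constructed; the event topic hash is the standard keccak256 of `Approval(address,address,uint256)`.

```python
# Added example, not from the original post: rebuild a wallet's outstanding ERC-20
# allowances from Approval logs and flag the ones a drainer would later use.
# All addresses and log records below are constructed, not real on-chain data.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic: str) -> str:
    """An indexed address topic is the 20-byte address left-padded to 32 bytes."""
    return "0x" + topic[-40:].lower()

def pad_topic(address: str) -> str:
    return "0x" + address[2:].lower().rjust(64, "0")

def outstanding_allowances(logs: list, owner: str) -> dict:
    """Replay Approval logs in chain order; each overwrites the previous value for
    the same (token, spender), so only the last one is the live allowance."""
    allowances = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0] != APPROVAL_TOPIC:
            continue
        if topic_to_address(log["topics"][1]) != owner.lower():
            continue
        spender = topic_to_address(log["topics"][2])
        allowances[(log["address"].lower(), spender)] = int(log["data"], 16)
    return {k: v for k, v in allowances.items() if v > 0}

def risky_allowances(allowances: dict, trusted_spenders: frozenset) -> list:
    """Any live allowance to a spender you did not knowingly trust is a dormant
    approval: it costs nothing until the wallet holds something worth draining."""
    return [{"token": token, "spender": spender, "unlimited": value == MAX_UINT256}
            for (token, spender), value in allowances.items()
            if spender not in trusted_spenders]

OWNER = "0x" + "11" * 20
ROUTER = "0x" + "22" * 20     # spender the user deliberately trusts (constructed)
DRAINER = "0x" + "33" * 20    # spender approved via a phishing prompt (constructed)
STETH = "0x" + "aa" * 20      # stand-in token addresses (constructed)
SPX = "0x" + "bb" * 20

def approval(token, block, idx, spender, value):
    return {"address": token, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad_topic(OWNER), pad_topic(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [
    approval(STETH, 100, 0, ROUTER, 10**18),        # bounded, to a known router
    approval(STETH, 205, 3, DRAINER, MAX_UINT256),  # unlimited, signed on a phishing site
    approval(SPX, 210, 1, DRAINER, MAX_UINT256),
    approval(SPX, 300, 2, DRAINER, 0),              # SPX approval later revoked
]

def audit(logs=SAMPLE_LOGS, owner=OWNER, trusted=frozenset({ROUTER})) -> list:
    return risky_allowances(outstanding_allowances(logs, owner), trusted)
```

Run against real logs, the same replay tells you which token contracts still need an `approve(spender, 0)` from the owner; the SPX entry above disappears because its revocation is the latest event.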
Uniswap Scam Exploiting Ethereum’s EIP-7702: $1 Million Gone
Ethereum’s EIP-7702, designed to improve user experience by enabling wallets to batch multiple transactions, sponsor gas, or set spending limits, became a vector for exploitation. In August, a crypto investor lost nearly $1 million when signing a batch of malicious transactions disguised as legitimate Uniswap swaps.
The scam relied on a simple user action: a phishing site prompted a wallet signature, and the investor clicked confirm. That single confirmation allowed attackers to drain five tokens from the wallet instantly.
The issue stems from the delegation mechanics of EIP-7702. Although delegations are technically revocable and network-specific, attackers have weaponized them with automated scripts that detect vulnerable wallets and drain funds. According to blockchain security firms, over 90% of EIP-7702 delegations were linked to malicious contracts in practice.
Security experts urge users to exercise caution: always verify domains, reject unclear signatures, and be wary of unlimited approvals or delegated contract upgrades. Even features designed to simplify blockchain interactions can become attack vectors if abused.
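A user or support team can verify where an account is delegated before trusting it. The following is an added example, not from the original post: it inspects the code stored at an externally owned account, recognises the EIP-7702 delegation designator (the prefix `0xef0100` followed by the 20-byte delegate address), and classifies the delegate against a user-maintained allowlist. The delegate addresses are constructed.

```python
# Added example, not from the original post: detect an EIP-7702 delegation on an
# account from its stored code and check the delegate against an allowlist.
DELEGATION_PREFIX = bytes.fromhex("ef0100")   # EIP-7702 designator prefix

def parse_delegation(code: bytes):
    """Return the delegate address if `code` is exactly a 7702 designator
    (3-byte prefix + 20-byte address), otherwise None. Empty code, ordinary
    contract bytecode and malformed prefixes are all 'not a delegation'."""
    if len(code) != len(DELEGATION_PREFIX) + 20 or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[3:].hex()

def assess_account(code_hex: str, trusted_delegates: frozenset) -> dict:
    """Classify an account as undelegated, delegated to a delegate the user opted
    into (e.g. a wallet vendor's batching contract), or delegated to something
    unknown, which is the state the drainer scripts in the post look for."""
    code = bytes.fromhex(code_hex.removeprefix("0x"))
    delegate = parse_delegation(code)
    if delegate is None:
        return {"delegated": False, "delegate": None, "status": "plain EOA or contract"}
    status = "trusted" if delegate in trusted_delegates else "UNKNOWN delegate, revoke"
    return {"delegated": True, "delegate": delegate, "status": status}

# Constructed sample delegates: one the user knowingly opted into, one unknown.
VENDOR_DELEGATE = "0x" + "aa" * 20
UNKNOWN_DELEGATE = "0x" + "bb" * 20
TRUSTED = frozenset({VENDOR_DELEGATE})

def designator(address: str) -> str:
    """Build the code an EOA holds after delegating to `address` (fixture only)."""
    return "0x" + DELEGATION_PREFIX.hex() + address[2:]

if __name__ == "__main__":
    samples = [("fresh EOA", "0x"),
               ("vendor delegation", designator(VENDOR_DELEGATE)),
               ("unknown delegation", designator(UNKNOWN_DELEGATE)),
               ("ordinary contract", "0x6080604052")]
    for label, code in samples:
        print(f"{label:20} -> {assess_account(code, TRUSTED)}")
```

Clearing a delegation requires the account holder to sign a fresh authorization pointing at the zero address; this check only reports the current state, it does not change it.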
$163 Million Lost in August: The Growing Scope of Hacks
The month wasn’t just about regulatory risk. Across the ecosystem, 16 crypto hacks drained over $163 million, a 15% increase from July. Losses ranged from individual Bitcoin holders to exchanges and Real-World Asset (RWA) tokenisation projects.
The five largest breaches illustrate the breadth of vulnerability: an individual Bitcoin holder lost $91.4 million in a social engineering scam; Turkey’s BtcTurk lost $48–54 million from hot wallets; ODIN•FUN suffered a $7 million loss; BetterBank.io $5 million; and CrediXFinance $4.5 million. Poor private key management, smart contract weaknesses, and operational risks combined to create lucrative attack vectors.
Organised attack groups exacerbate the threat. Alleged North Korean hackers reportedly stole $1.6 billion in the first half of 2025 alone, accounting for nearly 70% of global crypto losses. Beyond technical exploits, attackers used fake identities to infiltrate IT teams, gaining access to internal systems and software supply chains. The strategy reflects a systematic, long-term approach to illicit capital accumulation, blending on-chain and human-targeted attacks.
RWA tokenization, bridging off-chain assets to on-chain infrastructure, proved especially vulnerable. Certik reported $14.6 million in losses during the first half of 2025 alone. These projects illustrate that the more connections a protocol has beyond the chain, the greater the exposure.
Lessons Learned
These events underscore a simple but brutal truth: crypto security is as much about human judgment as it is about code. From BetterBank’s reward logic flaw to EIP-7702 scams, from wallet-level approvals to the creeping regulatory surveillance threatening DeFi, losses aren’t accidents; they’re the product of technical gaps and overlooked warnings.
Audits alone aren’t enough. BetterBank ignored pre-launch warnings, investors fell for phishing attacks, and users left approvals open to malicious contracts. Even features designed to simplify blockchain interactions, like EIP-7702 delegations, became attack vectors in the wrong hands. Regulatory tools, meanwhile, show how quickly financial privacy can erode when identity verification and admin privileges are misapplied or expanded.
The ecosystem must adapt on multiple fronts:
- Stronger custody and key management for individuals and institutions alike.
- Rigorous audits, red-teaming, and bug bounties to identify and fix vulnerabilities before they’re exploited.
- Careful governance and user awareness to prevent both technical oversights and the imposition of restrictive compliance measures.
- Security-conscious adoption of new protocol features, especially delegation mechanisms or automated approvals.
Last month’s events were harsh reminders that ignoring warnings, rushing confirmations, or assuming features are safe can have devastating consequences.
The attacks were real, the losses were real, and the lessons are clear:
In crypto, preparedness isn’t optional; it’s essential.
Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.
We specialise in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.
- Website: https://security.extropy.io
- Email: info@extropy.io
