
Extropy Security Bytes: W37 2025

6 min read · Sep 17, 2025

Welcome to week 37 of our security roundup.

The crypto ecosystem never slows down, and Week 37 was no exception. This week delivered another heavy dose of exploits, mismanagement, and new malware strains targeting digital assets.

From a precision bug draining millions out of liquidity pools, to fake job ads planting undetectable wallet-stealers, the stories reinforce one uncomfortable truth: crypto’s attack surface is getting bigger by the day.

Five major incidents dominated headlines this week. Let’s break them down.

Bunni Exploit — When Math Betrays You

Bunni’s downfall this week looked less like a hack and more like a cruel math joke. The protocol had been experimenting with its own custom Liquidity Distribution Function (LDF), aiming to optimize profits for liquidity providers beyond Uniswap’s standard design. But what was supposed to be an innovation turned into an $8.4 million hole in its treasury.

On September 1st, an attacker exploited rounding and precision issues inside Bunni’s rebalancing logic across Ethereum and Unichain. With nothing more than carefully sized trades (no flash loans, no oracle tricks), they triggered incorrect calculations in liquidity pool shares.

The result?

Each cycle allowed them to withdraw more tokens than they should, turning rounding errors into real money.
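To make the failure mode concrete, here is an added illustration (not Bunni’s LDF or any of its code) of how the rounding direction in share accounting decides whether deposit/redeem cycles can extract value, together with the kind of invariant a fuzzing campaign should have enforced; the pool numbers are constructed.

```python
# Added illustration, not Bunni's code: the rounding direction in share accounting
# decides whether repeated deposit/redeem cycles can leak value out of a pool.
import random
from dataclasses import dataclass


def div(a: int, b: int, up: bool) -> int:
    """Integer division rounding up (ceil) or down (floor); a, b >= 0."""
    return -(-a // b) if up else a // b


@dataclass
class Pool:
    assets: int  # tokens held by the pool
    shares: int  # LP shares outstanding


def deposit(pool: Pool, amount: int, favor_pool: bool) -> int:
    """Mint shares for `amount`; rounding down favours the LPs already in."""
    minted = amount if pool.shares == 0 else div(amount * pool.shares, pool.assets, up=not favor_pool)
    pool.assets += amount
    pool.shares += minted
    return minted


def redeem(pool: Pool, shares: int, favor_pool: bool) -> int:
    """Burn `shares` for tokens; rounding down favours the pool."""
    out = div(shares * pool.assets, pool.shares, up=not favor_pool)
    pool.assets -= out
    pool.shares -= shares
    return out


def deposit_redeem_cycles(cycles: int, amount: int, favor_pool: bool):
    """Deposit then immediately redeem, `cycles` times; returns (net gain, pool)."""
    pool = Pool(assets=1000, shares=7)  # constructed ratio so every step rounds
    spent = received = 0
    for _ in range(cycles):
        minted = deposit(pool, amount, favor_pool)
        spent += amount
        received += redeem(pool, minted, favor_pool)
    return received - spent, pool


def fuzz_share_price(favor_pool: bool, trials: int = 2000, seed: int = 1):
    """Fuzz invariant: value per share of the LPs who stay never drops."""
    rng = random.Random(seed)
    for _ in range(trials):
        amount = rng.randint(1, 500)
        _, pool = deposit_redeem_cycles(1, amount, favor_pool)
        if pool.assets * 7 < 1000 * pool.shares:  # ratio fell below 1000/7
            return amount, pool  # first violation found
    return None
```

With rounding in the user’s favour, three cycles of 200 tokens net the caller 160 tokens out of a 1000-token pool; with rounding against the user, the same cycles cost the caller 133 and the invariant holds for every fuzzed amount.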

Security firms quickly pieced the incident together.

BlockSec first spotted $2.3M stolen from Ethereum pools, and within hours, CertiK confirmed the same exploit was draining Unichain’s ETH/weETH pool.

By the time Bunni hit the panic button and paused contracts, $8.4M was already consolidated into attacker wallets.

Funds were bridged back to Ethereum in neat 100 ETH chunks, as if the thief was writing a laundering manual.

Audits had even flagged this possibility. Trail of Bits warned about arithmetic and rounding risks in January, and Cyfrin’s June audit cautioned Bunni not to scale until more fuzz testing was done.

Instead, the team ignored the warnings, scaling TVL from $2.4M to nearly $24M overnight. Predictably, the exact “complex bug” auditors warned about was what caused the collapse.

The lesson here is obvious: clever math without bulletproof testing is a time bomb. Bunni’s exploit wasn’t flashy, but it was devastating, proving once again that the smallest decimals can drain the biggest pools.

SwissBorg Hit for $41.5M Through Compromised API Keys

If Bunni’s mistake was self-inflicted, SwissBorg’s incident was a textbook case of third-party risk. On September 8th, attackers stole 192,600 SOL (worth $41.5M) from SwissBorg’s infrastructure after compromising API keys tied to Kiln, a staking-as-a-service provider.

The exploit showed how a single weak link in crypto’s service stack can bring down major players. With access to the API keys, the attackers bypassed normal protections, authorized withdrawals, and drained SwissBorg-controlled wallets.

SwissBorg acted quickly once the theft was spotted, but the damage was already done. To calm fears, the company reassured users that no customer funds were impacted, since the stolen assets belonged to SwissBorg itself. The firm pledged to cover the losses and continue operations without disruption.

Still, the case raises bigger questions. Staking and custody providers like Kiln are becoming essential infrastructure, yet they concentrate risk. If attackers compromise keys at this layer, protocols and platforms relying on them are all exposed.

The SwissBorg theft serves as a warning: the security of staking ecosystems depends not only on protocols but also on the vendors plugged into them.

npm Supply Chain Attack: $1K Clipper That Could’ve Been Worse

Just days before the SwissBorg theft, developers were dealing with a different threat vector: supply-chain manipulation. On September 7th, attackers pushed malicious updates to widely used npm packages including chalk, debug, and others, slipping in a crypto-clipper designed to hijack wallet addresses.

The malicious code swapped out crypto addresses in transactions across multiple chains including Ethereum and Solana in hopes of diverting funds. This kind of attack, though not new, is particularly dangerous because it piggybacks on trusted developer dependencies. Even experienced teams often fail to notice tampering until it’s too late.

Fortunately, this one was caught early. Only about $1,000 was successfully stolen, and package maintainers quickly rolled back updates and published security advisories. But the attempt shows how attackers are continuously probing developer ecosystems, waiting for moments of inattention to slip in malicious code.

As Web3 development becomes more interconnected, supply-chain risks like this will remain a top concern. All it takes is one poisoned dependency to compromise thousands of projects.

ModStealer Malware: Fake Jobs, Real Losses

As if developers weren’t already under siege, researchers uncovered a new cross-platform malware strain named ModStealer, which had been quietly active for nearly a month before detection.

Discovered on September 11th through a collaboration between Mosyle and 9to5Mac, ModStealer spreads via fake job recruiter ads targeting developers, a reminder that social engineering remains one of the most effective ways to breach security.

Once installed, the malware works on macOS, Windows, and Linux, stealing data from crypto wallets, credential files, and certificates.

What makes ModStealer especially concerning is its stealth. Written in NodeJS with heavy obfuscation, it evades traditional signature-based antivirus tools.

On macOS, it abuses Apple’s launchctl system to establish persistence, running silently in the background as a LaunchAgent. Data is funneled to a remote server in Finland, though infrastructure ties lead back to Germany, masking the attacker’s true location.

Mosyle’s analysis revealed ModStealer explicitly targets 56 different browser wallet extensions, including on Safari, to extract private keys. It can also capture clipboard data, take screenshots, and even execute remote code, effectively giving attackers full control of infected systems. Researchers believe it is being distributed as part of a Malware-as-a-Service (MaaS) operation, enabling even low-skilled criminals to deploy it.

While the attack hasn’t yet been linked to a large-scale crypto theft, its discovery highlights the evolving sophistication of malware campaigns aimed at digital assets. For developers and traders alike, the advice is clear: don’t trust random job offers, and don’t rely solely on antivirus software. Behavior-based defenses and strict operational hygiene are now non-negotiable.
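One behaviour-based check a defender can run is the following added example, not code from Mosyle or 9to5Mac: it triages LaunchAgent plists for the persistence pattern described above. The heuristics are generic (interpreter-launched payload, user-writable path, RunAtLoad/KeepAlive, a com.apple.* label outside the system folders), and the two sample plists are constructed, not ModStealer indicators.

```python
# Added hunting script, not from the Mosyle report: triage LaunchAgent plists for
# an interpreter-launched payload kept alive at login. Heuristics are generic.
import plistlib
from pathlib import Path

INTERPRETERS = {"node", "nodejs", "osascript", "bash", "sh", "zsh", "python", "python3"}
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")


def triage_launch_agent(plist_bytes: bytes, source: str = "<inline>") -> dict:
    """Score one plist: every heuristic that fires adds a reason."""
    try:
        pl = plistlib.loads(plist_bytes)
    except Exception as exc:  # a malformed plist in this folder is itself worth a look
        return {"source": source, "label": None, "score": 1, "reasons": [f"unparsable: {exc}"]}
    args = [str(a) for a in pl.get("ProgramArguments") or []]
    reasons = []
    if args and Path(args[0]).name.lower() in INTERPRETERS:
        reasons.append(f"interpreter-launched payload: {' '.join(args)}")
    if any(a.startswith(USER_WRITABLE) for a in args):
        reasons.append("runs code from a user-writable path")
    if pl.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    if pl.get("KeepAlive"):
        reasons.append("KeepAlive")
    if str(pl.get("Label", "")).startswith("com.apple."):  # Apple's agents live in /System/Library
        reasons.append("com.apple.* label outside /System/Library")
    return {"source": source, "label": pl.get("Label"), "score": len(reasons), "reasons": reasons}


def scan_launch_agents(dirs=None, min_score: int = 2) -> list:
    """Triage every plist in the user and local LaunchAgents folders."""
    dirs = dirs or [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]
    findings = []
    for d in dirs:
        for p in sorted(Path(d).glob("*.plist")) if Path(d).is_dir() else []:
            f = triage_launch_agent(p.read_bytes(), str(p))
            if f["score"] >= min_score:
                findings.append(f)
    return findings


# Constructed samples (not real indicators) for an offline run.
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.apple.sysupdater</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/node</string><string>/Users/dev/.cache/update.js</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.sync</string>
<key>ProgramArguments</key><array><string>/Applications/Sync.app/Contents/MacOS/sync</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
```

Run `scan_launch_agents()` on a workstation to list agents scoring at least 2; the constructed suspicious sample scores 5, the benign one 1.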

SSV Labs Slashing Scare — Mismanagement, Not a Hack

Finally, what looked like a major protocol breach turned out to be a case of sloppy validator management. On September 10th, rumours swirled that SSV Labs, a leading distributed validator technology provider, had been hacked after 40 Ethereum validators were slashed.

At first glance, the incident sparked fears of a systemic issue. But SSV Labs quickly published a post-mortem clarifying that their infrastructure remained uncompromised. Instead, the slashing came from Ankr, one of their operator partners, mishandling validator keys during a migration.

Logs revealed that Ankr accidentally ran the same keys on two separate systems, one inside SSV, one outside. This triggered double-signing, which automatically slashes validators under Ethereum’s consensus rules. In total, one small validator and a cluster of 39 were penalised.

While costly for Ankr, the incident had no impact on the protocol itself or on stakers using SSV. CEO Alon Muroch emphasised that this was an operational error, not a protocol bug. Still, the event underscored a critical truth: distributed validator technology only works if operators respect its requirements. Running keys outside the system defeats its protections.
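As an added example (not SSV’s or Ankr’s code), the following minimal EIP-3076-style slashing-protection check shows why a per-host signing history cannot prevent double signing once the same key runs on two hosts; epochs and roots are constructed.

```python
# Added example, not SSV's or Ankr's code: a minimal EIP-3076-style local
# slashing-protection check, and why it is blind when the same validator key
# is run on two hosts that each keep their own signing history.
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    source_epoch: int
    target_epoch: int
    signing_root: str  # constructed label standing in for the 32-byte root


def conflicts(a: Attestation, b: Attestation):
    """Reason the pair is slashable under the consensus rules, or None."""
    if a.target_epoch == b.target_epoch and a.signing_root != b.signing_root:
        return f"double vote at target epoch {a.target_epoch}"
    if a.source_epoch < b.source_epoch and a.target_epoch > b.target_epoch:
        return f"vote {a.source_epoch}->{a.target_epoch} surrounds {b.source_epoch}->{b.target_epoch}"
    if b.source_epoch < a.source_epoch and b.target_epoch > a.target_epoch:
        return f"vote {a.source_epoch}->{a.target_epoch} is surrounded by {b.source_epoch}->{b.target_epoch}"
    return None


class SlashingProtection:
    """Per-host history: only refuses what conflicts with what THIS host signed.
    Real clients add stricter min-source/min-target watermarks; omitted here."""

    def __init__(self):
        self.history = []

    def sign(self, att: Attestation):
        """Return None and record the vote, or the reason it was refused."""
        for prev in self.history:
            reason = conflicts(att, prev)
            if reason:
                return reason
        self.history.append(att)
        return None


def same_key_two_hosts():
    """Same key inside and outside the cluster (constructed epochs/roots)."""
    inside, outside = SlashingProtection(), SlashingProtection()
    att_in = Attestation(10, 11, "root-a")
    att_out = Attestation(10, 11, "root-b")  # different head view, same target
    local = (inside.sign(att_in), outside.sign(att_out))  # each host accepts
    return local, conflicts(att_in, att_out)  # the chain still sees a double vote
```

Both hosts accept their vote because neither history contains the other’s; the beacon chain compares all signatures from the key and slashes it.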

The scare also landed in a week where real hacks, from Nemo Protocol’s $2.59M loss to Bybit’s $1.5B breach, dominated headlines. Against that backdrop, the SSV incident served as a reminder that not every red flag signals a compromised protocol. Sometimes, the weakest link is simply bad operational hygiene.

Final Thoughts

Week 37 proved once again that crypto’s security landscape is as diverse as it is dangerous. From math errors in liquidity pools to API key compromises, from developer-targeted supply-chain attacks to socially engineered malware, the attack surface is sprawling in every direction. Even when the code is solid, human error in validator operations can cause losses.

The common thread across all these stories is trust: trust in math, in vendors, in developer tools, in job postings, and in operators. Each failure showed what happens when that trust is misplaced or misused. For projects and users alike, the message is blunt: security cannot be an afterthought.

As billions continue to flow through decentralised finance and staking protocols, the industry faces a stark choice: slow down and build securely, or race ahead and risk becoming the next cautionary tale.

Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.

We specialise in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.

- Website: security.extropy.io

- Email: info@extropy.io

Written by Extropy.IO

Oxford-based blockchain and zero knowledge consultancy and auditing firm
