Extropy Security Bytes: w38–39 2025
Welcome to our security roundup, where we track the latest threats shaping the web3 landscape.
The last two weeks in crypto security brought a wave of incidents spanning presale missteps, protocol exploits, phishing at scale, and a major exchange data leak.
From operational oversights that locked millions to hackers targeting one another, the common thread is clear: crypto’s attack surface is vast and constantly evolving.
GriffinAI Cross-Chain Minting Exploit — $3 Million Paid, Billions at Stake
Less than 24 hours after launching on Binance Alpha, GriffinAI’s tokenomics collapsed when an attacker exploited a compromised admin key to register a fake Ethereum contract as a trusted peer on the cross‑chain bridge.
The attacker deployed a decoy ERC-20 on Ethereum and used the compromised admin key to call the bridge's setPeer/trusted-remote function on BSC, registering the decoy as the trusted Ethereum counterpart. A crafted cross-chain message from that decoy then passed the bridge's only authenticity check; the destination contract interpreted it as a legitimate deposit and minted 5 billion unauthorised $GAIN tokens.
A small dump of ~2.8% (~$3M) wiped out 90% of the token price, while the remaining supply hung over the market like a Sword of Damocles; proceeds were laundered across chains using deBridge and mixers, leaving the bulk of the counterfeit tokens under attacker control.
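To make the trust assumption concrete, here is an added Python model, written for this roundup and not GriffinAI's or any real bridge's code, of a destination-chain endpoint. The naive version has exactly the property the attacker used: whoever holds the admin key can register any contract as the trusted peer, and a message from that peer mints without limit. The guarded version puts peer changes behind a 2-of-3 signer quorum and a timelock, and caps how much any peer can mint per window, so one stolen key is neither sufficient nor, on its own, catastrophic. Chain ids, addresses, the signer set, the timelock length and the cap are assumptions for the example.

```python
"""Trusted-peer registry of a cross-chain bridge endpoint, naive vs. guarded.

Added model for this roundup, not GriffinAI's or any real bridge's code. Chain ids,
addresses, the 2-of-3 signer set, the timelock length and the mint cap are assumptions.
"""
from collections import namedtuple

# A cross-chain message as the destination endpoint sees it.
Message = namedtuple("Message", "src_chain src_sender recipient amount")

class BridgeError(Exception):
    pass

class NaiveBridge:
    """One admin key, peer changes apply immediately, no limit on minting."""
    def __init__(self, admin):
        self.admin = admin
        self.peers = {}      # src_chain -> the single contract trusted on that chain
        self.minted = 0

    def set_peer(self, caller, chain_id, contract):
        if caller != self.admin:
            raise BridgeError("caller is not admin")
        self.peers[chain_id] = contract

    def receive(self, msg):
        # The only authenticity check: did the message come from the registered peer?
        if self.peers.get(msg.src_chain) != msg.src_sender:
            raise BridgeError("untrusted source contract")
        self.minted += msg.amount        # mint wrapped tokens to msg.recipient
        return msg.amount

class GuardedBridge:
    """Peer changes need M-of-N signers plus a timelock; inbound mints are capped per window."""
    def __init__(self, signers, threshold, delay, window, cap):
        self.signers, self.threshold = frozenset(signers), threshold
        self.delay, self.window, self.cap = delay, window, cap   # blocks, blocks, tokens per window
        self.peers, self.proposals = {}, {}   # proposals: (chain_id, contract) -> approvals / ready_at
        self.window_start = self.minted_in_window = self.minted = 0

    def approve_peer(self, signer, chain_id, contract, block):
        if signer not in self.signers:
            raise BridgeError("not a signer")
        p = self.proposals.setdefault((chain_id, contract), {"approvals": set(), "ready_at": None})
        p["approvals"].add(signer)
        if len(p["approvals"]) >= self.threshold and p["ready_at"] is None:
            p["ready_at"] = block + self.delay   # quorum reached: start the timelock
        return len(p["approvals"])

    def activate_peer(self, chain_id, contract, block):
        p = self.proposals.get((chain_id, contract))
        if p is None or p["ready_at"] is None:
            raise BridgeError("quorum not reached")
        if block < p["ready_at"]:
            raise BridgeError("timelock not expired")
        self.peers[chain_id] = contract
        del self.proposals[(chain_id, contract)]

    def receive(self, msg, block):
        if self.peers.get(msg.src_chain) != msg.src_sender:
            raise BridgeError("untrusted source contract")
        if block - self.window_start >= self.window:   # roll over to a new window
            self.window_start, self.minted_in_window = block, 0
        if self.minted_in_window + msg.amount > self.cap:
            raise BridgeError("mint cap exceeded; queue for manual review")
        self.minted_in_window += msg.amount
        self.minted += msg.amount
        return msg.amount

def replay_attack():
    """Run the peer-spoofing attack against both designs using one stolen key."""
    stolen_key, fake_peer = "0xSTOLEN_ADMIN", "0xDECOY_ERC20_ON_ETHEREUM"
    forged = Message(src_chain=1, src_sender=fake_peer, recipient="0xATTACKER", amount=5_000_000_000)
    naive = NaiveBridge(admin=stolen_key)
    naive.set_peer(stolen_key, 1, fake_peer)   # one call with the stolen key...
    naive.receive(forged)                      # ...and the forged deposit mints 5 billion
    guarded = GuardedBridge([stolen_key, "0xS2", "0xS3"], threshold=2, delay=100, window=1000, cap=10_000_000)
    guarded.approve_peer(stolen_key, 1, fake_peer, block=0)   # 1 of the 2 required approvals
    blocked = []
    for attempt in (lambda: guarded.activate_peer(1, fake_peer, block=500),
                    lambda: guarded.receive(forged, block=500)):
        try:
            attempt()
        except BridgeError as e:
            blocked.append(str(e))
    return naive.minted, guarded.minted, blocked

def rate_limit_demo():
    """Even a message from a genuinely trusted peer cannot exceed the per-window mint cap."""
    g = GuardedBridge(["0xS1", "0xS2", "0xS3"], threshold=2, delay=10, window=1000, cap=10_000_000)
    g.approve_peer("0xS1", 1, "0xREAL_PEER", block=0)
    g.approve_peer("0xS2", 1, "0xREAL_PEER", block=0)
    g.activate_peer(1, "0xREAL_PEER", block=10)
    accepted = g.receive(Message(1, "0xREAL_PEER", "0xUSER", 4_000_000), block=11)
    try:
        g.receive(Message(1, "0xREAL_PEER", "0xUSER", 7_000_000), block=12)   # would push the window to 11M
        rejected = False
    except BridgeError:
        rejected = True
    return accepted, rejected, g.minted
```

The point of the mint cap is the failure mode, not the number: if a forged message does get through, the damage is bounded by one window's cap and the oversized transfer is queued for review instead of minting, which is what turns "billions at stake" into a contained incident.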
Impact:
$GAIN’s price dropped over 90%, devastating holders and freezing expansion plans. This incident highlighted the fragility of cross-chain bridges, showing that even small admin misconfigurations can lead to massive inflation and token devaluation.
Lessons Learned:
- Cross-chain trust assumptions must be rigorously verified; fake peer nodes can bypass safeguards.
- Admin and bridge keys require stringent protection; phishing or social engineering can have exponential consequences.
- Transparency and timely communication with users can mitigate panic during multi-chain exploits.
The Bruce Lee Proxy Disaster and $20M POL Frozen Forever
In mid-September, Ethereum Security Telegram lit up with one of the strangest spectacles in recent memory: a user named Bruce Lee publicly begged for help after realising he had permanently frozen 77 million POL tokens worth $20 million in a botched presale contract upgrade.
The problem? The project deployed a proxy contract holding investor funds but failed to reinitialise it after an implementation change.
This wiped out admin privileges, leaving the contract in a state where tokens could no longer be withdrawn. What should have been a routine upgrade turned into an irreversible freeze, an expensive digital tomb where millions in tokens now sit untouched.
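The failure described above is reproducible in a few dozen lines. The following is an added toy model for this roundup, not the presale's actual contracts: a proxy whose storage outlives its implementation, a V1 whose access control reads an `admin` slot, and a V2 that moves access control to a new `owner` slot that only its reinitializer populates. Swapping the implementation without calling the reinitializer leaves `owner` unset, so every withdraw reverts, for the team included. The second half shows the standard countermeasure: an upgrade that runs the initializer in the same transaction and reverts the whole upgrade if a post-upgrade invariant fails. The storage layout, the `owner` variable and the invariant list are assumptions.

```python
"""Toy model of a proxy upgrade that forgets its reinitializer, beside an atomic upgrade that cannot.

Added illustration for this roundup, not the presale's real contracts. The storage layout,
the 'owner' slot that V2 introduces and the invariant list are assumptions.
"""

class Revert(Exception):
    pass

class Proxy:
    """Holds storage and the token balance; runs whichever implementation is installed against them."""
    def __init__(self, impl, balance):
        self.impl, self.balance = impl, balance
        self.storage = {"initialized": 0, "admin": None, "owner": None}

    def call(self, fn, sender, *args):
        # Like delegatecall: the implementation's code, the proxy's storage.
        return getattr(self.impl, fn)(self, sender, *args)

class PresaleV1:
    def initialize(self, proxy, sender, admin):
        if proxy.storage["initialized"] >= 1:
            raise Revert("already initialized")
        proxy.storage["initialized"], proxy.storage["admin"] = 1, admin

    def withdraw(self, proxy, sender, amount):
        if sender != proxy.storage["admin"]:
            raise Revert("not admin")
        proxy.balance -= amount
        return amount

class PresaleV2:
    """Moves access control to a new 'owner' slot that only the reinitializer populates."""
    def reinitialize(self, proxy, sender, owner):
        if proxy.storage["initialized"] >= 2:
            raise Revert("already initialized to v2")
        proxy.storage["initialized"], proxy.storage["owner"] = 2, owner

    def withdraw(self, proxy, sender, amount):
        if sender != proxy.storage["owner"]:   # None until reinitialize runs, so nobody matches
            raise Revert("not owner")
        proxy.balance -= amount
        return amount

def can_withdraw(proxy, who):
    try:
        proxy.call("withdraw", who, 0)
        return True
    except Revert:
        return False

def careless_upgrade():
    """Swap the implementation and forget the reinitializer: every caller is now 'not owner'."""
    p = Proxy(PresaleV1(), balance=77_000_000)
    p.call("initialize", "0xDEPLOYER", "0xTEAM")
    p.impl = PresaleV2()      # code changed, storage untouched, owner slot still empty
    return {who: can_withdraw(p, who) for who in ("0xTEAM", "0xDEPLOYER", "0xANYONE")}, p.balance

def upgrade_to_and_call(proxy, new_impl, init_fn, sender, init_args, invariants):
    """Install new_impl and run its initializer in one transaction; revert everything if an invariant fails."""
    snapshot = (proxy.impl, dict(proxy.storage), proxy.balance)
    try:
        proxy.impl = new_impl
        if init_fn is not None:
            proxy.call(init_fn, sender, *init_args)
        for name, check in invariants.items():
            if not check(proxy):
                raise Revert(f"post-upgrade invariant failed: {name}")
    except Revert:
        proxy.impl, proxy.storage, proxy.balance = snapshot   # the whole tx reverts, funds stay reachable
        raise

INVARIANTS = {
    "a privileged address is set": lambda p: p.storage["owner"] is not None,
    "the team can still withdraw": lambda p: can_withdraw(p, "0xTEAM"),
}

def careful_upgrade(forget_reinit=False):
    """Atomic upgrade; with forget_reinit=True the invariant check catches the mistake and rolls back."""
    p = Proxy(PresaleV1(), balance=77_000_000)
    p.call("initialize", "0xDEPLOYER", "0xTEAM")
    try:
        upgrade_to_and_call(p, PresaleV2(), None if forget_reinit else "reinitialize",
                            "0xTEAM", ("0xTEAM",), INVARIANTS)
        reverted = None
    except Revert as e:
        reverted = str(e)
    return type(p.impl).__name__, can_withdraw(p, "0xTEAM"), reverted
```

The two halves differ in one property: in the careless path the upgrade and the reinitialization are separate transactions, so the contract can exist in the half-upgraded state indefinitely; in the atomic path that state is unreachable, and a forgotten initializer fails loudly before funds are affected.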
Impact:
- $20M in liquidity effectively frozen, disrupting both investor expectations and the token’s early market momentum.
- Undermines confidence in presales as a fundraising mechanism, where trust in contract reliability is paramount.
Lessons Learned:
- Even “simple” token sale contracts demand rigorous auditing before launch.
- Operational errors can carry the same reputational weight as malicious exploits.
- Teams should build contingency plans for rapid remediation when presales go wrong.
New Gold Exploit: ~$2M Drained Through Price Manipulation
On September 17th, New Gold Protocol (NGP) collapsed almost as quickly as it launched. The project lost roughly $2 million in an exploit that showcased nearly every rookie mistake in DeFi contract design: a manipulable price feed, exploitable transfer logic, and no contingency plan.
The attacker flash-loaned $211 million, used it to manipulate the PancakeSwap pool that NGP’s getPrice() function relied on, and tricked the protocol into thinking tokens were worthless.
This bypassed the protocol's buy limits, allowing massive accumulation of NGP. Then came the real kill shot: the transfer function's "fee mechanism", intended to burn tokens, actually nuked the pool's reserves when tokens were sent to a whitelisted dead address.
In one transaction, the pool balance collapsed from 477,000 tokens to just 0.035.
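The price-feed part of this attack is easy to reproduce in a simulation. Below is an added Python model written for this roundup, not NGP's code: a constant-product pool, a protocol whose buy limit values each purchase at the pool's spot price, and a guarded oracle that returns a TWAP of per-block observations and reverts when the spot price has moved too far from it. The attack is modelled as dumping flash-loaned tokens into the pool to crush the spot price before an oversized buy in the same transaction; the direction of the manipulation, the reserve sizes, the borrowed amount, the buy cap, the TWAP window and the deviation bound are all assumptions.

```python
"""Constant-product pool, a buy limit priced off the pool's spot price, and a guarded oracle.

Added simulation for this roundup, not NGP's code. Reserve sizes, the per-buy cap, the
TWAP window, the deviation bound and the flash-loaned amount are assumptions; the AMM
maths and the manipulation pattern are generic.
"""

class OracleError(Exception):
    pass

class Pool:
    """x*y = k pair (token vs. a stable quote asset), like a PancakeSwap pool."""
    def __init__(self, token, quote):
        self.token, self.quote = token, quote

    def spot_price(self):                 # quote units per token, straight from reserves
        return self.quote / self.token

    def sell_token(self, amount_in):      # token in, quote out
        out = self.quote - self.token * self.quote / (self.token + amount_in)
        self.token += amount_in
        self.quote -= out
        return out

    def buy_token(self, quote_in):        # quote in, token out
        out = self.token - self.token * self.quote / (self.quote + quote_in)
        self.quote += quote_in
        self.token -= out
        return out

class SpotOracle:
    """getPrice() read from current reserves: anyone with enough capital moves it within one tx."""
    def __init__(self, pool):
        self.pool = pool

    def observe(self, block):
        pass

    def get_price(self, block):
        return self.pool.spot_price()

class GuardedOracle:
    """TWAP of one observation per block (taken before that block's trades) plus a spot deviation bound."""
    def __init__(self, pool, window, max_dev):
        self.pool, self.window, self.max_dev = pool, window, max_dev
        self.obs = []                     # (block, price), at most one per block

    def observe(self, block):
        if not self.obs or self.obs[-1][0] != block:
            self.obs.append((block, self.pool.spot_price()))

    def get_price(self, block):
        past = [p for b, p in self.obs if b < block][-self.window:]   # never the current block
        if len(past) < self.window:
            raise OracleError("insufficient price history")
        twap = sum(past) / len(past)
        spot = self.pool.spot_price()
        if abs(spot - twap) / twap > self.max_dev:
            raise OracleError(f"spot {spot:.6f} deviates from TWAP {twap:.4f}")
        return twap

MAX_BUY_QUOTE = 5_000    # assumed per-transaction buy cap, denominated in quote units

def buy_allowed(oracle, block, token_amount):
    """The protocol's buy limit: the token amount valued at the oracle price must stay under the cap."""
    return token_amount * oracle.get_price(block) <= MAX_BUY_QUOTE

def simulate(make_oracle, attack=True):
    """Ten quiet blocks of small buys, then (optionally) a flash-loan dump followed by an oversized buy."""
    pool = Pool(token=477_000, quote=2_000_000)   # about 4.19 quote per token
    oracle = make_oracle(pool)
    for block in range(1, 11):
        oracle.observe(block)
        pool.buy_token(100)
    block = 11
    oracle.observe(block)
    price_before = pool.spot_price()
    if attack:
        pool.sell_token(50_000_000)   # flash-loaned tokens dumped in the same tx as the buy below
    price_now = pool.spot_price()
    try:
        verdict = "allowed" if buy_allowed(oracle, block, 1_000_000) else "rejected by buy limit"
    except OracleError as e:
        verdict = f"reverted: {e}"
    return price_before, price_now, verdict
```

Within one transaction the TWAP cannot move, because every observation it averages was taken in an earlier block, so the manipulated spot price fails the deviation check and the buy reverts instead of being valued at near zero. The same one-million-token buy is rejected by the limit at the honest price under both oracles; only the spot oracle lets it through once the pool has been pushed.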
Security firms like Blockaid, PeckShield, and CertiK confirmed the exploit, while NGP’s official channels went silent.
Even 24 hours later, the team hadn’t acknowledged the attack, continuing to promote their roadmap as if $2 million hadn’t just evaporated.
Impact:
- Roughly $2M drained, leaving liquidity providers exposed.
- Oracle manipulation remains one of the most persistent vulnerabilities across DeFi.
Lessons Learned:
- Oracle design must include safeguards against rapid, single-source price manipulation.
- Protocols should deploy real-time anomaly detection to identify suspicious collateral changes.
- Over-reliance on automation without monitoring creates exploitable blind spots.
UXLINK Hack and Hacker’s Phishing Loss
In a twist of poetic justice, the attacker who exploited UXLINK in late September became a victim of crime himself.
After minting and dumping billions of UXLINK tokens worth tens of millions, the hacker reportedly lost 542 million UXLINK tokens (~$50M) to a phishing scheme.
The phishing attack bore the hallmarks of Inferno Drainer, a "draining-as-a-service" group notorious for selling phishing kits and fake websites. According to SlowMist's Yu Xian, the attacker fell for the same authorization trap he had used against UXLINK: approving malicious signatures that handed over his tokens.
The irony was rich, but the underlying tragedy remained: UXLINK’s own community had already suffered.
The original breach (Sept. 22) used a delegateCall exploit to strip admin rights and steal $4M in USDT, $500K in USDC, 3.7 BTC, and 25 ETH, with later minting inflating the token supply to oblivion.
The attacker walked away with 6,732 ETH (~$28M) before falling victim himself.
Impact:
- UXLINK investors lost tens of millions as token inflation and dumping obliterated market value.
- Exchanges scrambled to freeze stolen funds, while the team announced a token swap plan to salvage the ecosystem.
- The hacker’s downfall showed that even criminals are vulnerable to the same phishing tactics they exploit.
Lessons Learned:
- Unrestricted delegatecall remains a nuclear-level vulnerability: one misuse can instantly hand control of a contract to an attacker.
- Token swap plans may help communities recover but cannot fully restore trust.
- Hackers are not immune: phishing is the great equalizer in crypto crime. If you sign the wrong message, you’re just another victim.
Crypto Whale Loses $6M in Permit-Based Phishing Scam
A large-scale phishing campaign claimed a high-profile victim on Sept. 18, when a crypto whale lost $6.28M in stETH and aEthWBTC. The attack abused "Permit" signatures (EIP-2612 style), which let a token holder grant an allowance with an off-chain signature instead of an on-chain approve() transaction, to trick the victim into authorizing the attacker's fund movements without ever paying gas.
The victim was tricked into thinking they were approving harmless wallet confirmations. In reality, they signed off-chain permits that allowed attackers to drain tokens via transferFrom(). Because the approval process required no gas fees, nothing looked suspicious until it was too late.
According to Scam Sniffer, phishing losses in August alone hit $12.17M across 15,200 victims, with EIP-7702 batch-signature scams contributing heavily. This whale joined a growing list of victims who didn’t lose funds to faulty contracts or failed protocols, but to deceptive wallet prompts.
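What a wallet sees in these cases is an EIP-712 typed-data request, and most of the warning signs are visible in it before anything is signed. The following is an added example for this roundup, not code from any wallet or from the incidents above: a small checker for EIP-2612 `Permit` and Uniswap Permit2 `PermitSingle` requests that flags an unknown spender, an unlimited (or over-balance) allowance and a far-off deadline, the same traps that caught the whale here and, per SlowMist, the UXLINK attacker in the previous section. The known-spender list and both sample payloads are constructed; every address in them is a placeholder.

```python
"""Red-flag checks a wallet could run on an EIP-712 permit request before showing the signing prompt.

Added example for this roundup, not code from any wallet. The known-spender list and the
sample payloads are constructed; the addresses are placeholders, not real contracts.
Handles EIP-2612 Permit and Uniswap Permit2 PermitSingle, the two shapes drainers use most.
"""
import json

# Assumed allowlist: spenders this wallet has already seen the user interact with on-chain.
KNOWN_SPENDERS = {"0x1111111111111111111111111111111111111111": "familiar DEX router (placeholder)"}
UNLIMITED = 2**160 - 1           # Permit2 amounts are uint160; an EIP-2612 uint256 max also exceeds this
LONG_DEADLINE = 30 * 24 * 3600   # anything further out than this deserves a warning

def to_int(v):
    """Typed-data numbers arrive as decimal strings, hex strings or plain ints."""
    return int(v, 0) if isinstance(v, str) else int(v)

def extract_grant(typed):
    """Return (spender, amount, deadline) for the two permit shapes, or None for other typed data."""
    msg, ptype = typed["message"], typed["primaryType"]
    if ptype == "Permit":         # EIP-2612: Permit(owner, spender, value, nonce, deadline)
        return msg["spender"], to_int(msg["value"]), to_int(msg["deadline"])
    if ptype == "PermitSingle":   # Permit2: details{token, amount, expiration, nonce}, spender, sigDeadline
        d = msg["details"]
        return msg["spender"], to_int(d["amount"]), to_int(d["expiration"])
    return None

def permit_red_flags(typed_data_json, now, balance=None):
    """List the reasons to hesitate before signing; an empty list means nothing stood out."""
    grant = extract_grant(json.loads(typed_data_json))
    if grant is None:
        return []
    spender, amount, deadline = grant
    flags = []
    if spender.lower() not in KNOWN_SPENDERS:
        flags.append(f"spender {spender} is not a contract you have used before")
    if amount >= UNLIMITED:
        flags.append("unlimited allowance requested")
    elif balance is not None and amount > balance:
        flags.append("allowance exceeds your current balance")
    if deadline - now > LONG_DEADLINE:
        flags.append(f"permit stays valid for {(deadline - now) // 86400} days")
    if flags:
        flags.append("signing costs no gas, but it lets the spender call transferFrom later")
    return flags

NOW = 1_700_000_000   # fixed clock so the example is deterministic

# Constructed drainer-style request: unknown spender, uint256 max value, deadline years away.
DRAINER_REQUEST = json.dumps({
    "primaryType": "Permit",
    "domain": {"name": "Example Token", "version": "1", "chainId": 1,
               "verifyingContract": "0x2222222222222222222222222222222222222222"},
    "message": {"owner": "0xVICTIM", "spender": "0x3333333333333333333333333333333333333333",
                "value": str(2**256 - 1), "nonce": 0, "deadline": 1_900_000_000},
})

# Constructed benign request: a spender the wallet knows, one token, one-hour expiry.
BENIGN_REQUEST = json.dumps({
    "primaryType": "PermitSingle",
    "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": "0x4444444444444444444444444444444444444444"},
    "message": {"details": {"token": "0x2222222222222222222222222222222222222222", "amount": str(10**18),
                            "expiration": NOW + 3600, "nonce": 0},
                "spender": "0x1111111111111111111111111111111111111111", "sigDeadline": NOW + 1800},
})

# Typed data that is not a permit at all; the checker stays silent rather than guessing.
NON_PERMIT_REQUEST = json.dumps({"primaryType": "Mail", "domain": {}, "message": {"contents": "hi"}})
```

The checker is deliberately conservative: it says nothing about typed data it does not understand, and when it does warn, the last line explains the mechanism, since the absence of a gas fee is exactly what made the prompt look harmless to the victim.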
Impact:
- Single-wallet loss of $6M, part of a broader $12.17M wave of phishing thefts in August alone.
- Highlights how user experience shortcuts (like Permit signatures) create exploitable attack surfaces.
Lessons Learned:
- Wallet users should treat every pop-up signature as a potential threat, regardless of gas cost.
- Projects and wallet providers must improve UI warnings for off-chain approvals.
- Education around phishing is as critical as contract security.
Crypto.com Data Breach: Scattered Spider’s Social Engineering Attack
Two years after the fact, Bloomberg revealed that Crypto.com suffered a serious data breach in 2023, orchestrated by teenage members of the cybercrime group Scattered Spider. The attackers used phishing and social engineering to impersonate IT staff, stealing employee logins and accessing sensitive accounts.
The breach, led in part by 18-year-old Noah Urban, compromised user data but, according to the exchange, did not affect customer funds. What shocked many wasn’t just the hack itself, but Crypto.com’s silence. Bloomberg’s reporting suggested that the company never properly disclosed the extent of the incident to customers, raising questions of transparency.
By 2025, the fallout intensified as law enforcement cracked down on Scattered Spider. Members including Thalha Jubair (18) and Owen Flowers (19) were arrested in the U.K. for related operations, while U.S. prosecutors tied them to 120+ ransomware attacks and over $115M in extortion payments. Crypto.com was just one of many victims, alongside MGM, Caesars, Coinbase, Reddit, and Transport for London.
CEO Kris Marszalek has denied any cover-up, insisting the company made appropriate regulatory disclosures. But for users, the bigger issue remains: how can they trust exchanges that reveal breaches only when investigative journalists force the matter?
Impact:
- Sensitive user data compromised, eroding trust in one of the industry’s largest exchanges.
- Exchange transparency questioned, with allegations of concealment compounding reputational damage.
- Demonstrates how young but sophisticated groups like Scattered Spider are reshaping cybercrime.
Lessons Learned:
- Social engineering remains a top-tier threat, bypassing even advanced technical defenses.
- Exchanges must adopt stronger internal authentication and employee security training.
- Transparent, prompt disclosure of breaches is essential to maintaining user trust.
This fortnight's incidents highlighted the multifaceted risks in crypto: misconfigured contracts, exploitable protocols, phishing attacks, and opaque corporate disclosures. The common thread across all six cases is trust: in code, in teams, and in platforms. Breaking that trust has immediate financial consequences and long-term reputational costs.
As attackers innovate, the burden is on both projects and users to evolve their defenses, question assumptions, and adopt a culture of verification at every layer.
Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.
We specialise in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you're working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.
- Website: security.extropy.io
- Email: info@extropy.io
