# Extropy Security Bytes: w49, 2025

**Welcome to week 49 of our weekly security roundup, where we discuss the latest incidents shaping the Web3 landscape.**

This week, the threats shifted from simple code exploits to systemic traps. We are witnessing the dawn of authorized control where "freeze and seize" capabilities are baked into the law, while on-chain, sophisticated actors are turning financial engineering into invisible rug pulls. From the final wash of stolen funds to the silent freezing of millions of accounts, the message is clear: in the new economy, access is conditional, and liquidity is an illusion.

---

### Yearn Finance: The Zombie Math Exploit

**"When legacy math can mint infinity, is the real exploit the code - or the culture that ships it?"**

On December 2, a forgotten relic of Yearn’s past—the yETH stableswap pool—woke up to mint **235 trillion tokens** out of thin air. This wasn't an attack on Yearn’s active V2 or V3 vaults (which remain safe); it was a surgical strike on an abandoned product running novel, unmaintained math.

The attack began when the perpetrator broke the pool's reality by hammering it with `remove_liquidity(0)` calls—withdrawals of nothing that triggered internal recalculations, slowly drifting the pool's invariant further from sanity. Once the relationship between the balance sum and product was sufficiently corrupted, the attacker deposited "dust"—literal pocket change consisting of 1 wei of various tokens. This tiny deposit forced the contract's **Newton-Raphson solver** to attempt to solve for a value that satisfied the broken invariant, pushing it into a catastrophic edge case.

The result was a textbook **unchecked arithmetic underflow**. When the solver attempted to calculate the new supply, the numerator `(AΣ - sr)` went negative. The EVM's unsigned integers cannot represent a negative value, so the unchecked result wrapped around to the top of the range (modulo $2^{256}$), resulting in a calculated mint amount of roughly $10^{77}$.

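
The wraparound described above, modelled in Python as an added example (this is not Yearn's code). Only the `(AΣ - sr)` shape comes from the article; the pool values, the `guarded_mint` bound and all function names are assumptions made for illustration.

```python
"""Added illustration (not Yearn's code): EVM-style uint256 subtraction, modelled in Python."""

UINT256_MOD = 1 << 256  # EVM words are 256 bits; SUB works modulo 2**256

def unchecked_sub(a: int, b: int) -> int:
    """Subtract the way the raw SUB opcode does: wrap instead of failing."""
    return (a - b) % UINT256_MOD

def checked_sub(a: int, b: int) -> int:
    """Subtract the way checked arithmetic does: revert on underflow."""
    if b > a:
        raise ArithmeticError("underflow: result would be negative")
    return a - b

def numerator(amp: int, sigma: int, s: int, r: int, sub=unchecked_sub) -> int:
    """The (A*sigma - s*r) term named in the article, with a pluggable subtraction."""
    return sub(amp * sigma % UINT256_MOD, s * r % UINT256_MOD)

def guarded_mint(old_supply: int, new_supply: int, deposited: int, slack_bps: int = 100) -> int:
    """Hypothetical post-condition: minted supply may not exceed deposited value plus slack."""
    minted = checked_sub(new_supply, old_supply)
    limit = deposited + deposited * slack_bps // 10_000
    if minted > limit:
        raise ValueError(f"mint of {minted} exceeds bound {limit} for deposit {deposited}")
    return minted

# Constructed values (not taken from the incident): a consistent pool state and a
# drifted one in which s*r has crept just past A*sigma.
HEALTHY = dict(amp=450, sigma=10**21, s=4 * 10**20, r=10**3)
DRIFTED = dict(amp=450, sigma=10**21, s=4 * 10**20, r=1126)

def demo() -> dict:
    """Evaluate the numerator for both states, unchecked and checked."""
    wrapped = numerator(**DRIFTED)
    try:
        numerator(**DRIFTED, sub=checked_sub)
        checked = "accepted"
    except ArithmeticError:
        checked = "reverted"
    return {"healthy": numerator(**HEALTHY), "wrapped": wrapped, "checked": checked}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:8} {value}")
```
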
The contract obediently minted **235,443,031,407,908,519,912,635,443,025,109,143,978,181,362,622,575,235,916 yETH** directly to the attacker. In a single atomic transaction block, the attacker used these counterfeit tokens to drain the pool of **$9 million** ($8M from the yETH pool and $0.9M from Curve), instantly swapping the loot for real assets before self-destructing the helper contracts to erase the bytecode trail.

The aftermath revealed the stark dangers of "zombie" code. While Yearn spun up a war room and coordinated with the Plume and Dinero teams to successfully claw back **$2.33 million**, the attacker managed to funnel **1,000 ETH** (~$3 million) into **Tornado Cash** in the very same block as the exploit. The remaining funds sit in the attacker's wallet, a testament to a product that was so abandoned even the team forgot to turn it off.

The incident serves as a brutal reminder that isolation protects active products, but it leaves legacy code vulnerable. The yETH pool was a "loaded gun" waiting in the repository, proof that if code is valuable enough to keep running, it must be valuable enough to maintain.

**Lessons Learned:**

* **Legacy Code is Technical Debt:** Isolation protects active products (V2/V3 were safe), but it abandons legacy users. If a contract holds value, it must be maintained or deprecated.
* **Unchecked Math is Fatal:** The exploit relied on an unchecked underflow. Modern Solidity handles this natively, but legacy contracts running on older compiler versions remain vulnerable.
* **The "Zombie" Vector:** Attackers are increasingly targeting abandoned pools where monitoring is lax and "novel math" hasn't been stress-tested by years of traffic.

---

### USPD — The "Invisible Admin" Attack

On December 5, the USPD protocol fell victim to one of the most sophisticated supply-chain attacks seen this year, losing approximately **$1 million**.
The attack vector, dubbed "CPIMP" (Clandestine Proxy In the Middle of Proxy), was not a standard code exploit but a deployment hijacking that went undetected for nearly three months.

The attacker didn't break the door down; they planted a key under the mat before the house was even built. Back on September 16, during the protocol's initial deployment, the attacker front-ran the team's proxy initialization with a Multicall3 transaction, silently seizing admin rights before the legitimate team could claim them.

What makes this attack particularly chilling is the level of camouflage employed. The attacker installed a "shadow" implementation that forwarded calls to the legitimate, audited code, ensuring that the protocol functioned normally for users. Crucially, they utilized **event payload manipulation** and **storage slot spoofing** to trick block explorers like Etherscan into displaying the correct, audited contract verification. To the outside world, and even to the developers, the contract looked perfect, verified, audited, and secure. In reality, the malicious admin privileges were hidden in the storage layer, waiting for the pot to grow.

After lying dormant for months to allow the protocol to accumulate Total Value Locked (TVL), the attacker finally struck. They used their hidden access to upgrade the proxy implementation to a malicious version, allowing them to mint **98 million USPD tokens** out of thin air and drain 232 stETH. The team has offered a 10% bounty for the return of funds, but the incident stands as a terrifying example of how "verified" code on Etherscan can be a mirage if the deployment process itself is compromised.

**Lessons Learned:**

* **Deployment is a Critical Phase:** The moments between contract creation and initialization are the most vulnerable. Atomic deployment scripts (create + initialize in one tx) are mandatory to prevent front-running.
* **Don't Trust the Explorer:** Etherscan verifies bytecode, but it can be tricked by proxy storage manipulation. Developers must verify the actual storage slots on-chain, not just rely on the UI.
* **The "Sleep" Vector:** Attackers are increasingly planting backdoors and waiting months to use them, allowing protocols to build TVL before striking to maximize the payout.

---

### The Economy of Access: Code as Law Enforcement

If you thought smart contracts were about removing the middleman, the latter half of 2025 has corrected that assumption permanently. We are living in the footnotes of prophecies we dismissed as fiction. In 1969, Philip K. Dick wrote about a door demanding payment to open. Today, that door is a smart contract, and it doesn't negotiate.

The convergence of the **GENIUS Act** (signed July 18, 2025) and aggressive biometric mandates has built a "three-layer cage" that turns every asset into a permission request:

**Layer 1: Physical Control (The Kill Switch)**

The precedent was set years ago on Interstate 15, when **T. Candice Smith’s** car shut off at 70 mph due to a late subprime payment. The "smart" device didn't care about safety; it only cared about the contract. Now, with tokenized assets, this logic is being applied to everything you touch: if the payment fails, the physics of your daily life simply stop working.

**Layer 2: Biometric Gating (The Authentication)**

The tragedy of **Santoshi Kumari**, an 11-year-old in India who starved to death because her ration card failed to link to the Aadhaar biometric system, proved that automated indifference is lethal. The system voided 43.9 million cards not because people weren't hungry, but because the "Machine" saw an error code. When your face becomes your private key, an authentication failure is no longer an inconvenience; it is an erasure of your civil existence.

**Layer 3: Financial Lock (The Mandate)**

The final bar of the cage is the **GENIUS Act**, which now mandates that stablecoin issuers maintain "freeze and seize" capabilities. This infrastructure is already live. In September 2025—dubbed "Mandate Season"—Vietnam froze **86 million bank accounts** (43% of the population) for failing to meet new biometric standards. There were no riots, only silent compliance as citizens queued to scan their faces to regain access to their own money.

**Lessons Learned:**

* **The "Freeze" Feature is a Bug:** If a protocol can freeze assets to comply with the GENIUS Act, it can freeze *your* assets.
* **Biometrics are the New Private Keys:** Your face is now your seed phrase, but unlike a seed phrase, you can't rotate it when it's compromised.
* **TVL is a Vanity Metric:** As Stream Finance proved, if liquidity is built on recursive loops, it is not liquidity—it is leverage waiting to implode.

---

### Bunni, The Final Wash

The saga of the **Bunni** protocol has reached a grim, irreversible conclusion. Originally hacked in September 2025 for roughly $8.4 million due to a devastating rounding error in its Uniswap v4-based withdrawal logic, the protocol’s hope for asset recovery effectively died this week.

On December 5, on-chain investigators confirmed that the attacker moved **2,295 ETH** (approx. **$7.3 million**) into **Tornado Cash**. This deposit signals the final stage of laundering; once funds enter the mixer, the trail goes cold, and the probability of recovery drops to near zero. The team, which had already ceased operations in October citing an inability to afford the "6-7 figure" costs of professional re-auditing, is now left with nothing but a post-mortem.

The timing is significant. The attacker waited months, letting the initial heat die down before executing the wash.
This calculated patience, combined with a sequence of smaller "layering" transactions to obfuscate the source, demonstrates a professional level of operational security that far outmatched the protocol's defenses. It serves as a final, brutal reminder that in 2025, transparency alone is not a security strategy.

**Lessons Learned:**

* **Trustless ≠ Safe:** A "trustless" protocol just means there is no human to call when the code fails.
* **The Laundering Window:** Attackers are increasingly patient, sitting on stolen funds for months to bypass immediate "white hat" negotiation periods.
* **Transparency has Limits:** Knowing where the money went (Tornado Cash) is useless if you can't retrieve it.

---

### South Korea Weighs 3% Revenue Fines for Crypto Exchange Hacks

South Korea is preparing to reshape the regulatory landscape for crypto exchanges following the massive security breach at **Upbit** on November 27. The incident, where over **104 billion Solana-based tokens** (valued at roughly $30.1 million) were drained in under an hour, has prompted the Financial Services Commission (FSC) to review a "no-fault compensation model." This unprecedented move would hold exchanges to the same strict liability standards as banks, requiring them to reimburse users for hacks or system failures even if the exchange itself was not directly negligent.

The proposed penalties represent a drastic escalation in enforcement. Lawmakers are weighing **fines of up to 3% of annual revenue** for hacking incidents, replacing the current cap of approx. $3.4 million which critics argue is merely a "cost of doing business." This regulatory hammer isn't just about the hack; it's a response to chronic instability. Data from the Financial Supervisory Service (FSS) reveals that the country's five major exchanges (Upbit, Bithumb, Coinone, Korbit, and Gopax) have reported **20 system failures since 2023**, affecting over 900 users.

Scrutiny has intensified regarding Upbit's response time.
Although the breach was detected shortly after 5:00 AM, the exchange did not notify the FSS until nearly 11:00 AM. Lawmakers have raised suspicions that this delay was connected to Dunamu’s (Upbit's operator) merger with Naver Financial, which was completed just minutes before the report was filed. While Dunamu disputes this, the timing has fueled the push for bank-level oversight.

If passed, these rules will force a consolidation of the market. Only exchanges with deep enough reserves to insure against "no-fault" payouts will survive. The era of the "buyer beware" exchange model in South Korea is effectively over.

**Lessons Learned:**

* **The End of "Not Our Fault":** Exchanges can no longer hide behind "sophisticated attacks" as an excuse. If funds move without authorization, the platform pays.
* **Regulatory Revenue Caps:** Fines based on percentage of revenue (3%) are existential threats compared to flat fees. Security is now a boardroom survival metric.
* **Incident Response Transparency:** Delays in reporting—especially when coincidental with corporate mergers—will be treated with extreme suspicion by regulators.

---

**Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols.**

We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure. We specialise in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.

**Website:** security.extropy.io

**Email:** info@extropy.io
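
An added example for the USPD lesson on checking proxy storage slots directly instead of trusting an explorer UI; it is not part of the original newsletter and is not USPD's tooling. It assumes a proxy that follows the EIP-1967 slot layout and a `read_slot` callable wrapping the JSON-RPC `eth_getStorageAt` method; all addresses and storage contents are constructed placeholders.

```python
"""Added illustration (not USPD's tooling): audit a proxy's EIP-1967 slots directly."""

# Standard EIP-1967 slots: keccak256("eip1967.proxy.<name>") - 1
IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103
ZERO = "0x" + "00" * 20

def slot_address(word: bytes) -> str:
    """An address occupies the low 20 bytes of a 32-byte storage word."""
    return "0x" + word[-20:].hex()

def audit_proxy(read_slot, proxy, expected_impl, expected_admin):
    """read_slot(address, slot) -> 32 bytes, e.g. a wrapper around eth_getStorageAt."""
    findings = []
    impl = slot_address(read_slot(proxy, IMPL_SLOT))
    admin = slot_address(read_slot(proxy, ADMIN_SLOT))
    if impl != expected_impl.lower():
        findings.append(f"implementation slot holds {impl}, expected {expected_impl}")
    if admin != expected_admin.lower():
        findings.append(f"admin slot holds {admin}, expected {expected_admin}")
    # Heuristic: audited logic should not carry proxy slots of its own. A non-zero
    # value means another contract sits between the proxy and the reviewed code.
    nested = slot_address(read_slot(impl, IMPL_SLOT))
    if impl != ZERO and nested != ZERO:
        findings.append(f"{impl} is itself a proxy forwarding to {nested}")
    return findings

# Constructed addresses and storage (placeholders, not values from the incident).
PROXY, LOGIC, TEAM = ("0x" + c * 40 for c in "abc")
SHADOW, INTRUDER = ("0x" + c * 40 for c in "de")

def fake_chain(storage):
    """Offline stand-in for an RPC node: unset slots read as zero, as on-chain."""
    def read_slot(address, slot):
        return bytes.fromhex(storage.get((address, slot), ZERO)[2:]).rjust(32, b"\0")
    return read_slot

CLEAN = fake_chain({(PROXY, IMPL_SLOT): LOGIC, (PROXY, ADMIN_SLOT): TEAM})
HIJACKED = fake_chain({(PROXY, IMPL_SLOT): SHADOW, (PROXY, ADMIN_SLOT): INTRUDER,
                       (SHADOW, IMPL_SLOT): LOGIC})

if __name__ == "__main__":
    print(audit_proxy(CLEAN, PROXY, LOGIC, TEAM))
    for finding in audit_proxy(HIJACKED, PROXY, LOGIC, TEAM):
        print("FINDING:", finding)
```

Run as a post-deployment and recurring check, with the expected addresses taken from the team's own deployment records rather than from an explorer page.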