Web3 is Going Just Great

November 30, 2025

Yearn Finance hacked for the third time

Yearn Finance, a defi yield protocol, has suffered another hack. The exploiter took advantage of bugs in the project's smart contract to drain assets from several of its pools by minting a huge number of yETH tokens and then withdrawing the corresponding asset in the pools.

$2.4 million of the stolen assets, which were denominated in pxETH, a liquid staking token issued by Redacted Cartel, were recovered after the issuer burned the stolen tokens and reissued them to the team's wallet — essentially, removing the tokens from the hacker's wallet. However, the hacker routed the remaining funds through the Tornado Cash cryptocurrency mixer, which makes recovery substantially more challenging.

This is the third time Yearn Finance has been hacked, following an $11 million exploit in 2023 and another $11 million exploit in 2021. Yearn also suffered around $1.4 million in losses in 2023 in connection to the Euler Finance attack.

November 22, 2025

Aerodrome and Velodrome suffer website takeovers, again

(attribution)

Attackers redirected users intending to visit the websites for the decentralized exchanges Aerodrome and Velodrome to their own fraudulent versions using DNS hijacking, after taking control of the websites' domains. The platforms urged users not to visit the websites as they worked to regain control.

This is the second time such an attack has happened to these same platforms, with another DNS hijacking incident occurring almost exactly two years ago. In that instance, users lost around $100,000 when submitting transactions via the scam websites.

"Top DEXs Aerodrome, Velodrome hit with front-end compromise, urge users to avoid main domains", The Block [archive]

November 20, 2025

GANA Payment hacked for $3.1 million

(attribution)

An attacker stole approximately $3.1 million from the BNB chain-based GANA Payment project. The thief laundered about $1 million of the stolen funds through Tornado Cash shortly after. The attacker was able transfer ownership of the GANA contract to themselves, possibly after a private key leak.

The theft was first observed by crypto sleuth zachxbt. Not long after, the project acknowledged on its Twitter account that "GANA's interaction contract has been targeted by an external attack, resulting in unauthorized asset theft."

November 6, 2025

Elixir shuts down deUSD after Stream Finance halt

(attribution)

After the defi yield platform Stream Finance announced a $93 million loss, Elixir announced it would be discontinuing its deUSD synthetic stablecoin. Stream Finance owes $68 million to Elixir, and holds around $75 million deUSD.

Elixir has announced that they plan to allow deUSD holders to redeem their tokens for USDC through a process that will also eliminate the risk of Stream Finance cashing out their deUSD without repaying their loan. According to Elixir, "Stream comprised of 99%+ of the lending positions (and has decided to not repay or close positions)".

Tweet thread by Elixir [archive]

November 4, 2025

Moonwell accrues almost $3.7 million of bad debt after oracle malfunction

(attribution)

The Moonwell lending protocol, built on the Base Ethereum L2, wound up with $3.7 million in bad debt after an attacker took advantage of an oracle malfunction that caused the price of wrsETH to be massively inflated. The Chainlink oracle used by the project erroneously reported that a single wrsETH token (Kelp DAO's wrapped restaked ETH) was priced at around 1.65 million ETH (~$5.8 billion). Within 30 seconds of the oracle reporting bad data, an attacker took advantage of the error to borrow huge amounts of tokens, which they then swapped to other tokens to cash out.

Ultimately the attacker profited around 295 ETH (~$1 million), but the protocol was saddled with significantly more bad debt that the team will now have to grapple with.

wrsETH Oracle Malfunction 11/4/25, Moonwell forum
Tweet by CertiK Alert [archive]

November 4, 2025

Stream Finance halts activity after $93 million loss

(attribution)

The Stream Finance defi yield project announced that "an external fund manager overseeing Stream funds disclosed the loss of approximately $93 million in Stream fund assets." Stream announced that they were in the process of withdrawing remaining liquid assets, and had halted all deposits or withdrawals. They also announced they had retained a law firm to investigate the "incident".

The project didn't disclose who the fund manager was, or the circumstances in which the "loss" occurred.

The Staked Stream USD token depegged on November 3, and crashed further following the announcement.

Tweet by Stream Finance [archive]
Staked Stream USD price chart, CoinGecko

November 3, 2025

Balancer exploited for at least $110 million

(attribution)

The defi protocol Balancer suffered a major exploit that drained over $110 million across several blockchains, including Ethereum, Polygon, Base, and Sonic. Attackers exploited faulty access control in the manageUserBalance function of Balancer's v2 smart contract, enabling unauthorized internal withdrawals. The stolen tokens included 6,850 osETH, 6,590 wETH, and 4,260 wstETH, later consolidated into new wallets likely for laundering.

The exploit also impacted forked protocols like Beets Finance, which lost around $3 million. Balancer's BAL token dropped over 10% following the theft.

This was Balancer's third major security incident since 2020, despite prior audits by OpenZeppelin and Trail of Bits.

"Balancer Hit by Apparent Exploit as $110M in Crypto Moves to New Wallets", CoinDesk [archive]

October 4, 2025

Abracadabra loses more "Magic Internet Money" to third hack in two years

(attribution)

In their third major hack in two years, the Abracadabra defi lending project lost $1.8 million of their Magic Internet Money stablecoin. An attacker took advantage of a bug in the project smart contracts to borrow more than their provided collateral would normally allow. The attack was funded via Tornado Cash, and the exploiter then swapped the stolen tokens for ETH and laundered them back through Tornado.

The project disclosed the theft, describing the exploit as affecting "some deprecated contracts". They downplayed the theft, saying they'd bought back the stolen assets using treasury funds.

Abracadabra previously suffered a $13 million theft in March 2025, and a $6.5 million theft in January 2024.

"Abracadabra loses $1.8 million in protocol's third major DeFi hack since 2024", The Block

September 26, 2025

Hypervault rug pulls for $3.6 million

(attribution)

Only days after the Hypervault yield farming platform announced on Twitter that they'd surpassed $5 million in total value locked, the platform suddenly shut down its website and social media accounts. Simultaneously, the crypto security firm PeckShield observed an "abnormal withdrawal" of a large quantity of various crypto assets priced at around $3.6 million, which were swapped to 752 ETH (~$3.1 million) and laundered through Tornado Cash.

The project had attracted customers by advertising yields of 76–95%.

"$3.6M Drained From Hyperliquid DeFi Platform Hypervault in ‘Abnormal Withdrawal’", Decrypt [archive]

September 12, 2025

Shibarium bridge hit with $2.4 million flash loan attack

(attribution)

A bridge for Shibarium, the layer-2 network for the Shiba Inu project, was exploited for approximately $2.4 million in funds. The attacker bought 4.6 million BONE tokens (the governance token for Shibarium) using a flash loan, then used compromised validator signing keys to take control of the majority of validator power. Then, they used that control to drain around 225 ETH and 92.6 billion SHIB, together priced at around $2.4 million at the time of the theft.

The project has paused staking on the network, freezing the BONE tokens borrowed by the attacker, which may limit the attacker's profits.