vulnerability

Maple Finance announced that there is a security vulnerability in its web application. The issue has been fixed, but out of caution, we will temporarily shut down the web application to ensure the fix is thoroughly completed.The team stated that the smart contracts were not affected and user deposits are safe. The team will notify users once the web application is back online.

Cross-chain liquidity protocol CrossCurve has released a security update regarding the $EYWA token, stating that they have successfully contained the exploit. The hacker extracted $EYWA from the bridge on the Ethereum network, but it cannot be used because only XT Exchange holds the Ethereum deposits, which have been frozen. Users' $EYWA tokens are safe, including all tokens on the Arbitrum network.For additional security, the team is contacting all centralized exchanges trading $EYWA to ensure that the hacker cannot sell or use the stolen tokens. The stolen $EYWA tokens cannot enter circulation and will not affect the token supply. The official team is conducting a comprehensive investigation into the details of the exploit, other stolen tokens, and how to prevent such vulnerabilities from occurring again.According to ChainCatcher, the cross-chain liquidity protocol CrossCurve was attacked due to a smart contract vulnerability, resulting in approximately $3 million being stolen.

According to The Block, the cross-chain liquidity protocol CrossCurve (formerly known as EYWA) has confirmed that its cross-chain bridge protocol "is under attack" due to a vulnerability in its smart contract being exploited, resulting in approximately $3 million in funds being stolen across multiple networks. Blockchain security firm Defimon Alerts discovered that the attack vector was a gateway validation bypass vulnerability in CrossCurve's ReceiverAxelar contract.Analysis shows that anyone can use a forged cross-chain message to call the contract's expressExecute function, thereby bypassing the expected gateway validation and triggering unauthorized token unlocks on the protocol's PortalV2 contract. The protocol is supported by Curve Finance founder Michael Egorov, who previously raised $7 million.

BlockSec released a significant vulnerability analysis of a closed-source contract, detecting a series of suspicious transactions targeting victim contracts deployed on Ethereum, Arbitrum, Base, and BSC for SwapNet and Aperture Finance, with total losses exceeding $17 million.Fundamentally, the root cause of both incidents is quite simple: the victim contracts have arbitrary call vulnerabilities due to insufficient input validation, allowing attackers to exploit this vulnerability to misuse existing token allowances and perform transferFrom to steal assets.Although the SwapNet and Aperture Finance incidents affected different protocols and blockchains, the fundamental issues in both cases are not complex: user-controlled underlying calls and insufficient input validation in contracts holding token allowances.

According to market news, an unknown contract on the BSC chain was exploited, and the hacker executed two reverse transactions through a flaw in the "burn pair" mechanism, ultimately resulting in a loss of approximately $100,000.The attacker first drained PGNLZ, then triggered the destruction of PGNLP and manipulated the price, thereby siphoning off most of the USDT from the liquidity pool.

Aperture Finance announced on platform X that it has detected an exploit affecting the Aperture V3/V4 contracts. To prevent new authorizations, core functionalities have been halted in the front-end application, and they are investigating the root cause of the incident in collaboration with security partners. To ensure wallet safety, please revoke all authorizations for the following contract address on the Ethereum mainnet immediately: 0xD83d960deBEC397fB149b51F8F37DD3B5CFA8913.Previously, it was reported that Aperture Finance was attacked, resulting in a loss of approximately $3.67 million.

According to market news, a series of suspicious transactions targeting victim contracts deployed on Ethereum, Arbitrum, Base, and BSC were discovered a few hours ago. These transactions were carried out by contracts deployed by two creators, resulting in a total loss of over $17 million.The victim contracts are not open source and appear to have a vulnerability allowing arbitrary calls. The attackers abused existing token authorizations to execute transferFrom operations to steal assets. Affected deployers: 0xbeef63AE5a2102506e8a352a5bB32aA8B30B3112------loss of approximately $3.67 million; 0x9cb8d9BaE84830b7F5F11ee5048c04a80b8514BA------loss of approximately $13.41 million.

BNB Chain's Chief Growth Officer Nina Rong posted that the theft of the BNB Chain Coinmarketcap account was due to a vulnerability that previously existed on the Coinmarketcap community platform. Immediate measures have been taken to ensure account security, and additional security measures have been implemented to prevent similar incidents from occurring again.

According to 23pds, the Chief Information Security Officer of Slow Fog Technology, a new type of security vulnerability has emerged in the Snap Store application store on the Linux platform. Hackers are taking over application publisher accounts by hijacking expired domain names and embedding malicious code into cryptocurrency wallet applications.Attackers monitor and register developer accounts in the Snap Store associated with expired domain names, using these domain emails to trigger password resets, thereby taking over the established publisher identity with long-term credibility. The tampered applications disguise themselves as well-known cryptocurrency wallets such as Exodus, Ledger Live, or Trust Wallet, with interfaces nearly indistinguishable from the originals.Currently, it has been confirmed that the publisher domains storewise[.]tech and vagueentertainment[.]com have been hijacked. These malicious applications lure users into entering their "wallet recovery mnemonic." Once users submit this information, sensitive data will be sent to the attackers' servers, resulting in the theft of digital assets.

a16z Crypto senior security researcher Daejun Park published an article calling for DeFi protocols to shift from "code is law" to "norms are law," adopting a more principled approach to security. The specific approach involves hardcoding security guarantees through standardized norms and invariant checks, automatically reverting transactions that violate predefined rules. Park pointed out that almost all known vulnerabilities would trigger such checks, potentially preventing hacker attacks during execution.According to a Slowmist report, hackers stole over $649 million last year through code vulnerabilities. Even established protocols like Balancer, which has been running since 2021, lost $128 million last November due to a code vulnerability. Developers are concerned that hackers are increasingly using AI to find vulnerabilities.Immunefi's security chief noted that invariant checks would increase gas costs, potentially driving away users, and are not a panacea. The co-founder of Asymmetric Research stated that many vulnerabilities are difficult to write invariant rules that can detect attacks without false positives.

According to CoinDesk, Immunefi CEO Mitchell Amador stated in a recent interview that despite the ongoing rise in cryptocurrency losses, on-chain security is improving. The year 2025 is recorded as the year with the most severe hacking attacks, but the biggest security failures did not stem from on-chain code, but rather from operational mistakes in Web2, such as passwords, private keys, infected devices, and human errors.As code becomes increasingly difficult to exploit, the main attack surface for crypto security in 2026 will be people, with human factors becoming the weak link that Web3 participants must prioritize. This view aligns with findings from a report by Chainalysis.The report indicates that cryptocurrency losses due to scams and fraud amounted to approximately $17 billion in 2025. Among these, identity impersonation scams increased by 1400% year-on-year, while AI-driven scams were 450% more profitable than traditional schemes.

According to information from the official website, Starknet ecosystem Perp DEX Paradex has announced temporary maintenance. The expected maintenance completion time has passed, but the protocol is still not online.According to community feedback, some users have faced forced liquidation in perpetual contract trading on Paradex due to abnormally high funding rates. Public information shows that Paradex is a decentralized perpetual derivatives Layer2 application chain that combines the liquidity of the crypto institution liquidity platform Paradigm with the transparency and self-custody of DeFi. It will operate as its own chain based on the Starknet developer stack and is the result of a continuous six-month collaboration between StarkWare and Paradigm.

According to Jinshi, Federal Reserve Governor Bowman expressed concerns about the fragility of the labor market.

The blockchain security agency BlockSec stated that the FutureSwap protocol deployed on Arbitrum was attacked again by hackers exploiting a reentrancy vulnerability, just four days after its first attack, resulting in a loss of approximately $74,000.The attacker first over-minted LP tokens using the reentrancy function 0x5308fcb1 three days ago, and after the cooldown period ended, redeemed the excess collateral to realize profits.

SVM Layer 1 project Fogo posted on platform X: "We have detected a vulnerability that causes the first season Flames EVM wallet points to not display correctly. We are currently investigating this issue, please check back in 24 hours. If the problem is resolved earlier, we will update the notice promptly."

According to a report by Cointelegraph, developers stated in a post released on GitHub on Thursday that a newly disclosed software vulnerability in the Bitcoin staking protocol Babylon could allow malicious validators to disrupt part of the network's consensus process, potentially slowing down block generation during critical periods.The vulnerability affects Babylon's block signing scheme, specifically the BLS voting extension scheme, which is used to prove that validators have reached consensus on a particular block. The flaw allows malicious validators to deliberately omit the block hash field when sending the voting extension, which could lead to consensus issues among validators during network epoch boundaries. The block hash field is used to inform validators which blocks they are actually voting to support in the consensus process, and this vulnerability allows for its omission.Through this vulnerability, in theory, malicious validators could cause other validators to crash during critical consensus checks at phase boundaries. If multiple validators are affected, it would result in a slowdown of block generation. There have been no reports of this vulnerability being actively exploited, but developers warn that if left unaddressed, it could be abused.

According to market news, the attacker initiated a flash loan through the Synnax contract on the SEI chain, borrowing 1.96 million WSEI (approximately $240,000) and did not repay it.This attack was triggered by a previous erroneous operation three blocks prior: the address 0x9748...a714 mistakenly transferred funds into the contract, inadvertently providing financial support for the attack. The attack path involved TX1 and TX2 transactions, showing that on-chain operational errors can still pose critical risk points in DeFi attacks.

The Slow Fog team security researcher 23pds forwarded a report from researcher Adam Chester, revealing a privilege escalation and command execution vulnerability found in Anthropic's Claude Code. Attackers can execute commands without user authorization. The vulnerability ID is CVE-2025-64755, and a related PoC has been made public.This issue has been noted to be similar to a previously disclosed vulnerability in the Cursor tool. 23pds stated that phishing hackers have already exploited the related vulnerability to attack cryptocurrency users.