
Blockchain Security Brief
The weekly record of web3's darkest hours
Monday, October 20, 2025

Top Exploits
From trillion-dollar typos to orbital scam cities and Sui’s latest liquidity implosion, this week proved once again that DeFi’s biggest vulnerabilities aren’t bugs in the code - they’re features of the system.
Paxos accidentally hyperinflated the universe. On October 15th, one misplaced decimal turned a $300M internal transfer into a $300 trillion mint - over twice the world’s GDP, conjured for $2.66 in gas fees. For 22 glorious minutes, PayPal’s PYUSD stablecoin became the richest entity in history before being panic-burned into oblivion. Not a hack - just a “regulated” stablecoin running on a single god-mode key. Trustless code, trusted humans, catastrophic results.
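The lesson a defender takes from the PYUSD incident is that a privileged mint path needs invariants that hold no matter who signs. The Python below is an added illustration, not Paxos's code and not a claim about what their actual bug was: it scales a human-readable amount to base units exactly once, shows how a double-scaling slip (applying the decimals twice) turns a 300M mint into a 300T one, and runs every mint request through a policy check that caps both the absolute size of one mint and its growth relative to current supply. The 6-decimal assumption, the caps and the supply figure are all constructed values.

```python
"""Mint-path sanity checks for a fiat-backed stablecoin (constructed example)."""
from __future__ import annotations

from decimal import Decimal

TOKEN_DECIMALS = 6          # assumed: PYUSD-style 6-decimal token
ONE_TOKEN = 10 ** TOKEN_DECIMALS


class MintRejected(Exception):
    """Raised when a mint request violates policy, regardless of who signed it."""


def to_base_units(amount, decimals: int = TOKEN_DECIMALS) -> int:
    """Convert a human-readable amount ("300000000") to integer base units.

    This is the ONLY place scaling happens; callers must never pre-scale.
    """
    scaled = Decimal(str(amount)).scaleb(decimals)
    if scaled != scaled.to_integral_value():
        raise ValueError("amount has more fractional digits than the token supports")
    return int(scaled)


def from_base_units(units: int, decimals: int = TOKEN_DECIMALS) -> Decimal:
    """Inverse of to_base_units, for reporting."""
    return Decimal(units).scaleb(-decimals)


def check_mint(requested_units: int, current_supply_units: int,
               max_single_mint_units: int, max_growth_bps: int) -> int:
    """Return requested_units if it passes both caps, else raise MintRejected.

    max_growth_bps bounds one mint as a fraction of current supply in basis points
    (5_000 = 50%). The checks are integer-only so there is no floating rounding.
    """
    if requested_units <= 0:
        raise MintRejected("non-positive mint")
    if requested_units > max_single_mint_units:
        raise MintRejected(
            f"{from_base_units(requested_units)} tokens exceeds single-mint cap "
            f"of {from_base_units(max_single_mint_units)}")
    if current_supply_units > 0 and \
            requested_units * 10_000 > current_supply_units * max_growth_bps:
        raise MintRejected(
            f"mint would grow supply by more than {max_growth_bps / 100:.1f}%")
    return requested_units


# Constructed policy and supply figures (not Paxos's real numbers).
POLICY = dict(max_single_mint_units=to_base_units("1000000000"),   # 1B tokens
              max_growth_bps=5_000)                                # 50% of supply
CURRENT_SUPPLY = to_base_units("2000000000")                       # 2B tokens


def intended_mint() -> int:
    """The transfer the operator meant to make: 300M tokens, scaled once."""
    return check_mint(to_base_units("300000000"), CURRENT_SUPPLY, **POLICY)


def double_scaled_mint() -> str:
    """The slip: an already-scaled value gets scaled again (10**6 too large)."""
    fat_fingered = to_base_units(to_base_units("300000000"))
    try:
        check_mint(fat_fingered, CURRENT_SUPPLY, **POLICY)
        return "accepted"
    except MintRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("intended:", from_base_units(intended_mint()), "tokens")
    print("double-scaled mint is", double_scaled_mint())
```

The point of `check_mint` is that it sits behind the signer: a single key (or a fat finger on its operator's keyboard) can still request anything, but the contract or the issuance service refuses amounts that no legitimate operation would ever need.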
Myanmar’s “erased” scam city is back online - bigger, wired, and running on Starlink. Despite a February crackdown, KK Park’s compounds now host 100,000 trafficked workers scamming billions through U.S. satellites unlicensed in Myanmar. Liberation tech turned into scam infrastructure, beaming modern slavery from orbit.
Typus Finance got oracle’d into oblivion after missing authority checks in its Targeted Liquidity Provision contract, letting exploiters spoof prices and drain $3.4M like it was happy hour. It’s Sui’s third major hit this year, following Cetus’s $223M overflow and Nemo’s $2.4M yield flop. The team hit pause faster than a panic validator and called in the Sui Foundation for cleanup duty.
Rekt Audit Broker
The big city sleeps, but the code never does. Neither do the crooks.
Rekt Audit Broker connects protocols with top-tier security firms. One request, multiple bids. Faster audits, fairer pricing, trusted partners.
Audits are cheaper than funerals.
Deep Dives
EIP 7702 Security Considerations (7 min read)
Ethereum’s latest upgrade gave EOAs brains and attackers a new toy. By turning wallets into callable smart contracts, EIP-7702 lets anyone borrow privileges from whitelisted users without touching their keys. The result? Whitelist bypasses, proxy exploits, and yet another reason msg.sender no longer means what you think it does.
Produced by SlowMist: Common Cryptographic Risks in Blockchain Applications (30 min read)
From weak random seeds to forged signatures, Web3’s foundation is cracking at the code level. SlowMist’s open-source report exposes the hidden rot in crypto’s cryptography - insecure RNGs, broken libraries, and careless key handling - the silent killers behind multimillion-dollar exploits that start not in contracts, but in code.
Auditing Vault-Based Protocols in DeFi (6 min read)
Vaults are DeFi’s safes - until a single math error turns them into slot machines. This piece breaks down how mispriced shares, lazy keepers, and broken withdrawal queues can silently drain user funds long before launch.
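One concrete form of "mispriced shares" is rounding in the share formula. The Python below is an added illustration written for this brief, not code from the linked piece or from any protocol: a toy ERC-4626-style vault whose share math can be configured as naive (shares = assets * totalShares / totalAssets) or with an OpenZeppelin-style virtual-shares offset. The `inflation_scenario` function is the check an auditor runs against both: a first depositor seeds the vault with a dust deposit, tokens are sent straight to the vault without minting shares, and a later depositor's share count rounds to zero in the naive vault, while the offset vault prices the later deposit correctly and makes the donation a loss for whoever made it. All amounts and the 10**6 offset are constructed.

```python
"""Toy ERC-4626-style share accounting with and without a virtual offset (constructed)."""
from dataclasses import dataclass, field


def _div(num: int, den: int, round_up: bool) -> int:
    return -(-num // den) if round_up else num // den


@dataclass
class Vault:
    # virtual_shares=0, virtual_assets=0 -> naive vault (1:1 when empty).
    # virtual_shares=10**d, virtual_assets=1 -> OpenZeppelin-style decimals offset.
    virtual_shares: int = 0
    virtual_assets: int = 0
    total_assets: int = 0
    total_shares: int = 0
    balances: dict = field(default_factory=dict)

    def to_shares(self, assets: int, round_up: bool = False) -> int:
        """assets -> shares; deposit rounds DOWN so the vault never over-issues."""
        den_shares = self.total_shares + self.virtual_shares
        if den_shares == 0:                      # empty naive vault: 1:1
            return assets
        return _div(assets * den_shares, self.total_assets + self.virtual_assets, round_up)

    def to_assets(self, shares: int, round_up: bool = False) -> int:
        """shares -> assets; redeem rounds DOWN so the vault never over-pays."""
        den = self.total_shares + self.virtual_shares
        if den == 0:
            return shares
        return _div(shares * (self.total_assets + self.virtual_assets), den, round_up)

    def deposit(self, who: str, assets: int) -> int:
        shares = self.to_shares(assets, round_up=False)
        self.total_assets += assets
        self.total_shares += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def donate(self, assets: int) -> None:
        """Tokens transferred directly to the vault: raises totalAssets, mints nothing."""
        self.total_assets += assets

    def redeem(self, who: str, shares: int) -> int:
        assets = self.to_assets(shares, round_up=False)
        self.balances[who] -= shares
        self.total_shares -= shares
        self.total_assets -= assets
        return assets


def inflation_scenario(vault: Vault) -> dict:
    """Audit check: dust deposit, direct donation, then an honest 10_000 deposit.

    Returns what the honest depositor receives in shares, what the first
    depositor gets back, and what the honest depositor can redeem afterwards.
    """
    vault.deposit("first", 1)
    vault.donate(10_000)
    victim_shares = vault.deposit("victim", 10_000)
    first_out = vault.redeem("first", vault.balances["first"])
    victim_out = vault.redeem("victim", victim_shares) if victim_shares else 0
    return {"victim_shares": victim_shares, "first_out": first_out, "victim_out": victim_out}


if __name__ == "__main__":
    print("naive  :", inflation_scenario(Vault()))
    print("offset :", inflation_scenario(Vault(virtual_shares=10**6, virtual_assets=1)))
```

In the naive vault the honest depositor's 10_000 becomes 0 shares and the first depositor redeems 20_001; with the offset, the honest depositor gets 1_999_600 shares and recovers 9_999 (one unit lost to vault-favoring rounding), while the first depositor gets 5_001 back on 10_001 put in. Rounding direction and the offset are the two knobs an auditor checks first when a vault's share price can be moved by a transfer that bypasses `deposit`.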
Crypto safety 2025: 7 easy ways to avoid hacks and scams (11 min read)
Over $2.4 billion vanished in the first half of 2025 - not from smart contract exploits, but from bad clicks and worse habits. This guide distills seven practical defenses against phishing, toxic approvals, fake support, and SIM swaps. From ditching SMS 2FA to separating hot and cold wallets, Cointelegraph’s security checklist reminds users that most crypto losses aren’t technical - they’re behavioral.
Zero Vulnerability in Web3 Security (5 min read)
As web3 systems grow in complexity, security is shifting from one-time audits to continuous assurance. The zero vulnerability approach frames security as a design discipline - verifying invariants, enforcing constraints, and monitoring systems throughout their lifecycle. In this model, resilience comes not from reacting to exploits but from systematically reducing the space where they can occur.
Other Security Stories
Researchers Unveil Cryptographic Proofs to Catch Phishing Scams. SEAL’s new TLS attestation tool lets security teams verify what victims really saw on malicious sites, breaking through scammer cloaking tactics that hid $400 million in crypto thefts this year.
MEV Spam Is Devouring Blockchain Scalability. Flashbots researcher Robert Miller found that spam bots consumed over half of Base’s gas throughput while paying just 10% of fees - turning scaling gains into wasted computation and revealing how low-cost blockspace fuels an endless, self-defeating arms race across rollups and Solana alike.
Researchers Expose Massive Satellite Data Leak Visible From Space. A $600 setup was enough for academics to intercept unencrypted satellite traffic - including SMS, encryption keys, and military data - as geosynchronous networks quietly broadcast sensitive information across nearly half the planet.
Interpol Cracks $439M Global Scam Ring in Operation HAECHI. The five-month sting spanned 40 countries, freezing 68,000 bank accounts and 400 crypto wallets tied to phishing, romance scams, and business email fraud - a warning shot that cross-border cybercrime is running out of places to hide.
North Korean Hackers Hide Malware in Ethereum Smart Contracts. Google’s Threat Intelligence team uncovered DPRK’s UNC5342 group using “EtherHiding” to stash and deliver malware via blockchain - embedding payloads in smart contracts to evade takedowns, update campaigns cheaply, and steal crypto straight from developer job applicants.
New Tools and Projects
• CryptoGuard Prototype: a wallet-integrated dashboard using AI and behavioral analytics to detect cryptojacking, phishing, and suspicious transaction patterns for non-technical users, bridging consumer UX and on-chain threat intelligence.
• Beosin KYA Lite: a newly launched risk-screening tool for virtual assets that monitors counterparties and addresses for compliance and fraud risk in real time - useful for exchanges, DeFi protocols and institutional infrastructure.
• VeilAudit: a cross-chain auditing framework introduced in recent academic work that bridges user privacy with auditability using linkable tags and zero-knowledge proofs - signals the next generation of monitoring tools for multi-chain environments.
• On-Chain KYC 2.0 by Blockpass: a privacy-centric identity and compliance suite for Web3 that delivers reusable user attestations via on-chain proofs, supporting KYC/KYB/AML on multiple chains - lets platforms onboard users without centralising personal data.
Rekt Flashback
One year ago, Tapioca DAO’s sweet DeFi experiment curdled into a $4.4 million disaster after a private key compromise turned its Arbitrum vaults into an all-you-can-drain buffet. The attacker exploited Tapioca’s vesting contracts, minted five quintillion USDO, and dumped 30 million TAP for 591 ETH before fleeing across chains. TAP cratered 97%, the team claimed “social engineering,” and in a bizarre twist, they “hacked the hacker” to recover 1,000 ETH. Twelve months later, Tapioca stands as a reminder that DeFi collapses aren’t always coded - they’re often keyed, clicked, and catastrophically human.
Memes and Videos
The Man Who Stole America’s Most Valued Secret
How do you steal $600B in stealth tech? With charm, spreadsheets, and a Gmail draft folder. Su Bin’s six-year cyber-heist turned China’s J-20 from blueprint to battlefield - and left the U.S. chasing its own shadow.
Want to partner with us?
Skip the bots, hit the brains.
Get your message in front of the sharpest, most battle-tested crowd in crypto.
If they notice you, the whole space will.
We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous.
We are all rekt.

