
More than $12 million was stolen this week across four incidents, with Resupply and Silo Finance suffering multi-million dollar losses. The Resupply hack is particularly notable: $9.8 million was drained due to a recurring vulnerability in which an empty market is exploited via a rounding error to mint excessive protocol tokens. Since the 2023 Hundred Finance hack, this vulnerability class has now accounted for over $51 million in losses, as developers continue to learn the painful lesson that newly deployed markets demand extra care, especially around math precision and initial liquidity. The incident also triggered the now-familiar cascade of finger-pointing, further fueling drama across the ecosystem.
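The empty-market rounding hazard mentioned above, as an added illustration that is not Resupply's or any protocol's code: a minimal integer share-accounting model of a freshly deployed vault, showing how a direct token donation on an empty market makes an honest deposit round down to zero shares, and how seeding initial liquidity or an ERC-4626-style virtual-share offset (both assumed mitigations, with constructed amounts) keeps the rounding error bounded.

```python
# Constructed model of share accounting on a freshly deployed market, using
# integer floor division as an EVM contract would. Not any project's real code.

def shares_for_deposit(assets, total_assets, total_shares, virtual_shares=0):
    """Shares minted for `assets`. `virtual_shares` (paired with one virtual
    asset) is the ERC-4626-style offset that keeps the share price defined
    even when the market holds nothing yet."""
    if virtual_shares == 0:
        return assets if total_shares == 0 else assets * total_shares // total_assets
    return assets * (total_shares + virtual_shares) // (total_assets + 1)

def assets_for_redeem(shares, total_assets, total_shares, virtual_shares=0):
    """Assets paid out for `shares`, rounded down in the protocol's favour."""
    if virtual_shares == 0:
        return shares * total_assets // total_shares
    return shares * (total_assets + 1) // (total_shares + virtual_shares)

def simulate_fresh_market(donation, victim_deposit, virtual_shares=0, seed=0):
    """Constructed scenario: optional deployer seed liquidity, a 1-wei first
    deposit, a direct transfer that inflates the share price, then an honest
    deposit. Returns (victim_shares, first_depositor_payout, first_depositor_outlay)
    so a reviewer can check whether the rounding error is exploitable."""
    total_assets = total_shares = 0
    if seed:  # deployer seeds liquidity and keeps/burns the resulting shares
        total_shares += shares_for_deposit(seed, 0, 0, virtual_shares)
        total_assets += seed
    first = shares_for_deposit(1, total_assets, total_shares, virtual_shares)
    total_assets += 1
    total_shares += first
    total_assets += donation  # tokens sent straight to the vault, no shares minted
    victim = shares_for_deposit(victim_deposit, total_assets, total_shares, virtual_shares)
    total_assets += victim_deposit
    total_shares += victim
    payout = assets_for_redeem(first, total_assets, total_shares, virtual_shares)
    return victim, payout, 1 + donation

if __name__ == "__main__":
    donation, deposit = 10_000 * 10**18, 5_000 * 10**18
    for label, kwargs in [("no mitigation", {}),
                          ("virtual shares 1e6", {"virtual_shares": 10**6}),
                          ("seeded with 1 token", {"seed": 10**18})]:
        victim, payout, outlay = simulate_fresh_market(donation, deposit, **kwargs)
        print(f"{label:22} victim shares={victim} payout/outlay={payout / outlay:.4f}")
```

With no mitigation the honest deposit mints zero shares and the lone first share redeems for the whole pool; with either mitigation the honest depositor receives shares and the donation is not recovered, so the rounding error is no longer profitable.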
The remaining compromises were just as easily preventable. An MEV bot called printMoney lost $2 million due to insufficient function access control, while Silo Finance lost over $500,000 because of poor function parameter validation. These are well-known and well-documented issues. If you haven’t already, check out the recently released DeFi Top 10 Attack Vectors where these two categories appear on the list year after year, consistently causing millions in damages.
If you’re a developer and don’t feel fully confident in preventing these types of bugs, check out this week’s sponsor – Oak Security, a trusted auditor behind some of the ecosystem’s most unique protocols and a long-time supporter of this newsletter.
Oak Security has operated in Web3 Security since 2017, providing security services throughout a project’s lifecycle. This includes audits, penetration testing, operational security training, and advisory services. Our signature blinded process emphasizes redundancy: every line of code is reviewed in parallel by multiple auditors with multi-disciplinary backgrounds.
Link: https://www.oaksecurity.io/
In other news, be sure to check out Unphishable, a new community-driven project from the good folks at DeFi Hack Labs, ScamSniffer, and SlowMist. It’s a series of interactive challenges designed to teach users how to spot and avoid common Web3 phishing attacks. The project simulates real-world scams involving malicious signatures, spoofed dApps, and fake support agents, giving users a low-stakes environment to train their instincts before real money is on the line. Amazing!
And while you are at it, be sure to thank this week’s sponsor Coinspect for helping uplevel wallet and user security.
Coinspect’s Wallet Security Ranking is an objective, transparent, and regularly updated evaluation of leading cryptocurrency wallets. It focuses on critical security features like anti-phishing defenses, transaction clarity, and protection against blind signing, helping users choose wallets that prioritize their safety.
Read more on newsletter.blockthreat.io

