Prysm consensus client bug causes Ethereum validators to lose over $1 million
Ethereum validators running the Prysm consensus client lost around 382 ETH ($1.18 million) after a bug resulted in delays that caused validators to miss blocks and attestations. Though the bug had been introduced around a month prior, it did not affect validators until Ethereum completed its "Fusaka" network update on December 3. Around 19% of Ethereum validators use the Prysm consensus client, which is developed by Offchain Labs.
- "Fusaka Mainnet Prysm Incident", Prysm
- Client Distribution, Clientdiversity.org
Yearn Finance hacked for the third time
Yearn Finance, a defi yield protocol, has suffered another hack. The exploiter took advantage of bugs in the project's smart contract to drain assets from several of its pools by minting a huge number of yETH tokens and then withdrawing the corresponding asset in the pools.
$2.4 million of the stolen assets, which were denominated in pxETH, a liquid staking token issued by Redacted Cartel, were recovered after the issuer burned the stolen tokens and reissued them to the team's wallet — essentially, removing the tokens from the hacker's wallet. However, the hacker routed the remaining funds through the Tornado Cash cryptocurrency mixer, which makes recovery substantially more challenging.
This is the third time Yearn Finance has been hacked, following an $11 million exploit in 2023 and another $11 million exploit in 2021. Yearn also suffered around $1.4 million in losses in 2023 in connection to the Euler Finance attack.
Upbit hacked for $30 million
The Korean cryptocurrency exchange Upbit suffered a loss of around $30 million in various Solana-based assets due to a hack. Some entities have suggested that Lazarus, a North Korean state-sponsored cybercrime group, was behind the hack.
Upbit reimbursed users who had lost funds from company reserves. The exchange was able to freeze around $1.77 million of the stolen assets.
This theft occurred exactly six years after Upbit suffered a theft of 342,000 ETH (priced at around $50 million at the time).
Aerodrome and Velodrome suffer website takeovers, again
Attackers redirected users intending to visit the websites for the decentralized exchanges Aerodrome and Velodrome to their own fraudulent versions using DNS hijacking, after taking control of the websites' domains. The platforms urged users not to visit the websites as they worked to regain control.
This is the second time such an attack has happened to these same platforms, with another DNS hijacking incident occurring almost exactly two years ago. In that instance, users lost around $100,000 when submitting transactions via the scam websites.
Cardano founder calls the FBI on a user who says his AI mistake caused a chainsplit
On November 21, the Cardano blockchain suffered a major chainsplit after someone created a transaction that exploited an old bug in Cardano node software, causing the chain to split. The person who submitted the transaction fessed up on Twitter, writing, "It started off as a 'let's see if I can reproduce the bad transaction' personal challenge and then I was dumb enough to rely on AI's instructions on how to block all traffic in/out of my Linux server without properly testing it on testnet first, and then watched in horror as the last block time on explorers froze."
Charles Hoskinson, the founder of Cardano, responded with a tweet boasting about how quickly the chain recovered from the catastrophic split, then accused the person of acting maliciously. "It was absolutely personal", Hoskinson wrote, adding that the person's public version of events was merely him "trying to walk it back because he knows the FBI is already involved". Hoskinson added, "There was a premeditated attack from a disgruntled [single pool operator] who spent months in the Fake Fred discord actively looking at ways to harm the brand and reputation of IOG. He targeted my personal pool and it resulted in disruption of the entire cardano network."
Hoskinson's decision to involve the FBI horrified some onlookers, including one other engineer at the company who publicly quit after the incident. They wrote, "I've fucked up pen testing in a major way once. I've seen my colleagues do the same. I didn't realize there was a risk of getting raided by the authorities because of that + saying mean things on the Internet."
GANA Payment hacked for $3.1 million
An attacker stole approximately $3.1 million from the BNB chain-based GANA Payment project. The thief laundered about $1 million of the stolen funds through Tornado Cash shortly after. The attacker was able transfer ownership of the GANA contract to themselves, possibly after a private key leak.
The theft was first observed by crypto sleuth zachxbt. Not long after, the project acknowledged on its Twitter account that "GANA's interaction contract has been targeted by an external attack, resulting in unauthorized asset theft."
Crypto tracking platform DappRadar shuts down, citing financial woes
Amid a month of falling crypto prices, the crypto tracking platform DappRadar has announced it will be shutting down after seven years of operation. "Running a platform of this scale became financially unsustainable in the current environment," the company announced on Twitter.
The company had previously raised several rounds of financing, with a $2.3 million seed round in 2019 and a $5 million Series A in 2021.
Cardano holder loses $6 million to slippage
A holder of around 14.4 million ADA (~$6.9 million), the token for the Cardano network, made an expensive error when attempting to swap the tokens for a stablecoin. Because the stablecoin they were looking to buy is lightly used and has only around $10.6 million tokens in circulation, an attempt to purchase millions of the tokens on the market caused the dollar-pegged stablecoin's price to spike to around $1.26. The resulting slippage meant that the trader spent their roughly $6.9 million in tokens to receive a little less than $850,000 in the USDA stablecoin, meaning the trader essentially threw away $6 million.
Observers have questioned what happened. It's possible that the holder, who had not been active on-chain since 2020, was simply unaware of the slippage risk. It's also possible that it was a "fat-finger" trade — that the trader accidentally selected the wrong stablecoin from a list of similarly named options, some of which could have more easily absorbed a trade of that size.
Elixir shuts down deUSD after Stream Finance halt
After the defi yield platform Stream Finance announced a $93 million loss, Elixir announced it would be discontinuing its deUSD synthetic stablecoin. Stream Finance owes $68 million to Elixir, and holds around $75 million deUSD.
Elixir has announced that they plan to allow deUSD holders to redeem their tokens for USDC through a process that will also eliminate the risk of Stream Finance cashing out their deUSD without repaying their loan. According to Elixir, "Stream comprised of 99%+ of the lending positions (and has decided to not repay or close positions)".
Moonwell accrues almost $3.7 million of bad debt after oracle malfunction
The Moonwell lending protocol, built on the Base Ethereum L2, wound up with $3.7 million in bad debt after an attacker took advantage of an oracle malfunction that caused the price of wrsETH to be massively inflated. The Chainlink oracle used by the project erroneously reported that a single wrsETH token (Kelp DAO's wrapped restaked ETH) was priced at around 1.65 million ETH (~$5.8 billion). Within 30 seconds of the oracle reporting bad data, an attacker took advantage of the error to borrow huge amounts of tokens, which they then swapped to other tokens to cash out.
Ultimately the attacker profited around 295 ETH (~$1 million), but the protocol was saddled with significantly more bad debt that the team will now have to grapple with.
- wrsETH Oracle Malfunction 11/4/25, Moonwell forum
- Tweet by CertiK Alert [archive]