A Silent Threat in the DeFi Ecosystem
A team of crypto security researchers have successfully thwarted a sophisticated backdoor exploit that posed a major threat to thousands of smart contracts across the decentralised finance (DeFi) ecosystem. The flaw, which had gone undetected for months, had the potential to allow attackers to steal over $10 million in crypto assets.
The exploit was discovered by Venn Network researcher Deeberiroz, who shared the findings on X (formerly Twitter) on Thursday. According to the researcher, the vulnerability targeted uninitialised ERC-1967 proxy contracts. This allowed attackers to hijack contracts before they were properly configured, effectively giving them complete control.
36 Hours to Rescue the Funds
The issue came to light on Tuesday, prompting a rapid 36-hour rescue operation. Several developers and blockchain security specialists, including Pcaversaccio, Dedaub and Seal 911, collaborated with Venn Network to evaluate the impacted contracts and safeguard at-risk funds.
Or Dadosh, co-founder and president of Venn Network, explained that the attacker had been front-running contract deployments and injecting malicious implementations. “In the simplest terms, the attacker exploited certain deployments which allowed them to put a well-hidden back door in thousands of contracts,” he said.
Once the contracts were initialised, the exploit became almost invisible, leaving a permanent and undetectable backdoor. Dadosh warned that the attacker could have taken over the contracts at any time. By keeping the vulnerability secret until the rescue operation was complete, the security team managed to protect a significant amount of crypto from being drained.
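A defender's check for the pattern described above, as an added example that is not from the article or from Venn Network: it flags a proxy that was initialised outside its deployment transaction or by an unexpected address, and compares the ERC-1967 implementation slot and `Upgraded` history against an allowlist. The record layout, all addresses and the reliance on an `Initialized` event (as emitted by OpenZeppelin's Initializable) are assumptions.

```python
# Added example; the record layout and every address here are constructed.
# Implementation slot fixed by ERC-1967: keccak256("eip1967.proxy.implementation") - 1
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"

def slot_to_address(word):
    """An address occupies the low 20 bytes of the 32-byte storage word."""
    return "0x" + format(int(word, 16) & ((1 << 160) - 1), "040x")

def audit_proxy(proxy, trusted_impls):
    """Return findings for a proxy record; an empty list means nothing flagged."""
    trusted = {a.lower() for a in trusted_impls}
    events = sorted(proxy["events"], key=lambda e: (e["block"], e["tx_index"]))
    findings = []
    init = next((e for e in events if e["name"] == "Initialized"), None)
    if init is None:
        findings.append("uninitialised: initializer is still callable")
    else:
        if init["tx"] != proxy["deploy_tx"]:
            findings.append("initialised outside the deployment transaction")
        if init["sender"].lower() != proxy["deployer"].lower():
            findings.append("initialised by an address other than the deployer")
    # Check the whole upgrade history, not only the current state.
    for e in events:
        if e["name"] == "Upgraded" and e["implementation"].lower() not in trusted:
            findings.append("untrusted implementation in upgrade history")
    if slot_to_address(proxy["storage"].get(IMPL_SLOT, "0x0")) not in trusted:
        findings.append("implementation slot holds an untrusted address")
    return findings

# Constructed sample data (not real addresses or transactions).
GOOD_IMPL = "0x" + "11" * 20
ROGUE_IMPL = "0x" + "66" * 20
TEAM, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
def sample(init_tx, sender, impl):
    events = [] if sender is None else [
        {"name": "Upgraded", "implementation": impl, "sender": sender,
         "tx": init_tx, "block": 101, "tx_index": 0},
        {"name": "Initialized", "sender": sender,
         "tx": init_tx, "block": 101, "tx_index": 0}]
    return {"deploy_tx": "0xd1", "deployer": TEAM, "events": events,
            "storage": {IMPL_SLOT: "0x" + impl[2:].rjust(64, "0")}}

ATOMIC = sample("0xd1", TEAM, GOOD_IMPL)      # deployed and initialised together
HIJACKED = sample("0xe2", OTHER, ROGUE_IMPL)  # someone else initialised first
PENDING = sample(None, None, GOOD_IMPL)       # deployed, never initialised

if __name__ == "__main__":
    for name, p in [("atomic", ATOMIC), ("hijacked", HIJACKED), ("pending", PENDING)]:
        print(name, audit_proxy(p, [GOOD_IMPL]))
```

Deploying and initialising the proxy in a single transaction is what makes the first two findings impossible, since no window is left for another caller to reach the initializer.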
Millions Saved in the Nick of Time
Deeberiroz revealed that several DeFi protocols were able to secure hundreds of thousands of dollars’ worth of assets before the attacker could act. Dadosh estimated that tens of millions of dollars were potentially at risk. “Even scarier is if this could have kept growing, and a larger portion of the overall total value locked held by the protocols involved could have been threatened,” he added.

Berachain Responds Swiftly
Among the affected protocols was Berachain, which responded by immediately pausing its vulnerable contract. The Berachain Foundation stated on X that no user funds were lost and that incentives would be available again within 24 hours, once new Merkle trees for distribution were generated.
“Incentives will be claimable again within the next 24 hours as merkles for distribution are recreated,” the Foundation confirmed. Funds were safely transferred to a new contract to prevent any potential misuse.
Lazarus Group Suspected Behind Attack
Venn Network security researcher David Benchimol suspects that the infamous North Korean state-backed Lazarus Group may be linked to the exploit. “The attack vector was very sophisticated and deployed on every EVM chain,” he noted, suggesting the scale and complexity pointed to an organised operation.
Benchimol added that the attacker seemed to be biding their time, possibly waiting for a larger target to strike. Despite the strong suspicions, there is currently no definitive proof confirming Lazarus Group’s involvement.
The successful neutralisation of this major threat has highlighted both the growing sophistication of crypto attacks and the importance of rapid collaboration within the security community. As the DeFi sector continues to expand, safeguarding its infrastructure remains a critical priority.