Meowverse

121 posts

@Me0wverse

Jumping nad Now on @monad_xyz

Joined February 2025
7 Following 49 Followers
Meowverse retweeted
Sisi
Sisi@sisihacks·
SECURITY WITH SISI: November Hack Breakdown

November closed with $127M confirmed losses and closer to $240/250M when small/underreported incidents are included. It made one thing brutally clear: Web3 breaks at the seams where DeFi, centralized infra, keys, governance and humans intersect.

Major Incidents

◈ Balancer V2 $113M Exploit
Vector: Composable pool invariant failure
A subtle rounding bug inside Balancer’s composable pool logic allowed attackers to distort pool balances and drain liquidity across multiple integrated protocols. Because these pools were deeply wired into other protocols, the exploit cascaded across chains. A tiny math error escalated into multiprotocol contagion.
Recovery: $45M frozen across cooperating protocols, remainder laundered via bridges/mixers.

◈ Stream Finance $93M Loss
Vector: Off-chain fund manager failure
Stream relied on an external asset manager controlling large off-chain collateral. A massive loss hit the manager, wiping the backing of xUSD/xBTC/xETH. Centralized fund management undermined decentralized guarantees.
Recovery: Legal & forensic investigation; withdrawals still restricted.

◈ Upbit $30/36M Hot Wallet Compromise
Vector: Private key inference / infrastructure-level key leak
Abnormal SOL outflows from Upbit’s wallets triggered an emergency freeze. Investigators claim the attacker reconstructed the hot wallet key by exploiting a "private key inference vulnerability" in Upbit’s internal infrastructure, meaning the flaw was likely inside the signing system, not user accounts.
Funds flowed exactly like a Lazarus op:
• SOL → USDC
• USDC → ETH
• ETH bridged + mixed
Same chain path as the 2019 Upbit hack.
What’s interesting is that the hack happened exactly during Upbit parent Dunamu’s $10B acquisition by Naver Corp. The exchange’s explanation is still unusually vague. Could be Lazarus or an insider disguising as Lazarus.
Recovery: Remaining funds moved to cold storage; full reimbursement promised. Investigation ongoing.

◈ GANA Payment $3.1M Drained
Vector: Admin key compromise and delegator misuse
A hacker gained access to an admin key and abused an EIP-7702 style delegation contract to drain assets. They bridged stolen ETH + BNB to Ethereum, then laundered through Tornado Cash.
Recovery: None. Team announced they will “relaunch.”

◈ Beets $3.8M Exploit
Vector: Smart contract vulnerability
A protocol-level flaw in Beets allowed hackers to manipulate pool logic and extract value. Not a wallet drain, not phishing, classic contract failure.
Recovery: No confirmed freezes or clawbacks announced yet.

User-side losses

Over $33M in November came from: seed phrase theft, clipboard malware, wallet drainer approvals, “delegation” phishing, fake support staff, malicious extensions, old keys reused across wallets.
Hackers increasingly target individuals because:
• One whale is 8/9 figure jackpot
• OPSEC is weak
• Hardware wallet usage is still not default
• New wallet drainers are 1 click silent approvals
User mistakes remain one of the largest attack vectors in Web3.

Hack Pattern Analysis: What changed this month?

◈ DeFi composability remains a multiplier for failure: one small bug → dozens of pools → multiple chains → 9 figure loss.
◈ Off-chain operations are now a systemic onchain risk.
◈ Stream Finance proves that you can follow every smart contract rule and still lose everything if your centralized partner blows up; centralized infra is still the weakest keyholder.
◈ Upbit’s private key leakage shows CEXes remain the #1 institutional attack surface.
◈ Admin/privilege misuse is still the fastest way to zero. GANA’s exploit required no clever math, just an overpowered admin key.
◈ Wallet hygiene is still collapsing. Despite better tools, user losses remain massive and steady.

Security Tips

For users: Use hardware wallets, keep hot wallet risk minimal, assume all support DMs are scams, never reuse keys and never store seed phrases on devices.
For teams: Use timelocks & multisig/MPC, remove unnecessary emergency powers, audit both code and operations, rotate keys, isolate environments and expect attackers to target governance and key control.
For the ecosystem: Enforce transparent recovery/freeze reporting, build shared cross-chain forensics and standardized admin privilege disclosures.

If you’re building in web3, secure the keys, secure the people, secure the processes before securing the code.
Sisi@sisihacks

SECURITY WITH SISI: September hacks breakdown

September wasn’t loud, and hackers stopped chasing big TVLs and started exploiting old keys, bad governance, dusty contracts and oracle mistakes instead.

◈ Total Losses: $98.7M
Recovery: <12% (one of the lowest this year)

Big Hits:
◈ UXLINK: $11.3M drain and 2B tokens minted after a governance takeover
◈ Gravita: $54M from a single mispriced oracle
◈ KiloEx: $14.8M from signature replay
◈ StellaSwap: $10.5M after deployer key compromise
◈ NestFi: $7.1M from oracle index drift

This month exposed:
◈ Governance is now attack surface
◈ Replay attacks are back full time
◈ Oracles still wreck protocols overnight
◈ Old keys are ticking time bombs
◈ Long tail risk is killing teams silently

Web3 isn’t being hacked in new ways, it's being hacked through everything they forgot to secure.

Full breakdown on Medium here 👇 medium.com/@sisipepper/september-hack-analysis-overview-e95b18b177ed

Meowverse retweeted
Sisi
Sisi@sisihacks·
Gm frens. T-7 hours until the new Security With Sisi monthly hack breakdown drops, followed by an investigative topic on the Upbit hack. Was it really the Lazarus Group, an insider… or do we have a very convincing copycat on our hands? Here's a flower for making it through half of the week.
Sisi@sisihacks

Gm web3. Another day reminding you to read some of the Security With Sisi write-ups. You might need the security tips more than you think. November hack analysis drops tomorrow, not many hacks but there was still some major damage and Lazarus team strikes again, even though something is still not adding up imo. Have a good day 💜

Meowverse retweeted
Sisi
Sisi@sisihacks·
Gm, happy new month... Coming up today on Security With Sisi is: The Scam That Outran the Courts: How Libra Returned Stronger After Its Asset Unfreeze. Yes, the same Libra wallets that rugged millions earlier this year just woke up after 9 months of silence and rotated $61.5M into $Sol like nothing happened. Stay tuned 👀, in the meantime check out last week's SWS topic. You need to read it. Stay safu and have a profitable week.
Sisi@sisihacks

Gm It's finally sisi fooling hour, let's get it.

Meowverse
Meowverse@Me0wverse·
@sisihacks Not really, dev refuses to fix backend issue before mainnet
Sisi
Sisi@sisihacks·
@Me0wverse Gmeow intern You are back?
Sisi
Sisi@sisihacks·
Gm Have you read this week's topic of security with sisi yet? Get to it if you haven't 😒
Meowverse
Meowverse@Me0wverse·
Happy Sunday guys... Next week will be interesting
Monad
Monad@monad·
any minute now
Meowverse
Meowverse@Me0wverse·
MEOW 💜🐱
Meowverse
Meowverse@Me0wverse·
@literal_fck Failed exam, had to retake it. Boss wasn't happy giving me this job back. I missed you retards
Meowverse retweeted
Sisi
Sisi@sisihacks·
Took a lil break from giving updates on my buildings, but I'll be back next week.
@Me0wverse is ready
The phishing tool is almost done
The Warpcast app is ready for some testing
Which one are you excited for?
Sisi
Sisi@sisihacks·
Gmonad
Sisi
Sisi@sisihacks·
Gm web3 Another week to make some shmoney, get opportunities, be a believer or a hater and everything in between.