vulnerabilities

The Donjon research team at Ledger demonstrated that electromagnetic fault injection (EMFI) can completely compromise a commonly used MediaTek smartphone chip, which is utilized in many Android phone models. The issue requires attackers to have physical access to the device, but it highlights the risks faced by users storing private keys on smartphones.Ledger stated that its team studied the MediaTek Dimensity 7300 (MT6878) chip produced by TSMC. Researchers used EMFI tools to disrupt the chip's boot read-only memory (boot ROM), successfully bypassing core security checks and gaining full control of the chip, allowing it to run arbitrary code at the highest privilege level (EL3). Ledger emphasized that this finding does not affect Ledger hardware wallets.Ledger disclosed this vulnerability to MediaTek in May. MediaTek responded that EMFI attacks are beyond the security scope of the MT6878 chip, which is designed for consumer products rather than financial or hardware security module applications. Additionally, MediaTek stated that devices with higher security requirements, such as cryptographic hardware wallets, should include specialized defensive measures.At the time of the report's release, physical attack incidents targeting cryptocurrency users were on the rise.

According to the cutting-edge red team test results released by Anthropic, AI agents identified multiple smart contract vulnerabilities in a simulated blockchain environment, with a potential exploit amount of up to $4.6 million.The tests covered the complete process of contract analysis, command line tool configuration, network reconstruction, exploit generation, and validation, and introduced a new benchmark for smart contract security assessment. This research was jointly completed by Anthropic, the MATS project, and the Fellows program.

According to the Nikkei News, the Financial Services Agency of Japan will require cryptocurrency exchanges to establish a reserve fund to compensate users for losses in the event of a hacking attack or security breach.

According to Cointelegraph, the Cardano network experienced a temporary chain split due to a "format error" in a delegated transaction. This type of delegated transaction refers to transactions that delegate ADA to a staking pool, which, while valid at the protocol level, can lead to code failures that affect network functionality.According to an incident report released by the Cardano ecosystem organization Intersect, this "format error" transaction exploited an old code vulnerability in the underlying software library of the Cardano blockchain, causing nodes to have discrepancies in how they processed the transaction, ultimately resulting in a network split. The vulnerability was caused by an ADA staking pool operator named Homer J, who used AI-generated code to facilitate the transaction and has admitted responsibility for the network split.Staking pool operators were urged to download the latest version of the node software to fix the issue and to reintegrate the split chains into a single complete blockchain. This temporary split sparked debate within the Cardano community, with some arguing that Homer J's actions helped expose critical vulnerabilities, while others, including Cardano founder Charles Hoskinson, labeled it an attack on the Cardano network, prompting an investigation by the FBI.One user quipped, "No one noticed the network partition of Cardano because no one is using it."

According to Cointelegraph, Bitcoin Core has passed its first third-party security audit, confirming that the software securing the Bitcoin network is highly mature, with no serious vulnerabilities found.The audit was conducted by the French security company Quarkslab, commissioned by the Open Source Technology Improvement Fund (OSTIF) and implemented on behalf of the Bitcoin Core development funding organization Brink. During the 104-day audit period from May to September, the reviewers assessed the most sensitive components of the project, with particular attention to the P2P layer and block validation logic. The report noted that despite the large size of the Bitcoin Core codebase, which contains over 200,000 lines of C++ code and more than 1,200 deployed test cases, the auditors assessed it as "the most mature and well-tested." The team found no high or medium severity vulnerabilities, only two low severity issues, along with a series of recommendations for improvements mainly related to fuzz testing tools and test coverage. These findings did not impact the consensus mechanism, denial-of-service resistance, or transaction validation.

The Slow Mist security team recently analyzed the open-source automated futures trading system NOFX AI based on DeepSeek/Qwen and discovered multiple serious authentication vulnerabilities. They pointed out that the system has a "zero authentication" mode under default configuration, with administrator mode directly enabled, allowing all requests to pass without verification. Attackers can access /api/exchanges and obtain complete API keys and private keys. Although JWT has been added in the "authorization required" mode, the default jwt_secret still exists, and if the environment variable is not set, it will revert to the default key. Furthermore, in this mode, sensitive fields are still output in raw JSON, meaning that if the token is forged or stolen, it can also lead to key leakage.Slow Mist stated that as of now, they have identified over a thousand publicly deployed instances using vulnerable configurations and have coordinated with the security teams of Binance and OKX to complete the relevant credential replacements. The team urges all users to upgrade their systems immediately, especially those running robots on Aster or Hyperliquid should check their settings as soon as possible.

Berachain announced that all funds lost due to the BEX / Balancer v2 vulnerability (approximately $12.8 million) have been returned to the Berachain Foundation Deployer address. The blockchain has resumed operation.The minting/redeeming function of HONEY has also been restored accordingly, but all BEX functions are restricted, including redemption, withdrawal, and deposits. For those with large pools of stolen funds from independent depositors, the Berachain core team is currently developing a system that will return deposits to their original addresses and allocate them to users accordingly. The team reminds that users with deposits in BEX that have not been attacked are temporarily unable to withdraw. This is out of caution, as the cause of the Balancer vulnerability has not yet been fully determined.

According to Jin Ten, Federal Reserve official Daly stated that, given the softening labor market, spending data currently faces more vulnerabilities.

The Berachain Foundation stated, "The validator nodes have coordinated to pause the Berachain network to allow the core team to execute an emergency hard fork to address the vulnerability issues related to Balancer V2 on BEX. This network pause is planned, and the network will resume operation shortly."

Balancer tweeted, "We have noticed that there may be vulnerabilities in the Balancer v2 pools. Our engineering and security teams are prioritizing the investigation. We will share verified updates and next steps as soon as we have more information."

The DeFi protocol Balancer is currently under attack, with losses exceeding $116.6 million across multiple chains, and the attack on Balancer is still ongoing.According to the on-chain AI analysis tool CoinBob, the historical security incidents of Balancer are as follows:June 2020 Flash Loan Attack: Attackers exploited a compatibility issue between the deflationary token (STA/STONK) and Balancer's smart contracts, repeatedly calling swapExactAmountIn to drain the liquidity pool, ultimately profiting $523,600.August 2023 V2 Pool Vulnerability: The Balancer V2 pool suffered multiple flash loan attacks due to a code vulnerability, with total losses reaching $2.1 million. The team urgently paused the affected pools and advised users to withdraw their funds, but some funds that were not withdrawn in time were still exploited.September 2023 Frontend Hijacking Attack: Hackers gained control of Balancer's frontend through BGP/DNS hijacking, tricking users into authorizing malicious contracts, resulting in a loss of $238,000. On-chain detective ZachXBT traced the funds to address 0x645710Af050E26bB96e295bdfB75B4a878088d7E.2023 Euler Incident Impact: Due to a vulnerability in Euler Finance, Balancer's bbeUSD pool suffered a loss of $11.9 million, accounting for 65% of the pool's TVL. The team took protective measures to limit liquidity withdrawals.2024 Velocore Attack Association: The Velocore vulnerability exploited Balancer-style CPMM pools, resulting in a loss of $6.8 million. Balancer's technical architecture was indirectly implicated due to cross-protocol integration.

ChainCatcher message, the Bitcoin bridging protocol Garden Finance announced on platform X that a certain "solver" has been found to have a security vulnerability. To conduct a security investigation, the APP functionality has been temporarily taken offline. The impact is limited to the solver itself, and user funds and the protocol will not face any risks. More information will be disclosed as soon as possible.Previously, "on-chain detective" ZachXBT revealed in a post on his personal channel that Garden Finance allegedly suffered losses exceeding $5.5 million due to an attack. Their team has sent an on-chain message to the attacker, offering a 10% white hat bounty, but has not yet publicly commented on the matter.

ChainCatcher news, according to BlockSec Phalcon, their system detected multiple suspicious transactions targeting two unknown contracts on Ethereum, resulting in a loss of approximately $120,000. The attacker exploited the lack of access control in the key functions approveERC20 and withdrawAll of the victim contracts, successfully extracting tokens from within the contracts. These victim contracts are not open source and were deployed by the same address.

ChainCatcher message, Hyperdrive clarified in a post on platform X that the thBILL itself does not have vulnerabilities, but rather two wallet positions using Theo's thBILL as collateral in the Hyperdrive Treasury Market appear to have been attacked, and the investigation is ongoing.

ChainCatcher news, according to Jinshi reports, Federal Reserve Chairman Powell stated that he has not seen any increasing structural vulnerabilities in the financial system.

ChainCatcher news, according to The Block, on-chain detective ZachXBT revealed that THORSwap has repeatedly issued bounty invitations to hackers who attacked a user's personal wallet in the past few days, with the victim possibly being THORChain founder John-Paul Thorbjornsen.Latest on-chain information on Friday indicated that returning THOR tokens would yield rewards, and no legal action would be taken if returned within 72 hours, along with provided contact information. PeckShield initially stated that the THORChain protocol was attacked, resulting in a loss of approximately $1.2 million, but later corrected it to indicate that a user's personal wallet was attacked. ZachXBT claimed that the wallet attacked was likely John-Paul Thorbjornsen's, from which $1.35 million was stolen by North Korean hackers on Tuesday.Thorbjornsen admitted that the attack originated from a fake Zoom link sent from a friend's hacked Telegram account. He stated that the emptied old MetaMask wallet was in another logged-out Chrome profile, with the keys stored in the iCloud Keychain, and that the attacker may have accessed it through a zero-day vulnerability, which reinforced his belief that threshold signature wallets are the only true means of protection.

ChainCatcher News: Recently, the Cybersecurity Threat and Vulnerability Information Sharing Platform (NVDB) of the Ministry of Industry and Information Technology detected a high-risk out-of-bounds write vulnerability in Apple's iOS/iPadOS/macOS, which has been exploited for cyber attacks.iOS/iPadOS/macOS is an operating system developed by Apple Inc. Due to an out-of-bounds write vulnerability in its ImageIO framework, processing malicious image files may lead to memory corruption.

ChainCatcher message, Lido has released a security disclosure on platform X: vulnerabilities related to Lido CSM and the permissionless validator contract used for validating validator withdrawals have been reported and fixed.The vulnerability was not exploited, and no CSM node operators were affected. stETH holders were also unaffected. As part of the fix, a vulnerability mitigation was implemented through an oracle solution (disabling the bond destruction feature) and DAO proposal 190 was voted on.Lido has paid a bounty to the white hat hacker who disclosed the issue through the Lido×Immunefi project.

ChainCatcher news, recently, it has been revealed that NVIDIA's computing chips have serious security issues. Previously, U.S. lawmakers called for advanced chips exported from the U.S. to be equipped with "tracking and positioning" features.Experts in the U.S. artificial intelligence field disclosed that NVIDIA's "tracking and positioning" and "remote shutdown" technologies for computing chips have matured. To maintain the network security and data security of Chinese users, in accordance with the relevant provisions of the Cybersecurity Law, Data Security Law, and Personal Information Protection Law, the National Internet Information Office interviewed NVIDIA on July 31, 2025, requesting the company to explain the security risks of backdoor vulnerabilities in the H20 computing chips sold to China and submit relevant proof materials. (Jinshi)

ChainCatcher news, Slow Mist founder Yu Xian stated that the attacker of the decentralized stablecoin protocol Resupply exploited an interest rate inflation vulnerability to steal assets. The attacker triggered price inflation by donating to the Controller contract of the new treasury, causing the exchangeRate to drop to 0, thereby bypassing collateral verification. Ultimately, the attacker was able to borrow a large amount of reUSD using only 1 wei of collateral. The hacker's funds have currently been converted to ETH, worth approximately over 9.5 million USD, and the hacker's Gas came from Tornado Cash.