A recent investigation into decentralized finance (DeFi) security led to the prevention of a large cryptocurrency theft amounting to over $10 million. Security experts discovered and eliminated a critical vulnerability that affected thousands of smart contracts within the DeFi ecosystem.
Dangerous Vulnerability in ERC-1967 Proxy Contracts
According to Venn Network researcher Deeberiroz, the threat had been undetected for several months and could have had catastrophic consequences. The vulnerability was linked to ERC-1967 proxy contracts, commonly used in smart contracts within DeFi protocols. These contracts allowed attackers to seize control of the contracts before they were fully configured. As a result, the attacker could gain access to and manipulate assets using these contracts without the knowledge of the owners.
Venn Network co-founder Or Dadoch explained that the vulnerability enabled hackers to inject malicious code during contract deployment, granting them hidden and persistent access to asset management. This threat was particularly dangerous for DeFi protocols, which often use proxy contracts for flexibility and updates.
Covert Operation to Protect Assets
Once the vulnerability was discovered on July 8th, a 36-hour emergency operation was immediately launched to eliminate the threat. Several teams, including Pcaversaccio, Dedaub, and Seal 911, participated in the operation, working behind the scenes to prevent asset loss and minimize risks.
The operation was conducted in strict secrecy to avoid alerting the attacker. All efforts were focused on quickly identifying and neutralizing the vulnerable contracts. Experts conducted a detailed assessment of the affected smart contracts to ensure that the attacker had no opportunity to withdraw funds before the operation was completed.
Or Dadoch noted, “We discovered that tens of millions of dollars were at risk. What is frightening is that the damage could have been much larger if the vulnerability had been exploited to steal a significant portion of the funds locked in the protocols.”
Secured Assets and User Protection Maintained
After the vulnerable contract was suspended, funds were immediately transferred to a new, secure contract. This measure prevented any loss of funds, and project representatives confirmed that users’ assets were not harmed. The security team also performed additional tests and updates to ensure that the new contracts were free from similar vulnerabilities.
Suspicion of Lazarus Group Involvement
David Benchimol, a researcher at Venn Network, suggested that the attack could be linked to the notorious North Korean hacking group, Lazarus Group. He pointed out that the attack was highly sophisticated and was used across all EVM-compatible networks, indicating a high level of preparation and resources. Benchimol also emphasized that the attacker may have been waiting for a larger target, indicating an organized group, although there is no direct evidence connecting Lazarus Group to the attack.
It is important to note that in June 2025, BitMEX disclosed operational security vulnerabilities related to Lazarus, which adds weight to the assumption that the group may be connected to attacks on DeFi protocols.
Conclusion
This incident demonstrated the importance of rapid response to threats within the DeFi ecosystem. Despite the complexity of the attack, the security team was able to quickly identify the vulnerability and prevent the theft of significant funds. This event underscores the need for continuous monitoring and auditing of smart contracts’ security and highlights the importance of collaboration among security experts to protect the DeFi ecosystem from similar threats.
