Extropy Security Bytes: w10 2025

Welcome to this week’s edition of Extropy Security Bytes, where we break down the latest security incidents, exploits, and vulnerabilities in the crypto and Web3 space. From classic reentrancy attacks to mysterious exchange disappearances and critical cryptographic flaws, the past week has been a stark reminder that security remains an ever-evolving battlefield. In this issue, we dissect high-profile hacks, uncover suspicious activity in centralized exchanges, and explore how AI security regulations could shape the future of Web3. Stay informed, stay vigilant, and let’s dive into the latest developments.

Hegic Finance

Hegic Finance was hacked for 0.8275 wBTC. The vulnerability was a classic reentrancy attack.

The root cause was that the developer forgot to subtract the “t.share” value, so a user could withdraw funds from the contract multiple times.

Xeggex

Xeggex, an altcoin exchange known for low fees, easy listings, and no KYC, experienced a security incident where it vanished overnight, with some funds potentially misappropriated. The exchange claimed its CEO account was hacked and the database corrupted, leading to user access loss. Millions in altcoins remained inaccessible in wallets connected to the exchange.

Technical Details:

Initial Incident: Xeggex went offline shortly after a significant market dump in February.

Suspicious Activity: On-chain analysts at Bitrace detected suspicious movements from Xeggex’s hot wallets before the “hack” announcement.

Wallet Movements: Transfers were observed moving from a Xeggex hot wallet (0x20FfE0D07D7f7c2C21A24537538b4cDE06c9048a) before the exchange went dark. Arkham Intel data indicated a substantial drop in token balances around the time of the incident.

Recovery Attempts: Xeggex claimed to be restoring from a new database server but reported missing email addresses. Logins were partially restored, but trading and withdrawals remained disabled for a period.

Phantom Assets: The exchange introduced USDTXX, BTCXX, and ETHXX, which are digital IOUs that users could not withdraw or trade. These tokens existed only within Xeggex’s internal database and promised an interest rate, to be replaced with actual assets as funds were raised.

Access Control: The exchange quietly updated its code to block U.S.-based customers.

Community Response: The cryptocurrency community initiated investigations, sharing evidence and theories on Reddit, Discord, and Twitter. A Change.org petition was created to demand investigation by authorities.

Key Observations:

  • Transparency concerns: Xeggex’s communications were reported to be vague and delayed.
  • Unclear Explanations: The exchange’s reasons for the incident were reported to have been met with scepticism since expert advice was dismissed.
  • Similar Incident Patterns: The event shared similarities with other exchange collapses, including identical crisis playbooks.

Potential Exploit Type: While the exact nature of the exploit remains unclear, there have been reports of a possible coordinated exit scam, with potential hot wallet compromise and database manipulation.

Time.fun: Whitehat Finds Vulnerability

Time.fun, a platform providing dedicated wallets for users to deposit USDC for trading, suffered from a critical vulnerability. This flaw allowed an attacker to steal trading fees and modify metadata of tokens launched on the platform. A whitehat hacker discovered and exploited this vulnerability, later returning the funds after the issue was resolved.

Technical Details:

Dedicated Wallets: Time.fun provided each user with a dedicated wallet for USDC deposits, with private keys securely stored by a third-party provider.

Gas Fees and SOL Requirement: Since SOL was needed for gas fees, Time.fun implemented a system where the wallet “HW2C…Lo1H” signed every trade transaction alongside the user’s wallet signature to ensure seamless user interaction.

Vulnerability: The wallet “HW2C…Lo1H” owned all tokens launched by Time.fun, meaning that if arbitrary data could be signed on behalf of this wallet, malicious actions could be performed.

Exploit: By forging a token, an attacker could trick the backend into signing a malicious transaction. This allowed for the alteration of metadata (e.g., changing “toly’s minute” to “vitalik’s minute”) and withdrawal of funds from the “HW2C…Lo1H” wallet.

Whitehat Hack and Resolution: A whitehat hacker discovered the vulnerability and exploited it to highlight the issue. They contacted the Time.fun team and returned all funds after the vulnerability was quickly fixed.

Key Observations:

Backend Signing Risk: The incident underscored the risk of backends signing transactions originating from the frontend, regardless of validation or simulation checks.

1inch Fusion V1 Vulnerability

A vulnerability was discovered in the parser smart contract implemented with the outdated Fusion v1 by the 1inch team. This vulnerability did not directly affect the security of end-user funds but could impact those who use the parser in their own contracts with Fusion v1. An exploit of the vulnerability led to a loss of approximately $1 million.

Summary

Vulnerability Discovery: The 1inch team discovered the vulnerability in the Fusion v1 parser on March 5.

Impact: Although user funds were secure, the vulnerability impacted parsers using Fusion v1 in their own contracts.

1inch’s Response: 1inch actively collaborated with the affected parsers to ensure their systems were secure. The 1inch team urged all parsers to immediately audit and update their contracts.

Loss: SlowMist detected suspicious transactions related to 1inch on March 5, resulting in a loss of approximately $1 million.

Private Key Leakage in ECDSA Signatures

A critical security vulnerability (GHSA-vjh7-7g9h-fjfh) has been discovered in the widely used JavaScript elliptic encryption library. By crafting specific inputs, attackers can extract private keys and gain control over digital assets or identity credentials. The vulnerability stems from flawed handling of non-standard inputs, leading to repeated random numbers (k) in ECDSA signatures, which compromises the security of the ECDSA algorithm.

Technical Details:

Vulnerability Cause: The vulnerability arises from the elliptic library’s flawed handling of non-standard inputs, which can lead to the repetition of the random number ‘k’ in ECDSA signatures.

ECDSA Algorithm Dependency: The security of the ECDSA algorithm heavily relies on the uniqueness of ‘k’. If ‘k’ is reused, the private key can be directly derived.

Affected Library: The vulnerability is present in the elliptic library, a widely used elliptic curve cryptography (ECC) library in the JavaScript ecosystem. It supports multiple curves, including secp256k1 and ed25519, and is used in cryptocurrency wallets, identity authentication systems, and Web3 applications.

Affected Versions: elliptic <= 6.6.0

Affected Curves: secp256k1, ed25519, etc.

Impact Scenario: Any application performing ECDSA signatures using externally provided input, especially systems accepting unfiltered user input for signing, is vulnerable.

Vulnerability Mechanism:

The elliptic library uses HMAC_DRBG (a deterministic random number generator) to ensure the uniqueness of k. HMAC_DRBG’s input parameters include entropy (derived from the private key) and a nonce (computed from the message).

The same entropy and nonce will yield the same k. Therefore, if the nonce is identical across different signatures, k will be reused, leading to private key leakage.

The vulnerability is caused by converting msg into a BN (Big Number) and then deriving the nonce from it, which leads to nonce reuse.

Remediation Recommendations:

  • Upgrade elliptic to version 6.6.1+.
  • Avoid signing unverified messages directly and ensure msg is properly standardised.
  • Replace potentially compromised private keys.
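
The last two recommendations can be turned into checks. The following is an added example, not code from elliptic or from the advisory: `requireDigest`, `canonHex`, `findNonceReuse` and the sample log are hypothetical names and constructed data, and the 32-byte digest length is an assumption (a SHA-256 digest signed on secp256k1). It rejects anything other than a fixed-length byte digest before signing, and audits past signatures for a repeated r under one key, which is how k reuse shows up in stored signatures.

```javascript
// Added example: all names and sample data are constructed for illustration.

// Accept only a fixed-length byte digest as the value to sign. Strings,
// plain arrays, numbers and BN-like objects are rejected, so the signing
// library never has to guess how to convert them.
function requireDigest(msg, expectedLen = 32) { // 32 bytes is an assumption
  if (!(msg instanceof Uint8Array)) {
    throw new TypeError('message must be a Uint8Array/Buffer digest');
  }
  if (msg.length !== expectedLen) {
    throw new RangeError(`digest must be exactly ${expectedLen} bytes`);
  }
  return msg;
}

// Normalise a hex field so "0x00AB" and "ab" compare equal.
function canonHex(h) {
  const s = String(h).toLowerCase().replace(/^0x/, '').replace(/^0+/, '');
  return s === '' ? '0' : s;
}

// Flag every (pubkey, r) pair seen with more than one distinct digest.
// r is the x-coordinate of k*G, so a repeated r under one key on different
// digests means k was reused and that key should be rotated.
function findNonceReuse(records) {
  const groups = new Map();
  for (const { pubkey, r, digest } of records) {
    const key = `${canonHex(pubkey)}:${canonHex(r)}`;
    if (!groups.has(key)) groups.set(key, { pubkey, r, digests: new Set() });
    groups.get(key).digests.add(canonHex(digest));
  }
  return [...groups.values()]
    .filter((g) => g.digests.size > 1)
    .map((g) => ({ pubkey: g.pubkey, r: g.r, count: g.digests.size }));
}

// Constructed sample log of signatures (shortened hex, not real keys).
const sampleLog = [
  { pubkey: '02aa11', r: '0x00c0ffee', digest: '1111' },
  { pubkey: '02aa11', r: 'C0FFEE', digest: '2222' }, // same r, new digest
  { pubkey: '02aa11', r: 'c0ffee', digest: '2222' }, // replay of the same sig
  { pubkey: '02aa11', r: 'deadbeef', digest: '3333' },
  { pubkey: '03bb22', r: 'c0ffee', digest: '4444' }, // different key, separate group
];

console.log(findNonceReuse(sampleLog));
```

A replayed signature (same r and same digest) is not flagged, because it does not expose a second equation in the same k.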

The UK’s AI Cyber Security Code of Practice

The UK’s AI Cyber Security Code of Practice is a significant development with potential implications for the world of agentic Web3. Here’s a breakdown of what it means and how it might help in the development and deployment of Web3 agents:

What is the Code of Practice?

Voluntary Framework: It’s a set of guidelines and best practices for mitigating security risks in AI systems throughout their lifecycle (design, development, deployment, maintenance, and end-of-life).

Focus on Cybersecurity: It addresses specific vulnerabilities in AI systems, such as data poisoning, adversarial attacks, and model exploitation.

13 Principles: It outlines 13 principles that organizations can adopt to enhance the security of their AI systems.

Implementation Guide: Provides practical advice on implementing the Code’s principles.

Global Standard: The UK aims to use this Code as the basis for a new global standard through the European Telecommunications Standards Institute (ETSI).

Implications for Agentic Web3:

  1. Increased Security Focus: The Code highlights the importance of security in AI, which is directly relevant to Web3 agents that often rely on AI for decision-making and automation.
  2. Emphasis on Secure Design and Development: Web3 agent developers will need to prioritize security from the initial design phase, incorporating security best practices and conducting thorough testing.
  3. Transparency and Explainability: The Code emphasizes the need for transparency in AI systems, which could lead to greater scrutiny of Web3 agents and their decision-making processes.
  4. Vulnerability Disclosure: The Code encourages the establishment of Vulnerability Disclosure Programs (VDPs) for AI systems, which could become a standard practice for Web3 agents as well.
  5. Third-Party Audits: The Code recommends involving independent security testers, suggesting that third-party audits of Web3 agents might become more common.
  6. Data Security and Privacy: The Code addresses data security and privacy concerns, which are crucial for Web3 agents that often handle sensitive user data.
  7. Regulation and Compliance: While the Code is currently voluntary, it could pave the way for future regulations around AI security, potentially impacting how Web3 agents are developed and deployed.

How Web3 Agent Developers Can Adapt:

  • Adopt Secure Development Practices: Integrate security considerations into every stage of the agent development lifecycle.
  • Conduct Thorough Testing: Perform rigorous testing, including adversarial testing and penetration testing, to identify and address vulnerabilities.
  • Prioritize Transparency: Design agents with transparency in mind, enabling users to understand how decisions are made.
  • Establish Vulnerability Disclosure Programs: Create VDPs to encourage responsible reporting of security flaws.
  • Embrace Third-Party Audits: Consider engaging independent security experts to conduct audits of your agents.
  • Stay Informed: Keep up-to-date with the latest developments in AI security and regulations.

Potential Benefits:

  • Increased Trust and Adoption: By adhering to the Code’s principles, Web3 agent developers can build trust with users and foster greater adoption of their technologies.
  • Reduced Security Risks: A stronger focus on security can help mitigate risks and protect users from potential harm.
  • Improved Resilience: Securely designed agents will be more resilient to attacks and disruptions.

Challenges:

  • Complexity: Implementing some of the Code’s principles might add complexity to agent development.
  • Balancing Security and Functionality: Finding the right balance between security and functionality will be crucial.
  • Evolving Landscape: The AI security landscape is constantly evolving, requiring ongoing adaptation and learning.

The UK’s AI Cyber Security Code of Practice is a positive step towards creating a more secure and trustworthy environment for AI technologies, including Web3 agents. By proactively addressing security concerns, developers can build innovative and responsible solutions that benefit users and contribute to the growth of the decentralized web.

The world of crypto and Web3 security never sleeps, and each new incident offers a valuable lesson for developers, traders, and users alike. Whether it’s a vulnerability in widely used cryptographic libraries or questionable activity from centralized platforms, awareness and proactive security measures are our best defenses. As the UK’s AI Cyber Security Code of Practice signals a shift toward more structured security guidelines in AI development, it’s clear that the industry must continue evolving to mitigate risks. Stay tuned for more updates, and as always — verify, audit, and never take security for granted.

About Extropy

Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.

We specialize in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.

- Website: security.extropy.io

- Email: [email protected]

Get in touch today — let’s build safer smart contracts together!

