- Researchers have discovered a backdoor in thousands of DeFi smart contracts
- The backdoor gives malicious actors unhindered access to the contracts
- Researchers presume the backdoor was left by North Korean threat actors like Lazarus
Researchers have discovered a backdoor that gives malicious actors unhindered access to thousands of DeFi smart contracts. The secret access is thought to have been left by North Korean threat actors like Lazarus. According to researchers at Venn Network, threat actors could have used the backdoor to siphon more than $10 million from compromised projects, indicating the need to thoroughly audit smart contract code.
DeFi Platforms “At Risk for Months”
In an X post shared by Venn Network pseudonymous researcher Deeberiroz, the researcher said the backdoor put DeFi platforms “at risk for months,” an indication of “how a sophisticated attacker […] put backdoors in thousands of contracts and almost got away with it.”
We @VennBuild just discovered a critical backdoor on thousands of smart contracts leaving over $10,000,000 at risk for months
Along with the help of security researchers @dedaub @pcaversaccio, the seals team @seal_911 and others, we managed to rescue the majority of funds…
— deebeez (@deeberiroz) July 9, 2025
The researcher disclosed that the backdoor was discovered after Venn Network researchers “spotted anomalous transactions” in which attackers exploited uninitialized ERC-1967 proxy contracts, allowing them to front-run deployers and spoof Etherscan’s user interface “with fake upgrade events.”
Deeberiroz noted that the backdoor could not be removed: attempts to fix it simply reset the malicious contract. He added that the researchers were able to secure major DeFi platforms, and that some of the affected protocols opted to withdraw funds while others reconfigured their contracts.
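The defensive pattern that closes the deploy-then-initialize gap described above, as an added example that is not from Venn Network or any affected project: a minimal ERC-1967 proxy whose constructor writes the implementation and admin slots and delegatecalls the initializer in the same transaction, so no third party can claim a freshly deployed proxy. The `Vault` logic contract, `AtomicProxy` and all other names are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/// Constructed logic contract. The `initialized` guard makes initialize()
/// single-shot; without it, anyone may call it on a freshly deployed proxy.
contract Vault {
    bool private initialized;
    address public owner;

    function initialize(address owner_) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = owner_;
    }
}

/// Minimal ERC-1967 proxy that initializes atomically: implementation and
/// admin are written, the Upgraded event is emitted and initialize() is
/// delegatecalled inside the constructor, so there is no deployed-but-
/// uninitialized state for a front-runner to claim.
contract AtomicProxy {
    // bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 private constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    // bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1)
    bytes32 private constant ADMIN_SLOT =
        0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;
    event Upgraded(address indexed implementation);

    constructor(address impl, address admin, bytes memory initData) {
        require(impl.code.length > 0, "impl is not a contract");
        require(initData.length > 0, "refuse to deploy uninitialized");
        assembly {
            sstore(IMPL_SLOT, impl)
            sstore(ADMIN_SLOT, admin)
        }
        emit Upgraded(impl);
        // Run the initializer in the deployment transaction itself.
        (bool ok, ) = impl.delegatecall(initData);
        require(ok, "initialization failed");
    }

    fallback() external payable {
        assembly {
            let impl := sload(IMPL_SLOT)
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok case 0 { revert(0, returndatasize()) } default { return(0, returndatasize()) }
        }
    }
}
```

Because explorers infer a proxy's implementation from the `Upgraded` event, an audit should read `IMPL_SLOT` and `ADMIN_SLOT` directly (for example via `eth_getStorageAt`) and confirm the initializer has already run, rather than trusting the event log alone.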
Waiting for a Bigger Target
According to the researcher, the hackers hadn’t exploited the DeFi backdoor because they may have been lying in wait “for a bigger target [and] not small wins,” adding that the researchers worked stealthily “to avoid tipping [the hackers] off.” Some of the affected protocols include Berachain, which paused affected contracts and transferred funds to a new contract.
Bm beras,
Earlier today, a potential vulnerability in the PoL Incentive Claim contract was identified.
In response, incentive claims and the contract were paused, funds were withdrawn from the contract, and will be migrated into the new one shortly.
✅ No user funds are at…
— Berachain Foundation 🐻⛓ (@berachain) July 9, 2025
The backdoor in thousands of DeFi smart contracts adds to the many techniques threat actors use to steal crypto, among them selling compromised smartphones, spoofing popular crypto websites, and creating fake web3 firms.
Although the DeFi backdoor has been discovered, hackers will likely still use it to steal funds from projects that are late in fixing the vulnerability.