Security pros run a 36-hour war room to close a critical DeFi backdoor, likely installed by North Korean hackers


Security researchers said they've closed a critical backdoor on "thousands" of smart contracts before a threat actor managed to hit a large target.


Deebeez, a security researcher at Venn Network, a developer of a decentralized firewall, said the North Korea state-sponsored hacker group Lazarus is suspected of planting the backdoor, which was spotted by Venn on July 8th due to anomalous transactions.

"Attackers exploited uninitialized ERC1967Proxy contracts (a common proxy standard), front-running deployers to set malicious implementations and spoofing [Etherscan’s, Ethereum's blockchain explorer] UI with fake upgrade events," Deebeez said.

According to him, it gave the hackers full control over the contract. Moreover, the analysis showed that it was "unremovable," as attempts to fix the issue only reset the malicious contract.
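The mechanics above (a proxy left uninitialized, its implementation slot front-run, and fake upgrade events feeding the explorer UI) suggest a simple defender's consistency check. The following is an added example, not code from Venn, Dedaub, SEAL 911 or the article; it assumes a proxy's storage word and logs have already been fetched, and every address and log in it is constructed sample data.

```python
# Offline check for one ERC1967 proxy: does the implementation address really held in the
# proxy's storage slot agree with (a) what the deployer intended and (b) what the last
# Upgraded(address) event shows, i.e. what an explorer UI would render?
# Addresses and logs are constructed; live values come from eth_getStorageAt / eth_getLogs.

# EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
# keccak256("Upgraded(address)"), the event signature explorers index for proxy upgrades
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
ZERO_ADDRESS = "0x" + "00" * 20

# Constructed sample addresses (hypothetical, not real deployments)
GOOD_IMPL = "0x" + "11" * 20
EVIL_IMPL = "0x" + "ee" * 20

def address_to_word(addr: str) -> str:
    """Left-pad a 20-byte address to the 32-byte form used by storage words and topics."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def word_to_address(word: str) -> str:
    """Decode a 32-byte storage word or log topic into a lowercase 20-byte address."""
    return "0x" + word[2:].lower().rjust(64, "0")[-40:]

def audit_proxy(expected_impl: str, slot_word: str, logs: list) -> list:
    """Return findings for one proxy; an empty list means slot, intent and events agree.
    slot_word is the value of eth_getStorageAt(proxy, IMPL_SLOT)."""
    findings = []
    actual = word_to_address(slot_word)
    if actual == ZERO_ADDRESS:
        # Deployed but never initialised: anyone can call initialize() before the deployer
        findings.append("UNINITIALIZED: implementation slot is empty")
    elif actual != expected_impl.lower():
        findings.append(f"HIJACKED: slot holds {actual}, deployer intended {expected_impl.lower()}")
    upgrades = [log for log in logs if log["topics"][0] == UPGRADED_TOPIC]
    if upgrades:
        shown = word_to_address(upgrades[-1]["topics"][1])
        if shown != actual:
            # The UI would display `shown`; the bytecode that actually runs is `actual`
            findings.append(f"SPOOFED_EVENT: last Upgraded event shows {shown}, slot holds {actual}")
    return findings

def run_samples() -> dict:
    """Three constructed states: healthy, never initialised, hijacked with a spoofed event."""
    honest_log = {"topics": [UPGRADED_TOPIC, address_to_word(GOOD_IMPL)]}
    return {
        "healthy": audit_proxy(GOOD_IMPL, address_to_word(GOOD_IMPL), [honest_log]),
        "uninitialized": audit_proxy(GOOD_IMPL, "0x" + "00" * 32, []),
        # Slot was front-run to EVIL_IMPL, but a fake event still advertises GOOD_IMPL
        "hijacked": audit_proxy(GOOD_IMPL, address_to_word(EVIL_IMPL), [honest_log]),
    }
```

Reading the slot directly, rather than trusting the explorer's event-derived view, is what distinguishes the spoofed case from a genuine upgrade.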


The researcher said that, together with another crypto security expert, @pcaversaccio, they ran "a 36-hour war room to save funds," working along with other researchers from the Dedaub and SEAL 911 teams.

"Some protocols reconfigured contracts, others upgraded to withdraw $100Ks safely. We secured major DeFi protocols and bridges before the hacker acted," Deebeez said, suggesting that the hackers waited for a bigger target before acting, while over $10 million was at risk for months.

Other developers also reported their experiences with this backdoor.


"The hacker injected their proxy contract as an implementation that does some nasty stuff before calling the actual implementation," Artem Chystiakov said, adding that the project he's working on got lucky that the attacker couldn't complete his injection in a single transaction.

Developers of another popular blockchain, Berachain, have also chimed in, saying that a potential vulnerability in one of their contracts was identified. The team paused both incentive claims and the contract, and also withdrew funds from it. No user funds were lost, they said.