BlockThreat Week 40 - $5M in Web3 Losses, Abracadabra Exploit, mining pool compromises resurface

The Week 40 BlockThreat newsletter tracks roughly $5M in crypto/Web3 losses across six incidents. A notable case is Abracadabra’s third exploit (~$1.8M), attributed to a simple logic flaw—an omitted else statement—creating an unwanted state. The issue reiterates the fragility of on-chain logic where small conditional errors can unlock significant value movement. The newsletter also revisits compromises at centralized mining pools, including $24M stolen from SBI Crypto identified a week later when laundering began—highlighting detection latency at large transfer hubs and echoing historical mega-thefts like the $3.5B Lubian miner hack that went unnoticed for years. Another case concerns a vulnerable 7702 smart wallet where an unprotected pancakeV3SwapCallback allowed arbitrary “repayment” calls, leading to a $300K drain on a USDT.C token. Collectively, these incidents reflect recurring patterns: insecure wallet callbacks, centralized pool opacity, and insufficient defensive coding standards. For enterprises interfacing with Web3—whether treasury exposure, loyalty tokens, or DeFi adjacency—these themes warrant rigorous code audits, counter-party risk assessment, and monitoring of liquidity/bridge flows that can signal ongoing exploitation.