How Bad Was November, Really?
November has flipped the 2025 security narrative on its head.
According to a new monthly threat report from blockchain security firm CertiK, crypto platforms lost an estimated $127 million in net terms to hacks, exploits and scams in November. That figure already assumes roughly $45 million was frozen or recovered after the fact, mainly from DeFi protocols and exchanges.
On a gross basis, the same dataset puts November’s losses at over $172 million, while other trackers such as PeckShield and Halborn tally a similar ballpark, in some cases closer to $175–$190 million when they include additional incidents and bad debt.
Either way, the direction of travel is clear:
- October was one of the quietest months of the year, with just ~$18 million in losses from hacks.
- November saw roughly a 10x jump, with more than 50 separate security incidents recorded.
DeFi platforms were hit hardest, with over $130 million in losses attributed to on-chain protocols, followed by centralised exchanges and a smaller set of bridge, meme and AI-related projects.
The Headline Incidents: Balancer And Upbit
Two names dominate November’s loss table: Balancer and Upbit.
Balancer: A Rounding Bug With Nine-Figure Consequences
Liquidity protocol Balancer suffered the largest single exploit of the month and one of the biggest DeFi hacks of the year.
Across multiple chains, an attacker exploited a combination of:
- A rounding error in Balancer v2’s Composable Stable Pools.
- Vulnerable access controls in the
manageUserBalancefunction. - The fact that many pools relied on a shared central contract and that other protocols had integrated Balancer liquidity under the hood.
By manipulating pool balances and prices, the attacker was able to drain roughly $120–$121 million in assets from Balancer-linked pools. The impact rippled out to connected ecosystems:
- Berachain’s BEX exchange lost over $12 million, though it later reported recovering most of those funds.
- Several smaller protocols and Balancer forks saw their own pools drained because they reused the same vulnerable logic.
Balancer has since paused affected pools, worked with auditors to patch the vulnerabilities, and proposed compensation plans for users. But the incident illustrates how a single bug in a widely reused DeFi building block can propagate through an entire ecosystem.
Upbit: A Hot Wallet Breach With Geopolitical Overtones
At the centralised-exchange level, South Korean platform Upbit was hit by a Solana hot wallet exploit late in the month.
Key facts from public statements and subsequent reporting:
- Attackers withdrew roughly 44.5 billion won (about $30–$37 million) in Solana-network assets from one of Upbit’s hot wallets.
- The exchange immediately froze deposits and withdrawals, moved remaining funds to cold storage, and pledged to fully reimburse all affected customers using its own reserves.
- South Korean authorities now suspect the attack was carried out by Lazarus Group, the North Korean state-linked hacking unit already blamed for several past crypto heists.
In follow-up updates, Upbit disclosed that it had identified and patched a critical flaw in its internal wallet system, underscoring how infrastructure issues – not just smart contract code – remain a major attack surface.
The “Quiet” Hacks That Filled Out The Month
While Balancer and Upbit grabbed headlines, a series of smaller but still meaningful incidents rounded out November’s losses. Security reviews from Halborn, CertiK and others highlight several notable cases:
- Hyperliquid (~$4.9M) – A trader allegedly engineered a price-manipulation attack around the POPCAT market, building large buy walls and then pulling them to trigger liquidations and leave the protocol’s insurance mechanism with bad debt.
- Berachain’s BEX (~$12M, mostly recovered) – The Balancer-related exploit drained funds from BEX’s pools, but the protocol coordinated with partners to recover a large portion of the stolen assets.
- Beets (~$3.8M) – Another DeFi protocol tied into Balancer’s tech stack that suffered seven-figure losses before patching and recovery efforts.
- GANA Payment (~$3.1M) – Attackers compromised a smart contract, altered reward parameters, and used the unstake function to siphon value via inflated rewards.
- Aerodrome Finance (> $1M) – Base’s largest DEX faced a DNS hijack that redirected users to a malicious front end where they were tricked into signing approvals that drained their wallets.
- Yearn Finance (~$9M) – A late-month incident involved an infinite-mint style exploit of yETH, with the attacker minting roughly $9 million in synthetic assets before being contained. Recovery efforts are ongoing.
These incidents rarely made front-page headlines, but together they contributed tens of millions of dollars to November’s loss totals and showed that the attack surface spans everything from protocol math to web infrastructure.
What Changed Versus October?
The mix of attack vectors also shifted sharply compared with the previous month.
In October, the dominant theme was a handful of bridge-related issues and social-engineering scams, with phishing accounting for a large slice of the modest $18 million in losses. November looked very different:
- Code vulnerabilities took the top spot, accounting for over $130 million in exploit-driven losses.
- Wallet compromises – often involving stolen keys, malware, or compromised signing infrastructure – contributed around $30+ million.
- Phishing losses fell to roughly $6 million, less than a quarter of October’s tally.
From an ecosystem perspective, the story is clear: technical fragility, not just user behaviour, drove November’s spike. DeFi protocols, in particular, were the hardest-hit category, reflecting their complexity and composability.
Why DeFi Security Is Back Under Fire
November’s pattern has re-ignited debates about whether DeFi is structurally secure enough to support the capital it is attracting.
A few themes stand out:
- Composability cuts both ways – Balancer’s design, where multiple pools rely on shared contracts and many external projects integrate those pools, is efficient for growth but dangerous when a bug emerges. One vulnerability can ripple across many protocols.
- Audit fatigue is real – Balancer, Yearn and other affected platforms had undergone multiple audits over the years. The fact that serious bugs still slipped through shows that point-in-time audits are not a guarantee of safety, especially as code evolves.
- Front-end and DNS risk is underappreciated – The Aerodrome hijack is a reminder that even if smart contracts are solid, users can still be drained via fake websites, poisoned DNS records or malicious browser extensions.
- Exchange hot wallets remain prime targets – Upbit’s incident underscores that centralised platforms still carry concentrated risk in hot wallets, even if customers are ultimately reimbursed.
- Sophisticated attackers are industrialising – Groups like Lazarus are now combining traditional techniques (malware, infrastructure compromises) with blockchain-specific exploits, and some analyses suggest they are experimenting with AI-assisted tooling.
Taken together, November looks less like a random cluster of bad luck and more like a sign that attackers are systematically probing the weakest links across the stack.
Implications For Protocols, Users And Regulators
For DeFi And Exchange Teams
- Security budgets are likely to rise – Expect more demand for continuous monitoring, on-chain anomaly detection and recurring code reviews rather than one-off audits.
- Dependency management will matter more – Projects that integrate external liquidity or smart contracts may face pressure to disclose those dependencies and their audit status more clearly.
- Incident playbooks are no longer optional – The speed with which Balancer, Upbit and others communicated and coordinated recovery efforts helped limit secondary damage. Slow or opaque responses are likely to be punished by both users and regulators.
For Users And Traders
Even without going deep into technical details, November’s events suggest a few practical points:
- Smart contracts, even on established platforms, can fail in unexpected ways.
- Front-end safety (URLs, DNS, browser security) is as important as on-chain logic.
- Centralised exchanges can and do get hacked, even if the better-capitalised ones make users whole.
None of this means DeFi is unusable, but it underscores that yield and convenience always come with risk.
For Policymakers And Security Firms
Regulators and security providers are likely to focus on:
- Baseline controls for DeFi protocols that want to list in regulated jurisdictions or work with licensed custodians.
- Disclosure standards around audits, bug bounties and incident response plans.
- Cross-border cooperation in pursuing groups like Lazarus and freezing stolen funds before they can be laundered.
The November numbers also strengthen the case for industry-wide threat sharing and more proactive tooling, rather than relying on ad hoc investigations after the damage is done.
Conclusion
November’s spike in hacks and exploits is a reminder that crypto’s security problems have not gone away – they have simply shifted.
Net losses of around $127 million, and gross losses north of $170 million, represent a roughly 10x jump from October’s relatively quiet month. While the Balancer exploit and the Upbit hot wallet breach were the headline stories, a string of smaller DeFi hacks and infrastructure compromises filled out the picture and pushed DeFi security back into the spotlight.
Whether December looks better or worse will depend on how quickly protocols patch, how seriously teams treat their dependencies and front-ends, and how effectively exchanges and security firms can respond to increasingly organised attackers.
For now, the main takeaway is simple: as more value flows into DeFi and crypto, the cost of fragile code and weak infrastructure is rising just as fast.
The post November’s Hack Wave: Why DeFi Security Is Back Under Fire appeared first on Crypto Adventure.
