
CVA Security Watch #1: The Quarter’s Most Significant Hacks & Risk Signals
Q4 2025 didn’t wind down quietly.
In one quarter we saw:
- A stablecoin issuer accidentally mint $300 trillion
- A DeFi protocol lose $128 million to a tiny rounding nuance
- Major cloud outages that reminded everyone how “decentralized” infra really runs
- Developers leaning too hard on AI and “vibe coding”
None of this is theory. It’s live-fire testing of our assumptions.
At the Crypto Valley Association (CVA), we’ve been unpacking these events with members from enterprises, protocols, and builders. The goal: turn hard lessons into practical security upgrades for the entire ecosystem.
This first CVA Security Watch breaks down four key incidents from Q4 2025 and how our Cybersecurity Working Group is turning them into action.

Key Incidents: Insights for Progress from Q4 2025
Drawing from thorough reviews, here are the quarter's notable events. Each offers valuable lessons to guide our ongoing improvements.
🔹 Paxos $300 Trillion Oopsie
In October 2025, Paxos, issuer of the regulated stablecoin PYUSD with PayPal, accidentally minted $300 trillion PYUSD on Ethereum during what was supposed to be a $300 million internal transfer.
- The excess tokens were burned within 22 minutes.
- The fix cost just $2.66 in fees.
- The root cause: a single “god-mode” key in a private account with unlimited mint/burn power.
The incident was resolved quickly, but the governance failure is brutal. As CVA member Cedric notes, this kind of oversight is unforgivable in a regulated stablecoin context and avoidable with layered controls: multiple verifications, human checks, and stricter key management.
The message is simple:
If one key can mint $300 trillion, the design is the problem, not the operator.
Sources:
- https://finance.yahoo.com/news/300-trillion-stablecoin-minting-error-020826515.html
- https://www.barrons.com/articles/paxos-crypto-paypal-mistake-300-trillion-9338331e
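What “layered controls” look like in code, as an added illustration that is not Paxos code and not a description of their actual system: a hypothetical mint-authorization layer in which every mint must pass a per-transaction cap, a K-of-N approval by people other than the requester, and a rolling-window cap before it executes. The policy numbers, approver names and the rolling-window design are constructed for the example; a real issuer would enforce the same checks in the token contract and in its signing infrastructure rather than in an off-chain Python class.

```python
"""Hypothetical layered mint controls (added example, not Paxos code).

A single key with unlimited mint power is replaced by a request/approve/execute
flow with three independent checks:
  1. per-transaction cap      -> a magnitude error ($300T vs $300M) is rejected outright
  2. K-of-N approvals         -> no single person can both request and approve
  3. rolling-window cap       -> even a run of "valid" mints is bounded over time
Amounts are whole token units; timestamps are seconds.
"""
from dataclasses import dataclass, field


@dataclass
class MintPolicy:
    per_tx_cap: int          # constructed limit: largest single mint allowed
    window_cap: int          # constructed limit: total minted per rolling window
    window_seconds: int
    required_approvals: int  # K in K-of-N
    approvers: frozenset     # N: the set of keys allowed to approve


@dataclass
class MintRequest:
    request_id: int
    amount: int
    requester: str
    approvals: set = field(default_factory=set)
    executed: bool = False


class MintController:
    def __init__(self, policy: MintPolicy):
        self.policy = policy
        self.requests = {}
        self.minted = []      # (timestamp, amount) history for the window cap
        self.next_id = 1

    def request_mint(self, amount: int, requester: str) -> int:
        # Check 1: the cap is enforced at request time, so a fat-fingered amount
        # never even reaches the approvers.
        if amount <= 0 or amount > self.policy.per_tx_cap:
            raise ValueError(f"amount {amount} exceeds per-tx cap {self.policy.per_tx_cap}")
        req = MintRequest(self.next_id, amount, requester)
        self.requests[req.request_id] = req
        self.next_id += 1
        return req.request_id

    def approve(self, request_id: int, approver: str) -> int:
        req = self.requests[request_id]
        if approver not in self.policy.approvers:
            raise PermissionError(f"{approver} is not an authorised approver")
        # Check 2a: separation of duties, the requester cannot approve their own mint.
        if approver == req.requester:
            raise PermissionError("requester cannot self-approve")
        req.approvals.add(approver)
        return len(req.approvals)

    def minted_in_window(self, now: int) -> int:
        start = now - self.policy.window_seconds
        return sum(amount for ts, amount in self.minted if ts > start)

    def execute(self, request_id: int, now: int) -> int:
        req = self.requests[request_id]
        if req.executed:
            raise RuntimeError("request already executed")
        # Check 2b: K distinct approvers.
        if len(req.approvals) < self.policy.required_approvals:
            raise PermissionError(
                f"{len(req.approvals)} of {self.policy.required_approvals} approvals present")
        # Check 3: bounded issuance over time, independent of any single request.
        if self.minted_in_window(now) + req.amount > self.policy.window_cap:
            raise ValueError("rolling-window mint cap exceeded")
        req.executed = True
        self.minted.append((now, req.amount))
        return req.amount


def demo_policy() -> MintPolicy:
    """Constructed policy: $1B per mint, $5B per day, 2-of-3 approvers."""
    return MintPolicy(per_tx_cap=1_000_000_000, window_cap=5_000_000_000,
                      window_seconds=86_400, required_approvals=2,
                      approvers=frozenset({"ops-a", "ops-b", "ops-c"}))


if __name__ == "__main__":
    ctl = MintController(demo_policy())
    rid = ctl.request_mint(300_000_000, "ops-a")      # the intended $300M transfer
    ctl.approve(rid, "ops-b")
    ctl.approve(rid, "ops-c")
    print("minted", ctl.execute(rid, now=1_000))
    try:
        ctl.request_mint(300_000_000_000_000, "ops-a")  # the $300T typo
    except ValueError as exc:
        print("rejected:", exc)
```

The order of the checks matters: the per-transaction cap runs before anyone is asked to approve, so the approvers only ever see requests that are plausible in magnitude, and the window cap runs at execution time so that it reflects what has actually been minted, not what was merely requested.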

🔹 Centralization Bites Back (When the Web Goes Dark)
On October 20, 2025, an AWS outage disrupted access to wallets, exchanges, and Layer 2 networks. Ethereum and Bitcoin kept producing blocks, but users couldn’t reach them.
In November, a Cloudflare configuration change briefly affected around 20% of the web, again impacting access to “decentralized” tools.
The lesson:
Infrastructure centralization creates real bottlenecks, even when base-layer chains keep running.
- Resource-heavy networks like Ethereum and Solana feel this more, as node ops are often outsourced to cloud providers.
- This outsourcing adds trust assumptions and weakens sovereignty.
- Bitcoin holds up better here: nodes are simpler to run on consumer hardware, and that resilience extends to wallets, exchanges, and interfaces.
As Cedric points out, reliance on centralized infra is a trade-off we can’t ignore. If your “decentralized” stack goes down when one cloud vendor sneezes, you have a centralization problem.
Sources:
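A concrete way to test the “one cloud vendor sneezes” scenario before it happens, as an added example that is not code from any wallet or exchange named above: a hypothetical RPC client that fails over across endpoints tagged with the infrastructure provider they run on, plus a diversity check that flags a configuration in which every endpoint depends on the same provider or none is self-hosted. The endpoints, provider labels and transports are stubs constructed so the example runs offline; in production the transport would be an HTTP JSON-RPC call with a short timeout.

```python
"""Hypothetical RPC failover with a hosting-diversity check (added example).

Each endpoint carries a provider label. `diversity_warnings` catches the
configuration mistake that the October 2025 outage exposed: every path to the
chain running through one provider. `FailoverRpc` then walks the endpoint list
in order and moves on when a provider is unreachable.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


class ProviderDown(Exception):
    """Raised by a transport when its provider cannot be reached."""


@dataclass(frozen=True)
class Endpoint:
    name: str
    provider: str                     # constructed labels: "aws", "self-hosted", ...
    call: Callable[[str], object]     # transport: rpc method name -> result


def diversity_warnings(endpoints: Iterable[Endpoint]) -> list:
    """Return warnings for an endpoint set that a single provider outage would take down."""
    providers = {e.provider for e in endpoints}
    warnings = []
    if len(providers) < 2:
        warnings.append("all endpoints share one provider; a single outage removes every path")
    if "self-hosted" not in providers:
        warnings.append("no self-hosted node; every path depends on a third party")
    return warnings


class FailoverRpc:
    def __init__(self, endpoints: Iterable[Endpoint]):
        self.endpoints = list(endpoints)
        self.failures = {e.name: 0 for e in self.endpoints}   # per-endpoint failure counter

    def call(self, method: str):
        """Try endpoints in order; return (endpoint name, result) from the first that answers."""
        errors = []
        for ep in self.endpoints:
            try:
                return ep.name, ep.call(method)
            except ProviderDown as exc:
                self.failures[ep.name] += 1
                errors.append(f"{ep.name}: {exc}")
        raise ProviderDown("all endpoints failed: " + "; ".join(errors))


def make_stub(provider: str, outages: set, head_block: int) -> Callable[[str], object]:
    """Constructed offline transport: fails while `provider` is in `outages`."""
    def transport(method: str):
        if provider in outages:
            raise ProviderDown(f"{provider} unreachable")
        if method == "eth_blockNumber":
            return head_block
        raise ValueError(f"stub does not implement {method}")
    return transport


def simulate(outages: set):
    """Constructed scenario: two cloud-hosted RPCs plus one self-hosted node."""
    endpoints = [
        Endpoint("cloud-rpc-1", "aws", make_stub("aws", outages, 21_000_000)),
        Endpoint("cloud-rpc-2", "aws", make_stub("aws", outages, 21_000_000)),
        Endpoint("home-node", "self-hosted", make_stub("self-hosted", outages, 21_000_000)),
    ]
    rpc = FailoverRpc(endpoints)
    return rpc.call("eth_blockNumber")


if __name__ == "__main__":
    print("normal:", simulate(set()))
    print("aws outage:", simulate({"aws"}))
    cloud_only = [Endpoint("cloud-rpc-1", "aws", make_stub("aws", set(), 0)),
                  Endpoint("cloud-rpc-2", "aws", make_stub("aws", set(), 0))]
    print("warnings:", diversity_warnings(cloud_only))
```

The diversity check is the part worth running in CI: the failover logic only helps if the endpoint list actually contains an independent path, and the chain producing blocks is irrelevant to a user whose every route to it is down.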

🔹 Unrecoverable Vibe Coding
Q4 also spotlighted “vibe coding”: shipping code written largely by AI tools, with minimal review, documentation, or testing.
In crypto and DeFi, this is a security liability:
- Intuitive “it works” coding can miss subtle edge cases
- Lack of proper review and testing increases the odds of avoidable bugs
- Security-critical systems can’t rely on vibes
Cedric’s stance is clear:
AI should augment experienced engineers, not replace them. Used well, AI boosts productivity for those who can judge the output. Used blindly, it turns into a fast path to production-grade vulnerabilities.
AI coding is a power tool. It still needs an expert holding the handle.
Sources:
- https://www.kaspersky.com/blog/vibe-coding-2025-risks/54584/
- https://www.databricks.com/blog/passing-security-vibe-check-dangers-vibe-coding

🔹 Expensive Rounding Errors
On November 4, 2025, Balancer’s Composable Stable Pools were exploited due to a subtle rounding issue in the _upscale() function.
The damage: $128 million drained across multiple chains.
Key context:
- The contracts had gone through audits and formal verification (including parties like Certora).
- The bug emerged from open-source code reuse and a narrowly scoped oversight.
- Experts highlighted the need for broader audit scopes and fresh eyes on reused components.
This wasn’t a flashy logic flaw; it was a minor rounding nuance with major impact.
The takeaway: in DeFi, “small” math details are never small when billions sit behind them.
Sources:
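Why a “small” rounding detail is never small, shown with an added example that is not Balancer’s code and does not reconstruct the specific _upscale() defect: a generic 18-decimal fixed-point scaling library in the style many pools use, together with an audit sweep that checks the one property a reviewer most wants from such code, that every payout rounds in the pool’s favour. The two downscale variants, the scaling factors and the amount range are constructed for the example; the check flags the variant that rounds up on payouts and shows how a sub-wei bias accumulates across many operations.

```python
"""Fixed-point scaling with an explicit rounding-direction audit (added example).

Pools convert token amounts to 18-decimal internal units ("upscale") and back
("downscale"). Both directions lose precision, so the *direction* of rounding is
a security property: amounts paid out must round down, amounts charged must
round up. `audit_payout_rounding` sweeps amounts x scaling factors and reports
every case where a payout is worth more than the internal balance it settles.
"""
ONE = 10**18  # 18-decimal fixed point


def mul_down(a: int, b: int) -> int:
    return a * b // ONE


def mul_up(a: int, b: int) -> int:
    p = a * b
    return 0 if p == 0 else (p - 1) // ONE + 1


def div_down(a: int, b: int) -> int:
    return a * ONE // b


def div_up(a: int, b: int) -> int:
    return 0 if a == 0 else (a * ONE - 1) // b + 1


def upscale(amount: int, scaling_factor: int) -> int:
    """Token units -> internal 18-decimal units (rounds down)."""
    return mul_down(amount, scaling_factor)


def downscale_down(internal: int, scaling_factor: int) -> int:
    """Internal units -> token units, rounding down (correct for payouts)."""
    return div_down(internal, scaling_factor)


def downscale_up(internal: int, scaling_factor: int) -> int:
    """Internal units -> token units, rounding up (correct for charges, wrong for payouts)."""
    return div_up(internal, scaling_factor)


def payout_overpays(internal: int, scaling_factor: int, downscale) -> bool:
    """True if the token amount paid out is worth more than the internal amount settled."""
    paid = downscale(internal, scaling_factor)
    return paid * scaling_factor > internal * ONE


def audit_payout_rounding(downscale, amounts, factors) -> list:
    """Every (internal amount, scaling factor, paid) where rounding favours the recipient."""
    return [(x, sf, downscale(x, sf))
            for sf in factors for x in amounts
            if payout_overpays(x, sf, downscale)]


def cumulative_overpayment(downscale, internal: int, scaling_factor: int, n_ops: int) -> int:
    """Excess value (in internal units) handed out over n identical payouts."""
    paid = downscale(internal, scaling_factor)
    per_op = paid * scaling_factor - internal * ONE     # excess, scaled by ONE
    return max(per_op, 0) * n_ops // ONE


# Constructed scaling factors: an 18-decimal token, a 6-decimal token (10**12 * ONE),
# and a yield-bearing token quoted at a 1.05 rate.
SF_18DEC = ONE
SF_6DEC = 10**12 * ONE
SF_RATE_105 = 1_050_000_000_000_000_000
FACTORS = [SF_18DEC, SF_6DEC, SF_RATE_105]
AMOUNTS = range(1, 2001)


if __name__ == "__main__":
    print("round-down payouts flagged:", len(audit_payout_rounding(downscale_down, AMOUNTS, FACTORS)))
    bad = audit_payout_rounding(downscale_up, AMOUNTS, FACTORS)
    print("round-up payouts flagged:", len(bad), "first:", bad[0])
    print("excess over 1e6 ops:", cumulative_overpayment(downscale_up, 1051, SF_RATE_105, 10**6))
```

The audit is deliberately independent of any one pool’s formula: it only needs the scaling function and the rounding helpers, which is exactly the reused, narrowly scoped component that a “fresh eyes” review should exercise over the full range of scaling factors a pool can encounter, not just the power-of-ten cases where no rounding ever happens.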

Moving Forward: How CVA Is Turning Incidents Into Action
These Q4 events, from governance lapses to infra centralization, vibe coding risks, and rounding exploits, all point to the same reality:
Crypto is evolving in public, and the cost of mistakes is real.
At the Crypto Valley Association, our Cybersecurity Working Group is focused on turning these lessons into concrete improvements:
- Running sessions on threat analysis and infrastructure resilience.
- Hosting workshops on audit quality and secure development practices.
- Sharing up-to-date threat intel and incident breakdowns.
- Advocating for higher security standards across the Swiss crypto ecosystem.
For members, this collaboration delivers tangible benefits:
- Stronger safeguards against governance and key-management failures.
- Strategies to reduce dependencies on centralized infrastructure.
- Better processes for audits, code review, and AI-assisted development.
- A trusted forum to dissect real incidents and harden your own stack.
Whether you’re a large enterprise, a protocol team, or a fast-growing startup in Crypto Valley, plugging into this working group means you’re not facing these challenges alone.
Join the Conversation
We invite you to:
- Share your perspective and experiences with these Q4 incidents.
- Join our upcoming Cybersecurity Working Group sessions.
- Explore recaps from recent meetings and visit cryptovalley.swiss to connect.
We’re not just reacting to crises; we’re using them to lead toward a more secure 2026.
What’s your vision for progress?
Your input could help prevent the next $128M bug or $300T mis-mint.
Stay connected with CVA: follow us on LinkedIn, Twitter, and YouTube for updates, insights, and upcoming events. Visit our website to learn more about our initiatives, become a member, or reach out directly.
