November 2025 saw significantly more major DeFi hacks than the previous month: about half a dozen attacks totaling over $175 million in losses, compared to three hacks with about $16 million stolen in total.
Biggest DeFi Hacks of November 2025
Several hacks in November 2025 caused over $1 million in losses, including:
Balancer v2: In November 2025, an attacker exploited a rounding error in Balancer v2’s Composable Stable Pools. The rounding error allowed invariant manipulation, which let the attacker drain about $121.1 million from the pool by taking advantage of incorrect prices for BPT.
Hyperliquid: In November 2025, an attacker targeted Hyperliquid in an attack that caused $4.9 million in losses. The attacker created a leveraged long position on POPCAT and several buy walls to support the price. When they removed those buy orders, the POPCAT token plummeted, causing liquidations and forcing HLP to absorb $4.9 million in bad debt.
GANA Payment: The GANA Payment hack involved a compromised smart contract and resulted in about $3.1 million in losses. The attacker changed the platform’s reward rates and used its unstake function to drain value through inflated rewards.
Aerodrome Finance: Aerodrome Finance, Base’s largest DEX, was the victim of a DNS hijacking attack that redirected visitors of two of its domains to phishing sites. This allowed the attacker to trick users into approving transactions containing malicious approvals, which were then used to drain various tokens from their wallets. Over $1 million in tokens was estimated to have been stolen within a single hour.
Upbit: Upbit, a South Korean exchange, suffered a hot wallet breach with over $36 million in losses. The Lazarus Group is suspected to be behind the attack, which occurred the same day as an acquisition of Upbit’s parent company.
Yearn Finance: In November 2025, Yearn Finance suffered an infinite mint exploit. The attacker was able to create roughly $9 million in maliciously minted yETH.
Lessons Learned from the Attacks
November 2025 saw several $1M+ hacks with a variety of different causes. Some incidents involved smart contract vulnerabilities, while others exploited compromised private keys or the infrastructure that projects’ Web2 frontends relied on.
The diversity of these high-profile attacks demonstrates the importance of considering all aspects of a project’s attack surface, including both on-chain and off-chain components. Halborn offers a combination of security advisory and smart contract auditing services designed to help DeFi projects identify and address their security gaps before they can be exploited by an attacker. Get in touch to learn more.
