What’s happening to DeFi? $231M was just drained but $19M clawed back


Two headlines hit the internet within hours of each other this week, and together they map the current state of DeFi’s security theater.

StakeWise DAO executed contract calls to recover approximately $19.3 million in osETH, along with an additional $1.7 million in osGNO, from the Balancer V2 exploit that drained between $110 million and $128 million across multiple chains.

At the same moment, Stream Finance froze deposits and withdrawals after an external fund manager disclosed a $93 million loss, sending its staked stablecoin, xUSD, into a depeg that bottomed out at somewhere between 30 and 50 cents on the dollar.

One story shows DeFi’s defense toolkit finally working at speed; the other exposes the brittleness that remains when protocols outsource risk to opaque counterparties.

The contrast isn’t cosmetic. StakeWise’s partial recovery of about 15% of the total Balancer loss came from levers DeFi has spent years building: emergency multisigs, contract-level clawbacks, and DAO governance structures that can move capital within hours.

Stream’s collapse can be traced back to a structural bet on hybrid CeDeFi, which consisted of farming yields through an external manager without real-time risk dashboards or transparent collateral monitoring.

The $93 million vanished off-chain, beyond the reach of any smart contract or validator coordination. What worked and what broke both matter because they define the menu of tools available when the next nine-figure exploit lands.

Balancer confirmed on November 3 that the incident targeted V2 Composable Stable Pools.

Loss tallies evolved as investigators traced the drains across chains of custody. The protocol offered a white-hat bounty of up to 20%, hoping to convert the attacker into a bug hunter with a payday.

Berachain, which runs Balancer-style pools on its native DEX, moved faster: validators executed a coordinated network halt, performed an emergency hard fork to isolate the vulnerable contracts, and resumed operations with the exploit contained.

The maneuver consisted of a pause and rollback, something that only works when a chain is young and centralized enough to coordinate validator action without governance deadlock.

StakeWise’s playbook provides the most compelling evidence that DeFi’s emergency architecture can withstand intense pressure.

The DAO’s multisig triggered contract calls that returned 5,041 osETH and 13,495 osGNO to protocol control.

The team committed to pro-rata distributions based on pre-exploit balances, turning a catastrophic loss into a partial haircut.

This isn’t theoretical: the funds moved on-chain, the DAO published the plan publicly, and multiple outlets corroborated the figures. The speed matters as much as the outcome.

Traditional finance recoveries can take months of litigation and often yield only pennies on the dollar. StakeWise executed in days, using tools native to the protocol.

The toolbox and its limits

Three mechanisms made StakeWise’s recovery possible: emergency multisigs with narrow, predefined powers, contract-level clawback functions that allow governance to reverse specific transactions, and a DAO structure capable of voting and executing within a single block cycle.

Berachain added the fourth option of chain-level intervention through validator consensus. Together, these tools enabled partial and rapid recoveries.

They don’t prevent exploits, but they create a credible ex-post response that narrows the attacker’s time window and reduces the payoff.

The limits are immediately evident in the numbers. StakeWise recovered $19.3 million from a $128 million drain, representing approximately 15%. Balancer’s white-hat bounty remains unclaimed as of press time.

Berachain’s rollback protected its own ecosystem but was unable to reverse transactions on the Ethereum mainnet or other affected chains.

Every lever DeFi pulled worked, and users still absorbed $100 million in losses. The toolbox isn’t empty, but it’s also not sufficient to stop a determined, sophisticated attacker who understands the protocols better than the auditors.

Stream Finance exposes the architectural flaw that no amount of on-chain tooling can fix. The protocol disclosed that an external fund manager lost approximately $93 million, prompting an immediate freeze on deposits and withdrawals.

Stream hired Perkins Coie to investigate, but the damage had already propagated. The protocol’s staked stablecoin, xUSD, depegged sharply as price trackers and newsrooms reported intraday lows between 50% and 70% of its par value.

The mechanics differ from a smart contract exploit, as no attacker drained a pool, no validator coordination could reverse the loss, and no DAO vote could claw back funds held off-chain by a third-party manager.

This is the CeDeFi compromise in its rawest form. Protocols promise DeFi’s composability and on-chain transparency while farming yield through traditional fund managers who operate under entirely different risk frameworks.

When the external manager fails, whether through fraud, operational error, or market losses, the stablecoin backed by that capital loses its peg, and the protocol has no emergency lever to pull.

Users discover too late that their “decentralized” stablecoin depended on trust in an entity they never saw, operating in a jurisdiction they can’t reach, under terms they never reviewed.

Second-order math

The existence of emergency multisigs and clawback functions raises the floor for exploit victims, since recovering nothing is no longer the default outcome; however, it also creates a moral hazard.

Protocols may underinvest in security audits, reasoning that governance can backstop losses ex post. Regulators will take note: if DAOs can reverse transactions and freeze funds, they effectively control the network in ways that resemble fiduciary duties.

That invites policy pressure for proof-of-reserves dashboards, mandatory risk disclosures, and stricter licensing for anything labeled “decentralized.”

For investors, the due diligence premium has just increased. Yield products built on opaque external managers or hybrid CeDeFi structures now carry a new risk: catastrophic, unrecoverable losses that break stablecoin pegs.

Real-time risk dashboards, transparent collateral monitoring, and on-chain proof-of-reserves stop being nice-to-haves and become table stakes. Protocols that can’t or won’t publish those metrics will trade at a discount, and rightly so.

The macro backdrop sharpens the stakes. Chainalysis tallied more than $2.17 billion in crypto thefts by mid-2025, already surpassing the total for the full year 2024, with projections indicating $4 billion if current trends continue.

DeFi isn’t the only target, but it remains the most liquid and the most vulnerable among them. Every exploit tests whether the ecosystem has built defenses that scale faster than the attack surface.

Who decides the outcome?

The Balancer-StakeWise-Stream sequence isn’t a one-off. It’s a stress test of two competing visions for the future of DeFi.

One side bets that emergency governance, contract-level controls, and validator coordination can create a credible defense that narrows the window for attackers and limits losses.

The other side embraces hybrid structures that trade on-chain transparency for off-chain yield, accepting counterparty risk as the price of competitive returns.

Both visions coexist today, and users allocate capital between them every time they choose a protocol.

What’s at stake isn’t whether exploits occur, but whether DeFi can defend itself sufficiently to remain a credible alternative to traditional finance. StakeWise’s recovery proves the tools exist. Stream’s collapse proves they don’t cover the entire attack surface.

The next $100 million exploit will fall into one of these two buckets, and the outcome will depend on which architecture the protocol chose months or years before the attacker arrived. The market will notice which one survives intact.


Canada pivots to stablecoins as cornerstone of its digital payments reform


  • The Bank of Canada will oversee the framework, allocating CA$10 million initially and CA$5 million annually.
  • The Retail Payment Activities Act will be amended to include stablecoin-related payment services.
  • Canada’s reforms align with similar regulatory frameworks in the UK, EU and Australia.

Canada’s 2025 federal budget, unveiled on 4 November, places fiat-backed stablecoins at the centre of its plan to modernise the national payments system.

The initiative signals a clear policy shift from research on central bank digital currencies toward regulating private digital assets within the country’s financial framework.

By introducing detailed rules around issuance, redemption and oversight, the government aims to make stablecoins secure, transparent and suitable for daily transactions while safeguarding financial stability.

The Bank of Canada will oversee the framework and integrate stablecoins into the Retail Payment Activities Act.

A regulated path for fiat-backed stablecoins

Under the new framework, issuers will be required to maintain adequate reserves, establish risk management systems and comply with data protection standards.

The legislation also includes national security provisions to uphold the integrity of the financial system and protect consumers.

The Bank of Canada will allocate CA$10 million over two years starting in 2026 to administer the framework, with annual operating costs of CA$5 million to be recovered from regulated issuers.

Amendments to the Retail Payment Activities Act (RPAA) will bring payment service providers handling stablecoin transactions under formal supervision.

Introduced in 2021, the RPAA already regulates both domestic and foreign payment firms in Canada. Its expansion to cover stablecoin use reflects the government’s intention to fold digital currencies into the existing financial oversight structure.

From central bank currency to private innovation

The move marks a turning point in Canada’s digital currency policy. In September 2024, the central bank decided against launching a retail central bank digital currency and shifted its focus to analysing global payment trends.

That decision created a gap that the new stablecoin legislation now addresses.

Officials have acknowledged that reform in Canada has been slower than in other major economies.

The Bank of Canada’s Executive Director of Payments, Ron Morrow, previously cautioned that Canada could fall behind the United Kingdom, Australia and the European Union, all of which already have digital asset frameworks.

By regulating rather than issuing digital assets, Canada is adopting a hybrid model that allows private innovation while maintaining government supervision. This approach is intended to encourage payment innovation without compromising oversight.

Building a modern and secure payment system

The stablecoin framework forms part of a broader payments modernisation plan.

Alongside it, the government plans to advance consumer-driven banking, open data mobility and the Real-Time Rail system, which is expected to enable instant fund transfers by 2026.

For consumers, the reforms promise faster and more reliable transactions and may lower the cost of cross-border payments. For issuers and payment providers, the challenge lies in meeting new compliance requirements while remaining competitive.

The legislation’s emphasis on privacy and national security also signals the government’s intention to build public trust in digital finance as it becomes a mainstream part of the economy.

Toward a digitally integrated financial system

The new stablecoin rules complement existing crypto regulations in Canada, which already require strict compliance from exchanges and trading platforms.

Several major international firms have withdrawn from the market in recent years, citing complex regulatory demands.

In addition, the Crypto-Asset Reporting Framework, coming into effect in 2026, will compel crypto service providers to report client and transaction data to tax authorities.

Together, these developments reflect a strategic shift in how Canada views digital finance. By replacing experimental central bank projects with clear regulation, the government is laying the foundation for a secure and inclusive digital economy.




Bitcoin and Ether ETFs record fifth consecutive day of outflows as crypto prices remain under pressure



  • Bitcoin and Ether ETFs record fifth consecutive day of outflows.

  • Solana funds attract inflows despite broader crypto market weakness.

  • Bitcoin stabilises near $100,000 after a sharp correction earlier this week.

Spot Bitcoin and Ether exchange-traded funds (ETFs) saw significant capital withdrawals on Tuesday, marking their fifth consecutive day of outflows.

The losses came even as Solana-linked funds continued to attract investor inflows, extending their streak to six days.

According to data from Farside Investors, spot Bitcoin ETFs recorded $566 million in net outflows—their largest single-day withdrawal since mid-October.









Spot Bitcoin ETF net flows (US$ millions; parentheses indicate net outflows)

Date            IBIT     FBTC     BITB     ARKB     BTCO     EZBC     BRRR     HODL     BTCW     GBTC      BTC    Total
04 Nov 2025      0.0  (356.6)    (7.1)  (128.1)      0.0    (8.7)      0.0   (17.0)      0.0   (48.9)      0.0  (566.4)
03 Nov 2025  (186.5)      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0      0.0  (186.5)
31 Oct 2025  (149.3)   (12.0)   (17.9)   (19.3)      0.0      0.0      0.0      0.0      0.0      6.9      0.0  (191.6)
30 Oct 2025  (290.9)   (46.5)   (55.1)   (65.6)    (8.0)      0.0      0.0    (3.8)      0.0   (10.0)    (8.5)  (488.4)
29 Oct 2025   (88.1)  (164.4)    (6.0)  (143.8)      0.0      0.0      0.0      0.0      0.0   (65.0)    (3.4)  (470.7)

Data from Farside Investors.

ARKB and Fidelity’s FBTC led the redemptions, reflecting sustained selling pressure following last week’s market correction.

Ether ETFs followed a similar trajectory, posting $219 million in net outflows on Tuesday.

Fidelity’s FETH and BlackRock’s ETHA products accounted for the majority of redemptions.

The five-day withdrawal streak has now drained nearly $1 billion from Ether-linked ETFs since late October, underscoring waning investor sentiment toward the asset amid persistent volatility.

Solana defies market gloom

In contrast, Solana funds continued to post gains. Spot Solana ETFs saw $14.83 million in net inflows on Tuesday, marking their sixth straight day of positive capital movement.

Bitwise’s BSOL and Grayscale’s GSOL each contributed to the increase.

The steady inflows suggest institutional traders are rotating funds into Solana-based products, which have gained traction as yield-bearing alternatives within the digital asset market.

The positive momentum stands out amid an otherwise bearish environment for major cryptocurrencies and related investment products.

Crypto prices show signs of stabilisation

After sharp declines earlier in the week, top cryptocurrencies appear to be stabilising.

Bitcoin (BTC), Ethereum (ETH), and Ripple (XRP) were consolidating near key support levels on Wednesday, as traders reassessed positions following heightened volatility.

Bitcoin price faced rejection around a broken trendline on Monday and dropped 8.18% by Tuesday, retesting the 50% retracement level at $100,353.

As of Wednesday, BTC was holding slightly above $102,000, suggesting potential recovery if the $100,353 level continues to act as strong support.

Ethereum also mirrored the broader recovery trend. The asset fell 15.73% after facing resistance at the 100-day exponential moving average (EMA) of $3,928 earlier in the week.

By Wednesday, ETH had rebounded after retesting the 50% retracement level at $3,171. If this support holds, analysts expect a possible move toward the 61.8% Fibonacci retracement level near $3,593.

While the recent correction has dampened momentum across the crypto market, stabilising prices and selective fund inflows into Solana suggest that investor sentiment remains cautiously constructive in certain segments of the digital asset space.

 




Are You a Freelancer? North Korean Spies May Be Using You


North Korea’s IT operatives are shifting strategies and recruiting freelancers to provide proxy identities for remote jobs.

Operatives are contacting job seekers on Upwork, Freelancer and GitHub before moving conversations to Telegram or Discord, where they coach them through setting up remote access software and passing identity verifications.

In earlier cases, North Korean workers scored remote gigs using fabricated IDs. According to Heiner García, a cyber threat intelligence expert at Telefónica and a blockchain security researcher, operatives are now avoiding those barriers by working through verified users who hand over remote access to their computers.

The real owners of the identities receive only a fifth of the pay, while the rest of the funds are redirected to the operatives through cryptocurrencies or even traditional bank accounts. By relying on real identities and local internet connections, the operatives can bypass systems designed to flag high-risk geographies and VPNs.

The recruitment process allows operatives to maintain ongoing access to identities and shift to new ones when flagged. Source: Heiner García/SEAL

Inside the evolving recruitment playbook of North Korean IT workers

Earlier this year, García set up a dummy crypto company and, together with Cointelegraph, interviewed a suspected North Korean operative seeking a remote tech role. The candidate claimed to be Japanese, then abruptly ended the call when asked to introduce himself in Japanese.

García continued the conversation in private messages. The suspected operative asked him to buy a computer and provide remote access.

The request aligned with patterns García would later encounter. Evidence linked to suspicious profiles included onboarding presentations, recruitment scripts and identity documents “reused again and again.”


García told Cointelegraph:

“They install AnyDesk or Chrome Remote Desktop and work from the victim’s machine so the platform sees a domestic IP.”

The people handing over their computers “are victims,” he added. “They are not aware. They think they are joining a normal subcontracting arrangement.”

An email thread shows how recruiting is conducted through a freelancer platform. Source: Heiner García/SEAL

According to chat logs he reviewed, recruits ask basic questions such as “How will we make money?” and perform no technical work themselves. They verify accounts, install remote-access software and keep the device online while operatives apply for jobs, speak to clients and deliver work under their identities.

Though most appear to be “victims” unaware of who they’re interacting with, some appear to know exactly what they are doing.

In August 2024, the US Department of Justice arrested Matthew Isaac Knoot of Nashville for running a “laptop farm” that allowed North Korean IT workers to appear as US-based employees using stolen identities.

More recently in Arizona, Christina Marie Chapman was sentenced to more than eight years in prison for hosting a similar operation that funneled more than $17 million to North Korea.

Chapman’s laptop farm duped over 300 US companies. Source: Office of Public Affairs

A recruitment model built around vulnerability

The most prized recruits are in the US, Europe and some parts of Asia, where verified accounts provide access to high-value corporate jobs and fewer geographic restrictions. But García also observed documents belonging to individuals from regions with economic instability, such as Ukraine and Southeast Asia.

“They target low-income people. They target vulnerable people,” García said. “I even saw them trying to reach people with disabilities.”

Email evidence shows operatives targeting professionals with disabilities. Source: Heiner García/SEAL

North Korea has spent years infiltrating the tech and crypto industries to generate revenue and gain corporate footholds abroad. The United Nations said DPRK IT work and crypto theft are allegedly funding the country’s missile and weapons programs.


García said the tactic goes beyond crypto. In one case he reviewed, a DPRK worker used a stolen US identity to present themselves as an architect from Illinois, bidding on construction-related projects on Upwork. Their client received completed drafting work.

Despite the focus on crypto-related laundering, García’s research found that traditional financial channels are also being abused. The same identity-proxy model allows illicit actors to receive bank payments under legitimate names.

A suspected operative requests payment to a bank account after completing freelance work. Source: Heiner García

“It’s not only crypto,” García said. “They do everything — architecture, design, customer support, whatever they can access.”

Why platforms still struggle to spot who’s really working

Even as hiring teams grow more alert to the risk of North Korean operatives securing remote roles, detection typically arrives only after unusual behavior triggers red flags. When an account is compromised, the actors pivot to a new identity and keep working.

In one case, after an Upwork profile was suspended for excessive activity, the operative instructed the recruit to ask a family member to open the next account, according to chat logs reviewed.

Account provider “Ana” is asked to tap family members for new accounts. Source: Heiner García

This churn of identities makes both accountability and attribution difficult. The person whose name and paperwork are on the account is often deceived, while the individual actually doing the work is operating from another country and is never directly visible to freelancing platforms or clients.

The strength of this model is that everything a compliance system can see looks legitimate. The identity is real, and the internet connection is local. On paper, the worker meets every requirement, but the person behind the keyboard is someone entirely different.

García said the clearest red flag is any request to install remote-access tools or let someone “work” from your verified account. A legitimate hiring process doesn’t need control of your device or identity.
