DEV Community: qanzhi111

Uniswap Google Ad Phishing - Systematic Crypto Theft

qanzhi111 — Fri, 05 Jun 2026 11:08:09 +0000

Uniswap Google Ad Phishing Attack - Investigation Report

Date: May 29, 2026

Case ID: ONCHAIN-2026-0529-001

Status: Active - Ongoing Scam

Executive Summary

Google's advertising platform has been weaponized by scammers to drain crypto wallets through fake Uniswap phishing sites. Over $400,000 has been stolen from users searching for Uniswap on Google, with two primary attacker wallets identified holding approximately 146 ETH (~$306,000).

Incident Timeline

Date	Event
May 25, 2026	On-chain investigator @b_block_oficial identifies attack
May 26, 2026	Community alerts spread via Twitter/X
May 27, 2026	Multiple news outlets report the incident
Ongoing	Scam continues - Google has not taken action

Attacker Wallet Addresses

Primary Drain Wallet 1: 0x37925684BA178821b4436E06e67f5dBD6cfA49Bb
Primary Drain Wallet 2: 0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2

Current Holdings (as of May 26):

Wallet 1 + Wallet 2: ~146 ETH (~$306,000)
Additional tokens (unspecified)
Total estimated theft: ≥$400,000

Attack Methodology

Phase 1: Ad Placement

Scammers purchase Google sponsored ads for "Uniswap" keyword
Outbid legitimate Uniswap protocol to secure top position
Use hacked or fraudulently obtained Google advertiser accounts

Phase 2: Cloaking & Evasion

Phishing URLs use authentic-looking domains
Hidden secondary element loads malicious code
Advanced infrastructure includes:
- Cloudflare Workers
- Arweave-hosted payloads
- Traffic redirection systems
- Proxy layers monitoring user RPC requests
Techniques bypass Google's automated review systems

Phase 3: Wallet Drain

Victims land on convincing Uniswap replica
Malicious site intercepts Ethereum RPC requests
Silent drain of connected wallets
No seed phrase needed - one wrong signature drains everything

Scale of the Problem

SEAL Organization Findings

The Security Alliance (SEAL) has been tracking this pattern:

Sharp rise in March 2026: $1.27 million stolen (March 13-30)
356+ malicious Google ad URLs blocked (typical weekly volume)
Pattern has sustained for over a year
Uniswap accounts for 41% of tracked malicious websites

Other Targeted Platforms

Morpho Finance
PancakeSwap
Hyperliquid
CoW Swap
1inch
Ledger (phishing emails post-data breach)

Drainer Families Identified

Inferno Drainer
Vanilla Drainer

Community Response

@b_block_oficial Alert

"Two scammers have already stolen ~$400,000 from users through a phishing @Uniswap ad on Google. It's insane that Google has ignored this issue for years while fake links keep getting pushed above real ones and users keep getting drained."

@StacyMuur (GREEND0TS Founder)

Shared screenshots of malicious ads appearing as top sponsored results. Confirmed scam site closely replicates official Uniswap interface.

@defillama

Echoed concerns, calling fake Google ads a "common and recurring source of phishing attacks targeting the crypto community."

Regulatory & Legal Context

Google Responsibility

Google has been aware of crypto phishing ads for over a year
No effective prevention measures implemented
Continues to profit from ad purchases by bad actors
No statement or remediation announced

Victim Protection Guidelines

Only use official links: Verify via official channels (defillama.com, coinmarketcap.com)
Check URLs carefully: Even slight misspellings indicate phishing
Use hardware wallets: For significant holdings
Review approvals regularly: Use revoke.cash to check/remove suspicious approvals
Never sign blind transactions: Read all transaction details before signing
Be skeptical of search results: Sponsored = Paid, not verified

On-Chain Evidence Links

Original alert tweet with wallet addresses: Twitter/X Link
SEAL Report: Phishing campaign analysis

ZachXBT Angle

This case is NOT suitable for ZachXBT coverage because:

Attack methodology is well-documented by other analysts
No new unique investigative angle
Attack is ongoing rather than concluded
However, Google's complicity in perpetuating this scam deserves wider exposure

Conclusion

This incident highlights the ongoing failure of Google to protect users from cryptocurrency phishing scams on its advertising platform. Despite repeated warnings from the security community, fake Uniswap ads continue to appear as top search results, resulting in ongoing losses exceeding $400,000.

Key Takeaway: Google profits from ads while users lose life-changing money. The platform has shown no willingness to implement meaningful safeguards despite over a year of documented attacks.

Investigation conducted by on-chain-shadow

Report generated: May 29, 2026

GitHub Pages: https://onchain-shadow.github.io/on-chain-investigations/

🔒 Protect Your Crypto with ChainSentinel

ChainSentinel — AI-powered on-chain risk intelligence platform:

Real-time Risk Scanning — Check any address for rug pulls, phishing, and exploit risks
Multi-Chain Monitoring — Ethereum, BSC, and more
AI-Powered Analysis — Gemini-driven risk engine

👉 Try ChainSentinel Free | Pro Plan - $29/month

Stay safe on-chain. Get alerts before the next exploit.

GitHub NPM Supply Chain Attack - Crypto Wallet Targeting

qanzhi111 — Fri, 05 Jun 2026 11:01:54 +0000

GitHub NPM Supply Chain Attack - Investigation Report

Date: May 29, 2026

Case ID: ONCHAIN-2026-0529-002

Threat Names: Megalodon, Mini Shai-Hulud

Status: Active - Ongoing Crisis

Executive Summary

A massive supply chain attack campaign dubbed "Megalodon" and "Mini Shai-Hulud" is targeting GitHub tokens and NPM packages. Malicious code injected into npm packages steals developers' GitHub Personal Access Tokens (PATs), allowing attackers to:

Access private repositories
Steal API keys and secrets
Inject malicious code into legitimate projects
Drain Web3/DeFi user wallets through compromised front-ends

Impact: Affects Grafana Labs, GitHub itself, and thousands of open-source projects with millions of daily downloads.

Threat Timeline

Date	Event
Late May 2026	Security researchers discover attack campaign
May 27-28, 2026	Internet buzz reaches maximum levels
Ongoing	New variants appearing every few hours

Attack Chain Analysis

Step 1: Initial Compromise

Malicious NPM Package → Developer Downloads → Trojan Activates

Attackers inject trojan code into popular npm packages. When developers install or update these packages, the hidden malware activates silently on their computers.

Step 2: Token Harvest

The trojan specifically searches for:

GitHub Personal Access Tokens (PATs)
Browser-stored credentials
IDE/saved passwords

Step 3: Automated Exploitation

Once a token is stolen, automated bot scripts:

Log into victim's GitHub account immediately
Bypass 2FA/authentication
Inject same trojan into all managed repositories
Spread across thousands of projects in hours

Step 4: Downstream Attack

Compromised repositories lead to:

Malicious website code updates
Fake "Connect Wallet" buttons
Phishing smart contracts
Mass wallet draining of end users

Technical Details

Why GitHub Tokens Are Valuable

Capability	Without Token	With Token
2FA Required	Yes	No
Password Required	Yes	No
Access Private Repos	No	Yes
Push Malicious Code	No	Yes
Steal API Keys	Difficult	Instant

Attack Speed

Traditional hack: Days to weeks
This attack: Hours to days
Automated propagation infects thousands of repos in 24 hours

Confirmed Victims

Enterprise Platforms

Grafana Labs - Internal code stolen
GitHub - Internal systems compromised
Multiple enterprise platforms - Under investigation

Open Source Impact

Thousands of independent developers affected
Millions of daily downloads potentially compromised
GitHub audit logs show suspicious midnight commits
npm registry deleting malicious packages (but new variants every few hours)

Web3/DeFi Specific Risk

Why Crypto Is Extra Vulnerable

Heavy npm dependency: DEX, DeFi, and meme coin websites rely heavily on public npm packages
Small teams: Limited security audit capabilities
Irreversible transactions: One bad signature = total wallet loss
Anonymity: Attack attribution is difficult

Attack Surface for Web3 Users

User visits crypto website 
→ Website uses compromised npm package
→ Developer token was stolen
→ Malicious code pushed to production
→ "Connect Wallet" button now drains wallet
→ User clicks → Wallet emptied

Community Response

Industry Actions

GitHub Security: Tracking known hacker IP addresses
npm Registry: Working around clock to delete malicious packages
Major tech firms: Advising employees to stop installing unverified updates
Security firms: Emergency response mode

Developer Warnings

Check GitHub audit logs for unauthorized commits
Run npm audit on all projects
Look for unknown background processes sending data externally
Revoke ALL active GitHub PATs immediately
Change main account passwords
Alert community if project may be compromised

Mitigation Recommendations

For Developers

✅ Review GitHub audit logs immediately
✅ Scan code with npm audit or specialized tools
✅ Check for unauthorized midnight commits
✅ Monitor for unknown external data connections
✅ Revoke ALL GitHub PATs - regenerate new ones
✅ Use environment variables, never hardcode secrets
✅ Enable 2FA on all accounts

For Crypto Users

✅ Use hardware wallets for significant holdings
✅ Verify website URLs carefully before connecting
✅ Check project's social media for security announcements
✅ Don't trust "Connect Wallet" buttons on meme coin sites
✅ Use reputable platforms when possible
✅ Consider CEX for trading until supply chain stabilizes

Industry Expert Opinion

OpenZeppelin Founder's Warning

Manuel Aráoz, co-founder of OpenZeppelin, stated:

"I now consider all of DeFi unsafe. Coding agents are superhuman at finding vulnerabilities, and smart contract security is too asymmetric: defenders need to fix every bug while attackers need just one exploit to steal funds."

He reportedly advised friends and family to pull funds from Aave, MakerDAO, and Compound.

Conclusion

The Megalodon/Mini Shai-Hulud supply chain attack represents a significant escalation in Web3 security threats. Unlike traditional smart contract exploits, this attack vector:

Exploits human/developer security
Circumvents all technical safeguards
Has massive blast radius
Spreads autonomously

Key Takeaway: Web3 security is no longer just about smart contract audits. The entire development infrastructure - from developer machines to npm packages to GitHub - is now an attack surface.

Data Sources

WEEX Security Report (https://www.weex7.com/wiki/article/github-token-leak-and-npm-malware-what-web3-traders-need-to-know)
Industry security researchers
GitHub/npm official statements

Investigation conducted by on-chain-shadow

Report generated: May 29, 2026

GitHub Pages: https://onchain-shadow.github.io/on-chain-investigations/

🔒 Protect Your Crypto with ChainSentinel

ChainSentinel — AI-powered on-chain risk intelligence platform:

Real-time Risk Scanning — Check any address for rug pulls, phishing, and exploit risks
Multi-Chain Monitoring — Ethereum, BSC, and more
AI-Powered Analysis — Gemini-driven risk engine

👉 Try ChainSentinel Free | Pro Plan - $29/month

Stay safe on-chain. Get alerts before the next exploit.

THORChain $10.7M Proposer-Forgery Attack

qanzhi111 — Fri, 05 Jun 2026 11:00:52 +0000

THORChain $10.7M Proposer-Forgery Attack Investigation Report

Date of Incident: May 30, 2026

Total Loss: ~$10.7 million USD

Affected Assets: Ethereum, Bitcoin, BNB Chain vault funds

Network: THORChain (Cross-Chain)

Executive Summary

On May 30, 2026, THORChain suffered a $10.7 million exploit targeting its cross-chain vault transfer mechanism. The attack exploited a proposer-forgery bug in THORChain's Bifrost Attestation Gossip system, allowing attackers to intercept and modify inbound deposit observations into fraudulent outbound payment requests.

The most alarming detail: THORChain developers had already developed a fix for this exact vulnerability, which would have prevented the attack. The fix was scheduled for deployment earlier in May, but the automated testing and distribution system failed to implement it.

This represents a case of operational failure rather than technical failure—the security knowledge existed, the fix was ready, but deployment infrastructure let the protocol down.

Attack Vector Analysis

Technical Mechanism

Vulnerability: Proposer-forgery bug in THORChain's Bifrost Attestation Gossip

The Bifrost protocol enables cross-chain communication within THORChain. The vulnerability existed in how validators observe and attest to transactions:

Normal Flow:
- Users deposit assets into THORChain vaults
- Validators observe the inbound deposit
- Validators collectively approve outbound withdrawals
- Funds are released from shared vaults
Attack Flow:
- Attacker initiates legitimate inbound deposit
- Attacker intercepts the inbound observation
- Modifies observation into fake outbound payment request
- Critical flaw: Validator signatures did not cover the inbound/outbound bit
- This allowed proposers to "flip" a real inbound observation into a fraudulent outbound instruction
- Validators approved what appeared to be legitimate withdrawal
- Funds drained to attacker-controlled addresses across ETH, BTC, and BNB

The Preventable Failure

According to Blockaid's analysis:

"Blockaid says Thorchain developers had already developed a fix for this specific vulnerability, which would have thwarted the attack. The fix was meant to be implemented earlier this month, but the automated system that tests and distributes software updates on Thorchain reportedly failed."

This is a critical lesson in DeFi security: knowing about a vulnerability and having a fix is meaningless if deployment infrastructure fails.

Market Impact

Metric	Value
RUNE Price (Pre-Attack)	$0.585
RUNE Price (2hr Post-Attack)	$0.501 (-14%)
RUNE Price (Press Time)	$0.514
Protocol TVL Impact	Significant

The RUNE token experienced an immediate 14% dip following public disclosure of the exploit.

THORChain's Controversial Role in the Ecosystem

A Platform Built to Avoid Bridges—Now Critical to Bridge Hackers

THORChain was architecturally designed to enable native cross-chain swaps without the security risks associated with wrapped tokens or bridge protocols. The irony is profound:

In the KelpDAO $292M exploit (April 2026), the hacker used THORChain as the primary laundering route for stolen funds.

According to Chainalysis and TRM Labs data:

THORChain processed the majority of laundering volume from both the Bybit ($1.5B, February 2025) and KelpDAO ($292M, April 2026) hacks
The protocol's operators have publicly refused to consider freezing or screening transactions, treating any such intervention as contrary to decentralization principles

North Korea's Preferred Laundering Infrastructure

The crypto.news investigation detailed how THORChain has become a load-bearing pillar of the laundering pipeline used by North Korea's Lazarus Group:

Stolen ETH swapped into BTC or stablecoins
Routed through cross-chain bridges (including THORChain) for obfuscation
Further routed through Russian crypto exchanges and Chinese OTC desks
Converted to fiat and channeled into procurement networks

The uncomfortable truth: THORChain's principled stance on decentralization and non-custodial operation has made it the preferred infrastructure for state-sponsored cryptocurrency theft.

Historical Attack Context

THORChain has a documented history of security incidents:

Date	Attack	Loss
July 2021	Multiple exploits (days apart)	~$15 million
Various	Ongoing exploits	Over $8 million total (2021)
April 2026	KelpDAO hacker used THORChain for laundering	$292M laundered
May 30, 2026	Proposer-forgery vault drain	$10.7 million

Total historical losses from THORChain-related incidents exceed $15 million in direct exploits, with the protocol now processing hundreds of millions in state-sponsored hacking proceeds.

The Automation Failure Problem

What Went Wrong

The THORChain exploit exposes a critical vulnerability in how DeFi protocols manage security updates:

Developer Response: Fix was identified, code written, ready for deployment
Scheduled Deployment: Meant to be implemented earlier in May
System Failure: Automated CI/CD pipeline for testing and distributing updates failed
Result: Fix never reached production validators, exploit succeeded

Lessons for DeFi Security

This incident highlights three systemic issues:

Over-reliance on automation: Critical security patches cannot depend entirely on automated systems without human oversight
The deployment gap: Security fixes in staging are useless if production infrastructure fails to receive them
Defense in depth failure: Multiple layers (code review ✓, fix development ✓, deployment automation ✗) must all succeed

As OpenZeppelin founder Manuel Aráoz noted:

"I now consider all of DeFi unsafe," citing AI's growing ability to identify smart contract vulnerabilities—and by extension, the industry's inability to rapidly deploy fixes.

Data Sources

Blockaid Security Analysis
Arkham Intelligence
crypto.news Investigation Report
Chainalysis / TRM Labs Attribution Data

Investigator Commentary

The THORChain $10.7M exploit is not a story about a clever hacker finding an unknown vulnerability. It is a story about organizational failure in the face of known risk.

The attacker's technique—proposer-forgery in the Bifrost attestation layer—was understood by THORChain's own developers. A fix existed. The vulnerability had a name, a description, and a remediation. What failed was the operational machinery between "fix ready" and "fix deployed."

This has implications for the entire DeFi industry:

Security is not just about code audits. It's about deployment pipelines, update mechanisms, and fail-safes.
Automation must have human oversight. The most sophisticated smart contract security is worthless if your CI/CD pipeline silently fails.
THORChain's ideological stance creates systemic risk. Their refusal to screen transactions is consistent with stated principles—and also makes them complicit in state-sponsored terrorism funding, whether intended or not.

The uncomfortable question that the DeFi industry needs to answer: Can protocols that refuse to implement basic AML/KYC controls on their infrastructure claim to be "just following the technology"?

At what point does principled decentralization become willful blindness?

Investigator: Onchain Shadow

Report Date: May 30, 2026

Disclaimer: This report is based on publicly available on-chain data and media reports for security research purposes only.

🔒 Protect Your Crypto with ChainSentinel

ChainSentinel — AI-powered on-chain risk intelligence platform:

Real-time Risk Scanning — Check any address for rug pulls, phishing, and exploit risks
Multi-Chain Monitoring — Ethereum, BSC, and more
AI-Powered Analysis — Gemini-driven risk engine

👉 Try ChainSentinel Free | Pro Plan - $29/month

Stay safe on-chain. Get alerts before the next exploit.

Gravity Bridge Key Compromise - $5.4M Validator Leak

qanzhi111 — Fri, 05 Jun 2026 10:54:23 +0000

Gravity Bridge Key Compromise Incident Investigation Report

Date: May 30, 2026 (Publicly Disclosed June 1)

Loss Amount: ~$5.4M

Attack Type: Validator Signing Key Leak (Not Smart Contract Vulnerability)

Status: Team Suspended Operations

Executive Summary

Gravity Bridge is a cross-chain protocol connecting Ethereum and Cosmos ecosystems. On May 30, 2026, attackers extracted approximately $5.4 million in digital assets using leaked validator signing keys.

This is the fourth major cross-chain security incident in the first week of June 2026, once again highlighting the fatal risks of centralized signing key management.

Asset Loss Breakdown

Asset Type	Quantity	Value
USDC	~$4,300,000	$4.3M
WETH	274 tokens	~$553,000
USDT	~$434,000	$434K
PAXG	14.16 tokens	~$64,000
Total		~$5,400,000

Attack Characteristics Analysis

Key Findings

Not Smart Contract Vulnerability: On-chain analysts confirmed this was a validator signing key leak, not a contract code issue
Bridge Operations Suspended: Team has instructed all validators to stop running validators and coordinators
Staggering TVL Ratio: Pre-incident TVL was approximately $11.5M, with nearly half lost in this incident

Fund Flow Tracking

Stage	Details
Attacker Retention	~2,102 ETH (~$4.23M)
Money Laundering Channels	ChangeNow, Binance
Timeline	May 30 attack → June 1 public disclosure

Cross-Chain Bridge Attack Trends: 2026 Data

According to PeckShield statistics, 2026 has seen 14 major cross-chain bridge attacks with cumulative losses of $340.7M:

Rank	Project	Amount	Date
1	KelpDAO	$293M	April
2	Drift Protocol	$285M	April
3	DxSale	$7.3M	June
4	Gravity Bridge	$5.4M	May
5	Alephium Bridge	$815K	May

Gravity Bridge vs Other Bridge Attacks Comparison

Dimension	Gravity Bridge	Typical Smart Contract Attack
Vulnerability Type	Key Leak	Code Vulnerability
Defense Method	Traditional Security (HSM, MPC)	Formal Verification, Code Audit
Responsible Party	Centralized Operator	Smart Contract Code
Impact Scope	Controllable (suspend operations)	Difficult to modify after deployment

Security Warnings

Key Management is the Fatal Weakness of Cross-Chain

Gravity Bridge incident proves:

MPC/HSM is Not a Silver Bullet: Even with multi-signature schemes, key management processes can still be compromised
Insufficient Validator Decentralization: "Validator signing keys" suggest relatively centralized signing mechanisms may exist
TVL and Security Mismatch: $11.5M TVL supporting $5.4M in key assets creates disproportionate risk exposure

User Self-Protection Recommendations

Be cautious when using bridges where bridge TVL > protocol TVL
Do not store long-term held assets in bridge contracts
Monitor protocol validator count and governance structure

Data Sources

Sina Finance: https://finance.sina.com.cn/stock/usstock/summary/2026-06-01/doc-inhzwpyp8549134.shtml
Crypto Gazette: https://cryptogazette.com/crypto-bridge-hacks-340-million-2026/

Event Progress

✅ Team confirmed key leak (ruled out contract vulnerability)
✅ All bridge operations suspended
⚠️ Validators have stopped working
⚠️ Asset tracking in progress, ChangeNow and Binance may assist with freezing
❌ Full incident report not yet published

🔒 Protect Your Crypto with ChainSentinel

ChainSentinel — AI-powered on-chain risk intelligence platform:

Real-time Risk Scanning — Check any address for rug pulls, phishing, and exploit risks
Multi-Chain Monitoring — Ethereum, BSC, and more
AI-Powered Analysis — Gemini-driven risk engine

👉 Try ChainSentinel Free | Pro Plan - $29/month

Stay safe on-chain. Get alerts before the next exploit.

TesseraDao Security Incident - $2.5M USDT Lost

qanzhi111 — Fri, 05 Jun 2026 10:53:21 +0000

TesseraDAO Security Incident Investigation Report

Date: June 2, 2026

Loss Amount: ~$2.5M USDT

Status: Project Team Unresponsive

Executive Summary

On June 1, 2026, TesseraDAO was attacked on BNB Chain. The attacker minted approximately 99 million TSR tokens and quickly dumped them, causing the token price to crash 99%, dropping from normal price to approximately $0.0002. The project team has not released any official statement to date.

Attack Vector Analysis

Attack Path

Minting Phase: Attacker minted 99,000,000 TSR tokens through the project's smart contract
Exchange Phase: Swapped TSR for approximately 2.5 million USDT on decentralized exchanges
Cross-Chain Phase: Bridged stolen funds from BNB Chain to Ethereum
Money Laundering Phase: Obfuscated 1,285.5 ETH transactions through Tornado Cash

Technical Details

Metric	Data
Attacker Address	`0x2201037A1755eC48eC5f00Fea21A10A9E56f2Dd8` (BSC)
Minted Token Amount	99,000,000 TSR
Illicit Gains	~2,500,000 USDT
Tornado Cash Laundering	1,285.5 ETH

Key Suspicion: Likely Rug Pull

On-chain analysts strongly suspect this was not an external hack but insider involvement or privilege abuse:

Minting privileges and MultiTransfer functionality are exclusively controlled by deployer-related addresses
Attacker address has connections to the project deployer
Project team remains silent—a typical Rug Pull characteristic
Not discovered and publicly disclosed by security firms until 19 hours later

2026 BNB Chain Attack Pattern Comparison

Project	Date	Loss	Pattern
DxSale	Early June	$7.3M	Legacy architecture + ownership transfer
TesseraDAO	June 2	$2.5M	Mint+dump+suspected insider
Specter	May	~$2M	Token contract vulnerability

Data Sources

PeckShieldAlert: https://x.com/PeckShieldAlert/status/2061713210210988434
CryptoCompass: https://cryptocompass.com/articles/tesseradao-hack-drains-2-5-million-as-tsr-token-crashes-nearly-99-on-bnb-chain
BSCScan: https://bscscan.com/address/0x2201037A1755eC48eC5f00Fea21A10A9E56f2Dd8

Risk Warnings

Beware of "Centralized Mint Authority": If projects retain single-point minting capability, user funds are never safe
Pay Attention to Project Silence: Projects that don't respond after an attack are often心虚 (guilty) Rug Pulls
DeFi Security Requires Systematic Auditing: Pre-launch audits alone are insufficient for long-term security

🔒 Protect Your Crypto with ChainSentinel

ChainSentinel — AI-powered on-chain risk intelligence platform:

Real-time Risk Scanning — Check any address for rug pulls, phishing, and exploit risks
Multi-Chain Monitoring — Ethereum, BSC, and more
AI-Powered Analysis — Gemini-driven risk engine

👉 Try ChainSentinel Free | Pro Plan - $29/month

Stay safe on-chain. Get alerts before the next exploit.

DxSale Legacy Vulnerability - $7.3M Loss 1400+ Victims

qanzhi111 — Fri, 05 Jun 2026 10:47:06 +0000

DxSale Legacy Architecture Vulnerability Investigation Report

Date: June 2, 2026

Loss Amount: ~$7.3M

Affected Users: 1,400+ Liquidity Providers

Status: Team Blaming BSC New Features

Executive Summary

In early June 2026, DxSale—a DeFi Launchpad project—suffered an attack on its legacy liquidity vault (deployed in 2021), with approximately $7.3 million drained from over 1,400 locked liquidity pools.

This is a classic case of "Sleeping Vulnerability Awakening"—code lying dormant for 3 years, becoming catastrophic once discovered.

Attack Vector Analysis

Key Findings

Legacy Architecture: First-generation vault from 2021 was never properly audited or deprecated
Ownership Transfer: Contract ownership was secretly transferred 269 days ago, never publicly announced by the team
Fee-Modification Abuse: Administrators can use the fee modification mechanism to convert "locked" assets into withdrawable funds

Fund Flow

Stage	Details
Attacker Address	`0xC457...FA69` (full address requires further investigation)
Main Fund Vaults	Two wallets, each receiving ~$1.87M BNB
Money Laundering Channel	Multiple deposits into Binance
Initial Gas Source	Attacker obtained initial gas fees through Bybit

Team Response: The Blame Game

DxSale Official Statement:

"The vulnerability only affects the first-generation vault from 2021, related to BSC's new atomic transaction feature. The new contracts are completely safe."

Problems with This Narrative

Secretly transferred permissions 269 days ago, now blaming BSC's new features?
If new contracts are safe, why was the old vault completely drained?
"First Generation Vaults" were essentially a backdoor planted by the team that was never cleaned up

Legacy Architecture Risk Matrix

Vulnerability Type	Impact	Affected Architecture
Fee-Modification Privilege Abuse	Locked assets can be arbitrarily withdrawn	First Generation Vaults (2021)
Atomic Transaction Manipulation	Cross-chain execution exploited	BSC Interface
Secret Ownership Transfer	Permission chain tracking difficult	All Historical Contracts

Community Response

Blockchain analyst Tahax discovered:

Malicious wallet only appeared shortly before the attack
Attacker obtained gas fees through Bybit deposit
Some funds passed through obfuscation infrastructure

Coinsult Analysis Conclusion:

"Fee-Modification mechanism + Legacy Asset Locking Function = Lethal Combination"

2026 DeFi Security Data

Month	Attack Count	Loss Amount
April	~30	$634M (Annual High)
May	~60	$59M
Early June	Ongoing	Multiple > $1M

Data Sources

PeckShieldAlert: https://x.com/PeckShieldAlert/status/2060188553079054351
Tahax Analysis: https://x.com/Tahax1/status/2060003698651087205
Coinsult: https://x.com/CoinsultAudits/status/2060015934153146757
DxSale Response: https://x.com/dxsale/status/2060739439744237912
Meterpreter Analysis: https://meterpreter.org/dxsale-liquidity-pool-exploit/

Risk Warnings

2021 Code = Time Bomb: Features considered "innovative" at the time may now be vulnerabilities
Regular Audits: Projects need continuous monitoring after launch, especially legacy contracts
Permission Transparency: Ownership transfers must publicly notify the community
Locked ≠ Safe: If "lockup" functionality has admin backdoors, there's no actual lock

🔒 Protect Your Crypto with ChainSentinel

ChainSentinel — AI-powered on-chain risk intelligence platform:

Real-time Risk Scanning — Check any address for rug pulls, phishing, and exploit risks
Multi-Chain Monitoring — Ethereum, BSC, and more
AI-Powered Analysis — Gemini-driven risk engine

👉 Try ChainSentinel Free | Pro Plan - $29/month

Stay safe on-chain. Get alerts before the next exploit.

WUSD.fi GLOVE Sybil Farming Attack - $207K Onchain

qanzhi111 — Fri, 05 Jun 2026 10:46:01 +0000

WUSD.fi GLOVE Sybil Farming Attack - Onchain Investigation Report

Report Date: May 28, 2026

Event Type: Sybil Farming Attack

Loss Amount: ~$207,000 USD

Attack Time: May 25, 2026 06:07 UTC

Affected Chain: Ethereum Mainnet

Starting Block: 25,170,426

I. Executive Summary

On May 25, 2026, the WUSD.fi protocol suffered a meticulously planned Sybil farming attack. The attacker exploited a design flaw in the protocol's reward mechanism, using EIP-7702 technology to batch-create wallet addresses for farming GLOVE token rewards, ultimately stealing approximately $207,000 from Uniswap V3 liquidity pools.

Key Findings:

This is the first large-scale attack using EIP-7702, marking the maturation of a new attack technique
The core vulnerability lies in the lack of Sybil resistance mechanism in the WUSD._englove() function
The attacker converted funds to 98 ETH and transferred them to the Railgun privacy protocol to increase tracing difficulty
As of the report date, the WUSD.fi team has not issued any official statement

II. Event Overview

2.1 Project Background

Project Information	Details
Project Name	WUSD.fi / GLOVE
Token Type	ERC-20 (WUSD, GLOVE)
Deployment Network	Ethereum Mainnet
Protocol Type	Stablecoin Wrapper Protocol + Incentive Reward System
GLOVE Utility	Protocol incentive token, distributed via wrap fee buybacks
Core Mechanism	WUSD._englove() + Glove.mintCreditless()

GLOVE Token Economics:

WUSD protocol charges 1% fee on each wrap operation
Fee revenue is used to purchase GLOVE tokens on the open market
GLOVE is distributed as rewards to protocol participants
GLOVE has a "utility credit" system where users must accumulate internal credits to sell GLOVE holdings

2.2 Attacker Profile

Attribute	Details
Main EOA Address	`0x88329A09428778F62BC0C8BAac0997864E5a57f8`
GLO-USDC Pool Extraction Address	`0xB89F65D6c7d33A35Da7C01934e310a6f40E18A1f`
GLO-USDT Pool Extraction Address	`0xa2Bd1A142ff49131B8CC70A332bdA0125018c324`
Operation Mode	Automated batch operations, EIP-7702 contract-driven
Current Fund Status	Converted to 98 ETH, deposited in Railgun

III. Vulnerability Analysis

3.1 Vulnerability Mechanism: WUSD._englove() Design Flaw

Vulnerable Code Logic:

Condition 1: Wallet is a fresh wallet (new wallet)
Condition 2: wrap ≥ 100 WUSD
Condition 3: Holdings < 2 GLOVE
→ Can call Glove.mintCreditless() to receive 2 GLOVE

Triple Absence:
| Protection Measure | Status |
|-------------------|--------|
| Identity Check | ❌ Missing |
| Rate Limit | ❌ Missing |
| Sybil Detection | ❌ Missing |

Attack Viability:

Any new wallet address meeting the conditions can claim 2 GLOVE tokens
Attackers can farm rewards infinitely by batch-creating addresses
The contract code logic is completely correct, but the economic incentive design has fundamental flaws

3.2 Deep Analysis of EIP-7702 Attack Mechanism

What is EIP-7702:
EIP-7702 is a new feature introduced in the Ethereum Pectra upgrade, allowing Externally Owned Accounts (EOAs) to temporarily delegate execution rights to smart contracts, enabling regular wallets to operate as contracts.

Key Role in the Attack:

Traditional Method: Each new wallet address creation requires:
                   1. Generate private key
                   2. Deploy wallet contract (or use EOA)
                   3. Fund transfer
                   4. Contract call
                   → High cost and low efficiency per operation

EIP-7702 Method:
                   1. Deploy single helper contract
                   2. Batch-delegate multiple EOA addresses via EIP-7702
                   3. Automated execution of all operations within the contract
                   → Significantly reduces batch operation costs, enabling scalable attacks

Technical Breakthrough:

The attacker only needed to deploy one EIP-7702 helper contract
This contract could delegate unlimited EOA addresses to execute smart contract logic
Each delegated address appeared as a "fresh wallet" to the protocol
Achieved single contract, multiple addresses, large-scale Sybil farming attack

EIP-7702 Security Warning:
This is another case of EIP-7702 being used for malicious purposes since the Pectra upgrade in May 2025. Phishing attacks had previously exploited this technology, resulting in $1.54M in losses.

IV. Attack Path Reconstruction

4.1 Complete Attack Flowchart

┌─────────────────────────────────────────────────────────────────────┐
│                         MORPHO USDT FLASH LOAN                       │
│                           ($100,000+ USDT)                          │
└──────────────────────────────┬──────────────────────────────────────┘
                               │
                               ▼
┌─────────────────────────────────────────────────────────────────────┐
│                    Deploy EIP-7702 Helper Contract                   │
│               Contract address temporarily gains                      │
│               smart contract execution capability                    │
└──────────────────────────────┬──────────────────────────────────────┘
                               │
                               ▼
┌─────────────────────────────────────────────────────────────────────┐
│                     Batch Create Fresh Wallet Cluster               │
│                    (Hundreds to thousands of new addresses)          │
└──────────────────────────────┬──────────────────────────────────────┘
                               │
              ┌────────────────┼────────────────┐
              ▼                ▼                ▼
        ┌──────────┐    ┌──────────┐     ┌──────────┐
        │Wallet #1 │    │Wallet #2 │     │Wallet #N │
        │ wrap 100 │    │ wrap 100 │     │ wrap 100 │
        │   WUSD   │    │   WUSD   │     │   WUSD   │
        └────┬─────┘    └────┬─────┘     └────┬─────┘
             │               │               │
             ▼               ▼               ▼
        ┌─────────────────────────────────────────┐
        │       Call Glove.mintCreditless()        │
        │         Each address claims 2 GLOVE      │
        └─────────────────────────────────────────┘
                               │
                               ▼
        ┌─────────────────────────────────────────┐
        │          Batch Dump GLOVE to             │
        │          Uniswap V3 Liquidity Pools      │
        │  (GLO-USDC Pool + GLO-USDT Pool)         │
        └─────────────────────────────────────────┘
                               │
              ┌────────────────┼────────────────┐
              ▼                ▼                ▼
        ┌──────────┐    ┌──────────┐     ┌──────────┐
        │-11,702   │    │ -8,079   │     │  Profit  │
        │  USDC    │    │  USDT    │     │ Aggregation
        └──────────┘    └──────────┘     └────┬─────┘
                                               │
                                               ▼
                                      ┌─────────────────┐
                                      │   Repay Morpho  │
                                      │   Flash Loan    │
                                      └─────────────────┘
                                               │
                                               ▼
                                      ┌─────────────────┐
                                      │   Convert to ETH│
                                      │   (~98 ETH)     │
                                      └─────────────────┘
                                               │
                                               ▼
                                      ┌─────────────────┐
                                      │    Railgun      │
                                      │  (Privacy)      │
                                      └─────────────────┘

4.2 Detailed Timeline

Time (UTC)	Block Height	Event Description
06:07:59	25,170,426	Attacker initiates first Morpho USDT flash loan
06:08-06:15	~25,170,426-	EIP-7702 contract deployment, batch wallet creation
06:08-06:15	~25,170,426-	Loop wrap/unwrap operations, mass mintCreditless calls
06:08-06:15	~25,170,426-	GLOVE tokens batch minted and sold
06:08-06:15	~25,170,426-	GLO-USDC pool loses 11,702 USDC
06:08-06:15	~25,170,426-	GLO-USDT pool loses 8,079 USDT
06:15	~	Repay Morpho flash loan principal + interest
06:15	~	Profit aggregation to attacker main address
06:15	~	Converted to ~98 ETH
06:54:52	~	ExVul security researcher first public warning
08:38:05	~	PeckShield confirms attack, publishes complete analysis
08:38+	~	98 ETH transferred to Railgun privacy protocol

4.3 Fund Flow Tracking

Initial Fund Source:
| Source | Amount | Nature |
|--------|--------|--------|
| Morpho USDT Flash Loan | $100,000+ | Flash loan (repaid within single transaction) |
| Attacker Own Funds | Small amount of ETH | Initial Gas fees |

Lost Asset Details:
| Asset | Amount | Source Pool | Extraction Address |
|-------|--------|-------------|-------------------|
| USDC | 11,702.083968 | Uniswap V3 GLO-USDC | 0xB89F65D6c7d33A35Da7C01934e310a6f40E18A1f |
| USDT | 8,079.161526 | Uniswap V3 GLO-USDT | 0xa2Bd1A142ff49131B8CC70A332bdA0125018c324 |
| Total | ~19,781.24 | Stablecoin Value | - |

Fund Aggregation and Mixing:

GLO-USDC Pool Extraction Address ─┐
                                   ├──▶ Attacker Main EOA ──▶ Convert to 98 ETH ──▶ Railgun
GLO-USDT Pool Extraction Address ─┘

Railgun Transfer Records:

Amount: ~98 ETH (worth approximately $207,000)
Time: Shortly after PeckShield confirmation
Purpose: Anonymize transactions via zero-knowledge proofs, sever chain tracking

V. Sybil Wallet Network Analysis

5.1 Attack Scale Estimation

Based on attack revenue and single reward (2 GLOVE) estimation:

Total Loss ≈ $207,000
Single Wrap Fee ≈ 1% × 100 WUSD = 1 WUSD ≈ $1
Per Cycle Cost ≈ gas fees + wrap fee
Per Cycle Revenue ≈ 2 GLOVE × GLOVE price

Conservative estimate: Hundreds to thousands of Fresh Wallet addresses involved

5.2 Wallet Cluster Characteristics

Characteristic	Description
Address Type	EIP-7702 Delegated EOA
Creation Time	Within attack window (~06:07-06:15 UTC)
Lifecycle	Single-use (abandoned after attack)
GLOVE Holdings	All sold after attack
Correlation	Shared same EIP-7702 helper contract

5.3 EIP-7702 Contract Address

Based on public onchain analysis, the attacker's deployed EIP-7702 helper contract:

Function: Batch management of delegated EOA addresses
Permissions: Temporarily obtained EOA execution rights
Status: Possibly abandoned or destroyed after attack

VI. Flash Loan Path Analysis

6.1 Morpho USDT Flash Loan Mechanism

Morpho Protocol Features:

Optimization lending market based on Aave V3
Supports flash loans, no collateral required
Atomic transaction guarantee

Flash Loan Workflow:

1. Attack contract borrows USDT from Morpho
         ↓
2. Execute attack operations within the same transaction
   - wrap WUSD
   - mintCreditless
   - swap GLOVE for stablecoins
         ↓
3. Repay USDT principal + fees
         ↓
4. Transaction succeeds, profit goes to attacker
   OR
   Transaction fails/rolls back, Morpho funds untouched

6.2 Complete Attack-Repayment Path

Step	Operation	Amount
1	Borrow Morpho USDT	+$100,000+
2	wrap WUSD (loop N times)	-$N WUSD
3	mintCreditless (loop N times)	+2N GLOVE
4	swap GLOVE → USDC/USDT	Sell all GLOVE
5	Extract liquidity from GLO pools	+$207,000
6	Repay Morpho USDT + fee	-$100,000+
7	Net profit aggregation	+$207,000-$100,000

VII. GLOVE Token Economic Impact

7.1 Immediate Market Impact

Impact Dimension	Description
Price Impact	GLOVE token price pressured by massive selling
Liquidity Impact	GLO-USDC and GLO-USDT pool liquidity significantly decreased
LP Loss	Liquidity provider positions damaged by impermanent loss + pool draining
Protocol Trust	Reward mechanism vulnerability exposed, protocol credibility damaged

7.2 Long-term Token Economics Impact

Item	Assessment
GLOVE Token Price	Faces selling pressure short-term, depends on protocol fix long-term
Protocol TVL	Liquidity providers may withdraw funds
Incentive Mechanism	Requires redesign with Sybil resistance
Community Trust	WUSD.fi non-responsive as of report date affects trust recovery

7.3 Industry Trend Correlation

2026 DeFi Security Landscape:

As of report date, DeFi exploit cumulative losses: ~$770M+
May became a high-incident period for liquidity layer attacks
Incentive paths and internal accounting becoming new attack vectors
Traditional code audits cannot cover economic incentive design flaws

VIII. Security Warnings and Recommendations

8.1 Vulnerability Root Cause Summary

Dimension	Issue
Code Level	Contract logic correct, no typical vulnerabilities
Design Level	WUSD._englove() lacks Sybil resistance
Economic Level	mintCreditless has no frequency limit/identity verification
Audit Level	Routine audits don't test economic incentive paths

8.2 Protocol Security Recommendations

Immediate Actions:

Pause Glove.mintCreditless() functionality
Implement wallet history correlation detection
Add per-address claim frequency limits
Introduce onchain identity verification (e.g., WorldID)

Long-term Improvements:

Economic incentive design requires special audits
Introduce TWAP price oracle to prevent flash loan manipulation
Establish real-time anomaly monitoring and alerting system
Consider decentralized emergency pause mechanism

8.3 User Risk Warnings

Risk Type	Description
LP Risk	Liquidity providers in attacked pools lost assets
Exposure Risk	Users holding GLOVE tokens face selling pressure
Trust Risk	Protocol non-response may indicate Rug Pull
Recovery Risk	Funds have entered Railgun, recovery extremely unlikely

IX. Evidence Sources

9.1 Onchain Data Sources

Source	Link/Notes
Etherscan	API Key: 2WASDAKWI6H5S1HJNS4V4RYZNBHW2QUCFA
PeckShield Alert	https://twitter.com/PeckShieldAlert
ExVul Research	https://twitter.com/ExVul_
Lookonchain	https://m.lookonchain.com/feeds/57616

9.2 Security Company Confirmations

Company	Status	Source
ExVul	First public warning	X/Twitter
PeckShield	Confirmed and tracking	X/Twitter Alert
SlowMist	Added to hack database	Hack Archives

9.3 News Sources

Source	Link
Live Bitcoin News	https://www.livebitcoinnews.com/wusd-fi-sybil-farming-attack-drains-200k-from-glove-pools/
CoinAlert News	https://coinalertnews.com/news/2026/05/27/defi-exploits-glove-stakedao
CoinFi	https://www.coinfi.com/news/1812793/wusdfi-sybil-farming-attack-drains-200k-from-glove-pools
Crypto Adventure	https://coinstats.app/news/21f76ad1f0bcf1a49e26ef5b33f5a896986db9aaaef63be7d0f8ca08f952adc1_WUSDGLOVE-Exploit-Drains-207K-Before-Funds-Move-Into-Railgun
OurCryptoTalk	https://ourcryptotalk.com/news/glove-exploit-wusd-fi-200k-sybil-attack

X. Appendices

Appendix A: Key Address Summary

Address Purpose	Address
Attacker Main EOA	`0x88329A09428778F62BC0C8BAac0997864E5a57f8`
GLO-USDC Pool Extraction	`0xB89F65D6c7d33A35Da7C01934e310a6f40E18A1f`
GLO-USDT Pool Extraction	`0xa2Bd1A142ff49131B8CC70A332bdA0125018c324`
Target Contract	`0x068e3563b1c19590f822c0e13445c4fa1b9eefa5`

Appendix B: Attack Statistics

Metric	Value
Attack Duration	~8 minutes
Attack Block Range	25,170,426+
GLO-USDC Pool Loss	11,702.083968 USDC
GLO-USDT Pool Loss	8,079.161526 USDT
Total Stablecoin Loss	~19,781.24
ETH Equivalent	~98 ETH
Final Loss	~$207,000

Disclaimer: This report is based on publicly available on-chain data and third-party sources for informational purposes only. The analysis and recommendations in this report should not be construed as legal or investment advice.

Report Generation Date: May 28, 2026

🔒 Protect Your Crypto with ChainSentinel

ChainSentinel — AI-powered on-chain risk intelligence platform:

Real-time Risk Scanning — Check any address for rug pulls, phishing, and exploit risks
Multi-Chain Monitoring — Ethereum, BSC, and more
AI-Powered Analysis — Gemini-driven risk engine

👉 Try ChainSentinel Free | Pro Plan - $29/month

Stay safe on-chain. Get alerts before the next exploit.

Fake Uniswap Google Ads Phishing - $400K+ Stolen

qanzhi111 — Fri, 05 Jun 2026 10:35:46 +0000

Fake Uniswap Google Ads Phishing Scam Investigation Report

Investigation Date: May 26, 2026

Incident Type: Google Ads Phishing Scam

Loss Amount: $400,000+

Attacker Wallets:

0x37925684BA178821b4436E06e67f5dBD6cfA49Bb
0x2fC25F46cC49D226eF92E9A7665f3d2821F3c5E2

📋 Executive Summary

On May 25, 2026, on-chain analyst b_block discovered that attackers were purchasing Google sponsored advertisements to impersonate the official Uniswap website, luring users to connect their wallets and sign malicious transactions, thereby stealing user assets.

As of this report, the two attacker wallets collectively hold approximately 146 ETH (valued at approximately $306,000 at the time), with total losses exceeding $400,000.

🔍 Attack Vector Analysis

Attack Flow

Ad Placement: Attackers purchased sponsored ads for "Uniswap" keyword on Google Search platform
Phishing Website: Users clicking the ad are directed to a meticulously crafted phishing website with an interface nearly identical to the official site
Malicious Authorization: When users connect their wallet and sign transactions, they are actually granting access permissions to a malicious contract
Fund Transfer: The drainer contract automatically transfers user assets to wallets controlled by the attacker

Attack Tools

Security researchers identified that the phishing website utilized the AngelFerno drainer tool, a Phishing-as-a-Service (PhaaS) malware.

Attackers also employed the following techniques to evade detection:

Punycode URL: Utilizing Cyrillic characters to make phishing domains visually indistinguishable from legitimate domains
Hidden iframe: Loading malicious code while remaining invisible to Google's automated review systems
Traffic Redirection: Secretly routing all user network traffic to attacker-controlled servers

Attacker Infrastructure

Phishing websites utilized Google trusted services (sites.google.com, docs.google.com) to bypass detection
Advanced infrastructure including Cloudflare Workers, Arweave hosting for payloads, and proxy layers
Capable of intercepting Ethereum RPC requests and monitoring user activity in real-time

📊 Fund Flow Analysis

Wallet Address	Held Assets	Estimated Value
0x37925684...A49Bb	~73 ETH + tokens	~$153,000
0x2fC25F46c...c5E2	~73 ETH + tokens	~$153,000
Total	~146 ETH	~$306,000

⚠️ Systemic Risk Analysis

Google Ads Platform Responsibility

According to Security Alliance (SEAL) reports:

During March 2026, Google Ads phishing attacks stole approximately $1.27 million
SEAL blocks over 356 malicious Google ad links weekly
This attack pattern has persisted for over one year with no signs of slowing

Notable Victims

Uniswap founder Hayden Adams has publicly criticized Google's failure to effectively combat counterfeit advertisements:

"These scams are absolutely terrible, and we have been fighting them for years. Counterfeit scam apps impersonating our Uniswap keep appearing, despite our continuous applications to the Apple App Store, which took months to get approved."

FBI Data

According to FBI's "2025 Internet Crime Report":

Cryptocurrency-related complaints: 181,565
Total losses: $11.36 billion (22% year-over-year increase)
Average loss per victim: $62,604

🛡️ Community Protection Recommendations

Bookmark Verification: Manually bookmark DeFi platform URLs rather than relying on search
Manual URL Entry: Directly type official domain names into the browser
Verify Channels: Use trusted aggregators like DeFiLlama to verify protocol information
Regular Revocation: Use revoke.cash to regularly clean up unnecessary token approvals
Hardware Wallet: Use hardware wallets and carefully review each transaction
Ad Blocking: Consider using ad-blocking plugins and anti-phishing browser extensions

📝 Unique Analytical Perspective

This case reveals the contradiction between centralized platforms and decentralized finance:

DeFi protocols themselves are secure: Uniswap smart contracts have never been compromised
The problem lies at the entry point: Google search results have become accomplices for attackers
Irreversibility: Blockchain transactions cannot be reversed; once malicious transactions are signed, funds cannot be recovered

This differs fundamentally from traditional cybersecurity—users cannot "call customer service" or "request a refund," relying only on prevention rather than remediation.

📚 Data Sources

Investigator: Onchain Shadow

OPSEC Statement: This report is based on publicly available on-chain data and media reports, all information sourced from publicly available sources.

Disclaimer: This report is based on publicly available on-chain data and media reports for security research purposes only.

🔒 Protect Your Crypto with ChainSentinel

ChainSentinel — AI-powered on-chain risk intelligence platform:

Real-time Risk Scanning — Check any address for rug pulls, phishing, and exploit risks
Multi-Chain Monitoring — Ethereum, BSC, and more
AI-Powered Analysis — Gemini-driven risk engine

👉 Try ChainSentinel Free | Pro Plan - $29/month

Stay safe on-chain. Get alerts before the next exploit.

StablR Stablecoin Hack - EURR/USDR Admin Key Attack

qanzhi111 — Fri, 05 Jun 2026 10:34:44 +0000

StablR Stablecoin Hack Investigation Report

Date: May 27, 2026

Event: StablR EURR/USDR Stablecoin Admin Key Attack

Attack Time: May 24, 2026

Investigator: Onchain Shadow

Executive Summary

MiCA-compliant stablecoin issuer StablR suffered a major security incident. Attackers compromised a 1-of-3 multisig private key, obtained minting permissions, and minted approximately $13.5 million in unbacked stablecoins (8.35M USDR + 4.5M EURR), cashing out approximately $2.8 million (1,115 ETH) through DEX dumping.

Core Irony: StablR holds a Maltese Financial Regulator license, claims MiCA compliance, but minting permissions were protected by only a 1-of-3 multisig—one private key compromised and the entire system fell.

Key Metrics

Metric	Value
Fake Token Face Value	~$13.5M (8.35M USDR + 4.5M EURR)
Actual Cash-Out Amount	~$2.8M (1,115 ETH)
EURR Depeg Extent	-23% ($1.15 → $0.88)
USDR Depeg Extent	-30% ($1.00 → $0.40 low)
Multisig Configuration	1-of-3 (one signature suffices)
Attack Duration	>3 hours (slow team response)

Attacker Addresses

Role	Address	Notes
Primary Attack Wallet	`0xD4677B5A8B1b97EA213Fdb876b0FcBAB3f9F6CD1`	Added as multisig owner, then executed minting
Secondary Wallet	`0x482aC1a69A41e7657DE6B420B7346FB09DA09115`	Replaced original compromised owner
Tertiary Wallet	`0xbC631Daf86611f32FAA63E7EC8c9c9571F2F5BB3`	Replaced legitimate owner
Compromised Owner	`0xC73fD562de86d7860EE636C20813Bcb2cF4D550d`	Private key stolen
ZachXBT Tagged Address 1	`0xea480c23d7b29a515856aafe0dc86f7519965a04`	Via CCTP/Noble deposit
ZachXBT Tagged Address 2	`0x09BE1A36c2d7f9909eb3D6F9184c6e46A12B0ACA`	Associated address
ZachXBT Tagged Address 3	`0x6283558eB6948CA50A2bE942D98A41ca4d1Def40`	Associated address
ZachXBT Tagged Address 4	`0xf1f70d7461356f32b97ddc2cd54a490d4363340e`	Associated address
ZachXBT Tagged Address 5	`0x74b4621b82eb31c5fd9fbad5729bef1813e26dcf`	Associated address
ZachXBT Tagged Address 6	`0x8aaa93d06bf8de94c282f66a16effe6d9d94d038`	Associated address
ZachXBT Tagged Address 7	`0x5D2184d84b82B67c1818Bbec8ce81E7Df14F6bAb`	Associated address

Affected Contracts

Contract	Address
USDR Token	`0x7B43E3875440B44613DC3bC08E7763e6Da63C8f8`
EURR Token	`0x50753CfAf86c094925Bf976f218D043f8791e408`
Multisig Wallet	`0xF45392bd2D6e6b8C5Dc26BA6c8a12889419B82F3`

Key Transaction Hashes

Transaction	Hash	Description
Ownership Change 1	`0x1f8a6764f66bb5a2438dc62f89bfe52080dbca782444c3757dbf1e1ce3a11bec`	Attacker replaced legitimate owner
Ownership Change 2	`0xde5bc3b7b80576f894fbc7e2c8fea5f8829503bae75dcf30a27725cd95a05f16`	Attacker replaced original compromised owner
Minting Transaction	`0xa720...24ed`	Minted USDR/EURR

Attack Timeline (UTC)

Time	Event
Before 5/24	Attacker deposited funds to wallet via CCTP/Noble
5/24 Attack Start	Attacker used compromised private key to operate multisig
Step 1	Added `0xD467...6CD1` as multisig new owner
Step 2	Replaced legitimate owner `0xD4b6...aD40` → `0xbC63...5BB3`
Step 3	Replaced compromised owner `0xC73f...550d` → `0x482a...9115`
Step 4	Minted 8.35M USDR + 4.5M EURR via `0xD467...6CD1`
Step 5	Dumped on Uniswap and other DEXs for ETH
Step 6	Used admin privileges to blacklist/burn 2.7M EURR from legitimate users
3+ hours	StablR team unresponsive; ZachXBT helped freeze 6-figure funds
8 hours later	Attack stopped; StablR issued statement

Technical Analysis

Root Cause: 1-of-3 Multisig = Single Point of Failure

StablR's minting multisig was configured at 1-of-3 threshold, meaning any 1 of 3 signers could authorize transactions. This degraded the entire stablecoin system's security to a single private key.

Comparison:

Harmony Horizon Bridge (2022, $100M hack): At least 2-of-5
Industry Standard: 2-of-3 or 3-of-5 + hardware wallets + geographic distribution
StablR: 1-of-3 — weaker than a bridge hacked two years ago

Attack Method Breakdown

Key Acquisition: Attacker obtained private key of owner 0xC73f...550d (method undisclosed; possible phishing/malware/supply chain attack)
Permission Takeover: Using 1-of-3 threshold, just one signature enabled:
- Adding attacker address as new owner
- Removing legitimate owners
- Obtaining 100% multisig control
Unlimited Minting: Called mint function via compromised multisig
DEX Cash-Out: Dumped newly minted tokens on Uniswap and other DEXs; shallow liquidity pools resulted in significant discounts
Countering Legitimate Users: Used admin privileges to blacklist+burn legitimate user tokens, preventing redemption

Why Only $2.8M Cash-Out from $13.5M Face Value?

USDR/EURR DEX liquidity pools extremely shallow (EURR market cap only $14M; USDR market cap $11M)
Large dumps caused massive slippage
Depeg triggered panic selling, further deteriorating prices

Background & Impact

Who is StablR?

Malta-registered EMI (Electronic Money Institution) license holder
Uses Tether's Hadron tokenization infrastructure
Received Tether strategic investment in December 2024
Received Kraken investment in July 2025
Claims EURR/USDR trading volume exceeded €3 billion in H1 2025
MiCA compliant; reserve funds held in segregated accounts

2026 DeFi Attack Pattern Shift

According to DefiLlama data:

70%+ of 2026 large DeFi losses stem from key/management permission theft, not smart contract vulnerabilities
April single month lost $634 million across 28+ incidents, worst month on record
LayerZero bridge exploits (18%), admin key theft (16%), fake tokens (14%), private key leaks (11%)
This case belongs to the same attack pattern as Echo Protocol and Drift Protocol

Irony of European Stablecoin Regulation

Attack occurred as ECB pushed for tighter euro stablecoin liquidity rules
ECB President Lagarde just stated euro stablecoins pose potential financial stability risks
EURR accounts for only 0.24% of Ethereum fiat stablecoin total
MiCA compliance ≠ Technical Security

Pending Deep Investigation Areas

Attacker Identity Tracing: Trace KYC information at CCTP/Noble deposit source
Compromised Key Acquisition Method: Phishing/insider/supply chain?
ZachXBT's 7 Tagged Associated Addresses: Complete fund flow mapping
Burned 2.7M EURR: Whose assets were destroyed? Legal consequences?
Tether/Kraken Investor Responsibility: Did they conduct adequate technical due diligence?
Fund Freeze Progress: Was 6-figure freeze successful? Where did remaining funds go?

Data Sources

BeInCrypto - Echo Protocol Hack Autopsy
Cointelegraph - StablR EURR USDR depeg
CryptoCompass - StablR Technical Analysis
CryptoWisser - StablR Stablecoins Lose Peg
Blockonomi - ZachXBT Flags StablR Exploit
ZachXBT Telegram/X posts (May 24, 2026)
Blockaid real-time exploit detection

Investigator: Onchain Shadow

Disclaimer: This report is based on publicly available on-chain data and media reports for security research purposes only.

🔒 Protect Your Crypto with ChainSentinel

ChainSentinel — AI-powered on-chain risk intelligence platform:

Real-time Risk Scanning — Check any address for rug pulls, phishing, and exploit risks
Multi-Chain Monitoring — Ethereum, BSC, and more
AI-Powered Analysis — Gemini-driven risk engine

👉 Try ChainSentinel Free | Pro Plan - $29/month

Stay safe on-chain. Get alerts before the next exploit.

Echo Protocol eBTC Admin Key Attack Investigation

qanzhi111 — Fri, 05 Jun 2026 10:27:04 +0000

Echo Protocol eBTC Admin Key Attack Investigation Report

Date: May 27, 2026

Event: Echo Protocol eBTC Admin Key Attack

Attack Time: May 18, 2026 ~17:55 ET

Investigator: Onchain Shadow

Executive Summary

BTCFi protocol Echo Protocol's eBTC deployment on Monad suffered an admin key attack. The attacker obtained DEFAULT_ADMIN_ROLE, self-granted MINTER_ROLE, minted 1,000 units of unbacked eBTC (face value $76.7M), and cashed out approximately $816K in real assets through Curvance lending protocol before laundering through Tornado Cash. Due to insufficient liquidity in Monad DeFi ecosystem, 955 eBTC remained illiquid and were ultimately destroyed by the Echo team.

Key Lesson: A $254M+ TVL protocol with management permissions tied to a single EOA private key—one key is the entire line of defense.

Key Metrics

Metric	Value
Fake Token Face Value	~$76.7M (1,000 eBTC)
Actual Cash-Out Amount	~$816K (384 ETH → Tornado Cash)
Face Value to Actual Ratio	94:1 (due to liquidity insufficiency)
Destroyed Fake Tokens	955 eBTC
Echo Aptos TVL	~$254M
ECHO Token Decline	-11% (after news broke)

Attack Flow Breakdown

Step 1: Obtain Admin Privileges

Attacker obtained control of eBTC contract's DEFAULT_ADMIN_ROLE. This permission was tied to a single EOA address (regular wallet, single private key) with no multisig protection, no timelock, and no rate limiting.

Step 2: Self-Grant Minter Role

grantRole(MINTER_ROLE, attacker_wallet)

Used admin privileges to grant themselves the minter role.

Step 3: Mint Fake eBTC

mint(attacker_wallet, 1000e8)

1,000 eBTC凭空出现。Face value $76.7M, real BTC backing: 0.

Step 4: Cover Tracks

Attacker revoked their own admin privileges, making on-chain traces less obvious. This was premeditated—the attacker knew investigators would first scan role authorization records.

Step 5: Cash Out via Curvance

Deposited 45 fake eBTC (face value $3.45M) into Curvance as collateral
Curvance had zero verification to distinguish real from fake eBTC—from the contract's perspective, eBTC is just eBTC
Borrowed 11.29 WBTC (~$867,700)

Step 6: Cross-Chain Laundering

Bridged WBTC to Ethereum mainnet
Swapped to ETH
Approximately 384 ETH ($821,700) deposited to Tornado Cash

Step 7: Remaining Fake Tokens Stranded

955 eBTC remained in attacker's Monad wallet, unable to cash out further due to liquidity exhaustion. Echo team subsequently destroyed these tokens.

Dual Failure Analysis

Failure 1: Echo Protocol — Single Private Key Managing $254M+ Protocol

DEFAULT_ADMIN_ROLE tied to an EOA
No multisig, no timelock, no minting cap, no rate limit
Entire Monad deployment security equivalent to single private key security

Failure 2: Curvance — No Collateral Source Verification

Accepted newly minted eBTC as collateral without verifying BTC backing
Lending protocols should implement post-mint cooldown periods or whitelist mechanisms
Isolated market design limited contagion but did not prevent single-asset exploitation

2026 DeFi Security Trends

Trend	Percentage	Description
Admin key/private key theft	70%+	Primary attack vector in 2026
LayerZero bridge exploits	18%	Cross-chain infrastructure risk
Fake/deception tokens	14%	Like the fake eBTC in this case
Smart contract vulnerabilities	<10%	Traditional attack vectors declining

Major May 2026 Events

Date	Project	Loss	Cause
5/24	StablR	$2.8M	1-of-3 multisig key compromised
5/22	Polymarket	$600K+	Exploitation
5/22	Verus Bridge	$8.5M (returned)	Malicious nodes + GG20 exploit
5/21	Map Protocol	96% crash	10 trillion tokens minted
5/19	Echo Protocol	$816K	Admin key compromised
5/15	THORChain	$10M	Malicious nodes
April	Drift	$285M	CCTP exploit
April	KelpDAO	$292M	Protocol attack

Defense Recommendations

For Protocols

Multisig Management: Minimum 2-of-3, recommended 3-of-5 + hardware wallets
Timelock: Ownership changes require 24-48 hour delay
Minting Cap: Single/daily minting limits
Rate Limiting: Large mints trigger alerts and delays
Role Separation: Admin/minter/pauser use different controllers

For Lending Protocols

Collateral Source Verification: Newly minted tokens require cooldown before serving as collateral
Minting Monitoring: Real-time monitoring of abnormal token supply growth
Isolated Markets: Curvance's isolated market design limited contagion—well done

Pending Deep Investigation Areas

Admin Key Compromise Method: Phishing/insider/supply chain/malware?
Attacker On-Chain Footprint: Fund destinations after Tornado Cash deposit
Curvance Bad Debt Handling: How are bad debts from 45 fake eBTC handled?
Cross-Chain Bridge Security: WBTC bridging path from Monad to Ethereum
Echo Aptos Deployment Comparison: Is aBTC management permissions equally vulnerable?

Data Sources

BeInCrypto - Echo Protocol Hack Autopsy
PIGlobalInvestments - Echo Protocol Hack on Monad
Cointelegraph - Echo Protocol eBTC exploited
BingX - ECHO token slides
The Arabian Post - Echo breach exposes Bitcoin DeFi risks
@dcfgod X post (initial exploit alert)
@keoneHD (Monad co-founder) confirmation

Investigator: Onchain Shadow

Disclaimer: This report is based on publicly available on-chain data and media reports for security research purposes only.

🔒 Protect Your Crypto with ChainSentinel

ChainSentinel — AI-powered on-chain risk intelligence platform:

Real-time Risk Scanning — Check any address for rug pulls, phishing, and exploit risks
Multi-Chain Monitoring — Ethereum, BSC, and more
AI-Powered Analysis — Gemini-driven risk engine

👉 Try ChainSentinel Free | Pro Plan - $29/month

Stay safe on-chain. Get alerts before the next exploit.

CWU Token On-Chain Investigation - $7.3M Commonwealth Rug Pull

qanzhi111 — Fri, 05 Jun 2026 10:26:57 +0000

CWU Token On-Chain Investigation Report

🚨 Case Summary

Token Name: Commonwealth (CWU)

Blockchain: Solana

Contract Address: CmVUoJUt7hMGc9ze7s8zYdnA7enMfCAFdQCggxcbACWU

Investigation Date: 2026-05-27

Risk Level: 🔴 Extremely High — Classic Slow-Motion Rug Pull

Current Status: Insiders still dumping; 85% of supply controlled by associated wallets

📊 Key Metrics

Metric	Project Claim	On-Chain Reality	Discrepancy
Circulation Ratio	90% "in circulation"	10-15% actual circulation	75-80% gap
Project Treasury	10%	85-90% in associated wallets	8-9x inflated
Holder Distribution	Wide distribution	200+ new wallets batch-claiming	Single entity control
Insider Dumping	Undisclosed	~$600,000 already sold	Ongoing

Price Trajectory (CoinGecko Real-Time Data, 2026-05-27)

Current Price: $0.02425 (24h +37.6%)
ATH: $0.03663 (2026-04-14)
ATL: $0.01141 (2026-04-10)
Market Cap: $21,836,596 (#801)
FDV: $24,249,481
24h Volume: $2,519,129 (+307%)
Primary Exchange: Meteora DAMM V2 (CWU/SOL, 100% volume)
⚠️ Rugcheck.xyz Warning: "Risk of market manipulation with significant token concentration in one or more unidentified wallets"
Trend: Short-term bounce, but continuous insider selling; long-term pressure

🔍 On-Chain Evidence Chain

1. Supply Concentration (Bubblemaps Analysis)

From Bubblemaps Case Analysis:

200+ newly created wallets were batch-funded around token launch
These wallets simultaneously claimed the vast majority of CWU supply
Inter-wallet transfers and connections indicate they are controlled by a single entity or coordinated organization
These associated wallets currently hold approximately 85-90% of total supply

2. Insider Dumping Pattern

Bubblemaps real-time monitoring:

Associated address cluster has sold approximately $600,000 in CWU tokens
Dumping occurred during price increases (classic "sell into strength" strategy)
After dumping, still control 85% of supply, meaning massive inventory remains available

3. Marketing Claims vs. On-Chain Reality

CWU Official Statement:

"90% of the token's total supply is 'in circulation' and only 10% is reserved for the project treasury"

On-Chain Reality:

200+ associated wallets control 87-90% of supply; truly free-floating tokens only 10-15%

This is a textbook false statement — the project distributed to 200+ wallets to create the illusion of "wide ownership," while a single entity maintains control.

🏛️ Political Endorsement Risk

John Agyekum Kufuor's Role

Ghana's 10th President (2001-2009)
Described as "Official Advisor" in CWU marketing materials
MEXC exchange listing states CWU "registered under the endorsement of John Agyekum Kufuor"
This political endorsement grants the token false legitimacy, attracting retail investors

Dangerous Combination: Political Endorsement × Memecoin

Trust Transfer: Retail investors assume "implicit backing" from a former head of state
Regulatory Vacuum: Political figure endorsements of crypto projects lack clear regulation in many jurisdictions
Cross-Border Complexity: Ghanaian politician + Solana chain + global traders = jurisdictional chaos
Deniability: Kufuor can claim "just an advisor," disclaiming responsibility for investment losses

Key Unanswered Questions

Did Kufuor actually receive CWU tokens or fiat payment?
Was Kufuor aware of the 200+ wallet concentration?
Could the former president's name be misused?

🧩 Rug Pull Mechanics Breakdown

Phase 1: Preparation (Pre-Launch)

Create 200+ new wallets
Fund in batches (avoid single large transfer triggering alerts)
Prepare marketing materials (political endorsement, MEXC listing narrative)

Phase 2: Launch

200+ wallets simultaneously claim vast majority of supply
Create illusion of "fair distribution"
Use political endorsement to attract retail entry

Phase 3: Pump

Extremely low float (85% locked in associated wallets) → scarcity drives price up
Market cap surges from $0 to $120M
Exchange listings (MEXC, etc.) add liquidity

Phase 4: Dump — Current Phase

Associated wallets continuously dump at price highs
Already cashed out ~$600,000
Still hold 85% supply, can continue dumping
32% decline is just the beginning

Phase 5: Crash — Predicted

When insiders complete exit, price approaches zero
Retail investors lose everything
Project may deny association with wallets

⚠️ Risk Assessment

Risk Dimension	Score	Explanation
Rug Pull Risk	🔴 10/10	85% supply concentration + continuous dumping
False Statement Risk	🔴 9/10	"90% circulating" vs actual 10-15%
Political Endorsement Misuse	🟡 7/10	Former president's endorsement potentially abused
Regulatory Recourse	🟡 5/10	Cross-border + anonymous team = enforcement difficulty
Retail Loss Risk	🔴 10/10	85% supply can crash price at any time

🔬 Next Steps for Deep Investigation (Pending API Key)

[ ] Trace funding sources of 200+ associated wallets (Solana RPC)
[ ] Identify funding patterns and timeline of associated wallets
[ ] Track post-dumping fund destinations (CEX? Mixer?)
[ ] Analyze whether Kufuor directly received CWU tokens
[ ] Contact MEXC exchange to confirm CWU listing review process
[ ] Compare patterns with other politically-endorsed memecoins

📝 Information Sources

Bubblemaps CWU Case Analysis
Crypto.news Report (2026-05-26)
Bitcoinworld Report (2026-05-26)
CoinCarp CWU Data
Bubblemaps X Post: @bubblemaps 2026-05-26

This report is for research and educational purposes only and does not constitute investment advice. On-chain data is based on publicly available information; conclusions require further verification.

Investigator: Onchain Shadow

Disclaimer: This report is based on publicly available on-chain data and media reports for security research purposes only.

🔒 Protect Your Crypto with ChainSentinel

ChainSentinel — AI-powered on-chain risk intelligence platform:

Real-time Risk Scanning — Check any address for rug pulls, phishing, and exploit risks
Multi-Chain Monitoring — Ethereum, BSC, and more
AI-Powered Analysis — Gemini-driven risk engine

👉 Try ChainSentinel Free | Pro Plan - $29/month

Stay safe on-chain. Get alerts before the next exploit.

Echo Protocol eBTC Admin Key Attack

qanzhi111 — Fri, 05 Jun 2026 10:21:56 +0000

Echo Protocol eBTC Attack

Investigation of the admin key attack on Echo Protocol eBTC.

Summary

The attack exploited an admin key vulnerability resulting in significant fund losses.

ChainSentinel

AI-powered on-chain risk intelligence. Try Free