GoPlus Security 🚦

3.6K posts

@GoPlusSecurity

Protect Your Every Transaction. User App: https://t.co/FHHKZyzH1j 🛡️ Dev Integration: Security Intelligence & SafeToken Protocol 🛡️

On-Chain · Joined May 2021
1.1K Following · 449.4K Followers
Pinned Tweet
GoPlus Security 🚦@GoPlusSecurity·
🚀 #GoPlus SafuSkill Launchpad is now LIVE —Turn your AI Skill into an asset
You built an AI Skill. People are using it. It’s already running inside other Agents— but you haven’t earned a single dollar.
The problem isn’t lack of value. It’s the lack of monetization infrastructure.
👉SafuSkill Launchpad is now live
Built on BNB Chain (@BNBCHAIN), integrated with the Flap protocol (@flapdotsh), designed to solve this exact problem:
→List your Skill
→Launch a token
→Auto-integrate with PancakeSwap
→More trading = more earnings
🛡 Built-in security: AgentGuard scanning + GitHub verification
SafuSkill is the secure marketplace for AI Agent Skills
Not just used— but traded, priced, and monetized, forming a full value loop:
-Marketplace (Discovery)
-Launchpad (Issuance)
-Earnings (Auto-accrual)
This is the Skill Economy—where Skills become tradable, yield-generating on-chain assets.
Try it now👇 safuskill.ai/launchpad
GoPlus Security 🚦@GoPlusSecurity·
Claude AI Chat File Leak Case Analysis: When an External “Solution” Becomes an Executable Instruction
Many people assume that security issues in Agents like Claude AI Chat usually happen because:
▪️ The user entered a malicious prompt
▪️ The system installed a malicious Skill
▪️ The device or account was compromised
But the publicly discussed case this time exposes another, more hidden type of risk: the attacker does not need to directly control your device, nor do they need to take over your account. They only need to get the Agent to actively install a dependency it should never have installed while carrying out a task.
reddit.com/r/cybersecurit…
On the surface, this looks like an ordinary “package installation mistake.” But the real issue is that, when handling complex tasks, Claude AI Chat may treat untrusted content from the external world as a solution that can be executed in the next step.
How does the risk emerge?
In many AI assistants with code execution capabilities, after a user uploads a file, the system does not simply “read it and answer.” To complete the task, it may continue doing many things in a cloud-based backend environment, such as:
▪️ Processing uploaded files
▪️ Running scripts
▪️ Installing dependencies
▪️ Accessing external resources
▪️ Generating intermediate files and final outputs
In this case, the Agent searched externally for a “solution.” But the attacker disguised malicious content as something that appeared reasonable. For example:
▪️ A troubleshooting post in a blog
▪️ A suggestion in a Reddit thread
▪️ Instructions on a GitHub page
▪️ A usage description of an npm package
On the surface, all of these look normal, like developer advice, debugging methods, or community best practices. But without sufficient security isolation, things that were originally just “reference information” may be mistakenly executed by the Agent and cause harm.
Why is this type of issue worth watching?
Because what the attacker is really exploiting is not a single command, but a default design pattern of Agents: as long as something appears helpful for completing the task, the Agent may plan the next step on its own. That means you need to worry about:
▪️ Whether it will treat external webpage content as a trusted solution
▪️ Whether it will install third-party dependencies on its own during the task
▪️ Whether it will execute untrusted code in an environment that has access to sensitive files
▪️ Whether it will exfiltrate session data without you noticing
Why is AgentGuard needed here?
In the Agent world, many risks do not begin at the moment the user clicks “confirm.” They begin when the Agent starts looking for solutions on its own. This is exactly where AgentGuard provides value: it does not only watch whether the model output is safe. More importantly, it adds an extra layer of judgment before critical actions happen:
▪️ Suspicious dependency installation — block first
▪️ High-risk network requests — inspect first
▪️ Outbound connections after accessing sensitive files — review first
▪️ Execution chains that look reasonable but are actually dangerous — evaluate first
GoPlus Security 🚦@GoPlusSecurity·
🚨 GoPlus Security Alert: DxSale Legacy Locker Exploit Drains $7.3M, Suspected Insider Involvement; Another $15.5M in Funds and LPs Still Require Emergency Action ❗️❗️
I. Incident Timeline
In August 2025, Telegram channels surfaced offering “DxSale insider-connected” services to unlock legacy LPs for sale publicly.
At 01:08 UTC on May 26, 2026, the original owner address 0x47BAcf93 called transferOwnership, transferring control of the locker contract to attacker address 0xC4574D.
On May 27, 2026 (20 hours before the attack), attacker wallet 0xC4574D received 104 BNB (~$67K) from Bybit as initial funding.
At 03:45 UTC on May 28, 2026, the attacker leveraged the EIP-7702 delegation mechanism to batch-drain more than 1,400 LP pools.
Within hours after the attack, the funds were routed through more than 80 wallet hops before eventually cashing out via multiple Binance addresses.
II. Root Cause Analysis
1️⃣ transferOwnership Lacked Security Protections: The legacy DxSale locker contract (deployed in 2021) inherited the standard Ownable pattern for its transferOwnership function, allowing the owner to transfer ownership to any address at any time, without a timelock, without multisig protection, and without monitoring or alert mechanisms. Once the owner private key is compromised — or the owner itself becomes malicious — all assets locked in the contract face the risk of being fully drained.
2️⃣ Legacy Contracts Left Unmaintained for Years: Since being deployed in 2021, the contract has continued holding a large amount of LP tokens from early BNB Chain projects, with the cumulative value exceeding tens of millions of dollars. However, these assets remained in a vacuum state: no audit updates, no security monitoring, original owners potentially having exited the industry, and contract code never upgraded.
3️⃣ EIP-7702 Was Abused for Batch Exploitation: By leveraging the batch-processing capability enabled by EIP-7702, the attacker was able to drain more than 1,400 pools within a single transaction flow.
4️⃣ Suspected Insider Premeditation: According to an investigation by eyeonchains (see Figure 1), as early as August 2025, Telegram channels were already openly offering services to “unlock legacy LPs through DxSale insider connections.” This indicates the attackers had long been aware of the exploitable nature of the contract owner privileges. Combined with the fact that the attack execution stretched across multiple days, proceeded at a controlled pace, and received no response from the project team, the incident strongly resembles a nine-month-long insider-planned exit operation. 🧐🕵️ Combined with DxSale’s historical infrastructure connections to projects such as SAFEMOON (whose team members were later criminally charged), the nature of this incident appears more consistent with an organized insider exit scam than with an isolated external exploit.
III. Attack Flow Analysis
1️⃣ On May 26, the original owner account of the DxSale Legacy Locker contract 0xEb3a9C updated the owner address to attacker address 0xC4574D: bscscan.com/tx/0x23e331a81…
Note: In addition to the exploited Locker contract 0xEb3a9C, other Locker contracts whose owner was updated to 0xC4574D include:
0x81E0eF68e103Ee65002d3Cf766240eD1c070334d (~$13.2M)
0x2D045410f002A95EFcEE67759A92518fA3FcE677 (~$2.2M)
0x5b5e94485c9628793B01A38762921Dc37B6829b6 (~$1.3K)
2️⃣ The attacker deployed exploit contracts (such as 0x74Ad1E), then upgraded 0xC4574D using EIP-7702, with the Delegator set to the exploit contract address (such as 0x74Ad1E): bscscan.com/tx/0xe6d29d066…
3️⃣ The attacker directly invoked the unlockToken function in the DxSale Legacy Locker contract using owner privileges, unlocking the LP tokens stored in the contract and transferring them to 0xC4574D: bscscan.com/tx/0xb107f19af…
4️⃣ After obtaining the unlocked LP tokens, the attacker removed liquidity from the pools. Example transaction (see Figure 2): bscscan.com/tx/0xb0ee7388a…
IV. Key IOC Summary
Exploited Locker Contract: 0xeb3a9c56d963b971d320f889be2fb8b59853e449
Original Owner (Suspected Insider / or Private Key Compromise): 0x47BAcf935066b802EAA0067eC14AB035B24eB78b
Primary Attacker Wallet 0xC4574DDEF299e7E563971e200433e592EeaaFA69
EIP-7702 Delegator Contracts
0x74Ad1Ef17Fbb3e494c31c72F7ec730A27FEf0310
0x996521B5Bb2bbF34764d89932f0Ea206e6A3A388
0xd6c7d6b19b9c05E8591542a13D297047C362d268
0xA0795423A2647eC750fEA5cAD3B709cFe7C814be
0xc2efbD94aeDFf1555b97ddCb216646DFC01e4718
Intermediate Aggregation Address A 0x47F80D09d1Bd0BB675ac627BDC1d1244731F66bf
Intermediate Relay Address B 0xF19acAD8EDCd733A8bF9175C93da9AB660afC747
Secondary Transfer Wallet A 0xb71c1C2A0cD7A88f1317f9A996e4d121E7db5E92
Secondary Transfer Wallet B 0x4c5ee9703653C8e7725C65593bff372655e0453C
Example Attack Transaction: bscscan.com/tx/0xb107f19af…
V. Security Recommendations
1️⃣ Projects should immediately verify whether their LPs remain locked in contracts 0xEb3a9C56, 0x81E0eF68, 0x2D045410, or 0x5b5e9448. If affected, immediate action should be taken to withdraw funds. Approximately $15.5M in assets still require urgent self-rescue measures.
2️⃣ The initial funding source was Bybit (104 BNB), and KYC tracing is recommended. The final cash-out routes involved multiple Binance addresses, and relevant security teams are advised to submit on-chain evidence and request freezing of attacker-related accounts.
3️⃣ Security mechanisms must be strengthened. Critical admin functions should always be protected by timelocks, owner privileges must use multisig wallets, and all ownership changes should trigger manual review procedures (including those involving EIP-7702).
4️⃣ As of now, DxSale has not issued any public incident response statement, and its silence itself warrants attention.
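Added example, not part of the GoPlus post or any GoPlus tooling: one way to implement the recommendation above that every ownership change should trigger manual review, including those involving EIP-7702. It decodes the standard Ownable `OwnershipTransferred` event and holds any change whose new owner is unapproved, a single key, or carrying an EIP-7702 delegation. It assumes the locker emits the standard Ownable event; the log entries, account code, `MULTISIG` and `OTHER_LOCKER` are constructed, and only the addresses marked "from the post" are real.

```python
# Added example (not GoPlus code): hold OwnershipTransferred events for manual review.
# Topic0 is keccak256("OwnershipTransferred(address,address)"), the standard Ownable event.
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"
EIP7702_PREFIX = "0xef0100"  # EIP-7702 delegation designator: 0xef0100 || 20-byte address

LOCKER = "0xeb3a9c56d963b971d320f889be2fb8b59853e449"     # from the post
OLD_OWNER = "0x47bacf935066b802eaa0067ec14ab035b24eb78b"  # from the post
NEW_OWNER = "0xc4574ddef299e7e563971e200433e592eeaafa69"  # from the post
DELEGATE = "0x74ad1ef17fbb3e494c31c72f7ec730a27fef0310"   # from the post
MULTISIG = "0x" + "aa" * 20                               # constructed placeholder
OTHER_LOCKER = "0x" + "bb" * 20                           # constructed placeholder

def pad(addr):  # indexed address topics are left-padded to 32 bytes
    return "0x" + "0" * 24 + addr[2:]

def classify_account(code):
    """Classify an account from its eth_getCode result (hex string or None)."""
    code = (code or "0x").lower()
    if code == "0x":
        return "eoa", None
    if code.startswith(EIP7702_PREFIX) and len(code) == 48:
        return "eoa-7702", "0x" + code[8:]
    return "contract", None

def review_ownership_changes(logs, watched, approved, code_of):
    """Return one alert per OwnershipTransferred log emitted by a watched contract."""
    alerts = []
    for log in logs:
        t = [x.lower() for x in log["topics"]]
        if log["address"].lower() not in watched or len(t) != 3 or t[0] != OWNERSHIP_TRANSFERRED:
            continue
        new_owner = "0x" + t[2][-40:]
        kind, delegate = classify_account(code_of.get(new_owner))
        reasons = [msg for cond, msg in (
            (new_owner not in approved, "new owner not approved"),
            (kind != "contract", "new owner is a single key"),
            (delegate is not None, "EIP-7702 delegation to " + str(delegate)),
        ) if cond]
        alerts.append({"contract": log["address"].lower(), "old": "0x" + t[1][-40:],
                       "new": new_owner, "kind": kind, "hold": bool(reasons), "reasons": reasons})
    return alerts

# Constructed logs in eth_getLogs shape; CODE_OF models the owner after its delegation.
SAMPLE_LOGS = [
    {"address": LOCKER, "topics": [OWNERSHIP_TRANSFERRED, pad(OLD_OWNER), pad(NEW_OWNER)]},
    {"address": LOCKER, "topics": ["0x" + "dd" * 32, pad(OLD_OWNER), pad(NEW_OWNER)]},  # other event
    {"address": OTHER_LOCKER, "topics": [OWNERSHIP_TRANSFERRED, pad(OLD_OWNER), pad(MULTISIG)]},
]
CODE_OF = {NEW_OWNER: EIP7702_PREFIX + DELEGATE[2:], MULTISIG: "0x6080604052"}

def demo():
    return review_ownership_changes(SAMPLE_LOGS, {LOCKER, OTHER_LOCKER}, {MULTISIG}, CODE_OF)

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

A contract owner is treated here only as "not a single key"; confirming that it is actually a multisig with a timelock still belongs to the manual review step.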
GoPlus Security 🚦@GoPlusSecurity·
💣 479K-follower KOL Under Fire: $260 Meme Coin Profit Behind a “Shilling Playbook” A trading KOL with 479K followers promoted a meme coin and made around $260. He later claimed his account was hacked, but the comment section didn’t buy it. GoPlus investigation found that multiple meme coins promoted by this KOL last year shared the exact same developer address.
Lookonchain@lookonchain

James Wynn(@JamesWynnReal) just launched a token called $WORLD and rugged it. He made only 3.2 $SOL($260) from it. solscan.io/account/HH7jLE…

GoPlus Security 🚦@GoPlusSecurity·
🚨 Update: Added "pool_fee" to "dex":[] in the GoPlus Token Security API. pool_fee represents the trading fee charged by the DEX pair. Actual total trading tax = token tax + pool_fee. This helps developers more accurately calculate swap costs and improve risk visibility. Docs: docs.gopluslabs.io/reference/resp…
GoPlus Security 🚦@GoPlusSecurity·
🎉 Congratulations! @AgentGuard_AI × @clawvardEDU is hosting the first AI Agent University offline event! AgentGuard will showcase its commercial release and latest agent security capabilities, alongside live demos and an open mic session 🎓 📅 May 29, 2:00–6:00 PM(GMT-7) 📍 1199 Coleman Ave, San Jose, CA 95110 🔗 luma.com/nigfy3vc Builders, KOLs & investors — welcome to join! ✨
AgentGuard 🛡️@AgentGuard_AI

AgentGuard, in collaboration with @clawvardEDU, is hosting the first AI Agent University offline event. This Friday, May 29th, bring your agent crayfish to San Jose to attend the university. Participants can receive scholarships.
We will showcase AgentGuard's latest security capabilities and officially release its commercial version, addressing the core supply chain security issues of agents. At the same time, we will demonstrate how agents can start with "course selection":
✅ Understand the course content
✅ Learn the corresponding skill invocation tools or capabilities
✅ Finally, complete an end-to-end task
There will also be an open mic session for builders, where you can showcase your agent's capabilities. Welcome builders/project teams/KOLs/investors to join us!

GoPlus Security 🚦@GoPlusSecurity·
🚨 GoPlus Security Alert: The X account of @Chrizhuu, founder of the AI trading agent project DonutAI, has been compromised. The account is currently posting unauthorized tokens and phishing links. Please stay alert and avoid interacting with any suspicious content!
Donut@DonutAI

Donut founder @Chrizhuu’s personal account has recently shown repeated signs of abnormal activity and potential unauthorized access. Any CA address or token launch-related information recently posted by this account is not official. Please rely only on information released through Donut’s official account and verified community channels.

GoPlus Security 🚦@GoPlusSecurity·
🧵5/5 📌Related Transactions
Attacker address: 0xeF3C054d8F7eD0a7D61c8da56ff55F090577aa25
Malicious contract address: 0x00380be1cbC5885090fDdc89147Ff76b2f411106
vsdCRV contract address: 0x62d5a59E0d67c0381aAd53B201B4A1B8Dcd2C833
StakeDAO deployer address with the suspected compromised private key: 0x000755Fbe4A24d7478bfcFC1E561AfCE82d1ff62
Attack transactions:
etherscan.io/tx/0x52941877d…
arbiscan.io/tx/0xf97ddff0d…
arbiscan.io/tx/0x7489ec5f5…
GoPlus Security 🚦@GoPlusSecurity·
🧵1/5 ⚠️Vulnerability Analysis: Breakdown of the Stake DAO Exploit DeFi protocol @StakeDAOHQ’s StakeDAO contract deployer address on #Arbitrum was suspected to have had its private key compromised. The attacker used the address to set a malicious contract as a Peer, then executed cross-chain minting transactions to mint approximately 54.5 trillion vsdCRV tokens, with part of the funds already swapped into ETH.
Stake DAO@StakeDAOHQ

We are aware of the ongoing situation. Please do not interact with vsdCRV.

GoPlus Security 🚦@GoPlusSecurity·
🚨 GoPlus Security Alert: Beware of Scam “Black U” Promotions and Fake AML Detection Websites on X
Today, we received community reports about promotions of so-called “black U” and AML (Anti-Money Laundering) detection websites on X. According to GoPlus investigation, these sites are phishing websites hosted on Vercel that attempt to trick users into granting wallet approvals. Users are strongly advised not to interact with them.
Security Recommendations:
1. Avoid private OTC transactions whenever possible. Use reputable CEX platforms for OTC trading, as they typically include built-in AML risk controls.
2. Treat any unfamiliar links with extreme caution, especially those requesting wallet connection, signatures, or approvals. Remember the GoPlus anti-phishing rule: Do not click, do not install, do not sign, do not transfer — avoid clicking unknown links, installing unverified software, signing unclear wallet transactions, and sending funds to unverified addresses.
3. Install the GoPlus security extension to block phishing links, malicious signatures, unauthorized approvals, and risky transactions in real time → chromewebstore.google.com/search/GoPlus
Crypto News 📣@FakSng

🚨 Your “clean” USDT might already be flagged. #Binance, #OKX & #Bybit AML systems track wallet history, mixers, sanctions & scam exposure. Before sending funds, scan your wallet in seconds 👇 checkamlusdt.vercel.app

GoPlus Security 🚦@GoPlusSecurity·
🧵6/6 📌 Related Transactions
Attacker addresses:
0x7c82cb4b2909c50c7c0f2b696eee7565e0a23bb8
0x9BDC730183821b6bb2B51BE30B77C964FA645b91
Attack contract: 0xe1d5FCfBba4d46F4937de369De415dD7E2D3265a
Exploited SquidRouterModule contract address: 0x1f1d37a3Bf840e35c6a860c7C2dA71Fe555123ca
Compromised Safe wallet address: etherscan.io/tx/0xc7bcd1ffe…
GoPlus Security 🚦@GoPlusSecurity·
🧵5/6 (3) The attacker then removed the initially added liquidity for the u-Token (e.g., the u/USDC pool), thereby extracting the tokens paid by the Safe wallet during the swap, such as USDC. etherscan.io/tx/0xfd8eda4a6…
GoPlus Security 🚦@GoPlusSecurity·
🧵1/6 ⚠️ Vulnerability Analysis: SquidRouterModule Exploit Incident The #SquidRouterModule contract on #ETH was exploited due to a permission vulnerability. The attacker leveraged the flaw in the contract to compromise an on-chain Safe wallet, netting approximately $3.07M in profit. Note: The exploited contract was NOT an official contract deployed by @squidrouter or @safefndn, but a third-party contract with the same name deployed by an unknown developer.
squid@squidrouter

This incident is unrelated to Squid’s core protocol and contracts. All Squid users and integrators are unaffected and no action is needed.
A third-party Gnosis Safe module was exploited today across Base and Ethereum, resulting in approximately $3.2M in losses. The vulnerable contract is verified on Basescan under the name “SquidRouterModule” but this contract was not built, deployed, or operated by Squid. It is a third-party smart-wallet product that chose to integrate with Squid, among other protocols, but has not been in contact with us.
The exploit worked because the third-party module accepted a caller-supplied constant string as proof that a message was secure. If you pass in this string (which is publicly available in the verified contract’s code), then you can execute an array of arbitrary calldata, stealing funds at will. The victims’ Safes had added this faulty contract as a trusted Safe Module, which gives the contract the ability to spend any tokens in the Safe without signatures.
Squid’s own router (0xce16F69375520ab01377ce7B88f5BA8C48F8D666) is architecturally different and was not touched. Squid user funds, approvals, and integrations are fully secure.
Early public reporting may reference “SquidRouter” due to the contract’s verified name on Basescan. The accurate framing is: a third-party SquidRouterModule was exploited, not Squid’s Router contract. The contract shares our name but is not our code.
We are monitoring the situation and will share updates if anything changes materially.
