Defimon Alerts

Onchain monitoring and incident response is crucial for DeFi Since 2022 we have been working on defimon.xyz to detect DeFi exploits by analyzing transactions in real-time. There is a constant stream of DeFi exploits that are barely noticed. You can get access to these instant alerts by subscribing to the exploits feed for just 50$/mo. For protocol teams we offer a Websocket subscription to act on the alerts automatically. Native Telegram subscription: t.me/+m9BMRKlMuW5iM… Tribute mini-app: t.me/tribute/app?st… Contact: t.me/DecurityHQ

🚫 Blacklist Event: usdt_blacklist 🌐 Network: mainnet 🏷️ Token: 0xdac17f958d2ee523a2206206994597c13d831ec7 (USDT) ⛔️ Address: 0x8766fe4aa2208afd9a5b050acfcdbb4ad4d3d8ee (EOA) 💰 Blocked balance: $13,215,714 etherscan.io/tx/0xd21675d73…

🚫 Blacklist Event: usdt_blacklist 🌐 Network: mainnet 🏷️ Token: 0xdac17f958d2ee523a2206206994597c13d831ec7 (USDT) ⛔️ Address: 0xe39d2aa8983d125beae388ab72415bc5d2b5616d (EOA) 💰 Blocked balance: $1,069,077 etherscan.io/tx/0x2a037fa78…

3) StakeOnMe (Ethereum) - 15 March 2026 Loss: $600 Rescued: $1,473 The attack used a Balancer flash loan of 1.5 WETH (0% fee) to fund 100 mint-burn cycles with varying deposit amounts (40x 0.025 ETH, 30x 0.16 ETH, 30x 0.005 ETH). The unverified contract (0x237d) is the registered owner of the JAKE meToken, meaning burns routed through it receive the owner's enhanced burn rate — which includes extraction from balanceLocked on top of the raw bonding curve return. The attacker exploited this by repeatedly minting tokens via ETH deposits to the bonding curve, then burning them through the owner-privileged pathway to drain both balancePooled and balanceLocked. Original attack: etherscan.io/tx/0xed71e72ba… 🫡 All the funds were returned to the affected parties.

2) Fun.xyz CheckoutPool (Polygon) - 17 March 2026 Loss: $85,720 Rescued: $3,947 The CheckoutPool protocol uses a Bridge Operator Contract (BOC) system where older BOC versions have _ALLOW_ALL_=true and no onlyOperator modifier, allowing anyone to call bridge() which triggers paymaster.activateAndCall() to drain pool excess funds via CheckoutPool.execute(). Original attack: polygonscan.com/tx/0x957bcfa47…

⛑ Recent rescues by Defimon 1) Revamp Protocol (BSC) - 19 March 2026 Loss: $1,950 Rescued: $4,062 The Revamp protocol's deposit/reward system allows an attacker to list a fake token, deposit BNB via the revamp() function with a self-referral chain, then withdraw principal + inflated rewards - extracting existing user deposits. The accRewardPerShare is updated before the user's contribution is added, allowing the attacker to manipulate reward calculations across coordinated deposits from multiple addresses. Original attack: bscscan.com/tx/0xa0ff1de61…

💬 Onchain Message: This message is directed at the individual responsible for the recent Votemarket exploit. Law enforcement and on-chain tracking firms are involved in this matter, and significant identification data have been gathered. Stake DAO Association offers you the opportunity to return 60.7336 ETH to 0x5DA07af8913A4EAf09E5F569c20138b658906c17 on Ethereum, and keep the remainder as a 20% white-hat bounty. At reception of the funds, Stake DAO Association will drop civil charges and pursuits. This offer is valid for 72 hours (until March 21st 2026, 10:00:00 UTC). Should you want to reach out, you can do it via Blockscan Chat to this address, which natively verifies wallet ownership. etherscan.io/tx/0xc50f3277c…

🚨 @KeomProtocol exploited for $94k on Polygon ZKEVM A logic error in KToken.redeemFresh() (line 992-993) caps redeemTokens to the user's cToken balance AFTER computing totalSupplyNew with the uncapped value, but never recalculates redeemAmount. This allows an attacker to mint a tiny amount of cTokens and drain the market's full cash balance via redeemUnderlying(). Attacker: etherscan.io/address/0xb343… TX: oklink.com/polygon-zkevm/…

💬 Onchain Message: We have identified you and are working with the U.S. Department of Homeland Security - Cyber 1 Darkweb & Cryptocurrency unit. Return 70% of stolen funds to 0x45e2663E0FEE4ABDf1EA7943eC527d6101bE5E34 within 48 hours and keep 30% as a whitehat bounty. No further action will be taken. Ignore this and we will pursue all legal avenues. - Keom Protocol Team etherscan.io/tx/0x8501e3631…

Why permissionless DeFi is a double edged sword? dTRINITY got exploited for $257K today. here's what actually happened: their dLEND pool (an Aave v3 fork) had a rounding flaw in the cbBTC aToken share math. mint and burn both used the same half-up rounding conversion. at a high liquidity index, withdrawals could exceed deposits. attacker flash loaned, deposited ~$772 USDC valued as ~$4.8M collateral, borrowed 257K dUSD, then looped 127 deposit/withdraw cycles through a helper contract. each cycle extracted a bit more cbBTC than was put in. net profit after gas: ~$257K. pool TVL was only ~$435K. on March 5, @HypurrFi publicly disclosed a structural rounding vulnerability in Aave v3 versions prior to 3.5 with the same exploit pattern. conditions: high per-unit token price, low decimals, low gas fees. cbBTC checks all three. dLEND is an Aave v3 fork. unclear whether they were running a patched version, but the exploit matching a known vulnerability from 12 days earlier raises questions.

🚨 @dTRINITY_DeFi has been exploited for $257K The attacker flash-loaned USDC from Morpho, deposited ~$772 USDC which was valued as ~$4.8M collateral due to the inflated index, then borrowed 257K dUSD against this phantom collateral. Remaining USDC in the aToken was drained via 127 repeated deposit/withdraw cycles through a helper contract. TX: etherscan.io/tx/0xbec4c8ae1… Victim: etherscan.io/address/0x5cc7… Pool: etherscan.io/address/0x6598…

@YalorMewn @0xSkyMine We have also rescued 0x85…3a22, if this is your address please DM

@DefimonAlerts @0xSkyMine Hiii, I had funds on there as well. Do you have all the user funds ?

Hello @0xSkyMine we have rescued and returned to you the funds from your vulnerable meToken deployment (StakeOnMe project), the original attack that we detected involved JAKE token deployment from the same factory: etherscan.io/tx/0xed71e72ba…

@0xSkyMine You can support us by subscribing to our alerts feed

@DefimonAlerts thank you! do you have a wallet for donations on any platform?

🚨 RisingSun (RSunTokenLocker) - Loss $1,525 (2026-03-14) Type: Logic Error (Missing State Invalidation) This is a similar vulnerability that we found in DX.app token locks: blog.decurity.io/dx-protocol-vu… The withdrawTokens() function in RSunTokenLocker does not clear the lock entry after a full withdrawal. It only removes the index from ownerToIndex via removeLockOwnership(), but locks[lockIndex].owner and locks[lockIndex].amount remain intact. The attacker flash-loaned 1,525 BUSD, created a zero-duration lock (immediately expired), then called withdrawTokens(11) twice on the same lock — each call passed the owner check and transferred the full locked amount since the entry was never deleted. This drained all 1,525 BUSD held by the locker contract on behalf of other users. TX: bscscan.com/tx/0x1d1cd9642… Victim: bscscan.com/address/0xd26b…

💬 Onchain Message: Irfan Abid. We know who you are. Binance username Irfan_Abid. Galxe accounts abid_ime and M_Abid. X accounts @abidbeau0 and @mabidirfan100. We have your photo. We have your Arkham entity profile and all connected wallets. We are monitoring every transaction across all of your addresses. You drained our Bankr wallet and took the AXOBOTL fee beneficiary and Team.Finance Lock NFT on March 14. Return the fee beneficiary to 0xe8e4391f8f3db9122315b425d9aedc0abf0571bc and the lock NFT. We will send you 1000 USDC and this ends. Ignore this and we file reports with Binance, Bybit, and MEXC with your full identity and wallet evidence. Your KYC is on file. The choice is yours. basescan.org/tx/0x58353a2d0…

💬 Onchain Message: Return the $25,000 you stole from me; one of your address is compromised. etherscan.io/tx/0xc589ecd4a…

💬 Onchain Message: Hi, dear God, I just saw your track record today, and I’m truly impressed by your code—I was instantly captivated. Things have been really tough for me lately: my family has always struggled financially, and last year I was diagnosed with high blood pressure, which drained all my savings. Now I’m struggling to even cover my basic living expenses. It’s not that I haven’t tried—I’ve attempted to start over many times, but reality is just too harsh… I don’t want to keep sinking like this. I’d like to use a few thousand yuan to take a small step toward getting back on my feet (like buying medicine to stabilize my blood pressure or purchasing equipment to learn coding). If you could help me even a little—even just a few thousand yuan—it would be a lifesaving seed fund for me. I have no other options left, which is why I’ve mustered the courage to send you this message. Whether or not you’re able to help, I’m truly grateful that you’ve read this far. Thank you! bscscan.com/tx/0x4b930b72a…

⚠️ EOA 0xf052 lost $3,663,091 at 11:55, 15 March 2026 (UTC) bscscan.com/tx/0x4f477e941…

🚨 Goose Finance - Loss $8435 (2026-03-12) Token: $EGG @ $0.00307 MC: $223K 24h Vol: $29.5K Type: Logic Error (Share Accounting Flaw) The StrategyGooseEgg vault had 3.69M EGG (~$11.3K) sitting unaccounted in the contract — not reflected in wantLockedTotal or sharesTotal. The _deposit() function calculates shares using the OLD wantLockedTotal, then calls _farm() which adds BOTH the deposit AND the unaccounted EGG to wantLockedTotal. This means the depositor's shares entitle them to a proportional claim on the unaccounted EGG. The attacker flash-swapped 10.17M EGG from two PancakeSwap pairs, deposited into pool 60 via VaultChef, then immediately withdrew — receiving 12.59M EGG back. After two deposit/withdraw cycles, the attacker converted profits to ~13.04 BNB ($8435). TX: bscscan.com/tx/0x86efdf5b4… Victim: bscscan.com/address/0x0980… (StrategyGooseEgg) CoinGecko: coingecko.com/en/coins/goose…

💬 Onchain Message: This is our second and final notice regarding the recent exploit. As stated last week, we offered to resolve this matter on a 15% white-hat bounty basis if the relevant assets were returned within the specified deadline. As of now, we have not received any response. We are fully aware of the current status of the relevant addresses and assets, and both internal and external review procedures are already underway. We are also working with the relevant authorities and will continue pursuing this matter until it is fully resolved. If you still wish to resolve this privately, the following arrangement remains available: • You may retain 15% as a white-hat bounty • The remaining 85% must be returned to the following address: ETH/ERC-20: [0x0c2Bc4d2698820e12E6eBe863E7b9E2650CD5b7D] • Alternatively, you may contact us via [contact@solv.finance] to confirm the return process Please respond no later than March 16, 2026, 16:00 Beijing Time (UTC+8). If we do not receive a response before the above deadline, we will consider the private resolution window closed and proceed through the appropriate channels in accordance with our established process. We still hope to resolve this matter in the fastest and most direct way possible. etherscan.io/tx/0x5495300a5…