Aftermath Finance (🥚, 🥚)

We've published a sheet of every affected account: #gid=1181738102" target="_blank" rel="nofollow noopener">docs.google.com/spreadsheets/d… If you're affected, review your row before claim opens Monday so we can minimize inconsistencies. Some balances may need reconciling because of withdrawals taken during the under-collateralized window. If your amount looks incorrect, open a ticket on our Discord or DM us on X with your transaction.

@natalia777mar All the positions should be considered closed at the time of the exploit. You don’t need to hedge. If you performed any action during the exploit time window, we will take that into consideration and make sure that you receive what you are owed.

@AftermathFi Quick question: is my ETH position already closed on the backend? Or will I be able to close it myself when trading resumes? I need to know to manage my hedge on another protocol."

We've published a sheet of every affected account: #gid=1181738102" target="_blank" rel="nofollow noopener">docs.google.com/spreadsheets/d… If you're affected, review your row before claim opens Monday so we can minimize inconsistencies. Some balances may need reconciling because of withdrawals taken during the under-collateralized window. If your amount looks incorrect, open a ticket on our Discord or DM us on X with your transaction.

If you have collateral idle in your account you can already withdraw it.

@EseTeLopez @0x_Abdul x.com/aftermathfi/st…

@0x_Abdul @AftermathFi ?? Wut?? 😪🫨😭😭

april 2026 was the worst month ever in terms of defi exploits ~$635M lost in total, 28 incidents in 30 days: 1) apr 1 - drift - $285m 2) apr 3 - silo v2 - $392k 3) apr 4 - tmm - $1.67m 4) apr 5 - denaria finance - $165k 5) apr 9 - aethir - $423k 6) apr 12 - hyperbridge - $2.5m 7) apr 12 - subquery - $60k 8) apr 13 - dango - $410k 9) apr 13 - mona - $61k 10) apr 14 - zerion - $100k 11) apr 16 - rhea finance - $18.4m 12) apr 16 - grinex - $15m 13) apr 18 - kelp dao - $293m 14) apr 20 - juicebox v3 - $52k 15) apr 20 - thetanuts finance - $50k 16) apr 21 - volo protocol - $3.5m 17) apr 22 - kipseli - $80k 18) apr 23 - giddy finance - $1.3m 19) apr 25 - purrlend - $1.5m 20) apr 26 - scallop - $150k 21) apr 27 - singularity finance - $413k 22) apr 27 - zetachain - $300k 23) apr 28 - judao - $228k 24) apr 28 - quant - $138k 25) apr 29 - aftermath perps - $1.14m 26) apr 29 - sweat foundation - $3.5m 27) apr 29 - syndicate - $330k 28) apr 30 - wasabi protocol - $5m+

Aftermath Postmortem On April 29th, Aftermath experienced an isolated security incident in the integrator feature of AF Perps. All other products (afSui, Pools, Farms, Agg, SOR) are completely unaffected & all users will be made whole. This has been a scary week for crypto. AI tooling is developing rapidly, and we were among the almost a dozen protocols affected by hacks. We’re hopeful that by sharing our experience, we can help the broader crypto community learn and build back stronger. Root Cause The root cause was a signed integer issue in the integrator accounting logic. A malicious user was able to create their own integrator with a negative taker fee. This negative fee is then credited to a newly created account, which can be freely withdrawn from the vault. This issue was introduced as part of a diff on August 29, 2025. The changes were audited by @osec_io in Nov 2025, but the issue was unfortunately missed. Timeline The attacker (suivision.xyz/account/0x1a65…) was first funded on 04-28 22:02:07 UTC with 405.24 SUI. At 04-29 08:21:48 UTC, the attacker swapped 300 SUI for ~278 USDC via the SOR to obtain seed collateral for opening perp positions. From 04-29 08:55:50 UTC to 09:31:49 UTC, the attacker drained ~1,139,927 USDC from AFperps across 17 attempts (11 successful, 6 failed). Each of the 11 successful transactions was a single PTB that opened two accounts, registered the attacker as their own integrator with a negative 100,000 taker fee, executed a market order that crossed against a real counterparty’s maker order, then withdrew the resulting synthetic collateral as real USDC. From 04-29 09:22:23 UTC to 10:45:22 UTC, the attacker laundered the proceeds through fresh single-use wallets and DEX swaps before depositing to Binance (suivision.xyz/account/0x9350…) (~$250K USDC), KuCoin (suivision.xyz/account/0x13c0…) (~$400K USDC), Huobi (suivision.xyz/account/0xe5c0…) (HTX) (~150K SUI), and HitBTC (suivision.xyz/account/0x8612…) (~$150K USDC). Next Steps Out of an abundance of caution, we’re conducting an additional audit before relaunching AFperps with a separate company. That being said, we also recognize that manual review alone is insufficient in 2026. We are investing heavily to improve our AI-security workflows. AI tooling is developing rapidly, and we were among the almost a dozen protocols affected by hacks this week. We’re thankful to all of our partners for their rapid response and help. In particular, Blockaid, ZeroShadow, OtterSec, Sui Foundation, and Mysten Labs.

Today Aftermath Finance sustained an exploit of its perpetuals protocol on Sui which was subsequently paused. The Sui Foundation, in partnership with Mysten Labs, has committed to working with Aftermath Finance to both ensure fund recovery to users and continuity of the Aftermath protocol. Aftermath will provide further updates on fund recovery shortly.

We expect users to be made whole in the next 48-72hrs. We are working across the hours to get everyone their funds back. We appreciate everyone’s patience.

Update: Great news. Thanks to support from @Mysten_Labs and @SuiFoundation all users will be made whole ZERO losses for anyone. Aftermath will be up and running again soon. Thank you to both teams and to @blockaid_ for the rapid response. For clarity: this was not a Move contract-language security issue.

Update on today's incident: We're actively coordinating with zeroShadow, Seal, Blockaid, and OtterSec on response and fund-tracing. We're pursuing every available law-enforcement channel. A patch to the affected contracts is in development. More updates to follow.

Total damage is 1.14m. We are now focused on recovery.

@MarcinRedStone Perps has been paused fyi.

There's an ongoing exploit on Aftermath - supposedly affecting only the perp product. Stay safe. April has not finished yet...

All our other packages/products remain safe. The only vulnerability its our perps protocol which allowed negative builder code fees to be set.

@basq0x @DeFi_Alien0 Wasn't the perps contract itself. Was the fact that we allowed negative builder code fees which was incorrect.

@DeFi_Alien0 @AftermathFi Only the Perps contract was hit, Farms and LPs are totally safe. ( 1.4M appatrently) The hacker sent the loot straight to Huobi and KuCoin, so he isn't exactly a mastermind.

Apparently, there might have been an exploit on Aftermath Nothing has been confirmed yet by the Aftermath team, but if this is true it would be the third exploit on Sui in the month of April I hope this isn’t true tho Still waiting for an official announcement from Aftermath

ONLY PERPS WAS EXPLOITED. The exploit stems from us allowing (wrongly) to set negative builder codes fees.

Attention Aftermath community - We’ve identified an exploit affecting the protocol. Our team is actively investigating alongside leading security partners. As a precaution, the protocol has been paused and measures are being taken to minimize potential impact to user funds. We’ll continue to share updates as we learn more. Thank you for your patience.

This is the attackers address: suivision.xyz/account/0x1a65…

We have been exploited.

Roughly 1 in every 8 transactions on @SuiNetwork is are Aftermath perps txs. Aftermath also accounts for almost 12% of all gas used on the network. With over 20 markets live, there’s never been a better time to trade on Aftermath. aftermath.finance/perpetuals

@andrewm04881094 aftermath.finance/perpetuals/USD…

@AftermathFi QQQ

You can now long or short $URA perps with up to 3x leverage. af.lol/perpetuals/USD…