AstraSec
142 posts
@AstraSecAI
Blockchain security auditing, trusted by Magpie, 1inch, Paraswap, Kodiak, ... (https://t.co/74XaWrdj3c)
Web3 · Joined December 2023
1.5K Following · 575 Followers
AstraSec
AstraSec@AstraSecAI·
🚨 [Transit Finance Incident Reflection]
A deprecated 2022 smart contract on #TRON was exploited, draining ~$1.88M DAI. Even though marked “deprecated”, it remained fully callable.
This raises a hard question for every Web3 builder:
- Why didn’t the deprecated contract truly die?
⏰Proper deprecation isn’t optional — it must be designed from day one.
Correct ways to deprecate:
- Reset critical state variables
- Use toggle switches (Pausable/Deprecation Flag) to disable core functions
- For upgradeable contracts: point proxy to a dead (revert-only) implementation
- Renounce all admin privileges
💡Security isn’t “deploy and forget.” Build for a safe, graceful exit.
#SmartContractSecurity #DeFi #Web3Security #Solidity
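The four deprecation controls listed in the post above, put together in one contract, as an added Solidity example written for this page (it is not Transit Finance's code; LegacyRouter, DeadImplementation and the feeRecipient/feeBps fields are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative code for the deprecation checklist; contract and field names are assumptions.

/// @notice A legacy contract designed so that it can actually be retired.
contract LegacyRouter {
    address public owner;
    address public feeRecipient;          // critical config that is reset on retirement
    uint256 public feeBps;
    bool public deprecated;               // toggle switch: once set, core functions revert forever
    mapping(address => uint256) public balances;

    event Deprecated(address indexed by);
    event OwnershipRenounced(address indexed previousOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier notDeprecated() {
        require(!deprecated, "contract deprecated");
        _;
    }

    constructor(address _feeRecipient, uint256 _feeBps) {
        owner = msg.sender;
        feeRecipient = _feeRecipient;
        feeBps = _feeBps;
    }

    /// @notice Core entry points are gated: after retirement nobody can reach them.
    function deposit() external payable notDeprecated {
        balances[msg.sender] += msg.value;
    }

    function transfer(address to, uint256 amount) external notDeprecated {
        require(balances[msg.sender] >= amount, "insufficient");
        uint256 fee = (amount * feeBps) / 10_000;
        balances[msg.sender] -= amount;
        balances[feeRecipient] += fee;
        balances[to] += amount - fee;
    }

    /// @notice The exit path is deliberately NOT gated, so users can still leave after retirement.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    /// @notice Retire in one irreversible step: flip the flag, reset critical state, renounce admin.
    function deprecate() external onlyOwner {
        deprecated = true;
        feeRecipient = address(0);
        feeBps = 0;
        emit Deprecated(msg.sender);
        emit OwnershipRenounced(owner);
        owner = address(0);               // no admin is left who could clear the flag
    }
}

/// @notice Revert-only implementation for proxy-based contracts: once the proxy points here,
/// every call through it fails, whatever the selector.
contract DeadImplementation {
    fallback() external payable {
        revert("implementation retired");
    }

    receive() external payable {
        revert("implementation retired");
    }
}
```

One caveat for the proxy case: a UUPS proxy upgrades through the implementation's own `upgradeToAndCall`, which checks the new implementation's `proxiableUUID()`, so a UUPS dead implementation must also expose that function (returning the ERC-1967 implementation slot) or the upgrade itself reverts; a Transparent proxy's admin can point at `DeadImplementation` directly.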
Transit
Transit@TransitFinance·
📣 Transit Announcement
Regarding a recent incident related to historical legacy risks, we would like to share the following update:
1️⃣ Cause of the Incident
The issue was related to an early-version smart contract previously deployed on TRON. Although this legacy contract had been deprecated since 2022, historical vulnerabilities within it were recently exploited, affecting a limited number of users.
2️⃣ Actions Taken
Upon discovery, our team immediately carried out investigation, isolation, and mitigation measures, followed by additional review and remediation on May 12, 2026. Users do not need to take any action. The current smart contract version remains unaffected and has been operating securely for over four years, with ongoing security audits, testing, and monitoring in place. We will continue strengthening the management of legacy contracts and potential on-chain risks to further improve overall security.
3️⃣ Compensation
Affected users will receive full compensation, with further details to be announced through our official channels.
4️⃣ Security Reminder
• Please remain cautious of unsolicited messages or accounts claiming to represent Transit Finance.
• Never share your private key or seed phrase with anyone.
Transit Team
AstraSec
AstraSec@AstraSecAI·
🚨 Alert: @Aurellion_Labs on Arbitrum was exploited, losing approximately $455k USDC. Root Cause: Uninitialized Diamond Protocol The protocol set the owner in the constructor but never called initialize(). The attacker called initialize() on the SafeOwnable Facet to claim ownership, then used diamondCut() to inject a malicious facet with pullERC20 & sweepERC20 functions, draining approved USDC from multiple victims. Tx: arbiscan.io/tx/0x19cbafae5…
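The "uninitialized Diamond" root cause above, shown as an unguarded ownable facet next to a one-shot facet that the diamond initialises in its own constructor. This is an added example written for this page, not Aurellion's code; the storage namespace, the contract names and the single-facet diamond (a real diamond routes each selector to its facet via diamondCut) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative code; OwnableStorage, the facet names and ExampleDiamond are assumptions.

/// @dev Diamond-style namespaced storage shared by the facet and the diamond.
library OwnableStorage {
    bytes32 internal constant SLOT = keccak256("example.ownable.storage"); // assumed namespace

    struct Layout {
        address owner;
        bool initialized;
    }

    function layout() internal pure returns (Layout storage l) {
        bytes32 slot = SLOT;
        assembly {
            l.slot := slot
        }
    }
}

/// @notice Vulnerable shape: if the deployer sets ownership elsewhere and forgets this call,
/// the first stranger to call initialize() takes ownership (and with it diamondCut).
contract VulnerableOwnableFacet {
    function initialize(address newOwner) external {
        OwnableStorage.layout().owner = newOwner; // no one-shot guard, no caller check
    }

    function owner() external view returns (address) {
        return OwnableStorage.layout().owner;
    }
}

/// @notice Hardened shape: initialize() is one-shot, and the diamond's constructor spends it,
/// so there is never a deployed-but-uninitialized window.
contract SafeOwnableFacet {
    error AlreadyInitialized();
    error Unauthorized();

    function initialize(address newOwner) external {
        OwnableStorage.Layout storage l = OwnableStorage.layout();
        if (l.initialized) revert AlreadyInitialized();
        l.initialized = true;
        l.owner = newOwner;
    }

    function owner() external view returns (address) {
        return OwnableStorage.layout().owner;
    }

    function transferOwnership(address newOwner) external {
        OwnableStorage.Layout storage l = OwnableStorage.layout();
        if (msg.sender != l.owner) revert Unauthorized();
        l.owner = newOwner;
    }
}

/// @notice Minimal diamond that delegates every call to one facet (assumption for brevity).
contract ExampleDiamond {
    address internal immutable facet;

    constructor(address ownableFacet, address contractOwner) {
        facet = ownableFacet;
        // Initialise in the deployment transaction via delegatecall, so the facet writes this
        // diamond's storage and initialize() is already spent before anyone else can reach it.
        (bool ok, ) = ownableFacet.delegatecall(
            abi.encodeCall(SafeOwnableFacet.initialize, (contractOwner))
        );
        require(ok, "init failed");
    }

    fallback() external payable {
        address impl = facet;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let result := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch result
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}
```

A deployment script should assert two things right after deployment: `owner()` called through the diamond returns the intended owner, and a second `initialize()` call through the diamond reverts with `AlreadyInitialized`. Either assertion failing is exactly the state the post describes.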
Aurellion
Aurellion@Aurellion_Labs·
Today Aurellion was exploited for $456,000. We will be covering the funds extracted from this exploit. A detailed breakdown of the incident will be shared shortly. For now, all protocol operations are momentarily paused.
AstraSec
AstraSec@AstraSecAI·
1/ 🚨 DeepBook was drained of $239,700 on May 9 using just ~$2,500 in capital—a massive 100x return. No reentrancy, no oracle attack, no access control bypass. Just two order-placement paths with mismatched price validation.
pool::place_limit_order — no price check
pool_proxy::place_limit_order — price ∈ [Pyth ± tolerance]
Margin uses proxy. Regular accounts use raw. Same orderbook. Same attacker. 🧵
2/ Attacker uses TWO BalanceManagers, both their own:
• BM 0xe63374a58f2a63fe8554f0e9210332848654bd1130931c0719b1e9ba0a4fa30a (regular)
• MM 0xe63374a58f2a63fe8554f0e9210332848654bd1130931c0719b1e9ba0a4fa30a (margin — borrows USDC)
Per PTB, BM places a "trap" at the tolerance band edges: SELL @ $1.0878 + BUY @ $1.0759 (Pyth mid $1.0819, tolerance ±0.55%). 1.1% spread, both legs pass proxy.
3/ But this only works if the band is empty of legitimate orders. Phase A (asymmetric scan): attacker uses throwaway BMs as takers to sweep ~218K SUI / $235K of legitimate liquidity. Net cost: ~$1K in spread. Now only BM's trap sits in the band.
4/ Phase B (wash loop): MM market-orders into BM's trap.
• MM BUY → only ASK in band = BM's $1.0878 → MM pays high
• MM SELL → only BID in band = BM's $1.0759 → MM gets low
Each round trip: $0.0119/SUI leaks MM's borrowed pool → BM. Run 35×, 70 + 70 fills at exact band edges.
5/ After PTB: MM insolvent → $283K bad debt to suppliers. BM keeps ~$96K + 8K SUI. Flashloan repaid same-PTB. Just 4 successful attack txs over 50 mins. Bridged 78 ETH + 0.7 BTC to a single EVM address.
6/ 🛡️ The AstraSec Takeaway: Vulnerabilities don't always hide in complex math—they hide in architectural inconsistencies. When proxy logic and raw pool logic don't enforce the same invariants, attackers will bridge the gap.
DeepBook Protocol on Sui@DeepBookonSui

At ~3:18 AM UTC today, an undercollateralization vulnerability accrued $239,700 in bad debt in the USDC margin pool. Margin Trading has been temporarily paused. The Deepbook Insurance Fund has injected the amount of lost funds back into the affected pools. Deposits and withdrawals have now resumed.

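The thread's takeaway, that the raw path and the proxy path must enforce the same price invariant, as an added Solidity analog written for this page. DeepBook itself is Move on Sui, so this is not DeepBook's code: the oracle interface, the pool and order shapes and the 1e18 price scale are assumptions; the 55 bps tolerance is the figure quoted in the thread.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative analog of a two-path order book; all names and the price scale are assumptions.

interface IPriceOracle {
    function midPrice() external view returns (uint256); // scaled by 1e18 (assumption)
}

library PriceBand {
    uint256 internal constant BPS = 10_000;

    /// @dev true when price lies in [mid * (1 - tol), mid * (1 + tol)]
    function withinBand(uint256 price, uint256 mid, uint256 toleranceBps) internal pure returns (bool) {
        uint256 lo = (mid * (BPS - toleranceBps)) / BPS;
        uint256 hi = (mid * (BPS + toleranceBps)) / BPS;
        return price >= lo && price <= hi;
    }
}

struct Order {
    address trader;
    bool isBid;
    uint256 price;
    uint256 qty;
}

/// @notice Vulnerable layout: the margin ("proxy") path checks the band, the raw path does not,
/// yet both rest orders in the same book, so the band is not an invariant of the book at all.
contract MismatchedPool {
    IPriceOracle public immutable oracle;
    uint256 public constant TOLERANCE_BPS = 55;
    mapping(address => bool) public isMarginAccount;
    Order[] public orders;

    constructor(IPriceOracle o, address[] memory marginAccounts) {
        oracle = o;
        for (uint256 i; i < marginAccounts.length; i++) isMarginAccount[marginAccounts[i]] = true;
    }

    // raw path (regular accounts): any price is accepted
    function placeLimitOrder(bool isBid, uint256 price, uint256 qty) external {
        orders.push(Order(msg.sender, isBid, price, qty));
    }

    // proxy path (margin accounts): band-checked
    function placeLimitOrderViaProxy(bool isBid, uint256 price, uint256 qty) external {
        require(isMarginAccount[msg.sender], "margin accounts only");
        require(PriceBand.withinBand(price, oracle.midPrice(), TOLERANCE_BPS), "outside band");
        orders.push(Order(msg.sender, isBid, price, qty));
    }
}

/// @notice Hardened layout: every entry point funnels through one internal function, so
/// "resting orders lie within the oracle band" holds for the whole book, whoever placed them.
contract ConsistentPool {
    IPriceOracle public immutable oracle;
    uint256 public constant TOLERANCE_BPS = 55;
    mapping(address => bool) public isMarginAccount;
    Order[] public orders;

    constructor(IPriceOracle o, address[] memory marginAccounts) {
        oracle = o;
        for (uint256 i; i < marginAccounts.length; i++) isMarginAccount[marginAccounts[i]] = true;
    }

    function placeLimitOrder(bool isBid, uint256 price, uint256 qty) external {
        _place(msg.sender, isBid, price, qty);
    }

    function placeLimitOrderViaProxy(bool isBid, uint256 price, uint256 qty) external {
        require(isMarginAccount[msg.sender], "margin accounts only");
        _place(msg.sender, isBid, price, qty);
    }

    // the single place where the invariant is enforced
    function _place(address trader, bool isBid, uint256 price, uint256 qty) internal {
        require(PriceBand.withinBand(price, oracle.midPrice(), TOLERANCE_BPS), "outside band");
        orders.push(Order(trader, isBid, price, qty));
    }

    function orderCount() external view returns (uint256) {
        return orders.length;
    }
}
```

With `mid = 1.0819e18` and 55 bps, `PriceBand.withinBand` accepts roughly [1.0759e18, 1.0879e18], the ~1.1%-wide band the thread describes; in `MismatchedPool` a regular account can rest orders anywhere outside it, which is the architectural gap the thread identifies.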
AstraSec
AstraSec@AstraSecAI·
🚨 echooo.xyz exploited -- $229K lost Root cause: The Forwarder contract blindly forwards req.from as the msg.sender to the SwapRouter. An attacker can set req.from to any victim who previously approved the protocol, then drain their funds via spendFromUser. tx: etherscan.io/tx/0x57709a498… ⚠️ Revoke approvals to this address IMMEDIATELY: 0x2990A16D2C37163f26F86d7af219064Ba5CD5605
AstraSec
AstraSec@AstraSecAI·
@aave just took a major step forward in the @KelpDao rsETH bridge exploit recovery. Aave has successfully executed controlled liquidations of the attacker’s positions on both Ethereum and Arbitrum. This was achieved by temporarily setting the rsETH oracle to a FixedPriceAdapter returning a fixed price of 1, enabling low-cost liquidation of the positions. Total: 89,567 rsETH have been recovered and are now safely held in the multi-sig wallet: 0x53cb4BB8F61fa45405dC75F476FaDAd801e653D9
AstraSec reposted
Aave
Aave@aave·
In line with the technical plan outlined below, the attacker's rsETH positions on Aave have been liquidated on Ethereum and Arbitrum. The liquidated collateral now sits with the Recovery Guardian as specified in the AIP. No other users were affected, and Umbrella was also untouched. This was a critical step in the recovery roadmap, with next steps to follow.
Aave@aave

x.com/i/article/2048…

AstraSec
AstraSec@AstraSecAI·
@trustedvolumes suffered an exploit leading to a loss of approximately $5.87M. The root cause is that TrustedVolumes' RFQ contract had a potential input validation vulnerability, which allowed any victim to be designated as order taker, thereby enabling the exploitation of their authorized assets. tx: etherscan.io/tx/0xc5c61b3ac… Revoke your approvals to the following address immediately (via revoke.cash): 0xeEeEEe53033F7227d488ae83a27Bc9A9D5051756
AstraSec
AstraSec@AstraSecAI·
@EkuboProtocol suffered an exploit due to missing payer validation in its EVM swap router contracts (on Ethereum and Arbitrum). The loss was approximately $1.4M, primarily in wrapped Bitcoin (WBTC) drained from approved user positions via unauthorized transferFrom calls.
Revoke your approvals to the following addresses immediately (via revoke.cash):
Ethereum:
0x8ccb1ffd5c2aa6bd926473425dea4c8c15de60fd (V2)
0x4f168f17923435c999f5c8565acab52c2218edf2 (V3)
Arbitrum:
0xc93c4ad185ca48d66fefe80f906a67ef859fc47d (V3)
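The echooo.xyz, TrustedVolumes and Ekubo posts above describe one bug class: the account whose approval gets spent (req.from, the order taker, the payer) is taken from calldata and never tied to the caller. The added example below, written for this page and not any of those projects' code, shows that shape beside a forwarder that only spends an approval when the payer is msg.sender or has signed the exact request (EIP-712, nonce and deadline bound). The Request struct, the contract names and the domain values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative code; struct, contract names and EIP-712 domain values are assumptions.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// @notice Vulnerable shape: anyone who has approved this contract can be named as req.from
/// by a stranger, because nothing binds req.from to the caller.
contract VulnerableForwarder {
    struct Request {
        address from;
        address token;
        uint256 amount;
        address to;
    }

    function forward(Request calldata req) external {
        IERC20(req.token).transferFrom(req.from, req.to, req.amount); // req.from is unverified
    }
}

/// @notice Hardened shape: the payer is msg.sender, or has signed this exact request.
contract SafeForwarder {
    struct Request {
        address from;
        address token;
        uint256 amount;
        address to;
        uint256 nonce;
        uint256 deadline;
    }

    bytes32 private constant REQUEST_TYPEHASH = keccak256(
        "Request(address from,address token,uint256 amount,address to,uint256 nonce,uint256 deadline)"
    );
    bytes32 private immutable DOMAIN_SEPARATOR;
    mapping(address => uint256) public nonces;

    constructor() {
        DOMAIN_SEPARATOR = keccak256(
            abi.encode(
                keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
                keccak256("SafeForwarder"),
                keccak256("1"),
                block.chainid,
                address(this)
            )
        );
    }

    function hashRequest(Request calldata req) public view returns (bytes32) {
        bytes32 structHash = keccak256(
            abi.encode(REQUEST_TYPEHASH, req.from, req.token, req.amount, req.to, req.nonce, req.deadline)
        );
        return keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
    }

    function forward(Request calldata req, bytes calldata signature) external {
        require(block.timestamp <= req.deadline, "request expired");
        require(req.nonce == nonces[req.from], "bad nonce");
        nonces[req.from] = req.nonce + 1;                       // replay protection
        if (msg.sender != req.from) {
            // Relayed call: only the payer's own signature may authorise spending their approval.
            require(_recover(hashRequest(req), signature) == req.from, "signer is not payer");
        }
        require(IERC20(req.token).transferFrom(req.from, req.to, req.amount), "transfer failed");
    }

    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        // Reject high-s values so a signature cannot be malleated into a second valid one.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        require(v == 27 || v == 28, "bad v");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "invalid signature");
        return signer;
    }
}
```

The property to test is the negative one: with a victim's approval in place, a call from any other address with no signature, or with a signature over a different request, must revert before `transferFrom` is reached. That is the check each of the three routers above lacked.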
AstraSec
AstraSec@AstraSecAI·
🚨 APRIL 2026: The list of major DeFi hacks. The real risks are now cross‑chain configs, social engineering, and edge‑case logic flaws. 13+ attacks, $620M+ drained. Attack surfaces have shifted.
📅 April 1 – Drift Protocol (Solana) → Social engineering, multi-sig compromise → $285M
📅 April 3 – Silo Finance → Oracle misconfiguration → $392K
📅 April 5 – TMM on BNB Chain → Flash loan reserve manipulation (PancakeSwap pool) → $1.665M
📅 April 13 – Dango → Missing positive input validation (negative "donation") → ~$1.9M (whitehat returned ~$1.49M)
📅 April 13 – Hyperbridge → MMR proof replay vulnerability → $2.5M
📅 April 14 – CoW Swap → Domain hijacking (social engineering) → $1.2M
📅 April 15 – Grinex Exchange → Exit scam / external hack → $13.74M
📅 April 18 – Rhea Finance (Arbitrum) [FIXED] → Intermediate token reuse flaw in multi‑swap, NAV manipulation → $18.4M
📅 April 18 – KelpDAO → LayerZero DVN config flaw (cross‑chain message forgery) → $293M
📅 April 21 – Bitcoin Depot → Admin‑level social engineering → $3.6M
📅 April 22 – Volo Protocol (Sui) → Vault ownership forgery → $3.5M
📅 April 24 – ZetaChain → Cross‑chain messaging vulnerability → $334K
📅 April 25 – Purrlend → Dual‑chain coordinated exploit → $1.5M
📅 April 26 – Scallop (Sui) → Oracle manipulation / legacy contract vulnerability → sSUI reward pool drained ~150,000 SUI (~$142K)
📅 April 28 – JUDAO (BNB Chain) → Reserve manipulation via token hook vulnerability → $228K
📅 April 29 – Aftermath Finance (Sui) → Negative fee rate settlement flaw → $1.14M
📅 April 29 – Syndicate (Base) → Commons bridge accepted unverified cross-chain messages → ~18.5M SYND tokens dumped (~$330K)
AstraSec
AstraSec@AstraSecAI·
@OpalUSD This looks incredible and loving the vision, team!
Opal
Opal@OpalUSD·
Introducing Opal. We’re unlocking growth - whoever you are, wherever you are. An institution-grade platform that anyone can use. Powered by a 1:1 Treasury-backed digital dollar.
AstraSec
AstraSec@AstraSecAI·
@philwatkins_eth I do get the msg from your compromised TG account and thanks for sharing here!
Phil
Phil@philwatkins_ovi·
Be safe out there fam! My TG was compromised over the weekend - if you are connected to 'philwatkins_eth' on TG - delete it and do not accept any meeting invites - if you are getting messaged - it isn't me. I received a Microsoft Teams invite from a trusted web3 contact; when I joined the call I could see them with their colleagues, then was requested to update to make the audio work - not cool! Always ensure your passwords are locked away, use 2FA and hardware wallets, clean your cookies and browser sessions regularly. Luckily nothing was lost this time, currently updating everything to be a clean slate. Stay safe!
AstraSec
AstraSec@AstraSecAI·
Total loss is approximately 116,500 rsETH (Liquid Restaking Token), illicitly drained via a cross-chain bridging exploit with a market value of around $293M, marking it as one of the largest DeFi exploits of 2026. The attacker triggered unauthorized rsETH minting, then used the stolen rsETH as collateral on Aave V3, Compound, and Euler to borrow large amounts of ETH/WETH. This resulted in significant bad debt for Aave, a severe de-pegging of rsETH, and the temporary freezing of rsETH markets across major lending protocols.
Kelp@KelpDAO

Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate. We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA. We will keep you posted as we learn more about this situation. Please follow only the official @KelpDAO handle for the updates.

AstraSec
AstraSec@AstraSecAI·
🚨 LootBot.xyz Staking Contract Exploited (~$9,600 / 4.1 ETH loss) A contract deployed for 2.5 years was breached due to a logic error in the redeem() function. It failed to validate duplicate xLoot NFT IDs in the input array, allowing the attacker to claim X times rewards per NFT in a single call. TX: t.co/DqY7Er7Q9R
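The redeem() logic error described above, reproduced as an added Solidity example written for this page (it is not LootBot's contract; the staking accounting in rewardPerNft, the rewarder role, the reward token and the contract names are assumptions). The vulnerable version passes every per-ID check for an input like [7, 7, 7] because the claimed flag is written only after the loop has counted the reward three times; the hardened version stops the duplicate in two independent ways.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative code; accounting model, roles and contract names are assumptions.

interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract StakingBase {
    IERC721 public immutable xLoot;
    IERC20 public immutable rewardToken;
    address public immutable rewarder;                // assumed role that credits rewards
    mapping(uint256 => uint256) public rewardPerNft;  // accrued, unclaimed reward per NFT id
    mapping(uint256 => bool) public claimed;

    constructor(IERC721 _xLoot, IERC20 _rewardToken, address _rewarder) {
        xLoot = _xLoot;
        rewardToken = _rewardToken;
        rewarder = _rewarder;
    }

    function accrue(uint256 id, uint256 amount) external {
        require(msg.sender == rewarder, "not rewarder");
        rewardPerNft[id] += amount;
    }

    function _pay(address to, uint256 amount) internal {
        require(rewardToken.transfer(to, amount), "payout failed");
    }
}

/// @notice Vulnerable shape: checks are per element, but the effect (claimed = true) is
/// applied only after totalling, so repeated ids are counted once per occurrence.
contract VulnerableStaking is StakingBase {
    constructor(IERC721 n, IERC20 t, address r) StakingBase(n, t, r) {}

    function redeem(uint256[] calldata ids) external {
        uint256 total;
        for (uint256 i; i < ids.length; i++) {
            require(xLoot.ownerOf(ids[i]) == msg.sender, "not owner");
            require(!claimed[ids[i]], "already claimed");
            total += rewardPerNft[ids[i]];
        }
        for (uint256 i; i < ids.length; i++) {
            claimed[ids[i]] = true;
        }
        _pay(msg.sender, total);
    }
}

/// @notice Hardened shape: strictly ascending ids rule out duplicates structurally, and the
/// claimed flag is written before the reward is counted, so either defence alone suffices.
contract SafeStaking is StakingBase {
    constructor(IERC721 n, IERC20 t, address r) StakingBase(n, t, r) {}

    function redeem(uint256[] calldata ids) external {
        uint256 total;
        for (uint256 i; i < ids.length; i++) {
            uint256 id = ids[i];
            // 1. A repeated id can never satisfy id > ids[i - 1].
            require(i == 0 || id > ids[i - 1], "ids must be strictly ascending");
            require(xLoot.ownerOf(id) == msg.sender, "not owner");
            // 2. Effect before accumulation: a second occurrence of id in this call fails here.
            require(!claimed[id], "already claimed");
            claimed[id] = true;
            total += rewardPerNft[id];
        }
        _pay(msg.sender, total);
    }
}
```

The test worth writing for any batch-claim function is the same: call it with an array that repeats one id and assert that the payout equals the single-id payout or that the call reverts, never a multiple of it.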