Defimon Alerts

Onchain monitoring and incident response is crucial for DeFi Since 2022 we have been working on defimon.xyz to detect DeFi exploits by analyzing transactions in real-time. There is a constant stream of DeFi exploits that are barely noticed. You can get access to these instant alerts by subscribing to the exploits feed for just 50$/mo. For protocol teams we offer a Websocket subscription to act on the alerts automatically. Native Telegram subscription: t.me/+m9BMRKlMuW5iM… Tribute mini-app: t.me/tribute/app?st… Contact: t.me/DecurityHQ

💬 Onchain Message: Hi, we've decided to offer a 20% bounty for the exploit you carried out, we'll advice to refund %80 of funds to below address to avoid legal charges, we really hope we see this through amicably. Refund: 0x87192F5d0f44e3Ea7BD6594D3b3e890657aA1CCf etherscan.io/tx/0x5da0cb7f0…

🚨 NewMarketTrading.com (CEO @frank_hep) - Loss ~$3M (2026-05-25) Type: Access Control / Authorization Bypass New Market Trading gives each user a non-custodial ERC-4337 Safe smart account with a suite of DeFi modules (Aave, Yearn, Morpho, Beefy, SquidRouter, etc) that an off-chain delegate executes via a shared PermissionsManager/DelegateBundler. The SquidRouterModule inherits Axelar's permissionless expressExecuteWithToken(), which does no gateway validation at express time. Its _executeWithToken only checks that a caller-supplied sourceAddress string equals Squid's router, then _processPayload blindly trusts the delegate address encoded in the attacker's payload. By passing a real permissioned delegate with malicious swap/approve actions, anyone could impersonate that delegate and make any user Safe approve + swap its full balance. We contacted @squidrouter as soon as the first attack was detected by our monitoring system. Squid is not vulnerable - it's the flaw is in New Market Trading's module wrapping the Axelar express pattern. Sample TX: etherscan.io/tx/0x2d5298470… Vulnerable module: etherscan.io/address/0x1f1d…

💬 Onchain Message: We represent the New Market Trading team that you exploited. Can we talk over blockscan chat? etherscan.io/tx/0xf7c95518e…

🚨 Fractal Protocol - Loss ~$13.7K (2026-05-22) Token: $USDF (receipt token, no liquid market) TVL: $97.27K (pre-hack) Type: Logic Error / Price Manipulation Attacker (0xe2acec13) used an Aave V3 USDC.e flash loan, looped through a chain of Balancer V2 batchSwap callbacks, and recursively hit Fractal's Vault deposit (0xb6b55f25) / withdraw on 0x80e1a981 (impl 0x038c8535) and the USDF receipt token 0xae48b7c8 (impl 0xf8a13864). Each callback minted USDF at the configured tokenPrice and burned it back, extracting ~$13.7K of USDC.e from the vault by exploiting the deposit/withdraw accounting (tokenPrice/share-rounding) inside the recursive Balancer→Vault flow. Vault uses a fixed daily-accrued tokenPrice (~1.27 USDC/USDF) with only a 30-day catch-up in _compute(), and no proper invariant check between depositAmount and withdrawalAmount across re-entered swap callbacks. TX: arbiscan.io/tx/0x20db78913… Victim Vault: arbiscan.io/address/0x80e1… USDF Token: arbiscan.io/address/0xae48…

Learn about new DeFi hacks before anyone posts on Twitter: t.me/send?start=SBR…

🚨 @Mureapp - Loss ~$11.7K (2026-05-21) Type: Access Control / Unvalidated Signer Source MureDistribution trusts the user-supplied input to provide the authorized signer. Attacker passed an attacker-controlled contract as source, making themselves the "signer" - SignatureChecker then calls the attacker contract which returns true. Attacker then drained any address that had pre-approved the MureDistribution proxy, pulling 4.85M QUEST via transferFrom and dumping to ~5.45 ETH on Uniswap. TX: etherscan.io/tx/0xb83040361… Victim: etherscan.io/address/0x3650… (MureDistribution proxy)

💬 Onchain Message: To the Verus<->Ethereum Bridge Exploiter: Members of the Verus community and its developers have discussed a set of terms, detailing the size of the bounty, obligations from your side and ours, and how the funds can be returned. 1. We have agreed that the bounty amount will be 1350 ETH. If you adhere to these terms, we will consider these 1350 ETH a reward for your exposing of a vulnerability, and we would publicly request to all interested parties that the 1350 ETH be considered your legitimate bounty. 2. If the funds are returned to the address 0xF9AB28cB7b72B518e6a351FbdaBe69362cBC1A74, minus 1350 ETH, meaning a total return of 4052.4 ETH within 24 hours after this post, Verus community members and developers, and everyone we currently know to be involved in investigating the event, will halt any existing investigations into you to the best of our ability, and we will not press charges or pursue extralegal consequences. We will consider the address that holds 1350, either as change or if still in the source as the bounty address. If you return a total of 4052.4 ETH to the address 0xF9AB28cB7b72B518e6a351FbdaBe69362cBC1A74 within the 24 hours specified above, we will understand that as your agreement to these terms, and we will uphold our stated agreement to cease further investigation into you, not initiate new investigation of you, not press charges, and not seek additional consequences. We will also post a public acknowledgement, referencing the 1350 ETH and publicly state that we consider those funds to be your bounty. If further communication is required to come to an agreement, please refer to the following contact points, as mentioned in previous messages: email: verus.bridge@proton.me z-address on Verus (for encrypted memo communication): zs1wl6e6qe8z8n8t8jp4qxek5ey53t9xajzwxc75gj72wrcwuq6ha4mdg0v8p6z8wpkz2fhxrqlayc To verify the authenticity of this offer, you can also see the same message posted on the Verus discord in the announcements channel, and on the Verus community's X account at x.com/VerusCoin. etherscan.io/tx/0x3ce93e671…

Learn about new DeFi hacks before anyone posts on Twitter: t.me/send?start=SBR…

🚨 @ElevateFiOG ($EFI) - Loss ~$16K (2026-05-19) Type: Oracle Manipulation (UniswapV2 spot-price) Staking vault prices EFI via raw pricePair.getReserves(). Attacker used a flash-loan funded buy of EFI from the EFI/DAI pair to inflate spot EFI price during staking, paid less EFI for a large packageUsd credit, then waited for epochs to accrue and called rebase() + claim() at normal price, extracting 6,256.5 EFI (2x the EFI they put in) from the vault. StakeEFI TX: polygonscan.com/tx/0x2bd7213a7… Claim TX: polygonscan.com/tx/0x3b366a43a… Victim: polygonscan.com/address/0x816e…

💬 Onchain Message: Hey, nice one. LunarBase team. We know the bug - asymmetric L (Ly for X to Y, Lx for Y to X) sharing one mid. Round-trip doesn't close. Patched and pool's back live. Willing to keep a bounty and return the rest? basescan.org/tx/0x07f2fbf70…

💬 Onchain Message: To the Verus<->Ethereum bridge attacker, The Verus community and its developers acknowledge your skill. Your recent attack on the Verus Ethereum Bridge was a sophisticated, multi-step exploit, requiring a solid understanding of both the Verus network cross-chain protocol's validation methods and also how the Ethereum contracts handle proofs in great detail. We see what you did, step by step, and will, of course, resolve the vulnerability and describe it in detail, as there is a lot of misinformation in online summaries. We ask that you agree to a resolution that isn't just you take everything, requiring us to kick off investigations that we can't stop. We ask that you accept a compromise. If you are willing to return funds, the community would certainly be willing both pay a substantial percentage of the funds' amount as bounty for finding this issue, and will not pursue any further action past that point. You can contact us at any of the following email: verus.bridge@proton.me z-address on Verus (for encrypted memo communication): zs1wl6e6qe8z8n8t8jp4qxek5ey53t9xajzwxc75gj72wrcwuq6ha4mdg0v8p6z8wpkz2fhxrqlayc Please sign your response with any of the "Verus Exploiter" addresses (0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777, 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9) to verify etherscan.io/tx/0x8a69f4f90…

💬 Onchain Message: Dear Mr. Hacker,The funds you took are the compensation funds that users are waiting for. We kindly ask you to return a portion. Thank you! bscscan.com/tx/0xce1e7a4b4…

💬 Onchain Message: Please return ETH sent as fees to your deployed contract 0x6beAc0dd77044A9B6D290efC8Fb95D1fd670a415 after exploit at tx 0xec9c1a3c5a26ca035954583e3d589240ed30139a8b8c6d6194a33b3efcd15e79 etherscan.io/tx/0x67a2dbd92…

@chrisdior777 @adsharesNet Sorry, but this is just engagement farming without any additional value. If you wanted awareness, you could just retweet.

@DefimonAlerts @adsharesNet I credited you as a source and amplified the alert. Not sure why me spreading extra awareness is bad?

🚨 JUST IN: @adsharesNet was exploited for ~$628K. Cause: fake bridge mint validation. The bridge-minter EOA signed 3 wrapTo() calls with non-existent native-chain txids, minting fake wADS to the attacker. Attacker dumped the wADS for ~148.5 ETH and ~$305K USDC on Ethereum.

🚨 @adsharesNet - Loss ~$628K (2026-05-15) Adshares bridge-minter EOA signed three wrapTo() calls on the WrappedADS contract minting 99,999.93 (x2) + 999,999.94 wADS to attacker. All three calls cited native block-message txids that don't exist on the canonical Adshares chain. The attacker then dumped the wADS through Uniswap V4 UniversalRouter, extracting ~148.5469 ETH and ~$304,995 USDC. 1M ADS fake mint: etherscan.io/tx/0xa34765751… Victim (WrappedADS): etherscan.io/address/0xcfcE… Attacker EOA: etherscan.io/address/0x63e2… Native attacker account: operator.adshares.net/blockexplorer/…

💬 Onchain Message: To the address that interacted with Adshares Wrapper contract 0xcfcEcFe2bD2FED07A9145222E8a7ad9Cf1Ccd22A: Regarding the vulnerability you identified and exploited. We are prepared to treat this as a whitehat disclosure under the following terms: 1. Return 90% of the drained assets to 0xb6fe3854a85dc6c2a873f2b6bbd43a36c74cae1f within 72 hours of this message. 2. You retain 10% as a whitehat bounty. 3. Upon receipt of the 90%, Adshares will not pursue any civil or criminal action, and we will treat this incident as a whitehat disclosure. Contact contact@adshares.net with a message signed by this EOA, 0x63e22Ce9Bde9bb8892a447258abfCaa4142f001B, for further communication We want to resolve this cleanly. etherscan.io/tx/0x99a1114c2…

💬 Onchain Message: The company is prepared to write off the stolen funds and proceed with a criminal complaint. Based on the latest information available to us, data from the wallets, swap systems (DefiLlama and others used by you), and network infrastructure used in this incident has already been obtained and analyzed. We once again propose discussing a settlement of the situation via a bug bounty instead of a criminal complaint. Contacts: telegram @trustedvolumes, email tvbugbounty@proton.me etherscan.io/tx/0xebeec0fba…

💬 Onchain Message: MEV Sandwich Attack Alert Calculated loss: $201.97 (0.088170 WETH-equivalent) Your tx: etherscan.io/tx/0xbffc57f64… Block: 25095209 Your swap: 1.067835 WETH -> 20,412,930,711.02 wojak What happened: 1. Frontrun tx: etherscan.io/tx/0x914c47403… A bot bought wojak before your swap. 2. Your swap tx: etherscan.io/tx/0xbffc57f64… You bought after the bot pushed the price against you. 3. Backrun tx: etherscan.io/tx/0xa0e563ecd… The bot sold right after your swap. In simple words: the bot entered before you, made your price worse, then exited after you. That is why you likely received less than you should have. Next steps: use a private/MEV-protected RPC such as Flashbots Protect, set tighter slippage, split large swaps, avoid low-liquidity V2 pools during volatile periods, and revoke approvals if you used a suspicious router or token. Evidence tx: etherscan.io/tx/0xbffc57f64… Uniswap V2 pool: etherscan.io/address/0xcaa3… No wallet connect, signature, or payment is required. Never sign anything from alert links. Optional tip if this helped: EVM/ERC20: 0xe8a4f9c227bf4495c89043ea816eff4f9df2f7b2a SOL: 9ZfjrKL8pzWRFxNjcPY8pqjwLptWJVwQpLT9fCqbr7P2 BTC: bc1q5lk8hnxq798rvp3ewxwdpz34syy42qepff8jn0sgy9f96w5n4dzstsuuhs basescan.org/tx/0x85135f190…

▶️ Contract unpaused 🌍 Network: mainnet 📍 Contract: LRTOracle belonging to protocol Kelp DAO (Immunefi) 👤 Actor: 0xb3696a817d01c8623e66d156b6798291fa10a46d 🕐 Time: 14:45, 15 May 2026 (UTC) etherscan.io/tx/0xb1bd0cfcf…