ExVul

910 posts

ExVul

@exvulsec

State-of-the-art Web3 security services (audits, pentest, etc.). Book an audit: https://t.co/mOtBwIAwnt. In-time DeFi security monitor: https://t.co/zZ6yedJfVB

Web3 World · Joined September 2023
250 Following · 4.4K Followers
ExVul (@exvulsec)
🚨🚨🚨 Security Alert: WUSD.fi / GLOVE Incentive Abuse

On May 25, 2026, WUSD.fi / GLOVE on Ethereum suffered an exploit, resulting in the theft of USDC and USDT from GLO liquidity pools valued at ~$200K so far.

🔍 Root Cause
The incident was caused by sybil abuse in `WUSD._englove`. Each fresh `msg.sender` wrapping at least 100 WUSD while holding fewer than 2 GLOVE could receive up to 2 GLOVE via `Glove.mintCreditless`, with no sybil resistance. The attacker used EIP-7702 helper contracts and a Morpho USDT flash loan to repeat wrap/unwrap cycles, harvest GLOVE, and dump it into Uniswap V3 GLO pools.

🧾 On-chain Details
• Exploiter: `0x88329A09428778F62BC0C8BAac0997864E5a57f8`
• Victim pool: Uniswap V3 GLO-USDC `0xB89F65D6c7d33A35Da7C01934e310a6f40E18A1f` (`-11,702 USDC` observed)
• Victim pool: Uniswap V3 GLO-USDT `0xa2Bd1A142ff49131B8CC70A332bdA0125018c324` (`-8,079 USDT` observed)
• Attack txs: etherscan.io/tx/0x2051c1f8d…
ExVul (@exvulsec)
🚨🚨🚨 Security Alert: Polymarket-Linked Wallet Drain

Polymarket-linked wallets on Polygon suffered repeated drains from two EIP-7702 delegated accounts, resulting in the theft of funds valued at ~$600K+.

🔍 Root Cause
Under investigation. On-chain activity shows the affected accounts were drained in repeated transfers, with funds first moving to `0x91430CaD2d3975766499717fA0D66A78D814E5c5` before being forwarded to `0x8F98075db5d6C620e8D420A8c516E2F2059d9B91`.

🧾 On-chain Details
• Affected addresses: `0x871D7c0f9E19001fC01E04e6cdFa7fA20f929082`, `0xf61e39C7EB1E2Ff5af3A24bCA88D40fD11594805`
• Intermediate recipient: `0x91430CaD2d3975766499717fA0D66A78D814E5c5`
• Exploiter: `0x8F98075db5d6C620e8D420A8c516E2F2059d9B91`

More details will follow.
ExVul (@exvulsec)
We're pleased to share that ExVul has successfully completed a comprehensive smart contract audit for @cysic_xyz.

Cysic Network is a full-stack compute infrastructure designed to power the next generation of verifiable AI, ZK proofs, and decentralized compute economies. By unifying hardware, on-chain coordination, and tokenized compute assets, Cysic bridges the gap between traditional cloud computing and blockchain-based verification, turning compute power into a transparent, tradable, and yield-generating asset class.

ExVul will continue to provide dedicated security expertise to support the growth and reliability of the Cysic ecosystem. 🔒✨

Click here to view our full audit report: github.com/exvulsec/audit…
ExVul (@exvulsec)
🚨🚨🚨 Security Alert: Galxe SpaceStation V2 Signer-Key Compromise

In the early hours of May 18, 2026, Galxe SpaceStation V2 suffered an incident across Ethereum, BSC, Polygon, Arbitrum, Base, and Optimism, resulting in the theft of USDT, USDC, BUSD, OP, and CYBER valued at ~$219,411.

🔍 Root Cause
A campaign-signing key used by SpaceStation V2 reward contracts was compromised. The attacker replayed valid EIP-712 signatures against `claim(cid, dummyId, expiredAt, claimTo, signature)` on contracts that recover signatures to a single immutable `_signer`, `0xC638B660694688c559D67016F4cD58d408aba306`, which had not been rotated since deployment.

🧾 On-chain Details
• Attacker address: `0x6dBA9Be4fbA81CB9928ae7Ae5B909cb6C4577Aac`
• Compromised signer: `0xC638B660694688c559D67016F4cD58d408aba306`
• Affected reward contracts:
  Ethereum: `0x7870fC5dBa3251295077970B6e1425Da62a8CDF9`
  Polygon: `0x51BA6746c7502eeA040836169807d6596351CDE3`
  BSC: `0x803D7d0B1e826E4a57Bd41ee47D7B41D29E0ca4A`
  Base: `0xf7a39a4642ec17c0b1bbd3c0aa176435e689f426`
  Optimism: `0x406b02e7ab35d4e1dbc8be8695f03b1f39fde734`
• Attack txs:
  Ethereum: `0x43399f457695c2d7f57ce08751f67653d5ab7bc389f18338b829c32d0980eb57`
  Polygon: `0x1d3f4dfabdc23b3f67ffaf7414683f3efbfffc95481f8d28e02bfcf0d59872bb`
  BSC: `0x81599d633c038004589a8ef0f8d911d5d986ca32433eb5a717491238112b8e8c`

🛡️ Takeaway
Signing keys for cross-chain reward claims should be treated as high-value production secrets and rotated on a defined schedule. Add rapid signer-revocation controls, domain-scoped replay protections, and circuit breakers around any signature-authorized asset distribution path.
ExVul (@exvulsec)
🚨🚨🚨 Security Alert: Verus-Ethereum Bridge Exploit

@VerusCoin Ethereum Bridge suffered an exploit, resulting in the theft of 1,625.37 ETH, 103.57 tBTC v2, and 147,659 USDC valued at ~$11.58M.

🔍 Root Cause
A forged cross-chain import payload was submitted to `submitImports()`. The crafted `PartialTransactionProof` passed the bridge's verification flow in `proveImports`, and the follow-up `processTransactions` call executed three attacker-attached transfers to the drainer wallet.

🧾 On-chain Details
• Affected bridge contract: `0x71518580f36feceffe0721f06ba4703218cd7f63`
• Attacker EOA: `0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777`
• Drainer wallet: `0x65Cb8b128Bf6e690761044CCECA422bb239C25F9`
• Attack txs: etherscan.io/tx/0x6990f0172…

🛡️ Takeaway
Cross-chain import proofs must bind every downstream transfer effect to authenticated payload data before execution. Bridges should add strict payload-to-execution validation, defense-in-depth around proof verification, and pause outbound flows when anomalous imports are detected.
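The payload-to-execution binding that the takeaway above calls for, as an added example that is not part of the original post and not the Verus bridge's own code. `ImportBridge`, `Transfer`, the `exportId` field, the trusted-root registration path and the sorted-pair Merkle convention are all assumptions made for the illustration. The contrast is between an import function that proves one thing (a header) and then executes transfers supplied as a separate, caller-controlled argument, and one where the transfer list itself is the proven leaf, consumed exactly once.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Verus bridge code. All names and the root-registration flow are hypothetical.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract ImportBridge {
    struct Transfer { address token; address to; uint256 amount; }

    // Roots of finalized export batches. How they get here (notaries, light client) is out of scope.
    mapping(bytes32 => bool) public trustedRoot;
    // Leaves already executed; stops the same proven batch from being imported twice.
    mapping(bytes32 => bool) public processed;
    address public immutable rootAuthority;

    event Imported(bytes32 indexed leaf, uint256 transfers);

    constructor(address _rootAuthority) { rootAuthority = _rootAuthority; }

    function setTrustedRoot(bytes32 root) external {
        require(msg.sender == rootAuthority, "not authority");
        trustedRoot[root] = true;
    }

    // UNSAFE SHAPE: the proof authenticates `header`, but the transfers that actually execute
    // arrive as a separate argument. Anyone holding any valid proof can attach their own transfers,
    // which is the failure mode the takeaway warns against.
    function submitImportsUnsafe(
        bytes32 root, bytes32 header, bytes32[] calldata proof, Transfer[] calldata attached
    ) external {
        require(trustedRoot[root], "unknown root");
        require(_verify(proof, root, header), "bad proof");
        for (uint256 i; i < attached.length; i++) {
            IERC20(attached[i].token).transfer(attached[i].to, attached[i].amount);
        }
    }

    // HARDENED: the leaf commits to the full transfer list plus a batch id, so execution is driven
    // only by data the proof covers, and each leaf is consumed once (effects before interactions).
    function submitImports(
        bytes32 root, uint256 exportId, Transfer[] calldata transfers, bytes32[] calldata proof
    ) external {
        require(trustedRoot[root], "unknown root");
        bytes32 leaf = keccak256(abi.encode(exportId, transfers));
        require(!processed[leaf], "already imported");
        require(_verify(proof, root, leaf), "bad proof");
        processed[leaf] = true;
        for (uint256 i; i < transfers.length; i++) {
            require(
                IERC20(transfers[i].token).transfer(transfers[i].to, transfers[i].amount),
                "transfer failed"
            );
        }
        emit Imported(leaf, transfers.length);
    }

    // Sorted-pair Merkle inclusion check (same convention as OpenZeppelin's MerkleProof).
    function _verify(bytes32[] calldata proof, bytes32 root, bytes32 leaf) internal pure returns (bool) {
        bytes32 node = leaf;
        for (uint256 i; i < proof.length; i++) {
            bytes32 p = proof[i];
            node = node < p
                ? keccak256(abi.encodePacked(node, p))
                : keccak256(abi.encodePacked(p, node));
        }
        return node == root;
    }
}
```

The leaf is built from the exact calldata the contract will act on, so a caller cannot swap recipients or amounts after the proof was produced; tokens that do not return a bool on `transfer` (USDT-style) would need a SafeERC20-style wrapper in production.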
ExVul (@exvulsec)
🚨🚨🚨 Security Alert: BoostHook Leveraged Long Exploit

BoostHook suffered an exploit on Ethereum mainnet, resulting in attacker profit of ~20.9329 WETH, at least 38.3274 ETH in realized protocol bad debt, and another 32 ETH of debt left open across surviving positions.

🔍 Root Cause
The attacker used a 120 WETH Morpho flash loan to manipulate the ETH/PERP Uniswap v4 pool price, then opened nine leveraged positions through `BoostHook.openLong()` at inflated pricing. `BoostHook` recorded the positions without enforcing a strong post-open solvency check, and after the attacker dumped PERP back into the pool, `BoostHook.afterSwap()` liquidated only five positions due to `MAX_LIQS_PER_BLOCK = 5`, leaving four toxic positions open.

🧾 On-chain Details
• Victim contracts:
  `0x3db1ebb71c735980d12422f153987d89f4d7eacc` (`BoostHook`)
  `0x000000000004444c5dc75cb358380d2e3de08a90` (`Uniswap V4: Pool Manager`)
  `0x4ae2458e6d087aaa3625d81242f22f0b513bca07` (`BoostStaking`)
• Attacker addresses:
  `0xb0a019dd22c363e82fa4f96ae1e4b993341f5104`
  `0xb64bff7b5199abcbb98fee2bf4014265fca85a6d`
• Attack txs: etherscan.io/tx/0xb45cc4d9c…

🛡️ Takeaway
Leveraged position entry must enforce post-open solvency and debt-coverage invariants, not only swap slippage checks. Protocols should defend against same-transaction price manipulation and avoid liquidation caps that allow multiple toxic positions to survive during an attack path.
ExVul (@exvulsec)
🚨🚨🚨 Security Alert: Aurellion Labs ERC20 Pull Incident

@Aurellion_Labs suffered an incident on Arbitrum, resulting in the transfer of 456,442.536622 USDC to an attacker-controlled address.

🔍 Root Cause
The attacker deployed and initialized a diamond-style contract flow, then executed `diamondCut(...)` to attach a facet exposing `pullERC20(address,address,uint256)` and `sweepERC20(address,address)`. The attacker used `pullERC20` to invoke `USDC.transferFrom(...)` against multiple EOAs with pre-existing USDC approvals, then swept the collected balance out of the proxy. This was not caused by a vulnerability in USDC itself.

🧾 On-chain Details
• Malicious diamond / pull contract: `0x0adc63e71b035d5c7fdb1b4593999fa1f296f1b2`
• Attacker receiver / operator path: `0x9f49591a3bf95b49cd8d9477b4481ce9da68d5ca`, `0x4d7759e69cc973d338a1ea2fdb125c2b818f4d7e`
• Stolen asset: 456,442.536622 USDC
• Attack txs: arbiscan.io/tx/0x19cbafae5…

🛡️ Takeaway
Approval-based token pull mechanisms become high risk when paired with attacker-controlled upgradeability or arbitrary execution hooks. Initialization and upgrade authority must be strictly locked, and users should avoid leaving unlimited approvals on untrusted or weakly governed contracts.
ExVul (@exvulsec)
Security Alert: Huma Finance V1 BaseCreditPool Exploit

@humafinance suffered an exploit affecting deprecated V1 BaseCreditPool deployments on Polygon, resulting in the theft of USDC and USDC.e valued at ~$101,389.

🔍 Root Cause
Under investigation. The affected contracts were deprecated V1 deployments, and no user funds are reported to be at risk.

🧾 On-chain Details
• Affected V1 BaseCreditPool deployments:
  `0x3EBc1f0644A69c565957EF7cEb5AEafE94Eb6FcE` (82,315.57 USDC)
  `0x95533e56f397152B0013A39586bC97309e9A00a7` (17,290.76 USDC.e)
  `0xe8926aDbFADb5DA91CD56A7d5aCC31AA3FDF47E5` (1,783.97 USDC.e)
• Attacker address: `0x13B44e416e0f66359502E843AF2e1191f1260DaF`
• Exploit contract: `0x44D4a434aE1529106e4B801315E22721978022A3`
• Attack txs: polygonscan.com/tx/0x7b8d641d7…

🛡️ Takeaway
Deprecated deployments should be fully decommissioned, access-restricted, or drained of residual funds once retired. Even when user funds are not directly at risk, legacy contracts left live onchain can still present exploitable value.
ExVul (@exvulsec)
🚨🚨🚨 Security Alert: INK Finance Treasury Proxy Exploit

In the early hours of May 11, INK Finance suffered an exploit on Polygon, resulting in the theft of USDT valued at ~$140,148.

🔍 Root Cause
The attacker deployed a contract at an address matching a whitelisted claimer entry in INK Finance's Workspace controller. By calling `claim(claimId)`, they passed the eligibility check and triggered the treasury proxy's authorized transfer path, draining funds. A Balancer V2 flashloan was used and repaid atomically during the exploit.

🧾 On-chain Details
• Victim contract (Workspace Treasury Proxy): `0xa184Af4B1c01815A4B57422A3419E4FB78a96Ee4`
• Attacker address: `0x90b147592191388e955401af43842e19faa87ee2`
• Attack txs: polygonscan.com/tx/0xb469a24ec…

🛡️ Takeaway
Whitelist-based authorization should not rely on address assumptions alone. Sensitive claim and transfer flows should enforce stronger identity validation, strict recipient binding, and continuous monitoring for anomalous contract deployments or flashloan-assisted execution.
ExVul (@exvulsec)
🚨🚨🚨 Security Alert: Renegade Dark Pool Exploit

@renegade_fi suffered an exploit, resulting in the theft of 27 ERC-20 assets valued at ~$209K.

🔍 Root Cause
An unprotected `initializer` on the Dark Pool proxy allowed the attacker to inject malicious logic and execute it via `delegatecall` in proxy storage, enabling asset drainage.

🧾 On-chain Details
• Victim contract (Dark Pool Proxy 1): `0x30bD8eAb29181F790D7e495786d4B96d7AfDC518`
• Attacker address: `0x777253F28AdC29645152b7b41BE5c772A9657777`
• Attack txs: arbiscan.io/tx/0x0e494685a…

🛡️ Takeaway
Lock all proxy initialization paths after deployment and enforce strict initializer guards. Monitor for unauthorized initialization or implementation changes, and pause integrations immediately if anomalies are detected.
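Both the Renegade post (an unprotected `initializer` that let an attacker point a proxy at their own logic) and the Aurellion post (attacker-controlled initialization and `diamondCut` upgrade authority on a contract users had approved) come down to the same control: there must be no window in which a stranger can initialize or upgrade. The minimal proxy below is an added example, not Renegade's or Aurellion's code; `UpgradeableVaultProxy`, `VaultLogic`, and the EIP-1967 slot layout are the assumptions. Initialization happens atomically in the constructor, the bare implementation locks itself so it cannot be initialized directly, and the upgrade path is admin-only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Renegade or Aurellion code. Names are hypothetical.

contract UpgradeableVaultProxy {
    // EIP-1967 slots keep admin/implementation out of the logic contract's storage layout.
    bytes32 internal constant IMPL_SLOT  = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    bytes32 internal constant ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;

    // UNSAFE SHAPE (the pattern the Renegade post describes): a public initialize() with no guard
    // and no caller check; whoever calls it first becomes admin and picks the implementation.
    //
    //   function initialize(address impl) external {
    //       _set(ADMIN_SLOT, msg.sender);
    //       _set(IMPL_SLOT, impl);
    //   }

    // HARDENED: admin, implementation and logic-level initialization are all fixed in the same
    // transaction that deploys the proxy, so there is no post-deployment initialization window.
    constructor(address admin, address impl, bytes memory initData) {
        require(admin != address(0), "zero admin");
        require(impl.code.length > 0, "impl not a contract");
        _set(ADMIN_SLOT, admin);
        _set(IMPL_SLOT, impl);
        if (initData.length > 0) {
            (bool ok, ) = impl.delegatecall(initData); // runs VaultLogic.initialize in proxy storage
            require(ok, "init failed");
        }
    }

    // Upgrade authority (the diamondCut / upgradeTo equivalent) is admin-only. The Aurellion post
    // shows the result when this path is attacker-controlled: any facet, including a token puller.
    function upgradeTo(address newImpl) external {
        require(msg.sender == _get(ADMIN_SLOT), "not admin");
        require(newImpl.code.length > 0, "impl not a contract");
        _set(IMPL_SLOT, newImpl);
    }

    fallback() external payable { _delegate(_get(IMPL_SLOT)); }
    receive() external payable { _delegate(_get(IMPL_SLOT)); }

    function _delegate(address impl) internal {
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
    function _get(bytes32 slot) internal view returns (address a) { assembly { a := sload(slot) } }
    function _set(bytes32 slot, address a) internal { assembly { sstore(slot, a) } }
}

// Logic side: the implementation must not be initializable by strangers either.
contract VaultLogic {
    bool private _initialized;
    address public owner;

    // Locks the bare implementation contract itself (the _disableInitializers idea), so nobody can
    // initialize it directly and use it as a springboard.
    constructor() { _initialized = true; }

    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }

    // Through the proxy this runs once, inside the proxy constructor's delegatecall.
    function initialize(address _owner) external initializer {
        require(_owner != address(0), "zero owner");
        owner = _owner;
    }
}
```

Deploy with `new UpgradeableVaultProxy(admin, address(logic), abi.encodeCall(VaultLogic.initialize, (owner)))`; a separate post-deployment `initialize` call is exactly the race the Renegade post describes. This minimal proxy keeps `upgradeTo` on the proxy itself, so a logic contract must not define a function with the same selector; a transparent or UUPS proxy resolves that clash properly.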
ExVul (@exvulsec)
🚨🚨🚨 Security Alert: Heisenberg (HEIST) / HeisenbergHook Uniswap V4 hook
Chain: Ethereum
Loss: ~0.42 ETH profit.
Target: HeisenbergHook at 0xbea90eed6b2d07e8d66894969ed6d0a5ba242ac8
Attack Tx: etherscan.io/tx/0x938216ea4…
Summary: An attacker used a 10 WETH Morpho flash loan to manipulate HEIST/ETH Uniswap V4 liquidity and HeisenbergHook fee-processing paths. The exploit combined pool initialization, liquidity add/remove, processFees/processBurn, and final HEIST-to-ETH swaps to extract ETH profit.
Funds flow: 0x0f6a119567dc162ed343b28a7506a5764741b665 received 0.42592 ETH.
Need ExVul's in-time DeFi security monitor (no delay)? Join our tg: t.me/send?start=IVf…
#DeFiSecurity #ETH #ExvulAlert
ExVul (@exvulsec)
🚨🚨🚨 Security Alert: BlastFOMO / BlastFOMOVault reward-claim logic abuse
Chain: BSC
Loss: ~1.28 BNB profit.
Target: BlastFOMOVault (0xbfb18b2c1c1b6b099f0e2b1e962c03210f24900e)
Attack Tx: bscscan.com/tx/0x0e37a1ba8…
Summary: The attacker used a 120 WBNB flash loan from ListaDAO Moolah to route BlastFOMO trades through PancakeSwap, then invoked TaxProcessor/BlastFOMOVault payout logic. Multiple temporary contracts repeatedly called BlastFOMOVault.claimBonus and returned the ETH to the attack contract.
Funds flow: 1.2895080796485432 ETH was observed flowing to 0xaea29218262dc6b0904ca077f6527c49dfd426d9.
Need ExVul's in-time DeFi security monitor (no delay)? Join our tg: t.me/send?start=IVf…
#DeFiSecurity #BSC #ExvulAlert
ExVul (@exvulsec)
🚨🚨🚨 Security Alert: Sat1 / Sat1Hook bonding-curve hook for the sat1 token
Chain: Ethereum
Target: Sat1Hook bonding-curve hook 0x2a0a30dd78af7698e6f40212b8b8324fce2ee888 for sat1 token 0x8f66337a0c2a02202fd91dd596c411cf977c6060
Attack Tx: etherscan.io/tx/0xc3ec96153…
Summary: The exploit path used Morpho WETH flash loans and V4/V3 swaps, but the affected component is Sat1Hook's bonding-curve/accounting logic.
Need ExVul's in-time DeFi security monitor (no delay)? Join our tg: t.me/+U33r1Rrcoy9hM…
#DeFiSecurity #ETH #ExvulAlert
ExVul (@exvulsec)
🚨🚨🚨 Security Alert: Aave V2 aUSDT / aSTETH positions
Chain: Ethereum
Loss: 229,030.9713 USDT realized to attacker
Target: Aave V2 aUSDT/aSTETH positions
Attack Tx: app.blocksec.com/phalcon/explor…
Funds flow: 32.443555102343855764 ETH came out of Curve after the aSTETH leg, and the attacker ultimately transferred 229,030.9713 USDT to 0x224c940003dd0b8aa1a20e655ced0363d573fa46.
Need ExVul's in-time DeFi security monitor (no delay)? Join our tg: t.me/+U33r1Rrcoy9hM…
#DeFiSecurity #ETH #ExvulAlert
ExVul (@exvulsec)
🚨🚨🚨 Security Alert: TrustedVolumes Continued Exploit Attempt

A second attacker has been identified attempting to exploit the same unpatched vulnerability in @TrustedVolumes, deploying a new malicious contract to replicate the original attack vector.

🧾 On-chain Details
• New attacker address: `0xbabf9d36094b58a32114869056f1e265fd6ee675`
• Malicious contract deployed: `0xA228726D5368D1350B315E39Cf9a23962655560A`
• Attack tx: etherscan.io/tx/0x15d627761…

Need ExVul's in-time DeFi security monitor (no delay)? Join our tg: t.me/+Xbd9PmU8s_Q5N…
#TrustedVolumes #Web3Security
ExVul (@exvulsec)
In the exploit transaction, attacker EOA 0xc3eb...9100 deployed the attack contract 0xd4d5...1e95, which first called `registerAllowedOrderSigner(signer=0xc3eb...9100, allowed=true)` on the settlement contract 0xeeee...1756. The attack contract then executed multiple settlement calls with selector 0x4112e1c2, using the TrustedVolumes Market Maker's unlimited approval to the settlement contract to pull out WETH, USDT, WBTC, and USDC, while returning only 4 minimal units of USDC to the Market Maker. At the end of the transaction, the stolen assets were transferred to 0xc3eb...9100.
ExVul (@exvulsec)
🚨🚨🚨 Security Alert: TrustedVolumes Resolver Exploit

@trustedvolumes suffered an exploit, resulting in the theft of WETH, USDT, WBTC, and USDC valued at ~$5.87M.

🔍 Root Cause
A distinct vulnerability was exploited in a TrustedVolumes-controlled custom RFQ swap proxy, `0xeEeEEe53033F7227d488ae83a27Bc9A9D5051756`. Public attribution indicates this is a different vulnerability from the March-2025 1inch Fusion V1 incident.

🧾 On-chain Details
• Victim contract (TrustedVolumes resolver): `0x9bA0CF1588E1DFA905eC948F7FE5104dD40EDa31`
• Exploiter address: `0xC3EBDdEa4f69df717a8f5c89e7cF20C1c0389100`
• Attack txs: etherscan.io/tx/0xc5c61b3ac…

🛡️ Takeaway
Custom swap/proxy pathways should be isolated behind strict allowlists, invariant checks, and emergency pause controls. Treat resolver/operator flows as high-risk surfaces and enforce continuous on-chain monitoring with immediate kill-switch response.
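Two posts on this page share one lesson about signature-authorized flows: the Galxe post (claims recovered to a single immutable `_signer` that was never rotated, replayed once the key leaked) and the TrustedVolumes thread (an attacker contract registering itself as an allowed order signer before settling). The contract below is an added example, not Galxe's or TrustedVolumes' code; `RewardClaim`, the `Claim` struct, the domain name/version and the owner model are assumptions. It shows the controls the Galxe takeaway lists: a rotatable and revocable signer set whose registration is owner-only, a per-claim used-mapping so a signature cannot be spent twice, an EIP-712 domain bound to the live chain id and contract address so a signature for one deployment is useless on another, an expiry, and a pause switch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Galxe or TrustedVolumes code. Names are hypothetical.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract RewardClaim {
    struct Claim { uint256 cid; uint256 claimId; uint256 expiresAt; address claimTo; uint256 amount; }

    bytes32 private constant CLAIM_TYPEHASH =
        keccak256("Claim(uint256 cid,uint256 claimId,uint256 expiresAt,address claimTo,uint256 amount)");
    bytes32 private constant DOMAIN_TYPEHASH =
        keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");
    // Upper bound on s; rejecting the high half of the curve order removes signature malleability.
    uint256 private constant HALF_ORDER = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    address public owner;
    IERC20 public immutable token;
    bool public paused;
    // A rotatable set instead of a single immutable signer: a compromised key is revoked with one
    // transaction rather than a redeploy on every chain.
    mapping(address => bool) public isSigner;
    // cid => claimId => consumed. This is what makes a leaked-but-valid signature single-use.
    mapping(uint256 => mapping(uint256 => bool)) public claimed;

    event SignerSet(address indexed signer, bool allowed);
    event Claimed(uint256 indexed cid, uint256 indexed claimId, address indexed to, uint256 amount);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20 _token, address initialSigner) {
        owner = msg.sender;
        token = _token;
        isSigner[initialSigner] = true;
    }

    // Owner-only. The TrustedVolumes thread shows the failure mode when a signer-registration
    // call is reachable by an arbitrary caller.
    function setSigner(address signer, bool allowed) external onlyOwner {
        isSigner[signer] = allowed;
        emit SignerSet(signer, allowed);
    }

    // Circuit breaker for the whole distribution path.
    function setPaused(bool p) external onlyOwner { paused = p; }

    // Computed per call so it follows block.chainid across forks; binding chainId and address(this)
    // is the domain-scoped replay protection the Galxe takeaway asks for.
    function domainSeparator() public view returns (bytes32) {
        return keccak256(abi.encode(
            DOMAIN_TYPEHASH, keccak256("RewardClaim"), keccak256("1"), block.chainid, address(this)
        ));
    }

    function digest(Claim calldata c) public view returns (bytes32) {
        bytes32 structHash = keccak256(abi.encode(
            CLAIM_TYPEHASH, c.cid, c.claimId, c.expiresAt, c.claimTo, c.amount
        ));
        return keccak256(abi.encodePacked("\x19\x01", domainSeparator(), structHash));
    }

    function claim(Claim calldata c, bytes calldata sig) external {
        require(!paused, "paused");
        require(block.timestamp <= c.expiresAt, "expired");
        require(!claimed[c.cid][c.claimId], "already claimed");
        require(isSigner[_recover(digest(c), sig)], "bad signature");
        claimed[c.cid][c.claimId] = true; // effect recorded before the token interaction
        require(token.transfer(c.claimTo, c.amount), "transfer failed");
        emit Claimed(c.cid, c.claimId, c.claimTo, c.amount);
    }

    function _recover(bytes32 h, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad sig length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        require(uint256(s) <= HALF_ORDER, "malleable s");
        address a = ecrecover(h, v, r, s);
        require(a != address(0), "invalid signature");
        return a;
    }
}
```

Because `claimTo` and `amount` are inside the signed struct, a holder of a valid signature cannot redirect the payout, and because the domain includes `address(this)`, the same signed claim cannot be presented to sibling deployments on other chains even when they share a signer; rotating that signer on a schedule and revoking it on compromise is the operational half that no contract code replaces.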