ret2basic.eth (@ret2basic)
2.6K posts
@taichiaudit Founder | Web3 Security Researcher @yAuditDAO @zenith256 @plainshift | Core Member @DeFiHackLabs
GMT+8, Joined January 2018
3.9K Following, 2.2K Followers

Pinned Tweet
ret2basic.eth (@ret2basic):
After ~3.5 years in web3 security, I finally achieved 300 crit/h/m count!😂Here is my updated portfolio: ret2basic.me/audits.html Any firm looking for contract-based auditor with move/solana/cosmwasm/daml experience? Happy to chat😁
CharlesWang (@0xCharlesWang):
Am I the only one that gets blocked by ChatGPT these days for auditing purposes?
ret2basic.eth (@ret2basic):
@0xapple_ Good memory. I had done this in 2022, understanding codebase was so hard back then, pace was slow but enjoyable compared to nowadays
0xApple (@0xapple_):
😭 auditing for weeks and finding zero bugs?
it's not bad luck, you just haven't trained on the right codebases
💡 the fix: shadow audits
audit a closed contest yourself → then read the report → see what you missed
but pick the RIGHT ones. small nSLOC, diverse bug types, don't start with 5k line monsters 💀
here are 5 @sherlockdefi contests perfect for this (2 days each max):
🔹 Surge — audits.sherlock.xyz/contests/51
🔹 Telcoin — audits.sherlock.xyz/contests/49
🔹 Olympus — audits.sherlock.xyz/contests/60
🔹 Cooler — audits.sherlock.xyz/contests/107
🔹 Crestal — audits.sherlock.xyz/contests/755
the fun part? check the results after
see what you could've earned if you'd submitted
makes it feel real 💰
that gap between your findings and the winners = exactly where to improve 🧵
ret2basic.eth (@ret2basic):
Passed Daml fundamentals cert exam😁Thanks @digitalasset for the great intro course
ret2basic.eth (@ret2basic):
@contracthaxor Objectively it is still evm and solana. From my own perspective it will depend on the firm I collaborate with, each firm has a different focus because of marketing / bd
Colin (@contracthaxor):
@ret2basic what ecosystems are you seeing the most demand in?
ret2basic.eth (@ret2basic):
Not judging his ethics, KyberSwap hack is one of my favorite exploits.
Quoted tweet from StarPlatinum (@StarPlatinum_):
So you're telling me that Andean Medjedovic walked away with $65,000,000
April 2026
- 23 years old
- Canadian math prodigy
- from Hamilton, Ontario
background
- finished high school at 14
- studied mathematics at University of Waterloo
- described as "one of the brightest students ever"
- obsessed with DeFi mechanics and AMMs
early crypto activity
- participates in bug bounties
- finds vulnerabilities legally
- builds reputation in Code4rena
October 2021
Indexed Finance exploit
- manipulates reindexing mechanism
- uses flash loans to distort pool pricing
- drains $16.5M
- embeds "1488" references in addresses
- includes offensive messages in transactions
after the hack
- publicly admits involvement
- refuses to return funds
- rejects bug bounty
- Ontario court issues warrant
- he disappears
November 2023
KyberSwap exploit
- operating from a hotel in The Hague
- using a fake Slovak passport
- executes complex liquidity manipulation
- drains $48.8M across chains
total extracted ~$65M
what happens next, he sends on-chain message to Kyber team
- demands control of the protocol
- in exchange, returning only 50% of funds
"less than what they wanted, more than they deserve"
August 2024
- detained in Serbia
- held for over 90 days
- released due to insufficient evidence for extradition
- disappears again
February 2025
DOJ indictment
February 2026
- hires U.S. lobbyist
- pays ~$300,000 retainer
- goal was presidential pardon
April 29, 2026
current activity
- moves stolen funds
- sends $24.88M through Tornado Cash
- actively laundering
- still on the run
a fugitive still moving millions

playboi.eth (@adeolRxxxx):
Another hack @AftermathFi. It’s been raining. $1.4m gone I think I have to finally say. We white hats are not in a ready position to fight against blackhats on chain. We are so bounded and limited to contests and bug bounties that our scope is dependent on these. Maybe when we see beyond ourselves, we’d be a ready match for blackhats. Those mfers are active on blocks, we are there fighting for a report to be escalated in our favor. This is becoming sad. WE CANNOT WIN, OUR TRAINING MODEL IS FLAWED.
ACai (@ACai_sec):
The attacker took advantage of the execute function exposed by 0xc851, which lacks an access-control check, to make 0xc851 call the fund account as owner, ultimately moving out 224,865 USDC and 183,453.18 USDT.
Quoted tweet from ExVul (@exvulsec):
🚨🚨🚨Exploit Alert
Chain: Ethereum
Loss: $408,318.18
Target: 0xc851e5a046819b022091b50f05ae3bd052e034a4
Attack Tx: etherscan.io/tx/0x81f9aeaa6…
Summary: An attacker deployed 0x2196b3f31a43de49a2951c514488a8dd7c96ad67 and abused execute(uint256,address,uint256,bytes) on 0xc851e5a046819b022091b50f05ae3bd052e034a4 to pull 224,865 USDC and 183,453.18 USDT through 0x34be478993b60561c7c9f3b8a3851e9a3a15cd53 and 0x2a69893ec6d332101750eed731d52891717af671.
Funds flow: 0x2196b3f31a43de49a2951c514488a8dd7c96ad67 forwarded both token balances to 0xdb2096ffceef50106c4457b12fc139d89d179cce.
#DeFiSecurity #ETH #ExploitAlert

ret2basic.eth (@ret2basic):
🙃so the analysis I previously retweeted was wrong...
Quoted tweet from Vadim (AI, ⋈) (@zacodil):
Scallop drained for 150K SUI by someone who knew exactly which deprecated package to call. Not the active code. Not the SDK path. An old V2 from November 2023 that nobody's used in months. Either deep reverse engineering, or someone who knew where to look. The bug had been sitting there for 17 months.

How the bug works: The spool tracks an "index" that grows over time as rewards distribute. Each user account is supposed to record its last_index at the moment of staking, so points earned = stake × (current_index - last_index). You only earn rewards from when you joined.

In the deprecated V2 package, last_index isn't initialized when you create a fresh spool_account. It stays at 0. So when update_points runs, it computes points = stake × (current_index - 0) = stake × FULL HISTORICAL INDEX. The user gets credited with every reward accumulated since the spool was created in August 2023.

Spool index grew to 1.19B over 20 months. Attacker staked 136K sSUI, got credited 162 trillion points instantly. The rewards pool ran a 1:1 exchange rate (numerator and denominator both = 1), so 162T points converted directly to 162K SUI worth of rewards. Pool only had 150K SUI in it. Drained.

Why it sat dormant: legit users go through the new package via the SDK, which fixed last_index sync. The old V2 package stayed on-chain because Sui packages are immutable - once published, every old version is forever callable. The shared Spool and RewardsPool objects accept calls from any version. The attacker bypassed the SDK and hit the old code path directly.

This is the Sui stale package class of vulnerability. The proper fix requires version fields on shared objects and assert!(version == CURRENT_VERSION) checks in every function. Without that, every prior package version stays a live attack surface forever.

April's pattern: most exploits this month weren't in core protocol code.
- KelpDAO: RPC infrastructure
- Litecoin: MWEB privacy layer
- Aethir: access control on a peripheral adapter
- Scallop: forgotten old package version
The audit perimeter has to extend to every contract you ever shipped, not just the one currently deployed.
tx: 6WNDjCX3W852hipq6yrHhpUaSFHSPWfTxuLKaQkgNfVL

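The two fixes the quoted post names (snapshot last_index from the live index at account creation, and gate every function that touches a shared object on a version field) as an added Sui Move sketch; this is example code, not Scallop's, and the module, struct, constant and function names are assumed.

```move
module spool_example::spool;
// Added illustration (Move 2024 edition); names are hypothetical.
const CURRENT_VERSION: u64 = 2;   // bump on every upgrade that touches Spool
const EWrongVersion: u64 = 0;
const ENotUpgrade: u64 = 1;

public struct AdminCap has key, store { id: UID }
/// Shared object: every package version ever published can still reach it.
public struct Spool has key {
    id: UID,
    version: u64,   // must equal the calling package's CURRENT_VERSION
    index: u64,     // cumulative reward index, grows as rewards distribute
}

public struct SpoolAccount has key, store {
    id: UID,
    stake: u64,
    last_index: u64,   // spool index at this account's last settlement
    points: u64,
}

/// Gate every function touching shared state; a stale package aborts here.
fun assert_version(spool: &Spool) {
    assert!(spool.version == CURRENT_VERSION, EWrongVersion);
}

/// The V2 defect as the post describes it: last_index stays 0, so the first
/// update_points credits stake * (index - 0), the spool's whole history.
#[allow(unused_function)]
fun new_account_stale(ctx: &mut TxContext): SpoolAccount {
    SpoolAccount { id: object::new(ctx), stake: 0, last_index: 0, points: 0 }
}

/// Fixed: snapshot the live index at creation, behind the version gate.
public fun new_account(spool: &Spool, ctx: &mut TxContext): SpoolAccount {
    assert_version(spool);
    SpoolAccount { id: object::new(ctx), stake: 0, last_index: spool.index, points: 0 }
}

/// points += stake * (index growth since last settlement), then resync.
public fun update_points(spool: &Spool, acct: &mut SpoolAccount) {
    assert_version(spool);
    acct.points = acct.points + acct.stake * (spool.index - acct.last_index);
    acct.last_index = spool.index;
}

/// After an upgrade the admin bumps the shared object's version once; from then on every older package's assert_version aborts.
public fun migrate(_: &AdminCap, spool: &mut Spool) {
    assert!(spool.version < CURRENT_VERSION, ENotUpgrade);
    spool.version = CURRENT_VERSION;
}
```

Because the old package still compiles against its own, lower CURRENT_VERSION, calling its update_points on the migrated Spool aborts with EWrongVersion instead of reaching the accounting logic.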
ret2basic.eth (@ret2basic):
Translation: you passed verification but we won't allow you to do your regular job, what you gonna do about it kid?