AstraSec

1/ 🚨 DeepBook was drained of $239,700 on May 9 using just ~$2,500 in capital—a massive 100x return. No reentrancy, no oracle attack, no access control bypass. Just two order-placement paths with mismatched price validation. pool::place_limit_order — no price check pool_proxy::place_limit_order — price ∈ [Pyth ± tolerance] Margin uses proxy. Regular accounts use raw. Same orderbook. Same attacker. 🧵 2/ Attacker uses TWO BalanceManagers, both their own: • BM 0xe63374a58f2a63fe8554f0e9210332848654bd1130931c0719b1e9ba0a4fa30a (regular) • MM 0xe63374a58f2a63fe8554f0e9210332848654bd1130931c0719b1e9ba0a4fa30a (margin — borrows USDC) Per PTB, BM places a "trap" at the tolerance band edges: SELL @ $1.0878 + BUY @ $1.0759 (Pyth mid $1.0819, tolerance ±0.55%) 1.1% spread, both legs pass proxy. 3/ But this only works if the band is empty of legitimate orders. Phase A (asymmetric scan): attacker uses throwaway BMs as takers to sweep ~218K SUI / $235K of legitimate liquidity. Net cost: ~$1K in spread. Now only BM's trap sits in the band. 4/ Phase B (wash loop): MM market-orders into BM's trap. • MM BUY → only ASK in band = BM's $1.0878 → MM pays high • MM SELL → only BID in band = BM's $1.0759 → MM gets low Each round trip: $0.0119/SUI leaks MM's borrowed pool → BM. Run 35×, 70 + 70 fills at exact band edges. 5/ After PTB: MM insolvent → $283K bad debt to suppliers. BM keeps ~$96K + 8K SUI. Flashloan repaid same-PTB. Just 4 successful attack txs over 50 mins. Bridged 78 ETH + 0.7 BTC to a single EVM address. 6/ 🛡️ The AstraSec Takeaway:Vulnerabilities don't always hide in complex math—they hide in architectural inconsistencies. When proxy logic and raw pool logic don't enforce the same invariants, attackers will bridge the gap.

🚨 https://t.co/9Opv0Nqq5d exploited -- $229K lost Root cause: The Forwarder contract blindly forwards req.from as the msg.sender to the SwapRouter. An attacker can set req.from to any victim who previously approved the protocol, then drain their funds via spendFromUser. tx: https://t.co/YNSBErTzlD ⚠️ Revoke approvals to this address IMMEDIATELY: 0x2990A16D2C37163f26F86d7af219064Ba5CD5605

In line with the technical plan outlined below, the attacker's rsETH positions on Aave have been liquidated on Ethereum and Arbitrum. The liquidated collateral now sits with the Recovery Guardian as specified in the AIP. No other users were affected, and Umbrella was also untouched. This was a critical step in the recovery roadmap, with next steps to follow.

🚨 APRIL 2026: The list of major DeFi hacks, the real risks are now cross‑chain configs, social engineering, and edge‑case logic flaws. 13+ attacks, $620M+ drained. Attack surfaces have shifted. 📅 April 1 – Drift Protocol (Solana) → Social engineering, multi-sig compromise → $285M 📅 April 3 – Silo Finance → Oracle misconfiguration → $392K 📅 April 5 – TMM on BNB Chain → Flash loan reserve manipulation (PancakeSwap pool) → $1.665M 📅 April 13 – Dango → Missing positive input validation (negative "donation") → ~$1.9M (whitehat returned ~$1.49M) 📅 April 13 – Hyperbridge → MMR proof replay vulnerability → $2.5M 📅 April 14 – CoW Swap → Domain hijacking (social engineering) → $1.2M 📅 April 15 – Grinex Exchange → Exit scam / external hack → $13.74M 📅 April 18 – Rhea Finance (Arbitrum) [FIXED] → Intermediate token reuse flaw in multi‑swap, NAV manipulation → $18.4M 📅 April 18 – KelpDAO → LayerZero DVN config flaw (cross‑chain message forgery) → $293M 📅 April 21 – Bitcoin Depot → Admin‑level social engineering → $3.6M 📅 April 22 – Volo Protocol (Sui) → Vault ownership forgery → $3.5M 📅 April 24 – ZetaChain → Cross‑chain messaging vulnerability → $334K 📅 April 25 – Purrlend → Dual‑chain coordinated exploit → $1.5M 📅 April 26 – Scallop (Sui) → Oracle manipulation / legacy contract vulnerability → sSUI reward pool drained～150,000 SUI (~$142K) 📅 April 28 – JUDAO (BNB Chain) → Reserve manipulation via token hook vulnerability → $228K 📅 April 29 – Aftermath Finance (Sui) → Negative fee rate settlement flaw → $1.14M 📅 April 29 – Syndicate (Base) → Commons bridge accepted unverified cross-chain messages → ~18.5M SYND tokens dumped (~$330K)