The TrustedVolumes RFQ proxy has a critically broken fill function. The EIP-712 signature commits to (makerToken, takerToken, makerAmount, takerAmount, maker, counterparty, expiry, salt), and the contract checks _allowedOrderSigner[signedMaker][recoveredSigner]. But the function also takes unsigned calldata that performs the actual transfer, including the real from address, real token, and real amounts. Nothing binds the executed from, token, or amount to the signed maker, makerToken, or makerAmount, so a single valid signature is enough to move approved funds belonging to anyone, not just the signed maker.
Estimated Loss
$5.87M
Category
Signature/Execution Parameter Mismatch
Detected
2026-05-07
AI Confidence
88%
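Added example (not TrustedVolumes' code) of the pattern described in this entry: a fill function that verifies an EIP-712 signature over the order struct but executes the transfer with separate unsigned calldata, beside a version that reads every value-moving parameter from the signed struct. The Order fields are the signed tuple listed above; the contract name, the mapping and function names, the salt-based replay check and the (v, r, s) signature encoding are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not TrustedVolumes' code. Order fields are the signed tuple
// named in the entry; contract, function and mapping names are assumptions.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract RfqFillExample {
    struct Order {
        address makerToken;
        address takerToken;
        uint256 makerAmount;
        uint256 takerAmount;
        address maker;
        address counterparty; // address(0): anyone may fill
        uint256 expiry;
        uint256 salt;
    }

    bytes32 public constant ORDER_TYPEHASH = keccak256(
        "Order(address makerToken,address takerToken,uint256 makerAmount,uint256 takerAmount,address maker,address counterparty,uint256 expiry,uint256 salt)"
    );
    bytes32 public immutable DOMAIN_SEPARATOR;

    // maker => signer => allowed, mirroring _allowedOrderSigner[signedMaker][recoveredSigner]
    mapping(address => mapping(address => bool)) public allowedOrderSigner;
    mapping(bytes32 => bool) public filled; // digest => consumed (replay protection via salt)

    constructor() {
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,uint256 chainId,address verifyingContract)"),
            keccak256("RfqFillExample"), block.chainid, address(this)));
    }

    function setOrderSigner(address signer, bool allowed) external {
        allowedOrderSigner[msg.sender][signer] = allowed;
    }

    function hashOrder(Order calldata o) public view returns (bytes32) {
        bytes32 structHash = keccak256(abi.encode(ORDER_TYPEHASH, o.makerToken, o.takerToken,
            o.makerAmount, o.takerAmount, o.maker, o.counterparty, o.expiry, o.salt));
        return keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
    }

    // Plain ecrecover; a production contract should also reject high-s signatures.
    function _recover(bytes32 digest, uint8 v, bytes32 r, bytes32 s) internal pure returns (address) {
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "bad signature");
        return signer;
    }

    // VULNERABLE: the signature covers `o`, but value moves according to
    // `from`, `token` and `amount`, which are unsigned calldata. Anyone holding
    // one valid signature from o.maker's signer can pull the full approved
    // balance of any account that has approved this contract.
    function fillVulnerable(Order calldata o, uint8 v, bytes32 r, bytes32 s,
                            address from, address token, uint256 amount) external {
        address signer = _recover(hashOrder(o), v, r, s);
        require(allowedOrderSigner[o.maker][signer], "unauthorized signer");
        IERC20(token).transferFrom(from, msg.sender, amount); // none of these come from `o`
    }

    // FIXED: every value-moving parameter is read from the signed struct, and
    // the signed expiry, counterparty and salt are enforced.
    function fill(Order calldata o, uint8 v, bytes32 r, bytes32 s) external {
        bytes32 digest = hashOrder(o);
        require(block.timestamp <= o.expiry, "order expired");
        require(o.counterparty == address(0) || o.counterparty == msg.sender, "wrong taker");
        require(!filled[digest], "order already filled");
        address signer = _recover(digest, v, r, s);
        require(signer == o.maker || allowedOrderSigner[o.maker][signer], "unauthorized signer");
        filled[digest] = true;
        require(IERC20(o.makerToken).transferFrom(o.maker, msg.sender, o.makerAmount), "maker leg failed");
        require(IERC20(o.takerToken).transferFrom(msg.sender, o.maker, o.takerAmount), "taker leg failed");
    }
}
```

The review check for this class of bug is mechanical: list every argument that reaches a transfer, transferFrom, approve or call, and confirm each one is either a field of the hashed struct or derived from msg.sender. Any argument that is neither is exactly what fillVulnerable accepts above.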
Ekubo v2 locker blindly trusts the from address embedded in the locker's packed instruction payload. Its payCallback(token,id,_,amount,from) does a transferFrom with from taken straight from user-supplied calldata, so any caller can charge any account that has approved the locker.
Estimated Loss
$1.38M
Category
Missing Access Control
Detected
2026-05-05
Defimon-style Telegram alert: Ekubo v2 locker trusted a user-supplied from address in packed lock instructions, allowing repeated WBTC drains from an approved EOA.
May 5, 2026
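Added example, not Ekubo's code, of the locker pattern described in this entry: a payCallback that charges whatever from address the packed instructions carried, beside a version that charges only the account that opened the current lock. The callback parameter order (token, id, _, amount, from) follows the entry; the core/locker split, the ICore interface and all contract, function and variable names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Ekubo's code. Models a locker that forwards a user's packed
// instructions to a core contract, which calls back into the locker to collect
// payment. ICore and all names here are assumptions.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface ICore {
    // Assumed: core executes the instructions and calls payCallback on msg.sender.
    function lock(bytes calldata instructions) external;
}

contract LockerExample {
    ICore public immutable core;
    // Account that opened the currently executing lock; address(0) when idle.
    address private _payer;

    constructor(ICore core_) {
        core = core_;
    }

    modifier onlyCore() {
        require(msg.sender == address(core), "not core");
        _;
    }

    function lock(bytes calldata instructions) external {
        require(_payer == address(0), "reentrant lock");
        _payer = msg.sender;          // recorded by the locker, never by the caller's payload
        core.lock(instructions);      // core executes and calls back into payCallback
        _payer = address(0);
    }

    // VULNERABLE: even with the caller restricted to core, `from` is whatever
    // the user packed into the instructions, so any address that has approved
    // this locker can be charged by anyone. `id` is kept only to match the
    // described signature.
    function payCallbackVulnerable(address token, uint256 id, uint256, uint256 amount, address from)
        external onlyCore
    {
        id; // unused in this example
        IERC20(token).transferFrom(from, address(core), amount);
    }

    // FIXED: the payer is the account that opened the lock, as recorded above;
    // no `from` is accepted from calldata at all.
    function payCallback(address token, uint256 id, uint256, uint256 amount) external onlyCore {
        id; // unused in this example
        require(_payer != address(0), "no active lock");
        require(IERC20(token).transferFrom(_payer, address(core), amount), "transfer failed");
    }
}
```

The general rule the fixed version follows: a callback that spends someone's approval must identify that someone from state the contract itself wrote when the interaction began (here _payer, which could equally live in transient storage), never from bytes the initiator chose. Any approval-spending function whose debtor is a parameter is a drain primitive for every account that has approved the contract.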
Sharwa's MarginTrading priced Hegic option NFT collateral via Uniswap V3's spot Quoter on a low-liquidity USDC.e/USDC pool, with no TWAP or Chainlink fallback.
Estimated Loss
$32,850
Category
Smart Contract Bug
Detected
2026-05-01
Defimon-style Telegram alert: Sharwa priced Hegic option NFT collateral from a low-liquidity Uniswap V3 spot quote without TWAP or Chainlink fallback.
Oracle Manipulation
May 1, 2026
AI Confidence
81%
The dynBaseUSDCv3 vault on Base prices its non-USDC reserves via UniswapV3Oracle. On 2026-01-19 the protocol admin registered the six yield-token oracle routes with a Uniswap V3 fee tier of 42. The Uniswap V3 factory only enables fee tiers 100/500/3000/10000 by default, so factory.getPool(USDC, X, 42) returned address(0) for every token, silently killing the direct price path. The WETH-fallback pools that did exist had zero liquidity, so VaultTokensLib.totalAssets() counted only the ~$100 of idle USDC and valued every yield-token reserve at zero.
Estimated Loss
~$413K
Category
Oracle Misconfiguration
Detected
2026-04-26
Defimon alert: dynBaseUSDCv3 vault on Base priced non-USDC reserves via UniswapV3Oracle. Admin registered yield-token routes with fee tier 42 (invalid); factory.getPool returned address(0) for every token. Attacker flash-loaned 100k USDC, minted ~99.99% of supply at the broken ratio, then redeemed proportionally to drain all underlying yield tokens (~$413K).
Apr 26, 2026
AI Confidence
94%
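Added example, not dynBaseUSDCv3's or VaultTokensLib's code, showing the registration-time and valuation-time checks that would have caught this configuration: the fee tier validated against the factory's feeAmountTickSpacing, the getPool result required to be non-zero, a liquidity floor, and fail-closed pricing so that an unpriced reserve halts accounting instead of being valued at zero. The factory and pool interfaces are Uniswap V3's real ones; the registry contract, its names, the liquidity floor and the mint-share cap are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the vault's or VaultTokensLib's code. The factory and pool
// interfaces are Uniswap V3's; the registry and its names are assumptions.

interface IUniswapV3Factory {
    function getPool(address tokenA, address tokenB, uint24 fee) external view returns (address);
    // Returns 0 for fee tiers that were never enabled (100/500/3000/10000 by default).
    function feeAmountTickSpacing(uint24 fee) external view returns (int24);
}

interface IUniswapV3Pool {
    function liquidity() external view returns (uint128);
}

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

contract OracleRouteRegistry {
    IUniswapV3Factory public immutable factory;
    address public immutable usdc;
    address public owner;
    uint128 public minLiquidity;              // assumed floor for an acceptable pool

    struct Route { address pool; uint24 fee; }
    mapping(address => Route) public routes;  // yield token => USDC pool route

    event RouteRegistered(address indexed token, address pool, uint24 fee);

    constructor(IUniswapV3Factory factory_, address usdc_, uint128 minLiquidity_) {
        factory = factory_;
        usdc = usdc_;
        owner = msg.sender;
        minLiquidity = minLiquidity_;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Admin path: every condition that silently produced a zero price in the
    // incident is rejected here, so a bad route cannot be stored at all.
    function registerRoute(address token, uint24 fee) external onlyOwner {
        require(token != usdc, "USDC needs no route");
        require(factory.feeAmountTickSpacing(fee) != 0, "fee tier not enabled"); // fee 42 fails here
        address pool = factory.getPool(usdc, token, fee);
        require(pool != address(0), "pool does not exist");
        require(IUniswapV3Pool(pool).liquidity() >= minLiquidity, "pool too thin");
        routes[token] = Route(pool, fee);
        emit RouteRegistered(token, pool, fee);
    }

    // Valuation path: returns the pool for `token` or reverts. A vault's
    // totalAssets() should call this for every non-USDC reserve it holds, so a
    // missing or drained route halts deposits instead of pricing the reserve at zero.
    function poolFor(address token) public view returns (address pool) {
        pool = routes[token].pool;
        require(pool != address(0), "no oracle route");
        require(IUniswapV3Pool(pool).liquidity() >= minLiquidity, "route liquidity too low");
    }

    // Fail-closed inventory check: reverts if `vault` holds any non-USDC reserve
    // with a non-zero balance that cannot be priced.
    function assertAllReservesPriced(address vault, address[] calldata reserves) external view {
        for (uint256 i = 0; i < reserves.length; i++) {
            if (reserves[i] == usdc) continue;
            if (IERC20(reserves[i]).balanceOf(vault) == 0) continue;
            poolFor(reserves[i]);
        }
    }

    // Deposit-time sanity cap (assumed mitigation): a single mint of more than
    // `maxBps` of the post-mint supply is the signature of a collapsed share price,
    // as in the ~99.99% mint above. Skipped for the very first deposit.
    function checkMintShare(uint256 shares, uint256 supplyBefore, uint256 maxBps) external pure {
        if (supplyBefore == 0) return;
        require(shares * 10_000 <= (supplyBefore + shares) * maxBps, "mint exceeds share cap");
    }
}
```

The important design choice is that both getPool returning address(0) and a zero-liquidity pool are treated as hard errors at the time the route is written and again every time it is read. An oracle path that degrades to "zero" on lookup failure hands the vault a share price of nearly nothing, which is all the attacker needed here.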
Six-month social engineering campaign used Solana durable nonces, fake CVT collateral, and compromised contributor environments to drain $285M.
Estimated Loss
$285M
Category
Durable Nonce Abuse
Detected
Apr 1, 2026
AI Confidence
96%
Phishing transactions abused Solana owner reassignment, giving attacker-controlled programs delayed control over victim accounts.
Estimated Loss
$3M+
Category
Owner Permission Phishing
Detected
Dec 2025
South Korea's largest exchange suffered abnormal Solana-asset withdrawals from internet-connected hot wallet infrastructure.
Estimated Loss
$36.8M
Category
Hot Wallet Compromise
Detected
Nov 27, 2025
AI Confidence
91%
A targeted vault vulnerability allowed an attacker to steal approximately $2.2M from one Texture lending vault.
Estimated Loss
$2.2M
Detected
Jul 2025
AI Confidence
87%
Oracle manipulation against RateX PT collateral enabled undercollateralized loans from Loopscale's USDC and SOL Genesis Vaults.
Estimated Loss
$5.8M
Detected
Apr 26, 2025
AI Confidence
92%
Hundreds of sub-threshold transactions drained hot wallets across Ethereum, TRON, Solana, and BSC before funds moved toward Tornado Cash.
Estimated Loss
~$8M
Category
Bridge Exploit
Detected
Jan 1, 2025
AI Confidence
89%
Free demo case: NullTrace is investigating an ongoing TrustedVolumes resolver exploit on Ethereum. The instant forensic report is paid; the full report unlocks for free after 24 hours.
Estimated Loss
~$5.87M
Detected
3 hours ago
AI Confidence
83%