NullTrace
HIGH · Base · Oracle Misconfiguration · MONITORING

SingularityFinance.ai

Defimon alert: dynBaseUSDCv3 vault on Base priced non-USDC reserves via UniswapV3Oracle. Admin registered yield-token routes with fee tier 42 (invalid) — factory.getPool returned address(0) for every token. Attacker flash-loaned 100k USDC, minted ~99.99% of supply at the broken ratio, then redeemed proportionally to drain all underlying yield tokens (~$413K).

Loss

~$413K

Risk

Vault fully drained — preliminary post-mortem

Confidence

94%

AI Generated Breakdown

Reporter Agent synthesis with forensic confidence scoring

Attack explanation

With the oracle broken, VaultTokensLib.totalAssets() only counted ~$100 idle USDC. The attacker deposited 100k USDC and received shares representing almost the entire vault supply at a 1000x inflated ratio. On redemption, the vault distributed a proportional share of every real underlying token balance — independently of oracle price — draining the full vault.

Root cause analysis

Protocol admin registered six yield-token Uniswap V3 oracle routes with fee tier 42. Uniswap V3 only enables fee tiers 100/500/3000/10000; factory.getPool(USDC, X, 42) returns address(0) for every token. The WETH-fallback pools existed but had zero liquidity. No validation was run on the returned pool address before using it for pricing.

Technical Breakdown

Attack vector

Flash loan → deposit at broken oracle ratio → redeem proportional share of all underlying tokens

Vulnerability

Invalid Uniswap V3 fee tier in oracle route registration silently returned address(0), breaking totalAssets()

Affected contracts

0x67b93f6676bd1911c5fae7ffa90fff5f35e14dcd
0x73b8c192bfc323c3ea224c88219d55dfc319e89f
0x00b949bc3ed3edb58b04faedfbd8eb1db2edceae761382e80fe012919f8d3732
0x2df0be7a17bd69a2f732c1396796690240aecdfaf13b0a8f60f49f95a8dbe150

Mitigation suggestions

Validate that getPool returns a non-zero address before registering oracle routes
Add totalAssets() sanity checks — revert if reported value deviates >10% from expected range
Use Chainlink or Pyth as a primary oracle with Uniswap V3 TWAP as fallback only
Emit events on oracle route registration and monitor for zero-address pool assignments
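
The accounting failure described under "Attack explanation" and "Root cause analysis", and the first mitigation above, modelled in Python as an added example (not the protocol's contract code). The class, token names and balances are constructed round figures, not on-chain values, and each reserve is assumed to be worth its stated USDC value when its route resolves.

```python
from fractions import Fraction

ZERO = "0x" + "00" * 20
ENABLED_FEES = {100, 500, 3000, 10000}  # tiers the page lists as enabled

def get_pool(token, fee):
    # Model of factory.getPool: the zero address when no pool exists for the tier.
    return f"pool-{token}-{fee}" if fee in ENABLED_FEES else ZERO

class Vault:  # hypothetical model, not the real vault
    def __init__(self, idle, holdings, validate):
        self.idle, self.holdings = Fraction(idle), holdings  # USDC, {token: USDC value}
        self.validate, self.routes = validate, {}
        self.supply = self.idle + sum(holdings.values())     # 1 share = 1 USDC at start

    def register_route(self, token, fee):
        pool = get_pool(token, fee)
        if self.validate and pool == ZERO:  # mitigation: reject at registration
            raise ValueError(f"no pool for {token} at fee {fee}")
        self.routes[token] = pool

    def total_assets(self):
        # As described on the page: a reserve whose pool is address(0) adds nothing.
        priced = sum(v for t, v in self.holdings.items() if self.routes[t] != ZERO)
        return self.idle + priced

    def deposit(self, usdc):
        shares = usdc * self.supply / self.total_assets()
        self.idle += usdc
        self.supply += shares
        return shares

    def redeem_value(self, shares):
        # Pro-rata slice of the real balances; the oracle is not consulted.
        return (self.idle + sum(self.holdings.values())) * shares / self.supply

def simulate(fee, validate=False):
    vault = Vault(100, {"yieldA": 200_000, "yieldB": 213_000}, validate)  # constructed
    for token in vault.holdings:
        vault.register_route(token, fee)
    shares = vault.deposit(100_000)
    return shares / vault.supply, vault.redeem_value(shares)

if __name__ == "__main__":
    for fee in (3000, 42):
        frac, value = simulate(fee)
        print(f"fee {fee}: {float(frac):.4%} of supply, redeemable {float(value):,.0f} USDC")
```

With a resolvable tier the depositor can redeem exactly what was deposited; with tier 42 the same deposit carries a claim on nearly every real balance, and with `validate=True` the misconfiguration is rejected at registration time instead.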

Exploit Timeline

2026-01-19

Broken oracle routes registered

Protocol admin registered six yield-token oracle routes with Uniswap V3 fee tier 42 — an invalid tier. factory.getPool returns address(0) for every token, silently killing all direct price paths.

2026-04-26 T+0

Flash loan acquired

Attacker flash-loaned 100k USDC from Morpho to fund the attack.

T+1

Vault deposit at broken ratio

Attacker deposited into dynBaseUSDCv3 vault. With oracle broken, totalAssets() only counted ~$100 idle USDC, minting ~99.99% of vault supply for 100k USDC.

T+2

Proportional redemption drains all tokens

Attacker redeemed vault tokens, receiving a proportional cut of every actual underlying yield token balance independently of the oracle, draining the vault.

T+3

Flash loan repaid — $413K net profit

The 100k USDC flash loan was repaid. Net loss to the protocol: approximately $413K in drained yield tokens.

Related Tweets

NullTrace links social posts to the incident by contract mentions, protocol name, researcher credibility, and fake-loss detection tags.

Defimon Alerts

@DefimonAlerts · Apr 26

Warning

🚨 SingularityFinance.ai loss ~$413K. Oracle Misconfiguration / Share Inflation. dynBaseUSDCv3 vault on Base — admin registered oracle routes with Uniswap V3 fee tier 42 (invalid), silently breaking price paths. Attacker flash-loaned 100k USDC, minted 99.99% of supply at broken ratio, redeemed for all underlying tokens.

NullTrace Scout

@nulltrace_ai · Apr 26

Confirmation

Singularity Finance vault oracle used fee tier 42 — only tiers 100/500/3000/10000 are valid in Uniswap V3. Every getPool call returned address(0), making totalAssets() count only idle USDC.

Maya Chen

@maya_sec · Apr 26

Researcher

Classic share inflation via broken oracle. The attacker didn't need to manipulate price — the oracle was already returning zero. Share mint at $100 total assets for a $413K underlying vault is the entire attack.

Rumor Watch

@intel_filter · 10m

Fake Info Flag

Unverified recovery claims are circulating. No confirmed full recovery unless the protocol or tracked wallet flows support it.

suppressed by misinformation filter
