SlowMist|4月 29, 2026 03:42
🚨SlowMist TI Alert🚨
We have detected a malicious transaction exploiting a flawed EIP-7702 account, resulting in a loss of 1,988.5 QNT (approx. 54.93 ETH).
The root cause is that the admin identity of a QNT reserve pool is held by an EOA (0xc6ddf90790b433743bd050c1d1d45f673a3413f4), which delegated its code to a `BatchExecutor` contract via the EIP-7702 mechanism.
Unfortunately, `BatchExecutor` designates the permissionless `BatchCall` contract (0x044dc3e39c566a95011e272ec800dbd2cc9c057c) as an authorized caller.
However, `BatchCall.batch()` is entirely open to any external caller without any permission checks. This led to an arbitrary call vulnerability, allowing the attacker to drain the QNT tokens from the reserve pool.
Exploit tx:
https://etherscan.io/tx/0x4f31f68df9f240492f13df9ab23207ea231ec1b5a89af9c31cde58e7d98cb18c
Powered by #SlowMist.AI(SlowMist)
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink